The data supplied to Secolo, via the website at www.secolo.co.uk (hereafter the “Website”) when using services supplied by Secolo (hereafter “Services”), shall be processed in compliance with personal data protection legislation (GDPR EU Regulation 2016/679 and Italian Privacy Code). Secolo informs users of the following.
1. Data Controller
1.1. The Data Controller of personal data is SECOLO XXI, with registered office in London, 305 Harbour Yard - Chelsea Harbour - SW100XD, number of registration at UK Company House a 290300633(hereafter “SECOLO” or “Data Controller”), phone n. +44 20 7352 6766, firstname.lastname@example.org
2. Nature of the data processed and purposes of the processing
2.1. The personal data processed are exclusively of users who has reached the age of majority, where personal data is defined as any information on a physical person who is identified or may be identified, either directly or indirectly through reference to any other information.
The data processed are the data provided by the user to the Data Controller when registering for the newsletter Service and / or requesting for supply/activation of a Secolo’s Service and/or when sending communications to Secolo via e-mail or through an appropriate form to be filled in, such as name and surname, date of birth, e-mail address, postal address, telephone number, as well as the data collected by Secolo when browsing the Website, such as IP address, information obtained through cookies.
2.2 The data will be used for the following purposes:
A)for the performance of the Services requested, for the fulfilment of obligations under the law and EU regulations or legislation, as well as for exercising rights before the Courts;
B) for the promotion, via e-mail, telephone calls with an operator, sms, mms of commercial proposals related and/or connected to Secolo’s Services, and for sending advertising material exclusively regarding Secolo’s products or services, and in order to conduct market surveys and to send free samples or promotional gifts of modest value;
C) for the analysis of consumers’ habits and consumption choices, for the creation of a user’s profile on the basis of the information and preferences expressed when browsing the Website or during the use of the Services requested, for the purpose of sending personalized advertising communications via e-mail, sms, mms, paper-based mail and telephone calls with an operator.
The profiling activity as identified in section 2.2C shall not produce legal effects on the user nor affect him personally, except for the communication and promotion of personalized offers.
3. Obligatory/optional nature of providing data
3.1 Providing the data requested at the time of activation of Services for the purposes identified in the section 2.2A above is mandatory, as it is strictly functional for providing the Services requested and meeting legal obligations. Refusal to supply data will make it impossible for Secolo to complete the process of providing the Services requested and/or meeting legal obligations.
3.2 Providing the data requested for the purposes identified in sections 2.2B, 2.2C above is optional.
Refusal to consent to the purposes of sections 2.2B, 2.2C will have no effect on the providing of Services. Users will be able to use Secolo’s Services anyway.
Users may object to processing for the purposes identified in sections 2.2B, 2.2C either right away, by not giving their consent while activating the newsletter Service or further Services, or at a later time, by sending an e-mail to email@example.com Users tick off checkboxes at the time of activation of Services to consent to use of the data identified above for the purposes specified therein; if users do not select a particular checkbox, they will be considered not to have consented to processing for this purpose.
4. Processing methods
4.1 Users’ data will be collected on line during the activation of the Services requested, by comparing items of parts of items of information, or through use of the e-mail service.
4.2 Users’ data will be processed through registration, consultation, communication, storage and deletion operations conducted primarily using electronic tools and manually, ensuring that appropriate measures are taken to protect the security and guarantee the confidentiality of the data processed.
4.3 Users’ data, stored in electronic/magnetic/digital form, are stored and filed on a server located in the USA; personal data stored in paper form shall be filed in specific registers and/or records whose conservation shall be guaranteed by placing the latter in specific containers, stored in suitable premises. Secolo declares that data registered on its server and/or in suitable premises are protected against the risk of intrusion and unauthorized access, and that it has taken appropriate security measures to ensure the integrity and availability of data and protect areas and places for data storage and accessibility.
In particular the company hosting our server has been duly certified according to Privacy Shield.
4.4 Personal data will be processed by Secolo’ employees and/or collaborators acting as data processors or persons in charge of the processing, in the context of their respective functions and in accordance with the instructions given by Secolo.
5. Data disclosure
5.1 Users’ personal data may be disclosed to certain parties appointed by Secolo to provide the Services requested and to meet legal obligations.
Data may be disclosed to:
a) people, companies or professionals who provide Secolo with bookkeeping, administrative, legal, fiscal and financial assistance, consulting services and collaboration;
b) parties delegated and/or appointed by Secolo to perform activities or parts of activities related to the supply of the requested Services and all other external parties who collaborate with Secolo and must be informed of the data in order to correctly fulfill Secolo’s obligations under the contract for the supply of Services;
c) Public Authorities in the performance of their institutional functions, within the limits set by laws and regulations.
Users’ data will not be disseminated.
The Data Controller has appointed Data Processors for the processing of personal data. The updated list of all Data Processors may be requested at the following e-mail address dpo@Secolo.com. Secolo may update the list from time to time.
6. Users’ rights
6.1 Users (hereafter “data subject”) are entitled to obtain confirmation of the presence of their personal data and the purposes for which the data are processed at any time. Users are also entitled to request updating, correction, deletion or blocking of data and to refuse its use, entirely or in part.
6.2 Users’ rights are listed below. Specifically:
6.2.1 A data subject shall have the right to obtain confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information.
6.2.2 A data subject shall have the right to be informed of:
a) the identity and the contact details of the controller and, where applicable, of the controller's representative;
b) the contact details of the data protection officer, where applicable;
c) the categories of personal data, their source, the purposes of the processing for which the personal data are intended, as well as the legal basis for the processing;
d) the legitimate interests, if any, pursued by the controller or by a third party;
e) the recipients or categories of recipients of the personal data, if any;
f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision by the Commission, or reference to the appropriate or suitable protections and the means by which to obtain a copy of them or where they have been made available.
6.2.3 In addition to the previous information, the controller shall provide the data subject with the following further information:
a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
b) the existence of the right to request from the controller access to and rectification or deletion of personal data or restriction of processing concerning the data subject or to refuse the processing as well as the right to data portability;
c) where the processing is based on the users’ consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
d) the right to lodge a complaint with a supervisory authority (data protection Authority);
e) whether the communication of personal data is a legal or a contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data;
f) the existence of automated decision-making, including profiling, and, in those cases where the latter automated decision-making process produces legal effects concerning him/her or similarly significantly affects him/her, relevant information about the logic involved, as well as the significance and the consequences of such processing for the data subject.
6.2.4 The data subject shall have the right to object, at any time, to processing of personal data concerning him or her:
a) on grounds relating to his or her particular situation, including profiling;
b) where personal data are processed for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing.
6.2.5 The data subject shall have the right to:
a) obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement;
b) receive the personal data concerning him or her, which he or she has provided to Secolo, in a commonly used electronic form and in an easily legible manner, and have the right to transmit those data to another controller without interferences;
c) obtain from the controller the deletion of personal data concerning him or her and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased in order to comply with a legal obligation under European Union law or Member State law to which the controller is subject;
d) obtain from the controller restriction of processing.
6.3To exercise the above mentioned rights and receive information on parties to whom the data are disclosed, or parties who may become aware of data while acting as data processors or persons in charge of the processing, the users may contact Secolo, by sending a request using the contact details provided above.
The controller shall provide the information related to the action taken on a data subject’s request without undue delay and no later than one month after having received the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any extension within one month after having received the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
7. Duration of processing
7.1 Personal data will be processed with regard to the purpose mentioned in section 2.2.A for no longer than the period necessary for the performance of Services required, and for the time necessary for the fulfilment of current civil, fiscal and tax obligations and in any case for no longer than a period of 10 years from the termination of the underlined obligation (according to statute of limitation applicable provisions).
7.2 Personal data will be processed with regard to the purposes mentioned in section 2.2.B (marketing/promotional activities) for no longer than 24 months starting from the date in which the consent to the processing of personal data was given.
7.3 Personal data will be processed with regard to the purposes mentioned in section 2.2.C (profiling activity) for no longer than 12 months starting from the date in which the consent to the processing of personal data was given.
7.4 At the end of the data processing period, the data will be deleted or permanently rendered anonymous.
8. Legal basis for the processing
8.1 The legal basis for the processing shall be constituted in accordance with the user’s consent, the compliance with a contractual requirement and the legal provisions.
10. Transfer to non-EU countries
10.1 Personal data are transferred to the USA, as some of the data processors hold their server infrastructure there.
10.2 The European Commission has made an "adequacy decision" with respect to the data protection laws of the USA.
Transfers to the USA will be protected by appropriate safeguards, namely the Privacy Shield, more
info https://www.privacyshield.gov/European-Businesses, or the use of standard data protection clauses adopted or approved by the European Commission, a copy of which can be obtained from www.garanteprivacy.it or www.garanteprivacy.it/web/guest/home/footer/contatti.