GENERAL PRIVACY POLICY FOR THE USERS OF Gruppo Urmet
The management of the contractual relationship with customers and suppliers necessarily entails the processing of personal data (identifying information, telephone numbers, email addresses) of the people contacted.
This privacy policy is therefore provided pursuant to art. 13 GDPR 679/16 - "European General Data Protection Regulation" for natural persons who work for customers and suppliers.
Given the difficulty in delivering it directly to the data subjects, the privacy policy is made available to customers and suppliers with the request that they notify the data subjects.
Identity of the Data Controller
The Data Controller of the processing referred to below is Urmet S.p.A. based at Via Bologna 188/C, 10154 Turin, Italy, in the person of its legal representative pro tempore.
Identity of the Data Protection Officer
The Data Controller appointed the Data Protection Officer, who can be reached at the headquarters of the Joint Data Controller or contacted by email at the address [email protected].
Data source
The personal data processed are those provided by the data subject during:
Visits or phone calls;
Direct contacts at trade shows, exhibitions, etc.;
The proposal of offers;
Communications and transactions subsequent to the order
Purposes of the processing
Personal data of contact persons are processed to:
· Send communications of various kinds and with different methods (telephone, mobile phone, text message, email, fax, post)
· Make requests or fulfil requests and offers received
· Exchange information aimed at the fulfilment of the contractual relationship, including pre- and post-contractual activities
Legal basis for the processing
The legal basis is the need to follow up on pre-contractual, contractual and post-contractual obligations.
Data recipients
The personal data processed by the Data Controller are not disseminated or are not made known to indeterminate parties in any form, including being made available or for viewing. On the other hand, they may be disclosed to workers who work for the Data Controller, to third parties who collaborate with it as Data Processors or who are authorised to process the data under the authority of the data controller.
They can also be disclosed to the extent strictly necessary to persons who for the purpose of processing your requests must provide goods or perform tasks or services on behalf of the Data Controller. Finally, they may be disclosed to persons entitled to access them by virtue of provisions of law, regulations and European Community legislation.
More specifically, depending on their roles and duties, workers have been authorised to process your personal data within the limits of their responsibilities and in accordance with the instructions given to them by the Data Controller.
External parties operating under the authority of the Data Controller have also been appropriately authorised on the basis of the type of service provided, the processing performed and the nature of the data processed.
External parties to whom the Data Controller has entrusted the processing of personal data have been designated as Data Processors.
Data transfer
Under no circumstances does the Data Controller transfer personal data to third countries or to international organisations.
However, it reserves the right to use cloud services, in which case the service providers will be selected from those that provide adequate guarantees, as required by art. 46 GDPR 679/16.
Data retention
The Data Controller retains and processes personal data for the time necessary to fulfil the purposes specified. In this case, contact details are kept for two years following their termination.
Rights of the Data Subject
With reference to articles 15 - right of access, 16 - right to rectification, 17 - right to erasure, 18 - right to restriction of processing, 20 - right to data portability, 21 - right to object, 22 - right to oppose an automated decision-making process of GDPR 679/16, the data subject exercises his/her rights by writing to the Data Controller at the address above or by email, specifying the subject of his/her request, the right being exercised and attaching a photocopy of an identity document attesting to the legitimacy of the request.
The Data Controller underscores that each data subject can exercise the right to object in the forms and manners envisaged by art. 21 GDPR.
Further information on the rights of the data subject is provided at the end of this section.
Withdrawal of consent
With reference to art. 7 of GDPR 679/16, at any time the data subject can withdraw any consent given.
However, the processing referred to in this privacy policy is lawful and permissible, even without consent, as it is necessary for the fulfilment of a contract the data subject is a party to (for the supply of goods and services).
Refusal to provide data
The data subject can refuse to give the Data Controller his/her personal data.
However, the provision of personal data is necessary for a correct and efficient management of the contractual relationship. Therefore, any refusal to provide the data may wholly or partially compromise the contractual relationship.
Automated decision-making processes
With regard to the processing specified below, under no circumstances does the Data Controller perform processing consisting of automated decision-making processes involving data of natural persons.