- Personal data controller and contact details
The controller is IUNGO spa, with registered office in 41121 Modena (MO), Via S. Vincenzo no. 4, and operating unit in 41123 Modena (MO) Via Tacito no. 7, tax code and VAT number 02731600363, tel. 059.251643, fax __________, e-mail firstname.lastname@example.org, web www.iungo.com (hereinafter the Website).
- Principles applicable to processing
In accordance with the provisions of the GDPR, IUNGO spa works constantly to ensure that the personal data is:
(a) processed lawfully, fairly and in a transparent manner;
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
(d) accurate and, where necessary, kept up to date;
(e) kept for a period no longer than is necessary for the purposes for which the personal data is processed;
(f) processed in a manner that ensures security of the personal data, using appropriate technical or organisational measures;
(g) processed, if consent is given freely by the Customer/Data Subject concerned, on the basis of a request presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
IUNGO spa adopts technical and organisational measures to ensure protection of personal data right from planning and to guarantee, through pre-established settings, that only the data necessary for each specific purpose of processing is processed.
IUNGO spa obtains and duly considers the indications, comments and opinions of the Customer/Data Subject transmitted to the addresses indicated above, in order to implement a dynamic privacy management system that ensures effective protection of natural persons with regard to processing of their data.
This policy document is subject to changes in line with developments in the applicable regulations and the technical and organisational methods adopted progressively by IUNGO spa; the Customer/Data Subject is therefore asked to visit this section of the Website periodically (or one with similar content on other social media or web applications of IUNGO spa), in order to view the updates and the policy applicable at the time.
- Personal data processing methods
The personal data is processed manually and with electronic means, applying logic strictly linked to the purposes indicated hereunder and, in any case, in a manner to guarantee the security and confidentiality of the data.
- Purposes of personal data processing
(4a) Purposes for which data processing is necessary
The personal data provided by the Customer/Data Subject is processed principally for fulfilment of the Contract and management of credit and, more generally, the relationship resulting from the Contract itself.
It is mandatory to provide the data in the Contract or subsequently, during the contractual relationship, for purposes of the processing in question; failure to provide the data or providing of partial or imprecise data will therefore make it impossible to sign and/or execute the Contract and, for the Customer/Data Subject, use the products/services offered by IUNGO spa, potentially exposing said Customer/Data Subject to liability for contractual non-fulfilment.
The personal data provided by the Customer/Data Subject may also be processed if this is necessary to satisfy a legal obligation placed on IUNGO spa, to protect the vital interests of the Customer/Data Subject or another natural person, for performance of a task of public interest or connected with exercising of public powers invested in IUNGO spa, or for the pursuit of a legitimate interest of IUNGO spa itself or third parties, provided that the interests or rights and fundamental freedoms of the Customer/Data Subject do not prevail; it is mandatory to provide the data in these cases as well and, therefore, failure to provide the data or providing of partial or imprecise data may expose the Customer/Data Subject to possible liability and the sanctions envisaged by law.
(4b) Further purposes of processing following specific and precise consent of the Customer/Data Subject
In addition to the above purposes, the personal data provided may also be processed, with the consent of the Customer/Data Subject (except what is specified hereunder for the so-called soft spam), to be expressed by selecting the box <<I agree>> on the Contract or on the Website, also for performance of market surveys and to make business and promotional communications, by telephone (also using the mobile telephone number provided) and automated contact systems (e-mail, SMS, MMS, fax, etc.), on products/services of IUNGO spa or the companies of the Group to which IUNGO spa belongs.
Consent for the purposes of processing of this point (4b) is optional; therefore, if it is denied, the data will be processed solely for the purposes indicated in the previous point (4a), except in the case of what is specified hereunder in relation to the legitimate interests of the controller or third parties.
In relation to the purposes of processing that require optional prior consent, see also, with reference to the so-called browsing data (as defined hereunder), the tracking policy published on the website.
- Categories of personal data processed
IUNGO spa processes mainly identification/contact data (first name, surname, address, type and number of identity documents, telephone numbers, e-mail addresses, taxation/invoicing information, possibly other information) and financial data (bank details, specifically current account details, credit card numbers, possibly other information related to business transactions), in addition to the aforementioned browsing data and traffic data strictly necessary when, in performance of the Contract and in the interest of the Customer, IUNGO spa activates e-mail products/services and/or carries out initiatives in relation to them.
The processing performed by IUNGO spa, both for fulfilment of the Contract and by virtue of the express consent of the Customer/Data Subject, does not generally relate to particular categories of personal data, referred to as sensitive (data that reveals racial origin or ethnicity, political opinions, religious beliefs, state of health, sexual orientation, etc.) nor genetic and biometric data or so-called judicial data (relating to criminal convictions and crimes).
However, in order to fulfil its obligations under the Contract, IUNGO spa may also be required to keep and/or process sensitive data, genetic or biometric or judicial data of the Customer/Data Subject or third parties, which the Customer/Data Subject possesses as the controller; in other words, in this case: (i) processing is carried out by IUNGO spa by virtue of, under the terms and conditions of and within the limits of its appointment as the processor, contained in the Contract signed; (ii) the Customer/Data Subject therefore operates as the Controller, accepting all the resulting legal obligations and responsibilities (with reference, in particular, to the existence of a suitable legal basis of processing), expressly and fully holding IUNGO spa harmless against any dispute, claim, demand for compensation that may be received from said third parties, whose personal data is processed as a result of use, by said Customer, of the products/services supplied by IUNGO spa.
As the controller, IUNGO spa processes, with reference to the Website (or to other social media and web applications of IUNGO spa itself), and, potentially, as the processor assigned to this (in the terms indicated above) by the Customer/Data Subject with reference to the latter’s website(s) (or other social media or web applications), including browsing data. The computer systems and software procedures used for functioning of the websites acquire certain personal data during their normal operation, the transmission of which is implicit in use of Internet communication protocols. This information is not collected in order to be associated with identified subjects, but, as a result of its nature, could allow the data subject to be identified. This may also occur through cross-referencing of data between different functions, cookies or using different identification techniques (so-called fingerprinting), which is based on processing even only of information or parts of information that is not, or is not yet, personal data, but that, when associated with each other or with other information, also available to third parties, could become personal data, with the purpose of unequivocally identifying the terminal (so-called single out) and, through it, also profiling of one or more users of that device. This category of information includes geolocation data, IP addresses, browser type, operating system, domain name and addresses of the websites on which access or logout has taken place, information on the pages visited by the users on the website, access time, time spent on the individual page, analysis of the internal path and other parameters relating to the operating system and to the user’s IT environment. It is therefore information that, due to its nature, allows users to be identified through processing and associations, also with data held by third parties.
Cookies may also be used on the Website, including both session cookies (which are not stored on the data subject’s computer and disappear when the browser is closed) and persistent cookies, for transmission of personal information, or systems for tracking the data subjects. See the cookies policy published on the Website for more information on them.
- Source of personal data
The personal data processed by IUNGO spa is collected directly by IUNGO spa itself from the Customer/Data Subject on or during browsing of this Website (or using other social media or web applications of IUNGO spa), or, including through its own sales representatives, during or subsequent to signing of the Contract, during its fulfilment, or from public sources.
As specified above, IUNGO spa , as the processor assigned to this and in order to fulfil its obligations under the Contract, may keep and/or process data, particularly browsing data, potentially also sensitive, genetic and biometric or judicial data, of third parties, that the Customer/Data Subject possesses as the controller, acquired, with the consent of said third parties, on or during browsing by said third parties of the website(s) (or using other social media or web applications) relating to the Customer/Data Subject concerned.
- Legitimate interests
The legitimate interests of the controller or third parties may constitute a valid legal basis of processing, provided that the interests or rights and fundamental freedoms of the data subject do not prevail. Generally, said legitimate interests may exist when a pertinent and appropriate relationship exists between the controller and the data subject, such as when the data subject is a customer of the controller. It is a specific legitimate interest of IUNGO spa to process the personal data of the Customer/Data Subject: for prevention of fraud, for direct marketing purposes with existing customers (via e-mail, also with profiling to customise business communications, for products/services similar to ones purchased previously), to ensure free circulation of said data within the business Group to which IUNGO spa belongs, or relating to traffic, in order to guarantee security of the networks and the information, meaning the capacity of a network or system to withstand unexpected events or illegal acts that could compromise the availability, authenticity, integrity and confidentiality of the data.
- Circulation of personal data
(8a) Disclosure of personal data – categories of recipients
In addition to the employees and various collaborators of IUNGO spa (who are authorised by IUNGO spa itself to carry out processing, on the basis of sufficient, written operating instructions, in order to guarantee the security and confidentiality of the data), several processing operations may also be carried out by third parties, to whom IUNGO spa assigns certain activities, or part thereof, functional to the purposes of point (4a), and therefore to satisfy both contractual and legal obligations; including, but not limited to: business and/or technical partners; companies that supply banking and financial services; companies that perform document archiving services; debt recovery companies; auditing firms and companies certifying annual financial statements; rating companies; parties who provide assistance and professional consultancy activities to IUNGO spa; customer care companies; factoring companies, companies performing securitization of credit or other transferee title loans; companies in the Group to which IUNGO spa belongs; parties supplying business information; IT services companies. The parties in said categories process the personal data as independent controllers, or as processors, with reference to specific processing operations that form part of the contractual services that said parties provide to/in the interest of IUNGO spa; IUNGO spa provides sufficient, written operating instructions to its processors, with particular reference to adoption of minimum security measures, in order to guarantee the confidentiality and security of the data.
Certain processing operations may be performed by third parties, to whom IUNGO spa assigns certain activities, or part of them, also functionally to the purposes of point (4b), including, but not limited to: business and/or technical partners; companies that supply marketing services institutionally; advertising agencies; parties who supply assistance and consultancy activities for competitions and rewards programs. The parties in said categories process the personal data as independent controllers, or as processors, with reference to specific processing operations that form part of the contractual services that said parties provide to/in the interest of IUNGO spa; IUNGO spa provides sufficient, written operating instructions to its processors, with particular reference to adoption of minimum security measures, in order to guarantee the confidentiality and security of the data.
The list of processors used by IUNGO spa, which is periodically revised, is available on written request, to be sent to IUNGO spa.
The personal data may also be disclosed to the competent authorities, on request, in order to satisfy legal obligations.
(8b) Transfer of the personal data to third countries
The personal data of the Customer/Data Subject may also be transferred abroad, both to European Union countries and to countries outside the European Union. In this latter case, or on the basis of an adequacy decision, or within and with the appropriate safeguards envisaged by the GDPR (therefore, in particular, in the presence of standard contractual clauses on data protection approved by the European Commission), or, in cases other than the above, when one or more of the derogations envisaged by the GDPR exist (in particular, by virtue of the explicit consent of the Customer/Data Subject, or for fulfilment of the Contract concluded by the Customer/Data Subject, or fulfilment of a contract signed between IUNGO spa and another natural or legal person in favour of the Customer/Data Subject, specifically for performance of activities assigned to it by IUNGO spa itself for fulfilment of the Contract concluded with the Customer/Data Subject). With reference to transfer of data to countries outside the European Union, the Customer/Data Subject is entitled, through a written request sent to the offices of IUNGO spa, to know what the appropriate safeguards are (and, in theory, obtain a copy of the document that explains the contractual clauses signed with the data importer and serving to provide appropriate safeguards for protection of the private life, rights and fundamental freedoms of people, with regard to processing of personal data), or derogations that justify said cross-border processing. It is understood that, in the case of transfer of data to countries outside the European Union, for each request relating to said data and also to exercise the rights granted to the Customer/Data Subject by the GDPR, the Customer/Data Subject may always validly contact IUNGO spa.
- Criteria for establishing the personal data storage period
For the purposes of point (4a) above, the storage period of personal data provided by the Customer/Data Subject, and its consequent, potential processing, coincides with the period of limitation of the rights/obligations (legal, fiscal, etc.) deriving from the Contract, which is usually 10 years, unless events occur that could interrupt limitation and thus extend said period.
For the purposes of point (4b) above, the period of potential processing of the data ends when the consent previously provided by the Customer/Data Subject is withdrawn or, if this does not occur, three years after termination of all relations between IUNGO spa and the Customer/Data Subject.
- Rights of the Customer/Data Subject
IUNGO spa recognises – and assists the Customer/Data Subject in exercising – all the rights envisaged by the GDPR, in particular the right to request access to the personal data and extract a copy thereof (Art. 15 GDPR), the right to rectification (Art. 16 GDPR) and to erasure of the data (Art. 17 GDPR), to restriction of processing relating to him or her (Art. 18 GDPR), to data portability (Art. 20 GDPR, if the requirements are satisfied) and the right to object to processing relating to him or her (Arts. 21 and 22 GDPR, for the cases mentioned therein and, in particular, processing for marketing purposes or which result in an automated decision-making process, including profiling, which produces legal effects relating to him or her, if the requirements are satisfied).
IUNGO spa also grants the Customer/Data Subject, if processing is based on consent, the right to withdraw said consent at any moment, without affecting the lawfulness of processing based on consent before its withdrawal. To do this, the Customer/Data Subject may unsubscribe their registration on the Website (or other social media or web applications of IUNGO spa) either by using the specific link present at the bottom of each commercial communication received or by contacting IUNGO spa at the addresses indicated above.
IUNGO spa also informs the Customer/Data Subject of the right to lodge a complaint with the Data Protection Authority, as the supervisory authority operating in Italy, or to bring a legal action, both against the decision of the Supervisory Authority and against IUNGO spa itself and/or a processor.
- Security of systems and personal data
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, IUNGO spa implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, ensuring, in particular, the ongoing confidentiality, integrity, availability and resilience of processing systems and services (also through encryption of the personal data, where necessary) and the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, and adopting internal procedures for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures adopted.
In assessing the appropriate level of security, account is taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
IUNGO spa takes steps to ensure that any natural person acting under its authority or who has access to the personal data does not process it except on instructions from IUNGO spa.
That said, the Customer/Data Subject acknowledges and accepts that no security system guarantees, in terms of certainty, absolute protection; IUNGO spa is therefore not liable for any actions or facts of third parties who, despite the appropriate precautions adopted, illegally gain access to the systems without due authorisation.
- Automated decision-making, including profiling
IUNGO spa carries out automated processing, including profiling, in relation to the purposes of point (4b) above, in order to optimise browsing of the Website (or use of the other social media or web applications of IUNGO spa) and to improve the purchasing experience, except in the case of what is specified above in relation to the right of the Customer/Data Subject to object to processing and to withdraw consent.
Profiling means any form of automated processing of personal data in order to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning, for example, personal preferences, interests or location of said person, in order to create profiles, or homogeneous groups of subjects in terms of their characteristics, interests or behaviour.
IUNGO spa does not carry out any automated processing that produces legal effects relating to the Customer/Data Subject or that significantly effects his or her person, in a similar manner, unless this is necessary for the conclusion or fulfilment of the Contract, is authorised by law or is based on the explicit consent of the Customer/Data Subject, and, in any case, always grants him or her the right to obtain human intervention, to express his or her opinion and to dispute the decision.