(All. 06.22A EN v.01 MODELLO v.00)
To the data subject (legal person or natural person)
In the text below, Wondersys is also referred to as ‘our company’, and your company, or you personally, as ‘your company’.
This Privacy Statement is provided on the basis of Articles 13 to 22 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
The following definitions are taken from Articles 4 and 9 of Regulation (EU) No 679/2016, to which reference is made for full terminology, and are summarised:
- “Personal data” is any information relating to an identified or identifiable natural person (data subject), whether identifiable directly or indirectly. In particular, data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric identification data, and data concerning health, sex life or sexual orientation are considered ‘special categories of personal data’ (or ‘sensitive’ data as defined in Legislative Decree No 196/2003).
- “Processing” relates to any operation on personal data (collection, recording, organisation, storage, alteration, retrieval, consultation, transmission, dissemination, restriction, erasure, etc.).
- The “data controller” determines the purposes and means of the processing of personal data and is legally responsible for compliance with the obligations laid down in the Regulation.
- The “data processor” processes personal data on behalf of the controller, taking appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
- “Data subjects” are persons whose personal data are involved in the processing.
Categories of personal data processing and their acquisition by our company
Our company acquires the ‘common’ personal identification data (such as name, telephone number, e-mail address and company role), which are neither sensitive or special (Article 9 of Regulation (EU) No 679/2016), nor judicial (Article 10 of Regulation (EU) No 679/2016), nor concerning minors, of your company’s staff and of anyone else through whom you may contact us, including your suppliers, employees and clients, for the sole purpose of interacting directly with you and managing the pre-contractual and contractual relationship for the purposes of any offer or order. More generally, your personal contact details serve to allow interaction even at a preliminary level. This notice therefore does not require consent to the processing.
Should we enter into a contractual relationship providing for the processing of your personal data of a particular category, we will send you a specific privacy statement requesting the necessary consent.
In general, an initial acquisition of your contact details may have taken place indirectly, through public bodies with which your company is registered (e.g. Confindustria), or directly, by your having contacted us or by our having already received offers and/or supplies from you. Our company can also receive personal data via its own websites from those who request contact or subscribe to newsletters, as well as by any other means (post, telephone or e-mail) by which data subjects contact it directly or which they have deliberately made public.
Identity and contact of subjects involved in the personal data processing
- Joint data controllers, in accordance with Article 4 of Regulation (EU) No 679/2016 (GDPR):
  - Wondersys s.r.l. – Via A. Lampredi, 45 – 57121 Livorno – Italia – P.IVA 01598430492
  - Wondersys GmbH – Zeil 109, 60313 Frankfurt am Main – Deutschland – Umsatzsteuer-Identifikationsnummer DE351096893
  The two companies are under the same ownership and use the same e-mail address provided.
- Company data processor:
  - firstname.lastname@example.org (in case your data are taken from our website)
- People in charge of relations with suppliers and/or collaborators and administrative and financial management, as well as the Company Directorate and the (Information) System Administrator of our company.
- Staff responsible for monitoring the implementation of contractual activities.
- External data processor of your personal data: Google, as the provider used by our company to record common contact data and to meet pre-contractual and contractual requests, is the party responsible for data storage, data transfer, and the encryption and decryption needed to make the data usable by the user.
- As regards the personal data of your employees, collaborators and any other data subjects that have been communicated to us by your company, it is your company that takes on the role of data controller, while our company is the external data processor.
The purposes and legal basis for the processing
In general terms, the lawfulness of the processing results, in accordance with Article 6 of Regulation (EU) No 679/2016, from one or more of the following conditions:
- performance of the contract, or of pre-contractual measures, to which your company is a party,
- the legitimate interest of the data controller, which must not override the interests or fundamental rights and freedoms of the data subject, such as the right to credit protection, the need to prevent fraud, or the obligation to comply with legal requirements.
Where special categories of data are involved, processing is permitted, in accordance with Article 9 of Regulation (EU) No 679/2016, on the basis of:
- explicit consent to the processing of sensitive data,
- acquisition of data that are already manifestly public.
Specifically, the main purposes of our processing of your data are:
- the management of communications between our company and your company, in particular in relation to what may concern pre-contractual and contractual relationships to which your company and its representatives are parties.
- direct marketing by us (without entrusting it to a third party), carried out by sending sporadic commercial e-mails, limited to products for which you have recently requested an offer, purchase or subscription. For different or more frequent sending of advertising material, we would ask you, by other means, for your explicit consent. In all cases, you can object simply by writing to one of the addresses provided to you.
- creditworthiness assessment, prevention of over-indebtedness, statistical processing (excluding automated decisions), protection and recovery of claims, consultation, comparison with pre-established criteria and any other appropriate operations relating to the achievement of those objectives.
Communication and dissemination of data (other recipients of the data)
The recipients of the personal data of the data subjects are all those persons, controllers and processors, whether internal or external to our company, who are responsible for the data processing, within the limits of their intended purpose.
These entities, as far as our company is concerned, include the natural persons of the (operational) owner, the Business Manager and the operators involved, as well as the System Administrator, as specified above. They rely, inter alia, on cloud services supplied by providers such as Google LLC, the provider of Google Workspace (formerly G Suite) and Google Cloud Platform, which, by its own declaration, acts as external data processor.
Other recipients may be external suppliers of our company, such as IT companies, credit protection bodies, payment companies, insurance companies, retailers, contractors, credit brokers, factoring and/or debt collection companies and law firms, where they are engaged in the performance of pre-contractual, contractual and post-contractual activities. In such cases, only the data necessary for the purpose will be transmitted, in accordance with the principle of minimisation.
In any event, our company does not disseminate, let alone commercialise, personal data with third parties that are not directly involved in the processing for the specific purposes.
Transfer of your data to non-EU countries
Providers such as Google keep, also for the purpose of protection against data loss, duplicates on several mass storage media in different locations, some of them outside the European Union (‘third countries’), while still meeting the requirements of the GDPR: either the country has been explicitly authorised by the Authority (adequacy decision, Article 45 of Regulation (EU) No 679/2016) and/or other safeguards laid down in the GDPR or by the European Commission apply, such as the EU Standard Contractual Clauses (as an alternative to the EU-U.S. Privacy Shield, in force for the U.S.A. until July 2020).
Guarantees offered by Google
Certifications listed at https://cloud.google.com/security/compliance/#/:
- ISO 27001 Information technology — Security techniques — Information security management systems — Requirements;
- ISO 27017 Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services;
- ISO 27018 Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors;
- System and Organization Controls: SOC 1 (controls on financial reporting), SOC 2 (controls on security, availability and confidentiality), SOC 3 (public report on security, availability and confidentiality controls);
- Cloud Security Alliance CSA STAR (protection of cloud computing environments);
- TISAX certification (Trusted Information Security Assessment Exchange, an IT security framework), at assessment level 2 (AL2);
- compliance with the GDPR according to https://privacy.google.com/businesses/compliance/?hl=it#!?modal_active=none;
- EU-U.S. Privacy Shield Framework;
- Swiss-U.S. Privacy Shield Framework;
- signature of Model Contract Clauses (corresponding to the EU Standard Contractual Clauses);
- adherence to the GDPR, as per https://cloud.google.com/security/compliance/eu-mcc/ and https://cloud.google.com/security/gdpr/;
- white paper “Google Cloud and GDPR” at https://cloud.google.com/security/gdpr/;
- transparency about the entities engaged (Google Cloud Platform Subprocessors).
Period of data retention
Personal data shall be kept and managed for a period consistent with the purposes of the processing (Article 5 of Regulation (EU) No 679/2016) and shall be further retained for any subsequent periods required to comply with legal requirements. Depending on the case, the retention period may be predetermined, but more generally it is linked and limited to the needs of the processing itself, in accordance with the needs of the data controller and of the data subjects.
Personal contact details are deleted when, apart from any contractual relationship, our company’s interest in your company ceases, as well as when it is found that a contact is no longer linked to it. A check of the archives, wherever they are located, shall be scheduled every five years to verify comprehensively whether or not individual contacts still need to be kept, with possible deletion of the records, subject to a renewed transmission of this notice and, if necessary, of the request for consent to the processing.
Technical and organisational measures
In general, our company, in the context of privacy by design and privacy by default, takes the following measures (Articles 24, 25 and 32 of Regulation (EU) No 679/2016) for all personal data processing carried out, in order to mitigate the possible risks to the freedoms and rights of natural persons, which may arise in the event of data breaches or physical destruction:
- minimisation, by acquiring and managing only the data strictly necessary for the purposes of the processing,
- training and awareness-raising of all company staff on compliance with the requirements of the GDPR,
- formal appointment of all data processors, operational and business handlers, system administrators and other possible staff members,
- commitment to the confidentiality, in case of special categories of personal data, by all data processors,
- security management against data breaches for physical devices and access to company accounts, through hardware, software and organisational measures,
- measures against theft and possible disasters within the premises of the company,
- protection of any working copies of necessary personal data held temporarily on the mass storage of personal computers, by means of protections adopted on the computer itself, in accordance with internal instructions issued for that purpose, and their deletion at the end of the relevant local processing,
- verification of guarantees provided by cloud service providers, such as certifications acquired, third-party audits, declarations of responsibility,
- use of cloud services that ensure data redundancy and possible restoration,
- use of the Gmail service for sending and receiving e-mail, in order to benefit from SSL/TLS encryption of messages in transit,
- establishment of a register of processing activities of the data controller and of the company data processor (Article 30), for each category of personal data processing or, where necessary, for each individual processing operation.
As a general rule, further measures may be taken for specific processing operations, as suggested by the risk assessment and, where relevant and necessary, by the impact assessment (Article 35 of Regulation (EU) No 679/2016). If the outcome of an impact assessment reveals that, even with the measures that can reasonably be implemented in place, high risks for the data subjects remain, prior consultation of the supervisory authority is envisaged, or alternatively the processing, and therefore the possible contract, is waived.
Rights of data subjects, in accordance with Articles 15 to 22 of Regulation (EU) No 679/2016 and Article 7 of Legislative Decree No 196/2003
- Right to information and right of access (Article 15 of Regulation (EU) No 679/2016). The data subject shall have the right, upon request, to obtain confirmation as to whether or not his or her personal data are being processed and, if so, to obtain access to the data and related information.
- Right of rectification (Article 16 of Regulation (EU) No 679/2016). The data subject shall have the right to have his or her inaccurate data corrected or supplemented without undue delay in accordance with the purposes of the data processing.
- Right to withdraw consent (Article 13 of Regulation (EU) No 679/2016). The data subject should have the possibility to withdraw prior consent for the processing of his or her personal data for a purpose.
- Right to erasure or “right to be forgotten” (Article 17 of Regulation (EU) No 679/2016). Erasure, which also covers data transmitted to third parties, to whom the data controller must forward the request, must be carried out following withdrawal of consent or objection to processing (provided that this is not contrary to statutory or other mandatory provisions), as well as on other events, irrespective of the data subject’s requests, such as the cessation of the purposes of the processing.
- Right to restriction of processing (Article 18 of Regulation (EU) No 679/2016). The data subject has the right to request that processing be suspended for a period (while the data are retained), in the event of disputes or other legitimate occurrences that may require their availability, until the dispute is resolved.
- The right that any such request also be communicated to those to whom the data have been disclosed or disseminated, except where this proves impossible or involves a commitment of means that is manifestly disproportionate to the right protected.
- Right to data portability (Article 20 of Regulation (EU) No 679/2016). The data subject may request to receive his or her personal data in a commonly used machine-readable format and may request its transmission to another controller.
- Right to object (Article 21 of Regulation (EU) No 679/2016). The data subject shall have the right to object, on legitimate grounds, to the processing of his or her personal data, in whole or in part, without this entailing their erasure, in respect of a specific part of the processing, such as, for example, processing for the purpose of direct marketing.
- Right to object to automated processing (Article 22 of Regulation (EU) No 679/2016). The data subject has the right not to have his or her data processed by way of automated decisions, such as profiling, because he or she considers, for example, that non-manual processing cannot take his or her individual circumstances into account.
- The right to be notified by the data controller of any breaches of personal data (Article 34 of Regulation (EU) No 679/2016), if this represents a high risk to the rights and freedoms of the individual despite any countermeasures applied.
- Right to lodge a complaint with the Supervisory Authority.
- Right to know the logic applied in the case of processing using electronic means.
- Right to the information given in this notice: purposes and methods of processing, identification details of the controller (or its representative) and of the processor, and the persons or categories of persons to whom the personal data may be disclosed or entrusted.
Exercise of their rights by data subjects
Data subjects may address their queries concerning the processing of personal data to our company, by contacting the data controller or the data processor, by the most appropriate means, by e-mail or by post, preferably by certified e-mail or registered mail, but in any case in writing. Unsubscription from newsletters can be done via the link provided in each newsletter sent.
Our company will comply with these requests within the time limits laid down in the GDPR, unless problems in this respect are communicated, by means of manual procedures, even when interfacing with electronic applications and services, or automatically wherever this is possible and provided for.
However, if requests are manifestly unfounded or excessive, a reasonable fee may be charged to the applicants, or the requests may be refused.
Consequences of failure to submit data or to object to processing
Failure to provide the data, or a request to delete or restrict the data, would prevent our company from fulfilling its pre-contractual commitments and contractual obligations, necessarily leading to termination of the contract, if already concluded, or otherwise to our company’s possible waiver of any products or services to which the personal data relate and that could not be processed, including the possibility of contacting your company.