Privacy policy customers and suppliers

Information pursuant to Article 13 of Regulation (EU) 2016/679 on the processing of personal data of the data subject

Pursuant to Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on data protection (hereinafter “Regulation” or “GDPR”), in connection with the processing of your personal data, Metz BH s.r.l. (hereinafter for brevity “Metz” or the “Controller”), whose identity and contact details are set out below,

informs you, in your capacity as data subject,

of the following.

1) Identity and contact details of the Data Controller.

The Data Controller pursuant to Articles 4 and 24 of the Regulation is Metz BH s.r.l., with registered office in Turin (TO), Via Leonardo da Vinci 21, in the person of its legal representative pro tempore, tel. 011-9982093, fax 011-9987605, e-mail

You can contact the Data Controller by writing to the above-mentioned contacts.

2) Purposes of the processing for which the data are intended and legal basis of the processing.

The personal data provided by you to the Data Controller will be processed exclusively for the purposes inherent to the realization of the object of the contract being stipulated or already in existence with the Data Controller, in compliance with the provisions indicated in art. 13 of the Regulation. “Purposes inherent to the realization of the object of the contract” means any data processing operation related to the management, administration and fulfilment of the contractual relationship in question. The legal basis for processing for the aforementioned purposes is Article 6(1)(b) of the GDPR (“processing is necessary for the performance of a contract to which the data subject is party or for the performance of pre-contractual measures taken at the request of the data subject”).

Within the scope of these purposes, the processing is also carried out for the fulfilment of specific legal obligations inherent to the management of the contractual relationship (e.g. of an accounting and/or tax nature). The legal basis of the processing for the above purposes is Article 6(1)(c) of the GDPR (“the processing is necessary for compliance with a legal obligation to which the data controller is subject”).

3) Special categories of personal data

If, in the execution of the contract or in order to fulfil specific legal obligations inherent to the management of the contractual relationship, the undersigned Data Controller should need to acquire data that fall within the particular categories of personal data referred to in art. 9 of the Regulation (in particular, personal data revealing “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data intended to uniquely identify a natural person, data concerning health or sex life or sexual orientation of the person”) these categories of data can be processed only with your free and explicit consent.

The legal basis for the processing of the data provided by you belonging to the above-mentioned special categories of personal data referred to in art. 9 of the Regulation will be represented, in this case, by your specific consent pursuant to art. 9, paragraph 2, letter a), of the Regulation (“the person concerned has given his or her explicit consent to the processing of such personal data for one or more specific purposes”).

4) Modalities of data processing.

In relation to the aforementioned purposes, your personal data will be processed by manual, computerised and telematic means solely for the fulfilment of such purposes and, in any case, in such a way as to guarantee security and confidentiality, in compliance with the provisions of art. 32 of the Regulation concerning security measures, and by specifically authorised persons, in compliance with the provisions of art. 29 of the Regulation.

5) Possible recipients and possible categories of recipients of personal data.

The processing of personal data provided by you will be carried out by persons expressly and specifically designated by the Data Controller who operate in its interest as data processors (art. 28 of the Regulation), as authorised persons (art. 29 of the Regulation) or as persons expressly designated to process data under the terms provided by the Regulation and by the national legislation adapting to the provisions of the GDPR. The data provided may also be processed by the Data Controller directly and communicated to third parties if such processing is functional to legal obligations and the execution of the contract. For this purpose of communication, the data may be brought to the attention of external companies or professionals whose collaboration the Data Controller may use for the purposes indicated in this statement.

The data may be communicated, in order to allow the fulfillment of contractual and legal obligations, to post offices, shippers and couriers for the sending of documents, as well as banks for accounting management arising from the execution of the contract, as well as to public administrations in accordance with the law, and to third parties for the provision of computer services or storage services.

The personal data of the data subject are not subject to dissemination, and the Data Controller will not disclose them or make them available in any way to unspecified parties.

6) Transfer of personal data to a third country or an international organization.

As a rule, no personal data of the data subject will be transferred to a third country outside the European Union or to International Organizations. Should this be necessary for the realization of the object of the contract to be stipulated or already in existence with the Data Controller, the latter undertakes to ensure that any transfer will take place in compliance with the provisions of art. 45 (on the basis of an adequacy decision of the Commission) and 46 (on the basis of the existence of adequate guarantees), if applicable, or in any case pursuant to art. 49 of the Regulation.

7) Period of conservation of personal data.

The personal data being processed will be stored in compliance with the provisions of art. 5, paragraph 1, letter e), of the Regulation in a form that allows the identification of the data subjects for no longer than is necessary to achieve the above-mentioned purposes for which the personal data are collected and processed.

Personal data are stored according to the following criteria: (a) for the time strictly necessary for the achievement of the “purposes inherent to the realization of the object of the contract” for which they are processed and in any case for a period not exceeding 10 (ten) years; (b) for the time strictly necessary for the fulfillment of legal obligations, regulations or provisions issued by supervisory and control bodies.

At the end of the storage period, your data will be deleted, or archived anonymously.

8) Rights of the interested party.

Pursuant to art. 15 et seq. of the Regulation, you, as a data subject, have the right to request from the Data Controller

  • access to your personal data;
  • the rectification or erasure of the same or the restriction of the processing concerning you;
  • the objection to the processing;
  • the portability of the data;
  • where the processing is based on Article 6(1)(a) or Article 9(2)(a) of the Regulation the withdrawal of consent at any time without prejudice to the lawfulness of the processing based on the consent given prior to the withdrawal.

Without prejudice to any other administrative or judicial remedy, a data subject who considers that the processing concerning him or her is in breach of the GDPR has the right to lodge a complaint with a supervisory authority, in particular in the Member State in which he or she normally resides or works, or in the place where the alleged breach has occurred, pursuant to Article 77 of the Regulation (the Italian supervisory authority is the Garante for the protection of personal data).

In order to exercise the above rights, the interested party may contact the Data Controller at the addresses indicated in point 1 of this information notice.

9) Whether the communication of personal data is a legal or contractual obligation or a necessary requirement for the conclusion of a contract; possible consequences of failure to communicate such data.

The communication of your personal data and the consequent processing by the Data Controller are necessary for the establishment, continuation and correct management of the relationship in question; said communication, therefore, must be considered obligatory.

Any refusal on your part to provide the personal data requested may make it impossible for the Data Controller to finalise and manage the contractual relationship with you that is being entered into or is already in existence.

10) Existence of an automated decision-making process, including profiling.

Pursuant to art. 13, paragraph 2, letter f) of the GDPR, we inform you that the personal data collected will not be subject to any automated decision-making process, including profiling referred to in art. 22, paragraphs 1 and 4 of the Regulation.

11) Processing of personal data for a purpose other than that for which they were collected.

If the Data Controller intends to further process your personal data for a purpose other than the purpose for which they were collected, prior to such further processing it will provide the data subject with information regarding such different purpose and any further relevant information referred to in Article 13(2) of the Regulation.

The Data Controller

Metz BH s.r.l.