Within the meaning and for the purposes (i) of EU Regulation 2016/679 on the ‘protection of natural persons with regard to the processing of personal data, and on the free circulation of such data’, the “GDPR”, art.13 and 14 and (ii) of Legislative Decree of 30 June 2003, n. 196, the ‘Privacy Code’, also jointly called ‘Privacy Policy’, some obligations are set forth upon the subjects carrying out the processing – intended as ‘the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’ – of personal data referred to other subjects (The “Processing”).
flon gaskets headquartered in Viale delle Industrie 7, 24060, Sovere, Bergamo (the ‘Company’) wish to inform you, in the following sections, about the modalities and purposes dealing with the processing of your personal data.
A. Data Controller
The Data Controller is the person who determines the purposes for which and the manner in which personal data are to be processed (the ‘Data Controller’) and is identified in flon gaskets.
The Data Controller may be contacted by e-mail at the following address Viale delle Industrie 7, 24060, Sovere, Bergamo or at the following e-mail address info@flongaskets.it
B. Modalities to collect data from the Data Subject
The Data Controller may acquire your personal data under the following circumstances:
- if you contact us through our website, by email or phone, to require information about our services and products;
- if you buy a product and/or a service carried out by our Company, including pre-contractual negotiations;
- if you provide your data to receive direct marketing communications, newsletters and/or to be updated on the events organised and the marketing initiatives carried out by the Company;
- if the commercial partners of the Data Processor transfer to the Controller your personal data lawfully;
- if the Data Controller acquires your personal data from other sources in accordance with the applicable laws and the requirements under Art. 14 of the GDPR (i.e. public registers, directories, acts or documents available to whoever within the limits and under the conditions provided by law on their knowability).
C. Categories of data subject to Processing
Data processed by Data controller may include:
- Data related to natural persons that are necessary to sign and perform a contractual/commercial relationship with a customer/supplier, such as those referred to the customers/suppliers themselves or those of the legal representative of the customers/suppliers signing the contract for and on behalf of the latter or of the company’s internal representatives of the customers/suppliers themselves (for ex. Name, surname, phone number, email, bank account), involved in the activities dealing with the main contractual/commercial relationship, as well as any other information necessary to perform the contractual/commercial relationship and/or provide services;
- Information dealing with the modalities in which you use the company’s website, you open or send the communications received by the company, including the information collected by the means of cookies and other tracking technologies;
- Images of you collected with photos/videos realized during any event organized by the company (referred to also as “Data”)
D. Purposes and legal basis of the processing
Within the meaning of the Privacy Policy, the processing of personal data must be legitimised by one of the legal provisions provided by art 6 of the GDPR. These are specifically described for each purpose under which the Data Controller processes your data:
- Management of the contractual relationship: the Data Controller shall process your data to reply to your requests, and to fulfil the preliminary requirements for the conclusion of the contract.
Legal basis: processing is necessary for the performance of your contract or of the pre-contractual measures adopted upon your request (art. 6 par. 1 letter b of the GDPR).
Data storage policy: The data that we collect only for an estimate will be stored for a maximum period of five years. The data processed to perform the contract may be stored for the whole duration of the contract and for the subsequent ten years from the end of the fiscal year following the year in question. - Fulfilment of legally binding obligations: The Controller processes your data to fulfil any private law, administrative, fiscal, accounting obligation provided by law, a Regulation, the European legislation or by an order of the Authorities deriving from the outstanding relationship with you.
Legal basis: processing is necessary for the performance of your contract (art. 6 par. 1 letter b of the GDPR) or to fulfil a legal obligation of the Controller (art. 6 par. 1 lett. c del GDPR).
Data retention period: The Data may be stored for the period of time necessary to fulfil any legal obligation and, in any case, for the whole duration of the contract and for the subsequent ten years from the end of the fiscal year following the year in question. - Defend the case for the Data Controller’s rights: if necessary, the Controller will provide all the information dealing with you to the Authorities and the bodies responsible for the enforcement of law, regulation or judicial documents, as well as to third parties into formal dispute. The Data Controller reserves the right to process your personal data to defend his or her rights deriving from the Contract before a judge, also for debt collection, directly or by third parties (debt collection agencies/companies), who will receive your data only for these purposes.
Legal basis: processing is necessary for the purposes of the legitimate interest pursued by the controller, in order to defend a right or make further demands on the outstanding commercial relationship, except where such interests are overridden by the interests or fundamental rights (art. 6 par. 1 letter f of the GDPR).
Data retention period: your data may be stored for the necessary period of time in order to allow the Company to take actions or defend against eventual claims towards you or third parties. - Marketing activities: The data collected for the selling of a product and/or service also through the company’s website may be processed to send you commercial/promotional communications – by automated means (such as email) and/or traditional (i.e. paper mail) related to services offered by the Company – and/or invitations to events organised by the company, as well as for the realisation of market researches, statistical analyses or customer satisfaction collection. At any moment, you will be informed of the modalities to withdraw consent to processing, easily and free of charge. As for promotional purposes of the company, with your consent, the Controller will collect and publish your image on any means of communication, on the company’s website, on social medias or in the local, national or international newspapers as well as on any other means (existing or to be invented in the future).
Legal basis: you have given your consent as data subject of the processing (art. 6 par. 1 letter a of the GDPR).
Data retention period: data collected for marketing purposes may be stored until you withdraw consent, except when any image of you has been published on our website, social medias or commercial brochures. - Promotional activities: in order to promote the core business of the Company, the Controller shall collect personal data pertaining to you (carried out during promotional events) and would share your image on any means of communication, on the Company’s website, on social medias (for instance Facebook, Linkedin) or in the local, national or international newspapers as well as on any other means (existing or to be invented in the future), without any compensation.
Legal basis: you have given your consent as data subject of the processing (art. 6 par. 1 letter a of the GDPR).
Data retention period: data concerning your image will be stored in the controller’s database for twenty-four months. Then, they will be erased, except where they have been shared on the internet, social medias or commercial brochures. You can withdraw consent to the abovementioned processing at any time. If the Controller intend to process your data for other purposes than those mentioned above, he or she is required to inform you of these other purposes before performing it.
E. Nature of consent to data processing:
Consent to data processing for letter a), b), c) purposes is compulsory since it is required to perform legal and contractual obligations. Any refusal or successive withdrawal may determine the inability for the Controller to fulfil the outstanding contractual relationship. Instead, consent to data processing for letters d) and e) is optional and the failure to give consent to the processing to those data will determine the inability to carry out the abovementioned activities.
F. Modalities to process Personal Data:
Processing will be carried out by the Company in compliance with the security measures under art. 32 of the GDPR, through manual, information system and computerised tools specifically designed to store, manage and transmit them to pursue only the purposes for which the data were collected and, in any case, to guarantee their security and confidentiality, as well as in full compliance with the principles of fairness, lawfulness and transparency. No automated tools are used by the Controller to process data.
G. Communication of Data:
Access may be granted to:
- Controller’s employees and associates in charge and/or internal Processors and/or system administrators;
- External third parties carrying out on behalf of the controller outsourcing activities for purposes dealing with support, administrative, accounting, fiscal areas or for purposes related to supply relationship or legal protection;
- Supervisory bodies, judicial authorities and all other subjects which by law require such communication in order to achieve these purposes.
H. Data transfer to a third country or an international organization:
Personal data are to be processed within the European Union and stored on servers located in that area. Anyway, if necessary, the Data Controller will have the right to transmit such data to a third country or to an international organisation and / or to move the servers even outside the EU. In this case, the Data Controller ensures that the transfer of non-EU data will be carried out in accordance with the applicable legal provisions under art. 44 and following of the GDPR.
I. Data subject’s rights:
The Company informs you that, pursuant to articles 15-22 of the GDPR and in relation to your personal data, you as Data subject may exercise specific rights at any time, by contacting the Data Controller, such as:
- Access to your personal data and information, i.e. the possibility to get the confirmation from the Data Controller that the processing of personal Data is in progress. In this case you can get access to own personal Data;
- Rectification of incorrect personal data, as well as the integration of the in-complete data (with an integrative statement);
- The right to deletion of your personal Data if (i) the personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;, (ii) you withdraw consent on which the processing is based and there is no other legal ground for the processing; (iii) the personal data have been unlawfully processed; (iv) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; (v) the data subject objects to the processing pursuant to Article 21subsection 1 and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 subsection 2 of the GDPR, (personal data processed for direct marketing purposes).
- Right to limitation of processing where the accuracy of personal data is con-tested (for the period necessary for the Data Controller to verify the accuracy of such personal data) or the processing is unlawful and/or the interested has opposed the Treatment asking for its limitation;
- Right to data portability like right to receive from the Data Controller personal data in a structured format, commonly used and readable by an automatic device and to transmit such data to another Data Controller, only for cases where the treatment is based on consent and only for data whose treatment is carried out by automated means;
- Right to object without prejudice to the right of the Data Controller to demonstrate the existence of legitimate reasons for proceeding with the Treatment anyway;
- Withdrawal of consent at any time, if the treatment is based on your explicit consent, without negative effects on the lawfulness of the treatments carried out until the exercise of the revocation;
- Right to lodge a complaint with a supervisory Authority of the Member State in which you reside or habitually work or the state in which the alleged violation occurred without prejudice to any other administrative or judicial ap-peal, in case of violation of the aforementioned regulation.
If you need further information on the processing of your personal data and to exercise the above-mentioned rights, you can send a written request using the contacts provided in the ‘Data Controller’ section of this statement. If you request more information about your data, the Data Controller shall respond promptly – unless it is impossible or involves a manifestly disproportionate effort compared with the right to be protected – and in any case no later than thirty days from the request. The Data Controller will justify any inability or delay in doing so to meet the request.
Last update: May 2022