Privacy policy customers and contact persons at customer companies


Last update: 11/12/2019

Privacy policy statement pursuant to articles 13-14 of Regulation (EU) 2016/679

Data Subjects: customers and contact persons at customer companies.

In its role of controller of your personal data, pursuant to Regulation (EU) 2016/679, hereinafter ‘GDPR’, GRUPPO ROMANI S.P.A. hereby informs you that, in compliance with the Regulation, data processing must be based on principles of fairness, lawfulness, transparency and protection of your confidentiality and your rights.

Your personal data will be processed in compliance with the legislative prescriptions of the aforementioned regulation and the confidentiality obligations it contains.

Aims and legal grounds of data processing: in particular, your data will be processed for the following aims connected with the fulfilment of legal obligations:

• legally required compliance concerning taxation and accounts.

Your data will also be used for the following aims related to the execution of measures connected to contractual or pre-contractual obligations:

• after-sales service;

• customer care;

• management of disputes;

• management of the contract of sale and the compliance activities connected thereto, including pre-contractual and shipping activities; management of customers;

• customer billing records.

Your data will also be used for the following aims, necessary for the pursuit of the controller’s legitimate interests:

• marketing via email, in relation to services or products that are similar to those you have already purchased, also through the transmission of newsletters or invitations to events concerning said services or products to entitled parties. You can object to this processing aim at the time of data collection or at the time of the transmission of each subsequent communication, using the link at the foot of the message or by sending a request to the controller using the contact details given in this privacy policy statement.

In relation to the above indicated aims, if you are an employee-reference person of the customer-legal entity, your data will be processed due to our need to interact, through you, with the customer-legal entity in question.

Methods of processing. Your personal data can be processed in the following ways:

• by means of computers that use software systems managed by third parties;

• outsourcing of processing operations from third parties;

• automated contact management;

• processing of data collected by third parties;

• reports: to compare and potentially improve the results of communications, systems are used for sending newsletters and promotional communications with reports. Through the reports, the controller can access, e.g.: the number of readers, page views, unique clickers, and clicks; details of the activity of individual users; details of emails sent by date/hour/minute; details of emails delivered or not delivered, of those sent; a list of persons who have unsubscribed from the newsletter; the persons who opened an email or clicked a single link; users experiencing problems viewing the message; link tracking (i.e. the number of clicks on the message links); click tracking (which links were clicked and by whom). All these data are used to compare and potentially improve communication results;

• processing by means of computers;

• manual processing by means of hard copy files.

Each processing operation is carried out in compliance with the methods set out in articles 6 and 32 of the GDPR and by adopting the adequate security measures provided for.

Your data will be processed solely by personnel expressly authorised by the controller and, in particular, by staff in the following categories:

• Administration Department

• Sales Department.

Disclosure: Your data may be disclosed to external parties for correct management of the relationship and in particular to the following categories of recipients who act in the role of duly appointed controllers or processors:

• banks and lenders;

• consultants and freelancers, also in associated form;

• in the context of public and/or private recipients for whom disclosure of the data is required or necessary in compliance with legal obligations or is anyway functional for administration of the relationship;

• service providers that supply hardware and software assistance and cloud services;

• service providers for electronic billing management;

• external platform for management of transmission of corporate communications;

• shippers, hauliers, independent truckers, postal services, logistics companies.

Distribution: Your personal data will not be disseminated under any circumstances.

Your personal data can also be transferred, limited to the above indicated aims, to the following countries:

• EU member states.

Period of Retention. In compliance with the principles of fairness, limitation of aims, and minimisation of data, pursuant to article 5 of the GDPR, the period of retention of your personal data is:

• established for a period of time no greater than the time required to achieve the aims for which they were collected and processed for the execution and fulfilment of the contractual aims;

• established for a period of time no greater than the time required to achieve the aims for which they were collected and in compliance with the obligatory times prescribed by law;

• for marketing aims, the data will be retained as long as contractual relations are in place or until the data subject exercises his or her right to object to processing.

Controller: in accordance with the law, the controller is GRUPPO ROMANI SPA (via A. Volta 9 – 23/25, 42013 Casalgrande (RE), Italy; VAT number: 03028130361; contactable at: 39-0522-998411/911; e-mail: info@grupporomanispa.it; Telephone: +390522998411) in the person of its pro tempore legal representative.

The data protection officer (DPO) appointed by the controller pursuant to article 37 of the GDPR is:

• Name of the DPO available by writing to dpo@grupporomanispa.it (address: c/o the company headquarters).

You have the right to ask the data protection officer for erasure (right to be forgotten), restriction of processing, updating, rectification and portability of your personal data, to object to its processing and, more generally, to exercise all the rights provided by articles 15, 16, 17, 18, 19, 20, 21, 22 of the GDPR.

Regulation (EU) 2016/679: Articles 15, 16, 17, 18, 19, 20, 21, 22 – Data Subject rights

1. The data subject has the right to receive confirmation regarding the existence of personal data concerning him or her, even if not yet subscribed, and to receive a copy of such data in intelligible form. The data subject also has the right to lodge a complaint with the Supervisory authority.

2. The data subject has the right to be informed of:

a. the source from which the personal data originate;

b. the aims and methods of processing;

c. the logic applied in the case of data processing performed with the aid of electronic equipment;

d. the name and contact details of the controller, of the processors, and of the controller’s representative pursuant to article 5, subsection 2;

e. the recipients or categories of recipients to whom the personal data may be disclosed or who may become informed of the personal data in their role of designated representative in the Member State, and of processors or persons authorised to process personal data.

3. The data subject has the right to obtain:

a. updating, rectification and, taking into account the purposes of processing, completion of incomplete personal data concerning him or her;

b. erasure, transformation into anonymous form or blocking of data processed in violation of the law, including data whose retention is not required for the aims for which the data were collected or subsequently processed;

c. an attestation that the operations as at letters a) and b) have been brought to the attention, also with regard to their contents, of the parties to whom the data were disclosed or disseminated, except for cases in which compliance with this requirement is not possible or would require the use of manifestly disproportionate resources with respect to the protected right;

d. data portability.

4. The data subject has the right to object, entirely or partly:

a. for legitimate grounds, to the processing of personal data concerning him or her, even if relevant to the aim of data collection;

b. to the processing of personal data concerning him or her for transmission of advertising or direct sales material, for market surveys or for commercial communications.
