Falper S.r.L.
Privacy Notice pursuant to Art. 13 of Regulation (EU) No. 679/2016 (“GDPR”)
Falper S.r.L. protects the privacy of personal data and guarantees the necessary protection against any event that may put them at risk of breach.
As required by European Union Regulation No. 679/2016 (“GDPR”), and in particular Article 13, the following information is provided to the user (“Data Subject”) regarding the processing of their personal data.
SECTION I
Who we are and what data we process (Art. 13, para. 1, lett. a, Art. 15, lett. b GDPR)
Falper S.r.L., represented by its legal representative pro tempore, with registered office at Via Veneto 7-9, 40064 Ozzano Emilia – Bologna (IT), acts as Data Controller and can be contacted at info@falper.it. It collects and/or receives information relating to the Data Subject, such as:
| Data Category | Examples of data types |
|---|---|
| Personal/Identification data | first name, surname, physical address, nationality, province and municipality of residence, landline and/or mobile phone, fax, tax code, email address(es) |
| Banking data | IBAN and bank/postal details (excluding credit card numbers) |
| Telematic traffic data | Logs, source IP address |
Falper S.r.L. does not request the Data Subject to provide so-called “special” data, i.e., as defined by the GDPR (Art. 9), personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data intended to uniquely identify a natural person, data concerning health, sex life or sexual orientation. Should the service requested from Falper S.r.L. require the processing of such data, the Data Subject will receive a specific notice in advance and will be asked to provide specific consent.
Purposes for which the Data Subject’s data is required (Art. 13, para. 1 GDPR)
The data is required by the Controller to process registration requests and service/product supply contracts, manage and fulfil contact requests submitted by the Data Subject, provide assistance, and comply with legal and regulatory obligations. Under no circumstances does Falper S.r.L. resell the Data Subject’s personal data to third parties or use it for undisclosed purposes.
In particular, the Data Subject’s data will be processed for:
a) Registration and contact/information requests
Personal data is processed to handle preliminary and subsequent activities related to registration requests, the management of information and contact requests and/or the sending of informational materials, as well as the fulfilment of any other resulting obligations.
The legal basis for such processing is the fulfilment of obligations relating to registration, information and contact requests and/or the sending of informational materials, and compliance with legal obligations.
b) Management of the contractual relationship
Personal data is processed to handle preliminary and subsequent activities related to the purchase of a Service and/or Product, the management of the related order, the provision of the Service and/or the production and/or shipment of the purchased Product, the related invoicing and payment management, the handling of complaints and/or reports to the customer service and the provision of said service, fraud prevention, and the fulfilment of any other contractual obligation.
The legal basis for such processing is the fulfilment of obligations relating to the contractual relationship and compliance with legal obligations.
c) Promotional activities for Services/Products similar to those purchased by the Data Subject (Recital 47 GDPR)
The Data Controller may, even without your explicit consent, use the contact details provided by the Data Subject for the purpose of direct selling of its own Services/Products, limited to cases involving Services/Products similar to those already purchased, unless the Data Subject explicitly objects.
d) Commercial promotional activities for Services/Products different from those purchased by the Data Subject
The Data Subject’s personal data may also be processed for commercial promotional purposes, market research and surveys regarding Services/Products offered by the Controller, only if the Data Subject has authorised such processing and does not object to it.
Such processing may be carried out in an automated manner through the following channels:
- email;
- SMS;
- telephone contact
and may be conducted:
- provided the Data Subject has not withdrawn their consent to the use of their data;
- provided the Data Subject, in the case of processing carried out via telephone contact with an operator, is not registered in the opposition register referred to in Presidential Decree No. 178/2010.
The legal basis for such processing is the consent given by the Data Subject prior to the processing, which may be freely withdrawn at any time (see Section III).
e) IT security
The Controller, in line with Recital 49 of the GDPR, processes – also through its suppliers (third parties and/or recipients) – the Data Subject’s personal data relating to traffic to the extent strictly necessary and proportionate to ensure network and information security, i.e. the ability of a network or information system to resist, at a given level of security, unforeseen events or unlawful or malicious acts that compromise the availability, authenticity, integrity and confidentiality of personal data stored or transmitted.
The Controller will promptly inform Data Subjects should there be a particular risk of breach of their data, subject to the obligations arising from Art. 33 of the GDPR concerning personal data breach notifications.
The legal basis for such processing is compliance with legal obligations and the Controller’s legitimate interest in carrying out processing relating to the protection of company assets and the security of Falper S.r.L.’s premises and systems.
f) Profiling
The Data Subject’s personal data may also be processed for profiling purposes (such as analysing transmitted data and chosen Services/Products, proposing advertising messages and/or commercial offers in line with the choices expressed by users) exclusively where the Data Subject has provided explicit and informed consent. The legal basis for such processing is the consent given by the Data Subject prior to the processing, which may be freely withdrawn at any time (see Section III).
g) Fraud prevention (Recital 47 and Art. 22 GDPR)
The Data Subject’s personal data, excluding special categories (Art. 9 GDPR) or judicial data (Art. 10 GDPR), will be processed to enable checks for the purpose of monitoring and preventing fraudulent payments, by means of software systems that carry out automated checks prior to the negotiation of Services/Products.
Failure to pass such checks will result in the inability to complete the transaction; the Data Subject may in any case express their opinion, obtain an explanation or contest the decision by stating their reasons to the Customer Service or by contacting info@falper.it.
Personal data collected solely for anti-fraud purposes, unlike data necessary for the correct execution of the requested service, will be immediately deleted upon completion of the verification process.
h) Protection of minors
The Services/Products offered by the Controller are reserved for persons who are legally capable, under applicable national law, of entering into contractual obligations.
To prevent unauthorised access to its services, the Controller implements preventive measures to protect its legitimate interests, such as verification of the tax code and/or other checks, when necessary for specific Services/Products, and verification of the accuracy of identification data in identity documents issued by competent authorities.
Communication to third parties and categories of recipients (Art. 13, para. 1 GDPR)
The communication of the Data Subject’s personal data occurs primarily to third parties and/or recipients whose activity is necessary for the performance of activities related to the established relationship and to comply with certain legal obligations, such as:
| Categories of recipients | Purpose |
|---|---|
| Third-party suppliers and Falper S.r.L. companies | Provision of services (assistance, maintenance, product delivery/shipment, provision of additional services, providers of electronic communication networks and services) related to the requested service |
| Credit and digital payment institutions, banking/postal institutions | Management of collections, payments, refunds related to the contractual service |
| External professionals/consultants and consulting firms | Compliance with legal obligations, exercise of rights, protection of contractual rights, debt recovery |
| Tax authorities, public bodies, judicial authorities, supervisory and control authorities | Compliance with legal obligations, defence of rights; lists and registers held by public authorities or similar entities under specific regulations, in relation to the contractual service |
| Formally delegated persons or those with recognised legal title | Legal representatives, trustees, guardians, etc. |
The Controller requires its third-party suppliers and Data Processors to comply with security measures equivalent to those adopted with respect to the Data Subject, restricting the scope of action of the Processor to the processing connected to the requested service.
The Controller does not transfer your personal data to countries in which the GDPR does not apply (non-EU countries), except where specifically indicated otherwise, of which you will be informed in advance and, where necessary, your consent will be requested.
The legal basis for such processing is the fulfilment of obligations relating to the established relationship, compliance with legal obligations and the legitimate interest of Falper S.r.L. in carrying out processing necessary for such purposes.
SECTION III
What happens if the Data Subject does not provide data identified as necessary for the performance of the requested service? (Art. 13, para. 2, lett. e GDPR)
The collection and processing of personal data is necessary in order to fulfil the requested services and to provide the requested Service and/or Product. Should the Data Subject fail to provide the personal data expressly indicated as required within the order form or registration form, the Controller will be unable to proceed with the processing related to the management of the requested services and/or the contract and the Services/Products linked to it, nor with the obligations depending on them.
What happens if the Data Subject does not consent to the processing of personal data for commercial promotional activities relating to Services/Products different from those already purchased?
Should the Data Subject not consent to the processing of their personal data for such purposes, said processing will not take place for those purposes, without any effect on the provision of the requested services, nor on those for which they have already given their consent, where required.
Should the Data Subject have given consent and subsequently withdraw it or object to processing for commercial promotional activities, their data will no longer be processed for such activities, without any adverse consequences or effects for the Data Subject or the requested services.
How we process the Data Subject’s data (Art. 32 GDPR)
The Controller implements adequate security measures to preserve the confidentiality, integrity and availability of the Data Subject’s personal data, and requires third-party suppliers and Data Processors to adopt equivalent security measures.
Where we process the Data Subject’s data
The Data Subject’s personal data is stored in paper, computer and telematic archives located in countries where the GDPR applies (EU countries).
For how long is the Data Subject’s data retained? (Art. 13, para. 2, lett. a GDPR)
Unless the Data Subject explicitly requests their removal, personal data will be retained for as long as necessary for the legitimate purposes for which it was collected.
In particular, data will be retained for the entire duration of the Data Subject’s registration and in any case no longer than a maximum period of 12 (twelve) months of inactivity, or if, within that period, no Services have been associated with or Products purchased through that registration.
In the case of data provided to the Controller for commercial promotional purposes relating to services other than those already obtained by the Data Subject, for which consent was initially given, data will be retained for 24 months, unless consent is withdrawn.
In the case of data provided to the Controller for profiling purposes, data will be retained for 12 months, unless consent is withdrawn.
It should also be noted that, in the event a user submits to Falper S.r.L. personal data that was not requested or not necessary for the execution of the requested service or the provision of a service strictly connected to it, Falper S.r.L. cannot be considered the controller of such data and will proceed to delete it as soon as possible.
Regardless of the Data Subject’s decision to request removal, personal data will in any case be retained in accordance with the terms provided by applicable legislation and/or national regulations, for the sole purpose of ensuring compliance with specific obligations applicable to certain Services (by way of example and without limitation, Certified Electronic Mail, Digital Signature, Digital Document Preservation – see the relevant section in this regard).
Personal data will also be retained in any case for the fulfilment of obligations (e.g. tax and accounting) that persist even after the termination of the contract (Art. 2220 of the Italian Civil Code); for such purposes, the Controller will retain only the data necessary to pursue them.
This is without prejudice to cases in which it may be necessary to assert rights arising from the contract and/or registration in legal proceedings, in which case the Data Subject’s personal data, limited to that which is strictly necessary for such purposes, will be processed for the time indispensable to pursue them.
What are the Data Subject’s rights? (Arts. 15–20 GDPR)
The Data Subject has the right to obtain from the Controller the following:
a) confirmation as to whether or not personal data concerning them is being processed and, if so, access to the personal data and the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the Controller rectification or erasure of personal data, or restriction of processing, or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data is not collected from the Data Subject, any available information as to its source;
- the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject;
- the appropriate safeguards provided by the third country (non-EU) or international organisation in the event of any transfer of personal data.
b) the right to obtain a copy of the personal data undergoing processing, provided that such right does not adversely affect the rights and freedoms of others; for any further copies requested by the Data Subject, the Controller may charge a reasonable fee based on administrative costs.
c) the right to obtain from the Controller the rectification of inaccurate personal data concerning them without undue delay.
d) the right to obtain from the Controller the erasure of personal data concerning them without undue delay, where the grounds set out in Art. 17 of the GDPR exist, including, for example, where the data is no longer necessary for the purposes of the processing or where the processing is assumed to be unlawful, and always where the conditions provided by law are met; and in any case where the processing is not justified by an equally legitimate reason.
e) the right to obtain from the Controller restriction of processing in the cases provided for in Art. 18 of the GDPR, for example where the Data Subject has contested its accuracy, for the period necessary for the Controller to verify its accuracy. The Data Subject must be informed, within a reasonable time, of when the suspension period has ended or the reason for the restriction of processing has ceased, and thus the restriction itself has been lifted.
f) the right to receive notification from the Controller of the recipients to whom any rectification, erasure or restriction of processing has been communicated, unless this proves impossible or involves a disproportionate effort.
g) the right to receive the personal data concerning them in a structured, commonly used and machine-readable format, and the right to transmit such data to another controller without hindrance from the controller to whom it was provided, in the cases provided for by Art. 20 of the GDPR, and the right to have the personal data transmitted directly from one controller to another, where technically feasible.
For any further information and in any case to submit a request, please contact the Controller at info@falper.it. In order to ensure that the above-mentioned rights are exercised by the Data Subject and not by unauthorised third parties, the Controller may request that the Data Subject provide any additional information necessary for this purpose.
How and when can the Data Subject object to the processing of their personal data? (Art. 21 GDPR)
For reasons relating to their particular situation, the Data Subject may object at any time to the processing of their personal data where it is based on legitimate interest or where it takes place for commercial promotional activities, by sending a request to the Controller at info@falper.it.
The Data Subject has the right to erasure of their personal data if there is no overriding legitimate reason on the part of the Controller compared to the reason that gave rise to the request, and in any case where the Data Subject has objected to processing for commercial promotional activities.
Who can the Data Subject lodge a complaint with? (Art. 15 GDPR)
Without prejudice to any other administrative or judicial remedy, the Data Subject may lodge a complaint with the supervisory authority competent in Italian territory (Garante per la protezione dei dati personali) or with the authority that carries out its tasks and exercises its powers in the Member State where the GDPR infringement occurred.
Any update to this Notice will be communicated promptly and through appropriate means; the Controller will also notify the Data Subject if it intends to process their data for purposes other than those set out in this Notice, prior to doing so and following the expression of the relevant consent of the Data Subject where necessary.
SECTION IV
COOKIES
General information, deactivation and management of cookies
Cookies are data sent by a website and stored by the internet browser on the user’s computer or other device (e.g. tablet or mobile phone). Technical cookies and third-party cookies may be installed by our website or its related subdomains.
In any case, the user may manage, or request the general deactivation or deletion of cookies, by changing their internet browser settings. However, such deactivation may slow down or prevent access to certain parts of the website.
The settings for managing or deactivating cookies may vary depending on the internet browser used; therefore, for further information on how to carry out these operations, we recommend that users consult their device manual or the “Help” function of their internet browser. Below are links explaining how to manage or disable cookies for the most commonly used internet browsers:
- Internet Explorer: http://windows.microsoft.com/it-IT/internet-explorer/delete-manage-cookies
- Google Chrome: https://support.google.com/chrome/answer/95647
- Mozilla Firefox: http://support.mozilla.org/it/kb/Gestione%20dei%20cookie
- Opera: http://help.opera.com/Windows/10.00/it/cookies.html
- Safari: https://support.apple.com/kb/PH19255
Technical cookies
The use of technical cookies — i.e. cookies necessary for the transmission of communications over an electronic communications network, or cookies strictly necessary for the provider to deliver the service requested by the customer — enables safe and efficient use of our website.
Session cookies may be installed to allow access to and use of the reserved area of the portal as an authenticated user.
Technical cookies are essential for the proper functioning of our website and are used to enable users to browse normally and make use of the advanced services available on our website. The technical cookies used are divided into session cookies, which are stored exclusively for the duration of browsing until the browser is closed, and persistent cookies, which are saved in the user’s device memory until their expiry or deletion by the user. Our website uses the following technical cookies:
- Navigation or session technical cookies, used to manage normal browsing and user authentication;
- Functional technical cookies, used to store user-selected preferences, such as language;
- Analytics technical cookies, used to understand how users interact with our website in order to evaluate and improve its functioning.
Third-party cookies
Third-party cookies may be installed: these are the analytical and profiling cookies of Google Analytics, Google Doubleclick, Criteo, Rocket Fuel, Youtube, Yahoo, Bing and Facebook. Such cookies are sent by the websites of the aforementioned third parties, external to our website.
Third-party analytical cookies are used to collect information about user behaviour on the website. Data is collected anonymously in order to monitor performance and improve the website’s usability. Third-party profiling cookies are used to create user profiles in order to propose advertising messages in line with the choices expressed by users.
The use of these cookies is governed by the rules established by the respective third parties; therefore, users are invited to review the privacy policies and instructions for managing or disabling cookies published on the following web pages:
For Google Analytics cookies: – privacy policy: https://www.google.com/intl/it/policies/privacy/ – instructions for managing or disabling cookies: https://support.google.com/accounts/answer/61416?hl=it
For Google Doubleclick cookies: – privacy policy: https://www.google.com/intl/it/policies/privacy/ – instructions for managing or disabling cookies: https://www.google.com/settings/ads/plugin
For Criteo cookies: – privacy policy: http://www.criteo.com/it/privacy/ – instructions for managing or disabling cookies: http://www.criteo.com/it/privacy/
For Facebook cookies: – privacy policy: https://www.facebook.com/privacy/explanation – instructions for managing or disabling cookies: https://www.facebook.com/help/cookies/
For CrazyEgg cookies: – privacy policy: https://www.crazyegg.com/privacy/ – instructions for managing or disabling cookies: https://www.crazyegg.com/cookies/
For Rocket Fuel cookies: – privacy policy: http://rocketfuel.com/it/privacy/ – instructions for managing or disabling cookies: http://rocketfuel.com/it/cookie-policy/
For Youtube cookies: – privacy policy: https://www.youtube.com/intl/it/yt/about/policies/#community-guidelines – instructions for managing or disabling cookies: https://support.google.com/accounts/answer/61416?hl=it
For Yahoo cookies: – privacy policy and instructions for managing or disabling cookies: https://policies.yahoo.com/ie/it/yahoo/privacy/euoathnoticefaq/
For Bing cookies: – privacy policy and instructions for managing or disabling cookies: https://privacy.microsoft.com/it-it/privacystatement
Profiling cookies
Profiling cookies may be installed by the Controller(s) through so-called web analytics software. These are used to prepare detailed, real-time analysis reports containing information on: website visitors, referral search engines, keywords used, language of use, most visited pages. They may also collect information and data such as IP address, nationality, city, date/time, device, browser, operating system, screen resolution, browsing source, pages visited and number of pages, duration of visit, number of visits made.