Privacy Policy

INFORMATION ON THE PROCESSING OF PERSONAL DATA

PURSUANT TO ARTICLES 12 AND 13 OF EU REGULATION 2016/679

Preamble

EU Regulation 2016/679 (hereinafter also GDPR) and Italian Legislative Decree 196/2003, as amended and supplemented (Italian Personal Data Protection Code), lay down rules on the protection of natural persons with regard to the processing of personal data, and on the free movement of such data. In order to protect the fundamental rights and freedoms of natural persons, privacy legislation imposes on data controllers the obligation to provide data subjects with information regarding the processing of personal data collected online and offline through various channels.

1) Data controller

The data controller is RELANGHE S.R.L., with registered office in Località San Cassiano n. 34, 12051 Alba (Province of Cuneo), Italy, tax code and VAT number: 02343840043.

2) Processed personal data

The data controller hereby informs you that, for the purposes hereof, personal data means any information concerning your person, capable of identifying you directly and/or indirectly, such as:

The data controller will not process special data. Should it become necessary, the data controller shall process such data in accordance with applicable legislation.

Your data will be collected through your subscription to the newsletter and a request for information sent to the data controller's contacts.

3) Purposes of processing and legal basis

Your data, as defined above, will be processed by the data controller for the following purposes:

  1. To reply to requests sent to the data controller's contacts.
    Your contact data may be processed to respond to requests sent to the data controller's contacts on the website www.relanghe.it.
    The data processing is necessary to perform pre-contractual measures and/or the contract to which the data subject is a party (Article 6, paragraph 1 (b), GDPR). The provision of data is obligatory; failure to provide such data will make it impossible to respond to your request.
  2. To manage applications submitted via the 'work with us' form.
    Your personal and contact data will be processed for the purpose of examining and replying to job application requests.
    The data processing is necessary to perform pre-contractual measures and/or the contract to which the data subject is a party (Article 6, paragraph 1, point b), GDPR). The provision of data is obligatory; failure to provide data will make it impossible to examine your application.
  3. To send commercial communications - newsletters.
    Your contact data may be used - subject to your consent - to send you commercial communications and newsletters (including personalised newsletters, if you have consented to the processing of your data for the purpose referred to in section e) below), via email, text message, messaging tools, or traditional contact methods such as telephone calls and paperbased mail. If consent is not given for profiling, commercial communications may still be sent without making predictions about your preferences and interests.
    The provision of data for this purpose is optional, the prerequisite for such processing is the consent of the data subject (Article 6, paragraph 1 (a) GDPR). Such consent may be withdrawn at any time as described in section 7. Processing carried out in the period prior to withdrawal of consent shall be deemed to have been lawfully carried out. Failure to give consent for this purpose shall not have any consequences on any contractual relationship between the parties.
  4. To send commercial communications - newsletters by Ceretto Group companies.
    Your contact data may be used - subject to your consent - to send you commercial communications and newsletters, via email, text message, messaging tools, or traditional contact methods such as telephone call, paperbased mail, by companies belonging to the Ceretto Group.
    The provision of data for this purpose is optional, the prerequisite for such processing is the consent of the data subject (Article 6, paragraph 1 (a) GDPR). Such consent may be withdrawn at any time as described in section 7. Processing carried out in the period prior to withdrawal of consent shall be deemed to have been lawfully carried out. Failure to give consent for this purpose shall not have any consequences on any contractual relationship between the parties.
  5. For profiling activities.
    The data described in section 2 above may be used - subject to your consent - for profiling activities such as the processing of data to examine your purchasing habits, preferences, goods purchased, frequency of purchase, geographical area of reference, etc., in order to create profiles (individual and/or aggregate), and possibly propose personalised commercial communications (in the event of consent to the processing of data for the purposes referred to in section c above).
    The prerequisite for such processing is the consent of the data subject (Article 6, paragraph 1 (a) GDPR). Such consent may be withdrawn at any time as described in section 7. Processing carried out in the period prior to withdrawal of consent shall be deemed to have been lawfully carried out.
    Failure to give consent for this purpose shall not have any consequences on any contractual relationship.
    If consent is given, no further data will be requested for this purpose. The data controller shall use the data already collected for the pursuit of other purposes if they are deemed compatible with the present purpose.
  6. For aggregate analysis.
    Your data may be used in aggregate form to improve the company's services, for internal statistics.
    The prerequisite for such processing is that the data controller pursues a legitimate interest in the improvement of their services (Article 6, paragraph 1, (f), GDPR). For the achievement of such purpose, the provision of further data will not be required and the data controller shall use the data already collected for other purposes deemed compatible with this one.
  7. To respond to requests from competent authorities, fulfilling legally binding requests.
    Your data may be processed to respond to requests from competent authorities, fulfil legally binding requests.
    The legal basis for such processing is the need to fulfil a legal obligation (Article 6, paragraph 1 (b), GDPR). The data controller shall use the data already collected for the pursuit of other purposes if they are deemed compatible with the present purpose.
  8. For the protection of rights.
    Your data may be processed to protect your rights or those of the data controller, or to take legal action.
    The prerequisite for such processing is that the data controller pursues a legitimate interest in the protection of their rights (Article 6, paragraph 1, (f), GDPR). For the achievement of such purpose, the provision of further data will not be required and the data controller shall use the data already collected for other purposes deemed compatible with this one.

4) Recipients of the collected data

Your personal data will be processed by the data controller for the purposes described above, through entities who have access to your data in order to fulfil their work tasks. These subjects have been specifically authorised by a letter of appointment.

In carrying out its activities, the data controller collaborates with external subjects and/or categories of subjects, who process the data as autonomous data controllers or data processors (in the latter case, duly appointed by the data controller). Your personal data may therefore be communicated, by way of example but not limited to: external consultants and suppliers, banks and credit institutions, insurance companies, carriers, professional firms, other Ceretto Group companies, public administrations, police forces.

Under no circumstances shall your data be transferred to third parties. The list of data processors may be requested from the data controller in the manner provided for in section 7 below.

5) Transfer of data to third countries.

In processing the data collected for the purposes described above, the data controller shall not transfer data to third countries.

6) Data Storage period.

It should be noted that, pursuant to Article 5 of the GDPR, in compliance with the principles of lawfulness, purpose limitation and data retention and minimisation, the data collected for the purposes set out in sections a), b), f), g), h), shall be processed in accordance with the law and for the time necessary to carry out the activities referred to in the above-mentioned purposes, and subsequently retained for the time required by legal obligations. For the purposes referred to in section e), the data shall be processed after obtaining your consent, and will be kept for a maximum period of 12 months. For the purposes referred to in section c), d), the data shall be processed after obtaining your consent, and will be kept for a maximum period of 24 months. Consent may be withdrawn at any time and processing carried out in the period prior to withdrawal of consent shall be deemed to have been lawfully carried out.

7) Rights of the data subjects.

The data subject may exercise the following rights against the data controller with regard to the processing of their data:

You may exercise the rights listed above by sending a request to the address of the registered office or by writing to ceretto@ceretto.com.

We will acknowledge receipt of your request and provide you with the relevant information within 1 (one) month of receiving your request. If necessary, and taking into account the complexity and number of requests, such time period may be extended by 2 (two) months, subject to a motivated communication to be sent within 1 (one) month of receipt of the request.

Any rectification, erasure, restriction or opposition shall be communicated to all recipients, as identified in Article 4 paragraph 1 (9) of the GDPR, to whom such data have been transmitted, unless this proves impossible and/or involves a disproportionate effort.

Following the sending of your request for rectification, erasure, restriction or opposition, if the data controller has reasonable doubts about your identity, they will request further information to confirm it. Such communications will be sent by email.

In the event that the data controller does not comply with your request within 1 (one) month from receipt of the request, the data controller shall inform you of the reasons for non-compliance, informing you as of now of your right to lodge a complaint with the Supervisory Authority (Italian Garante per la protezione dei dati personali), as specified pursuant to Article 13 paragraph 2 (d) and covered by Articles 77 et seq. of the GDPR.

8) Automated decision-making process

The data controller informs you that, for the purpose of processing your personal data, they do not use automated decision-making processes, namely processes aimed at making decisions based solely on technological means according to predetermined criteria (i.e. without human involvement).