Combined with the Cikis S.r.l.
pursuant to articles 13 and 14 of the EU Reg. / 679/2016 and of the Legislative Decree 101/2018 (to modify and integrate the Legislative Decree 196/2003)
1. Who is the data controller?
The company Cikis S.r.l., P.Iva and C.F. 10967730960, with registered office in Piazza Po n. 6 – 20144 – Milan (MI), in the person of its legal representative Ms Serena Moro, acts as “Data Controller” of the processing (hereinafter “the Data Controller”) of the customer’s personal data and any co-obligated (jointly defined the “Data Subject”) referred to in paragraph 2 below and can be contacted at the e-mail address firstname.lastname@example.org – PEC email@example.com.
2. What data are processed?
The Data Controller processes the personal data provided by the Data Subject (user of the website www.cikis.it owned by Cikis S.r.l.), and relating to:
– first name,
– email address,
In the following the personal data processed by the owner will be jointly defined as “Data”.
The Data Controller does not need to process particular data of the Data Subject referred to in Article 9 and 10 of EU Regulation / 679/2016 and, therefore, the Data Subject must not provide them to the Data Controller: if the Data Subject, through the messaging form on the website www.cikis.it, should you communicate data belonging to particular categories, you give your consent to the processing of the same by the Data Controller. It is understood that, at any time, the Data Subject may revoke any consent given by sending a specific request to the e-mail address firstname.lastname@example.org or to the PEC email@example.com.
3. For what purposes are the Data processed?
Data processing will be performed by the Data Controller for the following purposes:
a) conclude the contracts for the services of the Data Controller;
b) fulfill the pre-contractual, contractual and tax obligations deriving from existing relationships with the Data Subject;
c) fulfill the obligations established by law, by a regulation, by community legislation or by an order of the Authority (such as for example in the matter of anti-money laundering);
d) exercise the rights of the Data Controller, such as, for example, the right to defense in court.
The purposes referred to in points (a) to (d) are jointly defined as “Contractual Purposes”.
e) for carrying out activities functional to any securitisations, assignments of credit and issue of securities, disposals of companies and business branches, acquisitions, mergers, demergers or other transformations and for the execution of such operations;
f) for carrying out checks aimed at preventing any fraud.
The purposes referred to in points (e) and (f) are jointly defined as “Legitimate Interest Purposes”.
g) for the promotion of products and services offered by the data controller, also by sending advertising materials, commercial communications, carrying out market research and direct sales activities, both through traditional communication tools, such as mail on paper, which through remote communication tools, such as emails, newsletters, social networks, and other adv communication tools;
The purposes referred to in points (g) to (i) are jointly defined as “Marketing Purposes”.
4. On what basis are the Data processed?
- it is necessary for the Contractual Purposes as it is aimed at the execution of the contract between the Data Controller and the Data Subject, the provision of the requested services and any information relating to them, in the cases referred to in letters from ( a) a (c) of the previous paragraph 3 and to fulfill legal obligations in the case referred to in letter (d) of the previous paragraph 3. The provision of Data is mandatory to manage the contractual relationship and comply with legal obligations: if the Data Subject does not provide such Data, the Data Controller cannot proceed with the stipulation of the Contract and the provision of the services offered;
- the processing for the Legitimate Interest Purposes referred to in paragraph 3, letter (e), is carried out for the pursuit of the legitimate interest of the Data Controller and its counterparties in carrying out the economic operations indicated therein pursuant to Article 6, letter f), of EU Regulation / 2016/679, adequately balanced with the interests of the Data Subject as the processing takes place within the limits strictly necessary for the execution of these operations, while the processing for the purposes of legitimate interest referred to in paragraph 3 , letter (f) is functional to the pursuit of a legitimate interest of the data controller, adequately balanced with the interests of the Data Subject in light of the limits imposed on this treatment and the specific circumstances in which the treatment takes place, illustrated in the same paragraph 3.
The treatment for the purposes of legitimate interest is not mandatory and the Data Subject may oppose said treatment by sending a specific request to the e-mail address firstname.lastname@example.org or to the PEC email@example.com: if the Data Subject opposes to this treatment, your data cannot be used for the purposes of legitimate interest, unless the Data Controller demonstrates the presence of prevailing binding legitimate reasons or the exercise or defense of a right pursuant to article 21 of the GDPR;
- Finally, with the consent of the Data Subject, the data provided may be used for the marketing purposes better specified in letter (g) of the previous paragraph 3. The processing of data for marketing purposes is optional and, if the Data Subject denies the your consent, the same will not receive any commercial communications, will not participate in market research and will not receive communications and services adapted to your profile. Failure to consent to the provision of Data for Marketing Purposes does not in any way prejudice the contractual relationships established with the Data Controller and the provision of the services offered by them. At any time, the interested party may revoke any consent given by sending a specific request to the e-mail address firstname.lastname@example.org or to the PEC email@example.com.
- How is the Data processed?
The processing of the data of the Data Subject is carried out by means of the operations indicated in art. 4 no. 2) of EU Regulation / 679/2016 and, more precisely: collection, registration, organization, storage, consultation, processing, modification, extraction, use, communication by any available form, cancellation and destruction of data. The Data can be processed with manual or IT tools, suitable to guarantee its security, confidentiality and to avoid unauthorized access and violation of the Data processed.
The information storage of Data is carried out by means of cloud computing tools on servers located within the territory of the EU (Ireland): for more information on the safety, compliance and compliance standards required by the GDPR adopted by the chosen external providers, visit the web pages https://support.google.com/drive/answer/2450387?hl=it.
6. To whom is the data communicated?
The Data may be communicated for Contractual Purposes to subjects who perform services connected and functional to the management of the contractual relationship in existence or to be stipulated and, in particular, to the following categories of subjects located within the European Union and, within the limits of referred to in paragraph 7 of this statement, outside the European Union:
- service providers connected to the activities of the Data Controller;
- assistance, tax and legal advice, including debt collection companies;
providers of IT or archiving services, such as, among others, the company that issues and manages the digital signature certificate in the event that the digital signature is used by the Data Subject to sign the contract.
The Data may be disclosed for the Legitimate Interest Purposes referred to in paragraph 3, letter (e) and (f), to suppliers of assistance services, technical, tax and legal advice, assignees of credits in the context of securitization of credit or assignment of credit for purposes strictly connected and instrumental to the management of the relationship with the transferred interested party, as well as to the issue of securities, assignees of company or business branch, potential buyers of Cikis Srl and companies resulting from possible mergers, demergers or other transformations of Cikis S.r.l., also in the context of the activities functional to these operations, and to competent authorities.
Finally, the data may be communicated for marketing purposes to service providers such as external data processors and with the prior consent of the Data Subject, to the third parties referred to in paragraph 3, letter (g). The subjects indicated above may act, as appropriate, as external data processors or independent data controllers. The updated list of companies to which the Data Subject will be communicated may be requested at any time to the Data Controller, by means of a specific request to be sent to the address referred to in paragraph 8 of this information. The data will not be subject to further disclosure with respect to what is indicated in this statement.
7. Are the data transferred abroad?
The data may be freely transferred outside the national territory to countries located in the European Union and to non-EU countries. The interested party will have the right to obtain a copy of the data detained abroad and to obtain information about the place where this data is stored by sending a specific request to the e-mail address firstname.lastname@example.org or to the PEC email@example.com.
8. What are the rights of the interested party?
The Data Subject, in addition to the right to lodge a complaint with a supervisory authority, also has the rights listed below:
- 15 of EU Regulation / 679/2016 – Right of access: “The Data Subject has the right to obtain from the data controller confirmation that personal data concerning him or her is being processed and in this case, to obtain access to personal data and information regarding processing “;
- 16 of EU Regulation / 679/2016 – Right of rectification: “The Data Subject has the right to obtain from the data controller the correction of inaccurate personal data concerning him without undue delay. Taking into account the purposes of the processing, the interested party has the right to obtain the integration of incomplete personal data, also by providing an additional declaration “;
- 17 of EU Regulation / 679/2016 – Right to erasure (right to be forgotten): “The Data Subject has the right to obtain from the data controller the cancellation of personal data concerning him without undue delay and the owner of the processing has the obligation to delete personal data without undue delay “;
- 18 of EU Regulation / 679/2016 – Right to limit the treatment: “The Data Subject has the right to obtain the limitation of the treatment from the data controller when one of the following hypotheses occurs:
a) the Data Subject disputes the accuracy of personal data, for the period necessary for the data controller to verify the accuracy of such personal data;
b) the processing is unlawful and the Data Subject opposes the cancellation of personal data and instead requests that their use be limited;
c) although the Data Controller no longer needs it for processing purposes, personal data are necessary for the Data Subject to ascertain, exercise or defend a right in court;
d) the Data Subject has opposed the processing pursuant to Article 21, paragraph 1, pending verification of the possible prevalence of the legitimate reasons of the Data Controller with respect to those of the Data Subject”;
- 20 of EU Regulation / 679/2016 – Right to data portability: “The Data Subject has the right to receive the personal data concerning him / her provided to a holder in a structured format, commonly used and readable by automatic device of the processing and has the right to transmit such data to another data controller without hindrance by the Data Controller to whom it has provided them. In exercising his rights in relation to data portability pursuant to paragraph 1, the Data Subject has the right to obtain the direct transmission of personal data from one data controller to another, if technically feasible “;
- 21 of EU Regulation / 679/2016 – Right to object: “The Data Subject has the right to object at any time, for reasons related to his particular situation, to the processing of personal data concerning him pursuant to the article 6, paragraph 1, letters e) or f), including profiling based on these provisions “;
- 22 of EU Regulation / 679/2016 – Right not to be subjected to automated decision-making process, including profiling: “The Data Subject has the right not to be subjected to a decision based solely on automated processing, including profiling, that produces legal effects that concern him or that significantly affects his person in a similar way “.
The exercise of the aforementioned rights can be carried out by sending a specific request to the e-mail address firstname.lastname@example.org or to the PEC email@example.com, or through the other methods communicated from time to time by the Data Controller of the treatment.
- Who are the external data processors?
The complete list of Data Processors is available by sending a specific request to the e-mail address firstname.lastname@example.org or to PECcikis@pec.it.
10. How long will the processed data be kept?
The Data Processed by the Data Controller:
- for the Contractual Purposes referred to in letters (a) to (d) and for the Legitimate Interest Purposes referred to in paragraph 3, letter (e), they will be kept for a period equal to the duration of the Contract and / or service offered (including any renewals) and for the 10 years following the end, termination or withdrawal of the same, except in cases where retention for a subsequent period is required for any disputes, requests from the competent authorities or pursuant to applicable legislation;
- for the Legitimate Interest Purposes referred to in paragraph 3, letter (f), will be kept for the duration strictly necessary to ensure the reliability of the checks indicated therein;
- for the Marketing Purposes referred to in paragraph 3, letter (g), they will be kept for a period equal to the duration of the Contract and / or the service offered (including any renewals) and for a maximum period equal to 24 months from the expression of consent by the Data Subject.
- Modifications and Updates.
This information is valid from the date indicated at the bottom. The Data Controller may also make changes and / or additions to this information, also as a consequence of any subsequent changes and / or regulatory additions in force on the matter. If substantial, the changes will be notified in advance and the Data Subject will be able to view the text of the information constantly updated on the website www.cikis.it or make an explicit request to the e-mail address email@example.com or to the PEC cikis. @ pec.it.
Last update date of this document
20th November 2019