Sofidel respects your privacy and protects your personal data.
Please find below the policy, drafted pursuant to Articles 13 and 14 of European Regulation No. 679/2016, on the protection of personal data (for brevity, referred to as the ‘Regulation’ or ‘GDPR’), regarding the processing of any personal data that you provide when you browse our websites and/or use the services contained therein.
Below we describe the general rules of data processing, the rules on cookies and how it is always possible for you to withdraw your consent to certain processing of your personal data.
Your personal data shall be processed by Sofidel in accordance with the principles of law and the Regulation. Please note that processing of personal data means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1. DATA CONTROLLER AND DATA PROTECTION OFFICER
The Data Controller is Sofidel S.p.A., with registered office in Via G. Lazzareschi no. 23 – 55016 Porcari (LU), Italy (hereinafter, ‘Data Controller’ or ‘Sofidel’), who can be contacted at firstname.lastname@example.org.
The Data Controller has appointed a Data Protection Officer (‘DPO’) who can be contacted at email@example.com.
2. CATEGORIES AND TYPES OF PERSONAL DATA PROCESSED
By using the sites www.papernet.com and www.sofidel.com (hereinafter for brevity referred to as the ‘Websites’), the Data Controller may collect and process the following personal data:
a. Browsing data
We refer to all those parameters relating your operating system and the computer environment you are using, including IP address, location (country), computer domain names, URI (Uniform Resource Identifier) addresses of the resources requested on the Websites, time of the requests, method used to send requests to the server, size of the file obtained in response to a request, numerical code indicating the status of the response given by the server (successful, error, etc.), and so on. This information is collected by the Websites and enables them to function.
We inform you that this personal data is used by the Data Controller solely in order to obtain anonymous statistical information on use of the Websites, and to check that they function correctly and identify any malfunctions and/or abuses
This personal data is deleted immediately after processing, unless it is necessary to identify those responsible in the event of suspected cybercrimes against the Websites or third parties.
b. Data voluntarily provided by the user
We refer to the personal data you voluntarily enter in the information collection forms that may be on the Websites, such as, for example, the information request form in the ‘Contact Us’ section, where you are asked to enter your contact details, such as, for example, your first name, your last name, your city and/or province of residence, your email address and/or your telephone number, as well as any personal data you may provide us in the requests for information sent to the email addresses of the Data Controller’s customer service department published on the Websites.
c. Data processed as a result of services rendered online
Without prejudice to any specific information that may be available in the various sections of the Websites, this document is also intended to cover the processing of the data you voluntarily provide in order to receive services provided online. For example, we refer to the registration service and access to your personal area, where your personal data such as personal details and contact details shall be processed.
3. FINALITÀ DEL PURPOSE OF PROCESSING
Your personal data shall be processed, if necessary with your consent, for the following purposes, where applicable:
a) to allow you to browse the Websites and to receive services, such as participating in the prize competition, in the prize draw as per the competition rules duly published by the Data Controller on the relevant site, including the management of security profiles;
b) to respond to any requests you submit using the appropriate forms available on the Websites or through the customer service email addresses published on the Websites;
c) with your consent, to send you promotional and marketing communications, including newsletters, promotional offers, commercial initiatives, advertising material, direct sales and market research, on the products and services of the Data Controller and/or of Business Partners, as well as invitations to events and initiatives organised by the Data Controller or by companies in the Group, by automated means (text message, multimedia message, email, automated call systems without an operator, use of social networks, push notifications, WhatsApp, fax) and non-automated means (paper mail, telephone with operator);
d) with your consent, to analyse your purchasing choices and behavioural preferences, in order to better structure personalised commercial communications and offers, to carry out general analyses for strategic orientation and commercial intelligence purposes and for profiling activities in general;
e) for statistical evaluation and monitoring purposes; this purpose involves analysis of aggregate information that does not relate to identified or identifiable natural persons and, therefore, does not constitute personal data and thus does not allow the Data Controller to trace your identity in any way;
f) to fulfil any obligations under applicable laws, regulations or EU legislation, or to comply with requests from the authorities;
g) in the event that it is necessary to ascertain, exercise or defend a legal claim.
4. LEGAL BASIS AND MANDATORY OR OPTIONAL NATURE OF THE PROCESSING
The legal basis for processing personal data for the purposes referred to in points a) and b) is Article 6(1)(b) of the Regulation, since the processing is necessary for the provision of the services you have requested. Providing your personal data for these purposes is optional, but failure to do so would make it impossible to activate the Services provided by the Website or respond to requests.
The processing carried out for the marketing and profiling purposes described in points c) and d) is based on your giving consent pursuant to Article 6(1)(a). Your consent can be withdrawn at any time. Providing your personal data for these purposes is therefore entirely optional and does not affect the use of other services offered by the Websites. With regard to marketing purposes, it should be noted that the Data Controller collects a single consent for the marketing purposes described herein, pursuant to the General Provision of the Italian Data Protection Authority ‘Linee guida in materia di attività promozionale e contrasto allo spam’ (Guidelines on promotional activities and combating spam) of 4 July 2013. If, in any event, you wish to object to the processing of your data for marketing or profiling purposes, you may do so at any time by contacting the Data Controller at the addresses indicated in the ‘Contacts’ section of this policy.
Finally, it should be noted that the processing referred to in point e), not being personal data, does not fall under the scope of the legislation on the data protection and can therefore be freely carried out by the Data Controller.
The purpose referred to in point f) constitutes lawful processing of personal data within the meaning of Article 6(1)(c) of the Regulation.
Data processing carried out for the purposes referred to in point g) is based on the legitimate interest of the Data Controller pursuant to Article 6(1)(e) of the Regulation.
5. RECIPIENTS OF PERSONAL DATA
Your personal data may be shared, for the purposes indicated, with the following recipients:
- Persons who typically act as Data Processors pursuant to Article 28 of the Regulation on behalf of the Data Controller, in particular: persons in charge of providing the Services (for example, hosting providers or providers of email platforms); persons authorised to perform technical maintenance (including maintenance of network equipment and electronic communication networks), etc. The complete list of Data Processors is available by sending a written request to the Data Controller at the addresses indicated in the ‘Contacts’ section of this policy.
- Persons authorised by the Data Controller to process personal data necessary to carry out activities strictly related to the provision of services, who have committed to maintaining confidentiality or are under an appropriate legal obligation of confidentiality..
- Persons, entities or authorities to whom it is compulsory to communicate your personal data pursuant to the provisions of the law or orders by the authorities.
- Your data may be accessible to other companies of the Sofidel Group for the same purposes as above and/or for administrative and accounting purposes pursuant to Art. 6(1)(f) and Recitals 47 and 48 of the Regulation.
6. TRANSFERS OF PERSONAL DATA
Some of your personal data is shared with persons who may be located outside the European Economic Area. The Data Controller ensures that the processing of your personal data by these parties is carried out in compliance with Articles 44 – 49 of the Regulation. Transfers may be based on an adequacy decision, on Contractual Clauses approved by the European Commission or on another appropriate legal basis. Further information is available by sending a written request to the Data Controller at the addresses indicated in the ‘Contact’ section of this policy.
7. RETENTION OF PERSONAL DATA
Personal data processed for the purposes set out in points a) and b) shall be kept for the time strictly necessary to achieve those purposes.
For the purposes referred to in points c) and d), your personal data shall instead be processed for the period strictly necessary to achieve the purposes for which they were collected, respecting the principle of minimisation referred to in Article 5(1)(c) of the GDPR and, in any event, until your consent is withdrawn. Upon withdrawal of consent, the data processed for the purposes of points c) and d) above shall be permanently deleted or anonymised.
In general, the Data Controller reserves the right to retain your data for as long as necessary to comply with any legal obligation to which it is subject or to meet any defensive needs. This is without prejudice to the possibility for the Data Controller to retain your personal data for the period of time provided for and permitted by law to protect its interests (Art. 2947 of the Civil Code).
Further information on the data retention period and the criteria used to determine this period may be requested by sending a written request to the Data Controller at the addresses indicated in the ‘Contact’ section of this policy.
8. RIGHTS OF THE DATA SUBJECT
In accordance with Articles 15-22 of the Regulation, you have the right to access your personal data at any time. In particular, you shall be able to request the rectification (Article 16), erasure (Article 17), restriction (Article 18) and portability of your data (Article 20), not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or significantly affects you in a similar way (Article 22), as well as to withdraw any consent you have given (Article 7(3)).
Furthermore, you may lodge a request to object to the processing of your personal data, stating the reasons for your objection: the Data Controller reserves the right to evaluate the request, which shall not be accepted if there are legitimate grounds for the data processing which override your interests, rights and freedoms. We also inform you that you have the right to object at any time and without justification to the profiling and the sending of direct marketing by automated means (e.g. text message, multimedia message, email, automated call systems without operator, use of social networks, push notifications, WhatsApp, fax) and non-automated means (paper mail, telephone with operator). Moreover, with regard to direct marketing, this right may also be exercised in part, for example, in this case, by objecting only to the sending of promotional communications by automated means.
Requests should be addressed in writing to the Data Controller at the addresses indicated in the ‘Contact’ section of this policy.
To exercise the above rights or for any other request, please write to the Data Controller at firstname.lastname@example.org.
You can also contact the Data Protection Officer at the Data Controller’s head office at the above address and/or by e-mail at email@example.com.