Policy on the processing of personal data

(Articles 13 and 14, GDPR 679/2016)

Pursuant to Article 13 of EU Regulation 2016/679 (hereinafter, “GDPR”), as Data Controller, Cartai Bassanesi S.p.A., sole-shareholder company, located at Via Santa Caterina 258, 31011 Asolo (TV), Italy, VAT no. 02213280247, email cartai@cartaibassanesi.it (hereinafter, “Data Controller”), informs you that your data will be processed in the following manner and for the following purposes:

1. Subject of data processing

The Data Controller processes personal, identity and non-sensitive data (in particular, first and last name, tax code, VAT number, email address, telephone number—hereinafter “personal data” or “data”) communicated by you during business relations.

2. Purpose of data processing

Your personal data are processed:
  1. without your express consent (Article 6(b) GDPR), for the following Service Purposes:
    1. to comply with pre-contractual, contractual and fiscal obligations arising from dealings with you
    2. to comply with obligations required by a law, regulation, EU legislation or an order by the Data Protection Authority
    3. to exercise the Data Controller’s rights, e.g., the right of defence in court
  2. only with your specific and direct consent, for the following Marketing Purposes:
    1. to send you by email newsletters, commercial communications and/or information on products or services offered by the Data Controller
If you are already our customer, we may send you commercial communications regarding the Data Controller’s services and products similar to those you have already used, unless you refuse (Article 130 par. 4 of the Italian Privacy Code).

3. Processing method

Your personal data are processed by means of the operations indicated in Article 4 of the Italian Privacy Code and Article 4.2 of the GDPR: collection, recording, organisation, storage, consultation, processing, modification, selection, retrieval, comparison, use, networking, blocking, dissemination, deletion or destruction. Your personal data undergo both paper and electronic and/or automated processing.

The Data Controller processes your personal data for the time necessary to fulfil the aforementioned aims, and in any case, for no more than ten years after termination of the relationship for Service Purposes and no more than two years after the collection of the data for Marketing Purposes.

Your data may be made accessible for the purposes set out in Articles 2.1) and 2.2):
  • to employees and collaborators of the Data Controller of Cartai Bassanesi S.p.A., sole-shareholder company, in their capacity as internal processing agents and/or managers and/or system administrators
  • partners with which Cartai Bassanesi S.p.A., sole-shareholder company, collaborates (e.g., for support activities in examining the feasibility of the customer's project, for technical management of the project, for the storage of personal data, etc.) or with third parties (e.g., website management and maintenance providers, suppliers, credit institutions, professionals, etc.) performing outsourcing activities on the Data Controller’s behalf, in their capacity as external data processors
  • With Scotton S.p.A. for all outsourced management services, and by virtue of the contractual agreements related to data processing between the two companies

4. Communication of personal data

The Data Controller may communicate your data without your express consent for the purposes set out in Article 2.1) to supervisory bodies, judicial authorities and to all other persons to whom communication is required by law for the specified purposes. Your data will not be disclosed.

5. Transfer of personal data

Personal data will be managed and stored on the servers of the Data Controller and/or third-party companies entrusted with this service and duly appointed as data processors located within the European Union. The data will not be transferred outside the European Union. In any case, it is understood that the Data Controller may change the location of the servers in Italy and/or the European Union and/or non-EU countries, if necessary. In this case, the Data Controller hereby guarantees that data will be transferred outside the EU in accordance with applicable legal provisions, by entering into agreements guaranteeing adequate protection and/or by adopting the standard contractual clauses provided for by the European Commission, if necessary.

6. Nature of the provision of personal data and consequences of refusal to respond

The provision of personal data for the purposes set out in Article 2.1) is mandatory. If personal data are not provided, we will be able to guarantee neither registration on the site nor the Services under Article 2.1).

The provision of personal data for the purposes set out in Article 2.2) is optional. Therefore, you may decide not to provide any data or to subsequently deny processing of data already provided: in this case, you will not receive newsletters, commercial communications or advertising material related to the services offered by the Data Controller. In any case, you will continue to be entitled to the Services mentioned in Article 2.1).

7. Rights of the data subject

As a data subject, you have the rights established in Articles 15 et seq. of the GDPR, and in particular:
  • to receive confirmation of the existence or otherwise of personal data concerning you, even if not yet registered, and their communication in an intelligible form
  • to obtain information on: a) the origin of the personal data; b) the purposes and methods of processing; c) the logic applied for processing using electronic media; d) identification details of the data controller, managers and representative appointed in accordance with Article 5, paragraph 2 of the Italian Privacy Code, and Article 3, paragraph 1 of the GDPR; e) the subjects or categories of subjects to whom personal data may be communicated or that may become aware of them as designated representatives in the State, managers or processors
  • obtain: a) updating, correction or, when necessary, integration of the data; b) deletion, transformation into anonymous form or blocking of data processed in violation of the law, including data not required to be stored for the purposes for which they were collected or subsequently processed; c) proof that the operations and their content referred to in points (a) and (b) have been brought to the attention of those to whom the data have been communicated or disclosed, except where this would be impossible or involves the use of means that are patently disproportionate to the right protected;
  • oppose, in whole or in part: a) the processing of personal data concerning you for legitimate reasons, even if processing is relevant to the purpose of data collection; b) processing of personal data concerning you for the purpose of sending advertising materials, for direct sales or for market research or commercial communication, using automated calling systems without human intervention, through email and/or through traditional marketing methods by telephone and/or post. Please note that the data subject’s right of opposition, as set out in point b) above, for direct marketing purposes using automated methods extends to traditional methods as well, and that the data subject is entitled to exercise the right of opposition even in part. Therefore, the data subject may decide to receive only communications by traditional means or only automated communications or neither type of communication.
You also have the right to lodge a complaint with the Data Protection Authority.

8. Means of exercising these rights

You may exercise your rights at any time by sending an e-mail to Data Controller

9. Data controller, managers and processors

The Data Controller is Cartai Bassanesi S.p.A. An up-to-date list of data managers and processors is kept at the Data Controller’s premises.

10. Modifications to this Notice

This Notice may change. Therefore, we recommend that you regularly review it and refer to its most current version.