Privacy Notice pursuant to Articles 13 and 14 of EU Regulation 2016/679 and Legislative Decree 196/2003,
as amended by Legislative Decree 101/2018
The Data Controllers (“Controllers”) and, for processing for Marketing and Communication purposes, the Joint Controllers (“Joint Controllers”), as defined below, pursuant to Article 13 of EU Regulation 2016/679 (“Regulation”), wish to explain the purposes for which they collect your personal data, which will be processed according to the principles of fairness, lawfulness and transparency, while safeguarding confidentiality and in compliance with the above-mentioned legislation.
1. Data Controllers/Joint Controllers
| ALKEMY S.p.A. |
(“Data Controller”)
|
| Registered office |
Via San Gregorio, 34 – 20124 Milan (MI) |
| e-mail |
privacy@alkemy.com
|
| ALKEMY PLAY S.r.l. |
(“Data Controller”)
|
| Registered office |
Via San Gregorio, 34 – 20124 Milan (MI) |
| e-mail |
privacy@alkemy.com
|
| COSMIC S.r.l. |
(“Data Controller”)
|
| Registered office |
Via Monte Rosa, 91 – 20149 Milan (MI) |
| e-mail |
gdpr@retex.com
|
| D.COM S.r.l. |
(“Data Controller”)
|
| Registered office |
Via San Gregorio, 34 – 20124 Milan (MI) |
| e-mail |
gdpr@retex.com
|
| DIGITAL RETEX S.r.l. |
(“Data Controller”)
|
| Registered office |
Via San Gregorio, 34 – 20124 Milan (MI) |
| e-mail |
gdpr@retex.com
|
| RETEX S.p.A. |
(“Data Controller”)
|
| Registered office |
Via San Gregorio, 34 – 20124 Milan (MI) |
| e-mail |
gdpr@retex.com
|
| WTL S.r.l. |
(“Data Controller”)
|
| Registered office |
Via San Gregorio, 34 – 20124 Milan (MI) |
| e-mail |
gdpr@retex.com
|
| XCC S.r.l. |
(“Data Controller”)
|
| Registered office |
Via del Commercio, 36 – 00154 Rome (RM) |
| e-mail |
privacy@alkemy.com
|
|
hereinafter, collectively, the “Companies”, the “Controllers” or, for processing for “Marketing and Communication” purposes, the “Joint Controllers”. |
| 1.1 |
For the purposes related to the performance of contracts, compliance with legal obligations, and protection of rights in court, as better specified in paragraph 4 below, the Companies act as independent Data Controllers pursuant to the Regulation, each independently determining the purposes and means of processing. With reference to Marketing and Communication activities, as better specified in paragraph 4, the Companies act as Joint Controllers, jointly defining, each within the scope of its competence, the purposes and means of processing. In their capacity as Joint Controllers, the Companies have signed a specific agreement pursuant to Article 26 of the Regulation, an excerpt of which is available for consultation upon request by data subjects.
|
2. Data Protection Officer (DPO)
| 2.1 |
The Controllers/Joint Controllers have appointed a Group-level Data Protection Officer (DPO), who can be contacted for all matters relating to the processing of your personal data — including with regard to the excerpt of the agreement under Article 26 of the Regulation — and to the exercise of rights under the Regulation.
The DPO’s contact details are as follows:
privacy@alkemy.com
.
|
3. Types of data processed
| 3.1 |
Processing may concern common personal data, identification and contact data, acquired directly or through third parties, such as — by way of example and without limitation — identifying data (first name, last name, address, telephone number, business email, data relating to company/firm, sector, job role, function and other similar data), including data of contact persons, employees, collaborators or persons otherwise connected to your business, as well as, for contract management purposes, tax and administrative data (tax code, VAT number, IBAN and bank/postal data). No special categories of personal data are processed.
|
4. Purposes and legal basis of processing
| 4.1 |
Management of the contractual relationship. Each Data Controller
will process the personal data of its customers/users to provide the requested services
and for purposes strictly related and instrumental to the
management and execution of the pre-contractual and/or contractual relationship,
as well as for purposes connected to obligations required by laws and/or
regulations, and by provisions issued by authorities legally entitled
under the law. In such cases, the processing of the data of the
Data Subject takes place in order to carry out preliminary and
subsequent activities related to the purchase of a service and/or product,
such as management of the related order, provision of the service itself
and/or production and/or shipment of the purchased product, related
invoicing and payment management, handling of complaints and/or
reports to customer support and provision of
support itself, sending communications of an informational nature
related to the service and/or contract, as well as fulfilling any other
obligation arising from the contract. The legal basis for processing for the
purposes indicated above is Article 6.1 letters b), c).
|
| 4.2 |
Defending a right in judicial or out-of-court proceedings. The processing
of the Data Subject’s personal data takes place in order to ascertain, exercise or
defend a right of the Controller and/or to defend against third-party claims,
in judicial or out-of-court proceedings. The legal basis for processing for
the purposes indicated above is Article 6.1 letter f).
|
| 4.3 |
Marketing and Communication. The Joint Controllers will jointly process the data
collected in the exercise of their activities for Strategic
Marketing, Brand and Corporate Communication purposes, including those related to:
| i) |
sending advertising material, direct selling, carrying out
market research and commercial communication for offers, discounts
and promotions of the Joint Controllers’ services/products through
traditional means (e.g., regular mail, phone calls with an operator) and/or
automated means (e.g., email, SMS, instant messaging
applications, web and mobile push notifications), as well as sending
newsletters;
|
| ii) |
profiling data relating to interests, preferences and habits,
such as analysis of transmitted data and purchased services/products
in order to propose promotional messages and/or commercial proposals
in line with the choices expressed;
|
The legal basis for processing for the purposes referred to in points i) and ii)
above is Article 6.1 letter a), i.e., the data subject’s consent.
| iii) |
the Joint Controllers will jointly process the collected data for the
purpose of sending email communications regarding promotions and
offers of services/products identical and/or similar to those covered by
the ongoing contract with the Data Subject, unless the Data Subject
has objected to such processing initially or on the occasion of
subsequent communications. The legal basis for such processing is
Article 130, paragraph 4 of the Privacy Code (Legislative Decree 196/2003).
The Data Subject has the right to object at any time to
processing of personal data concerning them for this
purpose.
|
The legal basis for such processing is Article 130, paragraph 4 of the Privacy Code (Legislative Decree 196/2003). The Data Subject has the right to object at any time to the processing of personal data concerning them for this purpose.
|
5. Mandatory or optional nature of data provision and consequences of any refusal to provide data
| 5.1 |
Provision of personal data is considered mandatory for the purposes referred to in points 4.1 and 4.2 above.
|
| 5.2 |
Provision of the data necessary for the purposes referred to in point 4.3 above is optional and processing requires the data subject’s consent; any refusal will have no consequences on the execution of the requested services.
|
| 5.3 |
For the purposes referred to in point 4.3 above, the Joint Controllers have also jointly defined, within the specific agreement, the processing methods and the procedures for responding to data subjects pursuant to Articles 15-22 of the Regulation. The single point of contact for exercising rights is the Data Protection Officer whose contact details are indicated in paragraph 2 above. An excerpt of the joint controllership agreement is available to all data subjects upon express request.
|
6. Methods and duration of processing
| 6.1 |
Personal data processing will be carried out by appointed and specialized personnel, lawfully and fairly, with or without the aid of electronic or otherwise automated means, and will include all operations or sets of operations necessary for the processing in question, including recording and storage, by adopting security measures suitable to ensure confidentiality and to protect personal data from any unlawful use, unauthorized access or disclosure, and to prevent loss of the data. No processing is carried out for the purpose of automated decision-making under Article 22 of the Regulation.
|
| 6.2 |
For the purposes referred to in points 4.1 and 4.2 above, personal data are retained for the period necessary to achieve the purposes for which they were collected and will be processed for the time necessary to carry out data subjects’ requests, to fulfill legal obligations related to administrative, accounting, tax and social security activities (10 years), and for the entire duration of any disputes, without prejudice to further obligations provided by law.
|
| 6.3 |
For the purposes referred to in point 4.3 above, personal data will be retained: a) for the purposes referred to in point 4.3 (i) for a period not exceeding 24 (twenty-four) months from the last interaction; b) for the purposes referred to in point 4.3 (ii) for a period not exceeding 12 (twelve) months from the last interaction; c) for the purposes referred to in point 4.3 (iii) for a period not exceeding 24 (twenty-four) months from termination of the relationship with the data subject.
|
7. Data disclosure
| 7.1 |
Personal data may be disclosed among the Joint Controllers and also to employees, staff, collaborators and, in any case, only to personnel authorized by the Joint Controllers for the purposes indicated in point 4 above.
|
| 7.2 |
Personal data may also be disclosed to third parties in order to comply with legal obligations or to entities, or categories of entities, such as, by way of example, external consultants, banks, financial institutions, independent professionals, IT equipment maintenance companies, entities providing services for management of the information system, including websites, web applications and telecommunications networks, and in any case to all those third parties identified for the above-listed purposes and for execution of existing contractual obligations. Such entities will act as Independent Controllers or Processors on behalf of the Controller or Joint Controllers and according to the instructions provided to them.
|
| 7.2 |
Personal data may also be disclosed to third parties in order to comply with legal obligations or to entities, or categories of entities, such as, by way of example, external consultants, banks, financial institutions, independent professionals, IT equipment maintenance companies, entities providing services for management of the information system, including websites, web applications and telecommunications networks, and in any case to all those third parties identified for the above-listed purposes and for execution of existing contractual obligations. Such entities will act as Independent Controllers or Processors on behalf of the Controller or Joint Controllers and according to the instructions provided to them.
|
| 7.3 |
The updated list of processors is maintained by each of the Companies and is available upon request.
|
8. Data transfer
| 8.1 |
Personal data will not be processed or transferred outside the European Union. Should transfers occur — even for mere archiving needs — to third countries outside the European Union, the rights provided by the Regulation will be guaranteed, in compliance — in any case — with applicable legal provisions and the “Standard Contractual Clauses” approved by the European Commission or other equivalent safeguards.
|
9. Data subject rights
| 9.1 |
We hereby inform you that, pursuant to Articles 15-22 of the Regulation, you have the right to exercise the following rights:
| i) |
access to personal data;
|
| ii) |
receive confirmation as to whether such data exist and know their content and origin;
|
| iii) |
obtain rectification, updating or deletion of such data;
|
| iv) |
object to processing or request restriction of processing;
|
| v) |
data portability;
|
| vi) |
withdraw consent at any time, where applicable: withdrawal of consent does not affect the lawfulness of processing based on consent before withdrawal, and object to processing for marketing and/or profiling purposes pursuant to Article 21 of the Regulation;
|
| vii) |
lodge a complaint with the Italian Data Protection Authority.
|
|
| 9.2 |
These rights may be exercised by sending a written communication to the Group Data Protection Officer, at the contact details indicated in paragraph 2 above. |
10. Changes
| 10.1 |
The Controllers/Joint Controllers reserve the right to amend or simply update the content of this notice, in whole or in part, also due to changes in applicable law. In such case, timely communication will be provided.
|
