Information on Processing of Personal Data - Customers and Suppliers | Dr. Vranjes Firenze

INFORMATION ON PROCESSING OF PERSONAL DATA

FOR CUSTOMERS AND SUPPLIERS

This notice (hereinafter referred to as Privacy Notice) relates to the Processing of your Personal Data carried out by Dr. Vranjes Firenze S.p.A., with registered office at Via S. Pertini, 5 - Antella 50012 Bagno a Ripoli (FI), Italia, VAT Reg. No. 01648260, e-mail info@drvfirenze.com (hereinafter referred to as the “Controller”), pursuant to the Regulation (EU) 2016/679 (hereinafter referred to as “GDPR”).

1. Identity and contact details of the data controller

The Data Controller is established in Italy; therefore, no representative has been appointed.

2. DPO contact data

The Data Controller has appointed a Data Protection Officer (“DPO”) pursuant to Art. 37 GDPR. The DPO can be contacted at the following address dpo@drvfirenze.com

3. Third-party data

Should the customer and/or supplier provide the Data Controller with personal data belonging to third parties, their employees and/or collaborators, for the purposes of executing the contract, the customer and/or supplier must inform the third party of this circumstance, as well as provide the third party with this privacy policy and obtain, where necessary, appropriate consent.

4. Purpose and legal basis of processing

Personal data will be processed for the following purposes:

a) For contractual purposes and/or purposes related to the execution of pre-contractual measures adopted at your specific request, as well as to fulfil any legal obligations related to such purposes. In this case, the legal basis is the need to process the data for the purpose of performing the contract and/or managing pre-contractual relations.
b) to send you direct marketing communications, newsletters, advertising material, using traditional contact methods and automated IT systems, including direct marketing information via email or SMS, or for market research and analysis. The legal basis for the processing is the consent, given pursuant to the Privacy Notice.
c) to identify your habits and preferences through profiling, in order to provide you with a personalised service. The legal basis is your consent, given pursuant to the Privacy Notice. With regard to personal data processed, provision of personal data is not a contractual obligation. You may choose to provide your personal data. If you fail to provide this information, the Company will not be able to provide you with a personalised service.
d) for purposes related to relevant legal obligations. The legal basis for processing is the legal obligation of the Data Controller to process personal data according to the applicable legislation.

5. Conditions for consent

Consent, where required, may be expressed by signing a paper or electronic document, or even by ticking specific flag boxes.

6. Processing methods and logic

With regard to personal data processed and stored for the purposes referred to in point a), number 4 of this notice (contractual and pre-contractual purposes), processing will be carried out using paper-based tools, automated logic and CRM management software, which will enable us to better manage the fulfilment of our contractual obligations.
With regard to personal data processed for the purposes referred to in point b) number 4 of this Privacy Notice (marketing purposes), processing will be carried out using software designed to send direct marketing information.
With regard to personal data processed for the purposes referred to in point c) number 4 (profiling), processing will be carried out using CRM software that allows us to define tastes and preferences in order to offer you personalised services and information. For further details, please go to the next point of the Privacy Notice.
With regard to personal data processed and stored for the purposes referred to in point d), number 4 (legal purposes), processing will be carried out using paper-based tools, automated logic and CRM management software, which will enable us to better manage compliance with legal obligations.

7. Automated decision-making and profiling

If you authorise the processing of your personal data to benefit from personalised services through profiling, your personal data may be subject to automated decision-making process, with a specific algorithm deciding which information is most suitable for your profile or which may be of most interest to you. The expected result of such processing, by way of example, could consist in sending highly profiled direct marketing information, discounts, invitations to events deemed to be of interest, etc.

Pursuant to Art. 22 GDPR, you have the right to:

obtain human intervention by the Controller in the decision-making process.
express your opinion.
obtain clarifications on the decision made by the Controller.
challenge the above decision.

8. Source of personal data

Only data provided in accordance with this policy will be processed. Personal data from publicly accessible sources will not be processed.

9. Recipients and any recipient categories of personal data

Personal data may be sent to the following recipients:

companies offering information society services, including, in particular, those offering hosting services.
auditing firms.
the Data Controller's partner companies.

10. Data categories

Personal data will be processed, including, but not limited to personal details, contact details. Under no circumstances may special categories of data be processed pursuant to Article 9 of the GDPR.

11. Transfer of personal data

The Data Controller intends to transfer personal data to third countries outside the European Union or international organisations Such entities could include, for example:

Communication companies that carry out communication activities on behalf of the Data Controller.
Service provider of the communication company.
Subsidiaries and/or parent companies.

The transfer of personal data to such entities, if located in a third country or an international organisation, is carried out if an adequacy decision has been issued by the European Commission, which has verified that the third country, the territory or one or more specific sectors within the third country, or the international organisation in question, ensure an adequate level of protection of rights. However, the Data Controller reserves the right, if he/she deems it appropriate, to enter into specific separate agreements that oblige such parties to adopt adequate security measures, including organisational measures, aimed at providing appropriate guarantees regarding rights. The data may be then transferred to the following countries: United States of America, United Kingdom, Japan. To obtain a copy of such data or the location where it has been made available, simply send a request to the Data Controller at the addresses listed above.

12. Personal Data retention period

Personal data processed and stored for the purposes referred to in points a) and d), number 4 (contractual and pre-contractual purposes and fulfilment of legal obligations) are processed and stored by the Data Controller in accordance with current legislation, in any case for a period of time not exceeding 10 years from the termination of the contract in the event of its conclusion, unless otherwise required by law;
Personal data processed for the purposes referred to in point b) number 4 of this policy (marketing purposes) are processed and stored by the Data Controller until you request their deletion and/or revocation, as the Data Subject.
Personal data processed for the purposes referred to in point c) number 4 (preference setting purposes) are processed and stored by the Data Controller for a period not longer than 12 months from the collection.

13. Optional nature of consent and implications of failed consent

With regard to personal data processed for the purposes referred to in point a) number 4 of this notice (contractual and pre-contractual purposes) the disclosure of personal data is mandatory. If you fail to provide such personal data, no contracts will be signed.
With regard to personal data processed for the purposes referred to in point b) number 4 of this notice (marketing purposes), the provision of personal data is not a contractual obligation. You may choose to provide your personal data. If you fail to provide such personal data, the Data Controller will not be able to carry out any marketing activity.
With regard to personal data processed for the purposes referred to in point c) number 4 of this policy (setting preferences purpose), the provision of personal data is not a contractual obligation. You may choose to provide your personal data. Should you fail to provide your personal data, the Company will not be able to carry out any profiling activity.
With regard to personal data processed for the purposes referred to in point d) number 4 of this policy (legal obligations), the provision of personal data is a legal obligation.

14. Right to object

The data subject shall have the right to object according to the following terms:

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise, or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes. It should be noted that the data subject's right to object to the processing of their personal data for the aforementioned purposes may also be exercised in part, i.e. by objecting, for example, only to the sending of promotional communications via automated and/or digital means, or to the sending of paper communications.
Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

15. Other rights

The Data Controller also intends to provide information of the following rights:

Right of access: The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is that is the case, access to the personal data and specific information pursuant to Art. 15 GDPR;
Right to rectification: The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement, pursuant to Art. 16 GDPR.
Right to erasure of personal data, including the right to withdrawal of consent: The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where the grounds provided for by Art. 17 GDPR apply. With regard to the right to withdrawal, the data subject also has the right to withdraw consent at any time without prejudice to the lawfulness of the processing based on the consent given prior to withdrawal.
Right to restriction of processing: The data subject shall have the right to obtain from the controller restriction of processing where the cases provided for by Art. 18 GDPR apply.
Right to data portability: The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller in the events and at the conditions provided for by Art. 20 GDPR.
Right to object of the data subject to marketing information: the data subject shall have the right to object at any time, free of charge, to receiving direct marketing information.

16. Exercise of rights

Requests to exercise the rights indicated in this policy, including the right to erasure and the right to withdraw consent, should be addressed directly to the Data Controller at the following email address: privacy@drvfirenze.com. Alternatively, you may exercise your rights by sending a registered letter with return receipt to the Data Controller's registered office.

17. Accessibility to the Privacy Notice

The privacy notice is available from the Data Controller. If expressly requested, the information may also be provided verbally, provided that the identity of the requester is verified, by means of a telephone request to the Data Controller's contact details.

DATA PROCESSING BY DR. VRANJES FIRENZE S.P.A. FOR MARKETING AND PROFILING PURPOSES

This statement regulates the handling of personal data when using the website at https://drvranjes.com/eu/privacy-policy, Dr. Vranjes Firenze S.p.A., with head offices in Via S. Pertini, 5 - Località Antella 50012 Bagno a Ripoli (Florence), Italy, VAT no. 06511260488, email dpo@drvranjes.it, (herein “Holder”), in compliance with current rules governing data protection, including, in particular, the EU Regulation 2016/679 (herein “GDPR”).

1. Identity and contact details of the data holder

Data Holder is Dr. Vranjes Firenze S.p.A. No representative has been appointed as the Holder is based in Italy.

2. Contact details of the person in charge of the data protection

The Holder has placed Simone Bonavita in charge of data protection and can be contacted at the holder’s head offices or via e-mail at dpo@drvranjes.it

3. Data handling methods

3.1 Cookie and environmental data

TECHNICAL COOKIES

Navigation, functional and session cookies: allow the site to work properly. Use of so called session cookies (that are not stored permanently on the device in question and are automatically deleted when the browser is shut down) is strictly limited to the transmission of identification codes for the individual sessions and is employed for the safe and efficient use of the site. They can be divided into:

- activities strictly required for operational purposes: cookies used to save the User session and carry out other activities solely required to operate the application, for example in relation to the distribution of traffic;

- saving preferences, optimisation and statistics activities: cookies used to save the browsing preferences and optimise the User’s browsing experience. These Cookies include, for example, those for language setting and the assessment or management of statistics by the site's Holder.

Statistical cookies: the site uses statistical cookies created directly by the data holder, as first party, or supplied by third parties. In the latter case, suitable measures have been adopted to reduce identification power, via the masking of significant parts of the IP addresses handled. Furthermore, the use of these third party statistical cookies is dependent on contractual limitations that commit the third party to use them exclusively for providing the service, storing them separately and not “enriching them” or “intersecting them” with other information that they are in possession of. As far as the Google Analytics cookies are specifically concerned, the information that can be retrieved from the cookies on the use of the site by users will be transmitted by the browser of the person in question to Google Inc. based in 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States and stored in the company’s servers.

The Google privacy regulations that we would ask you to read can be found at the following address:

http://www.google.com/intl/it/privacy/privacy-policy.html

The privacy statement relative to Google Analytics services can be found at the following address:

http://www.google.com/intl/en/analytics/privacyoverview.html

Browsing data and environmental variables: The computing systems and procedures designated to operating the site, automatically acquire certain personal data about the browsing of the person in question, during regular operations, including environmental variables. Some examples of the data in this category include:

IP addresses of the computers employed by the user availing themselves of the service;

number of accesses;

pages viewed;

date and time when access was made;

URL where the browser was before displaying this page;

browser type;

operational system used.

NON-TECHNICAL COOKIES

Profiling cookies: the site uses profiling cookies supplied by third parties. In detail, the following are used:

- interaction with social networks and external platforms: this kind of service allows you to interact with social networks, or with other external platforms, directly from this application’s pages. The interaction and information acquired by this application is, in any case, subject to the User's privacy settings specific to each social network.

If an interaction service with the social networks is installed, it is possible that, even if Users do not use the service, traffic data will still be collected regarding the pages where it is installed.

AddThis (Addthis Inc.): is a service provided by Clearspring Technologies Inc. that displays a widget that allows for interaction with social networks and external platforms and sharing the contents of this application. Depending on the configuration, this service can show widgets belonging to third parties, for example, handlers of social networks on which to share the interactions. In this case, even third parties that distribute widgets will be informed of the interaction made and the data used relative to the pages on which this service is installed.

Personal Data collected: Cookies and Data used.

Data handling location: USA – Privacy Policy.

Re-marketing and behavioural targeting: allows this application and its partners to communicate, optimise and provide adverts based on past use made of this Application by the User. This activity is performed by tracing the data used and the use of cookies, information that is transferred to partners with whom the activity of re-marketing and behavioural targeting is linked. In addition to the possibilities of carrying out opt-outs offered by the services given below, the User can opt to exclude receipt of cookies linked to a third party service, by visiting the Network Advertising Initiative opt-out page.

Facebook Re-marketing (Facebook, Inc.): is a Re-marketing and Behavioural Targeting service provided by Facebook, Inc. that links the activity of this Application to the Facebook advertising network.

Personal Data collected: Cookies and Data used.

Data handling location: USA – Privacy Policy – Opt Out.

AdWords Re-marketing (Google, Inc.): is a Re-marketing and Behavioural Targeting service provided by Google Inc. that links the activity of this Application to the AdWords advertising network and Doubleclick Cookie.

Personal Data collected: Cookies and Data used.

Data handling location: USA – Privacy Policy – Opt Out.

- Statistics: the services contained in this section allow the Data Holder to monitor and analyse the traffic data and are used to keep track of the User’s behaviour.

Google Analytics with anonymised IP (Google Inc.): is a web analysis service provided by Google Inc. (“Google”). Google uses the Personal Data collected to track and examine the use of this Application as well as fill in reports and share them with other services developed by Google. Google could use the Personal Data to contextualise and personalise the adverts on its own advertising network. This Google Analytics integration makes your IP address anonymous. Anonymisation works by abbreviating the User’s IP address within the confines of EU member states or other countries adhering to the European Economic Space agreement. Only in exceptional cases will the IP address be sent to Google servers and abbreviated in the United States. Personal Data collected: Cookies and Data used.

Data handling location: USA – Privacy Policy – Opt Out

Monitoring of Facebook Ads conversions (Facebook, Inc.): is a service of statistics provided by Facebook, Inc. that links the data from the network of Facebook adverts with the actions carried out within this Application.

Personal Data collected: Cookies and Data used.

Data handling location: USA – Privacy Policy

Delete or deactivate cookies

As cookies are normal text files, they can be accessed using word processor programs.

In any case, you can set your browser to prevent it handling cookies.

Delete/deactivate cookies with Firefox:

http://support.mozilla.com/it/kb/Eliminare%20i%20cookie

Delete/deactivate cookies with Edge:

https://support.microsoft.com/it-it/help/4027947/windows-delete-cookies

Delete/deactivate cookies with Chrome:

http://support.google.com/chrome/bin/answer.py?hl=it&answer=95647

3.2 Data provided voluntarily by the person in question

The optional data freely provided by the person in question by sending an e-mail to the addresses on the site can be acquired for the ends indicated in point 4.

In particular, as well as the e-mail address needed to reply to the sender, other personal data contained in the relative communication will be handled.

4. Handling purposes and juridical basis for handling

In order to send direct marketing communications, newsletters, advertising, via traditional contact systems and automated IT systems, including sales or advertising communications via e-mail or SMS, or for market research and analysis. In this case, it is the consensus, expressed in compliance with this statement, that represents a juridical foundation.

For profiling activity and to establish habits and preferences. In this case, it is the consensus, expressed in compliance with this statement, that represents a juridical foundation.

5. Means for expressing consensus

Consensus to handle personal data via non-technical cookies can be expressed:

By clicking a specific box in a banner.

6. Source from where personal data originates

Only data provided by the person in question will be handled, in compliance with this regulation, collected from the website.

7. Recipients and possible categories of personal data recipients

Recipients of the person in question’s personal data could be:

communication firms that carry out commercial communication and profiling work on behalf of the Holder and appointed to handle the data;

firms that offer IT company services, in particular, those that offer hosting services.

8. Data categories

The personal data of the person in question will be handled.

9. Data transfer

The Holder's intention is to transfer personal data to a third party Country or international organisation. These subjects could be represented, for example, by

communication firms that perform communication work for the Holder;

firms that offer IT company services, including, in particular, those that offer hosting services;

communication firm service suppliers.

Transfer of personal data to these subjects, if settled in a third party Country or international organisation, is done in the presence of an adequacy decision from the European Commission that has assessed how the third party Country, territory or one or more specific sectors within the third party Country, or international organisation in question, guarantee a suitable level of protection of its rights. In any case, the Holder – should they see fit – reserves the right to finalise specific separate agreements that oblige these subjects to adopt adequate safety measures, including organisational safety measures, aimed at providing appropriated guarantees of their rights. In particular, Google Inc. is contractually bound to guarantee suitable protection of the rights of the person in question. The data could, therefore, be transferred to the following countries: UK and United States of America. In order to receive a copy of this data or the place where it has been made available, just send a request to the following e-mail privacy@drvranjes.it.

10. Storage period of personal data

The personal data handled for marketing purposes is handled and stored until the person in question revokes consensus or requests its deletion.

Personal data handled for the purpose of establishing preferences is handled and stored for a period no longer than 12 months from when it was collected.

The Holder reserves the right, in any case, to request that the party in question renew their consensus for data handling and/or checks the consensus already expressed.

11. Option to provide consensus and consequences of denied consensus

With regard to handling personal data for marketing purposes, the communication of personal data is not a contractual requirement. Providing personal data is optional; however, if this data is not communicated, no marketing activities will be possible;

With regard to handling personal data for profiling purposes, the communication of personal data is not a contractual requirement. Providing personal data is optional; however, if this data is not communicated, no profiling activities will be possible.

12. Rights of the person in question

12.1 Right to oppose

With regard to the personal data handled via technical cookies in order to allow for the website to work properly, communication of personal data is not a contractual obligation, but one founded on the Holder's legitimate interest, in as much as, without consensus to handle the data, it will not be possible to provide a perfectly functioning website.

Consensus should be considered optional in relation to non-technical cookies. In the latter case, failed communication of this data will only result in the impossibility to provide a personalised service. In relation to data provide voluntarily via e-mail, consensus should be considered optional. However, failure to communicate this data will make it impossible to reply to the person in question;

In relation to the data communicated for contractual and pre-contractual purposes, the communication of personal data is a contractual obligation and a requirement for carrying out the pre-contractual negotiations and to finalise the contract. The person in question has the option to provide personal data; however, in the absence of this data being communicated, it will not be possible to finalise any contract or carry out any contractual negotiations;

With regard to data provided voluntarily via e-mail, failure to communicate this will make it impossible to reply to the person in question.

12.2 Other rights

The Holder also intends to inform the person in question of the existence of the following rights in his/her favour:

Right of access by the person in question: the person in question has the right to obtain confirmation from the Holder that personal data regarding him/her is being handled and, if this is the case, to obtain access to the personal data and specific information, in compliance with art. 15 of the GDPR.

Amendment right: the person in question has the right to obtain an amendment of inaccurate personal data that regards him/her without undue delay. Having taken into account the purposes of handling the data, the person in question has the right to obtain the integration of incomplete personal data, by even providing a supplementary declaration, in compliance with art. 16 of the GDPR.

Right to data deletion, including the right to withdraw consensus: the person in question has the right to have his/her personal data deleted by the Holder without undue delay and the Holder is obliged to delete this personal data without undue delay, or to withdraw consensus, if the reasons defined in art. 17 of the GDPR are present. As far as the right to withdrawal is concerned, the person in question also has the right to withdraw consensus at any time without compromising the legitimacy of the handling based on the consensus presented prior to withdrawal.

Right of data handling limitation: the person in question has the right to obtain a limitation from the Holder on the handling of the data when the circumstances set out in art. 18 of the GDPR are resorted to.

Right to data portability: the person in question has the right to receive the data regarding them in a structured format, for common use and legible from automatic devices, provided by the Holder and has the right to transmit this data to another holder without impediments from the Holder in the cases, and under the conditions, specified in art. 20 of the GDPR.

13. Exercising one’s rights

Requests to exercise one’s rights indicated in this statement, including, in particular, the right to deletion and withdrawal of consensus given, should be addressed to the Holder at the following e-mail privacy@drvranjes.it. Alternatively, it is possible to exercise one’s rights by sending relative communication by registered return post letter to Via S. Pertini, 5 - Località Antella 50012 Bagno a Ripoli (Florence).

14. Statement accessibility

The statement can be accessed at https://drvranjes.com/eu/privacy-policy, as well as from the Holder. If expressly requested by the person in question, the information can also be verbally communicated over the phone to the Holder, as long as the identity of the person in question has been established.