PRIVACY NOTICE DATA PROCESSING FOR MARKETING PURPOSES
DATA PROCESSING FOR MARKETING PURPOSES
Users who provide their personal data through the form have the possibility of deciding whether or not to authorize the use of this information for marketing purposes. Data processing for this purpose, if authorized, is carried out by BKT Europe Srl, the processing controller, in accordance with the specifications set out hereafter.
WHO IS THE CONTROLLER AND HOW TO CONTACT THEM
The Controller of data processing for marketing purposes is BKT Europe Srl, in the person of the pro tempore legal representative, with its registered office in Viale Bianca Maria 25, 20122 Milan and offices in Viale della Repubblica 133, 20831 Seregno (province of Monza and Brianza), VAT no. 05404270968. The Company can be contacted through the email firstname.lastname@example.org
WHAT DATA IS PROCESSED
The data processed is identifying and contact data provided by the user by compiling the specific form.
The platform used by the controller to send emails enables, through tracking systems, the detection of information such as the opening of a message, the clicks made on hypertext connections contained in the email, from which IP address or with which type of browser the email is opened, and other similar details.
WHAT ARE THE PURPOSES AND LEGAL BASES OF THE PROCESSING?
The personal data provided by the user through the specific form is used for marketing purposes (i.e. to send advertising or direct sale material or to undertake market research or commercial communication of the business and services offered by the controller through traditional means, such as phone contact with an operator, as well as automatic means, such as email, SMS and other types of message, also through DM on social networks to which the user's account refers in the case indicated).
The legal basis of the processing of the data is the agreement which can be withdrawn at any time.
Any agreement given for marketing purposes on the basis of art. 130, paragraphs 1 and 2, of Leg. Decree 196/2003 (Privacy Code), implies the receipt of promotional and commercial communications and materials, not only through automated means of contact, but also through traditional means, such as postal deliveries or operator calls.
The data acquired through the tracking system of the platform used to handle email can be processed automatically to assess the preferences and habits of the data subject (profiling) and, on the basis of this data, plan the sending of promotional communications and notices.
The legal basis of such processing is the agreement which can be withdrawn at any time.
Should it be necessary, the data can also be used given a legitimate interest of the controller, which involves verifying the security and correct functioning of the IT systems used and carrying out defensive initiatives.
HOW IS THE DATA MANAGED?
The data collected is processed with IT instruments and only residually with print-based methods. Adequate security measures are adopted to prevent the loss of data, illegal or incorrect use and unauthorized access.
Transferring data abroad
The data will be transferred outside the European Union and the European Economic Space by the supplier of the services used by the Controller to store the data and for email services. Data will be transferred to non-EU countries, in the absence of adequacy decisions by the European Commission, but the transfer will be supported by adequate safeguarding measures; in particular for the storage, standard contractual clauses will be used backed by contractual supplementary measures; to manage marketing campaigns, standard contractual clauses will be used as approved on June 4, 2021 by the European Commission, and, if necessary, the supplementary measures implemented by the supplier to guarantee compliance with the General Data Protection Regulation, also in the case of the transfer of personal data outside of the EU.
The data is kept until any request by the user to oppose its use and in any case for no more than two years from when agreement to the processing is given. The data used for profiling is kept for a year.
This is done without prejudice to any defensive needs for which the data can be kept also beyond the indicated deadlines.
WHAT HAPPENS IF THE DATA IS NOT PROVIDED
Transfer of the data is optional. Without this, it will not be possible to use the data for the marketing and profiling purposes described. It is noted that the user can decide to transfer the data only for purposes connected to sending the request through the form, without authorizing the processing of the data for marketing and profiling purposes.
WHO CAN SEE THE DATA
The data will be processed by employees of the Controller who are authorized to process it.
The data can be seen by companies which provide IT supply services and by consultants to manage disputes and for legal assistance should there be any disputes due to which it is necessary to involve them.
It is noted that some of the indicated subjects act as controllers and others as data processors and that communication to those who operate as autonomous controllers is carried out since prescribed by legal obligations or is necessary to fulfil the obligations arising from the pre-contractual relationship or the legitimate interest of the controller in maintaining the security of the IT systems and in adopting defensive initiatives through legal consultants.
The detailed list of the subjects to whom the data can be communicated can be requested by contacting the Controller.
It is noted that communication of the personal data is in any case limited to the sole categories of data the transmission of which is necessary to undertake the activities and purposes being pursued.
WHAT ARE THE DATA SUBJECT'S RIGHTS?
The law recognizes for the data subject the right to ask the Data Controller for access to the personal data and its rectification or cancellation or limitation of the processing regarding them or to object to its processing, as well as the right to data portability.
In particular, it is noted that there is the possibility to object to the processing of data done for marketing purposes.
The data subject may assert their rights at any time, without formalities, by contacting the Controller through the email email@example.com
Here below is a breakdown of the rights recognized by the law in force on the protection of personal data.
- The right of access, i.e. the right to obtain from the Data Controller confirmation that processing of personal data regarding the data subject is or is not happening and, if so, to obtain access to the personal data and to the following information: a) the purposes of the processing; b) the categories of personal data in question; c) the recipients or the categories of recipients to whom the personal data has been or will be communicated, in particular if recipients in other countries or international organizations; d) when possible, the retention period of the personal data envisaged or, if not possible, the criteria used to determine this period; e) the existence of the data subject's right to ask the Processing controller to rectify or cancel personal data or to limit the processing of the personal data regarding them or to oppose its processing; f) the right to lodge a complaint to a supervisory authority; g) should the data not be collected from the data subject, all the information available on its origin; h) the existence of an automatic decision-making process, including profiling and, at least in these cases, significant information on the approach used, as well as the importance and consequences envisaged of this processing for the data subject. Should the personal data be transferred to another country or international organization, the data subject then has the right to be informed of the existence of adequate guarantees relating to its transfer.
- The right to rectification, i.e. the right to obtain from the Data Controller the rectification of imprecise personal data regarding them without unjustified delay. Taking account of the purposes of processing, the data subject has the right to integrate incomplete personal data, also by providing an additional statement.
- The right of cancellation, i.e. the right to obtain from the processing controller the cancellation of inexact personal data regarding them without unjustified delay if: a) the personal data is no longer necessary in regard to the purposes for which it was collected or otherwise processed; b) the data subject withdraws their agreement on which the processing is based and if there is no other legal basis for the processing; c) the data subject opposes the processing undertaken because necessary to carry out a public service or connected to the exercise of public powers with which the Controller is invested or to pursue a legitimate interest and there is no prevailing legitimate reason to proceed with the processing, or opposes the processing for direct marketing purposes; d) the personal data was illegally processed; e) the personal data must be cancelled to fulfil a legal obligation envisaged by the law of the European Union or of the Member state to which the Processing controller is subject; f) the personal data was collected in relation to the company's offer of services for information to minors. The request for cancellation cannot, however, be accepted if the processing is necessary: a) to exercise the right to freedom of expression and information; b) to fulfil a legal obligation which requires processing as envisaged by the law of the European Union or of the Member state to which the Data Controller is subject or to execute a task undertaken in the public interest or in the exercise of public powers with which the Data Controller is invested; c) for reasons of public interest in the public health sector; d) for the purposes of archiving in the public interest, scientific or historic research or statistical purposes, to the extent to which cancellation risks making impossible or seriously compromising achieving the goals of such processing; or e) for verifying, exercising or defending a right in the courts.
- The right of limitation, i.e. the right to obtain that data is processed, except for its conservation, only with the agreement of the data subject or to verify, exercise or defend a right before the courts or to protect the rights of another natural person or corporation or for reasons of relevant public interest of the European Union or of a member State if: a) the data subject challenges the preciseness of the personal data, for the period necessary for the Data Controller to verify the exactness of this personal data; b) the processing is illegal and the data subject opposes the cancellation of the personal data and instead asks that its use is limited; c) although the Data Controller no longer needs it for processing purposes, the personal data is necessary for verifying, exercising or defending a right in the courts; d) the data subject has opposed the processing undertaken because necessary to carry out a public service or connected to the exercise of public powers with which the Controller is invested or to pursue a legitimate interest of the Data Controller or of third parties, pending verification of the possible prevalence of the legitimate reasons of the Data Controller over those of the data subject.
- The right to portability, i.e. the right to receive in a structured, shared and legible format from an automatic device the personal data regarding them as provided to the controller and has the right to send this data to another controller with hindrance by the controller to whom they provided the data, as well as the right to obtain the direct transmission of the personal data from one controller to another, if technically feasible, should the processing be based on the agreement or on a contract and the processing is carried out with automated means. This right leaves the right to cancellation unaffected.
- The right to opposition, i.e. the data subject's right to oppose at any time, for reasons connected to their particular situation, the processing of the personal data regarding them undertaken because necessary to carry out a public service or connected to the exercise of public powers with which the Controller is invested or to pursue a legitimate interest of the Data Controller or of third parties. Should the personal data be processed for direct marketing purposes, the data subject has the right to oppose at any time the processing of the personal data regarding them undertaken for these purposes, including profiling to the extent this is connected to such direct marketing.
The data subject is then informed that, should they consider that the processing of their personal data takes place in violation of the provisions of the GDPR, they have the right to make a complaint to the Authority, as envisaged by art. 77 of the Regulation itself or to seek legal redress (art. 79 of the Regulation).
11/4/2022 9:15:28 AM