Heko S.r.l., with registered office in Via Pontebbana, 9 – 33098, Valvasone Arzene (PN), Tax Code and VAT Reg. no. 01773580939, through its Legal Representative, in the capacity of Data Controller (hereinafter, “Data Controller”), pursuant to Article 13 of Legislative Decree no. 196 of 30.6.2003 (hereinafter, “Privacy Code”) and Article 13 of EU Regulation no. 2016/679 (hereinafter, “GDPR”), hereby informs you that your data will be processed as follows:
1) Scope of processing
The Data Controller processes personal, identifying and non-sensitive data (in particular, name, surname, tax code, VAT number, email address, telephone number - hereinafter, “personal data” or even “data”) provided by you during registration on the website of the Data Controller and/or when subscribing to the newsletter published by the Data Controller.
2) Purpose of processing
Your personal data are processed:
A) Without your express consent (Article 24, letters a, b and c of the Privacy Code, Article 6, letters b and e of the GDPR), for the following Service purposes:
• Fulfil pre-contractual, contractual and tax obligations deriving from our professional relations with you;
• Fulfil the requirements established by the law, statutory provisions, EU legislation or an order of the Authority;
• Prevent or discover fraudulent activity or malicious use of the website;
• Exercise the rights of the Data Controller, such as, by way of example, the right to defence in court.
B) Only with your specific and distinct consent (Articles 23 and 130 of the Privacy Code and Article 7 of the GDPR), for the following purposes:
• Register and maintain access to the reserved area of the site www.heko.it;
• Email newsletters, commercial communication and/or advertising material to you about products or services offered by the Data Controller. Please note that if you are already a customer, we may send you commercial communication relating to services and products of the Data Controller similar to those you have already used, unless you do not provide your consent (Article 130, paragraph 4 of the Privacy Code).
3) Processing methods and data retention period
Your personal data are processed by means of the operations discussed in Article 4 of the Privacy Code and Article 4 no. 2) of the GDPR, governing: data collection, registration, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, deletion and destruction.
Your personal data are processed both on paper and in electronic and automated form.
The Data Controller will process personal data for the time required to fulfil the aforementioned purposes and, in any case, for no more than 10 years from termination of the relationship, as it pertains to Service Purposes, and for no more than 2 years from the collection of data for Marketing Purposes, notwithstanding the exercise of the rights of the concerned party and/or other legal requirements.
4) Access to and communication of data
You can access your data at any time by a simple request to the addresses provided herein.
5) Communication of data
Your data may be made accessible and/or disclosed for the purposes referred to in Articles 2.A) and 2.B):
Without prejudice to communication and dissemination carried out in compliance with legal obligations, the Data Controller may share your data, in Italy and/or abroad (as further indicated below) with:
• Employees and collaborators of the Data Controller, in their capacity as data processors and/or process managers and/or system administrators;
• Technicians and/or collaborators for administrative, tax and accounting management, and/or to fulfil specific legal obligations, or external suppliers who have been entrusted with such purposes.
• Our network of agents; factoring companies; credit institutions; debt collection companies; credit insurance companies; commercial information companies for services requested; professionals and consultants; companies operating in the transport sector; technicians and collaborators appointed to provide requested services/products, Supervisory bodies, judicial authorities, as well as all the other subjects who are legally mandated to receive such data for the accomplishment of the aforementioned purposes. Legal entities entrusted with the services referred to herein.
• Companies or other legal entities, qualified and appointed pursuant to Art. 28 of Regulation 679/16, for support activities including: management and development of communication, management and development of business processes and projects, communication and promotion systems, for storage of personal data.
Access may be granted to third parties and associated companies, which provide services deemed necessary and/or useful by the Data Controller for the management of activities and related support processes, or requested by you. Suppliers also include IT systems management companies; credit institutions, professional firms, companies that provide services on IT systems/platforms whose services the Data Controller deems useful to engage, and companies that carry out outsourcing activities on behalf of the Data Controller, in their capacity as external data controllers.
6) Data transfer
The management and storage of personal data will be carried out on servers of the Data Controller, located within the European Union, and/or of third-party companies duly appointed as Data Processors. At present, our servers are located in Italy. Data will not be transferred outside the European Union.
7) Compulsory or optional nature of the provision of data and consequences of refusal to respond
The provision of data for the purposes referred to in Art. 2.A) is mandatory. If you choose not to provide your data, we guarantee neither your registration to the site nor the delivery of Services described in Art. 2.A).
The provision of data for the purposes referred to in Art. 2.B) is optional. You may therefore decide not to provide any data or to subsequently withdraw your consent to further process data already provided: in this case, the services referred to in Art. 2.B) may not be provided. In any case, you will continue to be entitled to the Services referred to in Art. 2.A).
8) Rights of the concerned party
In your capacity as a concerned party, you are afforded the rights set forth in Art. 7 of the Privacy Code and Art. 15 of the GDPR and, namely, the right to:
A) Obtain confirmation of the existence, or not, of personal data concerning you, even if not yet registered, and their provision in an intelligible form;
B) Obtain information on: origin of personal data; purposes and methods of processing; logic applied in case of processing carried out with the support of electronic instruments; identification details of Data Controller, managers and designated representative, pursuant to Art. 5, paragraph 2 of the Privacy Code and Art. 3, paragraph 1, of the GDPR; and subjects or categories of subjects to whom the personal data may be communicated or who may become aware of them in their capacity as designated representative in the country, as well as managers or agents;
C) Obtain: updating, amendment or, when desired, integration of data; deletion, transformation into anonymous form or blocking of data processed unlawfully, including data whose retention is unnecessary for the purposes for which data were collected or subsequently processed; attestation that the operations referred to in Articles 8.A) and B) have been brought to the attention, also with regard to their content, of those to whom data have been communicated or disseminated, except in the case where this fulfilment proves impossible or involves the use of means patently disproportionate to the protected right;
D) Object, in whole or in part: for legitimate reasons, to the processing of personal data concerning you, even if pertinent to the purpose of collection; the processing of personal data concerning you for the purpose of sending advertising materials or direct sales or for carrying out market research or commercial communication, through traditional marketing methods by telephone and/or paper mail and/or e-mail. The concerned party can, in any case, exercise the right to oppose, even if only partially. Therefore, the concerned party can decide to receive communication using only traditional methods, namely paper mail, or via e-mail, or neither of them.
Where applicable, you also have the rights referred to in Articles 16-21 of the GDPR (Right to amend, be forgotten, limit processing, data portability, and oppose), as well as the right to lodge complaints with the Data Protection Authority.
9) How to exercise your rights
You can exercise your rights at any time, by sending:
• Registered letter with return receipt addressed to: Heko S.r.l., Via Pontebbana, 9 – 33098, Valvasone Arzene (PN)
• Email to firstname.lastname@example.org
• Certified email to email@example.com
This site and the services of the Data Controller are not intended for minors under the age of 18 years, and the Data Controller does not intentionally collect personal information about minors. In the event that information on minors was unintentionally registered, the Data Controller will delete it in a timely manner, at the request of users.
11) Data Controller, Manager and Agents
The Data Controller is Heko S.r.l., in the person of its pro tempore legal representative, with registered offices in Via Pontebbana, 9 – 33098, Valvasone Arzene (PN). The updated list of data processors and managers is kept at the Data Controller's headquarters.
12) Data Protection Officer
The Data Protection Officer (DPO) is not applicable to our organization.
13) Changes to this Notice
This Notice may change. It is therefore advisable to regularly review this Statement and refer to the most up-to-date version available on the website indicated above.
Valvasone Arzene, 28/05/2018