CIRCULAR LETTER ON PERSONAL DATA PROCESSING PURSUANT TO ART. 13 OF THE GDPR - Reg. (EU) 2016/679 - Clivet Eye

Date of last update: 14 December 2021

The European General Data Protection Regulation No. 2016/679 (‘GDPR’) states that the party that processes personal data is required to inform the data subject (i.e., the person to whom the data refers) correctly, lawfully and transparently about certain matters related to processing, protecting the confidentiality and rights of the data subject. 

With this document (‘Circular letter’), we intend to inform data subjects, in accordance with Art. 13 of the GDPR, that their personal data (‘Data’) will be processed by Clivet S.p.A. (hereinafter, the ‘Owner’ or ‘us’) via Clivet Eye and related Services, as defined hereinafter. 

Clivet Eye is a Cloud monitoring system (‘System’) developed by Clivet S.p.A., a company that is part of the Midea Group, which can be used to always keep Clivet appliances (‘Appliance’) under control via PC, tablet and mobile phone, through the dedicated website www.cliveteye.com (‘Portal’) or via the Clivet Eye App (‘App’). The System can be activated at any time and for as long as necessary by installing an Internet connection device in the Appliance, via sim card or Ethernet cable. 

Clivet Eye enables the user to remotely control and manage the unit, to monitor the operating levels of the Appliance and send service messages to the user, such as status notifications and alerts or information regarding new features and the operating levels of the Appliance (hereinafter, for the sake of brevity, the use of the System by the data subject and provision to the latter of the above-mentioned services will be referred to as ‘Services’). 

This Circular Letter does not rule out the possibility that additional information on the processing of the Data may be provided in other ways, including sending specific information after activation or after requesting certain services.

1. IDENTITY AND CONTACT DETAILS OF THE DATA CONTROLLER 
With reference to the processing of the Data referred to in this Circular Letter, Clivet S.p.A., VAT No. 00708410253, with registered office in Via Camp Lonc, n. 25 - 32032 Z.I. Villapaiera, Feltre (Belluno), Italy (‘Clivet’) acts as the Data Controller.
The data subject may contact the Data Controller at any time, for any queries or clarifications concerning this Circular Letter or to exercise the rights referred to in point 10 below, by e-mailing privacy@clivet.it or by sending a registered letter to Clivet’s registered office, which is specified above, for the attention of the Privacy contact person.

2. CONTACT DETAILS OF THE DATA PROTECTION OFFICER (DPO)
We would like to inform you that the Data Controller, Clivet S.p.A., has appointed a Data Protection Officer, who can be reached via e-mail at: dpo@clivet.it 

3. THE DATA AND INFORMATION WE PROCESS
In order to provide the Services, we collect and process the following information and Data:

a) Personal data
In order for the Services to be provided, the data subjects, when connecting the Appliance to Clivet Eye, must create a user account (‘System Activation’) via the Portal or the App. The information to be entered into the account includes personal details, namely, general Data (such as e-mail address, physical address, etc.). Mandatory fields for creating an account are clearly marked.

b) Technical data 
Once System Activation is complete, we automatically collect some technical information about the Appliance. This information includes, among other things, the model and serial number, software version, status and condition of the Appliance, power consumption, configuration settings, wear and tear warnings and error codes, temperature values, and the fluid flow rate. After being collected and transmitted to our servers, this information is stored as set out in this Circular Letter. Please note that, as per applicable legislation, the information mentioned above does not normally comprise any personal data. Nevertheless, we undertake to always process such information with the utmost confidentiality and under the terms described in this Circular Letter.

4. PURPOSES AND LEGAL BASES OF PROCESSING 

a) To provide the Services
We process the information and the Data specified in section 3 a) and b) in order to:
▪    provide the user with a service that allows the Appliance to be remotely controlled; 
▪    monitor the operating levels of the Appliance;
▪    send the user, unless the latter has disabled the dedicated feature, service messages, such as status notifications and alerts or information regarding new features and the operating levels of the Appliance;
▪    provide technical support for the System or Appliance, if requested by the user. In this case, if necessary to provide the requested service, the Data Controller may disclose the information and the Data to qualified personnel (such as service centres). The Data will be processed in accordance with the ‘Intervention reports’, which can be found in the privacy section on www.clivet.it.
For the above-mentioned purposes, processing of the Data complies with the requirements of Art. 6.1   (b) of the GDPR, which states that processing is necessary for the performance of a contract to which the data subject is party.

b) To improve the Services and Appliances
We may process the information and the Data specified in section 3 a) and b) in order to improve the Services and Appliances. 
Specifically, we will combine and analyse information and the Data to conduct research and process statistics, also anonymously, which will allow us to improve our Services and Appliances and to offer our customers a better service. 
Should it be impossible to render the Data anonymous, it will be processed for the purposes of our legitimate interest – pursuant to Art.  6.1  (f) of the GDPR – which reflects the need to improve our Appliances and our customers’ satisfaction.
In order to ensure that the above-mentioned processing pursues our legitimate interest, we have previously weighed such interest against the data subject’s interest in confidentiality, in accordance with Art.  6.1  (f) of the GDPR and by taking into due consideration the data subject’s reasonable expectations arising from the relationship with the Data Controller, as set out in Recital No.  47 of the GDPR. 
Please be informed that you also have the right to object at any time, for any reason relating to your specific situation (see also point 10 below), to processing for the purposes of our legitimate interest.

5. CATEGORIES OF RECIPIENTS OF DATA
The Data will not be generally disclosed. The Data may be disclosed within Clivet S.p.A. and may only be processed by authorised personnel (e.g. employees, associates of the Data Controller) or, outside of Clivet S.p.A., by parties appointed as Data Processors in accordance with Art. 28 of the GDPR or, if relevant, by parties who are authorised to access the Data in their capacity as independent Data Controllers. The list of data processors is kept at the headquarters of Clivet S.p.A. and is available for consultation on the data subject’s request.

6. DATA TRANSFER
The Data are not transferred to non-EU/EEA countries. 

7. NATURE OF THE PROVISION OF DATA AND CONSEQUENCES OF REFUSAL
In order to be able to offer the Services, it is necessary to provide the Data. If you refuse to provide us all or part of the Data, it will be impossible for us to provide the Services.

8. PROCESSING METHODS
The Data are processed electronically or in paper form, and in such a way as to ensure security and confidentiality. Please note that the processing referred to in this Circular Letter does not involve automated decision-making processes.

9. RETENTION PERIOD OF THE DATA
The Data are retained for no longer than the time required to fulfil the purposes for which they are collected and processed. The Data may be retained for longer periods of time, where necessary in order to comply with legal obligations, to fulfil legitimate requests made by Authorities or to settle disputes concerning the processing of the Data.
If the data subject should ask us to delete his or her account, the latter will be deactivated. From then on, the user will no longer be able to remotely control the Appliance and use the Services. Nevertheless, the information gathered using the System may still be processed by the Data Controller for the purposes set out in point 4 b). 

10. RECOGNISED RIGHTS OF THE DATA SUBJECT
The data subject may exercise the rights granted to him or her by the GDPR against the Data Controller at any time. Specifically, by e-mailing privacy@clivet.it or sending a registered letter (for the attention of the privacy contact person) to the registered office at Via Camp Lonc, n. 25 – 32032 Z.I.  Villapaiera, Feltre (Belluno), Italy, the data subject may exercise the following rights:

Right of access
The data subject may ask us whether or not we are processing his or her personal data and, if we are, may be granted access to a copy of such data. In fulfilling a request to access such data, we will also provide additional information, such as the purposes of processing, the categories of personal data concerned, and any other information required to exercise the relevant right. 

Right to rectification
The data subject has the right to request that the Data be rectified if inaccurate or incomplete. If requested, we will correct inaccurate personal data and supplement any incomplete Data, taking into account the purpose of processing. 

Right to erasure
The data subject also has the right to request that his or her personal data be erased. The Data can only be erased in certain cases, as mandated by law and listed in Art. 17 of the GDPR. This includes cases in which personal data are no longer required for the initial purposes for which they were processed, and cases in which they have been processed in an unlawful manner. For the type of Services referred to in this Circular Letter, please be advised that it may take some time for backup copies to be erased.

Right to restriction of processing
The data subject has the right to obtain restriction of processing of his or her personal data, which means that we can stop processing the Data for a certain amount of time. This right may apply to circumstances (Art. 18 of the GDPR) including situations in which the accuracy of personal data has been questioned, but we may need time to verify its (in)accuracy. This right does not prevent us from continuing to store personal data. We will in any case inform the data subject before the restriction is lifted. 

Right to object
The data subject also has the right to object to the processing of his or her personal data, which means that the data subject can ask us to stop processing such personal data. This right is only granted under specific circumstances (Art. 21 of the GDPR) and, specifically, in cases in which the legal basis for processing is the Data Controller’s legitimate interest.

Right to data portability
The right to Data portability entails that the data subject may request us to provide his or her personal data in a structured, commonly used and machine-readable format, and may also request that such data be transmitted directly to another Data Controller, provided this is technically feasible.

11. RIGHT TO LODGE A COMPLAINT WITH THE SUPERVISORY AUTHORITY
The data subject may also apply to the relevant Supervisory authority for the protection of personal data if he or she has reason to believe that his or her Data are being processed in violation of his or her rights or of the applicable legislation. The data subject may exercise this right in accordance with the complaint procedures laid down by each National supervisory authority, which are available at: https://www.garanteprivacy.it/web/guest/home/footer/link 

12. CHANGES AND UPDATES TO THE CIRCULAR LETTER
This Circular Letter is regularly updated. We will notify the data subjects of any changes by sharing the updated Policy as we deem appropriate (e.g. by posting it on the Site or with a notification via the APP).