CIRCULAR LETTER ON PERSONAL DATA PROCESSING  PURSUANT TO ART. 13 OF REGULATION (EU) 2016/679  

www.clivet.com

Date of last update: 16/12/2022 

Clivet S.p.A., owner of the website www.clivet.com (hereinafter only the "Website"), hereby intends to provide information on how it manages the Website itself in relation to the processing and protection of personal data ("data") of the persons who browse the Website or who in any event contact Clivet S.p.A. in any of the ways envisaged on the Website (hereinafter "users" or "data subjects").

This document is a Circular Letter pursuant to Article 13 of European Regulation No. 679 of 27 April 2016 (hereinafter referred to as "GDPR") and is valid solely and exclusively for the Website and not for other websites or web pages that the user can access through interactive links found on the Website. Users are therefore invited to read the information on data processing provided by the owners of each website to which they may be redirected during browsing.

Please note that this Privacy Policy may be subject to change following the introduction of new legislation or as a result of changes to the Website, and users are therefore invited to occasionally check the "Privacy&Cookies" section of the Website.

This Circular Letter does not exclude the possibility that further information on the processing of personal data may also be given to the data subjects in a different manner or at a different time, e.g. by sending or making available specific information following, for example, the activation of, or request for a specific service (e.g. request for intervention/after-sales service, etc.).

1.    Identity and contact details of the Data Controller
The Data Controller of the processing of personal data for the purposes described in this Circular Letter is Clivet S.p.A., VAT no. and Tax Code: 00708410253, with registered office in Via Camp Lonc n. 25, CAP 32030, Loc. Villapaiera, Feltre (BL) (hereinafter also referred to as the "Controller" or "Company"). 

For all questions relating to the processing of data and the exercise of rights arising from the Regulation (on this point, see paragraph 10 below) and for any doubts or clarifications concerning this Policy, the data subject may contact the Controller by sending a registered letter with acknowledgement of receipt to the above address, or a message to the following e-mail address: privacy@clivet.it.

2.    Contact details of the Data Protection Officer (DPO)
We would like to inform you that the Data Controller has appointed a Data Protection Officer, who the data subject can contact via e-mail at: dpo@clivet.it.

3.    Purposes and lawful basis of the processing
Personal data collected through the Website are processed for the following purposes:
a.    to ensure proper functioning of the web pages and their content, and obtain statistical information on the use of the services; 
b.    to provide assistance/make contact with the user and/or in any case answer/follow up requests for information or assistance made by the user, in the manner envisaged on the Website (by way of example but not limited to: the "contact us" section, "request information", telephone contact, etc.), requesting the use of specific services (by way of example but not limited to: creation of a reserved account, request for participation in events, use of free tickets, etc.) and manage all activities related to the provision of the services requested;
c.    to assess applications for vacancies published in the 'Work with us' section or spontaneous applications sent by data subjects to the Company;
d.    to permit direct marketing by the Data Controller: to send to the data subject - by post, e-mail, text message, telephone calls with or without an operator or other means used by the Data Controller - information material, promotional, commercial and advertising communications or communications relating to the Data Controller's events and initiatives, and to carry out market research and satisfaction surveys concerning the Data Controller's services. Please note that if, while browsing the Website, the user consents to the use of profiling cookies (on this point, see the cookie policy in more detail), the Controller may send commercial communications, offers, invitations, etc. that are customised according to the profile and/or interests of the individual user (e.g. commercial communications and specific advertising campaigns, dedicated offers based on the user's profile, etc.);
e.    to allow the participation of the data subject in "Clivet University" training events (seminars, training courses, events, etc.) organised by or with the involvement of the Company, and to manage the activities related to the organisation of the event.

 We also inform you that:
●    in relation to the purposes referred to in point a) above, the legal basis lies in the legitimate interest of the Data Controller (Art. 6.1(f) GDPR) in ensuring the proper functioning and improvement of the Website;
●    in relation to the purposes referred to in point b) above, the legal basis lies, depending on the case: in the need to implement pre-contractual measures taken at the request of the data subject (Art. 6.1(b) GDPR); in the legitimate interest of the Data Controller (Art. 6.1(f) GDPR) consisting in the need to respond to the data subject's requests, taking into account the data subject's reasonable expectations;
●    in relation to the purposes referred to in point c) above, the legal basis for the processing of personal data is mainly that envisaged in Article 6(b) of the GDPR: 'processing is necessary for the performance of pre-contractual measures taken at the request of the data subject'. In the case of processing of data disclosing the health of the data subject, e.g. for the purpose of employing people belonging to protected categories, processing shall be carried out in accordance with Article 9(2)(b) of the GDPR: "Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or data subject in the field of employment, social security and social protection law in so far as it is authorised by Union or Member State law or by a collective agreement under Member State law, subject to appropriate safeguards for the fundamental rights and interests of the data subject." If the data subject voluntarily provides data that are not pertinent to the purpose of search and recruitment of personnel, the Data Controller shall refrain from processing such information, in compliance with the legislation in force;
●    in relation to the purpose referred to in point d), processing will be carried out only after obtaining the express consent of the data subject (Art. 6.1(a) of the GDPR), except for the cases of so-called "soft spam" as described below. Data subjects are informed that in Italy the Privacy Code (Art. 130(4) of Legislative Decree 196/2003 as amended) allows soft spam. This means that it is not necessary to obtain the explicit consent of the data subject to use the e-mail address provided with a previous purchase for the purpose of direct sales of services similar to those that the data subject has already purchased from the Controller, on condition that the data subject does not object to such use. It should be noted that the data subject may object to this processing at any time by contacting the Controller at the addresses mentioned in point 1) or by clicking on the relevant link to object to the receipt of e-mails with commercial content sent by the Controller that are considered to be unsolicited. 
●    in relation to the purposes referred to in point e), the legal basis lies, depending on the case: i) in the need to execute a contract to which the data subject is party or pre-contractual measures taken at the data subject's request (Art. 6.1(b) of the GDPR); ii) in the legitimate interest of the Data Controller (Art. 6.1(f) of the GDPR) (e.g. free events).

4.    Nature of data provision
The provision of data for the purposes referred to in letter a) above is optional and in any case necessary for the correct functioning and use of the Website. Any refusal to provide data in relation to the aforementioned purpose could therefore result in the impossibility of browsing the Website, viewing its content, and accessing the related services. The provision of data for the purposes referred to in letters b), c) and e) is optional; however, any refusal to provide data in relation to the aforementioned purposes will make it impossible to process your requests (e.g. obtaining information on products or services, etc.), to evaluate your application or to allow your participation in the Clivet University training event. The provision and consent to the processing of your data for the purposes referred to in letters d) is completely optional. Any refusal will make it impossible for the Data Controller to send you marketing material, but will not have any negative consequences with regard to the purposes referred to in letters a), b), and e).

5.    Type of data processed 
In pursuit of the purposes indicated above, the following categories of data will be processed: 
●    Browsing data: during their operation, the computer systems and software used for the functioning of the Website will acquire certain types of personal data whose transmission is implicit in the use of Internet communication protocols. These data are not collected to be associated with identified data subjects, but by their very nature could allow users to be identified through processing and association with data held by third parties. This category of data includes the IP addresses or domain names of the computers used by users connecting to the Website, the URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error etc.) and other parameters relating to the user's operating system and computer environment. These data are used solely to compile statistics on the use of the Website and to verify its correct operation. The data can be used to ascertain responsibility in the event of hypothetical computer crimes against the Website or other users, only at the request of the supervisory bodies in charge. The above information can be collected automatically through cookies and other similar technologies. For more information and to personalise your browsing choices, please refer to our cookie policy.
●    Data provided by the user: identification data (name, surname); contact data (telephone number, e-mail address, etc.); location data (address of residence/domicile); job/role/employer; etc. Any further personal data voluntarily provided in the compilation of data collection forms and/or through the voluntary sending of e-mails will be processed according to the principles of correctness, lawfulness and transparency, as well as in compliance with the principle of "minimisation", or by acquiring and processing the data limited to what is necessary for pursuit of the purposes. With specific reference to the collection of data in relation to any applications, both spontaneous and in response to vacancies published in the "Work with Us" section), the data collected consist of identification data (name, surname, place and date of birth, any photographs), contact data (address, telephone number, e-mail) and data relating to training, higher education, professional experience and technical knowledge of the data subject. Given the purpose of the processing (search and recruitment of personnel), data subjects are required to indicate in the Curriculum Vitae only the data necessary to assess their application and arrange for a possible interview, refraining from entering information not strictly relevant to the aforementioned purpose. It should be noted that further or specific information on the processing of personal data may be made available to the data subjects during the recruitment procedure.

6.    Processing methods
The processing of personal data will be carried out on paper and in electronic form, in compliance with the provisions on the protection of personal data and, in particular, with the appropriate technical and organisational measures referred to in Article 32.1 of the GDPR, and any precautionary measures that guarantee their integrity, confidentiality and availability. 

7.    Categories of recipients of data
Personal data will not be distributed unless required by law or regulation or EU legislation. The data will be processed, exclusively for the above purposes, by persons specifically authorised by the Data Controller, who have received specific operating instructions pursuant to Art. 29 of the GDPR. It should be noted that the data may be known by the other companies of the Midea Group, to which the Company belongs. Personal data may also be communicated, strictly for the purposes indicated above, to the following subjects or categories of subjects: 
a.    third parties and companies that provide services to the Data Controller, such as - by way of example - the management of the information system and telecommunications networks (including e-mail), the development and management of the Website, the sending of commercial communications, etc.; 
b.    studies, companies or professionals in the context of assistance and consultancy relationships;
c.    with regard to participation in Clivet University courses: professional and trade associations/schools/universities; area agencies, distributors; service providers for food, lodging and transport;
d.    technical service centres; area agencies;
e.    competent authorities for the fulfilment of legal obligations.
We also inform you that the subjects referred to in letter e) will process the data as independent Data Controllers. In relation to the categories of subjects referred to in letters a), b), c) and d), the Data Controller undertakes to rely exclusively on subjects who provide adequate guarantees regarding the protection of data, appointing them, where required by current legislation, Data Processors pursuant to Art. 28 of the GDPR. The list of Data Processors is available from the Data Controller and the data subject may view it on request.

8.    Transfer of personal data to third countries 
The data may be transferred to countries outside the European Union/EEA Area. In particular, the data may be transferred to the other companies of the Midea Group, to which the Data Controller belongs, as well as to the Midea Parent Company in China. The Data Controller guarantees that any transfer of personal data will take place in full compliance with the conditions set out in Chapter V of the GDPR (Articles 44 et seq.), in order to ensure that the level of protection afforded to natural persons by the GDPR is in no way affected. Any transfer will therefore only be made to those countries that the European Commission has judged can guarantee an adequate level of protection, in accordance with the provisions of Art. 44 of the GDPR or in compliance with particular set contractual clauses approved by the European Commission pursuant to Art. 46 of the GDPR, and only on condition that the recipient of the data provides adequate guarantees and that the data subjects have enforceable rights and effective remedies. In this case, the Data Subject is informed that he/she has the right to request a copy of the standard contractual clauses signed by the Data Controller. Any exceptions to the above will only occur in full compliance with Art. 49 of the GDPR.

9.    Retention period 
For each purpose of processing data (see point 3), the data retention period or the criterion for determining it is indicated below:
a)    for the purposes referred to in letter a) the data are processed for a period of time not exceeding that required to achieve the purposes for which the data are processed;
b)    the personal data collected in order to respond to the requests of users will be kept for the time necessary to provide the response and in any case for no longer than 5 years from the processing of the request, unless a contractual relationship is subsequently established, in which case the data will be kept for a period of 10 years from the termination of the relationship, in compliance with current legislation.  With specific reference to the creation of the Account, the data will be kept until the data subject requests cancellation of the Account or, in the event of non-use, after 6 month of inactivity of the Account;
c)    personal data relating to any applications will be kept for a period of 60 months from receipt of the curriculum vitae or from the first interview, if carried out. 
d)    for direct marketing activities, the data will be kept for a period of 5 years from the collection of consent, unless renewed; 
e)    Clivet University: the personal data provided will be retained for the entire duration of the chosen course and in any case up to the end of the related procedures. 
The personal data may be kept for longer if requested by the Public Administration or any other Juridical, governmental or ruling Body, or if this Company is involved in judicial procedures that entail processing of the data.

10.    Recognized rights of the data subject
The data subject may exercise the rights granted to him or her by the GDPR at any time, in the manner described in paragraph 1 above. In particular, the Data Subject has the following rights:

Right of access
The data subject may ask us whether or not we are processing any of his or her personal data and, if we are, may be granted access to a copy of such data. When the data subject requests access to such data, we will also provide additional information, such as the purposes of processing, the categories of personal data concerned, and any other information required for the data subject to exercise this right.

Right to rectification
The data subject has the right to request that his or her Data be rectified if inaccurate or incomplete. If requested, we will correct inaccurate personal data and supplement any incomplete data, taking into account the purpose of processing.

Right to erasure
The data subject has the right to request that his or her personal data be erased. The erasure of personal data can only take place in certain cases, listed in Article 17 of the GDPR. This includes cases in which the personal data of the data subject are no longer required for the initial purposes for which they were processed, and cases in which they have been processed unlawfully. In relation to how we provide certain services, we inform you that it may take some time before backup copies are erased. We also inform you that the Data Controller will, within the limits of the state of the art, erase the personal data of the data subject, unless the storage of the same is required by law.

Right to restriction of processing
The data subject has the right to obtain restriction of processing of his or her personal data, which means that we stop processing the data of the data subject for a certain amount of time. This right may apply to circumstances (Art. 18 of the GDPR) including situations in which the accuracy of personal data has been questioned, but it may take time to verify its (in)accuracy. If the data subject has obtained restriction of the processing of his or her data, we will inform him or her before this restriction is revoked.

Right to object
The data subject has the right to object to the processing of his or her personal data, which means that the data subject can ask us to stop processing such personal data for certain purposes (e.g. direct marketing). This right is only granted to the data subject under specific circumstances (Art. 21 of the GDPR) and, specifically, in cases in which the legal basis for processing is the Data Controller’s legitimate interest.

Right to Data Portability
The right to Data portability entails that the data subject may request us to provide his or her personal data in a structured, commonly used and machine-readable format, and may request that such data be transmitted directly to another Data Controller, provided this is technically feasible. 

Right to withdraw consent
The data subject has the right to withdraw his or her consent to the processing of personal data at any time, if the processing is based on his or her consent (e.g. direct marketing). In any case, the withdrawal of consent does not jeopardize the lawfulness of the processing based on the consent before the withdrawal.

11.     Right to lodge a complaint with the supervisory authority
The data subject also has the right to lodge a complaint with the supervisory authority, if he or she considers that the processing of his or her data violates the GDPR and/or current legislation on the processing of personal data. Please note that in Italy this Authority is represented by the Guarantor for the Protection of Personal Data, based in Rome. The data subject residing abroad may lodge complaints with the designated Supervisory Authorities in the country of residence.
        
12.     Inexistence of an automated decision-making process
The processing referred to in this Circular is not subject to automated decision-making processes.