Mme/ Dear Sir,
We would like to inform you that the European Data Protection Regulation No. 2016/679 (“GDPR”) states that the entity that processes personal data is obliged to inform the data subject (i.e., the person to whom the data refers) regarding some qualifying elements of the processing, which has to be performed with correctness, lawfulness and transparency, protecting the confidentiality and rights of the data subjects themselves. In compliance with Art. 13 of aforesaid Regulation, we are relaying the following information.
1. Data Controller and Data Protection Officer
The Data Controller is CLIVET S.p.A., based in Villapaiera – Feltre (BL), Via Camp Lonc 25, TAX and VAT CODE 00708410253. For the purpose of the exercise of the rights provided by the Regulation and for any other request regarding your personal data, you may address the Data Controller, by sending a communication to the electronic mail address email@example.com.
The Data Protection Officer is Atty. Susanna Greggio, e-mail: firstname.lastname@example.org, tel. 0444547317
2. Purposes and lawful basis of the processing
The data is gathered and processed exclusively for the first operations of the CLIVET machines and for any aftersales repairs and assistance. The lawful basis is therefore that referred to in Art. 6 c. 1 letter b) (“the processing is necessary for the performance of a contract in which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract”) and/or letter c) (“the processing is necessary for compliance with a legal obligation to which the controller is subject”) of the GDPR.
3. Categories of data gathered and processing methods
The data gathered for the aforesaid purposes are common personal data such as: name, surname, address, telephone number. These are processed, exclusively by processors authorised by CLIVET SPA, with automated and non-automated tools, and with methods that ensure the safety and confidentiality of the data. The provisions of the data are obligatory for the aforesaid purposes.
The refusal to provide part or all of your personal data, will imply the impossibility on our part to perform the activities indicated under “purposes.” The personal data referred to in this circular letter is not processed through automated decision-making processes.
4. Recipients of the data gathered
For the abovementioned purposes, the data may be disclosed or made accessible to:
a) Employees or collaborators of the Data Controller, the Authorised entity in charge of processing;
b) Companies that are part of the Midea Group
c) Third-party companies engaged in outsourcing activities on behalf of the Data Controller,
or who process data on behalf of the Data Controller, in their capacity as Data Processors, also when this reveals to be necessary to fulfil an obligation provided by law, a regulation or Union norm.
5. Retention period
The personal data you furnish will be retained for the time necessary to fulfil the purposes referred to in point 2 and therefore, in compliance with the prescription terms provided in Italy, 10 years and 6 months from the sale of the machine by Clivet or from the expiry of the warranty term of the product supplied by CLIVET, except for interruptive events of the prescription itself. A longer data retention period may be determined by requests formulated by the Public Administration or another legal, governmental or regulatory Body or by the involvement of this company in law proceedings that entail the processing of the personal data you furnish.
6. Possible transfer of data to Third Countries
The data shall be prevalently processed in Italy or however within the European Union, however some processing activities could be performed in countries outside the EU. In such case, CLIVET S.p.A. ensures that the transfer of the data will be to Countries which the European Commission has retained to guarantee an adequate level of protection or after the stipulation of standard contract clauses approved by the Commission itself, in conformity with the provisions of Article 44 and subsequent amendments, of the GDPR.
Possible transfers from the parent company, Midea, to other companies of the group established outside the EU shall be performed adopting the same procedures in matters of personal data processing (Corporate Binding Rules approved by the competent Supervisory Authority). Any exceptions to the above may be performed only in compliance with Art. 49 of the GDPR.
7. Data subject’s rights
The data subject has the right to obtain from the Data Controller, access to the personal data. In particular, the data subject has the right to obtain: a) information on the origin of the personal data, the purposes and methods of the processing, the logic applied in case of processing performed with the use of electronic tools; b) the update or rectification; c) the erasure or restriction of the processing of his or her own data (transformation in anonymous form, blocking of data processed in breach of law, including those for which retention is not necessary in relation to the purposes for which the data was gathered or subsequently processed); d) the portability of the data processed in a structured manner. The data subject is entitled to lodge a complaint to the Data Protection Authority, represented in Italy by the Italian Personal Data Protection Authority, based in Rome, Piazza Monte Citorio, 121.