pursuant to Art. 13 and 14 EU Regulation 2016/679
Dear Data Subject,
Vectorium Holding SLP. considers the protection of the personal data of its customers and users, actual and/or potential, to be of fundamental importance.
With this document (hereafter, the “Information”), we intend to renew our commitment to ensure that the processing of personal data carried out in any way, both automated and manual, takes place in full compliance with the protections and rights recognized by Regulation (EU) 2016/679 (hereafter, “GDPR” or “Regulation”) and by the additional applicable rules on the protection of personal data.
The term personal data refers to the definition contained in art. 4 co. 1 of the Regulation, i.e. “any information concerning an identified or identifiable individual; the individual who can be identified, directly or indirectly, with particular reference to an identifier such as name, identification number, location data, an online identifier or one or more elements characteristic of his physical, physiological, genetic, psychic, economic, cultural or social identity” (hereafter, “Personal Data”) is considered identifiable.
The Regulation provides that, before proceeding to the processing of Personal Data – with this term having to understand, according to the relative definition contained in art. 4 co. 2 of the Regulation, “any operation or set of operations, carried out with or without the aid of automated processes and applied to personal data or sets of personal data, such as collection, registration, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of provision, comparison or interconnection, limitation, deletion or destruction” (hereafter, the “Processing”) – the person to whom such Personal Data belongs must be informed about the reasons why such data are requested and how it will be used.
In this regard, this Information – written based on the principle of transparency and inclusive of all the elements required by art. 13 of the Regulation – is intended to provide you simply and intuitively with all the useful and necessary information so that you can confer your Personal Data in a conscious and informed way and, at any time, exercise your rights.
A. THE DATA CONTROLLER
The company that will process your Personal Data for the purposes referred to in Section C of the Policy and which, therefore, will play the role of data controller according to the relative definition contained in art. 4 co. 7 of the Regulation, i.e., “the individual or legal person, public authority, service or other body which, individually or together with others, determines the purposes and means of processing personal data” is:
- Vectorium Holding SLP (below, the “Controller”), with registered office in 34, Rue Notre Dame – Luxembourg (below, the “Headquarters”).
B. CONTACTS OF THE PROCESSOR FOR THE PROTECTION OF PERSONAL DATA
In order to facilitate relations between you, as a data subject, i.e., the “identified or identifiable individual” to whom personal data refer pursuant to art. 4 co. 1 of the Regulation (below, the “Data Subject”) and the Data Controller, the Regulation has provided, in some specific cases, for the appointment of a control and support figure who, among the various tasks entrusted, also acts as a point of contact with the Data Subject.
The Data Protection Officer has adopted this figure of “data protection officer”, so-called “Data Protection Officer”, identifying and appointing, in accordance with art. 37 of the Regulation, SAPG Legal Tech S.r.l. (hereafter, the “DPO”).
The DPO, pursuant to and for the effects referred to in Art. Under Rule 39 of the Rules of Procedure, you are called upon to carry out, among other things, the following activities:
- inform and advise the Data Controller as well as the employees who carry out the Processing operations regarding the obligations deriving from the Regulation or other provisions of the Union or member states relating to the protection of Personal Data;
- monitor and supervise compliance with the Regulations, applicable regulations regarding the protection of Personal Data as well as the policies and procedures adopted by the Data Controller;
- provide support in the feedback to the Data Subject;
- cooperate with the competent Data Protection Authority.
As required by art. 38 of the Regulation, you can freely contact the DPO for all matters related to the Processing of your Personal Data and/or if you wish to exercise your rights as provided for in Section G of this Policy, sending a written communication to the e-mail: firstname.lastname@example.org.
C. PURPOSE AND LEGAL BASIS OF THE PROCESSING
The Processing of your Personal Data will be conducted by the Data Controller to allow you, therefore, to get in touch with the company, send requests for information, download free resources, buy courses and products as well as take advantage of all the other services offered from time to time by the Site in which you are browsing.
In order to allow the Data Controller to carry out the Processing activities for the above purposes, it will be necessary to provide personal data marked with the symbol [*].
Such processing will be lawful under art. 6(1)(b) of the Regulation.
In the absence of the provision of even one of the marked data, it will not be possible to proceed with the processing of your Personal Data, consequently, and it will not be possible to provide you with the information and services requested.
The Personal Data that will be requested for the pursuit of the above purposes, will be those reported in the registration and/or contact form and/or purchase form or, but not limited to: name, surname, e-mail address, shipping address, telephone numbers of fixed and /or mobile users.
Personal Data relating to your health and, in general, particular categories of personal data referred to in art. 9 of the Regulation are not processed.
In addition to the above purposes, your Personal Data may be processed for promotional activities of the products and services provided by the Data Controller, in order to provide you with a better service, promote products and services of interest to you sold and/or provided by Archypelagus (or Vectorium).
Concerning the purpose of direct marketing, it should be pointed out that, pursuant to Art. 6 co. 1 (f) of the Rules of Procedure and Art. 130 co. 4 Privacy Code (so-called soft spam exception), the Data Controller may carry out this activity based on his legitimate interest, regardless of your explicit consent and in any case up to your opposition or limitation (in accordance with section F-lit. d) and f) of the Information) to such Processing, as best explained in recital 47 of the Regulation, in which it is “considered the legitimate interest of the data controller to process personal data for direct marketing purposes”.
This will be possible following the assessments made by the Data Controller regarding the possible prevalence of your fundamental interests, rights and freedoms that require the protection of Personal Data on their legitimate interest in sending direct marketing communications.
Moreover, you can legitimately and at any time object to the receipt of promotional communications, without this in any way prejudicing the processing for the other purposes.
The contact methods aimed at direct marketing activities can be both automated and traditional (providing in some cases calls from our operators, according to your specific requests). In any case, as in the following best specified in Section F of this Policy, you can also partially oppose it (for example by consenting only to traditional contact methods).
D. SUBJECTS TO WHOM YOUR PERSONAL DATA MAY BE DISCLOSED
Your Personal Data may be communicated to specific subjects considered recipients of such Personal Data. It is for the national court to determine whether, in the light of the circumstances of the case, 4 co. 9 of the Regulation defines as the Recipient of a Personal Data “the individual or legal person, the public authority, the service or another body that receives communication of personal data, whether or not it is a third party” (hereafter, the “Recipients”).
With this in mind, in order to correctly carry out all the Processing activities necessary to pursue the purposes referred to in this Policy, the following Recipients may be in a position to process your Personal Data:
- third parties who carry out part of the processing activities and/or activities related to and instrumental to them on behalf of the Data Controller. These subjects have been appointed Data Processors pursuant to art. 28 GDPR, having to be understood individually by that phrase, pursuant to art. 4. 8 of the Regulation, “the individual or legal person, public authority, service or other body that process Personal Data on behalf of the Data Controller” (hereafter, the “Data Processor”);
- individuals, employees and/or collaborators of the Data Controller, to whom specific and/or multiple processing activities have been entrusted on your Personal Data. These individuals have been given specific instructions regarding the security and correct use of Personal Data – also through specific training activities – and are defined, in accordance with art. 4 co. 10 of the Regulation, “persons authorized to process Personal Data under the direct authority of the Data Controller or Data Processors” (hereafter, the “Authorized Persons”).
Where required by law or to prevent or repress the commission of a crime, your Personal Data may be communicated to public bodies or the judicial authority without these being defined as Recipients. In fact, under Article 10 of the Directive, the Commission is not in a state of law. 4 co. 9 of the Regulation, “public authorities that may receive communication of Personal Data as part of a specific investigation in accordance with Union or Member State law shall not be considered Recipients”.
E. TREATMENT TIME
One of the principles applicable to the Processing of your Personal Data concerns the limitation of the retention period, regulated by art. 5, co. 1-point (c) of the Regulation which states “Personal Data shall be kept in a form that allows the identification of the Data Subjects for a period of time not exceeding the achievement of the purposes for which they are processed; Personal Data may be stored for longer periods provided that they are processed exclusively for the purposes of archiving in the public interest, scientific or historical research or for statistical purposes, in accordance with art. 89(1), without prejudice to the implementation of appropriate technical and organizational measures required by this Regulation to protect the rights and freedoms of the Data Subject”.
In the light of this principle, your Personal Data will be processed by the Data Controller limited to what is necessary for the pursuit of the purpose referred to in Section C of the Information.
In particular, your Personal Data will be processed for a period of time equal to the minimum necessary, as indicated by recital 39 of the Regulation, that is, until the termination of the existing relationships between you and the Data Controller regarding your requests for information, without prejudice to the legitimate interest of the Data Controller referred to in recital 47 of the Regulation as well as a further retention period that may be imposed by legal rules as also provided for in Recital 65 of the Regulation.
G. RIGHT TO MAKE A COMPLAINT TO THE SUPERVISORY AUTHORITY
Without prejudice to your right to appeal in any other administrative or judicial body, if you believe that the Processing of your Personal Data conducted by the Data Controller takes place in violation of the Rules and/or applicable legislation, you may lodge a complaint with the competent Data Protection Authority. To exercise all your rights as identified above, simply contact the Data Controller in the following ways:
- sending an email to the DPO’s e-mail email@example.com;
- sending an email to the Controller at the box firstname.lastname@example.org registered letter to the Controller’s Office.
H. PLACES OF TREATMENT
Your Personal Data will be processed by the Data Controller within the territory of the European Union.
If for technical and/or operational reasons it is necessary to use subjects located outside the European Union, we inform you now that these subjects will be appointed Data Processors pursuant to and for the effects referred to in art. 28 of the Regulation and the transfer of your Personal Data to such subjects, limited to the performance of specific Processing activities, will be regulated in accordance with the provisions of Chapter V of the Regulation.
All necessary precautions will therefore be taken in order to guarantee the total protection of your Personal Data based on this transfer: a) on adequacy decisions of the recipient third countries expressed by the European Commission; b) adequate guarantees expressed by the third party addressee pursuant to Rule 46 of the Rules of Procedure; c) on the adoption of binding corporate rules, so-so-necessary binding corporate rules; d) adopting standard contractual clauses approved by the European Commission.
In any case, you can request more details from the Data Controller if your Personal Data has been processed outside the European Union requesting evidence of the specific guarantees adopted.