Privacy Policy

pursuant to Art. 13 and 14 EU Regulation 2016/679

Dear Data Subject,

Vectorium Holding SLP. considers the protection of the personal data of its customers and users, actual and/or potential, to be of fundamental importance.

With this document (hereafter, the “Information”), we intend to renew our commitment to ensure that the processing of personal data carried out in any way, both automated and manual, takes place in full compliance with the protections and rights recognized by Regulation (EU) 2016/679 (hereafter, “GDPR” or “Regulation”) and by the additional applicable rules on the protection of personal data.

The term personal data refers to the definition contained in art. 4 co. 1 of the Regulation, i.e. “any information concerning an identified or identifiable individual; the individual who can be identified, directly or indirectly, with particular reference to an identifier such as name, identification number, location data, an online identifier or one or more elements characteristic of his physical, physiological, genetic, psychic, economic, cultural or social identity” (hereafter, “Personal Data”) is considered identifiable.

The Regulation provides that, before proceeding to the processing of Personal Data – with this term having to understand, according to the relative definition contained in art. 4 co. 2 of the Regulation, “any operation or set of operations, carried out with or without the aid of automated processes and applied to personal data or sets of personal data, such as collection, registration, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of provision, comparison or interconnection, limitation, deletion or destruction” (hereafter, the “Processing”) – the person to whom such Personal Data belongs must be informed about the reasons why such data are requested and how it will be used.

In this regard, this Information – written based on the principle of transparency and inclusive of all the elements required by art. 13 of the Regulation – is intended to provide you simply and intuitively with all the useful and necessary information so that you can confer your Personal Data in a conscious and informed way and, at any time, exercise your rights.

A. THE DATA CONTROLLER

The company that will process your Personal Data for the purposes referred to in Section C of the Policy and which, therefore, will play the role of data controller according to the relative definition contained in art. 4 co. 7 of the Regulation, i.e., “the individual or legal person, public authority, service or other body which, individually or together with others, determines the purposes and means of processing personal data” is:

  • Vectorium Holding SLP (below, the “Controller”), with registered office in 34, Rue Notre Dame – Luxembourg (below, the “Headquarters”).

B. CONTACTS OF THE PROCESSOR FOR THE PROTECTION OF PERSONAL DATA

In order to facilitate relations between you, as a data subject, i.e., the “identified or identifiable individual” to whom personal data refer pursuant to art. 4 co. 1 of the Regulation (below, the “Data Subject”) and the Data Controller, the Regulation has provided, in some specific cases, for the appointment of a control and support figure who, among the various tasks entrusted, also acts as a point of contact with the Data Subject.

The Data Protection Officer has adopted this figure of “data protection officer”, so-called “Data Protection Officer”, identifying and appointing, in accordance with art. 37 of the Regulation, SAPG Legal Tech S.r.l. (hereafter, the “DPO”).

The DPO, pursuant to and for the effects referred to in Art. Under Rule 39 of the Rules of Procedure, you are called upon to carry out, among other things, the following activities:

  • inform and advise the Data Controller as well as the employees who carry out the Processing operations regarding the obligations deriving from the Regulation or other provisions of the Union or member states relating to the protection of Personal Data;
  • monitor and supervise compliance with the Regulations, applicable regulations regarding the protection of Personal Data as well as the policies and procedures adopted by the Data Controller;
  • provide support in the feedback to the Data Subject;
  • cooperate with the competent Data Protection Authority.

As required by art. 38 of the Regulation, you can freely contact the DPO for all matters related to the Processing of your Personal Data and/or if you wish to exercise your rights as provided for in Section G of this Policy, sending a written communication to the e-mail: dpo.privacy@sapglegal.com.

C. PURPOSE AND LEGAL BASIS OF THE PROCESSING

The Data Controller, in order to allow your registration on his website www.vectorium.co (below, the “Site”) – in the sections where it is possible to register and/or send requests for information using the contact forms and/or registration to the newsletter service – collects some of your Personal Data as well as browsing data (also through cookies) in accordance with the Cookie Policy present on the Site and available at the following link.

The Processing of your Personal Data will be conducted by the Data Controller to allow you, therefore, to get in touch with the company, send requests for information, download free resources, buy courses and products as well as take advantage of all the other services offered from time to time by the Site in which you are browsing.

In order to allow the Data Controller to carry out the Processing activities for the above purposes, it will be necessary to provide personal data marked with the symbol [*].

Such processing will be lawful under art. 6(1)(b) of the Regulation.

In the absence of the provision of even one of the marked data, it will not be possible to proceed with the processing of your Personal Data, consequently, and it will not be possible to provide you with the information and services requested.

The Personal Data that will be requested for the pursuit of the above purposes, will be those reported in the registration and/or contact form and/or purchase form or, but not limited to: name, surname, e-mail address, shipping address, telephone numbers of fixed and /or mobile users.

Personal Data relating to your health and, in general, particular categories of personal data referred to in art. 9 of the Regulation are not processed.

In addition to the above purposes, your Personal Data may be processed for promotional activities of the products and services provided by the Data Controller, in order to provide you with a better service, promote products and services of interest to you sold and/or provided by Archypelagus (or Vectorium).

Concerning the purpose of direct marketing, it should be pointed out that, pursuant to Art. 6 co. 1 (f) of the Rules of Procedure and Art. 130 co. 4 Privacy Code (so-called soft spam exception), the Data Controller may carry out this activity based on his legitimate interest, regardless of your explicit consent and in any case up to your opposition or limitation (in accordance with section F-lit. d) and f) of the Information) to such Processing, as best explained in recital 47 of the Regulation, in which it is “considered the legitimate interest of the data controller to process personal data for direct marketing purposes”.

This will be possible following the assessments made by the Data Controller regarding the possible prevalence of your fundamental interests, rights and freedoms that require the protection of Personal Data on their legitimate interest in sending direct marketing communications.

Moreover, you can legitimately and at any time object to the receipt of promotional communications, without this in any way prejudicing the processing for the other purposes.

The contact methods aimed at direct marketing activities can be both automated and traditional (providing in some cases calls from our operators, according to your specific requests). In any case, as in the following best specified in Section F of this Policy, you can also partially oppose it (for example by consenting only to traditional contact methods).

D. SUBJECTS TO WHOM YOUR PERSONAL DATA MAY BE DISCLOSED

Your Personal Data may be communicated to specific subjects considered recipients of such Personal Data. It is for the national court to determine whether, in the light of the circumstances of the case, 4 co. 9 of the Regulation defines as the Recipient of a Personal Data “the individual or legal person, the public authority, the service or another body that receives communication of personal data, whether or not it is a third party” (hereafter, the “Recipients”).

With this in mind, in order to correctly carry out all the Processing activities necessary to pursue the purposes referred to in this Policy, the following Recipients may be in a position to process your Personal Data:

  • third parties who carry out part of the processing activities and/or activities related to and instrumental to them on behalf of the Data Controller. These subjects have been appointed Data Processors pursuant to art. 28 GDPR, having to be understood individually by that phrase, pursuant to art. 4. 8 of the Regulation, “the individual or legal person, public authority, service or other body that process Personal Data on behalf of the Data Controller” (hereafter, the “Data Processor”);
  • individuals, employees and/or collaborators of the Data Controller, to whom specific and/or multiple processing activities have been entrusted on your Personal Data. These individuals have been given specific instructions regarding the security and correct use of Personal Data – also through specific training activities – and are defined, in accordance with art. 4 co. 10 of the Regulation, “persons authorized to process Personal Data under the direct authority of the Data Controller or Data Processors” (hereafter, the “Authorized Persons”).

Where required by law or to prevent or repress the commission of a crime, your Personal Data may be communicated to public bodies or the judicial authority without these being defined as Recipients. In fact, under Article 10 of the Directive, the Commission is not in a state of law. 4 co. 9 of the Regulation, “public authorities that may receive communication of Personal Data as part of a specific investigation in accordance with Union or Member State law shall not be considered Recipients”.

E. TREATMENT TIME

One of the principles applicable to the Processing of your Personal Data concerns the limitation of the retention period, regulated by art. 5, co. 1-point (c) of the Regulation which states “Personal Data shall be kept in a form that allows the identification of the Data Subjects for a period of time not exceeding the achievement of the purposes for which they are processed; Personal Data may be stored for longer periods provided that they are processed exclusively for the purposes of archiving in the public interest, scientific or historical research or for statistical purposes, in accordance with art. 89(1), without prejudice to the implementation of appropriate technical and organizational measures required by this Regulation to protect the rights and freedoms of the Data Subject”.

In the light of this principle, your Personal Data will be processed by the Data Controller limited to what is necessary for the pursuit of the purpose referred to in Section C of the Information.

In particular, your Personal Data will be processed for a period of time equal to the minimum necessary, as indicated by recital 39 of the Regulation, that is, until the termination of the existing relationships between you and the Data Controller regarding your requests for information, without prejudice to the legitimate interest of the Data Controller referred to in recital 47 of the Regulation as well as a further retention period that may be imposed by legal rules as also provided for in Recital 65 of the Regulation.

F. RIGHTS

As required by art. 15 of the Regulation, you can access your Personal Data, request its rectification and updating, if incomplete or incorrect, request its deletion if the collection has taken place in violation of a law or regulation, as well as oppose the Processing for legitimate and specific reasons. In particular, we will report below all your rights that you can exercise, at any time, towards the Data Controller: a. RIGHT OF ACCESS You will have the right, pursuant to art. 15 co. 1 of the Regulation, to obtain from the Data Controller confirmation that a Processing of your Personal Data is in progress and, in this case, to obtain access to such Personal Data and the following information: a) the purposes of the Processing; b) the categories of Personal Data in question; c) the Recipients or categories of Recipients to whom your Personal Data has been or will be communicated, in particular if recipients of third countries or international organizations; d) where possible, the expected retention period of Personal Data or, if not possible, the criteria used to determine that period; e) the existence of the right of the Data Subject to ask the Data Controller to rectify or delete Personal Data or limit the Processing of Personal Data concerning him or to oppose their Processing; (f) the right to lodge a complaint with a supervisory authority; g) if personal data is not collected from the Data Subject, all available information about their origin; (h) the existence of an automated decision-making process, including the profiling referred to in Art. 22 paragraphs 1 and 4 of the Regulation and, at least in such cases, significant information on the logic used as well as the importance and expected consequences of such processing for the Data Subject. All this information can be found within this Policy that will always be at your disposal within the Privacy Policy section of the Site.  b. RIGHT OF RECTIFICATION You can obtain, pursuant to Article 16 of the Regulation, the rectification of your Personal Data that is inaccurate. Taking into account the purposes of the Processing, you can also obtain the integration of your Personal Data that are incomplete, also providing a supplementary declaration.  c. RIGHT TO CANCELLATION You may obtain, pursuant to Art. 17 co. 1 of the Regulation, the deletion of your Personal Data without undue delay and the Data Controller will have the obligation to delete your Personal Data, if there are even one of the following reasons: a) Personal Data are no longer necessary with respect to the purposes for which they were collected or otherwise processed; b) you have opposed the Processing pursuant to art. 21 co. 1 or 2 of the Regulation and there is no longer any prevailing legitimate reason to proceed with the processing of your Personal Data; c) your Personal Data has been illegally processed; d) it is necessary to delete your Personal Data in order to comply with a legal obligation provided for by a Community or domestic law rule. In some cases, as required by art. 17 co. 3 of the Regulation, the Data Controller is entitled not to provide for the deletion of your Personal Data if their Processing is necessary, for example, for the exercise of the right to freedom of expression and information, for the fulfillment of a legal obligation, for reasons of public interest, for the purposes of archiving in the public interest, scientific or historical research or for statistical purposes, for the verification, exercise or defense of a right in court.  d. RIGHT TO LIMITATION OF PROCESSING You may obtain the limitation of the Processing, pursuant to art. 18 of the Regulation, in the event that one of the following hypotheses occurs: a) you have disputed the accuracy of your Personal Data (the limitation will last for the period necessary for the Data Controller to verify the accuracy of such Personal Data); b) the Processing is illegal but you have opposed the deletion of your Personal Data asking, instead, that its use be limited; c) although the Data Controller no longer needs it for the purposes of processing, your Personal Data serves for the assessment, exercise or defense of a right in court; d) you have opposed the Processing pursuant to art. 21 co. 1 of the Rules of Procedure and you are waiting for verification regarding the possible prevalence of the legitimate reasons of the Data Controller over yours. In case of limitation of the Processing, your Personal Data will be processed, except for storage, only with your consent or for the verification, exercise or defense of a right in court or to protect the rights of another individual or legal person or for reasons of relevant public interest. We will inform you, in any case, before this limitation is lifted.  e. RIGHT TO DATA PORTABILITY You may, at any time, request and receive, pursuant to Art. 20 co. 1 of the Regulation, all your Personal Data processed by the Data Controller in a structured format, common and legible use or request its transmission to another Data Controller without hindrance. In this case, it will be your responsibility to provide us with all the exact details of the new Data Controller to whom you intend to transfer your Personal Data, providing us with written authorization.  f. RIGHT OF OPPOSITION Pursuant to Art. 21 co. 2 of the Regulation and as also reiterated by recital 70, you may object, at any time, to the Processing of your Personal Data if these are processed for direct marketing purposes.

G. RIGHT TO MAKE A COMPLAINT TO THE SUPERVISORY AUTHORITY

Without prejudice to your right to appeal in any other administrative or judicial body, if you believe that the Processing of your Personal Data conducted by the Data Controller takes place in violation of the Rules and/or applicable legislation, you may lodge a complaint with the competent Data Protection Authority. To exercise all your rights as identified above, simply contact the Data Controller in the following ways:

H. PLACES OF TREATMENT

Your Personal Data will be processed by the Data Controller within the territory of the European Union.

If for technical and/or operational reasons it is necessary to use subjects located outside the European Union, we inform you now that these subjects will be appointed Data Processors pursuant to and for the effects referred to in art. 28 of the Regulation and the transfer of your Personal Data to such subjects, limited to the performance of specific Processing activities, will be regulated in accordance with the provisions of Chapter V of the Regulation.

All necessary precautions will therefore be taken in order to guarantee the total protection of your Personal Data based on this transfer: a) on adequacy decisions of the recipient third countries expressed by the European Commission; b) adequate guarantees expressed by the third party addressee pursuant to Rule 46 of the Rules of Procedure; c) on the adoption of binding corporate rules, so-so-necessary binding corporate rules; d) adopting standard contractual clauses approved by the European Commission.

In any case, you can request more details from the Data Controller if your Personal Data has been processed outside the European Union requesting evidence of the specific guarantees adopted.