GDPR

PRIVACY POLICY

IN ACCORDANCE WITH ARTICLE 13 OF EU REGULATION 679/2016 "GDPR”

The purpose of this document is to inform the individual (hereinafter “Data Subject”) regarding the processing of their personal data (hereinafter “Personal Data”) collected, used, and managed by the data controller, Baldoni S.r.l., with registered office at 41054 Marano sul Panaro (MO), Via Bernabei, 203, VAT/Tax Code [•], Tel. no. 059.75.20.291, fax 059.7520100, email address: info@baldonisrl.it (hereinafter “Controller”), through the website www.baldonisrl.it (hereinafter “Site”), which provides the user with a showcase of the Controller’s activities as a company specializing in cutting and assembling metal profiles such as iron, stainless steel, aluminum, and other materials.
Changes and updates will be binding as soon as they are published on the Site. In case of non-acceptance of the changes made to the Privacy and Cookie Policy, the Data Subject is required to cease using the Site and may request the Controller to delete their Personal Data (where applicable).

1. CATEGORIES OF PROCESSED PERSONAL DATA.
In the reserved area of the Website, the Data Controller will process the following types of Personal Data:
Navigation and usage data of the Website: such as actions taken, usage patterns, number of clicks, pages visited, etc.
The IT systems of the Website collect some Personal Data, the transmission of which is implicit in the use of Internet communication protocols. These are pieces of information not collected to be associated with the user, but which, by their very nature, could, through processing and association with data held by third parties, allow identification. Among these are IP addresses or domain names of devices used to connect to the Website, URI (Uniform Resource Identifier) addresses of requested resources, the time of the request, the method used in submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.), and other parameters related to the user’s operating system and IT environment.

These data are used to obtain anonymous statistical information about the use of the Website, to control its proper functioning, to allow the correct delivery of various functionalities requested by the user, for security reasons, and to ascertain responsibility in the event of hypothetical computer crimes against the Website or third parties. They are deleted after 7 days.
The Data Subject who communicates Personal Data of third parties to the Data Controller is directly and exclusively responsible for their origin, collection, processing, communication, or dissemination.

2. COOKIE POLICY
The Application uses cookies and other similar technologies to collect the Data Subject’s Personal Data on the pages, links visited, and other actions performed when the Data Subject uses the Application. They are stored to be transmitted during the Data Subject’s subsequent visits. The complete Cookie Policy can be reviewed at the dedicated link.

3. LEGAL BASES AND PURPOSES OF PROCESSING.
The processing of Personal Data is necessary:
a) for the performance of a contract to which the Data Subject is a party or for the performance of pre-contractual measures taken at the Data Subject’s request, more precisely:
The legal bases for the processing for the purposes mentioned in a) above is Article 6.1.b) of the GDPR.
The provision of data for the above purposes is optional, but the failure to provide such data and the refusal to provide it would make it impossible for the Company to execute and/or conclude the contract and provide the services requested by the Data Subject.
b) to comply with a legal obligation to which the data controller is subject;
c) based on the legitimate interest of the Controller (Article 6.1 letter f) GDPR), for:
purposes necessary to ascertain, exercise, or defend a right in court or whenever the judicial authorities exercise their judicial functions;

4. PROCESSING METHODS AND RECIPIENTS OF PERSONAL DATA.
Personal Data may be disclosed to third-party entities appointed as data processors under Article 28 of the GDPR and/or to independent data controllers, especially to banks, companies active in the insurance field, service providers strictly necessary for business activities, or consultants of the company and/or website managers, where necessary for fiscal, administrative, contractual reasons, or for requirements protected by current regulations.
Your personal data or personal data of third parties under your ownership may also be communicated to external companies, identified from time to time, to which the Controller entrusts the execution of obligations arising from the assignment, and only the data necessary for their requested activities will be transmitted to them. All employees, consultants, temporary workers, or any other “natural person” who performs their activities based on the instructions received from the Controller, in accordance with Article 29 of the GDPR, are appointed “Data Processors” (hereinafter also “Processors”). The Controller provides Processors or any designated Data Processors with adequate operational instructions, with particular reference to the adoption and compliance with security measures, to ensure the confidentiality and security of Personal Data. In reference to aspects of personal data protection, the Data Subject is invited, under Article 33 of the GDPR, to report to the Controller any circumstances or events that may result in a potential “personal data breach” to enable an immediate assessment and adoption of any actions to counteract such an event by sending a communication to the Controller at the contact details indicated below.
The Data will not be disclosed.
The Controller remains obliged to communicate the data to Public Authorities upon specific request.
To request the list of external processors, data subjects can send a request to the following email address info@baldonisrl.it.

5. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES (EXTRA EU AND EEA)
The personal data will not be transferred abroad to countries or international organizations outside the European Union that do not ensure an adequate level of protection, recognized under Article 45 of the GDPR, based on a decision of adequacy by the EU Commission. In case it becomes necessary for the provision of the services of the website, the transfer of personal data to countries or international organizations outside the EU, for which the Commission has not adopted any adequacy decision under Article 45 of the GDPR, will take place only in the presence of adequate safeguards provided by the country or organization receiving the data, under Article 46 of the GDPR, and provided that data subjects have actionable rights and effective remedies.
In the absence of a Commission adequacy decision under Article 45 of the GDPR or adequate safeguards under Article 46 of the GDPR, including binding corporate rules, the cross-border transfer will only take place if one of the conditions set out in Article 49 of the GDPR is met.

6. METHODS, TREATMENT LOGICS AND STORAGE TIMES.
Personal data is collected and recorded in a lawful and fair manner for the purposes mentioned above, respecting the principles and provisions of Article 5(1) of the GDPR.
Personal data will be retained for the period necessary to fulfill the purposes for which they were collected, specifically:
• For purposes related to the execution of the contract between the Data Controller and the Data Subject, they will be retained for the entire duration of the contractual relationship and, after termination, for the ordinary prescription period of 10 years. In the case of judicial disputes, for the entire duration of the dispute, until the expiration of the terms for challenging actions.
• For purposes related to the legitimate interest of the Data Controller, they will be retained until the completion of that interest.
• For compliance with a legal obligation, by order of an authority and for legal protection, they will be retained in accordance with the timeframes provided by such obligations and regulations, and in any case until the expiration of the prescription period prescribed by the current laws.
• For purposes based on the Data Subject’s consent, they will be retained until the consent is revoked.
At the end of the retention period, all personal data will be deleted or stored in a form that does not allow the identification of the Data Subject.

7. RIGHTS OF THE INTERESTED PARTY.
In accordance with, within the limits and conditions provided by the legislation on the protection of personal data regarding the exercise of the rights of the Data Subjects concerning the processing covered by this Information, as a Data Subject, you have the right to request confirmation of whether or not there is processing of your personal data, access the personal data concerning you, and in relation to them, you have the right to request their correction, deletion, notification of corrections and deletions to those to whom the data may have been communicated by our organization, the limitation of processing in the cases provided by the law, the portability of personal data – provided by you – in cases indicated by the law, to object to the processing of your data, and specifically, you have the right to object to decisions concerning you if they are based solely on automated processing of your data, including profiling. In case you believe that the processing concerning you violates the provisions of the GDPR, you have the right to lodge a complaint with the supervisory authority, pursuant to Article 77 of the GDPR.
To exercise their rights, Data Subjects can send a request to the following email address: info@baldonisrl.it. The requests will be promptly handled by the Data Controller and processed as quickly as possible, in any case, within 30 days.