Privacy Policy – IMALPAL Group

PRIVACY POLICY IMALPAL Group

This privacy policy refers to web site https://www.imalpal.com.it (referred to hereinafter as simply the “site”) only and not to any other websites which the user may have consulted from links present on the site. The policy is based on Recommendation no. 2/2001 dated 17 May 2001, Opinion n° 04/2012 on Cookie Consent Exemption dated 7 June 2012 and the Working Document 02/2013 providing guidance on obtaining consent for cookies dated 2 October 2013 which the European Authorities for personal data protection, as the working group ex art. 29 of Directive no. 95/46/CE, adopted to identify some minimum requirements for the collection of personal data on-line, and, in particular, the modality, times and nature of the information which the Data Controller must provide to Users when consulting the web pages irrespective of the reasons for such consultation.

This policy also applies as an extended policy for customers with respect to the short version which appears in the Data Controller’s forms “We use – through external collaborators as well – your data for administrative and accounting purposes. Detailed information, in relation to access and other rights may be found at www.imalpal.com”.

DATA CONTROLLER

After consulting this site and/or sending any requests to the contacts listed in the various sections, data relating to identified or identifiable persons may be processed. The Data Controllers are, severally and independently, the companies named below:

IMAL S.r.l. in the person of its pro tempore legal representative, with registered office in Via Rosalba Carriera, 63 – 41126 San Damaso (MO) Italy, Tel: +39 059 465500, e-mail: privacy@imal.com

PAL S.r.l. in the person of its pro tempore legal representative, with registered office in Via delle industrie, 6/B – 31047 Ponte di Piave (TV) Italy, Tel: +39 0422 852300, e-mail: privacy@pal.it

GLOBUS S.r.l. in the person of its pro tempore legal representative, with registered office in Viale Fauser, 3 – 28066 Galliate (NO) Italy, Tel: +39 0321 862702, e-mail: privacy@globussrl.it

WHERE THE DATA ARE PROCESSED

The data related to the site’s web service are processed at the above registered offices and are handled by the Data Controllers and the Consulting Company which assists the Data Controllers with site maintenance. The optional, explicit and voluntary transmission of e-mails to the addresses indicated on this website involves the subsequent acquisition of the sender’s address, necessary to respond to the requests as well as any other personal data included in the message.

TYPE OF DATA PROCESSED

Information collected automatically when browsing through the site.

Computer systems, software processes applied in the operation of this web site acquire, through their normal operation, some personal data, the transmission of which is implicit in the use of Internet communication protocols. This is information which is not collected to be associated with those who have been identified as interested, but which by their very nature, could, through processing and associations with data held by third parties, allow the user to be identified, the computer used by the user to connect to the site, the URI (Uniform Resource Identifier) addresses, the time the request was made, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the state of the response from the server (sent successfully, error, etc.) and other parameters related to the operating system and to the User’s computer environment. The following details are collected automatically when you visit the site:

1. Hostname of the User. The hostname or address of the User’s Internet Protocol requesting access to the site.
2. http and https headers and the “user agent” string which includes: type of browser and version used and the operating system with which the browser runs.
3. System date. The date and moment the User visited.
4. Full request. The exact request made by the User.
5. Content length. The consistency, in bytes, of each document sent to the User.
6. Method. Type of request used.
7. Universal Resource Identifier (URI). The collocation of the resources in the server.
8. The request string of the URI, or rather everything that comes after the question mark in the URI.
9. Type of device used to consult the site.
10. Protocol. Transmission protocol and version used.

The information collected by the Data Controller, when accessing the site, is used to improve the quality of the service offered to site users.

Should the processing also involve personal data that fall under the groups of special categories ex art. 9 GDPR (sensitive data, that is data revealing racial or ethnic origin, religious or philosophical beliefs or other kinds, political opinions, members of trade unions, political parties, religious, philosophical, political or trade union associations or organizations, as well as any other personal data revealing the health, or a natural person’s sexual orientation ) or related to criminal convictions and offences (art. 10 GDPR, “Processing of personal data relating to criminal convictions and offences”) processing shall be carried out within the limits indicated by the General Authorizations of the Guarantor, pursuant to Act 196/2003 and UE Regulation 2016/679 and solely for the purposes strictly necessary for the regular performance of the activity, of the operations related to the supply of products/services and the fulfilment of contractual and/or legal/regulation obligations.

The User is invited not to disclose sensitive and judicial data which, being superfluous with respect to the activity carried out by the Data Controller, could lead to the destruction of the message.

Apart from what is specified below for navigation data, the User is free to provide personal data contained in any information request forms. Failure to provide such data may make it impossible to obtain what has been requested. Personal data is also processed using automated methods for the time strictly necessary to achieve the purposes for which they were collected. Specific security measures are taken to prevent data loss, illicit or incorrect use and unauthorized access.

DATA PROVISION

The optional, explicit and voluntary transmission of e-mails to the addresses indicated on this site involves the subsequent acquisition of the sender’s address, necessary to respond to requests, as well as any other personal data included in the message.

Apart from what has been stated for information collected automatically, the User is free to provide personal data contained in the request forms or indicated in the contacts to request the sending of informative material or other communications. It should be noted that the data requested to enable the request to be processed are name, surname, e-mail address, telephone number and subject matter of the request. Failure to provide data may make it impossible to obtain what has been requested.

Within the commercial scope, the provision of data is mandatory for the fulfilment of all related legal and contractual obligations, and failure to provide data may make it impossible to establish or continue the contractual relationship correctly.

PURPOSE OF THE PROCESSING AND LEGAL BASIS

The processing of the data collected by the Data Controllers is carried out in compliance with the rules on confidentiality and protection of personal data in force and with the principles of correctness, lawfulness, transparency, pertinence, completeness and non-excess information; moreover, the personal data collected, automatically or voluntarily by the User, will be processed solely for the purposes indicated below and kept for the period strictly necessary for the same purposes.

CATEGORIES OF RECIPIENTS

The data provided may only be known by employees and collaborators of the Data Controllers that have been specifically authorized to process such data as Persons in Charge and Managers, for the sole purpose of completing the activities requested by the customer/user of the site. These persons are bound to secrecy and confidentiality also on the basis of specific internal regulations.

The persons or categories of persons who, within the scope of the purposes illustrated in this policy, could become aware of the data or to whom they may be communicated are, as they are involved in the organization of the site and in the management of orders, the specifically appointed internal personnel (administrative and technical) and third parties (suppliers of third party technical services, hosting providers, IT companies, consultants, banks, insurance companies for any insured risks, couriers) also appointed, if necessary, as Data Processors by the Data Controllers. In the commercial sphere, the personal data of customers may be communicated to a trusted professional (accountant) on the basis of a legitimate interest of the Data Controllers.

The data may also be communicated to public bodies, police forces or other public and private entities, but exclusively for the purpose of fulfilling legal obligations, regulations or community legislation.

STORAGE DURATION

The data are processed and stored for the time required by the purposes for which they were collected. Therefore:

• Personal data collected for purposes related to the execution of a contract or a pre-contractual request between the Data Controllers and the User/Client will be kept until the complete execution of the contract and also subsequently by legal obligation (e.g. 10 years for invoices) or to protect or enforce or defend a right of the Data Controller.
• When the treatment is based on the User’s consent, the Data Controllers may keep the personal data for longer, until such consent is revoked or until the service is interrupted by the Data Controllers. Furthermore, the Data Controllers may be obliged to keep Personal Data for a longer period in compliance with a legal obligation or by order of an Authority.
• The data processed by law are processed for the entire duration established by the legal regulations applicable to each individual processing.
• The data processed on the basis of a legitimate interest are processed until the interested party expresses his opposition (e.g. sending commercial communications to its customers – Art. 6, comma 1, letter f) of the Regulation (EU) 2016/679 (legitimate interest) and Art. 21 comma 1  Regulation (EU) 2016/679 (opposition).
• The personal data will be deleted when the storage period expires. Therefore, upon expiry of this term, the right of access, cancellation, rectification and the right to data transferability can no longer be exercised.

The Data Controllers will be pleased to provide any further information on the storage period.

RIGHTS OF THE DATA SUBJECT

You may, at any time exercise, without particular formalities, your rights towards the Data Controllers, pursuant to article 15 of the Regulation and those which follow, in particular to obtain confirmation from the Data Controllers of the existence or otherwise of any data processing which concerns you, to know its origin, to request access to personal data, updating, rectification, cancellation or to request the limitation of personal data processed or to object to its processing, to request their transferability. These articles also provide for the right of the party concerned to lodge a complaint with a European Supervisory Authority (in Italy it is the Guarantor for the protection of personal data) or appeal before the Judicial Authority. Requests are to be addressed to the Data Controllers utilizing the form prepared by the Data Controllers.

The above rights may be exercised by those entitled towards all the Data Controllers or towards some of them.