Updated to EU Reg. 2016/679
(European Regulation on personal data protection)
When provided for by Reg. EU 2016/679, consent by the user will be requested before his data are processed. If the user provides third party personal data, he must make sure that communication of data to Sacchettificio Toscano Srl and later processing for the purposes specified in the privacy information notice comply with Reg. EU 2016/679 and applicable regulations.
2) Type of data processed
Visiting and consulting the Website do not normally involve collection and processing of personal data of the user, except for navigation data and cookies as in the specified Cookies Policy. Besides so-called “navigation data” (see below), personal data voluntarily provided by the user when interacting with the Website functions or asking to make use of the services offered on the Website may be collected. In compliance with the Privacy Code, Sacchettificio Toscano Srl may also collect the user’s personal data from third parties when performing its business.
3) Preservation of personal data
The personal data are kept and processed through information systems belonging to Sacchettificio Toscano Srl and managed by Sacchettificio Toscano Srl or by third party providers of technical services; a list of Third Party Processors is freely available from the company. The data are processed exclusively by specifically authorised staff, including staff assigned to perform extraordinary maintenance operations.
4) Purposes and methods of data processing
Sacchettificio Toscano Srl may process common and sensitive data of the user for the following purposes: use by the user of services and functions present on the Website, handling requests and communications by the users, delivery of newsletters, handling job applications through the Website, etc. Also, and with further and specific optional consent from the user, Sacchettificio Toscano Srl may process personal data for marketing purposes, that is to send the user promotional material and/or commercial communications relevant to Company services, at the addresses given by the user, both with traditional methods and/or means of contact (such as paper mail, phone calls with an operator, etc.) and automatic (such as internet, fax, email, sms, applications for mobile devices such as smartphones and tablet – so-called APPS – social network accounts – e.g. Facebook or Twitter – phone calls with automatic operator, etc.).
Personal data are processed both on paper and electronically and fed into the company information system in full compliance with Reg. EU 2016/679, including the security and confidentiality profiles, and drawing inspiration from principles of correctness and lawfulness in processing. In compliance with Reg. EU 2016/679, the data are kept and preserved for 5 years unless otherwise required by other regulations.
5) Security and quality of personal data
Sacchettificio Toscano Srl engages to protect the security of the user’s personal data and complies with the security requirements laid down in the applicable regulations in order to prevent loss of data, illegitimate or illicit use of the data and unauthorised access to the data, with special reference to the Technical Specification on minimum safety measures. Also, the information systems and IT programmes used by Sacchettificio Toscano Srl are configured so as to cut down to a minimum the use of personal and identifying data; such data are processed only to achieve specific purposes as decided from time to time. Sacchettificio Toscano Srl uses numerous advanced security technologies and procedures to protect users’ personal data; for example, the data are kept on secure servers in places with protected and controlled access. The user can help Sacchettificio Toscano Srl update and keep his personal data correct, by notifying any change in his address, qualifications, contact information, etc.
6) Scope of communication and of access to the data
The user’s personal data may be communicated to:
all those individuals entitled by law to access such data;
our collaborators, employees, in the context of their relevant task;
all those individuals and/or legal entities, public and/or private, when communication is necessary or functional to the performance of our business and in the manner and for the purposes illustrated above.
7) Nature of provision of personal data
Provision of certain personal data by the user is obligatory to allow the Company to manage communications, requests coming from the user or to contact the user again in order to follow up his request. Providing this kind of data is obligatory to allow the Company to follow up a request which otherwise could not be answered. On the contrary, collection of other data is optional: failure to provide them will not have any consequence on the user.
The provision of personal data by the user for purposes of marketing, as specified in the section on “Purpose and method of processing”, is optional and failure to provide them will not have any consequence. Consent provided for marketing purposes is also understood to cover the delivery of communications sent using methods and/or means of contact, both automatic and traditional, as specified above.
8) Rights of the data subject
8.1 Art. 15 (right of access), 16 (right to rectification) of Reg. EU 2016/679
The data subject has the right to obtain from the Data Controller confirmation whether personal data concerning him is being processed or not, and, in such case, to obtain access to the personal data and to the following information:
a) Purpose of the processing;
b) The categories of personal data involved;
c) The addressees or categories of addressees to whom the personal data has been or may be communicated, especially if the addressees belong to third countries or international organisations;
d) The period of retention of the personal data or, if this should not be possible, the criteria used to establish such a period;
e) The existence of the right of the data subject to ask from the data controller rectification or erasure of personal data or restriction of processing of the personal data concerning him or to object to their processing;
f) The right to lodge a complaint with the authority for the protection of personal data;
h) The existence of an automatic decision-making process, including profiling and, at least in such cases, significant information concerning the logic used, as well as the importance and expected consequences of such processing for the data subject.
8.2 Right under Art. 17 of Reg. EU 2016/679 – right to erasure («right to be forgotten»)
The data subject has the right to obtain erasure of personal data without unjustified delay and the data controller has the obligation to erase without unjustified delay the personal data, if the following conditions exist:
a) the personal data are no longer necessary for the purposes for which they had been collected or otherwise processed;
b) the data subject recalls the consent on which the processing was based in compliance with Art. 6 (1.a) or Art. 9 (2.a), and if there is no other legal ground for the processing;
c) the data subject objects to the processing, pursuant to Art. 21 (1), and there is no legitimate prevailing reason to carry out the processing, or else objects to processing pursuant to Art. 21 (2);
d) the personal data have been processed illicitly;
e) the personal data must be erased in order to fulfil a legal obligation laid down by the law of the Union or member Country to which the data controller belongs;
f) the personal data which have been collected concern the offer of information society services under Art. 8 (1) of Reg. EU 2016/679.
8.3 Right under Art. 18 Right to limitation of processing
The data subject has the right to obtain from the data controller the limitation of processing in any of the following cases:
a) the data subject denies the exactness of the personal data, for the period necessary for the data controller to check the exactness of such personal data;
b) processing is illicit and the data subject objects to erasure of the personal data and demands instead that their use be limited;
c) even though the data controller no longer needs them for purposes of processing, the personal data are still necessary for the data subject to ascertain, exercise or defend a right in court;
d) the data subject has objected to the processing pursuant to Art. 21 (1) Reg. EU 2016/679, while awaiting verification of the prevalence of the legitimate reasons of the data controller compared to those of the data subject.
8.4 Right under Art. 20 Right to data portability
The data subject has the right to receive, in a structured, commonly used and machine-readable format, the personal data concerning him which he has provided to a data controller, and has the right to transmit such data to another data controller without any hindrance by the data controller.
9) Recall of consent to processing
The data subject has the right to recall consent to processing of his personal data, by return registered mail to the following address: Sacchettificio Toscano Srl Via della Costituzione 1, 3, 5 – 50050 Cerreto Guidi Fraz. Stabbia (FI) together with a photocopy of his identity document, with the following text:
“Recall of consent to processing all of my personal data”. At the end of this operation, your personal data will be removed from the files in the shortest possible time.
If you desire further information concerning the processing of your personal data, or to exercise your rights under item 7 above, you may write by return registered mail to the following address: Sacchettificio Toscano Srl Via della Costituzione 1, 3, 5 – 50050 Cerreto Guidi Fraz. Stabbia (FI). Before providing you with or changing any information, it may be necessary to ascertain your identity by having you answer some questions. A reply will be given as soon as possible.