Sede legale in Diecimo loc. Renaccio snc
55023 Borgo a Mozzano (LU)
CF e P. IVA 00249040460
Privacy Information related to the website www.mondialcarta.it on the processing of personal data in accordance with EU GDPR Regulation no. 2016/679 and current national legislation on data protection
Privacy Information related to the website www.mondialcarta.it on the processing of personal data in accordance with EU GDP Regulation no. 2016/679 and current national legislation on data protection
Introduction This “privacy notice” describes the “processing of personal data” of users carried out by Mondialcarta S.p.A. through the web pages: www.mondialcarta.it. By “processing of personal data,” we mean any operation or set of operations, whether or not by automated means, applied to personal data or sets of personal data, even if not recorded in a database, including collection, recording, organization, structuring, storage, processing, selection, blocking, adaptation, modification, extraction, consultation, use, communication by transmission, dissemination, or any other form of making available, comparison, or interconnection, limitation, erasure, or destruction. Mondialcarta S.p.A. recognizes the importance of protecting personal data and considers their protection one of the main objectives of its activities. Therefore, in accordance with Articles 13/14 of the European Regulation 679/2016 on the protection and processing of personal data, as well as the free circulation of such data and the repeal of Directive 95/46/EC (General Data Protection Regulation), users are invited to carefully read the following information as it contains important details about the protection of personal data and the security measures taken to ensure data confidentiality. This information is included on the website www.mondialcarta.it to provide information to interested users about the use of data held by the Data Controller.
In accordance with current national and European Union data protection legislation (including the General EU Data Protection Regulation 2016/679 hereinafter referred to as “GDPR”), the Data Controller for personal data is Mondialcarta S.p.A. with registered office at Diecimo loc. Renaccio snc 55023 Borgo a Mozzano (LU) CF and VAT Number 00249040460, email address: email@example.com and PEC (Certified Email): firstname.lastname@example.org
General Principles Applied to Processing
Based on Article 5 of the European Regulation 679/2016 on the protection and processing of personal data, data is processed lawfully, fairly, and transparently with respect to the data subject (“lawfulness, fairness, and transparency”); collected for specified, explicit, and legitimate purposes, adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”).
Types and Collection of Processed Data The personal data processed by the Data Controller are those provided directly by the User when placing an order and those collected during internet
Purposes of Processing
The Data Controller may process the User’s personal data for one or more of the following purposes, based on the legal basis described below:
- Establishment and execution of contractual relations and related obligations
Legal basis for processing: Fulfilment of contractual obligations to which the User is a party and compliance with legal obligations related to the contract.
The Data Controller may process the User’s personal data for the purpose of establishing and executing contractual relationships and, therefore, to conclude and execute the purchase contract of products offered on the website www.mondialcarta.it, to fulfil pre-contractual and contractual obligations, and to provide the requested services.
The Data Controller may as well use contact details, particularly the User’s email, to provide the User with information about the service. Providing data is a necessary requirement for managing the contractual relationship, and failure to provide it would prevent any negotiation between the user and Mondialcarta spa.
- Sending periodic newsletters
Legal basis for processing: Fulfilment of contractual obligations to allow the User to receive newsletters. The Data Controller may also process contact data to send periodic newsletters to the User by email, containing news and insights on various products and topics of interest, if the User explicitly requests it by subscribing to the related information service on the website.
Providing data is mandatory to manage the contractual relationship; otherwise, the User cannot subscribe to and receive the newsletter.
Sending communications for the promotion of products and services similar to those previously purchased, in compliance with Article 130, paragraph 4, of the Privacy Code (Legislative Decree no. 196/2003, as amended by Legislative Decree no. 101/2018)
Legal basis for processing: Lawful interest of the Data Controller in maintaining an effective contractual relationship with the User.
The Data Controller may process contact data, specifically email addresses, for promotional purposes related to products and services similar to those purchased by the User.
Regarding the use of the email address provided by the Data Subject at the time of contract conclusion, the Data Controller may process contact data to send (without the need for specific consent, as provided for in Article 130, paragraph 4, of the Privacy Code) informational and advertising material related exclusively to products and/or services similar to those already used.
- Defense of rights in judicial, administrative, or extrajudicial proceedings, or in disputes pertaining to the services offered
Legal basis for processing: Lawful interest of the Data Controller in protecting its rights.
Contact and payment data may be processed by the Data Controller to defend its rights, take action, or assert claims against the User or third parties.
Providing data for this purpose is compulsory because, without it, the Data Controller would be unable to defend its rights.
- Execution of promotional, advertising, and marketing activities in a broad sense
Personal data provided by the user may also be processed by the Data Controller for commercial promotion, advertising communication, solicitation for purchase behaviour, market research, surveys (including telephone, online, or form-based surveys), statistical processing (in an identifiable form), other marketing sampling research (including prize events, games, and contests) through automated contact methods (email, SMS, MMS, chat, instant messaging, social networks, and other mass messaging tools, push notifications, etc.) and traditional contact methods (e.g., telephone calls with operators).
Legal basis for processing: Consent.
To proceed with processing for promotional, advertising, and marketing activities in a broad sense, specific, expressed, documented, and entirely optional consent is mandatory. The failure to provide consent will not have any consequences on contractual relationships. Consent can be revoked at any time.
e) Processing of personal data for commercial profiling purposes
For marketing and service improvement purposes, the Data Controller may also carry out
“profiling” of so-called personal data, processing contact data, other personal data, website usage data, and other data regarding the User’s interests through their statistical processing, to create an individual profile of the User and send them commercial communications in line with their preferences, based on the use of data obtained from the services offered.
Legal basis for processing: Consent.
To proceed with processing for profiling purposes, specific, expressed, documented, and entirely optional consent is mandatory.
Lack of consent will not have any consequences on contractual relationships.
Consent can be revoked at any time.
Processing Methods: The processing will be carried out in an automated and/or manual manner, using paper-based, computerized, telematic, or other telecommunication systems, in compliance with Article 32 of the GDP 2016/679 regarding security measures. It will be performed by specifically authorized personnel and in accordance with what is provided in Article 29 of GDPR
Retention Period of Personal Data: The data controller will retain the user’s personal data only for the time necessary to achieve the purposes for which they were collected or for any other legitimate related purpose. Therefore, if personal data are processed for two different purposes, they will be retained until the purpose with the longer retention period ceases, and personal data will no longer be processed for the purpose whose retention period has expired. The data controller will limit access to personal data only to those who need to use them for relevant purposes. Personal data that are no longer necessary or for which there is no longer a legal basis for retention will be irreversibly anonymized (and thus may be retained) or securely destroyed.
Below are the retention periods for the different purposes listed above:
- Establishment and execution of contractual relationships and related obligations: Data processed to fulfil any contractual obligation may be retained for the entire duration of the contract and in any case not beyond the subsequent 10 years, for the purpose of verifying any outstanding matters, including accounting documents (e.g., invoices).
- Operational management and purposes strictly connected to access to the website, especially to reserved areas: Data processed for this purpose may be retained for the entire duration of the contract and in any case not beyond the subsequent 10 years from the last website access.
- Sending periodic newsletters: Data processed for this purpose may be retained for the entire duration of the relationship and in any case not beyond the subsequent 2 years from the last purchase.
- Purposes related to obligations established by laws, regulations, or EU legislation, by provisions/requests of authorities authorized by law, and/or by supervisory and control bodies: In such cases, the data controller will retain the data for the time strictly necessary to achieve these purposes.
- Analysis and improvement of services – customer satisfaction: Data processed for this purpose may be retained for 24 months from the last purchase.
- Sending communications for the promotion of products and services similar to those previously purchased (in accordance with the limits allowed by Article 130, paragraph 4 of the Privacy Code (Legislative Decree no. 196/2003, as amended by Legislative Decree 101/2018)): Data processed for the purpose of promoting similar services or products may be retained for 24 months from the date of the previous purchase.
- Defense of rights in judicial, administrative, or extrajudicial proceedings and in disputes arising in relation to the services offered: In such cases, the data controller will process and retain the data for the time strictly necessary to achieve these purposes.
- Marketing to meet the needs of the User and profiled marketing to provide promotional offers also in line with the User’s preferences: Data processed for these purposes may be retained for 24 months from the last purchase.
- Execution on behalf of third parties of marketing activities for products and services of companies within the Group and also of third parties: Data processed for marketing purposes may be retained for 24 months from the date of collection.
Recipients of the Data
The data are processed by personnel duly trained by Mondialcarta S.p.A. as the data controller and will not be disclosed. For organizational and functional needs, personal data may also be shared, for the purposes mentioned above in point no. 7 and its subordinates, with subjects acting as external data processors or independent data controllers.
These subjects have been evaluated and selected by the data controller for their proven reliability and competence and belong to the following categories: a companies and professionals used by the data controller for consultancy or assistance in carrying out its business activities, including lawyers, auditors, tax and labour consultants, individuals, companies, professional firms providing accounting and administrative consulting services, auditors, surveillance bodies, supervisory bodies, certification bodies, freight forwarders, IT and internet security service providers, IT and technical maintenance service providers (including network equipment maintenance);
- any contractors or subcontractors of the data controller for the execution of contractual activities;
- public bodies or legal authorities if required by applicable regulations or at the request of the authority itself;
- other possible third parties if considered necessary to carry out all or part of the contractual and administrative-accounting activities of the relationship. The updated and detailed list of Data Processors involved in the contractual relationship with the User can be obtained by contacting the Data Controller at the contact details previously indicated, namely: Mondialcarta S.p.A. VAT and tax code 00249040460, email address: email@example.com, PEC: firstname.lastname@example.org Personal data may also be transmitted to the police forces and judicial and administrative authorities, in accordance with the law, for the detection and prosecution of crimes, the prevention and protection against threats to public security, to enable the data controller to establish, exercise, or defend a right in court, as well as for other reasons related to the protection of the rights and freedoms of others. Upon obtaining additional, separate, additional, documented, explicit, and entirely optional informed consent, personal data may also be disclosed to commercial partners who intend to process personal data for their distinct and additional promotional, advertising, and marketing purposes in the broadest sense, as previously indicated in point 7.8.1.
Transfer of Personal Data to Non-European Union Countries: Unless otherwise indicated, the recipients will not have their registered office outside the European Community or in any case in
countries not complying with EU regulations. The data will not be transferred or processed outside the European Community or another place considered not adequate under EU regulations. Any transfers of this kind will be duly notified to the data subject with the related instrument used to guarantee the rights and freedoms of the data subject. In any case, the transfer of personal data to countries that do not belong to the European Union and that do not ensure adequate protection levels will only be carried out after the conclusion of specific agreements between the data controller and the third party recipient of the data, containing safeguard clauses and appropriate guarantees for the protection of personal data.
Security Measures: The data controller protects personal data with specific technical and organizational security measures aimed at preventing their illegitimate or fraudulent use. In particular, the data controller uses security measures that ensure:
- Pseudonymization or encryption of personal data;
- Confidentiality, integrity, availability of the data, as well as the resilience of the systems and services processing them;
- The ability to restore data in the event of a data breach.
Rights of the Data Subject: In accordance with Article 7 of the Privacy Code and Articles 13(2)(b) and (d), 15, 18, 19, and 21 of the GDPR, it is informed that the Data Subject has the following rights:
- The right to ask Mondialcarta S.p.A. as the data controller for access to personal data, their correction or deletion, or the limitation of processing concerning them or to object to their processing, in cases provided for;
- The right to lodge a complaint as a Data Subject with the Garante for the Protection of Personal Data, following the procedures and instructions published on the official website of the Authority at www.garanteprivacy.it;
Any corrections or deletions or limitations of processing made at the request of the Data Subject – unless this proves impossible or involves a disproportionate effort – will be communicated by the Data Controller to each of the recipients to whom the personal data have been transmitted. The Data Controller may also inform the Data Subject of these recipients if the Data Subject so requests. In particular, the Data Subject may:
1st) obtain confirmation of the existence or otherwise of personal data concerning them, even if not yet registered, and their communication in an intelligible form; 2nd) obtain information: a) on the origin of personal data;
- the purposes and methods of processing;
- the logic applied in case of processing carried out with the aid of electronic instruments;
- the identifying details of the data controller, data processors, and the designated representative under Article 5(2) of the Privacy Code and Article 3(1) of the GDPR;
- the subjects or categories of subjects to whom personal data may be communicated or who may become aware of them as designated representative in the territory of the State, data processors, or persons in charge;
a) updating, rectification, or, when interested, integration of data; b) the deletion, transformation into anonymous form, or blocking of data processed unlawfully, including data that does not need to be kept for the purposes for which it was collected or subsequently processed; c) the attestation that the operations referred to in letters a) and b) have been brought to the attention, also as regards their content, of those to whom the data have been communicated or disseminated, except in the case where this proves impossible or involves a use of means manifestly disproportionate to the protected right; 4th) object, in whole or in part: a) for legitimate reasons, to the processing of personal data concerning them, even if pertinent to the purpose of collection; b) to the processing of personal data concerning them for the purpose of sending advertising or direct sales material or for carrying out market research or commercial communication, through the use of automated call systems without the intervention of an operator via e-mail and/or through traditional marketing methods via telephone and/or paper mail. It is noted that the Data Subject’s right to object, as set out in the preceding point b), for direct marketing purposes using automated methods extends to traditional methods, and in any case, the Data Subject has the possibility to exercise the right to object in part. Therefore, the Data Subject may decide to receive only communications using traditional methods or only automated communications, or none of the two types of communication.
Exercise of Data Subject Rights: The exercise of the rights is not subject to any form constraints and is free of charge. The rights listed above can be exercised by sending the relevant written communication to one of the following PEC (certified email) addresses:
- email@example.com, PEC
- firstname.lastname@example.org or, alternatively, by sending a registered letter with acknowledgment of receipt to the following address: Mondialcarta Sp. A., Diecimo loc.
Renaccio snc 55023 Borgo a Mozzano (LU)
Modifications to this Privacy Notice: The constant evolution of the services of the Data Controller may result in changes to the characteristics of the processing of personal data described so far.
Consequently, this privacy notice may undergo changes and additions over time, which may also be necessary with reference to new legislative interventions on the processing of personal data.
Therefore, Users are invited to periodically check its contents. Where possible, prompt notice will be given of any changes made and their consequences. The updated version of the privacy notice will be published on the website, with an indication of the date of its last update.
Legislative References: The processing of personal data is carried out by Mondialcarta S.p.A. in full compliance with the regulations provided for by Regulation (EU) 2016/679, the General Data Protection Regulation, Italian regulations on the processing of personal data, and the provisions of the Italian supervisory authority (http://www.garanteprivacy.it).
If you have any specific questions or need further clarification on any part of this translation, please feel free to ask.