Dear Data Subject,
CōDICEDS values deeply the protection of its current and future customers’ data and their privacy. In fact we want our customers to feel totally comfortable when browsing our website www.codiceds.com and to be aware that CōDICEDS as Data Controller regards the respect of Privacy as a primary element of its brand.
The term Personal Data refers to the definition contained in Art. 4(1) of the Regulation, that is “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (or “Personal Data”).
The Regulation stipulates that before any processing of Personal Data occurs – as for the definition of processing stated in Art. 4(2) of the Regulation, “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” (or “the Processing”) – it is necessary that the person who the Personal data belong to is informed on the reasons why these data are requested and how they are going to be used.
Pursuant to Art.13 of the Regulation, the processing by CōDICEDS of your Personal Data will be according to the principles of lawfulness, fairness and transparency, as well in safeguard of your privacy and of your rights.
Based on the above we inform you of the following.
1) Data Controller
The Data Controller – that Art. 4(7) of the Regulation defines as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law” – is CODICEDS di Davighi Leonardo e Porcacchia Sanpaolesi Filippo Maria S.N.C. headquartered in Rome, Italy, Via Napoleone III 6, 00185 (or “The Controller”). Controller’s contact data are: email: firstname.lastname@example.org or email@example.com; PEC: firstname.lastname@example.org;
2) Purpose and legal basis of the Processing
The Processing of your Personal Data – collected at the time of your registration on our website www.codiceds.com or at the time of purchase on the same website – will be carried out for the purposes indicated below. The legal basis for the Processing of Personal Data relevant to each purpose is specified next to each purpose. When consent is indicated as legal basis of the Processing, it is clear that the Controller will process such data for those purposes only after receiving your consent. The legal basis relevant to the performance of a contract does not require any consent and allows the Controller to process Personal Data conferred on the basis of the undertaken contractual obligations (such as selling a product). For what concerns the legitimate interests indicated, they refer to the following cases: a) the Data Subject has already expressed interest for that same product market by purchasing relevant products or services, and the Controller has a specific and justified interest to continue to send the Data Subject communications on products and services similar to those already purchased; b) the Controller has interest in processing the Data Subject’s browsing data for the purpose of allowing the browsing of the website.
Your Personal Data will be processed for the following purposes:
- to manage the procedure of the registration on the website, filling of the online forms sent to request information, send messages and contact the Controller; Legal Basis of the Processing: Performance of the Contract;
- to allow the online purchase of the selected products in accordance with the conditions laid down in the Terms and Conditions; Legal Basis of the Processing: Performance of the Contract;
- to send, for marketing purposes – via email, post, social network, text messages and specific apps – newsletters, special offers, promotions, discounts and event invitations; Legal Basis of the Processing: Consent of Data Subject;
- to profile, through the reading and analysis, via automated decision-making, purchasing behavior using data relevant to your payments, with the objective to improve our commercial offer and present specific promotions and offers as close as possible to your needs and profile, even through market research; Legal Basis of the Processing: Consent of Data Subject;
- to send – exclusively to the email address provided at the time of your registration or during the purchase of a product on the website –promotional messages on products similar to those you have already bought, and only if you have not opposed to this Processing following the indications provided below, as per Art. 130(4) of Italian Legislative Decree 196/2003 and subsequent modifications and integrations – so called soft spam -. Legal Basis of the Processing: Legitimate Interest
- to allow the browsing of the website; Legal Basis of the Processing: Legitimate Interest.
3) Possibility or obligation to bestow Personal Data and consequences of a non bestowal of your data
The bestowal of Personal Data has in no instance an obligatory nature for any of the purposes, nonetheless it is necessary to register your account or to make purchases on the website. The bestowal of data in the fields marked by an asterisk is mandatory as without them it will be impossible to either complete your registration on the website or to purchase a product. At the same time, the conferral of data in the fields not marked by an asterisk is optional as without these data you can still complete the registration or purchasing procedure, although their conferral might facilitate your relationship with us.
4) Recipients or categories of recipients of Persona Data
Your Personal Data might be disclosed to a number of specific entities identified as recipients.
In fact Art. 4(9) of the Regulation defines recipient of a Personal Data “natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not” (or the “Recipients”).
Therefore, the Recipients of your Personal Data relevant to the processing in question, for the above mentioned purposes, might be:
- third party entities to whom the Controller might outsource some activities and whom therefore provide specific instrumental services and in any case related to the processing and the purposes describe above, such as administrative, accounting, fiscal, auditing, credit collection, management of information systems, storage and call center services. These entities carry out data processing on behalf of the Controller and are authorized to do so in their capacity of Data Processors, as indicated in Art. 4(8) and according to the provisions of Art. 28 of the GDPR.
- those inside the Controller’s organization who might need to receive your data to complete their tasks. These subjects are “the persons who, under the direct authority of the Controller or the Processor, are authorized to process personal data”, as per Art. 4(10) of the GDPR (or, Authorized Persons”).
- Entities whose activities are necessary for the performance of the contracts which you are part of, or to respond to specific requests (such as: transport operators, suppliers of goods and services, national subcontractors or operating in the territory of the European Union, companies and institution of the banking, credit and insurance sectors, factoring companies, financial intermediaries, providers of commercial information, letter services companies).
5) Storage Period
6) Your rights
As per Articles from 15 to 22 of the EU Regulation2016/679 you can, at any time, perform your right to:
- obtain confirmation as to whether or not Personal Data concerning the data subject are being processed by the Controller and when that is the case, access to the data and the following information:
- the purpose of the processing
- the categories of data concerned
- recipients or categories of recipients to whom your Personal Data have been or will be disclosed
- the storage criteria and, when possible, timing; (Art.15)
- right to rectification, (Art.16)
- right to erasure, (Art.17);
- right to restriction of processing, (Art,18);
- right to data portability, that is to receive your Personal Data from the Controller in a structured, commonly used and machine-readable format, and share them with another Controller without impediments, (Art.20);
- right to object to the processing of your Personal Data at any time (Art.21). In particular you can object to the processing of your data for the purpose indicated in Art. 21(2)(e) (“soft spam”), by selecting the link unsubscribe at the bottom of each marketing email sent by the Controller. That will prevent the Controller from sending you any communication promoting sales of products similar to those you have already purchased;
- right to object to an automated decision-making, including profiling (Art.22);
- right to withdraw your consent at any time without prejudice to the lawfulness of the Processing based on your consent before the revoke, (Art.7(2));
- right to lodge a complaint to the Data Protection Authority (Art.77), whenever you believe the Processing of your data is contrary to current legislation.
- You can perform your rights by sending a written request to the following email address: email@example.com.
7) Places of Processing
Your Personal Data will be processed by the Controller within the territory of the European Union. Whether for technical or operational reasons it becomes necessary to get support from third parties operating outside of the European Union, we inform you that these entities will be nominated Data Processors as per the provisions of Art.28, and the transfer of your Personal Data to these third party subjects will be limited exclusively to the required processing and regulated in conformity to the provision of Chapter V of the Regulation. Therefore, all necessary measures to guarantee the highest level of protection of your Personal Data will be undertaken, and the transfer of the data will be based on: (a) adequacy decisions of the receiving third countries as expressed by the European Commission; (b) appropriate safeguards provided by the third party subject as per Art.46 of the Regulation; (c) the adoption of binding corporate rules as per Art.47; (d) standard contractual clauses approved by the European Commission. In any event you can ask the Controller for further details should your Personal Data be processed outside of the European Union, demanding evidence of the specific safeguards being adopted.
8) Our Partners’ Privacy Policies
Hosting Provider: Netsons s.r.l. – Contract
Electronic Invoicing: TeamSystem S.p.A. – Privacy
Analytics: Google – Privacy
Analytics: Google SCCs (EU Controller to Processor) – Privacy
Marketing: Mailchimp – Privacy
Marketing: Facebook – Privacy
Marketing: Instagram – Privacy