Articles 13 and 14, EU Regulation 2016/679 (GDPR)
Identification of the “Data Controller”
The data controller is the company KLONDIKE SRL (Tax Code and VAT number 11496400968), in the person of its pro-tempore legal representative, with registered office in Milan, Viale Sarca 336/F Telephone (+39) 02 – 37901352; E-mail email@example.com; PEC certified email firstname.lastname@example.org
(hereinafter the “Company” or the “Holder“)
Object and Methods of Processing:
The Company undertakes to protect the privacy and rights of the data subject, and the processing of the data provided will be based on principles of accuracy, lawfulness and transparency.
The data controller processes the personally identifiable data provided by the data subject.
The processing of personal data is carried out on the basis of the operations indicated in Article 4, no. 2), GDPR and precisely: collection, also through the use of electronic and automated tools; recording for specific, explicit and legitimate purposes and use in further processing operations, however, compatible with these purposes; organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of data.
The data will be processed in compliance with the requirements for security and confidentiality and will be subject to both paper and electronic and/or automated processing.
The Data Controller will process personal data for the time necessary to fulfill the above purposes, taking care to keep them, however, within the limits specified below.
Purposes of the processing of personal data:
The data is collected and processed here:
a) without express consent (see Art. 6 GDPR), for the following Service purposes:
• To conclude contracts for the services of the Data Controller;
• To fulfil pre-contractual, contractual and fiscal obligations arising from existing relations with the data subject;
• To fulfil obligations provided for by law, regulation, Community legislation or an order of the Authority;
• To prevent or detect fraudulent activities or abuse harmful to the website;
• To exercise the rights of the Data Controller, for example the right to defense in court.
b) only after specific and separate consent (see art. 7 GDPR), for the following marketing purposes:
• To send by e-mail, mail and/or sms and/or telephone contacts, newsletters, commercial communications and/or advertising material on products or services offered by the Data Controller and to survey the degree of satisfaction with the quality of the services offered, pointing out that, if the data subject is already our customer, we may send commercial communications relating to services and products of the Data Controller similar to those from which the data subject has already benefited, unless otherwise opposed (see art. 21 GDPR);
• send by e-mail, mail and/or sms and/or telephone contacts, commercial and/or promotional communications of third parties (for example: business partners, insurance companies, etc.);
Details on the processing for “Marketing Purposes” and “Profiling”
For the benefit of the data subject, the following should be noted:
A. The personal data collected will also be processed for the purposes of commercial promotion, advertising communication, solicitation of purchasing behavior, market research, surveys (also by telephone, online or using forms), statistical processing (in identifiable form), other sample marketing research in the broadest sense of the products and/or services relating to the Company (hereinafter referred to as “Processing for Marketing Purposes“) both through “generic” marketing and “profiling”, i.e. consequent to “profiling activities” (see definition “Profiling” – art. 4.4 “Definitions”: “any form of automated processing of personal data consisting in the use of such data to evaluate certain personal aspects relating to a natural person […]”) and consisting in the collection of data relating, for example, to the customer’s personal data, his or her postal and e-mail address, his or her profession, preferences with respect to the commercial information he or she wishes to receive, the registration of his or her purchases and the creation and offer of targeted marketing partners, personalized services and additional benefits for all those who will be registered in Customer Relationship Management (CRM);
B. For maximum transparency aimed at the provision of informed consent by the data subject, we specify that the registration to the site, to be understood also as a condition for downloading the version (DEMO) of KLONDIKE, must be understood as aimed at receiving promotional or advertising communications from the Data Controller and, therefore, the use of the data of the data subject also for Marketing Purposes and possible “Profiling” where given specific consent, also in the latter sense. Consequently, the user who intends to register must necessarily give his or her consent to the processing of data by the data controller for the above mentioned “Marketing Purposes”.
C. If you do not wish to give your consent to the “Processing for Marketing Purposes” you shall not (nor shall you be able to) register or download the (DEMO) version of klondike. You may browse and view the contents of the Site as an unregistered user.
D. Access to and navigation of the site are free, but the possibility of receiving marketing communications is allowed only after registration of the data subject. The registration process consists of filling in an online form in which it is required to indicate certain personal data for the activation of authentication credentials (login + password) with which the data subject will access all the functions reserved for registered users to manage the receipt of marketing communications and related changes (including revocation or modification of consent). Therefore, further primary purposes of the processing are represented by the need to allow the completion of the required procedures of prior online registration and the creation of an account as well as to allow the site managers the generation and subsequent technical and administrative management (including for the purposes of providing support and technical assistance on request) of the account, Client IDs, activation codes, passwords and similar authentication credentials as created by the data subject during the registration process.
E. By giving consent to the “Processing for Marketing Purposes” and “Profiling” the data subject specifically acknowledges the promotional, commercial and marketing purposes in the broad sense of the processing (including the consequent management and administrative activities) and expressly authorizes such processing both by telephone with operator or by other non-electronic, non-telematic means or those not supported by automatic mechanisms and/or procedures, electronic or telematic, or by e-mail, fax, sms, mms, automatic systems without operator intervention and similar, including electronic platforms and other telematic means, and – finally – pursuant to art. 6, paragraph 1, letter (a) of the GDPR. Providing, therefore, optional consent, the data subject specifically acknowledges and authorizes such processing and/or processing that pursues similar purposes.
F. In any case, even if the data subject has given his or her consent, he or she will be free at any time to revoke it, changing the settings of the consents in the dedicated area by prior verification received by email. Following receipt of this opt-out request, the Data Controller will promptly remove and delete the data from the databases used for “Processing for Marketing Purposes” and “Profiling” and will inform any third parties to whom the data has been communicated for the same purposes of cancellation.
G. If the indication of the data subject’s telephone number is required for the purposes illustrated above, and the data subject has given optional and specific consent (which also covers the processing of such personal data) for the purposes of commercial promotion, marketing and profiling illustrated above, the Data Controller informs the data subject that it may legally process telephone users for marketing and profiling purposes even if they are registered in the Public Register of Oppositions, as they are processed from sources other than public telephone directories and covered by specific consent, except for the right to object after processing if consent is formally revoked.
H. We inform you specifically and separately, as required by art. 21 of GDPR, that you have the right to object at any time to the processing of personal data concerning you carried out for such purposes and that if you object to the processing for direct marketing and profiling purposes, your personal data may no longer be processed for such purposes.
I. The Data Controller informs the data subject that the data may also be communicated to third party business partners. Consent to the “Processing for Marketing Purposes” and “Profiling” – where given by the data subject – does not also cover the different and further marketing processing represented by the communication of data to third parties for the same purposes. In order to proceed with such external communication, it is mandatory to obtain further, separate, additional, documented, express and completely optional informed consent from the data subject.
J. Personal data that is subject to “Processing for Marketing Purposes” will not be disclosed. The personal data subject to “Profiling” will not be disclosed to third parties or disseminated.
Possible recipients and/or categories of recipients of personal data
Personal data may be communicated: to employees and/or collaborators of KLONDIKE SRL who, in turn, may process it always in full compliance with the principles governing the processing itself and within the limits and for the purposes already indicated. The data may also be communicated to professional companies / firms that provide assistance, advice or collaboration to the Data Controller, in accounting, administrative, fiscal, legal, tax and financial matters, to Public Administrations for the performance of institutional functions within the limits established by law or regulations and to third party service providers to whom the communication is necessary for the performance of the services covered by the contract. Personal data will not be disclosed. Furthermore, without the need for express consent, the Data Controller may communicate the data of the data subject for the purposes set out in letter A) of the above-mentioned paragraph entitled “Purposes of the processing of personal data”, to Supervisory Bodies, Judicial Authorities, and all other subjects to whom communication is required by law for the fulfilment of the aforementioned purposes.
Possible data transfer:
The management and storage of personal data will take place on servers located within the European Union of the Data Controller and/or third party companies appointed and duly named as Data Processors. Currently the reference provider is Aruba, whose servers are located within the European Community. The data will not be transferred outside the European Union. In any case, it is understood that the Data Controller, if necessary, will have the right to move the location of the servers in Italy and/or the European Union and/or non-EU countries. The Data Controller assures from now on that the transfer of data outside the EU will take place in compliance with the applicable legal provisions by stipulating, if necessary, agreements that guarantee an adequate level of protection and/or by adopting the standard contractual clauses provided by the European Commission.
Period of retention of personal data:
Personal data will be kept for the period strictly necessary to pursue the purposes underlying their processing and/or until the withdrawal of specific consent by the data subject. In any case, the data will be kept for no longer than 10 (ten) years from the termination of the service and/or product supply relationship.
Rights of the data subject:
In accordance with the provisions of the GDPR, the data subject may exercise the following rights:
• ask the data controller for access to personal data in order to be able to confirm whether or not personal data concerning him/her is being processed and, if so, to obtain all the necessary information in accordance with GDPR Article 15 “Data subject’s right of access”;
• ask the data controller to rectify inaccurate personal data concerning him/her as well as to complete any incomplete data in accordance with Article 16 “The right to rectification”;
• ask the data controller to delete the personal data concerning him/her in the event that the data is no longer necessary for the purposes for which it was collected or otherwise processed (letter A); the data subject has revoked his/her consent or there is no legal basis for processing (letter B); the data subject has objected to the processing pursuant to art. 21, paragraphs 1 or 2, and there are no prevailing reasons for processing (letter c); the processing is unlawful (letter d); the deletion of the data constitutes fulfilment of the legal obligation to which the data controller is subject (letter e); where the hypothesis provided for in Article 8, paragraph 1 (letter f) exists, all – in any case – in accordance with what is better provided for and regulated by GDPR Article 17 “The right to deletion” (the “right to be forgotten”);
• to obtain from the controller the restriction of processing when: the data subject contests the accuracy of the personal data (in this case within the limits of the time necessary to verify the accuracy of such data – letter a); in the event of unlawful processing, the data subject opposes – however – the deletion of the data requesting, instead, that the use of the data be limited (letter b); regardless of the fact that the data controller no longer needs the data for the purposes of the processing itself, the data subject needs to keep the data for purposes of verification, exercise or defense in court (letter c); the data subject opposes the processing ex art. 21, paragraph 1, pending verification of whether the legitimate reasons of the data controller take precedence over those of the data subject (letter d), all in accordance – in any event – with what is better provided for and regulated in GDPR Article 18 “The right to the limitation of processing”;
• at any time, on grounds relating to his or her particular situation, object to the processing of personal data concerning him or her pursuant to Article 6(1)(e) or (f), including profiling on the basis of those provisions, in addition to processing of data for marketing purposes including, in this case, profiling in so far as it is related to such direct marketing. All this, in any case, in accordance with what is best provided for and regulated in GDPR Article 21 “The right to object”;
• obtain data portability as best provided for and regulated in Article 20 “The right to data portability”;
• at any time, revoke his or her consent to the processing of data without prejudice to the lawfulness of the processing based on consent before the revocation. All of this, in any case, in accordance with the best provided for and governed by Article 7 “Conditions for consent”’;
• lodge a complaint with a supervisory authority responsible for monitoring the application of the GDPR in order to protect the fundamental rights and freedoms of individuals with regard to the processing of personal data. All of this, in any case, as best provided for and regulated by Articles 51 et seq. ‘Supervisory Authority’.
Optional communication of personal data
The user is free to provide their personal data, with the knowledge that failure to provide said data will make it impossible to obtain the requested service.
Exercise of rights by the data subject:
The data subject may exercise his/her rights by writing to the e-mail address email@example.com or by writing to the following address: KLONDIKE SRL (Tax Code and VAT No. 11496400968), in the person of the pro-tempore legal representative, with registered office in Milan, Viale Sarca 336/F
Data Controller and data processors:
The identification details of the company responsible for data processing are as follows:
KLONDIKE SRL (Tax Code and VAT No. 11496400968), in the person of its pro-tempore legal representative, with registered office in Milan, Viale Sarca 336/F, Telephone (+39) 02 – 37901352; E-mail firstname.lastname@example.org; PEC certified email email@example.com