Privacy information notice pursuant to art. 13 of European Regulation 679/2016
Dear Sir, Dear Madam,
USCO S.p.A. - VAT ID No.: 01893120368 - with registered office in Modena (MO), Via delle Nazioni no. 65, in the person of the interim legal representative, as controller of the data processing (hereinafter “Controller”), wishes to inform you that, pursuant to art. 13 of EU Regulation no. 679/2016 (hereinafter also the "GDPR"), it needs to process the personal data you provided when signing the Agreement and/or Sales Order for the supply of goods or when receiving the goods (e.g. through a transport document or CMR note), in compliance with current regulations, as specified more clearly below.
1. Purpose of the Processing and categories of data processed:
The Controller processes the personal identification data collected from you when signing the Agreement and/or Sales Order for the supply of goods (through the e-commerce section of the USCO S.p.A. website) or upon receipt of the goods (e.g. through a transport document or CMR note). By way of example, these data may include personal details (e.g. name, surname, address, tax code, identity card of the legal representative of the client company and/or any representatives thereof), contact information (such as phone numbers or email addresses) or financial information (e.g. bank account details).
The Controller does not knowingly collect personal data from persons under 18 years of age.
2. Purpose and legal basis of the processing and the consequences of the failure to communicate the data
Your data are processed lawfully and in accordance with propriety for the purposes described below.
A. The need to complete the Agreement or perform pre-contractual activities at your request.
This need provides the legal basis legitimising the subsequent processing, as the Controller needs to perform all the preliminary activities required to meet your request to purchase goods (e.g. by means of an agreement or sales order, etc.) and those relating to carrying out the consequent contractual obligations, including the resolution of any problems subsequent to the purchase and the fulfilment of administrative and accounting duties (including, by way of example, billing, filing and credit recovery - also implemented through invoicing, credit insurance, credit transfer, etc.).
The provision of the necessary data for such purposes is, in each case, a contractual obligation or necessary requirement for the conclusion of the Agreement. If the data are not provided, the Controller may be unable to establish the contractual relationship or implement the Agreement.
B. Need to fulfil legal requirements.
The Controller is obliged to fulfil the legal, accounting, fiscal, administrative and contractual obligations related to the provision of the services requested, as well as to properly manage relations with authorities, control bodies and third-party public bodies for purposes related to particular requests, the fulfilment of legal obligations or other procedures.
Provision of the data necessary for these purposes is a legal obligation. In the event of failure to provide them, the Controller may be unable to complete the agreement and could be required to issue reports to the competent authorities under the given circumstances.
C. Legitimate interest.
The Controller also needs to process your personal data in order to prepare specific protection measures against credit risk, including verification of the Customer’s identity and financial reliability.
The Controller’s legitimate interests also extend to the processing of your personal data as part of audit and control activities, whether conducted internally by USCO S.p.A. or by third parties.
In these cases, the processing is based on the Controller’s legitimate interests and is therefore necessary in order to respond to your requests.
D. Business promotion, sales, improvement of products and services and market research (direct marketing).
Entirely subject to your specific and clear consent (art. 7 GDPR), which you are free to grant or withhold, these activities are designed to:
D.1. allow the Controller to conduct market research and analysis aimed at determining the level of customer satisfaction with the quality and type of services provided and initiatives for improvement of the services provided, as well as to send you promotional material and/or communications and information of a commercial and direct marketing nature on new products on sale and new services offered by the Controller or by third parties (including other USCO Group S.p.A. companies), as well as related offers for discounts and any other promotional and loyalty initiative reserved to you, by means of conventional contact systems (printed mail or operator calls);
D.2. allow the Controller to conduct market research and analysis aimed at determining the level of customer satisfaction with the quality and type of services provided and initiatives for improvement of the services provided, as well as to send you promotional material and/or communications and information of a commercial and direct marketing nature on new products on sale and new services offered by the Controller or by third parties (including other USCO Group S.p.A. companies), as well as related offers for discounts and any other promotional and loyalty initiative reserved to you, with the use of automated calling systems or call communication systems without operator intervention, or by email and/or SMS (Short message Service).
The processing of data for the above purposes (both "D.1." and "D.2.") is permitted in relation to the free circulation of data as provided for in the GDPR and may be implemented in activities designed to meet the legitimate commercial interests of the Controller, including commercial development activities carried out by the latter.
The provision of data for these purposes is optional. You can therefore decide not to provide any information or revoke consent to the processing of data already provided: if this case, you will not receive commercial communications and promotional material regarding the services offered by the Controller.
E. Provision of "tailored" products and services and processing of information regarding preferences, habits and consumption choices (profiling).
Entirely subject to your specific and clear consent (art. 7 GDPR), which you are free to grant or withhold, the Controller may need to process information about preferences, habits and consumption choices aimed at dividing stakeholders into homogeneous groups based on behaviours or characteristics (profiling), also through the use of advanced techniques or algorithms and computer systems and through data enrichment in order to develop, promote and provide "tailored” services from the Controller or from third parties [also including other companies in any way associated with USCO S.p.A. (parent, subsidiaries and/or affiliate companies)].
The provision of data for these purposes is optional. You can therefore decide not to provide any information or revoke consent to the processing of data already provided: in this case, you will not receive dedicated commercial communications.
3. Methods of data processing:
The processing of your data is carried out by means of the operations indicated in art. 4 no. 2) GDPR and namely: collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction of the data.
Your data may be processed on paper means as well as using electronic and/or automated means.
The data acquired will be processed in full compliance with the law, as well as with the principles of lawfulness, propriety, transparency, moderation and protection of your privacy and rights.
4. Data storage period:
The Controller retains the data in compliance with local laws and internal corporate policies and procedures for the time necessary to fulfil the aforementioned purposes and to satisfy their own legitimate business interests and legal obligations or to establish, exercise or defend legal rights. Once the need to retain the data for these purposes is finished, the data will be eliminated in a secure manner. For more information on the retention of documents, see the <USCO S.p.A..> personal data retention policy on the website: www.usco.it
5. Categories of personal data recipients:
Your data may be disclosed for the purposes described above:
- to the Controller’s employees and collaborators in Italy or abroad, in their capacity as data processors and/or sub-processors, namely persons authorised to process personal data in accordance with the GDPR, and/or persons provided with specific functions and tasks pursuant to art. 2 quaterdecies of Legislative Decree no. 196/2003;
- to other companies connected in any way (parent, subsidiaries and/or affiliate companies) with USCO S.p.A. in Italy or abroad and to their employees and associates, where appropriate (for example, for administrative and accounting purposes);
- to other companies or entities (merely by way of example, banks, financial intermediaries, credit insurance institutions, professional firms, consultants, travel agencies for the organization of trips - booking flights, trains, overnight stays - etc.) that perform outsourced activities on behalf of the Controller in their capacity as external data processors, including suppliers or persons appointed to provide services which are accessory or instrumental to the purposes indicated above, with whom the Controller signs special agreements.
The Controller also reserves the right to make personal data accessible to certain third parties, including: IT providers for system development and technical assistance purposes; auditors and consultants to ensure compliance with internal and external requirements; legal entities, law enforcement agencies and stakeholders, in accordance with legal obligations regarding disclosure or claims; any successors or business partners of the Controller or of companies associated with them (parent companies, subsidiaries and/or affiliates) in the case of sale, transfer or other extraordinary transactions, also including other companies engaged by the Controller in the above transactions for various purposes, where appropriate; police forces, armed forces and other public administrations, for the fulfilment of legal obligations, regulations or EU legislation.
If these parties are based in non-EU Countries, the Controller shall ensure that the transfer of data outside of the EU is done in accordance with the applicable legal provisions, subject to drafting of the standard contractual clauses required by the European Commission, as specified in the article below.
6. Data Transfer:
The data are stored on servers and storage devices within the European Union. It is in any case understood that, should the need arise, the Controller may also transfer the data to countries outside the European Union or the European Economic Area recognised by the European Commission that guarantee an adequate level of protection of the personal data or, otherwise, only if a level of personal data protection compared with that of the European Union is contractually guaranteed and the rights of the data subjects are ensured. In this event, the Controller hereby assures that data shall be transferred to non-EU Countries in compliance with applicable law provisions, subject to the standard contractual clauses to be stipulated as provided by the European Commission.
The Controller shall implement all necessary protection measures in the aforementioned transfers pursuant to the current legislation on privacy.
7. Rights of the data subject:
In your capacity as data subject, you have rights under Articles 13, paragraph 2 (b), (c) and (d), 15, 16, 17, 18, 19 and 21 of the GDPR (where compatible in relation to each data processing relevant for the purposes of the GDPR) and specifically the rights to:
˗ obtain confirmation on the existence or non-existence of your personal data, even if not yet recorded, and to receive communication thereof in an intelligible form;
˗ obtain information about: a) the source of the data (if they have not been obtained from the data subject); b) the purposes and methods of the processing, as well as its legal basis; c) the methods and criteria applied for data processing using electronic means; d) the identification details of the Controller, the data processors, the data protection officer and any representative appointed pursuant to art. 13, paragraph 1 of the GDPR; e) the persons or categories of persons to whom the data may be communicated, or who could gain knowledge of them as data processors or appointed representatives within the territory of the State;
˗ obtain: a) the updating, the correction or, when of interest, the integration of data; b) the deletion, conversion to an anonymous form or blocking of the information processed in violation of the law, there including any data that do not need to be stored in relation to the purposes for which they were collected or processed at a later date; c) a statement certifying that the operations provided for under letters a) and b) have been made known, including their content, to the persons whom the data were communicated or divulged, except in the event that such certification is impossible or involves the use of means that are clearly non-proportional with respect to the protected right;
˗ oppose, in whole or in part, for legitimate reasons, to the processing of your personal data, even if they pertain to the scope of data collection;
˗ where applicable, you also have the rights referred to in Articles 16-21 of the GDPR (the right of rectification, right to be forgotten, right of limitation of treatment, right to data portability, right of opposition), as well as the right of complaint to the Data Protection Authority (the contact details of the Data Protection Authority can be found on the website www.garanteprivacy.it);
˗ revoke the consent you have given at any time, it being understood that the non-availability of certain categories of data will prevent the company from managing the contractual relationship.
8. How to exercise your rights:
You may at any time exercise your rights or make a request by sending: a registered letter with return receipt to USCO S.p.A. - VAT ID No.: 01893120368 - with registered office in 41122 Modena (MO), Via delle Nazioni no. 65, in the person of the interim legal representative, or an e-mail to the address: firstname.lastname@example.org.
The deadline for the reply is one month. This period may be extended by two months in particularly complex cases: where this occurs, the Controller shall send a notification regarding the reasons for the extension within one month.
The Controller has the right to request information necessary for the identification of the applicant.
In general terms, the exercise of these rights is free, except in cases of manifestly unfounded or excessive demands, for which the Controller may reserve the right to require the data subject to make a reasonable expense contribution based on the administrative costs involved.
9. Controller and Data processors:
The Controller is USCO S.p.A. - VAT ID No.: 01893120368 - with registered office in 41122 Modena (MO), Via delle Nazioni no. 65, in the person of the interim legal representative.
The updated list of the categories of data processors is kept at the Controller’s main office.