pursuant to art. 13 of EU Regulation no. 679/2016 (EU General Data Protection Regulation "GDPR")
DIRECTA S.I.M.p.A., data controller ("Controller" or "Directa") with registered office in Via Bruno Buozzi, 5 - 10121 Turin, informs you that it uses the personal data in its possession in compliance with the provisions of the GDPR and that such use is based on principles of fairness, lawfulness, transparency and protection of confidentiality of the persons to whom the data refer ("data subject").
1. LAWFULNESS, PURPOSE, LEGAL BASIS OF THE PROCESSING AND NATURE OF THE DATA
Personal data, collected directly from the data subject, or from third parties, are processed by the controller - in accordance with the principle of lawfulness as per Art. 6 letter a) of the GDPR - in the context of its activity for the pursuit of the following purposes:
a) provide the requested services and manage client relations. The provision of the personal data necessary for these purposes is not mandatory, but refusal to provide them makes it impossible to perform what was requested;
b) comply with the requirements of national and EU regulations (e.g. anti-money laundering, tax and fiscal assessments, provision of investment services) as well as with the provisions issued by the Supervisory and Control Bodies. The provision of personal data for these purposes is mandatory and the respective processing does not require consent;
c) send information notices also concerning the Controller's products and services. The provision of data is not mandatory and the Data Subject can decide at any time not to receive these communications by opting for the relative cancellation (for example, "opt out" at the bottom of the e-mail).
With regard to the above, the legal bases for data processing are as follows:
- with regard to letter a), the stipulation and execution of a contract to which the data subject is a party, or the assistance and response to the data subject’s requests;
- with regard to letter b), fulfilment of legal obligations, regulations and orders of the Authorities (in compliance with legal and regulatory obligations such as, for example, those to prevent money laundering and the funding of terrorism, to comply with current regulations on sanctions and embargoes, to combat tax fraud and fulfil tax control and reporting obligations, to respond to an official request from a public or judicial authority in the cases provided for by law);
- with regard to letter c), the legitimate interest of the Controller who intends, for example, to report on the status of the activity, design and manage new products and services, and provide financial information to the Data Subjects.
Directa does not carry out automated processing (including profiling) of the personal data in its possession.
2. PROCESSED DATA
The subject of processing is personal data that generally consist of elements of personal identification collected directly from the data subjects.
The data will remain confidential and will not be disclosed to third parties for purposes other than those listed in paragraph 1.
3. CATEGORY OF SUBJECTS TO WHOM DATA MAY BE COMMUNICATED AND DATA DISSEMINATION
Personal data will not be disseminated, but may be communicated to companies contractually linked to Directa within and outside the European Union, in order to comply with the purpose for which they were collected. The data may be communicated to:
- third party companies and/or companies connected to the Controller;
- responsible subjects appointed by the Controller (for example, consultants and/or financial analysts, professionals, studios or companies in the context of assistance relationships);
- competent authorities with responsibility for fulfilment of any legal obligations and/or provisions of public bodies;
- personnel of the Controller who carry out processing activities as subjects authorized by the Controller.
4. DATA TRANSFER TO A THIRD COUNTRY AND/OR AN INTERNATIONAL ORGANISATION AND GUARANTEES
Directa does not transfer personal data abroad (inside or outside the European Union) on its own initiative, except in certain cases (for example, for a class action) for which the personal data of the clients concerned are communicated to competent foreign authorities as well as to subjects appointed for this purpose by Directa.
In addition, some third-party service providers may have their own servers physically located abroad (as in the case, for example, of server providers). In such cases, the transfer of data abroad will take place exclusively within the scope of and in compliance with current legislation.
5. METHODS OF PROCESSING, DATA STORAGE AND PLACE OF PROCESSING
Personal data are processed automatically and manually, using methods and tools designed to ensure maximum security and confidentiality, by persons specifically mandated in compliance with the provisions of arts. 28 and 29 of the GDPR.
In accordance with the provisions of art. 5, par. 1, letter e) of the GDPR, the personal data of the data subject are stored in a form that allows identification for a period of time not exceeding the achievement of the purposes for which the data were collected and subsequently processed and, in any case, no later than 10 years after termination of the relationship, for compliance with regulatory obligations but not beyond the period set by law for the prescription of rights.
The processing of personal data of which Directa is in possession takes place at the aforementioned premises and is carried out by persons authorised to carry out such processing.
6. RIGHTS OF DATA SUBJECTS
The data subject may exercise his rights as established by the GDPR, by contacting DIRECTA S.I.M.p.A. with registered office in Via Bruno Buozzi, 5 (Turin), directly at the following e-mail address: firstname.lastname@example.org or the Data Protection Officer (DPO) at the following e-mail address: email@example.com; the data subject has the right at any time to:
- obtain from Directa access to personal data and request information regarding the purposes, categories of personal data processed, the recipients to whom the personal data will be communicated (including any recipients in third countries), the period for which personal data will be stored or, where this is not possible, the criteria for their definition, and the existence of an automated decision-making process, including profiling;
- rectify, delete or limit the processing of personal data. If the data subject has given his consent to the processing of personal data concerning him for one or more specific purposes, such consent may be revoked at any time;
- be informed of the existence of appropriate safeguards with regard to the transfer of his data to a third country or an international organisation;
- request the portability of personal data; in this case, Directa will provide the personal data of the data subject, in a commonly used structured format, readable by an automatic device, transmitting them to another data controller, if requested;
- object, for reasons connected to his situation, to the processing of personal data even if such processing is based on the specific needs of the controller. The controller therefore refrains from further processing, unless he proves: 1. the existence of legitimate binding reasons that prevail over those of the data subject, or 2. the existence of an establishment, exercise or defence of a right in court;
- not be subject to a decision based solely on automated processing, including profiling, which produces legal effects or which similarly significantly affects him;
- lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data is in breach of the provisions of the GDPR, without prejudice to any other administrative or judicial recourse.
Via Bruno Buozzi, 5
+39 011 530101