Caffè Pavin S.r.l., having its head office in Tombolo (PD) – 35019, Via Chiesa 47
tel: +39 0495969130
Controller's e-mail: firstname.lastname@example.org
website: www.pavincaffe.com
In the person of its legal representative, in the capacity of data controller (hereinafter, “Controller”), informs you that, pursuant to art. 13 and 14 of EU Regulation No. 2016/679 (hereinafter, “GDPR”) and in compliance with Decree-Law No. 196/03 (hereinafter, “Privacy Code” as amended by Decree-Law 101/18), your data will be processed with the following methods and for the following purposes:
1) Subject of the processing
Given the services and products offered by our organization, the Data Controller processes personal, identifying and non-specific data (for example: name, surname, tax code, email, telephone number; hereinafter, “personal data” or “data”) communicated by you when requesting services from our organization and/or when defining contractual agreements and/or promotional initiatives and for the purposes indicated below. For some services, the processing of special data may be necessary, that is, personal data suitable for identifying racial and ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious, philosophical, political or union nature, health condition and sexual life (hereinafter, “special data”). For some legislative requirements, judicial data may become necessary.
2) Purpose and legal basis of the processing
Your personal data is processed:
A) Without your express consent, because deriving from legal and/or contractual obligations or referring to legitimate interests (Privacy Code and art. 6 – GDPR), for the following purposes:
- Managing and maintaining the services requested by the interested party and finding the interested party for the organization of the services requested;
- Fulfilling the pre-contractual, contractual and fiscal obligations deriving from existing relationships with you;
- Fulfilling the obligations provided for by the law, a regulation, EU legislation or an order by the Authorities, including for accounting and tax matters;
- Preventing or detecting fraudulent activities or harmful abuses and/or for the purposes envisaged by the current legislation on money laundering.
- Compulsory obligations deriving from organizational and managerial model requirements based on specific recognized standards (for example ISO, UNI standards, etc) required by law and/or specific contractual requirements requested by the interested party and/or explained as a service requirement.
- Exercising the rights of the Controller, for example the right to defend itself in court.
- Availability of the interested party for information concerning the requested services and their management;
- Allowing to register to the services and allowing sending useful information to the interested party for the requested services;
- For legitimate interest referring to commercial communication updates on the initiatives of our organization.
Regarding the data collected by the website
- Allowing registration to the website
- Allowing you to answer your questions in the contract “form”;
- Managing and maintaining the website;
- Preventing or discovering fraudulent activities or malicious abuse of the website. For needs related to operation and maintenance, the website and any third-party services it uses may collect system logs, which are files that record interactions and that may also contain Personal Data, such as the User's IP address.
- For legitimate interest referring to communications (including commercial) updating on our organization’s initiatives and/or deriving from applicable legislative requirements
B) Only with your specific and separate consent (art. 7 GDPR and as per Decree-Law 196/03), for the following Purposes
B.1 Processing of data to improve services and not necessary to carry out the operations indicated in point 2A, but aimed at improving the services requested, and in any case always obtained directly from the interested party. Fulfilments for the development of the processes and services required by the management systems and implemented organizational models, but not mandatory and not related to specific standards. The data will be used to expedite subsequent requests for our organization’s services
B.2 Marketing and/or commercial: Sending you newsletters, commercial communications and/or advertising material on products or services offered by the organization. We inform you that if you are already a customer of ours, we may send you commercial communications relating to services and products similar to those you have already received, unless you have objected to it (Privacy Code). Sending informative, promotional, advertising, marketing material,
For other purposes it will be the Controller’s responsibility to define specific information and related consent needs and/or treatment additions.
This statement does not include any processing by other parties that can be reached through any links on our site and for which reference should be made to the specific statement.
3) Method and duration of the treatment
The processing of your personal data is carried out using the operations indicated in Decree-Law 196/03 and art. 4 No. 2) GDPR and more precisely: data collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction. Your personal data is processed both on paper and electronically as well as automatically.
The Data Controller will process the personal data for the time necessary to fulfil the aforementioned purposes and in any case for longer than 10 years from the termination of the relationship for the Aims referred to in point 2.A (except for other legislative requirements). For the purposes referred to in point 2B, instead, it will treat the data until the revocation of the consent or 5 years after the interruption of the relations/communications with the interested party from first collection.
Profiling: no data profiling is performed
4) Access to data
You can have access to your data at any time by making a simple request to the addresses listed in this statement.
5) Data communication
Your data may be made accessible and/or communicated for the purposes referred to in art. 2.A) and 2.B):
Without prejudice to communications and disclosures made in compliance with legal obligations, the Data Controller may communicate your data, in Italy and/or abroad (as indicated in the following points) to:
- employees and collaborators of the Data Controller, in their capacity as appointees and/or data processors and/or system administrators;
- technicians and/or collaborators for administrative, fiscal and accounting management purposes and/or to fulfil specific legal obligations or for which external suppliers have been identified.
- our network of agents; factoring companies; credit institutions; debt collection companies; credit insurance companies; commercial information companies for the services requested; professionals and consultants; companies operating in the transport sector; technicians and collaborators appointed to provide the services/products requested, Supervisory Bodies, judicial authorities and all other subjects to whom the communication is mandatory by law for the fulfilment of the said purposes. Legal entities entrusted with services referred to in this statement.
- companies or other legal entities, qualified and appointed pursuant to art. 28 of Regulation 679/16, for support activities including: communication management and development, management and development of corporate processes and projects, communication and promotion systems, for the storage of personal data. Access may be granted to third parties and related companies, which provide services deemed necessary and/or useful by the Controller for the management of the company and the related support processes or requested by you. IT system maintenance companies, credit institutions, professional firms, companies that provide services on computer systems/platforms which the Data Controller deems useful, companies that carry out outsourced activities on behalf of the Data Controller, in their capacity as external processors, are included in the suppliers.
- It may be necessary to disclose data to recipients for legislative obligations and/or deriving from the Controller’s organizational structures that involve the presence of independent subjects with the possibility of being data recipients to fulfil the legislative obligations deriving from the role covered. Among these recipients we could identify supervisory bodies, third-party inspectors, people who carry out audits of our organization, subjects and/or entities that carry out checks at our organization.
6) Data transfer
The management and storage of personal data will take place on servers located within the European Union of the Data Controller and/or of third-party companies duly appointed as Data Processors. Currently our internal servers are located in Europe. The data will not be transferred outside the European Union. In any case, it is understood that the Controller, if necessary, will have the right to move the location of the servers to non-EU countries. In this case, the Data Controller now ensures that the extra-EU data transfer will take place in compliance with the applicable legal provisions, stipulating, if necessary, agreements that guarantee an adequate level of protection and/or adopting the standard contractual clauses provided for by the European Commission. For some mailing or “storage” services we rely on “cloud” platforms, which can have servers in non-EU countries, but the data is only temporarily stored for the requested service.
7) Mandatory or optional nature of providing data and consequences of the refusal to answer
The provision of data for the purposes referred to in art. 2.A) is mandatory. In its absence, we could not guarantee the services referred to in point 2.A). The provision of data for the purposes referred to in point 2.B) is instead optional.
You can therefore decide not to provide any data or subsequently deny the possibility of processing data already supplied: in this case, you may not receive commercial communications and advertising material relating to the Services offered by the Controller. In any case, you will continue to be entitled to the Services referred to in art. 2.A).
8) Rights of the interested party
In your capacity as interested party, you have the rights referred to in Decree-Law 196/03 and art. 15-22 GDPR and precisely the rights to:
A) Obtain confirmation as to whether personal data are being held on you or not, including data not yet recorded, and ask for a copy of them in intelligible form;
B) Obtain: the source of personal data; the purposes of processing and the processing practices employed; the logic applied in the event of processing carried out by electronic means; the details of the data controller, the data managers or processors and the designated representative in accordance with article 3, paragraph 1 of the GDPR; the parties or categories of parties that personal data may be communicated to or the parties that may otherwise gain knowledge of the data during the course of their activities as designated representatives in the country, or as those in charge of data processing or their delegates;
C) Obtain: the updating, correction or integration of the data; the deletion, transformation into anonymous format or blocking of data processed against the law, including data which it is not necessary to store in relation to the purposes for which it was collected or subsequently processed; the certification that the operations as per art. 8.A) and B) were brought to the knowledge, also in terms of content, of those to whom the data was communicated or disclosed, unless this is impossible or implies the use of means clearly disproportionate to the protected right;
D) Oppose, in whole or in part: for legitimate reasons, the processing of personal data concerning you, even if pertinent to the purpose of collection; to the processing of personal data concerning you for the purpose of sending advertising materials or for direct sales or for carrying out market research or commercial communication, through the use of automated call systems without the intervention of an operator by email and/or through traditional marketing methods by telephone and/or mail. Please note that the interested party’s right of objection, set out in the previous point B), for direct marketing purposes through automated methods extends to the traditional ones and that the possibility for the interested party to exercise the right of opposition even partially also remains valid. Therefore, the interested party can decide to receive only communications using traditional methods or only automated communications or neither of the two types of communication.
Where applicable, he/she also has the rights set out in Articles 16-21 GDPR (Right of correction, right to be forgotten, right to limitation of processing, right to data portability, right to object), as well as the right to complain to the Privacy Authority.
9) How data subjects can exercise their rights
Subjects can exercise their rights at any time by sending:
- A registered letter with acknowledgement of receipt to: Caffè Pavin S.r.l., having its head office in Tombolo (PD)
- An email to email@example.com
The Controller’s services are not intended for children under 14 years and the Controller does not intentionally collect personal information referring to minors. In the event that information on minors is unintentionally recorded, the Controller will delete it in a timely manner, on the users’ request. For any needs regarding the processing of minors, specific consent and authorization will be requested from the person exercising parental authority and/or from the holder of parental responsibility (as envisaged by Article 8 of Regulation 679/16).
11) Owner, manager and appointees
The data Controller is Caffè Pavin S.r.l. – in the person of its pro-tempore legal representative. The Controller is available at the above addresses. The updated list of data processors and data managers is kept at the data Controller’s offices.
12) Data Protection Officer
The Data Protection Officer (D.P.O.) is not applicable to our organization.
13) Changes to this Statement
This statement may be subject to change. We therefore recommend that you regularly check this statement and refer to the most up-to-date version.
Cookies consist of portions of code installed in the browser that assist the Owner in providing the Service according to the purposes described. Some of the purposes for which Cookies are installed may also require the User’s consent.
Where the installation of Cookies is based on consent, such consent can be freely withdrawn at any time following the instructions provided in this document.
Technical Cookies and Cookies serving aggregated statistical purposes
Activity strictly necessary for the functioning of the Service
Activity regarding the saving of preferences, optimization, and statistics
Other types of Cookies or third parties that install Cookies
Some of the services listed below collect statistics in an anonymized and aggregated form and may not require the consent of the User or may be managed directly by the Owner – depending on how they are described – without the help of third parties.
This privacy statement has been prepared based on provisions of multiple legislations, including Art. 13/14 of Regulation (EU) 2016/679 (General Data Protection Regulation).