Introduction

Definitions and Legal References

Personal Data (or Data): Any information that, directly or indirectly, in connection with any other information, including a personal identification number, makes a natural person identified or identifiable.

Usage Data: Information collected, including: IP addresses or domain names of the computers used by the User connecting to the Website, URI (Uniform Resource Identifier) addresses, request time, method used in submitting the request to the server, size of the file obtained in response, numerical code indicating the status of the response from the server (successful, error, etc.), country of origin, characteristics of the browser and operating system used by the visitor, various temporal connotations of the visit (e.g., the time spent on each page), and details about the path followed within the Application, with particular reference to the sequence of pages consulted, parameters related to the operating system, and the User's IT environment. Data collected by the Data Controller in any form and means, both in paper and digital format.

Data Subject: The natural person to whom the Personal Data refers.

Data Controller (or Controller): The natural or legal person, public authority, service, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data and the tools adopted, including the security measures related to the operation and use of this Website. The Data Controller, unless otherwise specified, is the owner of this Website.

Service: The service provided by the Data Controller for which this Information is granted, consent is requested, and the data is processed. This Website, as defined in the relevant terms (if present) on this website/application.

European Union (or EU): Unless otherwise specified, any reference to the European Union in this document is intended to include all current member states of the European Union and the European Economic Area.

Legal References: This Privacy Policy is drawn up on the basis of multiple legislative systems: Article 13 of EU Regulation No. 2016/679 (hereinafter, "GDPR"), as well as the amendments introduced by Legislative Decree 30.6.2003 No. 196 as updated by Legislative Decree 101/2018 (hereinafter, "Privacy Code").

With that stated, OFFICINE MALAGUTI SRL informs you that your data will be processed according to the following methods and purposes.

1. Object of Processing

The Data Controller processes personal data, identifying (e.g., name, surname, company name, address, telephone, email address, banking and payment references hereinafter, "personal data" or also "data") communicated by you on the occasion of requests for information, access, and subscription to the Officine Malaguti newsletter, or for the conclusion of contracts for services provided by the Data Controller.

2. Processing Purposes

Your personal data are processed:

a. Without your express consent (Article 6 letters b and e GDPR), for the following Service Purposes. To conclude contracts for the services of the Data Controller; fulfill pre-contractual, contractual, and tax obligations arising from relationships with you; fulfill obligations provided by law, regulations, EU legislation, or an order of the Authority (such as in the field of anti-money laundering), exercise the rights of the Data Controller, such as the right to defense in court;

b. Only with your specific and separate consent (Article 7 GDPR), for Marketing Purposes such as, for example, sending you via email, mail and/or SMS and/or phone contacts, newsletters, commercial communications and/or advertising material on products or services offered by the Data Controller and satisfaction surveys on the quality of services; sending you via email, mail and/or SMS and/or phone contacts, commercial and/or promotional communications. We inform you that if you are already our customer, we may send you commercial communications related to services and products of the Data Controller similar to those you have already used, unless you expressly disagree (Article 130, paragraph 4 of the Privacy Code).

3. Processing Methods

The processing of your personal data is carried out using the operations indicated in Article 4(2) of the GDPR, namely: collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, deletion, and destruction of data. Your personal data is subject to processing both in paper and electronic and/or automated form.

The Data Controller will process personal data for the time necessary to fulfill the purposes described above and, in any case, for no more than 10 years after the termination of the relationship for Service Purposes and for no more than 2 years from the collection of data for Marketing Purposes.

4. Access to Data

Your data may be made accessible for the purposes of Article 2.A) and 2.B) to employees and collaborators of the Data Controller, in their capacity as internal processors and/or system administrators; or to third-party companies or other entities (indicatively, credit institutions, professional firms, consultants, insurance companies for the provision of insurance services, etc.) that carry out outsourcing activities on behalf of the Data Controller, in their capacity as external processors pursuant to Article 28 of the GDPR.

5. Data Disclosure

a. Without the need for express consent (Article 6 letters b and c GDPR), the Data Controller may communicate your data for the purposes previously indicated to supervisory authorities, judicial authorities, insurance companies for the provision of insurance services, consultants, and professionals (Lawyers, Accountants, labor consultant, etc.), as well as to those subjects to whom communication is mandatory by law for the fulfillment of said purposes. These subjects will process the data in their capacity as Processors under Article 28 of the GDPR. Your data will not be disclosed to third parties other than those previously indicated, except in cases where this is necessary by law and/or at the request of the Authority, and in any case, after informing the interested parties.

b. Only with your specific and separate consent (Article 7 GDPR), the Data Controller may communicate your data to third-party companies and/or companies controlled or controlling the Data Controller (as defined by Article 2359 of the Civil Code) for Marketing Purposes and/or for promotional and advertising purposes. For example, but not exclusively, to send you via email, mail and/or SMS and/or phone contacts, newsletters, commercial communications and/or paper advertising material, on products or services offered by the Data Controller and/or for the satisfaction survey on the quality of services; as well as to send you via email, mail and/or SMS and/or propose for phone contact commercial and/or promotional communications.

6. Data Transfer

Personal data is stored on servers located in Italy and, in any case, within the European Union. It is understood, in any case, that the Data Controller, if necessary, has the right to move the servers outside the EU. In this case, the Data Controller ensures from now on that the transfer of data outside the EU will take place in accordance with applicable law, subject to the conclusion of standard contractual clauses provided by the European Commission and any communication to interested parties.

7. Nature of Data Provision and Consequences of Refusing to Respond

The provision of data for the purposes of Article 2.A) is mandatory. In their absence, we cannot guarantee the Services of Article 2.A). The provision of data for the purposes of Article 2.B) is optional. You can therefore decide not to provide any data or to subsequently deny the possibility of processing data already provided: in this case, you will not be able to receive newsletters, commercial communications, and advertising material related to the services offered by the Data Controller. You will continue to have the right to the Services of Article 2.A) and the Data Controller may send you communications regarding services similar to those previously contracted and/or requested by you.

8. Data Subject Rights

As a data subject, you have the rights under Article 15 of the GDPR, namely the following rights.

1. Obtain confirmation of the existence or not of personal data concerning you, even if not yet recorded, and their communication in an intelligible form;

2. Obtain indication: a) of the origin of personal data; b) of the purposes and methods of processing; c) of the logic applied in case of processing carried out with the aid of electronic instruments; d) of the identifying details of the data controller, the processors, and the designated representative under Article 5(2) of the Privacy Code and Article 3(1) of the GDPR; e) of the subjects or categories of subjects to whom personal data may be communicated or who may become aware of it as designated representative in the territory of the State, processors, or appointees;

3. Obtain: a) updating, rectification, or, when interested, integration of data; b) the deletion, transformation into anonymous form, or blocking of data processed in violation of the law, including those for which storage is not necessary in relation to the purposes for which the data was collected or subsequently processed; c) certification that the operations referred to in letters a) and b) have been brought to the attention, including as regards their content, of those to whom the data has been communicated or disseminated, except in the case where such fulfillment is impossible or involves a use of means manifestly disproportionate to the protected right;

4. Object, in whole or in part: a) for legitimate reasons, to the processing of personal data concerning you, even if pertinent to the purpose of collection; b) to the processing of personal data concerning you for the purpose of sending advertising or direct sales material or for carrying out market research or commercial communication, through the use of automated call systems without the intervention of an operator by email and/or through traditional marketing methods by phone and/or paper mail. It is noted that the data subject's right of opposition, as mentioned in the previous point b), for direct marketing purposes using automated methods extends to traditional methods and that in any case the possibility remains for the data subject to exercise the right of opposition only in part. Therefore, the data subject may decide to receive only communications through traditional methods or only automated communications or none of the two types of communication;

5. At any time, you can exercise, in accordance with Articles 15-22 of EU Regulation No. 2016/679, the following rights:

a. ask for confirmation of the existence or not of your personal data;

b. obtain information about the purposes of the processing, the categories of personal data, the recipients or categories of recipients to whom the personal data has been or will be communicated and, if possible, the retention period;

c. obtain rectification and deletion of data;

d. obtain the limitation of processing;

e. obtain data portability, i.e. receive them from a data controller, in a structured, commonly used, and machine-readable format, and transmit them to another data controller without hindrance;

f. oppose processing at any time and also in the case of processing for direct marketing purposes;

g. object to an automated decision-making process relating to individuals, including profiling;

h. ask the data controller for access to personal data and rectification or deletion of the same or limitation of processing concerning him or to object to their processing, in addition to the right to data portability;

i. revoke consent at any time without prejudice to the lawfulness of the processing based on the consent given before the revocation;

j. lodge a complaint with a supervisory authority.

9. Data Subject Information and Contact Information

We inform you below of the contact details to which you can refer for the exercise of your aforementioned rights, or for any necessary information. The Data Controller is OFFICINE MALAGUTI SRL with registered office in Sant'Agata Bolognese (BO), Via XXI Aprile, 1945, No. 60.

You can contact the Data Controller to assert your rights, as provided for in Article 7 of the Code (and related articles) and Chapter III of the Regulation, by sending an email to the address: officine.malaguti@legalmail.it The Data Controller has not appointed a Data Protection Officer.

Sant’Agata Sul Santerno, October 19, 2022

OFFICINE MALAGUTI SRL