In this document we describe the management of the Website with reference to processing of personal data of the users visiting it.
The information herein is provided, in compliance with Section 13 of the European Regulation 2016/679 (hereinafter GDPR) regarding protection of personal data, to all users of the Galleria Forni sas di Forni Paola & c. internet services accessible through the address www.galleriaforni.com.
The information and data you provide or that can be otherwise obtained while using our services on the web site (hereinafter called “services”) will be subject to processing in compliance with the GDPR rules as well as the privacy commitment inspiring the activity of the Controller.
According to the rules set forth in the GDPR, any processing performed by Galleria Forni sas di Forni Paola & c. will be based on the principles of lawfulness, correctness, transparency, limited finality and preservation, data minimization, precision, integrity and discretion.
The information is provided solely for the www.galleriaforni.com website (hereinafter called “Site”), and not for possible other web sites that may be accessed by the user through any link.
1. CONTROLLER OF PROCESSING
The controller of processing is Galleria Forni sas di Forni Paola & c., 26/F, 40124 Bologna Italy, C.F. IT 00571770379, VAT N° IT 00571770379.
2. PERSONAL DATA SUBJECT TO BEING PROCESSED
Further to visiting our Web site the Controller will process personal data that may consist of identification instruments, like a name, an on-line code, a postal address, an e-mail address, a phone number (both land line and/or mobile) or one or more characteristics regarding the physical, as well as physiological, psychic, economic or social identity, through which the person is or may be identified (hereinafter called “Personal Data”).
In particular, the Personal Data processed through our Web Site, are as follows:
- Web-surfing data
In the course of their normal operation, the computer systems and the software that run the Site acquire some Personal Data, transmission of which is inherent in the use of Internet communication protocols. These data, though not collected in order to be associated with identified interested parties, may by their very nature allow identification of the users by means of processing and association with data held by third parties. This category includes the IP addresses or the domain names of the computers used by the users connecting to the site, the URI (Uniform Resource Identifier) addresses of the requested resources, the time of request, the method used to submit the request to the server, the size of the file obtained in return, the numerical code specifying the status of the reply provided by the server (successful, error, etc.) as well as other parameters regarding the operating system and the user’s IT environment. These data are used for the sole purpose of obtaining anonymous statistical data on the use of the site and to monitor its proper operation, to identify any anomalies and/or misuse, and are cancelled immediately after having been processed. In case of possible cybercrimes against the site or third parties, the data concerned could be used for ascertainment of responsibility. Except for the latter case, the data gathered by the site are eliminated within a short lapse of time.
- Special categories of personal data
Sending by email specific data/demands, like Curriculum Vitae for possible job application, could mean conferral of particular categories of Personal Data as per Art. 9 of the GDPR (namely “(…) personal data disclosing the racial or ethnic origin, political opinions, religious or philosophical beliefs, or pertaining to trade unions, as well as (…) genetic data, biometric data for unequivocal identification of a natural person, data regarding health or sex life or sexual orientation of the person (…)”). You are kindly requested to refrain from providing such data, if not strictly necessary. We should like to point out, moreover, that in case of transmission of such data, but without specific consent to the relevant processing, the Controller cannot be held responsible in any way, nor can he be subject to any claims, as in such case processing is allowed, because it concerns data that have been clearly provided by the person concerned, according to art. 9, subsection 1, letter e) of the GDPR. We anyhow wish to highlight, as already stated above, how important it is to explicitly consent to processing of the special categories of Personal Data, if you intend to share this information with us.
- Data voluntarily provided by the user.
Optional, explicit and voluntary sending of e-mails, that is messages directed to the addresses stated on the site, causes successive acquisition of the sender’s address, needed to answer the message, as well as other possible Personal Data contained in the message. By using the Services offered by the Site it may happen that Personal Data of third parties sent by you to the Controller are submitted to processing. With regards to this hypothesis you are to be considered the autonomous Controller of processing and, in this manner, all the subsequent obligations and responsibilities set forth by law or regulations are on your account. In this connection you hold the Controller fully harmless against any complaint, claim, request for indemnification of damages caused by processing etc, directed against him by third parties whose Personal Data are processed further to your use of the Site functions by violating the applicable rules regarding protection of Personal Data.
In any case, if by using the Site you provide or in any other manner process Personal Data of third parties, you guarantee as of now – by accepting any connected responsibility – that such particular hypothesis of processing is based on a proper legal base ex art. 6 of GDPR, legitimating the processing of the information concerned.
3. PURPOSE OF DATA PROCESSING
Your Personal Data are processed for the following purposes:
- to enable us to provide you with the required services;
- to reply to any inquiries for assistance or information;
- to analyze the CV and possibly contact the candidates that had sent their application;
- to comply with possible mandatory legal, accounting and fiscal requirements.
4. LEGAL BASIS AND MANDATORY OR OPTIONAL NATURE OF PROCESSING
The legal basis for processing Personal Data for the purposes specified in point 3 (i, ii, iii) above is art. 6, par. 1, letter b) of GDPR (that is fulfilment of a contract), as such processing is necessary to provide the Services, as well as to reply to any requests made by the user. Conferral of Personal Data for such purposes is optional, but the possible failure to provide the information would make it impossible to trigger the Services provided by the Site, reply to any questions or evaluate the CV.
The legal base for processing as per point 3.iv is found in art. 6, par. 1, letter c), GDPR and, notably, in fulfilment of a legal obligation. Upon conferral of the Personal Data, such processing is necessary to comply with a legal and/or regulatory obligation the Controller is bound to adhere to.
We hereby inform you that, for the purpose of choosing staff, the Controller, further to evaluating the CV, may analyze professional social profiles freely available on the Internet (such as, for ex., the LinkedIn profiles). The legal basis for such processing is to be found in art. 6, par. 1, letter f), GDPR, namely the legitimate interest of the Controller to check any possible risks regarding the suitability of the candidate to vest the position concerned.
5. RECIPIENTS OF THE PERSONAL DATA
To the purposes as per the above point 3, your Personal Data may be shared with:
- any person operating as controller of data processing, that is: 1) persons, companies or professional practices, providing assistance and consulting services to the Controller in terms of accountancy, administration, legal, tax, financial matters, employment contract or payroll drawing up, etc., regarding delivery of the Services; 2) persons with whom it is necessary to interact for delivery of Services (such as for ex. e-mail providers, hosting providers); 3) or else persons in charge of technical maintenance (including both hardware and software maintenance of the PC, network equipment and electronic communication equipment); (collectively “Recipients”);
- any person, body or authority to whom communication of the Personal Data is mandatory due to legal or regulatory provisions, as well as because of any orders by authorities;
- Persons authorized by the Controller to process the Personal Data required to perform activities connected with providing of the Service, that is the other purposes specified in the above point 3, who had committed themselves to confidentiality or who are bound by law to confidentiality (such as for ex. the staff of the Controller).
6. TRANSFER OF PERSONAL DATA
Personal Data are not subject to being transferred beyond the territory of the European Union.
7. MODALITY OF PROCESSING AND DATA PRESERVATION LIMITS
Processing of your Personal Data is carried out by means of the operations listed in art. 4, par. 2, GDPR that is: collection, registering, organizing, preserving, consulting, processing, modifying, selecting, extracting, comparing, using, interconnecting, blocking, communicating, cancelling and destroying of Data.
Your Personal Data are subject to processing both on paper and electronically and/or automated.
The Personal Data collected for the purposes as per Art. 3 (i and ii) will be preserved solely during the period of time required to achieve such purposes. In any case, as it concerns processing for providing Services, the Controller will process the Personal Data during the period of time set forth by the Italian law to protect his rights and interests (ex art. 2946 and succ. of the Civil Law Code).
As far as CV provided through the website or by e-mail as per Art. 3 iii are concerned, the Personal Data are preserved during a period of time considered as being congruous with respect to the purposes to which these data are acquired.
The personal data processed to the purpose set forth in Art.3.iv will be preserved for the period of time provided by the specific obligation or applicable law.
8. RIGHTS OF THE PERSONS CONCERNED
Pursuant to Article 13, par. 2, letters b) and d), 15, 18, 19 and 21, GDPR the persons concerned are hereby informed that they are entitled to:
- obtaining confirmation of the possible existence of Personal Data concerning them and to receiving same in intelligible form, in the cases provided by Art. 20 GDPR;
- getting information about the origin of the Personal Data, the finality and the manner of processing, the applied logics in case of processing performed by means of electronic instruments;
- obtaining access to, rectification, limitation (in the case as per Art. 18 GDPR) or integration of the data concerning them;
- obtaining cancelling, transforming into anonymous shape or blocking of the data processed by violating the law, including those whose preservation is necessary to the purpose to which the data had been collected or successively processed;
- obtaining data portability;
- oppose entirely or partly:
  - for legitimate reasons, to processing of data concerning them, though being pertinent to the purpose of collection;
  - to processing of personal data concerning them, intended for commercial information or sending of advertising material or for direct selling, as well as for performing market research or commercial communication actions.
You are always entitled, anyhow, to lodge a complaint before the competent Personal Data Protection Authority pursuant to Art. 77 of GDPR, if you believe that processing of your Personal Data be against the ruling law, by adhering to the procedures and indications published on the official web site of the Authority, www.garanteprivacy.it.
9. HOW TO ASSERT THE RIGHTS
You may assert the rights, any time, by sending an e-mail to the address firstname.lastname@example.org