Privacy Policy

Information pursuant to Art. 13 of EU Regulation No. 2016/679 of 27 April 2019 and compliance for GDPR / CCPA.

This information is provided pursuant to and for the purposes of art. 13 of the EU Regulation no. 2016/679 of 27 April 2016 (hereinafter also "GDPR") and of Legislative Decree June 30, 2003, n. 196 containing the "Code regarding personal data" as amended by Legislative Decree 10 August 2018, n. 101, containing "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of individuals with regard to the processing of personal data, as well as free circulation of such data and repealing Directive 95/46 / EC (general regulation on data protection)".
Specifically, Gritti Group S.p.A. with registered office in Via Zanica 6 / F, 24050, Grassobbio, Bergamo, (the "Company") wishes to inform you that, in implementation of the obligations deriving from the GDPR, it is required to provide some information regarding the methods and purposes of data processing personal, which the same may come into possession following the consultation and use of the website by the user.

DATA CONTROLLER AND DATA PROCESSOR

The Data Controller is the person who determines the purposes for which and the manner in which personal data are to be processed (the "Data Controller") and is identified in Gritti Group S.p.A.
The Data Controller may be contacted at the address Via Zanica 6/F, 24050, Grassobbio, Bergamo, or by e-mail at the following address: privacy@grittigroup.com
Personal data may be processed on behalf of the Data Controller by another person appointed by the Data Controller, the "Data Processor".
If you require more information on the updated list of our Data Processors, you may send a written request to the Data Controller address mentioned above.

MODALITIES TO COLLECT DATA FROM THE DATA SUBJECT

The Data Controller may acquire your personal data under the following circumstances:

• if you contact us through our website, by email or phone, to require information about our services and products;
• if you buy a product and/or a service carried out by our Company, including pre-contractual negotiations;
• if you provide your data to receive direct marketing communications, newsletters and/or to be updated on the events organised and the marketing initiatives carried out by the Company;
• if the commercial partners of the Data Processor transfer to the Controller your personal data lawfully;
• if the Data Controller acquires your personal data from other sources in accordance with the applicable laws and the requirements under Art. 14 of the GDPR (i.e. public registers, directories, acts or documents available to whoever within the limits and under the conditions provided by law on their knowability).

CATEGORIES OF DATA SUBJECT TO PROCESSING

Data processed by Data Controller may include:
Contact details - information concerning name, address, phone number, email address;
Other personal data - information that you provide us, necessary for the correct and complete management of you requests;
Data concerning the contractual relationship - customer/supplier number, purchase order/contract number;
Use of the company's website: information concerning the modalities in which you use our company's website, including the information collected through the use of cookies and other profiling technologies
Information on the purchase of a product or service and support - information concerning purchase, customer care and technical support, including complaints;
Pictures - pictures of you collected through photos and/or videos realised during events organised by the Company.

PURPOSES AND LEGAL BASIS OF THE PROCESSING

Within the meaning of the Privacy Policy, the processing of personal data must be legitimised by one of the legal provisions provided by art 6 of the GDPR. These are specifically described for each purpose under which the Data Controller processes your data:

• Provide the customer the information requested: to fulfill your requests (for example require an estimate and/or services and products offered by the Company) the Data Controller collect your data (i.e. "Contact details" and "Other personal data") through its own channels in order to respond your requests or they are received from other commercial partners to carry out the same activities.
  Legal basis: processing is necessary for the performance of a contract in order to take steps at your request prior to entering into a contract (art. 6 par. 1 letter b of the GDPR).
  Data storage policy: the data provided under your request will be stored for a maximum period of three years. The data that we collect only for an estimate will be stored for a maximum period of five years
• Management of the contractual relationship: the Data Controller shall process your "Contact details" to fulfil the preliminary requirements for the conclusion of the contract as well as "Other personal data", "Data concerning the contractual relationship" and "information on the purchase of a product or service and support' for the execution of the contract. Also, your data may be used to carry out the administrative, fiscal and accounting activities related to the outstanding relationship.
  Legal basis: processing is necessary for the performance of your contract (art. 6 par. 1 letter b of the GDPR).
  Data storage policy: the processed data to fulfill any pre-contractual and contractual obligation with you may be stored for the whole duration of the contract and for the subsequent ten years from the end of the fiscal year following the year in question, in order to deal with any tax assessment and/or dispute.
• Fulfilment of the legally binding obligations: the Data Controller processes your "Contact details" and "Data concerning the contractual relationship" to perform any contractual obligation deriving from the outstanding relationship, as well as any other obligation provided by law, a regulation, the European legislation or by an order of the Authorities.
  Legal basis: processing is necessary for the performance of your contract (art. 6 par. 1 letter b of the GDPR).
  Data storage policy: the processed data to fulfill any pre-contractual and contractual obligation with you may be stored for the whole duration of the contract and for the subsequent ten years from the end of the fiscal year following the year in question, in order to deal with any tax assessment and/or dispute.
• Defend the case for the Data Controller's rights: if necessary, the Data Controller will provide all the information dealing with you ("Contact details" and "Data concerning the contractual relationship") to the Authorities and the bodies responsible for the enforcement of law, regulations and judicial documents, as well as to third parties into formal dispute. The Data Controller reserves the right to process your personal data to defend his or her rights deriving from the Contract before a judge.
  Legal basis: processing is necessary for the purposes of the legitimate interest pursued by the controller, in order to defend a right or make further demands on the outstanding contractual relationship, except where such interests are overridden by the interests or fundamental rights (art. 6 par. 1 letter f of the GDPR).
  Data storage policy: your data may be stored for the necessary period of time in order to allow the Company to take actions or defend against eventual claims towards you or third parties.
• Customer loyalty and marketing activities: the controller collects the personal data such as "Contact details". "Other personal data" and "Use of the company's website", and shall use the "Information on the purchase of a product or service and support" received from you, also retrieved from the controller's website to contact you for commercial offers (generic or responding to your preferences) or to invite you to promotional events, as well as to carry out market research and customer satisfaction surveys.
  Legal basis: you have given your consent as data subject of the processing (art. 6 par. 1 letter a of the GDPR). You can withdraw consent to the abovementioned processing at any time.
  Data storage policy: the personal data processed for marketing purposes may be stored for twenty-four months or ten years from the acquisition date of your last consent for this purpose, according to whether you are a potential or retained customer of the Company respectively (unless you withdraw consent to receive further communications).
• Direct marketing activities: to promote the activities carried out by the controller on his or her website, social medias or other means of communication. During promotional events, the Controller shall collect personal data pertaining to you, without any compensation, in order to promote the core business of the Company by sharing your image on any means of communication, on the company's website, on social medias (for instance Facebook) or in the local, national or international newspapers as well as on any other means (existing or to be invented in the future).
  Legal basis: you have given your consent as data subject of the processing (art. 6 par. 1 letter a of the GDPR). You can withdraw consent to the abovementioned processing at any time.
  Data storage policy: data concerning your image will be stored in the controller's database for twenty-four months. Then, they will be erased, except where they have been shared on the internet, social medias or commercial brochures. You can withdraw consent to the abovementioned processing at any time.
  If the Controller intend to process your data for other purposes than those mentioned above, he or she is required to inform you of these other purposes before performing it.

NATURE OF CONSENT TO DATA PROCESSING

Consent to data processing for letter a), b), c), d) purposes is compulsory since it is required to perform legal and contractual obligations. Any refusal or successive withdrawal may determine the inability for the Controller to fulfil the outstanding contractual relationship.
Instead, consent to data processing for letter e) and f) is optional and the failure to give consent to the processing to those data will determine the inability to carry out the abovementioned activities.

MODALITIES TO PROCESS PERSONAL DATA

Processing will be carried out by the Company in compliance with the security measures under art. 32 of the GDPR, through manual, information system and computerised tools specifically designed to store, manage and transmit them to pursue only the purposes for which the data were collected and, in any case, to guarantee their security and confidentiality, as well as in full compliance with the principles of fairness, lawfulness and transparency.
No automated tools are used by the Controller to process data.

COMMUNICATION OF DATA

Access may be granted to:

• Controller's employees and associates and/or system administrators;
• External third parties carrying out on behalf of the controller outsourcing activities for purposes dealing with support, administrative, accounting, fiscal areas or for purposes related to supply relationship or legal protection;
• Supervisory bodies, judicial authorities and all other subjects which by law require such communication in order to achieve these purposes.

DATA TRANSFER TO A THIRD COUNTRY OR AN INTERNATIONAL ORGANISATION

Personal data are to be processed within the European Union and stored on servers located in that area. Anyway, if necessary, the Data Controller will have the right to transmit such data to a third country or to an international organisation and / or to move the servers even outside the EU. In this case, the Data Controller ensures that the transfer of non-EU data will be carried out in accordance with the applicable legal provisions under art. 44 and following of the GDPR.

DATA SUBJECT'S RIGHTS

Finally, the Company informs you that, pursuant to articles 15-22 of the GDPR, you, in relation to your personal data, as Data Subject may exercise specific rights at any time, by contacting the Data Controller, such as:

• right to access: the data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, as well as to other information such as origin, purpose, category of data processed, recipients of communication and / or data transfer, retention period of personal data or the criteria used to determine this period;
• right to rectification, including the integration of incomplete personal data;
• right to erasure of data without undue delay at the request of the data subject and where one of the following grounds applies:
  the personal data are no longer necessary in relation to the purposes for which they were collected;
  the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
  the personal data have been unlawfully processed;
  the personal data have to be erased for compliance with a legal obligation in the European Uonion or Member State law to which the controller is subject;
  the data subject objects to the processing and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the GDPR (personal data processed for direct promotional purposes);
• right to restriction of processing where faults in the personal data are found (for the period necessary to the Data Controller to verify the accuracy of such personal data) or the processing is illicit and/or the Data Subject has opposed to the processing requesting its limitation;
• right to ask the Data Controller to communicate to other potential recipients of personal data the erasures, rectifications, as well as the limitations to the processing carried out;
• right to data portability as the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller, only where the processing is based on consent and carried out by automated means;
• right to oppose to the processing of personal data, without prejudice to the right for the Data Controller to demonstrate the existence of legitimate and contingent reasons to proceed with the processing anyway;
• right to withdraw consent, in every moment, if the processing is based on your explicit consent, without prejudice to the lawfulness of the processing carried out upon you consent given before the revocation;
• Right to lodge a complaint with a supervisory authority of the Member State in which he or she resides or habitually works, or the State in which the supposed violation has occurred, without prejudice to any other administrative or judicial appeal, in case of a violation to the provisions of the abovementioned Regulation.
  If you need further information on the processing of your personal data and to exercise the abovementioned rights, you can send a written request using the contacts provided in the "Data Controller" section of this statement. If you request more information about your data, the data controller shall respond promptly - unless this proves impossible or involves a manifestly disproportionate effort compared with the right to be protected - and in any case no later than thirty days from the request. The data controller will justify any inability or delay in doing so to meet the request