Customer and supplier privacy information

PRIVACY POLICY STATEMENT UNDER ARTICLES 13-14 OF THE GDPR (REGULATION (EU) 2016/679)

DATA CONTROLLER

PRINCIPLES

SOURCES OF PERSONAL DATA

CATEGORIES OF DATA SUBJECTS

CATEGORIES OF PERSONAL DATA PROCESSED

PURPOSES OF THE PROCESSING

DESCRIPTION OF THE PURPOSES

RECIPIENTS OF THE DATA

NATURE OF THE PROVISION OF DATA

PARTIES AUTHORISED TO PROCESS THE DATA

DATA CONTROLLER
IVELA srl con socio unico
Address: Via B. Buozzi, 15, 20050 Liscate (MI), ITALY
Telephone n. +39 02 9500121
Fax n. +39 02 95001205
E-mail privacy: infoprivacy@ivela.it
PEC certified email: pecivela@legalmail.it
VAT no. and tax code: IT 10889890157
Share capital: €3,000,000 fully-paid
Milan Chamber of Commerce
www.ivela.it
www.ialux.it

PRINCIPLES
One of our fundamental objectives is the protection of personal data.
The data are processed in a lawful, proper and transparent manner, must be adequate, relevant and limited to what is necessary, accurate and, if necessary, updated, collected for specific, explicit and legitimate purposes pursuant to articles 5 and 6 of the EU Data Protection Regulation 2016/679 and based on the provision of consent where needed.
The data are processed in such a way as to ensure their adequate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage (integrity and confidentiality) through appropriate technical and organizational measures.
We notify users in the event of substantial changes to this Privacy Policy and the related data processing, providing the option to authorize us or otherwise to process the data for the purposes set out below.

SOURCES OF PERSONAL DATA
Collected from the Data Subject:
 Offices of the Data Controller;
 Offices of the Data Subject;
 Web pages and/or social profiles of the Data Controller;
 Trade shows and/or other events that the data Controller participates in.
NOT collected from the Data Subject:
 Private Databases (Credit Information Systems, etc.);
 Public Databases (Telephone Directories, Lists of Members of Orders or Registers, Chambers of Commerce, Other Lists, etc.);
 Internet / Search Engines/ Social Networks;
 Specialist Trade Journals.

CATEGORIES OF DATA SUBJECTS
 Customers, potential customers, users: legal persons and other operators in the sector, including workers and similar of Customer Companies and potential Customers.
 Suppliers, potential suppliers: legal persons and other operators in the sector, including workers and similar of Supplier Companies and potential suppliers.

CATEGORIES OF PERSONAL DATA PROCESSED
COMMON
Identification, accounting, tax and trading data, contact data: of Legal Entities, herein including data relating to the employees and equivalent, company representatives, shareholders, etc, data of customer Companies and potential customers / Supplier Companies and potential suppliers.
DATA PROVIDED BY THE USER IN THE CONTACT FORM ON THE WEBSITE www.ivela.it; www.ialux.it (and sub-domains)
Identifying and contact information and any other information provided by the Data Subject (name and surname, address, country, occupation, e-mail address, reason for the request-message).

PURPOSES OF THE PROCESSING
1. EXECUTION OF PRE-CONTRACTUAL MEASURES
DESCRIPTION OF THE PURPOSES
Purposes connected to the establishment of negotiations and the execution of pre-contractual measures, such as:
 information, consulting, feasibility, quotations, assistance, monitoring of quotation status, measurement of satisfaction limited to the management of the request and precontractual negotiations, etc.;
 sending of catalogues, white papers, registration for events, etc;
 to enable the access to the reserved area of the website www.ivela.it and to use its features (e.g. to place orders);
 including the necessary processing of other Parties used for promotion, placement and conclusion of the contract. These Parties contribute to the proper and complete management of requests (commercial sales network).
LEGAL BASIS FOR PROCESSING
 Execution of pre-contractual measures;
DURATION OF THE PROCESSING AND STORAGE PERIOD
 for the period strictly necessary for the proper and complete management of the request/negotiation.
 subsequently for a period of 12 months, except for further processing and storage upon the specific request of the Data Subject, the halting of processing and deletion.
2. EXECUTION OF CONTRACTUAL MEASURES.

DESCRIPTION OF THE PURPOSES
Purposes connected to the establishment, fulfilment, execution and termination of the contract which involves:
 conclusion of the contract and relative execution of obligations deriving from the contract, its performance and/or its termination;
 administration, accounting, contract management, orders, shipment, services, invoicing, complaints, and anything else necessary;
 including the necessary processing of other Parties used for promotion, placement and conclusion of the contract. These Parties contribute to the proper and complete management of requests (commercial sales network).
LEGAL BASIS FOR PROCESSING
 Execution of contractual measures;
DURATION OF THE PROCESSING AND STORAGE PERIOD
 Duration for the period strictly necessary for the proper and complete management of the establishment, execution and termination of the contractual relationship or assignment.
 After the termination of the contract, longer retention dictated by legal provisions.
3. LEGAL OBLIGATIONS.
DESCRIPTION OF THE PURPOSES
Fulfilment of precise obligations envisaged by regulations and applicable European and national laws.
LEGAL BASIS FOR PROCESSING
 Compliance with legal obligations.5
DURATION OF THE PROCESSING AND STORAGE PERIOD
 Duration and Storage dictated by legal provisions.
4. DEFENSIVE RIGHTS.
DESCRIPTION OF THE PURPOSES
Assessment, exercise or defense of the rights of the Data Controller, both in and out of court
LEGAL BASIS FOR PROCESSING
 Legitimate Interest of the Data Controller.
DURATION OF THE PROCESSING AND STORAGE PERIOD
 Duration of the in- or out-of-court dispute until the claims are time-barred.
5. SO CALLED SOFT SPAM
DESCRIPTION OF THE PURPOSES
Communications by e-mail for the purpose of the direct sale of products or services similar to the object of a previous contract with the Customer.
LEGAL BASIS FOR PROCESSING
 Legitimate Interest of the Data Controller (LIA) for legal persons and pursuant to art. 130, paragraph 4 of the Italian Privacy Code for natural persons;
 in the absence of initial refusal and without prejudice to the right to object at any time.
DURATION OF THE PROCESSING AND STORAGE PERIOD
 12 months from the last contract between the Parties;
 at expiry, halting of processing and / or deletion and only statistics in aggregate mode.
6. NEWSLETTER

DESCRIPTION OF THE PURPOSES
Sending of the Newsletter via e-mail.
Please note that statistical tracking systems may be used for the Newsletter email (which are currently sent through the MailUp® platform), to show whether the message has been opened and the links (hypertext connections in the e-mail) clicked, in particular identifying their quantity and data according to the technical specifications based on said platform’s Privacy Disclosure (https://mailup.com/privacy-statement/).
LEGAL BASIS FOR PROCESSING
 Consent (optional and may be withdrawn at any time using the link included in all the e-mails).
DURATION OF THE PROCESSING AND STORAGE PERIOD
 up to 24 months from the expression of the Consent or until its revocation.
 Near the expiration of these terms, new request for consent, otherwise halting of processing and/or deletion and only statistics in aggregate mode.
METHOD OF CONTACT
Traditional:
 Telephone;
 Standard mail.
Automated:
 Fax;
 Text message;
 Chat or messaging systems (WhatsApp and other comparable instant messaging solutions);
 E-mail.

RECIPIENTS OF THE DATA
The data may be disclosed and processed by external parties acting as data controllers such as, by way of example:
Italy:

1. Authorities and supervisory and control authorities;
2. Police and judicial authorities;
3. Parties who are transferees of a company, of a business unit, of legal relationships that can be identified as a whole or of individual legal relationships (e.g. the transfer of receivables, contracts);
4. Public and private databases, including Fraud Prevention, Identity Theft, etc.;
5. Tax records;
6. Partis that offer professional consulting services, including in associated form;
7. Public and private databases for the verification of solvency;
8. Insurance companies;
9. Banking institutions;
10. Financial institutions;
11. Adjusters and liquidators;
12. Law firms;
13. other professional insurance intermediaries.

The data may also be processed on IVELA’s behalf by external parties designated as data processors, to which appropriate operating instructions are given. These parties are essentially included in the following categories:
Italy:

1. Parties that carry out control, review and certification activities, including in the interest of customers;
2. Agents or other commercial entities authorized to distribute our products and services based on their territorial coverage corresponding to the same area as the customer or potential customer
3. Parties that offer ongoing compliance support services;
4. Parties that offer IT, ICT, cloud, web and digital marketing services;
5. Parties that offer paper, digital and alternative storage services;
6. Parties that offer traditional and automated postal services;
7. Parties that offer support in preparing market studies;
8. Companies or consultants that offer other sundry services;
9. Parties that offer debt collection services.

European Union

1. Agents or other commercial entities authorized to distribute our products and services based on their territorial coverage corresponding to the same area as the customer or potential customer.
2. Parties that offer IT, ICT, cloud, web and digital marketing services.

NATURE OF THE PROVISION OF DATA
With regard to the purposes set out in points 1, 2, 3 and 4, the provision of data is necessary, and therefore the failure to provide the data, or the provision of partial or inaccurate data, will result in the inability to proceed with negotiations and execution of pre-contractual measures, to conclude the contract, to execute or fulfil the contract, to fulfil the legal obligations, and exercise defensive rights.
In relation to the purpose pursuant to point 5 (so called soft spam), the provision of data is optional. Therefore, in the event of initial refusal, the Data Subject will not receive communications via e-mail concerning offers of products or services analogous to those subject to any previous contract between the Parties.
With regard to the purpose pursuant to point 6 (Newsletter), the provision of data is necessary but optional, therefore the failure to provide the data will make it impossible for the Data Controller to send the Newsletter, without any other consequence.

PARTIES AUTHORISED TO PROCESS THE DATA
The data may be processed by employees and workers of the business functions assigned to carry out the above purposes, who have been expressly authorized to process the data, who have received appropriate operating instructions, and who have been adequately informed and trained.
TRANSFER OF THE PERSONAL DATA TO NON-EU COUNTRIES
Any transfer of data outside the EU/EEA will take place in compliance with the principles and conditions set out by the legislation.
RIGHTS OF THE DATA SUBJECT – LODGING COMPLAINTS WITH THE SUPERVISORY AUTHORITY
By contacting IVELA by email at infoprivacy@ivela.it, Data Subjects may ask the Data Controller to give them access to their data, block their data, correct inaccurate data, complete incomplete data, restrict processing in the cases envisaged by article 18 of the GDPR, as well as object to processing in the case of the legitimate interest of the Data Controller.
The Data Controller shall provide the data subject with the information relating to the request for the exercise of the data subject's rights (pursuant to articles 15 to 22 of the GDPR) without undue delay, and in any event at the latest within one month of receiving the request, as envisaged in article 12 of the GDPR.
Furthermore, in the event that the processing is based on consent or a contract and is performed with automated tools, the data subjects have the right to receive the data in a structured, commonly used and machine-readable format, and, if technically feasible, to have them sent to another data controller without impediment (Right to Portability), and to request the simultaneous or subsequent definitive cancellation of such data (Right to Be Forgotten). Without prejudice to initial refusal, data subjects are entitled to object at any time to receiving communications via email concerning products and services analogous to those subject to any previous contract between the Parties (Soft Spam) using the link provided for that purpose in each communication. If the processing is based on consent for one or more purposes (art. 6, paragraph 1, letter A of the GDPR) and for the processing of particular data (art. 9, paragraph 2, letter A of the GDPR), the withdrawal of consent at any time does not affect the legality of the processing based on consent before such withdrawal.
Data Subjects shall have the right to lodge a complaint with the Supervisory Authority having jurisdiction in the Member State of their habitual residence, place of work or place of the alleged infringement.