Dear Customer,
Gestioni S.p.A. whose registered office is in Italy Albino (BG) Via Roma, 110, post code 24021 Cod.Fisc. 01653140168, VAT number 04334290162, ph. 035776111, e-mail address fassi@fassi.com, certified email address gestioni@legalmail.it, in accordance with the transparency principle, provides you with the following information in order to make you aware of the features and procedures of the processing of your personal data:

• Who we are and what data we process.
Gestioni S.p.A. represented by its Legal Representative, as Data Controller, grants you the highest confidentiality while processing your personal data, their accuracy and their updating, as established by the current legislation on data protection. We care about the security of your personal data and to prevent any loss, misuse, non-authorized use as well as non-authorized access, we use and apply some specific security measures.
The Controller processes the personal data (for instance name, surname, physical address, country and city of residence, telephone and/or mobile phone number, fax number, fiscal code, VAT number, company name, personal e-mail, bank and payment information, as e.g. IBAN, SDI unique code), hereafter identified as the “data”, which you communicated on the occasion of the signature of agreements for the services offered by the Controller and/or for marketing purposes. Moreover, the Controller might even save the cookies, as described more in detail in the Cookie Policy available on the official website of the company.
• Purposes of the process and legal basis
The Controller requires the data to follow up the registration request and the supply agreement for the chosen Service and/or the purchased product, to manage and perform the contact requests forwarded by the customer, to give assistance, to meet the law obligations and the regulations to which the Controller is subject according to the activity performed. In no case can the Controller use your data for undeclared purposes. In particular, your data will be processed for the following purposes:
1. For the registration and the requests for contact and/or informative material
Your personal data are processed to perform the preliminary activities following the registration request, to manage the information/contact requests and/or the requests for informative material, as well as to fulfill any other related obligation.
The legal basis of this processing is the accomplishment of the performances concerning the request for registration, for information and for contact and/or the supply of informative material in the interest of the data subject and in compliance with the law obligations.
2. For the management of the contractual relationship
Your personal data are processed to perform the preliminary activities following the purchase of one of our services, the management of the order, the provision of the service, the related invoicing and the management of the payment, as well as the fulfilment of any other obligation resulting from the contract, to fulfil the obligations foreseen by the law, by a regulations, by the EU laws or by an instruction from an Authority (for instance in matters of anti-money laundering) or to exercise the rights of the Controller (for instance the right of legal defense).
The legal basis of this processing is the accomplishment of the performances related to the contractual relationship and the observance of the legal obligations.
3. For the communication activities for direct marketing
The Controller, even without an explicit consent, may use the contact data transmitted by the Data Subject/Customer, for the purpose of direct marketing of its own Services, unless the customer explicitly opposes it.
The legal basis is the legitimate interest of the Controller.
If the Controller wants to process your personal data for a purpose that is different from the one for which the data were collected, it will inform you about the different purpose and it will provide you with any related information, before proceeding with this further processing.

• Refusal to provide the data required to implement the requested service
The collection and the processing of the personal data according to a) e b) of the previous point are compulsory to perform the requested services. If you do not want to give the personal data that are considered as necessary, the Controller will not be able to perform the requested services and/or the contract, nor to fulfill the obligations resulting from them.
• Refusal to provide the data required for promotional marketing and profiling activities
The provision of the personal data for the purposes according to c) of the previous point, is optional and you can exercise your right to cancel the data at any time, without affecting the regular performance of the services defined by the contract.
• How data are processed
We inform you that the processing of your personal data is carried out in compliance with the principles of lawfulness, fairness and transparency of the process. We assure to you that the processed data will be suitable, appropriate and won’t exceed what is necessary for the purposes of the process (principle of data minimization).
The data will be processed in electronic and paper form, through means which are suitable to ensure the security and the privacy of the data, in compliance with what is foreseen in Chapter II (Principles) and in Chapter IV (Controller and Processor) of the Regulation.
The processing may be also carried out by using automated systems that can memorize, manage or transmit these data, and, in any case, this will be performed in compliance with the provisions of the Regulation.
The processing of your personal data will be made performing the operations described at the art. 4 n. 2) of the Regulation, that means, collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, disclosure by transmission, spreading or other ways to make them available, comparison or interconnection, restriction, cancellation or destruction.
The Controller uses some appropriate security measures to preserve the privacy, the integrity and the availability of your personal data and it obliges the third-suppliers and processors to apply the same security measures.
Your personal data will be saved in paper files, computer records and telematic files located in the Countries where the GDPR is applied (EU countries).
• Period of data storage
Unless you explicitly express your will to cancel the data, in relation to the different purposes and to the different aims for which they were collected, your personal data will be stored during the time-lapse foreseen by the applicable law, and in any case for a period that is not longer than the one necessary to achieve the purposes previously indicated, and in particular, for those concerning the implementation of the contract for a period of ten years (after this term, the rights resulting from the same contract won’t be prosecutable).
In case of data given for marketing/sales promotion purposes, they will be stored until the withdrawal of the given consent and/or in case of subscription to promotional communication/newsletter service, they will be stored until you ask to unsubscribe. At the end of this period, except for the real transformation in an anonymous form that does not allow, even indirectly or by connecting other databanks, to identify the data subjects, the data will be automatically erased, totally or partially (according to the applicable legislation). In any case, whenever you decide to withdraw the consent or to oppose the process, your data will be erased within 30 days from the request.
In case you send to the Controller some personal data that were not requested or required to perform the requested service, it can’t be considered as the Controller of these data, and it will have to erase them as soon as possible.
• Rights of the Data Subject (art. 15 – 22 GDPR)
At any moment you have the right to obtain the confirmation of the existence or non-existence of your personal data, and to know their contents and their source, to verify if they are right or to ask for their integration or update and even the correction.
In this regard, the Controller suggests sending a written request, including date and signature, by e-mail, by certified mail or by registered letter [or to contact the Data Protection Officer – DPO) at the email address gdpr@fassi.com.
We inform you that we will answer to your requests within one month, except for particularly complex cases, for which the answer might take up to 3 months. In any case, we will explain to you the reasons of the waiting time within a month from your request.
You will receive the reply to your request in writing or electronically. In case you require the correction, the cancellation or the processing limitation, we will engage ourselves to communicate the outcomes of your requests to every recipient of your data, unless this is impossible or requires a disproportionate effort. We remind you that the withdrawal of the consent does not affect the lawfulness of the process, which is based on the consent given before the withdrawal.
With regard to the processing of the above-mentioned data, you have the right to obtain:
1. the confirmation of the existence or non-existence of your personal data, their communication in a comprehensible form and to become aware of their source, as well as of the logics on which the process is based;
2. the cancellation, within an adequate deadline, of your data, their anonymization or the blocking of the data whose process is breaching the law;
3. the update of the data, their correction or their integration, if you are interested in it;
4. a document confirming that the operations as per the previous points 2) and 3), were brought to the attention of the people to whom the data were communicated, unless this is impossible or implies a disproportionate effort;
5. the correction or the cancellation of the data related to you or the limitation of the process.
6. the withdrawal of the consent related to optional processes and not linked to the performance of the contract signed with the Controller;
At last you have also the right to oppose the processing of your personal data due to legitimate reasons, even if they are relevant for the collection, to ask for their portability, to exercise the right to be forgotten, as well as to go before the ordinary Legal Authority and/or the competent Control Authority for personal data protection due to whatever violation you think you have suffered, according to the procedures available on the site of the Supervisor www.garanteprivacy.it.
• Recipient and/or possible recipients of personal data
Your personal data won’t be disclosed and only the employees of the company departments in charge of the pursue of the above-mentioned purposes will be aware of them; those people have been expressly authorized to the processing and have received the adequate operative instructions [company of the FASSI group, controlled or connected companies]. These data could also be transmitted to third parties, as autonomous Controllers or co-controllers, or Managers that are External to the Processing, according to the Article 28 of the GDPR, with an appointing contract including the processing procedures and the security measures that they will have to apply for the management and the storage of the personal data for which the Company is the Controller as:
• External Bodies, even private, performing inspections of whatever nature;
• External Consultants previously appointed;
• Suppliers of the company processing the data on the behalf of the Controller and/or consultants providing services to the company.
The data could be also transmitted to the Public Security Authority after a specific request and to the Legal Authority in case of need.
The complete list of the subjects to which your personal data can be communicated is at your disposal, after you have requested it by e-mail. Your data won’t be transferred in a third-country or to an international company. If the Controller transfers your data outside the European Union, it assures and engages itself that such a transfer is made according to the regulations of the European Commission, in compliance with the applicable law provisions.
We will communicate your data only in case of a legal or contractual obligation, as a requirement to enter an agreement.
• Profiling
We do not use any automated process aiming at profiling

Last update: January 2019