INFORMATION on processing of personal data
(ex art. 13 and 14 of EU Regulation 679/16)
Morrow Sodali S.p.A., with registered office in Rome (Italy) – Via XXIV Maggio, 43, CF and VAT number IT08082221006, acting as Controller ex art. 4 of the EU Regulation n. 679/2016 (hence on “GDPR”) and pursuant to art. 13 of the GDPR, with this informs you, the User (hence on “Data Subject”), that your personally identifiable data (hence on “personal data”) will be processed as per what follows:
- The Data we process
The data that the Data Controller collects are those provided directly by the Data Subject in his/her request. Examples of personal data
(a). Generic personal & Contact data:
- First Name and Last name
- Company name
- Telephone and e-mail address
Such generic personal data are collected directly from the Data Subject.
- Purpose and Legal Basis for Processing
The purpose of the Website is providing financial information and reports to Data Subjects.
The generic personal data referred to as (a), may be processed for the following purpose ex art. 6 of the GDPR:
- processing is necessary for the purposes of the legitimate interests of the Controller, its Clients and the Data Subjects of providing financial information relevant to the data subject. The legitimate interest pursued by the controller override the risk to the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
The generic personal data referred to as (a) in the previous section 1 may be processed for
the following purpose ex art. 6 of the GDPR:
- processing is necessary for the purposes of the legitimate interests of pursued by the controller to perform direct marketing activities performed by the controller and/or Morrow Sodali Group companies (such as newsletters, surveys, invitations to events etc.), when those interests are not overridden by the risk to fundamental rights and freedoms of data subjects.
- Type of Processing
Processing your personal data may include all or a subset of the following list: collection, registration, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, transmission, cancellation and destruction of data.
Your personal data may be processed and stored both in paper and electronic form with manual and/or automated processing.
- Data retention
The Controller will process your data only for the time strictly necessary to fulfill the aforementioned purposes and to respond to any legal/normative National, European, or Global obligation that the Controller is subject to.
- Data Access
Your data may be made accessible for the purposes referred to in art. 2.
- To employees and collaborators with the controller in their capacity as persons in charge of and/or internal processing managers and/or system administrators.
Personal data are stored on servers managed by Service Providers appointed by the Data Controller and located in the EU. Personal data may be stores on servers outside the EEA only if a suitable provision of protection of natural persons guaranteed by the GDPR (ex. art. 44 to 48) has been implemented by the Service Provider.
- Data Transfer
In the fulfillment of the purpose stated in section 2 of this document, your generic or special category personal data may be transferred to the following recipients or categories of recipients:
- Third party companies or other subjects that process data on behalf of the Controller as Data Processor ex art. 28 of the GDPR; an updated list of processors is kept at Controller’s registered office and can be requested at any time.
- Other Morrow Sodali entities or located in third Countries that the Commission has decided there is an adequate level of protection (ex art. 45 of the GDPR) or where a set of Binding Corporate Rule has been approved by the National Supervisory Authority of Italy (ex. Art 47 of the GDPR).
- Morrow Sodali Client’s, that may be located outside the EEA. In such case the transfer is performed under the provision of art. 49.c of the GDPR, i.e. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
- Supervisory Bodies, Judicial Authorities, as well as to those subjects to whom transmission is mandated by law. These subjects will process the data as independent data controllers.
- Data subject’s rights
You, as data subject, have following rights set forth by the GDPR; and in particular:
a) Right to obtain confirmation as to whether or not personal data concerning you are being processed by the Controller, and, where that is the case, access to the personal data in an intelligible form and to the other information as per art. 15 of the GDPR.
b) Right to rectification of inaccurate personal data concerning you. Considering the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
c) Right to be forgotten or the right to obtain the erasure of personal data concerning you to the provisions and limitation stated in art. 17 of the GDPR;
d) Right to obtain from the Controller restriction of the processing of your personal data according to the provisions and limitations of art. 18 of the GDPR.
e) Right to object, on grounds relating your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
f) Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
g) When the legal basis for the processing is based onto your consent, you have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
- Right to complain with a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, as per art. 77 of the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
- How to exercise rights
You may exercise your rights by sending an e-mail to the following address: firstname.lastname@example.org.
- Contact details
Data Protection Officer (DPO)
Ing. Guido Zucchelli