Information to customers pursuant to art. 13 and 14 of EU Regulation 2016/679

ICOS S.p.A. (hereinafter “the Company”), with registered office in Via Monsignor L. Maverna, 4 – 44122 Ferrara, VAT no. 01031270380, informs that personal data will be processed in compliance with the legislation dictated by the EU Regulation.

The processing of personal data relating to legal entities does not fall within the scope of application of the personal data protection regulations established by EU Regulation 2016/679. For the purposes of clarity and transparency towards its Customers, the Company also makes this information note to legal persons, describing the methods and purposes of all the treatments that it carries out or has the right to carry out on the personal data of the interested parties such as defined below.

The Company acts as “Data Controller”; The Data Controller is whoever processes personal data, establishing the purposes and methods of processing the personal data.

Specifically, the processing of personal data of “interested subjects” may be carried out by subjects specifically authorized by the Company to carry out processing operations.

This information concerns the “interested subjects”, meaning the natural persons to whom the personal data refer, or all those subjects who operate in the name and on behalf of the legal entity Client of the Company and whose personal data are processed by the same .

Purpose and legal basis of the processing of personal data

The collection and/or processing of personal data by the Company takes place for the purposes indicated below:

1. the execution of pre-contractual activities and the acquisition of preliminary information for the purpose of stipulating the contract;
2. the execution of contractual obligations (for example: administration, accounting, contract management, billing/payment services);
3. the management of relations between the Client and the Company (by way of example, the management of disputes, or credits deriving from a contract and/or collateral deeds, factoring).

In relation to the aforementioned purposes, the processing is carried out to fulfill the contractual/pre-contractual obligations and the legal obligations connected to the relationship established with the Company; consequently consent to the treatment is not necessary.

It should also be noted that the personal data collected could be used for marketing and commercial promotion purposes according to and within the limits of what is permitted by art. 130 paragraph 4 of the Privacy Code, as amended by Legislative Decree 101/2018, with regard to the c.d. “soft spam”; therefore, without the need to obtain the prior consent of the interested parties, the Company may use the e-mail coordinates provided in the context of a previous sale for the purpose of direct sale of further products or services, provided that they are products and services similar to those object of the previous sale. It should be noted that the interested parties may object, at any time, to the aforementioned processing by writing to the Company’s e-mail address, as identified in the specific point of this information.

Source of personal data

Personal data, acquired or to be acquired in relation to contractual relationships or in the pre-contractual phase, are collected directly from the interested party, from commercial partners or qualified commercial consultants. All personal data collected is treated in compliance with current legislation and, in any case, with due confidentiality.

Nature of the provision of personal data

The provision of personal data is mandatory for those personal data in relation to which there is a legal or contractual obligation to provide it; likewise, the provision of personal data necessary for pre-contractual obligations is mandatory. Any refusal to provide such “mandatory” personal data could lead to the non-execution of the contract. Any refusal to provide personal data strictly functional to the execution of contractual relationships, but for which there is no obligation to provide it, will in principle not entail any consequence, except for the possible impossibility of following up on the connected operations to such personal data or the impossibility of establishing new relationships.

Processing methods and storage time of personal data

The processing of personal data will be carried out in a lawful and correct manner and in any case in compliance with the applicable legislation, using suitable tools to guarantee the security and confidentiality of personal data; the processing of personal data will mainly be carried out through IT tools in order to memorize, manage and transmit the data.

The processing of personal data will be carried out, mainly, by company personnel specifically authorized and instructed by the Company regarding the completion of processing operations.

With reference to the additional subjects who could process the personal data of the interested subjects, please refer to the specific point of this information.

The retention of personal data will take place in a form that allows the identification of the interested parties for a period of time not exceeding that necessary for the pursuit of the purposes for which the data are collected and processed.

In particular in relation to the management of the contractual relationship, personal data will be kept for the times defined by the reference legislation as well as, upon termination of the contractual relationship, for the ten-year term for the conservation of data of a civil nature only.

In relation to the completion of processing operations connected to the c.d. “soft spam”, the personal data collected will be kept for the time strictly necessary for the management of the purposes indicated above according to criteria based on compliance with current regulations and correctness as well as the balance between the legitimate interest of the Company and the rights and freedoms of the subjects concerned . Consequently, in the absence of specific rules that provide for different storage times, the Company will take care to use the personal data for the aforementioned marketing and commercial promotion purposes for a time that is congruous with respect to the interest shown by the interested parties in the products and services of the company itself.

In any case, the Company will take every care to avoid the use of personal data for an indefinite period, proceeding periodically to verify in an appropriate manner the effective persistence of the interest in having the processing carried out for marketing and commercial promotion purposes.

Recipients of personal data

In relation to the personal data of the interested parties, the Company may make communications deriving from an obligation of law, regulation or community legislation. For the purposes referred to in point 1, let. a), b), c) of this information (i.e. for the purposes connected with the execution of the contract, the pre-contractual measures and the management of the relationship between the Customer and the Company).

The communication, even through the simple consultation or making available of the personal data of the interested parties, can also take place towards the following subjects:

1. bodies, supervisory bodies, authorities or public institutions;
2. natural or legal persons who provide specific services, such as data processing, customer satisfaction surveys, administrative, tax and/or accounting consultants, organization of trade fairs and communication events;
3. commercial intermediaries, banks and credit institutions, legal consultancy companies, financial intermediation companies, natural or legal persons responsible for credit recovery, auditing and/or certification of financial statements and quality systems, independent collaborators of the Company, agents and whistleblowers , insurers and brokers;
4. natural and/or legal persons who request references/data for the purpose of participating in public tenders, or in the context of the execution of supply contracts with customers by the Company.

The subjects referred to in point 1), 3), 4) operate as independent Data Controllers.

The subjects referred to in point 2) operate as Data Processors, specifically appointed.

In any case, only the personal data necessary and pertinent to the purposes stated in this statement are transferred to the subjects mentioned.

The list of such third parties will be constantly updated and accessible by interested parties upon request to the Company.

Where necessary for the execution of contractual relationships, personal data may be transferred to third countries not belonging to the European Union (EU) or the European Economic Area (EEA) on the basis of the existence of adequacy decisions by the European Commission or on the basis of the adoption of duly adopted model contractual clauses or specifically authorized binding corporate rules.

Personal data will not be disclosed and therefore will not be disclosed to the public or to an indefinite number of subjects.

Rights of the interested party pursuant to articles 15, 16, 17, 18, 20 and 21 of the EU Regulation

Each interested party can exercise the rights of access to personal data provided for by art. 15 of the EU Regulation and the rights provided by the articles 16, 17, 18, 20 and 21 of the same Regulation regarding the rectification, cancellation, limitation of treatment, portability of personal data, where applicable and opposition to the processing of personal data.

The rights can be exercised by writing to the following address: privacy@icos.it

If the Company fails to respond to the request from each interested party within the timeframe set by the legislation or the response to the exercise of rights is not suitable, the interested party may lodge a complaint with the Guarantor Authority for the Protection of Personal Data.

Here are the coordinates:

Guarantor for the Protection of Personal Data
Website: www.garanteprivacy.it – www.gpdp.it
Email: garante@gpdp.it

Data Protection Officer
It should be noted that SeSa S.p.A., a company that performs the function of holding company in the SeSa S.p.A. business group to which ICOS S.p.A. belongs has proceeded to appoint the Personal Data Protection Manager for the companies belonging to the same business group.

The Personal Data Protection Officer supervises compliance with the regulations on the processing of personal data and provides the necessary advice. Furthermore, where necessary, it cooperates with the Personal Data Protection Authority.

Below is the indication of the contact details of the Personal Data Protection Officer:
dpo@sesa.it