Information pursuant to art. 13, EU Regulation no. 2016/679 on the protection of individuals with regard to the processing of personal data
With this document, Fonda S.r.l. wishes to inform you that European Regulation no. 679 of April 27, 2016, and subsequent implementing provisions, provide for the protection of individuals (hereinafter referred to as “data subjects”) regarding the processing of their personal data, i.e., data that can directly or indirectly identify an individual.
Fonda protects the personal data of its customers, suppliers, and individuals from whom it receives personal data during its business activities in accordance with the provisions of EU Reg. 679/16 and the relevant implementing regulations.
Pursuant to Article 13 of the same Regulation, we particularly want to provide you with the following information.
1. Identification details of the Data Controller
The Data Controller is the company Fonda S.r.l., VAT and tax code 02087650996, with registered office in Genoa, Corso Andrea Podestà, 1, and email address firstname.lastname@example.org.
2. Types of data processed and purposes of processing
In general, the Controller processes common personal data for the purpose of performing services, including healthcare services, requested by the contractor or end user within the scope of its business activities. The Controller may also process health data necessary for the execution of the requested service or product (e.g., glasses, for which it is necessary to know the customer’s visual impairments and their severity).
The processing is carried out for the purposes of the Controller’s business activities, including, for example: the conclusion and execution of contracts; the supply of tools, materials, and services; administrative, accounting, and tax activities carried out within the production activity; the acquisition, management, and better organization of human resources; administrative, accounting, and tax activities carried out within the Controller’s activity to enable the data subject to enjoy tax benefits or for other legal obligations; the evaluation of the quality of the service provided; and, if the data subject has given their consent, the promotion of the Controller’s commercial activities or the promotion and dissemination of commercial initiatives.
Legal basis for processing
The legal basis for processing is, alternatively and predominantly:
- a) The execution of contracts to which the data subject is a party or pre-contractual activities requested by the data subject (e.g., orders, quotes).
- b) Compliance with legal obligations incumbent upon the Controller.
- c) Pursuing the legitimate interests of the Controller (e.g., quality control of the service).
- d) The express consent given by the data subject for purposes other than those mentioned in points a, b, and c.
3. Processing methods
In relation to the above purposes, the personal data collected—possibly including photographic or video material—are subject to electronic and paper processing and will be processed by personnel specifically designated and instructed by the Controller, and then stored in suitable and specifically designated places.
The personal data collected by Fonda are not transferred to third countries, territories, international organizations, or entities outside the European Union, unless adequate protection measures are adopted in accordance with articles 25, 32, and 46 of EU Regulation 679/16 or unless the transfer is necessary in relation to a contract, pre-contractual activities, or legal action, or in other cases indicated by Article 49 of EU Regulation 679/16.
The collected personal data may be processed and organized using automated procedures and operational, analytical, or collaborative CRM applications. For the purpose of better managing its business activities, the Controller may use automated decision-making processes, excluding any profiling activities, as defined by EU Regulation 679/16.
Personal data—including video or photographic material—provided to Fonda by the data subject and any reviews made by the customer through social networks and other means of communication may be republished, even on analog media, or disseminated on social networks or other mass communication means for the purpose of promoting initiatives or activities carried out by the Controller.
4. Data retention period
If the reason for collecting the data is a contract or pre-contractual activities, or more generally, relationships with the customer or supplier, the provided data will be retained until the expiration of all rights exercised or potentially exercisable by the parties. The data will therefore be retained for 10 years after the conclusion of the service that is the object of the contract or, in the case of disputes or communications after this period, for 10 years after the last communication between the Controller and the data subject.
If, on the other hand, the data is processed for the fulfillment of legal obligations or for legitimate interests of the Controller, it will be kept until the final fulfillment of the obligation or the final satisfaction of the legitimate interest.
If the legal basis for processing is exclusively the consent of the data subject (e.g., commercial newsletters), the data will be retained, taking into account the healthcare service performed and the end user’s interest in receiving updates on the service received, for no more than 5 (five) years from the date of giving consent.
The Controller periodically verifies the strict relevance and non-excessiveness of the data concerning the relationship, performance, or assignment to which they refer. Data that, as a result of the checks, are found to be excessive, irrelevant, or unnecessary are destroyed by deletion and subsequent physical destruction or wiping, except for any conservation, as required by law, of the act or document containing them.
5. Scope of communication and dissemination of data
The data is not subject to public disclosure. The data may be communicated to all subjects for whom the right of access to such data is recognized by regulatory provisions, to collaborators and employees, within the scope and limits of their respective duties, appointed to process the data, and to all individuals and/or legal entities, public and/or private, for whom communication is necessary to fulfill explicit legal, contractual, and non-contractual obligations. Additionally, the data may be communicated to the following prevailing categories of recipients:
- Accountants, tax consultants, and labor consultants for accounting and tax obligations related to business activities.
- Other consultants (legal, security, certifying bodies, marketing consultants, etc.) of the Controller or other professionals, in pursuit of the Controller’s interests and rights protection.
- System administrators for the processing of personal data functional to business-related obligations.
- Hosting providers, backup system providers, for the processing of personal data functional to their storage.
- Subcontractors to whom part of the contractual activities is entrusted.
- Opticians and orthoptists collaborating with Fonda.
- Consultants for management applications.
Our employees are subject to specific confidentiality obligations regarding the processed data and are required to comply with the internal regulations specifically issued for this purpose. External collaborators processing personal data on our behalf, including companies and professionals whose advice and services we use, are subject to the obligations indicated in the appointment given to them under Article 28 of EU Regulation no. 679/16.
6. Rights under Articles 7, 15, 16, 17, 18, 20, 21, and 22 of Regulation (EU) 2016/679
We inform you that as a data subject, you have the right:
- To access personal data, including obtaining information such as the purposes and legal basis of the processing, the categories of personal data processed, any recipients of such data, the data retention period, the data subject’s right to access, rectify, delete the data, object to its processing, and complain to the supervisory authority, the source from which the acquired personal data originates, and the existence of any automated decision-making processes based on the provided personal data.
- To request the deletion of personal data concerning you, where the data is no longer necessary for the purposes for which it was collected, the consent given is revoked when consent is the sole legal basis for processing, the processing is unlawful, or there is no overriding legitimate reason for the processing, or deletion is required to comply with a legal obligation to which the Controller is subject.
- To rectify and port personal data (also by direct transmission of the data to a different Controller): the rectification of the data and the portability of the same can be requested at any time by the data subject by sending an email to email@example.com. A response to the request for rectification or portability will be provided as soon as possible and, in any case, within 30 days of receiving the request.
- To revoke the consent to processing, if given, where consent is the exclusive legal basis for the processing carried out. It should be noted that the revocation will have no effect with regard to all data processing for which specific consent is not necessary and that responds to the rights or legitimate interests of the Controller.
- To limit processing where the accuracy of the data is contested and for the time necessary for verification, where processing is necessary for the exercise or defense of a legal claim, and in other cases provided for by Article 18 of EU Regulation 679/16.
- To object to the processing of data for direct marketing purposes by sending an email to firstname.lastname@example.org.
- Not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except in cases provided for in Article 22, paragraph 2, of EU Regulation 679/16.
- To lodge a complaint with the competent supervisory authority.