Privacy Policy

Under and for the purposes of (i) Legislative Decree June 30, 2003, no. 196, the “Privacy Code”, (ii) EU Regulation 2016/679 concerning the “protection of individuals with regard to the processing of personal data and on the free movement of such data”, the “GDPR”, articles 13 and 14, rules collectively also referred to as the “Privacy Legislation”, a series of obligations are provided for those who carry out processing – “collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, communication by transmission, dissemination or any other form of making available, comparison, interconnection, limitation, erasure or destruction” – (hereinafter the “Processing”) of information concerning an identified or identifiable natural person (the “Data Subject”).

VALETUDO SRL, VAT and Tax Code 00978150167, with registered office at Via Ghiaie n.6, 24030 Presezzo (BG) (the “Company”) wishes to inform you, in the following sections, about the methods and purposes of the Processing of your personal data.

 

Data Controller

The data controller is the subject who determines the purposes and means of Processing of personal data (the “Controller”), and is identified in the Company, by the current CEO.

The Data Controller can be contacted via email at: privacy@valetudo.com

 

Data Subject’s Data Collection Methods

The Controller may become aware of Your data in the following circumstances:

  • in case of contact request sent through company websites, by email or by phone, in order to request information about products and services offered by the Company;
  • during the execution of a contract (purchase of a good or service), including pre-contractual negotiations;
  • when providing Your data during the personnel selection and recruitment process;
  • when providing Your data to receive commercial communications, newsletters, and/or to be updated on events organized and marketing initiatives undertaken by the Company;
  • when authorizing Your data to allow the Company to carry out market analysis and research activities;
  • when providing Your data by interacting with the Company’s social channels.
  • where the Company’s business partners have legitimately communicated Your personal data.

 

Categories of Processed Data

The following categories of personal data concerning you exemplify the types of data that may be collected through the various services and contact channels described in this document:

Identifying Data – name, address, email address, phone number, gender, date of birth, identity document, tax code.

Financial Data – bank details and IBAN.

Biographical Data – education, professional experience, continuous training.

Profiling Data – demographic, behavioral, interaction, usage, consumption.

(“Data”)

Processing Purposes – Legal Basis – Retention Policy

Your personal data will be processed, mainly using computerized tools, for the following purposes:

  • Responding to specific requests: Your Identifying Data will be used to provide a response or a specific service requested by You through the communication and contact channels of the Controller (email, websites, phone).

It is necessary to provide the data marked with an asterisk in online forms in order to complete the request.

Legal Basis: to execute pre-contractual measures or a contract of which You are a party (Art.6 par.1 lett. b of the GDPR).

Retention Policy: The Data will be retained for the time strictly necessary to pursue the purposes for which they were collected and in any case not beyond ten years from the receipt of the request.

  • Establishment of the relationship and execution of the contract: Your Identifying and Financial Data will be used to respond to any of Your commercial requests, to obtain any other preliminary information necessary for the establishment of the relationship, or for the execution of the contract with You in place.

The provision of the Data is mandatory as required for compliance with legal and contractual obligations. Any refusal to provide them or any subsequent opposition to the Processing may result in the impossibility for the Controller to carry out contractual relationships.

Legal Basis: to execute pre-contractual measures or a contract of which You are a party (Art.6 par.1 lett. b of the GDPR).

Retention Policy: The Data provided in the context of Your request or for the mere formalization of a quote will be kept for a maximum period of ten years. Data processed to execute a contract may be retained for the entire duration of the relationship as well as for the subsequent ten years from the date of termination of the same.

  • Compliance with legal obligations and fraud prevention: Your Identifying and Financial Data, provided in the context of the Purposes referred to in point b), may be used to fulfill any civil, administrative, tax, accounting obligations provided by law, regulation, European legislation or an order of the Authority and arising from the relationship(s) with You.

The Controller reserves the right to process the Data to prevent possible risks and fraud, as well as to defend its rights arising from the contract in judicial or extrajudicial proceedings, also for the purpose of any credit recovery, directly or through third parties (credit recovery agencies/companies) to whom they will be communicated only for these purposes.

Legal Basis: to execute the relationship of which You are a party (Art. 6 par. 1 lett. b of the GDPR), to comply with a legal obligation to which the Controller is subject (Art. 6 par. 1 lett. c of the GDPR), to pursue a legitimate interest of the Data Controller consisting in preventing possible frauds or defending its own right or asserting claims arising from the commercial relationship with You, unless Your interests or fundamental rights prevail (Art. 6 par. 1 lett. f of the GDPR).

Retention Policy: The Data may be retained for the time necessary to fulfill legal obligations and, in any case, for the entire duration of the contract in addition to the subsequent ten years from the end of the fiscal year following that of competence.

  • Candidates selection: Your Identifying and Biographical Data communicated during the selection process and present in the curriculum vitae will be used to assess Your skills, experiences, and qualifications, in order to select the most suitable profiles for open positions, as well as to contact You for further interviews or inform You about the outcome of the selection process.

Legal Basis: to execute pre-contractual measures or a contract of which You are a party (Art.6 par.1 lett. b of the GDPR).

Retention Policy: The Data will be kept for the time strictly necessary to pursue the purposes for which they were collected and in any case not beyond six months following the conclusion of the selection.

  • Customer loyalty and marketing: Your Identifying Data will be used to provide You with news and offers – via automated contact methods (such as email, SMS) and/or traditional methods (such as postal mail) related to the services offered by the Company – and/or invitations to events, webinars, and conferences.

The provision of Data is optional and failure to provide it or failure to authorize Processing will result in the inability to carry out the activities indicated.

Legal Basis: consent expressed by You as a Data Subject (Art. 6 par. 1 lett. a of the GDPR).

Retention Policy: The Data may be processed until the withdrawal of Your freely expressed consent.

At the time of each communication, You will be informed of the possibility to object at any time to the Processing, easily and free of charge.

  • Market research and satisfaction survey: Your Identifying Data, provided in the context of

the Purposes referred to in points b) and e), may be used for sending questionnaires, conducting market research and/or measuring Your satisfaction level.

Legal Basis: to pursue a legitimate interest of the Data Controller consisting in understanding customer preferences, market trends, and allowing the Company to improve the services offered (Art. 6 par. 1 lett. f of the GDPR).

Retention Policy: The Data may be kept until the exercise of the right to object to the Processing. At the time of each communication, You will be informed of the possibility to object at any time to the Processing, easily and free of charge.

  • Profiling: Your Identifying and Profiling Data may be used to evaluate personal aspects, analyze or predict consumption preferences, through data analysis models, statistical algorithms, and predictive models.

Legal Basis: consent expressed by You as a Data Subject (Art. 6 par. 1 lett. a of the GDPR).

Retention Policy: The Data may be kept for the time strictly necessary and in any case for a period not exceeding 7 years.

  • Interactions on Social Networks: Your Identifying Data collected from interactions, such as private messages and comments sent on our Social channels, may be used to improve our understanding of Your needs, preferences, and interests.

Legal Basis: to execute pre-contractual measures or a contract of which You are a party (Art.6 par.1 lett. b of the GDPR).

Retention Policy: Data collected through private messaging on Social channels will be kept for the time strictly necessary to pursue the purposes for which they were collected. Data communicated publicly, through comments, are subject to the retention period defined by the Social channel policies used by You to interact with the Company.

  • Defense in legal proceedings for the rights of the Controller: where required by law, the Controller will provide Your Data to the Authorities and bodies responsible for law enforcement, regulations, and judicial acts, as well as to third parties in litigation.

Legal Basis: to pursue a legitimate interest of the Data Controller consisting in the protection of its rights and/or of third parties or in cooperation with Authorities or bodies responsible for law enforcement, unless Your interests or fundamental rights prevail (Art. 6 par. 1 lett. f of the GDPR).

Retention Policy: The Data will be retained for the time strictly necessary to pursue the purposes for which they were collected. In the case of a contractual relationship, the Data may be kept for up to three years following the termination of the contractual responsibility between the parties.

If the Controller intends to process Your Data for purposes other than those described above, it is obliged to inform You of such additional purposes before carrying out the Processing.

 

Data Processing Methods

In relation to the above purposes, the Company carries out the Processing of Data, in compliance with the security measures referred to in art. 32 of the GDPR using manual, computerized, and telematic tools, suitable for storing, managing, and transmitting the same Data, solely for the purpose of pursuing the purposes for which they were collected and, in any case, in such a way as to guarantee their security and confidentiality, as well as compliance with the principles of fairness, lawfulness, and transparency.

The Controller carries out Processing that consists of automated decision-making processes on the processed Data.

 

Scope of Data Communication

Your Data may be made accessible to:

  • employees and collaborators of the Company in their capacity as authorized and/or designated persons for Processing and/or system administrators;
  • consultants and suppliers who – on behalf of the Controller – carry out administrative, accounting, tax, or legal activities outsourced;
  • IT service providers offering services related to information technology and computer infrastructure;
  • marketing agencies for managing targeted advertising campaigns;
  • supervisory Bodies, Judicial Authorities, as well as to all institutional bodies to which communication is mandatory by law for the fulfillment of said purposes;
  • other third parties in order to provide the specifically requested services. Only the information necessary to carry out their functions is provided to such third parties.
  • all external subjects to the organization are authorized and instructed to process Your Data in accordance with Article 28 of the GDPR.

 

Data Transfer to a Third Country or an International Organization

The Data is processed within the European Union and stored on servers located therein. It is understood, however, that the Controller, if necessary, has the right to transmit such data to a third country or an international organization and/or move the servers also outside the EU. In this case, the Controller assures in advance that the transfer of data outside the EU will take place in compliance with the applicable legal provisions, pursuant to art. 44 of the Privacy Code and art. 46 et seq. of the GDPR.

 

Data Subject’s Rights

The Company informs You, finally, that under the current legislation on the protection of personal data, You may exercise specific rights at any time – under articles 15-22 of the GDPR – and in particular You may ask the Controller:

the right of access, i.e., the possibility of obtaining from the Controller confirmation of whether or not personal data concerning You are being processed and, in this case, access to Your personal data;

a. the right to rectification, including the integration of incomplete personal data;

b. the right to erasure of data without delay upon request of the Data Subject and mandatorily if:

c. the personal data are no longer necessary in relation to the purposes for which they were collected;

  • the consent on which the Processing is based is revoked and there is no other legal basis for the Processing;
  • the personal data have been unlawfully processed;
  • the personal data must be erased to comply with a legal obligation under EU or Member State law.
  • the Data Subject objects to the Processing and there are no overriding legitimate grounds for the Processing, or the Data Subject objects to the Processing in the cases provided for in Article 21(2) of the GDPR (personal data processed for direct marketing purposes);

d. the right to restriction of Processing in cases where the accuracy of personal data is contested (for the period necessary for the Controller to verify the accuracy of such personal data) or the Processing is unlawful and/or the Data Subject opposes the Processing requesting the restriction thereof;

e. the right to data portability as the right to receive from the Controller Your personal data in a structured, commonly used, and machine-readable format and to transmit such data to another Controller, only for cases where the Processing is based on consent and for the data processed by

automated means;

f. the right to object to the Processing of Your personal data except where the Controller demonstrates compelling legitimate grounds for the Processing;

g. the right to withdraw consent at any time, where the Processing is based on Your explicit consent, without affecting the lawfulness of the Processing carried out until the withdrawal;

h. the right to lodge a complaint with a supervisory authority of the Member State where You reside or work habitually or where the alleged infringement occurred, without prejudice to any other administrative or judicial remedy, in case of violations of the provisions of the aforementioned Regulation.

 

If You wish to have more information about the Processing of Your personal data and to exercise the above-mentioned rights, You can send a written request using the contacts provided in the “Data Controller” section of this notice. In case of a request from You for information regarding Your data, the Controller will respond as soon as possible – unless this proves impossible or involves a disproportionate effort – and in any case not later than thirty days from the request. Any impossibility or delay on the part of the Controller in fulfilling the requests will be adequately motivated.

Moreover, You always have the right to lodge a complaint with the Supervisory Authority for the Protection of Personal Data, reachable at the address garante@gpdp.it or through the website http://www.gpdp.it.

Last update: February 2024