Privacy Policy: Prospect
This information is provided in compliance with Articles 13 and 14 of the EU Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter “GDPR”) to potential customers (so-called “prospect”) interested in products and/or services offered by the Company (as defined below).
The personal data you provide at trade fairs, conferences, and events, on any online and/or paper forms, or acquired from third parties, may be processed, in accordance with the following, in order to be able to send you promotional communications.
In the event that the relationship relates to a legal person, this privacy notice is addressed to the company contact persons acting for that legal person.
1. Data Controller and Data Protection Officer
The data controller is [Name of Engineering Group’s Company] [1] with registered office in […], tax code and VAT number […] (the “Company” or the “Data Controller”).
The Data Controller has appointed a Data Protection Officer or “DPO”, who can be reached at the following e-mail address: dpo.privacy@eng.it.
2. Categories of personal data processed
The data that the Data Controller may process, within the limits of the purposes and methods described in this privacy notice, include only your so-called common personal data, which includes your identification data (first name and surname) and contact data (such as, for example, your e-mail address).
3. Purpose of processing and legal bases
The Controller will process your data for marketing activities related to the promotion of services and/or products of the Company or companies other than the Controller that are part of the same group of companies.
In particular, your personal data will be processed:
a. for sending commercial and/or promotional communications to the interested party concerning products and/or services offered by the Controller. The legal basis for the processing of the data referred to in this point is the specific consent given by the data subject pursuant to Article 6(1)(a) of the GDPR;
b. for sending commercial and/or promotional communications to the data subject regarding products and/or services offered by other Engineering Group companies. The legal basis for the processing of the data referred to in this point is the specific consent expressed by the data subject pursuant to Article 6, par. 1, lett. a) of the GDPR;
c. for conducting market analysis and research carried out by the Data Controller or its partners. The legal basis for the processing of data under this point is the specific consent given by the data subject pursuant to Article 6(1)(a) of the GDPR;
d. to ascertain, perform data and network security audits and to prevent and counter possible computer crimes, thus in the pursuit of the legitimate interest of the Data Controller to maintain the protection of internal information systems and apply adequate security measures, as well as to assert, exercise or defend a right in court [Art. 6(1)(f) of the GDPR].
Any consents given for the pursuit of purposes a), b) and c) may be revoked at any time, thereby discontinuing the conduct of said commercial and promotional activities, by writing to the addresses indicated in this notice.
The provision of your personal data for the purpose d) is mandatory. Failure to do so will make it impossible for the Controller to establish business relations with you or your company, either in whole or in part.
4. Data processors and authorized persons
The Data Controller will share your personal data with its employees and collaborators specifically identified and instructed by a written deed pursuant to Article 29 of the GDPR (“Authorized Persons”), who will process them, under the authority of the Data Controller, exclusively for the purpose of performing their respective work duties.
Your personal data may also be shared with third parties, appointed as data processors by the Data Controller in writing pursuant to Article 28 of the GDPR, or, where required by applicable law, as autonomous data controllers.
With reference to these categories of third-party recipients, it is specified that your data may be shared with public authorities if this is required by law or by order of the competent authorities.
5. Processing methods
The processing will be carried out on paper and with the aid of electronic instruments.
Data will be processed lawfully, fairly and transparently. The data will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed, accurate and updated; they will be processed with the utmost confidentiality, in compliance with the principles dictated by the GDPR, with any prescriptions issued by the Supervisory Authority and in any case in such a way as to ensure adequate security, including protection, with appropriate technical and organisational measures, from unauthorised or unlawful processing, as well as from loss, including accidental loss.
6. Transfer of data outside the EU
In pursuit of the above-mentioned purposes, some of your personal data may be shared with recipients located outside the European Union/European Economic Area. In such circumstances, the Data Controller ensures that the transfer of such data takes place in compliance with the provisions of Chapter V of the GDPR (Transfers of Personal Data to Third Countries or International Organisations), therefore on the basis of an adequacy decision of the European Commission pursuant to Article 45 GDPR or, failing that, with the adoption of the appropriate safeguards referred to in Article 46 of the GDPR, such as the Standard Contractual Clauses in the latest version published by the European Commission.
7. Data Retention Periods
Your personal data will be stored, with logic strictly related to their security and to the resilience of the systems used for their processing, for the time strictly necessary to achieve the purposes for which they were collected. In particular, the storage and processing of your data will be carried out in full compliance with the principles of data minimisation and storage limitation pursuant to Article 5 of the GDPR.
Contact data processed for the purpose of conducting promotional activities on the basis of your consent will be processed for twenty-four (24) months from the date the consent was given, unless revoked. This period may be extended by the data subject renewing consent to the processing for this purpose.
In addition, the Controller may keep your personal data for a further period in order to fulfil contractual and legal obligations applicable to it and, where necessary, to assert, exercise or defend its own rights in and out of court, in any case for the maximum period permitted by the law in force at the time.
8. Rights of data subjects
Pursuant to current legislation, you have the following rights.
You may exercise your rights, in the manner set out in Article 12 of the GDPR and within the limitations set out in Article 23 of the GDPR, by writing to the Data Controller’s contact details set out in this notice or to the DPO’s address: dpo.privacy@eng.it.
Without prejudice to any other administrative or judicial remedy, you are also granted the right to lodge a complaint with the competent supervisory authority (for Italy, the Garante per la protezione dei dati personali) if you consider that your data protection rights have been infringed. Further information is available on the website https://www.garanteprivacy.it
[1] The data controller will have to vary depending on the ENG Group company for which the marketing vs. prospect activity is actually carried out, be careful to vary the address of the registered office accordingly.