Personal data means any information relating to an identified or identifiable natural person (hereinafter "Data subject") in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
2. Who is the controller for the processing of the data collected pursuant to this policy?
The controller of the personal data collected is Fimap S.p.A., VAT no. 02520310232, Tax Code 09224090150, with registered office in Via Invalidi del Lavoro n. 1, Santa Maria di Zevio – 37059 (Verona – Italy), email/PEC: firstname.lastname@example.org (hereinafter "Fimap" or "Controller").
3. What types of data does Fimap process?
- Data of customers, prospective customers and suppliers, including their consultants and other representatives, provided voluntarily.
Any contact with Fimap, including through the services provided on its web pages, or the optional, express and spontaneous sending of electronic or traditional mail messages to Fimap addresses, or at the conclusion of contractual relations, involves the subsequent acquisition of personal data sent, for the sole purpose of performing the requested service or to respond to requests or stipulate and manage the contractual relationship. Fimap collects and processes the following personal data: IP addresses, email addresses, telephone numbers, place of residence, date of birth, tax/ VAT code, names, qualifications, duties, bank details, as well as other personal data included in the relevant service and/or communication forms.
- Browsing data.
The computer systems and programmes used for the operation of Fimap websites collect some personal data whose transmission is implicit in the use of Internet communication protocols (e.g., IP addresses or domain names of the computers used by users who connect to the website, information on visits, browser software and other parameters relating to the user's operating system and computer environment). These data are used for the sole purpose of obtaining statistical information not associated with any user identification data on the use of the website and to check its correct functioning; they are, therefore, deleted immediately after processing.
- Credit card details
By accessing the e-commerce platform (store.fimap.com), customers need to provide information on their credit card to complete the purchase (card number, holder, expiration date, security code). These data will be acquired by the payment service provider who will act as an independent data controller, without passing through the Fimap server which, therefore, will not process these data in any way. The data will be acquired in encrypted format and according to the security requirements of the PCI certification. The Payment Service uses the TLS/SSL Protocol. Customers may request, through the e-commerce website, the saving of such data. However, the data will be saved directly by the payment service provider and will not be acquired by Fimap which will keep track only of the last four digits that make up the credit card number only and exclusively to prevent fraud in online payments.
4. For what purposes are personal data collected by Fimap processed?
Personal data will be processed for the purposes indicated below:
- administrative and accounting purposes related to the obligations imposed by the applicable laws or regulations and by provisions issued by the responsible authorities/surveillance and control bodies;
- purposes closely related and/or necessary to the fulfilment of its contractual obligations and the exercise of its contractual rights, including after-sales activities;
- purposes related to registration on the website to use the services offered by Fimap, including the possibility of making an online purchase;
- purposes related to the execution of any other request received by Fimap;
- with prior consent, for purposes of information and promotion of the activity carried out by Fimap and/or the marketed products. Fimap may send communications for the above purposes either by traditional means (e.g., paper mail, telephone calls by an operator) or by automated means of communication such as e-mail (e.g., newsletters) and SMS. Limited to the e-mail details provided as part of the purchase of a product or service offered and sold by Fimap, the latter may use for the sending of information and promotional communications (including the newsletter) of similar products or services without the need for the express and prior consent of the Data Subject and on condition that the Data Subject does not exercise the right of opposition (so-called soft spamming);
- subject to prior consent, for the purpose of processing preferences by collecting the type and frequency of purchases for sending information and/or advertising material of specific interest to the Data Subject by email and improving the commercial proposals sent by Fimap (so-called profiling).
5. What is the legal basis for the processing of the personal data collected? Can I withdraw my consent?
Legal basis for data processing under the GDPR..
The legal basis for the processing of personal data for the above purposes is as follows:
- for the purposes of point 4, letter (a), compliance with a legal obligation;
- for the purposes of point 4, letter (b), the fulfilment of Fimap's contractual obligations;
- for the purposes of point 4, letter (c), the provision of the requested service;
- for the purposes of point 4, letter (d), a feedback to any other request received by Fimap;
- for the purposes of point 4, letter (e) and (f), the user's consent.
Withdrawal of consent
For the purposes of point 4, letters (e) and (f), the Data Subject may withdraw his/her consent at any time by writing to email@example.com.
The right of the Data Subject to object to the processing of his/her personal data for marketing purposes by automated means of contact (e-mail, SMS) also extends to traditional ones (post).
Limited to the sending of the newsletter, the Data Subject may also object to data processing concerning him or her through the appropriate link at the bottom of any e-mail with promotional content sent by Fimap which allows automatic unsubscription from the newsletter.
Withdrawal of consent by the Data Subject shall not in any way affect Fimap's right to process the user's data if such processing is necessary in order to comply with Fimap's contractual obligations and/or to the extent that Fimap is required to process the data subject's personal data in order to comply with a legal obligation or to defend its rights in a dispute with the data subject, to prevent fraud or abuse.
6. How are personal data collected by Fimap processed? With whom could Fimap share such data?
The processing of personal data mainly takes place with the help of electronic or automated instruments, according to methods and means suitable to ensure the security and confidentiality of the data, in accordance with the provisions of legislation on the protection of personal data. In particular, Fimap uses technical, IT, organisational, logistical and procedural security measures in order to guarantee the minimum level of data protection required by law, allowing access only to those appointed.
Scope of data dissemination
The personal data of Data Subjects may be communicated to the following entities:
- Fimap employees and/or collaborators, for the performance of administration, accounting, after-sales, IT and logistic support activities;
- entities carrying out customer assistance activities and providing centralised services also for the benefit of Fimap, including marketing services, as well as after-sales services;
- companies or consultants responsible for the installation, maintenance and management of Fimap hardware and software (including the Fimap web pages);
- external companies or consultants providing banking, financial, insurance, legal, personnel recruitment and selection services;
- company of the group controlled by Comac S.p.A. to which Fimap belongs;
- supervisory and control authorities and bodies and, in general, public or private persons acting as public officials or persons in charge of a public service;
- parties that perform activities involving the filing of documentation and data entry.
With reference to personal data communicated to them, the parties that belong to the above-mentioned categories can operate, depending on the case, as processors or persons in charge of processing, or as separate data controllers.
Personal data shall not be in any way disseminated or communicated to other external entities, except where disclosure is required by law or necessary.
7. For how long will personal data collected by Fimap be kept?
Personal data shall be kept for the time necessary from an operational and/or legal point of view as follows:
- for the purposes referred to in point 4, letters (a), (b) and (c) and (d) above for a period not exceeding ten (10) years, without prejudice to any specific legal obligations regarding the keeping of accounting records and, in any case, according to statutory limitation periods;
- for the purposes referred to in point 4, letter (e), until consent has been withdrawn;
- for the purposes referred to in point 4, letter (f), above, for a maximum period of 12 months.
In any case, Fimap may keep the personal data collected for a period of time longer than that indicated above in the event of potential or real legal disputes or to prevent fraud or abuse.
In any case, at the end of the period for which the personal data are stored, the data shall be deleted or aggregated or anonymised.
8. Will personal data collected by Fimap be transferred abroad?
It may be that Fimap shares personal data collected with selected entities who may process such data in countries both within and outside the EU/EEA. In the case of transfers to countries where the laws do not offer the same level of data protection as the GDPR, Fimap shall use various legal mechanisms, including standard EU contractual clauses, to ensure that the rights and protections granted by Fimap travel together with the transferred data.
Further information regarding the international transfer of data may be sent to the contacts available at the end of this policy.
9. What are the rights of the Data Subject?
This section lists the rights of the Data Subject that can be exercised at any time by writing to firstname.lastname@example.org.
The Data Subject shall have the right to:
- obtain from Fimap confirmation as to whether or not your personal data are being processed and, if so, access to the information referred to in article 15 of the GDPR;
- obtain the rectification of personal data concerning you, or, taking into account the purposes of processing, the integration of incomplete personal data;
- obtain the erasure of your personal data if one of the reasons referred to in Article 17 of the GDPR applies;
- obtain the limitation of the processing of your personal data in cases provided for by the applicable law;
- object to the processing of their personal data for reasons connected with your particular position;
- •receive, in a structured, commonly-used and legible electronic format, any personal data relating to you, which they have provided, and transmit this data to another Data Controller without impediment by the Data Controller, if technically possible, in the cases and within the limits referred to in article 20 of the GDPR.
Depending on the amount or complexity of the requested information, an appropriate fee may be charged.
The Data Subject shall also have the right to lodge a complaint with a supervisory authority (for Italy: the Personal Data Protection Supervisor), if he or she considers that the processing of his or her personal data is carried out in violation of the GDPR
In any case, the Data Subject is invited to contact Fimap, which undertakes to process the matter with the utmost courtesy, seriousness and discretion.
Our products and services are primarily intended for an adult audience. Fimap does not knowingly solicit or collect personal data from or about persons under the age of 16 without the consent of a parent or guardian. Should Fimap learn that personal data relating to children have been sent without the consent of a parent or guardian, Fimap shall make every reasonable effort to do so:
- delete such personal data from your files as soon as possible; and
- ensure that these personal data are not further used for any purpose and are not further disclosed to third parties.
11. Amendments and updates to this Policy
Last updated on 20 January 2020.
Do you want to stay up-to-date with the latest Fimap News?Sign up to our Newsletter