Information pursuant to Article 13 of Regulation (EU) 2016/679 on Personal Data Protection
With this document (“the Policy“), the Data Controller, as defined below, wishes to inform you about the purposes and modalities of the processing of your personal data and about your rights as a data subject.
1 – Who is the Data Controller. The Data Controller is Whysol Investments S.r.l. (the “Controller “), with registered office at Via Meravigli 3, 20123 Milan. You may contact the Controller to exercise your rights, listed in paragraph 8 below, as well as to receive any information relating to the processing of your personal data, by writing to Whysol Investments S.r.l., with registered office at Via Meravigli 3, 20123 Milan and/or to the following email address: info@whysol.com.
2 – The personal data we process. For the purposes specified in this Policy, the Controller shall only process your personal data, such as name, surname, position within the company, and email address.
3 – Purposes of the processing and legal basis.
3.1 – Registration on our Portal. The processing of your personal data by the Controller is necessary for registration on the Portal managed by the Controller and, consequently, to enter into and give effect to the contract between the Controller and the company for which you work, as well as to offer the services covered by the contract. The personal data you disclose shall be processed by the Controller exclusively to meet your requests and conclude and manage the contractual relationship between the Controller and the company for which you work. Therefore, the legal basis for the processing is represented by the need to satisfy your request, in accordance with Article 6(1)(b) of the GDPR. Consequently, obtaining your prior consent to the processing is unnecessary.
3.2 – Regulatory compliance. In addition, your personal data shall be processed for the fulfilment of obligations under national or EU laws and/or regulations with which the Controller is required to comply when providing the requested services. In this case, the legal basis for the processing is represented by the need to comply with a legal obligation, in accordance with Article 6(1)(c) of the GDPR. Consequently, obtaining your prior consent to the processing is unnecessary.
3.3 – Regulatory compliance. For the purposes of managing your requests, the Controller may also process the personal data provided by you for the fulfilment of related regulatory obligations under national or EU rules and/or regulations. In this case, the legal basis for the processing is represented by the need to fulfil a legal obligation, in accordance with Article 6(1)(c) of the GDPR. Consequently, obtaining your prior consent to the processing is unnecessary. Your personal data shall be processed for the time necessary to comply with regulatory obligations; after this time, your personal data shall be stored exclusively for 10 years, in line with the limitation period provided for by the Italian Civil Code.
3.4 – Commercial communications. If you provide your email address, your personal data shall also be processed to send commercial communications to the email address provided, addressed to the company for which you work, which is one of the Controller’s clients. The legal basis for the processing is the legitimate interest of the Controller in sending its clients commercial communications regarding products similar to those already covered by an agreement between the Controller and its client, in accordance with Article 6(1)(f) GDPR. Therefore, your personal data shall be processed only to the extent that it is strictly necessary to send commercial communications to the company for which you work, which is one of the Controller’s clients.
3.5 – Right to object to direct marketing activities. We inform you that you shall have the right at any time to object to marketing activities by contacting the Controller to one of the contract addresses indicated in paragraph 1 of this Policy.
3.6 Legitimate interests of the Controller and/or third parties. Finally, your personal data may also be used for the exercise of the rights and legitimate interests of the Controller and/or third parties, for example, the right of defense in court, the management of complaints and situations of litigation, the recovery of receivables, if any, the prevention of cases of fraud and/or unlawful activities. In these cases, even if the disclosure of your personal data is not compulsory, it is in any case necessary in that such data are strictly connected and expedient to the pursuance of the said legitimate interests, which do not prevail on your fundamental rights and freedoms, and any refusal to disclose them could cause the impossibility to provide the services required.
4 – Nature of disclosure and consequences of a refusal to disclose personal data. The disclosure of your personal data is a prerequisite for the conclusion and performance of the contract signed between the Controller and the company for which you work. Therefore, any failure to disclose the requested data shall make it impossible for the Controller to meet the requests of the company for which you work.
5 – Storage of your personal data. For the purposes of performing the contract signed between the Controller and the company for which you work, as well as for the purposes of fulfilling the related regulatory obligations, the Controller shall use your personal data only for the time necessary to manage the existing relationship and perform the contract, as well as for the fulfilment of the legal obligations under the applicable legislation. In any case, your personal data shall be stored for a period of 10 years, starting from your last access to the Portal, in accordance with the limitation period provided for by the Italian Civil Code. If you register on the Portal, but no contract is concluded within 3 months between the Controller and the company for which you work, your personal data shall be immediately erased. In any case, the erasure of your personal data shall not preclude a new, subsequent registration on your part.
6 – How your personal data are processed. Your personal data shall be processed in compliance with the provisions of the GDPR, by paper, computer and telecommunication means, with logics strictly related to the purposes indicated and, in any case, in such a way as to ensure the security and confidentiality of data in accordance with the provisions of Article 32 of the GDPR.
7 – Persons to whom your personal data may be disclosed and persons who can get to know your personal data. For the purposes described in paragraph 3 above, your personal data shall be known by the employees, by the contractors regarded as employees and by the consultants of the Controller, who shall act as persons authorised to process personal data, specifically appointed as persons in charge of processing. In addition, your personal data shall be processed by third parties belonging, by way of example, to the following categories:
a) parties which provide and manage, for the Controller, the information systems and the related security measures;
b) parties of which the Controller avails itself for various reasons for the management of the Portal;
c) parties of which the Controller avails itself for the storage of the personal data processed;
d) parties that fulfil administrative and fiscal formalities for the Controller;
e) entities providing legal and/or tax advice;
f) third parties that may access the Portal subject to the prior authorisation of the client for which you are acting (for example, banks the client resorts to in order to obtain a loan, or guarantees or other services);
g) supervisory and control authorities and bodies, and in general public or private entities in charge of providing information to the public.
The parties belonging to the above-mentioned categories operate, in some cases, fully independently as distinct Controllers, in other cases, as Processors specifically appointed by the Controller in accordance with Article 28 of the GDPR.
The complete and updated list of persons to whom your personal data may be communicated can be requested at the registered office of the Controller indicated in point 1 above of this Policy. Your personal data shall not be transferred outside the European Union and shall not be disclosed.
8 – Rights you have as a data subject. In relation to the processing operations described in this Policy, as a data subject you may, subject to the conditions provided for by the GDPR, exercise the rights set out in Articles 15 to 21 of the GDPR including, in particular, the following rights:
I. Right of access – Article 15 GDPR: Right to obtain confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data in question – including a copy thereof – and to the following information:
a) purposes of the processing;
b) the categories of personal data concerned;
c) recipients to whom these personal data have been or will be disclosed;
d) the period for which the personal data will be stored or the criteria used
e) rights of the data subject to request from the Controller rectification or erasure of personal data, or restriction of processing, or the right to object to such processing;
f) the right to lodge a complaint;
g) the right to receive information on the origin of my personal data if they have not been collected from the data subject;
h) the existence of automated decision-making, including profiling;
II. Right of rectification – Article 16 GDPR: Right to obtain, without undue delay, the rectification of inaccurate personal data concerning you and/or to have incomplete personal data completed;
III. Right to erasure (right to be forgotten) – Article 17 GDPR: Right to obtain, without undue delay, erasure of personal data concerning you, when:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) you successfully opposed the processing of personal data;
c) the personal data have been unlawfully processed;
d) the personal data have to be erased for compliance with a legal obligation;
e) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
The right to erasure shall not apply to the extent that the processing is necessary for the fulfilment of a legal obligation or for the performance of a task in the public interest or for the establishment, exercise or defence of legal claims;
IV. Right to restriction of processing – Article 18 GDPR: Right to obtain restriction of processing when:
a) the data subject contests the accuracy of the personal data;
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the personal data are necessary for the data subject for the establishment, exercise or defence of legal claims;
d) the data subject has objected to processing, as indicated below, pending the verification whether the legitimate grounds of the Controller override those of the data subject;
V. Right to data portability – Article 20 GDPR: Right to receive the personal data concerning you, which you have provided to the Controller, in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller without hindrance, where the processing is based on consent or on a contract and is carried out by automated means. Moreover, you shall have the right to have the personal data transmitted directly from the Controller to another controller if this is technically feasible;
VI. Right to object – Article 21 GDPR: Right to object at any time to processing of personal data concerning you, based on the legitimacy of your particular situation, including profiling, unless the Controller has the right to continue processing on the basis of compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
VII. file a complaint with the Data Protection Authority, Piazza di Montecitorio 121, 00186 Rome (RM).
The above rights may be exercised vis-à-vis the Controller by contacting the persons indicated in paragraph 1 above.
The Controller shall take your request into consideration providing you, without undue delay and, in any case, within no later than one month from receipt of the request, with any information regarding the action taken in relation to your request.
The exercise of your rights as a data subject shall be free of charge pursuant to Article 12 of the GDPR. However, where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Controller may charge a reasonable fee taking into account the administrative costs incurred to take the action requested, or refuse the satisfaction of your request.
Finally, we inform you that the Controller may request further information necessary to confirm your identity.