Stakeholders: Customers
SEFO srl, in its capacity as Data Controller of your personal data, pursuant to and for the purposes of EU Regulation no. 2016/679 hereinafter referred to as 'GDPR', hereby informs you that the aforementioned legislation provides for the protection of data subjects with regard to the processing of their personal data and that such processing will be based on the principles of correctness, lawfulness, transparency and protection of your confidentiality and your rights.
The Data Controller is
SEFO S.r.l., in the person of its legal representative pro tempore (Fiscal Code no. 01475680516) with registered office in Arezzo 52100 (Italy) Loc. Ponte alla Chiassa n. 141 - Tel. +39 0575 342010 mail:
[email protected].
Your personal data will be processed in accordance with the legal provisions of the aforementioned legislation and the confidentiality obligations therein contained.
Sefo S.r.l. has appointed a “Data Protection Officer” (“DPO”) in the person of Lawyer Antonio Virgallita, who can be reached at the email: [email protected].
You may freely contact the DPO for all matters relating to the Processing of your Personal Data and/or should you wish to exercise your rights, as set out and described below, by sending a written communication to the email
In accordance with Art. 4, no. 1, GDPR for 'personal data' and within the scope of the purposes of the above-mentioned processing operations, only personal data relating to, by way of example, name and surname, tax code, date of birth, VAT number, residence, domicile, shipping address, passport number and/or other identity document, user name, payment and invoicing method, email or PEC address, telephone and fax number, SDI unique code, possible pick-up point for the goods purchased, etc. will be processed. Personal Data may be associated with online identifiers produced by the electronic devices, applications, tools and protocols used, such as IP addresses, temporary markers (technical cookies or automatic logs) or other identifiers.
In accordance with the principle of minimization set out in Article 5(1) GDPR, you therefore undertake to refrain from sending personal data to the Data Controller, unless such data is strictly necessary for the performance of contractual and/or commercial activities. In the latter case, personal data must be transmitted to the Data Controller in anonymous form or through the use of pseudonyms, as expressly provided for by the GDPR.
If, for the purposes of the performance of the contractual relationship with a customer (legal person, hereinafter, the 'Customer'), it becomes indispensable to process personal data other than that of the customer's legal representatives and/or contact persons, and the same cannot be acquired in anonymous or pseudonymized form, the Customer declares and guarantees that he/she will lawfully process, in compliance with the GDPR, all personal data that he/she will communicate to the Controller, during the course of the contract, and, in particular, declares that he/she has provided the Data Subjects with adequate information expressly mentioning the possibility of providing personal data to third party companies and that he/she has obtained any consents necessary for this purpose.
The Customer also undertakes to indicate to its employees and/or collaborators that this Information Notice is also available on the website https://www.cncracing.com/it/privacy/, so that it can be provided by the Data Controller to the Interested Parties pursuant to Articles 13 and 14 of the GDPR.
Purpose and legal basis of processing: Your personal data are processed without your consent (Art. 6 lett. b, c, f, GDPR), for the following purposes related to the implementation of fulfilments related to legislative or contractual obligations:
a. legally required fulfilments in the field of taxation and accounting;
b. fulfilment of pre-contractual and contractual obligations arising from a possible contractual relationship (supply of goods or services) even through e-commerce;
c. consulting activities aimed at the identification of goods and/or services to which the client is interested;
d. litigation management and possible credit recovery activities;
e. customer management, including after-sales services;
f. services to protect consumers and users, including possibly and upon specific agreement insurance services;
g. internal quality control services;
h. customer invoicing history;
i. information and promotional activities relating to commercial and/or professional services provided by the Controller, events and services, distribution of material of an informative nature, sending out of newsletters and publications of commercial nature directly related to the Controller's activities; as well as sector studies on an anonymous basis, aimed at the provision of information and disclosure services by the Controller
j. customer satisfaction survey;
k. storage of information relating to these activities.
The provision of data for the purposes set out in points a) to h) is mandatory. Any refusal to provide such data would make it impossible for the Controller to conclude the contract and fulfil its contractual and pre-contractual obligations.
The processing of data for the purposes set out in points i) to k) is necessary to pursue a legitimate interest of the Data Controller, after verifying that the fundamental rights and freedoms of the Data Subject are not overridden by such interests.
The Controller's legitimate interests include, but are not limited to, responding to requests received from you or from third parties, as well as optimizing the experience of its customers and the effective and appropriate communication of information relating to the services and operational activities carried out by the Controller, and the provision of information, dissemination and update services.
The interested party will have the possibility to refuse the sending of these communications by simply sending a request by e-mail to the address: [email protected], or by clicking on the link inside each e-mail sent and following the relevant procedure.
For the purposes of the aforementioned processing operations, the Data Controller may become aware of special categories of personal data and in detail: racial or ethnic origins, as derived from images that may be present in identity documents which will be collected only where absolutely necessary for the performance of the contract or where mandatory on the basis of any legal provision. The processing of personal data for these special categories is carried out in compliance with Article 9 of the GDPR and with application of all appropriate technical and organizational security measures.
Method of processing. Your personal data may be processed in the following ways:
• entrusting third authorized parties with processing operations;
• processing by means of electronic computers;
• manual processing by means of paper archives.
All processing is carried out in compliance with the methods set out in Articles 6, 32 of the GDPR and through the adoption of appropriate security measures.
In cases where the Controller considers initiating a debt recovery procedure for which you are a debtor, it may need to process personal data relating to your heirs exclusively in order to identify the successor in title and/or the person liable for payment.
Your data will only be processed by personnel expressly authorized by the Controller and, in particular, by the following categories of employees:
• Members;
• Administration Office.
Communication: Your data may be communicated to external parties for the proper management of the relationship and in particular to the following categories of Recipients who will be appointed as Data Processors, if necessary:
• banks and credit institutions;
• legal communication relating to anti-money laundering regulations (Law no. 197 of 5 July 1991, as amended; Legislative Decree no. 56 of 20 February 2004; Law no. 29 of 25 January 2006; Ministerial Decree no. 141, 142 and 143 of 3 February 2006; UIC (Italian Foreign Exchange Office) Order of 24 February 2006);
• consultants and freelancers, also in associated form;
• within the scope of public and/or private entities for which the disclosure of data is mandatory or necessary in order to comply with legal obligations or is in any case functional to the administration of the relationship;
• insurance companies;
• constitutional bodies or bodies of constitutional importance;
• third parties (e.g., providers for the management and maintenance of the website, providers of consulting services, provision of shipping services, couriers and shippers, credit recovery and, in general, third parties with whom the Controller has entered into any contractual relationship for the purpose of achieving the above purposes) who perform outsourced activities on behalf of the Controller and who, where necessary, will be appointed as Data Processors;
Please note that specific and express consent will be requested from the Data Subject in the event of the need for data to be disclosed to third parties for purposes outside the above categories.
Dissemination: Your personal data will not be disseminated in any way.
The Data Controller declares that the management and storage of personal data takes place on servers located within the European Union owned and/or at the disposal of the Data Controller and/or third-party companies appointed and duly appointed as Data Processors. Should it become necessary, the transfer of data abroad to non-EU countries will, in any case, take place in accordance with the provisions contained in Chapter V, GDPR (Article 46), through the adoption of standard clauses drafted on the basis of versions no. 2004/915/EC and no. 2010/87/EU drawn up by the European Commission. The Data Controller is entitled to move the location of the servers to non-EU countries.
Retention Period. We would like to inform you that, in accordance with the principles of lawfulness, purpose limitation and data minimization, pursuant to Article 5 of the GDPR, the retention period for your personal data is:
• established for a period of time not exceeding the fulfilment of the purposes for which they are collected and processed and in compliance with the mandatory time limits prescribed by law, in particular, your Personal Data will be processed until the termination of the existing contractual relationship between you and the Data Controller, without prejudice to an additional storage period that may be imposed by law.
You have the right to obtain from the data controller the erasure (right to be forgotten), limitation, updating, rectification, portability, opposition to the processing of personal data concerning you, as well as in general you may exercise all the rights provided for in Articles 15, 16, 17, 18, 19, 20, 21, 22 of the GDPR.
In accordance with the provisions of Chapter III, Section I, GDPR, you have the right to exercise the rights contained therein and in particular:
(i) access to your personal data;
(ii) obtain the rectification or erasure of your persona data or the restriction of the processing concerning your data. In case of a request for deletion, the Data Subject also has the right to obtain that the Controller - taking into account available technology and implementation costs - takes reasonable measures, including technical measures, to inform the controller that is processing the personal data of the Data Subject's request to delete any link, copy or reproduction of his/her personal data;
(iii) object to the processing;
(iv) to request data portability;
(v) revoke consent, if any, at any time, without, however, affecting the lawfulness of the processing based on the consent given before revocation;
(vi) to lodge a complaint with the supervisory authority.
You may exercise these rights by simply sending an e-mail request to the address of the privacy contact person:
[email protected].
Stakeholders: suppliers.
SEFO srl, in its capacity of Data Controller of your personal data, pursuant to and for the purposes of EU Regulation 2016/679 hereinafter 'GDPR', hereby informs you that the aforementioned legislation provides for the protection of data subjects with respect to the processing of their personal data and that such processing will be based on the principles of fairness, lawfulness, transparency and protection of your confidentiality and your rights.
Your personal data will be processed in accordance with the legal provisions of the aforementioned legislation and the confidentiality obligations therein contained.
The Data Controller is:
SEFO S.r.l. (Fiscal Code no. 01475680516), Ponte alla Chiassa n. 141 52100 AREZZO -Tel. and fax 0575 - 342010 mail:
[email protected], in the person of its pro tempore legal representative.
Sefo S.r.l. has appointed a “Data Protection Officer” (“DPO”) in the person of Avv. Antonio Virgallita, who can be reached at the email:
[email protected].
You may freely contact the DPO for all matters relating to the Processing of your Personal Data and/or should you wish to exercise your rights, as set out and described below, by sending a written communication to the email
Pursuant to Article 4, no. 1, GDPR, the 'personal data' that will be processed by the Data Controller, within the purposes of the above-mentioned processing operations, include, by way of example, name and surname, tax code, photocopy and/or number of identity document, VAT number, residence, domicile, place of work, email address or PEC, telephone and fax number, and possibly banking, financial and insurance data, etc.
You shall refrain from sending personal data to the Data Controller that is not strictly necessary for the performance of contractual and/or commercial activities. Otherwise, personal data shall be transmitted to the Data Controller in anonymous or pseudonymized form, in accordance with the principle of minimization set out in Article 5(1) GDPR.
In the event that, in the performance of the contractual relationship, the supplier (a legal person, hereinafter, the "Supplier") communicates to the Controller (in a non-anonymous or non-pseudonymized manner) personal data in addition to those of the legal representatives and/or contact persons of the same, the Supplier declares and warrants that it legitimately processes all such personal data in compliance with the GDPR, and also declares that it has already provided the Data Subjects with adequate information, which expresses the possibility of providing personal data to third party companies and that it has obtained any necessary consents for this purpose. The Supplier also undertakes to indicate to its employees and/or collaborators that this Information Notice is accessible on the website
https://www.cncracing.com/it/ and on
https://sefo.it/, so that it can be provided by the Data Controller to the Data Subjects pursuant to Articles 13 and 14 of the GDPR.
Purposes and legal basis of the processing: in particular, your data will be processed without your consent (Article 6, letters b, c, f, GDPR) for the following purposes related to the fulfillment of legal or contractual obligations, or to the legitimate interest of the Data Controller:
-
negotiation and execution of goods and/or services supply contracts in favor of the Controller;
-
performance of contractual obligations;
-
legally required fulfilments in the field of taxation and accounting;
-
supplier management;
-
quality management;
-
obligations under applicable laws;
-
programming of activities;
-
supply order history;
-
exercise the Controller's rights, in particular, of defense in court.
The provision of data for the above-mentioned purposes is mandatory. Failure to provide the data and/or any express refusal to process the data will make it impossible for the Data Controller to perform its contractual obligations or may result in the breach of requests by the competent authorities.
Method of processing. Your personal data may be processed in the following ways:
-
entrusting third authorized parties with processing operations;
-
processing by means of electronic computers;
-
manual processing by means of paper archives.
All processing is carried out in compliance with the methods set out in Articles 6, 32 of the GDPR and through the adoption of appropriate security measures.
Your data will only be processed by personnel expressly authorized by the Controller and, in particular, by the following categories of employees:
Communication: Your data may be communicated to external parties for the proper management of the relationship and in particular to the following categories of Recipients, appointed as Data Processors, if applicable:
-
banks and credit institutions;
-
consultants and freelancers, also in associated form;
-
third parties (e.g. providers for the management and maintenance of the website and/or IT systems, suppliers, etc.) who perform outsourcing activities on behalf of the Data Controller, in their capacity as data processors;
-
within the scope of public and/or private entities for which the disclosure of data is mandatory or necessary in order to comply with legal obligations or is in any case functional to the administration of the relationship.
Dissemination: Your personal data will not be disseminated in any way.
The Data Controller declares that the management and storage of personal data takes place on servers located within the European Union owned by and/or at the disposal of the Data Controller and/or third party companies duly appointed as Data Processors. Should it become necessary, the transfer of data abroad to non-EU countries will, in any case, take place in compliance with the provisions contained in Chapter V, GDPR (Article 46), through the adoption of standard clauses drafted on the basis of versions no. 2004/915/EC and no. 2010/87/EU drawn up by the European Commission. The Data Controller is entitled to move the location of the servers to countries outside the EU.
Retention Period. We would like to inform you that, in accordance with the principles of lawfulness, purpose limitation and data minimization, pursuant to Article 5 of the GDPR, the retention period for your personal data is:
-
established for a period of time not exceeding the achievement of the purposes for which they are collected and processed for the performance and fulfilment of contractual purposes;
-
established for a period of time not exceeding the achievement of the purposes for which they are collected and processed and in compliance with the mandatory time barring limits prescribed by law.
-
In any case, the personal data collected for the above-mentioned purposes will be processed and stored for the entire duration of the contractual relationship established. From the date of termination of such relationship for whatever reason or cause, the data will be kept for the duration of the prescriptive terms applicable by law.
You have the right to obtain from the Controller the deletion (right to be forgotten), limitation, updating, rectification, portability, opposition to the processing of personal data concerning you, as well as in general you may exercise all the rights provided for in Articles 15, 16, 17, 18, 19, 20, 21, 22 of the GDPR.
In accordance with the provisions of Chapter III, Section I, GDPR, you have the right to exercise the rights contained therein and in particular:
(i) access to your personal data;
(ii) obtain the rectification or erasure of your persona data or the restriction of the processing concerning your data. In case of a request for deletion, the Data Subject also has the right to obtain that the Controller - taking into account available technology and implementation costs - takes reasonable measures, including technical measures, to inform the controller that is processing the personal data of the Data Subject's request to delete any link, copy or reproduction of his/her personal data;
(iii) object to the processing;
(iv) to request data portability;
(v) revoke consent, if any, at any time, without, however, affecting the lawfulness of the processing based on the consent given before revocation;
(vi) to lodge a complaint with the supervisory authority.
You may exercise these rights by simply sending an e-mail request to the address of the privacy contact person:
[email protected].