Stakeholders: Customers
SEFO srl, in its capacity as Data Controller of your personal data, pursuant to and for the purposes of EU Regulation no. 2016/679 hereinafter referred to as 'GDPR', hereby informs you that the aforementioned legislation provides for the protection of data subjects with regard to the processing of their personal data and that such processing will be based on the principles of correctness, lawfulness, transparency and protection of your confidentiality and your rights.
The Data Controller is SEFO S.r.l., in the person of its legal representative pro tempore (Fiscal Code no. 01475680516) with registered office in Arezzo 52100 (Italy) Loc. Ponte alla Chiassa n. 141 - Tel. +39 0575 342010 mail: [email protected].
Your personal data will be processed in accordance with the legal provisions of the aforementioned legislation and the confidentiality obligations therein contained.
Sefo S.r.l. has appointed a “Data Protection Officer” (“DPO”) in the person of Lawyer Antonio Virgallita, who can be reached at the email: [email protected].
You may freely contact the DPO for all matters relating to the Processing of your Personal Data and/or should you wish to exercise your rights, as set out and described below, by sending a written communication to the email
In accordance with Art. 4, no. 1, GDPR for 'personal data' and within the scope of the purposes of the above-mentioned processing operations, only personal data relating to, by way of example, name and surname, tax code, date of birth, VAT number, residence, domicile, shipping address, passport number and/or other identity document, user name, payment and invoicing method, email or PEC address, telephone and fax number, SDI unique code, possible pick-up point for the goods purchased, etc. will be processed. Personal Data may be associated with online identifiers produced by the electronic devices, applications, tools and protocols used, such as IP addresses, temporary markers (technical cookies or automatic logs) or other identifiers.
In accordance with the principle of minimization set out in Article 5(1) GDPR, you therefore undertake to refrain from sending personal data to the Data Controller, unless such data is strictly necessary for the performance of contractual and/or commercial activities. In the latter case, personal data must be transmitted to the Data Controller in anonymous form or through the use of pseudonyms, as expressly provided for by the GDPR.
If, for the purposes of the performance of the contractual relationship with a customer (legal person, hereinafter, the 'Customer'), it becomes indispensable to process personal data other than that of the customer's legal representatives and/or contact persons, and the same cannot be acquired in anonymous or pseudonymized form, the Customer declares and guarantees that he/she will lawfully process, in compliance with the GDPR, all personal data that he/she will communicate to the Controller, during the course of the contract, and, in particular, declares that he/she has provided the Data Subjects with adequate information expressly mentioning the possibility of providing personal data to third party companies and that he/she has obtained any consents necessary for this purpose.
The Customer also undertakes to indicate to its employees and/or collaborators that this Information Notice is also available on the website https://www.cncracing.com/it/privacy/, so that it can be provided by the Data Controller to the Interested Parties pursuant to Articles 13 and 14 of the GDPR.
Purpose and legal basis of processing: Your personal data are processed without your consent (Art. 6 lett. b, c, f, GDPR), for the following purposes related to the implementation of fulfilments related to legislative or contractual obligations:
a. legally required fulfilments in the field of taxation and accounting;
b. fulfilment of pre-contractual and contractual obligations arising from a possible contractual relationship (supply of goods or services) even through e-commerce;
c. consulting activities aimed at the identification of goods and/or services in which the client is interested;
d. litigation management and possible credit recovery activities;
e. customer management, including after-sales services;
f. services to protect consumers and users, including possibly and upon specific agreement insurance services;
g. internal quality control services;
h. customer invoicing history;
i. information and promotional activities relating to commercial and/or professional services provided by the Controller, events and services, distribution of material of an informative nature, sending out of newsletters and publications of a commercial nature directly related to the Controller's activities; as well as sector studies on an anonymous basis, aimed at the provision of information and disclosure services by the Controller;
j. customer satisfaction survey;
k. storage of information relating to these activities.
The provision of data for the purposes set out in points a) to h) is mandatory. Any refusal to provide such data would make it impossible for the Controller to conclude the contract and fulfil its contractual and pre-contractual obligations.
The processing of data for the purposes set out in points i) to k) is necessary to pursue a legitimate interest of the Data Controller, after verifying that the fundamental rights and freedoms of the Data Subject are not overridden by such interests.
The Controller's legitimate interests include, but are not limited to, responding to requests received from you or from third parties, as well as optimizing the experience of its customers and the effective and appropriate communication of information relating to the services and operational activities carried out by the Controller, and the provision of information, dissemination and update services.
The interested party will have the possibility to refuse the sending of these communications by simply sending a request by e-mail to the address: [email protected], or by clicking on the link inside each e-mail sent and following the relevant procedure.
For the purposes of the aforementioned processing operations, the Data Controller may become aware of special categories of personal data and in detail: racial or ethnic origins, as derived from images that may be present in identity documents which will be collected only where absolutely necessary for the performance of the contract or where mandatory on the basis of any legal provision. The processing of personal data for these special categories is carried out in compliance with Article 9 of the GDPR and with application of all appropriate technical and organizational security measures.
Method of processing. Your personal data may be processed in the following ways:
• entrusting third authorized parties with processing operations;
• processing by means of electronic computers;
• manual processing by means of paper archives.
All processing is carried out in compliance with the methods set out in Articles 6, 32 of the GDPR and through the adoption of appropriate security measures.
In cases where the Controller considers initiating a debt recovery procedure for which you are a debtor, it may need to process personal data relating to your heirs exclusively in order to identify the successor in title and/or the person liable for payment.
Your data will only be processed by personnel expressly authorized by the Controller and, in particular, by the following categories of employees:
• Members;
• Administration Office.
Communication: Your data may be communicated to external parties for the proper management of the relationship and in particular to the following categories of Recipients who will be appointed as Data Processors, if necessary:
• banks and credit institutions;
• legal communication relating to anti-money laundering regulations (Law no. 197 of 5 July 1991, as amended; Legislative Decree no. 56 of 20 February 2004; Law no. 29 of 25 January 2006; Ministerial Decree no. 141, 142 and 143 of 3 February 2006; UIC (Italian Foreign Exchange Office) Order of 24 February 2006);
• consultants and freelancers, also in associated form;
• within the scope of public and/or private entities for which the disclosure of data is mandatory or necessary in order to comply with legal obligations or is in any case functional to the administration of the relationship;
• insurance companies;
• constitutional bodies or bodies of constitutional importance;
• third parties (e.g., providers for the management and maintenance of the website, providers of consulting services, provision of shipping services, couriers and shippers, credit recovery and, in general, third parties with whom the Controller has entered into any contractual relationship for the purpose of achieving the above purposes) who perform outsourced activities on behalf of the Controller and who, where necessary, will be appointed as Data Processors.
Please note that specific and express consent will be requested from the Data Subject in the event of the need for data to be disclosed to third parties for purposes outside the above categories.
Dissemination: Your personal data will not be disseminated in any way.
The Data Controller declares that the management and storage of personal data takes place on servers located within the European Union owned and/or at the disposal of the Data Controller and/or third-party companies duly appointed as Data Processors. Should it become necessary, the transfer of data abroad to non-EU countries will, in any case, take place in accordance with the provisions contained in Chapter V, GDPR (Article 46), through the adoption of standard clauses drafted on the basis of versions no. 2004/915/EC and no. 2010/87/EU drawn up by the European Commission. The Data Controller is entitled to move the location of the servers to non-EU countries.
Retention Period. We would like to inform you that, in accordance with the principles of lawfulness, purpose limitation and data minimization, pursuant to Article 5 of the GDPR, the retention period for your personal data is:
• established for a period of time not exceeding the fulfilment of the purposes for which they are collected and processed and in compliance with the mandatory time limits prescribed by law; in particular, your Personal Data will be processed until the termination of the existing contractual relationship between you and the Data Controller, without prejudice to an additional storage period that may be imposed by law.
You have the right to obtain from the data controller the erasure (right to be forgotten), limitation, updating, rectification, portability, opposition to the processing of personal data concerning you, as well as in general you may exercise all the rights provided for in Articles 15, 16, 17, 18, 19, 20, 21, 22 of the GDPR.
In accordance with the provisions of Chapter III, Section I, GDPR, you have the right to exercise the rights contained therein and in particular:
(i) access to your personal data;
(ii) obtain the rectification or erasure of your personal data or the restriction of the processing concerning your data. In case of a request for deletion, the Data Subject also has the right to obtain that the Controller - taking into account available technology and implementation costs - takes reasonable measures, including technical measures, to inform the controller that is processing the personal data of the Data Subject's request to delete any link, copy or reproduction of his/her personal data;
(iii) object to the processing;
(iv) to request data portability;
(v) revoke consent, if any, at any time, without, however, affecting the lawfulness of the processing based on the consent given before revocation;
(vi) to lodge a complaint with the supervisory authority.
You may exercise these rights by simply sending an e-mail request to the address of the privacy contact person: [email protected].