Customer Privacy Notice

PRIVACY NOTICE PURSUANT TO ART. 13 OF REGULATION (EU) 2016/679 (GDPR) FOR CUSTOMERS

Dear Data Subject (Customer),
with this document, Industree Hub s.r.l. provides you with information on the characteristics and methods of processing your personal data.
This is done in accordance with the provisions of the GDPR and the Italian Privacy Code currently in force.

Any processing of your personal data will be carried out in compliance with the principles of lawfulness, fairness, and transparency.

 

1. IDENTITY AND CONTACT DETAILS OF THE DATA CONTROLLER

The Data Controller, hereinafter also referred to as the “Data Controller”, is Industree Hub s.r.l., represented by its legal representative pro tempore.
VAT No. 02909990356.
Registered office: Via Benedetto Croce no. 15, 42123 Reggio Emilia, Italy.

The Data Controller may be contacted at the registered office indicated above or via the following channels:
Phone: +39 0522 325270
Email: privacy@industree.it
Certified email (PEC): industreehub@pec.industree.it

 

2. DATA PROTECTION OFFICER (DPO)

The Data Controller has appointed Piramis S.r.l. as Data Protection Officer.
Contact details:
Email: dpo@easygdpr.it
Phone: +39 030 9658901

 

3. TYPES OF PERSONAL DATA PROCESSED. PURPOSES AND LEGAL BASIS OF PROCESSING

The Data Controller collects and processes personal data that can directly or indirectly identify you.
This includes, by way of example, personal identification data, contact details, and financial and banking data.

Such data are collected and processed for the following purposes:

  • the establishment and performance of a contract to which the data subject is a party, or the implementation of pre-contractual measures taken at the request of the data subject (“contractual purposes”);

  • compliance with obligations arising from laws, regulations, or provisions issued by competent authorities or supervisory bodies (“legal purposes”).

The legal bases for the processing are as follows:

  • for pre-contractual and contractual purposes, the necessity to properly manage and perform the pre-contractual and contractual relationship (Art. 6, para. 1, letter b, GDPR). For this reason, your explicit consent is not required;

  • for legal purposes, the necessity to comply with obligations imposed by national and EU legislation (Art. 6, para. 1, letter c, GDPR). In this case as well, your explicit consent is not required.

 

4. METHODS OF DATA PROCESSING

Personal data will be processed using both manual and electronic tools.
These include, by way of example, corporate IT devices, internet and intranet networks, management software, corporate email systems, and access control systems.

Processing will be carried out using methods and tools suitable to ensure the highest level of security.
It will comply with the principles of fairness, lawfulness, transparency, and necessity, while safeguarding data confidentiality.

Personal data will not be subject to any automated decision-making process.

 

5. DATA RETENTION PERIOD

The data retention period starts from the moment the data are provided, which coincides with the start of the service.
Personal data will be retained for the time strictly necessary to achieve the purposes for which they were collected, or for the periods required by applicable national and EU laws and regulations.

In particular:

  • for both personal identification data and payment data, in compliance with current legislation and considering statutory limitation periods, the applicable retention period is ten years. This period starts from the end of the service.

This is without prejudice to cases in which contractual rights must be enforced in court.
In such cases, only the personal data strictly necessary for these purposes will be processed for the time required to pursue them.

Purpose of processing: Management of the contractual relationship

Categories of data processed: Personal identification data, contact details, contract-related data, and data relating to the requested service

Retention period: For the entire duration of the contractual relationship and until its full performance

Legal basis: Performance of a contract to which the data subject is a party or pre-contractual measures (Art. 6, para. 1, letter b, GDPR)

Purpose of processing: Compliance with legal obligations (administrative, accounting, and tax-related)

Categories of data processed: Personal identification data, contact details, invoicing data, payment data, and any other data contained in accounting records

Retention period: 10 years from the date of the last accounting entry. Compliance with a legal obligation (Art. 6, para. 1, letter c, GDPR).
This retention period is required by Art. 2220 of the Italian Civil Code on the retention of accounting records.

Purpose of processing: Protection of rights in judicial proceedings

Categories of data processed: Data strictly necessary to establish, exercise, or defend a legal claim

Retention period: 10 years from the termination of the contractual relationship, corresponding to the ordinary limitation period pursuant to Art. 2946 of the Italian Civil Code.
In the event of litigation, the data will be retained for the entire duration of the proceedings and until the expiry of all appeal deadlines.

Legal basis: Legitimate interest of the Data Controller (Art. 6, para. 1, letter f, GDPR) and the need to defend legal claims, which constitutes an exception to the right to erasure (Art. 17, para. 3, letter e, GDPR).

 

6. SUBJECTS INVOLVED IN DATA PROCESSING. RECIPIENTS OF PERSONAL DATA

Authorized personnel of the Data Controller process personal data in accordance with their respective duties.
Data Processors formally appointed in writing perform processing activities within the scope of their assigned responsibilities.

Processing is carried out in accordance with the instructions provided by the Data Controller.
Appropriate security measures are adopted to protect the data and ensure confidentiality.

The full list of Data Processors is available upon request.
Personal data may also be disclosed to third parties where this is necessary to achieve the purposes described above.

 

7. TRANSFER OF DATA TO NON-EU COUNTRIES

The collected data will not be transferred by the Data Controller to countries outside the European Economic Area (EEA) or to international organizations.

However, some personal data may be shared with recipients located outside the EEA.
If such a transfer becomes necessary, the Data Controller ensures that it will take place in compliance with applicable regulations.
Appropriate safeguards will be applied, such as adequacy decisions, standard contractual clauses approved by the European Commission, or other lawful transfer mechanisms.

 

8. NATURE OF DATA PROVISION

The provision of personal data is necessary in order to comply with legal and contractual obligations.
Any refusal to provide such data, in whole or in part, may result in the impossibility for the Data Controller to perform the contract or comply with its legal obligations.

 

9. RIGHTS OF THE DATA SUBJECT

Under Articles 15 to 22 of the GDPR, the data subject is granted specific rights.
These include the right to obtain confirmation as to whether personal data concerning them are being processed, access to such data in an intelligible form, and the right to rectification, erasure, or restriction of processing.

The data subject also has the right to object to processing for legitimate reasons, to withdraw consent at any time where applicable, and to request data portability for data processed on the basis of consent.
The right to request data updates is also included.

The data subject has the right to know the origin of the data, the purposes and methods of processing, the logic applied to processing, and the identification details of the Data Controller and any recipients of the data.

The data subject may also request anonymization, restriction, or blocking of data processed in violation of the law.
In addition, a complaint may be lodged with the Italian Data Protection Authority in relation to unlawful data processing, following the procedures published on the Authority’s website (http://www.garanteprivacy.it/).

Requests to exercise these rights may be addressed to the Data Controller using the contact details provided above, without formalities.
Alternatively, the standard form made available by the Italian Data Protection Authority may be used and downloaded from the following website:
http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1089924.

The Italian Data Protection Authority is based in Rome, Piazza Monte Citorio no. 121.
Fax: +39 06 69677 3785
Telephone: +39 06 696771
Email: garante@gpdp.it
Certified email (PEC): protocollo@pec.gpdp.it

 

10. RIGHT TO LODGE A COMPLAINT

If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with the Italian Data Protection Authority.
This may be done by email at garante@gpdp.it or by post to the Italian Data Protection Authority, Piazza Venezia 11, Staircase B, 00187 Rome, Italy, as provided for in Art. 77 of the Regulation.

You also have the right to seek judicial remedies in accordance with Art. 79 of the Regulation.

 

11. CHANGES TO THIS PRIVACY NOTICE

This privacy notice may be subject to changes over time.
Such changes may result from the entry into force of new regulations, updates and or introduction of new services, or technological developments.

Place and date of last update.

Reggio Emilia
01/01/2025