Customer Privacy Notice

NOTICE PURSUANT TO ART. 13 OF EUROPEAN REGULATION 2016/679 (GDPR) FOR CUSTOMERS

Dear Data Subject (customer),
with this document, Industree Hub s.r.l. provides you with information regarding the characteristics and methods of processing your personal data, pursuant to and for the purposes of the legislative provisions of the GDPR as well as the privacy code currently still in force.

Any processing of your personal data will be carried out in accordance with the principles of lawfulness, fairness, and transparency.

 

1. IDENTITY AND CONTACT DETAILS OF THE DATA CONTROLLER.

The Data Controller, hereinafter also referred to as the “Data Controller” or simply the “Controller”, is Industree Hub s.r.l., represented by its legal representative pro tempore, VAT no. 02909990356, with registered office at Via Benedetto Croce no.15, 42123 Reggio Emilia, contactable, in addition to the aforementioned registered office, at the following contacts: tel. +39 0522325270, email: info@industree.it and certified email (PEC): industreehub@pec.industree.it.

 

2. DATA PROTECTION OFFICER (DPO)

The Data Controller has appointed Piramis S.r.l. as Data Protection Officer, whose contact details are: e-mail: dpo@easygdpr.it, tel: +39 0309658901.

 

3. TYPES OF PERSONAL DATA PROCESSED. PURPOSES AND LEGAL BASIS OF PROCESSING. 

The Data Controller collects and processes personal data capable of identifying you directly or indirectly, such as, by way of example, identification data, contact data, economic and banking data. The Controller collects and processes such data for the following purposes:

  • establishment and performance of a contract to which the data subject is a party or implementation of pre-contractual measures adopted at the request of the same (“contractual purposes”);

  • fulfilment of obligations arising from laws, regulations, provisions issued by authorities entitled to do so or by supervisory and control bodies (“legal purposes”);

  • sending promotional communications relating to services or products similar to those already purchased by the data subject, through the email address provided in the context of a previous sale of services (“marketing purposes for similar services” or “soft spam”);

  • establishment, exercise and defence of a right of the Controller in judicial, arbitration or extrajudicial proceedings (“rights protection purposes”).

The legal bases that make the data processing lawful are:

  • for pre-contractual and contractual purposes, the necessity to ensure the proper management and execution of the pre-contractual and contractual relationship (Art. 6(1)(b) GDPR); therefore, your explicit consent is not required;
  • for legal purposes, the necessity to ensure compliance with obligations established by national and supranational legislation (Art. 6(1)(c) GDPR); therefore, your explicit consent is not required;
  • for marketing purposes regarding similar services (soft spam), the legitimate interest of the Controller (Art. 6(1)(f) GDPR) in promoting its services to existing customers, in accordance with Art. 130(4) of Legislative Decree 196/2003. Such processing is permitted without your prior consent, without prejudice to your right to object at any time, easily and free of charge;
  • for rights protection purposes, the legitimate interest of the Controller (Art. 6(1)(f) GDPR) in asserting, exercising or defending its rights in judicial, arbitration or extrajudicial proceedings. This legal basis also constitutes an exception to the right to erasure pursuant to Art. 17(3)(e) GDPR; therefore, your explicit consent is not required.

 

4. METHODS OF DATA PROCESSING.

The Data will be processed both through manual and IT tools (such as, by way of example, company IT devices, internet and intranet networks, management software, company email, access control systems, etc.) with methods and tools suitable to ensure maximum security.

The processing will be carried out in accordance with the principles of fairness, lawfulness, transparency, necessity, and in such a way as to protect the confidentiality of the Data. The Data will not be subject to any automated decision-making process.

 

5. RETENTION PERIOD.

The retention period for personal data begins from the moment the data is provided, simultaneously with the start of the service; personal data will be retained for the time necessary to fulfil the purposes for which they were requested or for the periods established by national and EU laws, rules and regulations with which the Company must comply.

In particular, we remind you that:

for both personal data and payment data, in compliance with the regulations currently in force and in relation to the limitation period established by law for rights arising from the service, the retention period currently applicable and, in this specific case, applied, is ten years (starting from the end of the service).

Without prejudice to cases in which rights arising from the contract must be asserted in court, in which case the personal data of the Data Subject, exclusively those necessary for such purposes, will be processed for the time strictly necessary to pursue them.

Purpose of Processing: Management of the contractual relationship

Categories of Processed Data: Identification data, contact data, data relating to the contract and the requested service.

Retention period: For the entire duration of the contractual relationship and until its complete execution.

Legal basis: Performance of a contract to which the data subject is a party or pre-contractual measures (Art. 6(1)(b) GDPR).

Purpose of processing: Compliance with legal obligations (administrative, accounting, tax)

Categories of processed data: Identification data, contact data, invoicing data, payment data and any other data contained in accounting records.

Retention period: 10 years from the date of the last accounting record. This retention period is imposed by Art. 2220 of the Italian Civil Code concerning the retention of accounting records.

Legal basis: Compliance with a legal obligation (Art. 6(1)(c) GDPR).

Purpose of processing: Protection of rights in judicial proceedings

Categories of processed data: Data strictly necessary to establish, exercise or defend a right in court.

Retention period: 10 years from the termination of the contractual relationship (corresponding to the ordinary limitation period under Art. 2946 Italian Civil Code). In the event of litigation, the data will be retained for the entire duration thereof, until the expiry of the deadlines for possible appeals.

Legal basis: Legitimate interest of the Controller (Art. 6(1)(f) GDPR) and necessity of legal defence, which constitutes an exception to the right to erasure (Art. 17(3)(e) GDPR).

Purpose of processing: Marketing purposes for similar services (soft spam)

Categories of processed data: Contact data (in particular, the email address).

Retention period: Until your objection (opt-out) and in any case no longer than 24 months from the last purchased service or significant interaction with the Controller.

Legal basis: Legitimate interest of the Controller (Art. 6(1)(f) GDPR) in conjunction with Art. 130(4) Legislative Decree 196/2003.

 

6. PARTIES PROCESSING THE DATA. RECIPIENTS OF PERSONAL DATA.

The authorized personnel of the Controller are entrusted with carrying out the processing according to their respective duties. The Data Processors, appointed in writing pursuant to Art. 28 GDPR, perform the same function within the scope of their respective responsibilities, in compliance with the instructions provided by the Controller and by adopting appropriate security measures for the protection and confidentiality of the processed data. The complete list of Data Processors is available upon request.

Your personal data may also be disclosed, for the purposes described above and within the limits strictly necessary to pursue them, to the following categories of recipients:

  • legal, tax and accounting consultants, for the management of tax and accounting obligations and for the protection of the Controller’s rights in any disputes;
  • banks and financial intermediaries, for the management of collections, payments and banking obligations;
  • IT and technological service providers (e.g. hosting providers, management software, event and webinar management platforms, email systems), acting as Data Processors appointed pursuant to Art. 28 GDPR;
  • Public Authorities, supervisory and control bodies (e.g. Italian Revenue Agency, INPS, INAIL, judicial authorities), only in cases where disclosure is required by law or by order of the authority;
  • professional firms and consulting companies acting as Data Processors or independent Controllers, limited to the data necessary for carrying out the assigned task.

The data will not be transferred to third parties for their own purposes, unless otherwise specified within any consents provided by the data subject. Disclosures to recipients located in third countries outside the European Economic Area are handled in accordance with the section “TRANSFER OF DATA TO NON-EU COUNTRIES”.

 

7. TRANSFER OF DATA TO NON-EU COUNTRIES.

The collected data will not be transferred by the Controller to countries outside the European Economic Area (EEA) or to an international organization.

Some personal data, however, may be shared with recipients who may be located outside the European Economic Area. Should this circumstance occur and should it become necessary to transfer the provided data to servers located in non-EU countries, the Controller ensures that the transfer and processing will take place in compliance with applicable regulations, applying appropriate safeguards such as adequacy decisions, standard contractual clauses approved by the European Commission or other legal instruments.

 

8. NATURE OF DATA PROVISION.

The provision of personal data is necessary in order to comply with legal and contractual obligations and, therefore, any refusal to provide them, in whole or in part, may make it impossible for the Controller to execute your contract and fulfil the legal obligations incumbent upon the Controller.

 

9. DATA SUBJECT RIGHTS (ARTS. 15-22 GDPR)

As a Data Subject, you have the right to exercise at any time the rights provided for by the applicable legislation on personal data protection. Below is a list of your rights and how to exercise them.

1. Right of Access (Art. 15 GDPR)

You have the right to obtain from the Controller confirmation as to whether or not personal data concerning you are being processed and, where that is the case, access to the personal data and the following information:

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipients to whom the data have been or will be disclosed;
  • the retention period of the data or the criteria used to determine it;
  • the origin of the data, where not collected directly from you.

Upon request, the Controller will provide you with a copy of the personal data being processed.

2. Right to Rectification (Art. 16 GDPR)

You have the right to obtain from the Controller the rectification of inaccurate personal data concerning you without undue delay. Taking into account the purposes of the processing, you also have the right to have incomplete personal data completed, including by providing a supplementary statement.

3. Right to Erasure ("Right to be Forgotten") (Art. 17 GDPR)

You have the right to obtain the erasure of your personal data without undue delay if one of the following grounds applies:

  • the data are no longer necessary in relation to the purposes for which they were collected;
  • you withdraw the consent on which the processing is based (where applicable) and there is no other legal ground;
  • you object to the processing and there are no overriding legitimate grounds for proceeding;
  • the data have been unlawfully processed.

This right does not apply where the processing is necessary, among other things, for compliance with a legal obligation or for the establishment, exercise or defence of legal claims.

4. Right to Restriction of Processing (Art. 18 GDPR)

You have the right to obtain restriction of processing where one of the following applies:

  • you contest the accuracy of the personal data, for the period necessary for the Controller to verify such accuracy;
  • the processing is unlawful and you oppose the erasure of the data, requesting instead the restriction of their use;
  • the data are necessary for you to establish, exercise or defend a legal claim, although the Controller no longer needs them for processing purposes;
  • you have objected to the processing, pending verification as to whether the Controller’s legitimate grounds override yours.

5. Right to Data Portability (Art. 20 GDPR)

For processing based solely on consent or on a contract and carried out by automated means, you have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance.

6. Right to Object (Art. 21 GDPR)

You have the right to object at any time to the processing of your personal data.

Objection to Direct Marketing (including "Soft Spam")
Where your personal data are processed for direct marketing purposes, such as communications relating to services similar to those already purchased (so-called “soft spam” pursuant to Art. 130(4) of Legislative Decree 196/2003), you have the right to object at any time, free of charge and without providing any justification, to such processing.

This right is expressly brought to your attention at the time of data collection and on the occasion of each communication. It may be exercised easily:

  • by clicking the appropriate unsubscribe link contained at the bottom of each promotional email communication received;
  • by contacting the Controller or the Data Protection Officer directly using the contact details indicated below.

If you object to processing for direct marketing purposes, your personal data will no longer be processed for such purposes.

Objection to Other Processing Activities
For processing based on the legitimate interest of the Controller (other than direct marketing), you have the right to object at any time, on grounds relating to your particular situation. The Controller shall refrain from further processing the data unless it demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.

7. Right to Withdraw Consent (Art. 7 GDPR)

For processing activities whose legal basis is your consent, you have the right to withdraw such consent at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.


 

10. HOW TO EXERCISE YOUR RIGHTS

Requests relating to the exercise of the aforementioned rights may be addressed, without formalities, to the Data Controller or the Data Protection Officer at the following contacts:

Data Controller: Industree Hub s.r.l., Via Benedetto Croce no.15, 42123 Reggio Emilia; e-mail: privacy@industree.it; PEC: industreehub@pec.industree.it.

Data Protection Officer (DPO): e-mail: dpo@easygdpr.it; tel: +39 0309658901.

The Controller will respond to your request without undue delay and, in any case, no later than one month from receipt thereof, as provided for by Art. 12 GDPR.

 

11. RIGHT TO LODGE A COMPLAINT AND SEEK JUDICIAL REMEDY

If you believe that the processing of your personal data is carried out in violation of the Regulation, you have the right to lodge a complaint with the competent supervisory authority, which in Italy is the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali), as provided for by Art. 77 of the Regulation.

The Authority’s contact details are:

You also have the right to seek judicial remedy before the competent courts (Art. 79 of the Regulation).

 

12. CHANGES TO THIS PRIVACY NOTICE

This privacy notice may be amended over time due to the possible entry into force of new regulations, updates and/or provision of new services, or technological innovations.

Place and date of the latest update.