Liked Search

Privacy Policy

Privacy notice pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (GDPR)

Pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (the “GDPR”), we hereby inform you of the processing of your personal data collected in the context of contractual and pre-contractual relationships with Simonelli Group S.p.A., as well as in connection with any further interactions with the same company.

Data controller

The Data Controller is SIMONELLI GROUP S.P.A., with registered office in Belforte del Chienti (MC), Via E. Betti n. 1, Tax Code and VAT number 01951160439 (hereinafter, the “Controller”).

Processing no. 1. Contractual relationships with customers and suppliers

Where personal data are provided by the data subject for the purpose of entering into and performing contractual relationships with the Controller, as well as for the related preparatory and subsequent activities, the following processing operations shall be carried out.

Categories of personal data processed

The personal data processed by the Controller include the following:

  • identification data (first name, last name, date and place of birth, tax identification number or VAT number, etc.);
  • employment-related data (company or entity of affiliation, position, role, etc.);
  • contact details (addresses and contact information, email addresses, certified email (PEC), telephone and fax numbers);
  • accounting and payment data (banking details, IBAN, etc.);
  • tax, administrative and accounting documents (invoices, receipts, orders, etc.);
  • any other data provided in connection with the contractual relationship;
  • correspondence.

Purposes of the processing and legal basis

The Data shall be processed by the Controller for the following purposes:

  1. performance of the contract and the fulfilment of obligations and requests arising therefrom, including the pre-contractual phase, and in particular: sending communications of various kinds through different means of communication (landline telephone, mobile phone, SMS, messaging applications, email, postal mail); submitting or responding to requests; exchanging information aimed at the conclusion and performance of the contractual relationship, including activities necessary to comply with pre-contractual, contractual, tax and administrative obligations arising from the relationship with the Data Subject;
  2. compliance with all operations required by the application of the management systems adopted by the Company;
  3. compliance with obligations imposed by law, regulations, EU legislation or orders issued by competent Authorities, in relation to accounting, tax, administrative matters, personal data processing and similar requirements;
  4. the establishment, exercise and defence of the Controller’s rights in judicial and out-of-court proceedings.

No automated decision-making processes are envisaged.

The legal basis for the processing is as follows:

  • the performance of contractual and pre-contractual measures, for the purpose referred to under point a);
  • compliance with legal obligations related to the contractual relationship (Article 6(1)(c) GDPR), for the purpose referred to under point c).

The provision of data for the above purposes is entirely optional. Any refusal by the data subject to provide personal data, lack of consent or withdrawal thereof shall result in the impossibility for the Controller to publish or continue to publish the data of the data subject.

  • the legitimate interest of the Controller (Article 6(1)(f) GDPR) in the proper implementation and application of the Company’s management systems, for the purpose referred to under point b);
  • the legitimate interest of the Controller (Article 6(1)(f) GDPR) in the judicial and out-of-court protection of its rights, for the purpose referred to under point d).

The provision of the Data is mandatory for the achievement of the purposes set out above; therefore, failure to provide the data, whether in whole or in part, or the provision of inaccurate data, may result in the objective impossibility for the Controller to establish or properly manage the contractual relationship.

Data retention period

Personal data shall be retained for the period necessary for the performance of the contract and for a further ten (10) years thereafter, without prejudice to any longer retention periods required by applicable law. Personal data shall also be retained for any additional period that may be necessary for the establishment, exercise or defence of the Controller’s rights in out-of-court and judicial proceedings.

Upon expiry of the above retention periods, the Data shall be deleted or anonymised, insofar as this is compatible with the technical procedures for data erasure and backup.

Disclosure of personal data

Personal data may be disclosed to external parties which, where they process data on behalf of the Controller, shall be duly appointed as Data Processors pursuant to Article 28 of the GDPR, as well as to Public Authorities and Judicial Authorities, in compliance with legal, administrative or judicial obligation.

In particular, the data processed may be disclosed to the following categories of recipients:

  • suppliers;
  • insurance companies;
  • self-employed professionals;
  • banks and credit institutions;
  • entities entitled to access the Data pursuant to laws, regulations or EU provisions;
  • entities to whom the disclosure of the Data is necessary or otherwise functional to the management of the contractual relationship;
  • providers of corporate management software, hosting services and/or entities responsible for the implementation, management and maintenance of the Controller’s IT infrastructure.

Personal data may also be disclosed to any third parties, other than the Controller, who are recipients of the goods or services covered by the contract.

The processing of data takes place within the European Union and no transfer of personal data to third countries or international organisations is envisaged, except where required for technical reasons related to data hosting. In such cases, all necessary safeguards shall be adopted in order to ensure the highest level of protection of personal data, by relying on: a) adequacy decisions adopted by the European Commission with respect to the recipient third countries; b) appropriate safeguards provided by the recipient third party pursuant to Article 46 of the Regulation; ore c) the adoption of binding corporate rules.

Processing no. 2. Marketing

Where the data subject has given consent to receive direct marketing communications, including through newsletters and/or personalised communications, as well as in cases where the Controller sends so-called soft spam communications in accordance with applicable law, the following processing activities shall be carried out.

Categories of personal data processed

The personal data processed by the Controller include the following:

  • identification data (first name, last name, date and place of birth, tax identification number or VAT number, etc.);
  • contact details (addresses and contact information, email addresses, certified email (PEC), telephone and fax numbers);
  • data relating to purchases and interactions with the Controller’s products and/or services;
  • browsing data (cookies, website access logs and interactions with newsletters);
  • any additional data voluntarily provided by the data subject in connection with events, trade fairs or direct contacts.

Purposes of the processing and legal basis

The Data shall be processed by the Data Controller for the following purposes:

  1. sending newsletters containing commercial and informational communications, surveys, or requests for feedback and reviews, subject to the data subject’s prior consent;
  2. sending direct marketing communications, including personalised communications, through automated contact systems (such as email, SMS, messaging applications, etc.) and traditional means (such as postal mail or telephone calls with an operator), subject to the data subject’s prior consent;
  3. sending, to the email address provided, proposals relating to products and services similar to those previously purchased, pursuant to Article 130(4) of Legislative Decree No. 196/2003 (Italian Privacy Code), without prejudice to the data subject’s right to object at any time to such processing, pursuant to Article 21 of the GDPR, including by using the specific link provided at the bottom of each email communication (so-called “unsubscribe”);
  4. profiling activities, namely the analysis of preferences and purchasing and/or interaction habits, for the purpose of personalising commercial offers, subject to the data subject’s prior consent;
  5. initial re-contact of the data subject following events, trade fairs, direct contacts or the exchange of business cards, for the purpose of proposing registration in the customer database and/or participation in marketing activities, based on the legitimate interest of the Data Controller and on the pre-contractual measures requested by the data subject;
  6. the establishment, exercise and defence of the Data Controller’s rights in judicial and out-of-court proceedings.

The legal basis for the processing is as follows:

  • the data subject’s explicit consent (Article 6(1)(a) GDPR) for the purposes referred to under points a), b) and d). The data subject has the right to withdraw consent at any time, without affecting the lawfulness of the processing carried out prior to such withdrawal. For further information on the exercise of the right to withdraw consent, please refer to the section “Exercise of Data Subject Rights”;
  • the legitimate interest of the Data Controller (Article 6(1)(f) GDPR) for the purposes referred to under points c), e) and f);
  • the performance of pre-contractual measures requested by the data subject (Article 6(1)(b) GDPR) for the purpose referred to under point e).

Data retention period

Personal data shall be processed and retained as follows:

  • for direct marketing and profiling purposes, until the withdrawal of consent and, in any event, no longer than twenty-four (24) months from the date of collection or from the last relevant interaction;
  • for so-called soft spam purposes, for a period of up to twenty-four (24) months from the last purchase, unless the data subject objects to such processing;
  • for re-contact purposes, for a period of up to twelve (12) months from the date of data collection;
  • upon expiry of the applicable retention periods, the data shall be deleted or anonymised, insofar as this is compatible with the technical procedures for data erasure and backup.

Without prejudice to the above, the sending of communications relating to the purposes referred to under points a), b), c) and d) shall continue for the entire period during which the Data Controller maintains the relevant service active, until the data subject withdraws consent or exercises the right to object. The data subject shall be informed of the possibility to exercise such rights in each communication and, where such communications are sent less frequently, through a specific reminder message sent once a year.

Disclosure of personal data

Personal data may be disclosed to external parties which, where they process data on behalf of the Data Controller, shall be duly appointed as Data Processors pursuant to Article 28 of the GDPR, as well as to Public Authorities and Judicial Authorities, in the cases provided for by law.

In particular, the data may be disclosed to the following categories of recipients:

  • providers of newsletter services, CRM systems, marketing automation tools, hosting services and management of the Data Controller’s IT platforms;
  • legal, tax and business consultants and professionals;
  • third parties and commercial partners involved in the organisation of events or promotional initiatives;
  • banks and credit institutions, where strictly necessary;
  • other entities whose right of access to the data is recognised by applicable laws or regulations.

The processing of personal data takes place within the European Union. Where it is necessary to transfer personal data to third countries, such transfers shall be carried out in compliance with Articles 45 and 46 of the GDPR (adequacy decisions or standard contractual clauses).

Processing no. 3. Website

In relation to navigation on the Data Controller’s website and the use of the contact systems available therein, as well as to the possible provision of personal data by the data subject, the following processing activities are carried out.

Categories of personal data processed

The Data Controller’s website uses technical and analytical cookies. For further information, the extended cookie policy is available at the following link: https://www.iubenda.com/privacy-policy/38935316/cookie-policy.

In addition, the following personal data may be processed, where provided by the data subject: first name, last name, telephone number, company-related data, as well as any additional information voluntarily submitted by the data subject through the contact systems available on the website.

Purposes of the processing and legal basis

The above-mentioned personal data shall be processed for the following purposes:

a. Technical cookies:

  • ensuring the proper functioning of the website.

Such processing is mandatory and is based on the Data Controller’s legitimate interest in the proper and regular functioning of the website (Article 6(1)(f) GDPR).

Failure to provide the data may result in the data subject being unable to use the website, in whole or in part.

b. Analytical cookies:

  • carrying out aggregated and anonymised statistical analysis of the website’s visitors.

Such processing is based on the data subject’s consent (Article 6(1)(a) GDPR), provided at the time of the first access to the website or at a later stage.

The data subject has the right to withdraw consent at any time, without affecting the lawfulness of the processing carried out prior to such withdrawal. For further information on how to exercise the right to withdraw consent, please refer to the section “Exercise of Data Subject Rights”.

The provision of data is optional. Any failure to provide the data and/or withdrawal of consent by the data subject shall result in the impossibility to process the data for the above-mentioned purpose.

c. Communications:

  • submission of communications by the data subject to the Data Controller through the contact systems available on the website.

Where the messages sent by the user are of a contractual or pre-contractual nature, the processing shall be based on the contractual relationship between the Data Controller and the user, pursuant to Article 6(1)(b) GDPR. Messages that are not of a contractual nature shall be processed on the basis of the Data Controller’s legitimate interest in managing messages voluntarily submitted by third parties through its contact systems (Article 6(1)(f) GDPR).

The provision of data is optional; however, failure to provide the data shall result in the Data Controller being unable to process or respond to the request submitted by the user.

d. Judicial and out-of-court protection of the Data Controller’s rights

  • managing any disputes, whether judicial and/or out-of-court, between the Data Controller, the user and any third parties.

Such processing is based on the Data Controller’s legitimate interest in the protection of its rights (Article 6(1)(f) GDPR).

The provision of data for this purpose is optional; however, it may be necessary for the pursuit of other purposes. Failure to provide the data may result in the impossibility to pursue the other purposes for which the data are requested.

e. Compliance with legal obligations:

  • complying with obligations imposed by law, regulations, EU legislation or orders issued by Administrative or Judicial Authorities (e.g. administrative, accounting, civil, tax, anti-money laundering obligations, etc.).

Such processing is based on compliance with legal obligations (Article 6(1)(c) GDPR).

The provision of data for this purpose is mandatory. Failure to provide the data may result in the impossibility to pursue the other purposes for which the data are requested.

No automated decision-making processes are envisaged.

With regard to the processing of personal data related to the sending of newsletters, please refer to the specific section set out above.

Data retention period

Personal data shall be retained for the following periods.

  • Cookies: as specified in the cookie policy;
  • Contacts: for the time strictly necessary to manage the message and to prepare any response. In the case of communications of a contractual or pre-contractual nature, personal data shall be retained for ten (10) years from the date of the communication or from the full performance of the contract;
  • Other processing activities: for ten (10) years from the date on which the data are provided or from the full performance of the contract to which they relate, without prejudice to longer retention periods required by applicable law or necessary for the establishment, exercise or defence of the Data Controller’s rights in the event of disputes.

Disclosure of personal data

In particular, the personal data processed through our website may be disclosed to the following categories of recipients:

  • technical experts and software houses assisting the Data Controller in the development, maintenance and management of the website;
  • companies providing hosting services and other IT tools and third-party services used for the operation of the website;
  • entities assisting the Data Controller in the performance of contractual obligations:
  • professionals providing accounting, legal and tax consultancy services;
  • entities assisting or cooperating with the Data Controller in the performance of its business activities.

Where, for logistical and operational reasons related to hosting services, personal data are required to be transferred to countries outside the European Union, such transfers shall take place only where the recipient country is subject to an adequacy decision adopted by the European Commission or where appropriate safeguards are provided in accordance with Article 46 of the GDPR.

No dissemination of the personal data processed is envisaged.

Processing no. 4. Events

During events organised by the Data Controller, video recordings, photographs and audiovisual recordings may be taken, which may depict members of the public.

Categories of personal data processed

Photographic and audiovisual content relating to the data subject.

Purposes of the processing and legal basis

The personal data collected by the Data Controller for the documentation of each event may be published and/or otherwise disseminated, including for informational and/or promotional purposes, on the website, on social media channels and on any other communication media of the Data Controller or of third parties, in order to promote the event and any subsequent editions thereof.

The data thus collected shall be used and retained exclusively for the above purposes and in any event in compliance with the principle of data minimisation, without prejudice to each data subject’s right to object.

The processing of such data is based on the legitimate interest in documenting the event and in using such documentation for informational and promotional purposes, as well as for the establishment, exercise and defence of the Data Controller’s rights in judicial and out-of-court proceedings.

Data retention period

Personal data shall be retained for a period of ten (10) years following the relevant event, without prejudice to the effects of any dissemination already carried out. Personal data shall also be retained for any longer period that may be necessary for the establishment, exercise or defence of the Data Controller’s rights in out-of-court and judicial proceedings.

Disclosure of personal data

Personal data may be disclosed to external parties which, where they process the data on behalf of the Data Controller, shall be duly appointed as Data Processors pursuant to Article 28 of the GDPR, as well as to Public Authorities and Judicial Authorities, in compliance with legal, administrative or judicial obligations.

In particular, the data processed may be disclosed to the following categories of recipients:

  • technical experts and software houses responsible for the implementation and maintenance of the Data Controller’s IT infrastructure;
  • third parties and sponsors involved in the planning, organisation and promotion of the event, including subsequent editions thereof;
  • legal, commercial and tax professionals.

Within the limits of the processing purposes set out above, and without prejudice to the data subject’s right to object, any data collected during the event (including video recordings, photographs and audiovisual recordings) may be published and/or otherwise disseminated on the Association’s website, on its social media channels and on any other communication media, including, where applicable, to countries outside the European Union for which an adequacy decision has been adopted by the European Commission or where appropriate safeguards are provided pursuant to Article 46 of the GDPR.

Without prejudice to the above cases of dissemination, the processing of personal data takes place within the European Union and no transfer of such data to third countries or international organisations is envisaged, except for technical requirements related to data hosting. In such cases, all necessary safeguards shall in any event be adopted in order to ensure the highest level of protection of personal data, by relying on: a) adequacy decisions adopted by the European Commission with respect to the recipient third countries; b) appropriate safeguards provided by the recipient third party pursuant to Article 46 of the Regulation; or c) the adoption of binding corporate rules.

Processing no. 5. Recruiting

Within the scope of recruiting activities, namely the processes of search, selection and assessment of personnel aimed at the recruitment of new resources, the Data Controller collects and processes the personal data freely provided by the data subject through the submission of a curriculum vitae or through other application methods. In this context, the following processing activities are carried out.

Categories of personal data processed

The personal data processed by the Data Controller include the following:

  1. personal identification data (first name, last name, date and place of birth, tax identification number or VAT number, residential address, etc.);
  2. contact details (addresses and contact information, email addresses, certified email (PEC), telephone and fax numbers);
  3. data relating to education and professional background (education and training, diplomas, degrees, training courses, previous work experience, etc.);
  4. health-related data (where applicable);
  5. trade union membership or membership in trade union associations or organisations;
  6. political, religious and philosophical beliefs (where applicable);
  7. membership of protected categories;
  8. any additional data provided by the data subject in the curriculum vitae.

Personal data are freely provided by the data subject.

Purposes of the processing and legal basis

The provision of the above-mentioned data constitutes a free choice of the data subject. Personal data shall be processed for the following purpose:

  • management of applications for employment positions.

Such processing is based on the data subject’s consent (Articles 6(1)(a) and 9(2)(a) GDPR), given at the time the data are provided.

The data subject has the right to withdraw consent at any time, without affecting the lawfulness of the processing carried out prior to such withdrawal. For information on how to exercise the right to withdraw consent, please refer to the section “Data Subject Rights”.

Failure to provide the data or the withdrawal of consent by the data subject shall result in the impossibility to process the data for the above-mentioned purpose.

Data retention period

Personal data shall be retained for the period necessary to carry out the personnel selection process; otherwise, they shall be retained for a period of up to two (2) years from the submission of a spontaneous application.

Disclosure of personal data

Personal data may be disclosed to external parties which, where they process such data on behalf of the Data Controller, shall be duly appointed as Data Processors pursuant to Article 28 of the GDPR, as well as to Public Authorities and Judicial Authorities, in compliance with legal or judicial obligations.

In particular, the data may be processed by the following categories of recipients:

  • IT technical experts and software houses assisting the Data Controller in the development, maintenance and management of its IT infrastructure and internal management systems;
  • labour law and recruiting consultants.

The processing of personal data takes place within the European Union and no transfer of such data to third countries or international organisations is envisaged, except for technical requirements related to data hosting. In such cases, all necessary safeguards shall in any event be adopted in order to ensure the highest level of protection of personal data, by relying on: a) adequacy decisions adopted by the European Commission with respect to the recipient third countries; b) appropriate safeguards provided by the recipient third party pursuant to Article 46 of the Regulation; or c) the adoption of binding corporate rules.

No dissemination of personal data is envisaged.

Security measures

Personal data shall be processed both in paper-based and electronic form. To this end, all appropriate technical and organisational measures shall be adopted in order to ensure the confidentiality, integrity and availability of the information, in compliance with applicable laws and regulations.

Data subject rights

Pursuant to Articles 13 to 21 of the GDPR, and subject to the conditions set forth therein, the data subject may at any time exercise the following rights regarding the Data Controller:

  • the right to withdraw consent to the processing of personal data (see the section “Purposes of the Processing and Legal Basis”);
  • the right of access (the data subject has the right to obtain confirmation as to whether or not personal data concerning them are being processed, as well as information on the data processed and to receive a copy thereof);
  • the right to rectification (the data subject may request the updating or correction of their personal data);
  • the right to erasure of personal data (the so-called “right to be forgotten”) (the data subject may request the erasure of their personal data, in the cases and under the conditions set out in Article 17 of the GDPR);
  • the right to data portability (in the cases and under the conditions set out in Article 20 of the GDPR, the data subject has the right to receive their personal data in a structured, commonly used and machine-readable format and, where technically feasible, to obtain the transmission of such data to another controller without hindrance);
  • the right to restriction of processing (the data subject may request the restriction of the processing of their personal data in the cases provided for in Article 18 of the GDPR. In such cases, the data may be processed by the Data Controller, in addition to being stored, only with the data subject’s consent or for the establishment, exercise or defence of legal claims or for reasons of public interest);
  • the right to object (where personal data are processed on the basis of public interest or the legitimate interest of the Data Controller, the data subject has the right to object to the processing on grounds relating to their particular situation);
  • the right to lodge a complaint with the competent Supervisory Authority (in Italy, the Garante per la Protezione dei Dati Personali – www.garanteprivacy.it).

Exercise of data subjects rights

In order to exercise the above-mentioned rights, the data subject shall submit a written request to the following contact details:

PEC: [email protected]
Email: [email protected]