PRIVACY POLICY PURSUANT TO ART. 13 OF THE EU REGULATION 2016/679 (“GDPR”) regarding the processing of personal data through the website www.epipoli.com

Welcome to www.epipoli.com (hereinafter also referred to as “The Website”). For EPIPOLI S.p.A. (“EPIPOLI”), Your privacy and the security of Your personal data are very important; we therefore collect and manage Your personal data with the utmost attention and adopt specific security measures to keep them safe. Below You will find information about the processing of Your personal data by EPIPOLI in relation to Your navigation on the Website and to the use of the services offered. To receive detailed information about how EPIPOLI manages Your personal data, we invite You to read this Privacy Policy. We also invite You to read the “Cookie Policy” of www.epipoli.com. For the recipients of this privacy policy, for everything that is not expressly reported here, You can fully refer to the other specific privacy policies already provided by the Data Controller.

Data controller and the Data Protection Officer

The Data Controller is Epipoli S.p.A., with its registered offices in Viale Edoardo Jenner, 53, 20159 Milano (MI), F.C. and VAT number 13169720151, which can be contacted at the e-mail address:
gdpr@epipoli.com
Data Protection Officer:
The Data Protection Officer can be contacted at the e-mail address: dpo@epipoli.com

Lawfulness and purposes of the processing activities

Your personal data will be processed for the purposes in the paragraphs below.
1. Purposes based upon the fulfilment of a contract or to fulfill pre-contractual measures (Art. 6, paragraph 1 (b) of the GDPR)
a. Management of information requests and quotations, also for any orders, by our Customer Service, which uses the collected personal data to fulfill the information and assistance requests (whenever the person seeking information or quotations is not a customer or a user of our products and services, the lawful basis for processing will not be the fulfillment of a contract but consent as per Art. 6 paragraph 1 (a) of the GDPR).

The retention period for personal data, in relation to the above listed purpose is:
For purpose a.: until the request has been fulfilled, including the fulfillment of any obligations and activities related to the request itself, save where the responses and the information exchanged are necessary to prove the fulfillment of any contractual obligation or for obligations deriving from any legal relationship, or save where the information given by the data subject is necessary to start a legal relationship at the latter’s request, including the fulfillment of any purchase order (in such case the retention period will be the one listed in the appropriate and specific policies provided by the Controller during the establishment of such legal relationships).

2. Purposes based upon the data subject’s consent (Art. 6, paragraph 1 (a) of the GDPR)
Personal data can be processed also for specific purposes for which the data subject has given her/his consent, which are:
a. Subscription to the Data Controller's newsletter, containing previews of news and promotions, which also includes the sending of additional, connected and similar informational material of a commercial and promotional nature, sent through automated means (e.g.: calls without a human operator, e-mail, SMS, and various chat systems, including instant messaging systems, internet-based ones and those directed to mobile phones) and non-automated means (by mail and by call with a human operator).
The retention period for personal data, in relation to the above listed purpose is:
For purpose a.: for the duration of the subscription to the newsletter service, save for cancellation or revocation of the data subject’s consent.

Categories of processed personal data.

Data processed by the Data Controller are exclusively “personal data” (as defined in art. 4.1 of the GDPR).
In particular, the categories of personal data which could be processed, as a mere non exhaustive example, are:

  • Personal details, identification data, contact data, (as a mere and non-exhaustive example: name, surname, e-mail address, IP address, telephone number, social security code, VAT number);
  • Data relating to any purchases made or purchase order, including data relating to payment and other common personal data.

Recipients or categories of recipients of personal data (ex-art. 13 paragraph 1 (e) of the GDPR)

In connection with the above listed purposes, the Data Controller can communicate Your personal data to:

  • Internal offices and personnel of the Data Controller itself;
  • Internet providers and companies specialized in IT and online services;
  • Any courier and companies which provide logistic services;
  • Any Public Authority competent for compliance with legal obligations and/or regulation made by Public Entities, including the Law Enforcement, Judicial Authorities and Public Administrations in general.

Recipients or categories of recipients of personal data (ex-art. 13 paragraph 1 (f) of the GDPR) and transfer outside the EU

The Data Controller does not intend to transfer Your personal data to States which are not members of the EU or the EEA for the above listed purposes, save for some transfers due to IT service providers and/or Website-related service providers located in the USA, limited to the purposes of managing requests, drafting quotations and acquiring orders, and of collecting Your personal data for promotional purposes; after the collection of Your personal data, the management of the above-mentioned requests and the above-mentioned promotional activities will be carried out in EU territory. The United States has been considered by the EU and Italian Authorities (competent in the subject of personal data protection) as a Country which does not guarantee an adequate level of personal data protection. Thus, whenever Your personal data are transferred outside the EU, the Data Controller will adopt safeguards to guarantee that the transferred personal data are limited to those collected through the form on the Website, as mentioned before, and that the transfer takes place only when one of the legitimate conditions established by the GDPR, presented below, is met. In particular, as stated before, Your data may be communicated to the USA but, in accordance with article 49 of the EU Regulation 2016/679, only with Your prior, free and specific consent, which will always be revocable, to the above-mentioned transfer to the companies and subjects located in the USA.
With regard to personal data transferred in this manner to territories outside the EU, You can obtain information and/or exercise the right to revoke the above-mentioned consent, asking to cease any transfer and for the subsequent cancellation of the personal data stored and processed in the USA or, as an alternative and if technically feasible, the transfer of such personal data to servers located in EU territory, by sending a communication to the Data Controller at the following e-mail address: gdpr@epipoli.com
The lack of consent to transfer personal data to the USA will result in the impossibility of satisfying the request for information and of collecting Your personal data for promotional and commercial purposes. Also, the later revocation of consent to the transfer could, in some cases, result in the impossibility of satisfying Your request for information, or of satisfying it completely.

Data Subject’s Rights

The data subject, in relation to the personal data mentioned in this privacy policy, has the possibility of exercising the rights recognized by the EU Regulation, as fully listed in the subsequent paragraph 12, as follows:

  • Right of access by the data subject [art. 15 of EU Regulation] (possibility to be informed on the treatments carried out on his personal data and, if necessary, receive a copy of them);
  • Right to rectification [art. 16 of EU Regulation] (data subject has the right to rectify incorrect data concerning him);
  • Right to erasure without unjustified delay (“right to be forgotten”) [art. 17 of EU Regulation] (data subject has the right to delete his personal data);
  • Right to restriction of processing, as provided by article 18 of EU Regulation, among the other cases, in case of illicit processing or contestation of the accuracy of personal data by the data subject [art. 18 of EU Regulation];
  • Right to data portability [art. 20 of EU Regulation] (data subject has the right to receive the personal data concerning him/her, which he/she has provided to a controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, as provided by the same article);
  • Right to object to processing [art. 21 of EU Regulation] (the data subject has the right to object to the processing of personal data as provided by article 21 of EU Regulation);
  • Right to not be subject to automated individual decision-making [art. 22 of EU Regulation] (the data subject shall have the right not to be subject to a decision based solely on automated processing).

Regarding those purposes for which consent is required, You can revoke Your consent at any moment and its effects will be applicable from the moment of the revocation, save for retention periods established by law. In general terms, the revocation of consent affects only the future. The lack or partial lack of consent (or its revocation) may not guarantee the complete performance of the requested services or activities, in regard to the single purposes for which consent is denied or revoked, and it will not affect or impede other purposes (and their connected activities) not directly involved by the denial or revocation of consent or not based upon such legal basis.

The above-mentioned right to revoke consent can be exercised as established by the EU Regulation by sending an e-mail to gdpr@epipoli.com. In regard to the above listed purpose in section 2.2 lett. a), which is the purpose of performing marketing and commercial activities, You will be able, at any moment, to interrupt these communications simply by clicking on the specific link “unsubscribe”, which will be present at the footer of every communication (You can also send an e-mail to gdpr@epipoli.com).

Please note that You could receive additional communications from us even after having communicated Your cancellation request, as some of the communications could have already been planned and our systems take time to process Your request, as explained in the following paragraphs. The definitive cancellation or the irreversible anonymization process will take place within thirty days from the above listed terms (that is, from the moment the cancellation request or revocation of consent is sent). Please note that, in regard to information requests not connected to the performance of a contract, and thus based upon consent, while consent is free and optional, it is necessary in order to fulfil the requests. Thus, sending a request or an equivalent manifestation of willingness will be deemed as giving consent, which will always be revocable with the above-mentioned consequences.
When personal data is not needed anymore, it will be cancelled, and whenever its cancellation is impossible or only possible with a disproportionate effort due to a specific method of retention, personal data will not be processed anymore, and it will be archived in non-accessible areas.

Right to lodge a complaint (art. 13 paragraph 2 (d) of the GDPR)

If the data subject considers that his/her right has been compromised, he/she has the right to lodge a complaint with the supervisory authority (or Data Protection Supervisor), according to the methods indicated by the same authority. If you are Italian, you can refer to the following link: http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4535524 or lodge a complaint by mail with the Italian Authority for the Protection of Personal Data.

Potential consequences of failure to provide personal data and nature of the data provision (art. 13 paragraph 2 (e) of the GDPR)

We inform You that whenever the processing’s purposes are based upon a legal or a contractual obligation (including a precontractual one) You must provide the requested data.

Otherwise, it will be impossible for the Data Controller to proceed with the performance of these specific purposes.

Please note, in relation to the above-mentioned purposes which are based upon consent, that You are able to revoke Your consent at any moment and its effect will start from the moment of the revocation, save for the terms established by law. In general terms, the revocation of consent will affect only the future. Thus, the processing activities performed before the revocation of consent will not be affected and will maintain their legitimacy.

The complete or partial lack of consent may prevent the complete performance of the services, in relation to the individual purposes for which it is denied. In particular, please be aware that, in regard to the subscription to the newsletter service, while also in this case consent is free and optional, it is necessary in order to subscribe and to receive the newsletter.

Thus, the denial of consent for such purposes will result in the impossibility for the Data Controller to perform these purposes and the connected activities. Also, in relation to the above-mentioned purpose, the subscription to the newsletter (or an equivalent manifestation of willingness) will be deemed as giving consent, limited to such purpose, which will always be revocable with the above-mentioned consequences.

Presence of an automated decision-making process (including profiled activities)

The use of purely automated decision-making processes as detailed by Article 22 of the GDPR is currently excluded.

Methods of data processing

Personal data will be processed both in electronic and in telematic format and, when purchasing our services, also in analog format, with methods and instruments which guarantee the maximum security and confidentiality and which will be accessible only to the Data Controller’s authorized personnel.

Processing of navigation data

The computer systems and software procedures used to operate this website acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This is information that is not collected to be associated with identified data subjects, but which by its very nature could, through processing and association with data held by third parties, allow users to be identified. The information that can be collected includes IP addresses, the type of browser or the operating system used, the addresses in URI (uniform resource identifier) notation, the domain name and the addresses of the websites from which access or exit was made (referring / exit pages), the time at which the request was made to the server, the method used and information on the response obtained, further information on the user's navigation on the site (see also the section on cookies) and other parameters relating to the operating system and the user's computer environment. These same data could also be used to identify and ascertain responsibilities in case of any computer crimes against the website.

Exercising the Data Subject’s Rights

The data subject, in relation to personal data included in this privacy policy, has the right to exercise the rights recognized by the EU Regulation as listed below:

  • Right of access by the data subject [art. 15 of the EU Regulation]: The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the information listed by the cited article, which are, as a non-exhaustive example, the processing’s purposes, the categories of processed personal data, the categories of recipients, the data retention period, the existence of the right to erasure, correction or limitation, the right to lodge a complaint, all the information available on the data’s origins, the eventual existence of an automated decision making procedure as explicated in art. 22 of the Regulation, and also copy of one’s own personal data;
  • Right to rectification [art. 16 of the EU Regulation]: The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her;
  • Right to erasure (“right to be forgotten”) [art. 17 of the EU Regulation]: The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the grounds for the cancellation established by the article applies, which can be, as a non-exhaustive example: when personal data is no longer necessary for performing the purposes, the revocation of the consent on which processing is based, opposition to the processing whenever the legitimate interest does not prevail, illicit processing of personal data, cancellation of data for legal obligations, personal data of minors processed in the absence of the conditions listed in art. 8 of the Regulation;
  • Right to restriction of processing [art. 18 of the EU Regulation]: in the cases provided by art. 18, including illicit processing, the contestation of the data’s accuracy, the data subject’s opposition to processing and the end of the need to process by the Controller, the data subject’s data must be processed only to retain them, save for the data subject’s consent and in other cases explicitly listed in the cited article;
  • Right to data portability [art. 20 of the EU Regulation]: When the processing of personal data is based upon consent or the performance of a contract and is performed by automated means, the data subject has the right to receive his/her data in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided;
  • Right to object [art. 21 of the EU Regulation]: the data subject has the right to object to the processing of her/his personal data whenever processing activities are based upon the Data Controller’s legitimate interest when it’s not prevailing or when it is made for direct marketing purposes;
  • Right to not be subjected to automated decision-making process [art. 22 of the EU Regulation]: The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her (e.g., made exclusively through electronic instruments or IT programs).

Updates on this privacy policy

The constant evolution of our services could imply changes to the characteristics of the processing of your personal data as described in this privacy policy. Thus, this privacy policy may be subjected to changes and additions through time, which can also be necessary due to new regulation, including the ones on the subject of personal data protection.

We invite You to check this content periodically; whenever possible, we will inform You without unjustified delay of the changes made and their consequences. The updated version of this privacy policy will, in any case, be posted on this webpage.

Regulation references and useful links

The processing of Your personal data will be performed by EPIPOLI in compliance with the regulation established by the EU Regulation 2016/679, the General Data Protection Regulation on data protection, by the National laws applicable on the subject of personal data protection and by the ordinances made by the Italian National Data Protection Authority (www.garanteprivacy.it).

The original text of the EU Regulation 2016/679 can be accessed on the Garante per la Protezione dei Dati Personali’s website at the following link: https://www.garanteprivacy.it/il-testo-del-regolamento