PRIVACY POLICY

Information Notice on the processing of personal data ex art. 13-14 EU Reg. 2016/679

Stakeholders: Customers

SEFO srl, in its capacity as Data Controller of your personal data, pursuant to and for the purposes of EU Regulation no. 2016/679 hereinafter referred to as 'GDPR', hereby informs you that the aforementioned legislation provides for the protection of data subjects with regard to the processing of their personal data and that such processing will be based on the principles of correctness, lawfulness, transparency and protection of your confidentiality and your rights.
The Data Controller is
SEFO S.r.l., in the person of its legal representative pro tempore (Fiscal Code no. 01475680516) with registered office in Arezzo 52100 (Italy) Loc. Ponte alla Chiassa n. 141 - Tel. +39 0575 342010 mail: info@sefo.it.
 
Your personal data will be processed in accordance with the legal provisions of the aforementioned legislation and the confidentiality obligations therein contained.
Purpose and legal basis of processing: Your personal data are processed without your consent (Art. 6 lett. b, c, f, GDPR), for the following purposes related to the implementation of fulfilments related to legislative or contractual obligations:
a.         legally required fulfilments in the field of taxation and accounting;
b.         fulfilment of pre-contractual and contractual obligations arising from a possible contractual relationship (supply of goods or services);
c.         consulting activities;
d.         litigation management and possible credit recovery activities;
e.         customer management, including after-sales services;
f.          services to protect consumers and users, including insurance services;
g.         internal control services;
h.         brokering services;
i.          customer invoicing history;
j.          information and promotional activities relating to commercial and/or professional services, events and services, distribution of material of an informative nature, sending out of newsletters and publications of commercial nature directly related to the Controller's activities; as well as sector studies on an anonymous basis, aimed at the provision of information and disclosure services by the Controller
k.         customer satisfaction survey;
l.          storage of information relating to these activities.
The provision of data for the purposes set out in points a) to i) is mandatory. Any refusal to provide such data would make it impossible for the Controller to conclude the contract and fulfil its contractual obligations.
The processing of data for the purposes set out in points (j) to (l) is necessary to pursue a legitimate interest of the Data Controller, after verifying that the fundamental rights and freedoms of the Data Subject are not overridden by such interests.
The Controller's legitimate interests include, but are not limited to, responding to requests received from you or from third parties, as well as optimizing the experience of its customers and the effective and appropriate communication of information relating to the services and operational activities carried out by the Controller, and the provision of information, dissemination and update services.
The interested party will have the possibility to refuse the sending of these communications by simply sending a request by e-mail to the address: info@sefo.it, or by clicking on the link inside each e-mail sent and following the relevant procedure.
For the purposes of the aforementioned processing operations, the Data Controller may become aware of special categories of personal data and in detail: racial or ethnic origins, as derived from images that may be present in identity documents. The processing of personal data for these special categories is carried out in compliance with Article 9 of the GDPR.
Method of processing. Your personal data may be processed in the following ways:
•           entrusting third parties with processing operations;
•           processing by means of electronic computers;
•           manual processing by means of paper archives.
All processing is carried out in compliance with the methods set out in Articles 6, 32 of the GDPR and through the adoption of appropriate security measures.
In accordance with Art. 4, no. 1, GDPR for 'personal data' and within the scope of the purposes of the above-mentioned processing operations, only personal data relating to, by way of example, name and surname, tax code, date of birth, VAT number, residence, domicile, shipping address, passport number and/or other identity document, user name, payment and invoicing method, email or PEC address, telephone and fax number, SDI unique code, possible pick-up point for the goods purchased, etc. will be processed. Personal Data may be associated with online identifiers produced by the electronic devices, applications, tools and protocols used, such as IP addresses, temporary markers (technical cookies or automatic logs) or other identifiers.
In accordance with the principle of minimization set out in Article 5(1) GDPR, you therefore undertake to refrain from sending personal data to the Data Controller, unless such data is strictly necessary for the performance of contractual and/or commercial activities.  In the latter case, personal data must be transmitted to the Data Controller in anonymous form or through the use of pseudonyms, as expressly provided for by the GDPR.
If, for the purposes of the performance of the contractual relationship with a customer (legal person, hereinafter, the 'Customer'), it becomes indispensable to process personal data other than that of the customer's legal representatives and/or contact persons, and the same cannot be acquired in anonymous or pseudonymized form, the Customer declares and guarantees that he/she will lawfully process, in compliance with the GDPR, all personal data that he/she will communicate to the Controller, during the course of the contract, and, in particular, declares that he/she has provided the Data Subjects with adequate information expressly mentioning the possibility of providing personal data to third party companies and that he/she has obtained any consents necessary for this purpose. The Customer also undertakes to indicate to its employees and/or collaborators that this Information Notice is also available on the website https://www.cncracing.com/it/privacy/, so that it can be provided by the Data Controller to the Interested Parties pursuant to Articles 13 and 14 of the GDPR.
In cases where the Controller considers initiating a debt recovery procedure for which you are a debtor, it may need to process personal data relating to your heirs exclusively in order to identify the successor in title and/or the person liable for payment.
Your data will only be processed by personnel expressly authorized by the Controller and, in particular, by the following categories of employees:
•           Members;
•           Administration Office.
Communication: Your data may be communicated to external parties for the proper management of the relationship and in particular to the following categories of Recipients including all duly appointed Data Processors:
•           banks and credit institutions;
•           legal communication relating to anti-money laundering regulations (Law no. 197 of 5 July 1991, as amended; Legislative Decree no. 56 of 20 February 2004; Law no. 29 of 25 January 2006; Ministerial Decree no. 141, 142 and 143 of 3 February 2006; UIC (Italian Foreign Exchange Office) Order of 24 February 2006);
•           consultants and freelancers, also in associated form;
•           within the scope of public and/or private entities for which the disclosure of data is mandatory or necessary in order to comply with legal obligations or is in any case functional to the administration of the relationship;
•           insurance companies;
•           constitutional bodies or bodies of constitutional importance;
•           third parties (e.g. providers for the management and maintenance of the website, suppliers of consultancy services, credit recovery and, in general, third parties with whom the Data Controller has entered into a possible contractual relationship for the purpose of carrying out the activities referred to in paragraph 3 above) who carry out activities in outsourcing on behalf of the Data Controller, in their capacity as data processors;
Please note that specific and express consent will be requested from the Data Subject in the event of the need for data to be disclosed to third parties for purposes outside the above categories.
Dissemination: Your personal data will not be disseminated in any way.
The Data Controller declares that the management and storage of personal data takes place on servers located within the European Union owned and/or at the disposal of the Data Controller and/or third-party companies appointed and duly appointed as Data Processors. Should it become necessary, the transfer of data abroad to non-EU countries will, in any case, take place in accordance with the provisions contained in Chapter V, GDPR (Article 46), through the adoption of standard clauses drafted on the basis of versions no. 2004/915/EC and no. 2010/87/EU drawn up by the European Commission.  The Data Controller is entitled to move the location of the servers to non-EU countries.
Retention Period. We would like to inform you that, in accordance with the principles of lawfulness, purpose limitation and data minimization, pursuant to Article 5 of the GDPR, the retention period for your personal data is:
•     established for a period of time not exceeding the fulfilment of the purposes for which they are collected and processed and in compliance with the mandatory time limits prescribed by law, in particular, your Personal Data will be processed until the termination of the existing contractual relationship between you and the Data Controller, without prejudice to an additional storage period that may be imposed by law.
 
You have the right to obtain from the data controller the erasure (right to be forgotten), limitation, updating, rectification, portability, opposition to the processing of personal data concerning you, as well as in general you may exercise all the rights provided for in Articles 15, 16, 17, 18, 19, 20, 21, 22 of the GDPR.
 
EU Reg. 2016/679: Arts. 15, 16, 17, 18, 19, 20, 21, 22 - Rights of the Data Subject
1. The data subject shall have the right to obtain confirmation as to whether or not personal data concerning him/her exist, even if they have not yet been recorded, their communication in intelligible form and the possibility to lodge a complaint with the Supervisory Authority.
2. The person concerned has the right to be informed:
a.         the origin of personal data;
b.         the purposes and modalities of the processing;
c.         the logic applied in the event of processing carried out with the aid of electronic instruments;
d.         the identification details of the holder, the persons responsible and the representative designated pursuant to Article 5(2);
e.         of the entities or categories of entity to whom or which the personal data may be communicated or who or which may become aware of them in their capacity as designated representative(s) in the territory of the State, data processor(s) or person(s) in charge of processing.
3. The data subject is entitled to obtain:
a.         updating, rectification or, when interested, integration of the data;
b.         the cancellation, transformation into anonymous form or blocking of data processed in breach of the law, including data whose storage is not necessary in relation to the purposes for which the data were collected or subsequently processed;
c.         certification to the effect that the operations as per letters a) and b) have been notified, as also related to their contents, to the entities to whom or which the data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected;
d.         data portability.
4. The data subject has the right to object, in whole or in part:
a.         for legitimate reasons to the processing of personal data concerning him/her, even if pertinent to the purpose of collection;
b.   the processing of personal data concerning him/her for the purpose of sending advertising or direct sales material or for carrying out market research or commercial communication.
 



Stakeholders: suppliers.

SEFO srl, in its capacity of Data Controller of your personal data, pursuant to and for the purposes of EU Regulation 2016/679 hereinafter 'GDPR', hereby informs you that the aforementioned legislation provides for the protection of data subjects with respect to the processing of their personal data and that such processing will be based on the principles of fairness, lawfulness, transparency and protection of your confidentiality and your rights.
Your personal data will be processed in accordance with the legal provisions of the aforementioned legislation and the confidentiality obligations therein contained.
The Data Controller is:
SEFO S.r.l. (Fiscal Code no. 01475680516), Ponte alla Chiassa n. 141 52100 AREZZO -Tel. and fax 0575 - 342010 mail: info@sefo.it, in the person of its pro tempore legal representative.
Purposes and legal basis of the processing: in particular, your data will be processed without your consent (Article 6, letters b, c, f, GDPR) for the following purposes related to the fulfillment of legal or contractual obligations, or to the legitimate interest of the Data Controller:
•           legally required fulfilments in the field of taxation and accounting;
•           supplier management;
•           quality management;
•           obligations under applicable laws;
•           programming of activities;
•           supply order history;
•           exercise the Controller's rights, in particular, of defense in court.
The provision of data for the above-mentioned purposes is mandatory. Failure to provide the data and/or any express refusal to process the data will make it impossible for the Data Controller to perform its contractual obligations or may result in the breach of requests by the competent authorities.
Method of processing. Your personal data may be processed in the following ways:
•           entrusting third parties with processing operations;
•           processing by means of electronic computers;
•           manual processing by means of paper archives.
All processing is carried out in compliance with the methods set out in Articles 6, 32 of the GDPR and through the adoption of appropriate security measures.
Pursuant to Article 4, no. 1, GDPR, the 'personal data' that will be processed by the Data Controller, within the purposes of the above-mentioned processing operations, include, by way of example, name and surname, tax code, photocopy and/or number of identity document, VAT number, residence, domicile, place of work, email address or PEC, telephone and fax number, and possibly banking, financial and insurance data, etc.
You shall refrain from sending personal data to the Data Controller that is not strictly necessary for the performance of contractual and/or commercial activities.  Otherwise, personal data shall be transmitted to the Data Controller in anonymous or pseudonymized form, in accordance with the principle of minimization set out in Article 5(1) GDPR.
In the event that, in the performance of the contractual relationship, the supplier (a legal person, hereinafter, the "Supplier") communicates to the Controller (in a non-anonymous or non-pseudonymized manner) personal data in addition to those of the legal representatives and/or contact persons of the same, the Supplier declares and warrants that it legitimately processes all such personal data in compliance with the GDPR, and also declares that it has already provided the Data Subjects with adequate information, which expresses the possibility of providing personal data to third party companies and that it has obtained any necessary consents for this purpose. The Supplier also undertakes to indicate to its employees and/or collaborators that this Information Notice is accessible on the website https://www.cncracing.com/it/ and on https://sefo.it/, so that it can be provided by the Data Controller to the Data Subjects pursuant to Articles 13 and 14 of the GDPR.
Your data will only be processed by personnel expressly authorized by the Controller and, in particular, by the following categories of employees:
•           administration office.
Communication: Your data may be communicated to external parties for the proper management of the relationship and in particular to the following categories of Recipients, appointed as Data Processors, if applicable:
•           banks and credit institutions;
•           consultants and freelancers, also in associated form;
•           third parties (e.g. providers for the management and maintenance of the website and/or IT systems, suppliers, etc.) who perform outsourcing activities on behalf of the Data Controller, in their capacity as data processors;
•           within the scope of public and/or private entities for which the disclosure of data is mandatory or necessary in order to comply with legal obligations or is in any case functional to the administration of the relationship.
Dissemination: Your personal data will not be disseminated in any way.
The Data Controller declares that the management and storage of personal data takes place on servers located within the European Union owned by and/or at the disposal of the Data Controller and/or third party companies duly appointed as Data Processors. Should it become necessary, the transfer of data abroad to non-EU countries will, in any case, take place in compliance with the provisions contained in Chapter V, GDPR (Article 46), through the adoption of standard clauses drafted on the basis of versions no. 2004/915/EC and no. 2010/87/EU drawn up by the European Commission. The Data Controller is entitled to move the location of the servers to countries outside the EU.
Retention Period. We would like to inform you that, in accordance with the principles of lawfulness, purpose limitation and data minimization, pursuant to Article 5 of the GDPR, the retention period for your personal data is:
•           established for a period of time not exceeding the achievement of the purposes for which they are collected and processed for the performance and fulfilment of contractual purposes;
•           established for a period of time not exceeding the achievement of the purposes for which they are collected and processed and in compliance with the mandatory time barring limits prescribed by law.
•           In any case, the personal data collected for the above-mentioned purposes will be processed and stored for the entire duration of the contractual relationship established. From the date of termination of such relationship for whatever reason or cause, the data will be kept for the duration of the prescriptive terms applicable by law.
 
You have the right to obtain from the Controller the deletion (right to be forgotten), limitation, updating, rectification, portability, opposition to the processing of personal data concerning you, as well as in general you may exercise all the rights provided for in Articles 15, 16, 17, 18, 19, 20, 21, 22 of the GDPR.
EU Reg. 2016/679: Arts. 15, 16, 17, 18, 19, 20, 21, 22 - Rights of the Data Subject
1. The data subject shall have the right to obtain confirmation as to whether or not personal data concerning him/her exist, even if they have not yet been recorded, their communication in intelligible form and the possibility to lodge a complaint with the Supervisory Authority.
2. The person concerned has the right to be informed:
a.         the origin of personal data;
b.         the purposes and methods of processing;
c.         the logic applied in the event of processing carried out with the aid of electronic instruments;
d.         the identification details of the holder, the persons responsible and the representative designated pursuant to Article 5(2);
e.         of the entities or categories of entity to whom or which the personal data may be communicated or who or which may become aware of them in their capacity as designated representative(s) in the territory of the State, data processor(s) or person(s) in charge of processing.
3. The data subject has the right to obtain:
a.         updating, rectification or, when interested, integration of the data;
b.         the cancellation, transformation into anonymous form or blocking of data processed in breach of the law, including data whose storage is not necessary in relation to the purposes for which the data were collected or subsequently processed;
c.         certification to the effect that the operations as per letters a) and b) have been notified, as also related to their contents, to the entities to whom or which the data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected;
d.         data portability.
4. The data subject has the right to object, in whole or in part:
a.         for legitimate reasons to the processing of personal data concerning him/her, even if pertinent to the purpose of collection;
b.         the processing of personal data concerning him/her for the purposes of sending advertising or direct sales material or for carrying out market research or commercial communications