INFORMATION FOR THE PROCESSING OF PERSONAL DATA OF Le Sette Sorelle S.R.L.S.
Le Sette Sorelle S.R.L. (also Le Sette Sorelle) with registered office in Via On. F. Napolitano 35, Nola (Na) – 80035, VAT no.: 10414311216 (hereinafter, "Owner"), as data controller, informs you, pursuant to art. 13 of Legislative Decree 30.6.2003 n. 196 (hereinafter, "Privacy Code") and art. 13 of EU Regulation no. 2016/679 (hereinafter, "GDPR"), that your data will be processed in the following ways and for the following purposes:
PERSONAL INFORMATION WE COLLECT.
In every contact or interaction with the guest and in all other aspects of our work, we may collect personal information. This personal information may include: your contact information; payment information, such as your payment card number and other card information, as well as authentication information and other billing and account details related to electronic invoicing; preferences regarding marketing and communication. We would like to underline that the data requested represents the minimum information necessary to be able to provide. We need this information to be able to manage customer orders.
OBJECT OF THE TREATMENT
The Data Controller processes personal, identifying data (for example, name, surname, company name, address, telephone, e-mail, bank and payment details, hereinafter "personal data" or also "data") communicated by you on the occasion of registration on the website www.le7sorelle.it
PURPOSE OF THE TREATMENT
Your personal data is processed: to fulfill legal, accounting and tax obligations; execute contracts for the purchase and sale of products or assignments for the provision of services; send promotional communications via e-mail on products or services similar to those purchased by the interested party; sending promotional communications
Without your express consent (art. 24 letter a), b), c) Privacy Code and art. 6 lett. b), e) GDPR), for the following Service Purposes: - conclude contracts relating to the purchase of products and/or services offered by the Owner; - fulfill pre-contractual, contractual and tax obligations deriving from existing relationships with you; - fulfill the obligations established by law, by a regulation, by community legislation or by an order of the Authority (such as for example in the field of anti-money laundering); - exercise the rights of the Owner, for example the right of defense in court.
Only subject to your specific and distinct consent (articles 23 and 130 Privacy Code and article 7 GDPR), for the following Marketing Purposes: - send you via e-mail, post and/or text message and/or telephone contacts, newsletters, commercial communications and/or advertising material on products offered by the Owner and measurement of the degree of satisfaction with the quality of the services.
We would like to inform you that if you are already our customers, we will be able to send you commercial communications relating to products of the Owner similar to those you have already used, unless you disagree (art. 130 c. 4 Privacy Code).
ADDITIONAL PURPOSES
The computer systems and software procedures used to operate this website acquire, during their normal operation, some personal data whose transmission is implicit in the use of internet communication protocols. This information is not collected to be associated with identified interested parties, but by its very nature could, through processing and association with data held by third parties, allow users to be identified.
This category of data includes the IP addresses or domain names of the computers used by users who connect to the site, the addresses in URI (Uniform Resource Identifier) notation of the requested resources, the time of the request, the method used in submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error...) and other parameters relating to the operating system and the user's IT environment. These data are used for the sole purpose of obtaining anonymous statistical information on the use of the site and to check its correct functioning and are deleted immediately after processing. The data could also be used to ascertain responsibility in the event of hypothetical computer crimes against the site.
SUBSCRIPTION TO THE NEWSLETTERS
By registering for the Newsletter of www.le7sorelle.it, owned by Le Sette Sorelle, Via On. F. Napolitano 35, Nola (Na) – 80035, VAT no.: 10414311216, the company, as Data Controller, will use the data provided by you to:
- allow registration for the Website Newsletter www.le7sorelle.it
Furthermore, by providing consent, Le Sette Sorelle as Data Controller will process the data for:
- send advertising and promotional material, also personalized according to your preferences, and update (via newsletter, e-mail, telephone, instant messaging, posts, messages or communications of initiatives on social networks and applications, etc.), on products, services or initiatives (e.g. promotions, competitions, games, activities, events) that Le Sette Sorelle S.r.l reserves for members.
The processing will take place for the entire duration of your subscription to the Newsletter www.le7sorelle.it and will be based on the specific consent given; however, consent may be revoked at any time (simply by using the link in all our Newsletters).
By writing to the Owner, at info@le7sorelle.it, you will always be able to access your data, update them, delete them, revoke or modify your consent, request to receive or transmit data to another data controller in a structured, commonly used and machine-readable format. You can also always object to the processing of data carried out, in particular, for marketing purposes or analysis of your preferences; you can also lodge a complaint with the Guarantor for the protection of personal data (www.garanteprivacy.it) or with the Guarantor Authority of the country in which you habitually reside, work or the place where the alleged violation occurred.
THE PRIVACY OF MINORS
Our website is aimed at a general audience and does not offer services aimed at children. If a minor has provided personal information without parental or guardian permission, we will immediately delete that information.
TREATMENT METHODS
The processing of your personal data is carried out by means of the operations indicated in the art. 4 Privacy Code and art. 4 no. 2) GDPR and precisely: collection, recording, organisation, conservation, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of data.
Your personal data is subjected to both paper and electronic processing.
The Data Controller will process personal data for the time necessary to fulfill the aforementioned purposes and in any case for no more than 10 years from the termination of the relationship for the Service Purposes and for no more than 2 years from the collection of the data for the Marketing Purposes. You will be able to know which data are being processed by "Le Sette Sorelle" Srl and, where the conditions apply, exercise all rights relating to their use, as well as object for legitimate reasons to their particular processing and in any case to their use for commercial purposes.
ACCESS TO DATA
No data deriving from the web service (navigation data specified above and cookies) is communicated or disseminated (except for communication to judicial or police bodies if necessary).
Your data may be made accessible for the purposes referred to in the art. 3 of this information:
- to employees and collaborators of the Data Controller, in their capacity as internal data processors and/or managers and/or system administrators who have also authorized "Le Sette Sorelle" Srl to process their personal data.
The data are processed by personnel specifically appointed in writing to process the data (administrative personnel and those responsible for relations with the public, including those external to the Company, those responsible for managing information systems, also external to the Company who can also perform system administrator functions and are in this case appointed as such, staff from the marketing sector, including those external to the Company, interns, data controllers and their collaborators, those in charge of the specific sector to which a request is addressed, site management staff, including those external to the Company) only if the processing is necessary to carry out their duties by carrying out only the operations necessary to carry out the duties themselves. They may also be processed by data controllers (including companies external to the Company that carry out shipping, marketing, and server management and storage activities). External companies can also process the data through persons specifically appointed in writing who can carry out the same activities and process the data for the same purposes, for which the managers have been appointed by Le Sette Sorelle. The data provided by the user may be communicated to subjects for whom there is an obligation to communicate pursuant to the law or a need for communication to assert a fair right of the company with the relevant bodies;
- to third-party companies or other subjects (for example, consultants) who carry out outsourced activities on behalf of the Data Controller, in their capacity as external data controllers or to the transport companies entrusted by the Data Controller for the delivery of shipments.
The person responsible for data processing is the Director of Information Systems and Process Organization available at the company. It is also possible to contact the data controller to obtain the complete list of other possible data controllers and in order to exercise the rights referred to in the art. 7 of Legislative Decree 196/03 and art. 15 GDPR
For any information you can also write to info@le7sorelle.it with the subject "privacy" to the attention of the data controller.
PLACE OF TREATMENT
The data will be processed by the data controller at its registered office and operational headquarters.
Personal data is stored on servers located in Italy within the European Union.
NATURE OF THE PROVISION OF DATA AND CONSEQUENCES OF THE REFUSAL TO RESPOND
The provision of data for the purposes referred to in art. 2.A) is mandatory. In their absence, we will not be able to guarantee the Services of the art. 2.A).
The provision of data for the purposes referred to in art. 2.B) is instead optional. You can therefore decide not to provide any data or to subsequently deny the possibility of processing data already provided: in this case, you will not be able to receive newsletters, commercial communications and advertising material relating to the Services offered by the Data Controller. You will however continue to be entitled to the Services referred to in the art. 2.A).
RIGHTS OF THE INTERESTED PARTY
Le Sette Sorelle guarantees that the rights provided for by art. 12 of the GDPR can be exercised at any time. In particular:
– to know if the Data Controller holds and/or processes personal data relating to you and to access it in full, including obtaining a copy (art. 15 Right to access);
– to the rectification of inaccurate personal data or the integration of incomplete personal data (Art. 16 Right of rectification);
– to the cancellation of personal data held by the Data Controller if one of the reasons provided for by the GDPR exists (Art. 17 Right to Erasure). In this case, the procedure involves the following operational steps:
· cancellation request by the User via the appropriate form;
· export of the Customer's data and communication of the same via PEC (if the user has indicated that he wishes to receive them via certified mail);
· deletion of data from online archives (such data will be saved on offline media for legal purposes only, as required by current legislation).
– to request and receive all your personal data processed by the owner, in a structured format, commonly used and readable by automatic device or request transmission to another owner without impediments (Art. 20 Right to Portability);
– to object in whole or in part to the processing of data for the purpose of sending advertising material and market research (so-called Consent) (art. 21 Right to object);
– to object in whole or in part to the processing of data in automatic or semi-automatic mode for profiling purposes (so-called Consent).
These rights can be exercised by communicating with the Data Controller, whose contact details are indicated in the specific section of this information. Where applicable, you also have the rights referred to in articles 16-21 GDPR (Right of rectification, right to be forgotten, right to limit processing, right to data portability, right to object), as well as the right to complain to the Guarantor Authority. We inform you, specifically, that, if you notice that your data is being processed inconsistently with the consent expressed by you, you can lodge a complaint with the Guarantor for the protection of personal data, in the manner indicated on the Guarantor's website;
- it is the interested party's right, in fact, to revoke consent at any time without prejudice to the lawfulness of the processing based on the consent given;
- for your convenience we reproduce articles 13 – 14 of EU Regulation 2016/679 in full.
EU Regulation 2016/679
ARTICLE 13 - INFORMATION TO BE PROVIDED IF PERSONAL DATA IS COLLECTED FROM THE INTERESTED PARTY
1. In the event of collection of data concerning him or her from the interested party, the data controller shall provide the interested party with the following information at the time the personal data are obtained:
a) the identity and contact details of the data controller and, where applicable, his representative;
b) the contact details of the data protection officer, where applicable;
c) the purposes of the processing for which the personal data are intended as well as the legal basis of the processing;
d) where the processing is based on Article 6, paragraph 1, letter f), the legitimate interests pursued by the data controller or by third parties;
e) any recipients or categories of recipients of the personal data;
f) where applicable, the controller's intention to transfer personal data to a third country or to an international organization and the existence or absence of an adequacy decision by the Commission or, in the case of transfers referred to in Article 46 or 47, or Article 49, second paragraph, the reference to the appropriate or suitable guarantees and the means to obtain a copy of such data or the place where they have been made available.
2. In addition to the information referred to in paragraph 1, when the personal data are obtained, the data controller shall provide the interested party with the following additional information necessary to guarantee correct and transparent processing:
a) the period of retention of the personal data or, if this is not possible, the criteria used to determine this period;
b) the existence of the right of the interested party to ask the data controller for access to personal data and the rectification or cancellation of the same or the limitation of the processing concerning him or her or to oppose their processing, in addition to the right to data portability;
c) if the processing is based on Article 6, paragraph 1, letter a), or on Article 9, paragraph 2, letter a), the existence of the right to withdraw consent at any time without prejudice to the lawfulness of the processing based on the consent given before revocation;
d) the right to lodge a complaint with a supervisory authority;
e) whether the provision of personal data is a legal or contractual obligation or a necessary requirement for the conclusion of a contract, and whether the interested party is obliged to provide the personal data as well as the possible consequences of failure to provide such data;
f) the existence of an automated decision-making process, including profiling referred to in Article 22, paragraphs 1 and 4, and, at least in such cases, significant information on the logic used, as well as the importance and expected consequences of such processing for the interested party.
3. If the data controller intends to further process the personal data for a purpose other than that for which they were collected, before such further processing it will provide the interested party with information regarding this different purpose and any further relevant information referred to in paragraph 2.
4. Paragraphs 1, 2 and 3 shall not apply if and to the extent that the data subject already has the information.
ARTICLE 14 - INFORMATION TO BE PROVIDED IF THE PERSONAL DATA HAS NOT BEEN OBTAINED FROM THE INTERESTED PARTY
1. If the data have not been obtained from the interested party, the data controller provides the interested party with the following information:
a) the identity and contact details of the data controller and, where applicable, his representative;
b) the contact details of the data protection officer, where applicable;
c) the purposes of the processing for which the personal data are intended as well as the legal basis of the processing;
d) the categories of personal data in question;
e) any recipients or categories of recipients of the personal data;
f) where applicable, the intention of the controller to transfer personal data to a recipient in a third country or to an international organization and the existence or absence of an adequacy decision by the Commission or, in the case of transfers referred to in Article 46 or 47, or Article 49, second paragraph, the reference to adequate or appropriate guarantees and the means to obtain a copy of such data or the place where they have been made available.
2. In addition to the information referred to in paragraph 1, the data controller provides the interested party with the following information necessary to guarantee correct and transparent processing towards the interested party:
a) the period of retention of the personal data or, if this is not possible, the criteria used to determine this period;
b) where the processing is based on Article 6, paragraph 1, letter f), the legitimate interests pursued by the data controller or by third parties;
c) the existence of the right of the interested party to ask the data controller for access to personal data and the rectification or cancellation of the same or the limitation of the processing of personal data concerning him and to oppose their processing, in addition to the right to data portability;
d) if the processing is based on Article 6, paragraph 1, letter a), or on Article 9, paragraph 2, letter a), the existence of the right to withdraw consent at any time without prejudice to the lawfulness of the processing based on the consent before revocation;
e) the right to lodge a complaint with a supervisory authority;
f) the source from which the personal data originates and, if applicable, whether the data originates from publicly accessible sources;
g) the existence of an automated decision-making process, including profiling referred to in Article 22, paragraphs 1 and 4, and, at least in such cases, significant information on the logic used, as well as the importance and expected consequences of such processing for the interested party.
3. The data controller provides the information referred to in paragraphs 1 and 2:
a) within a reasonable period of obtaining the personal data, but at the latest within one month, taking into account the specific circumstances in which the personal data are processed;
b) in the event that the personal data are intended for communication with the interested party, at the latest at the time of the first communication to the interested party; or
c) if communication to another recipient is envisaged, no later than the first communication of the personal data.
4. If the data controller intends to further process the personal data for a purpose other than that for which they were obtained, he or she shall, prior to such further processing, provide the data subject with information regarding that different purpose and any relevant information referred to in paragraph 2.
5. Paragraphs 1 to 4 do not apply if and to the extent that:
a) the interested party already has the information;
b) communicating such information is impossible or would involve a disproportionate effort; in particular for processing for archiving purposes in the public interest, scientific or historical research or statistical purposes, without prejudice to the conditions and guarantees referred to in Article 89, paragraph 1, or to the extent that the obligation referred to in paragraph 1 of this article risks making it impossible or seriously jeopardizing the achievement of the purposes of such processing. In such cases, the data controller takes appropriate measures to protect the rights, freedoms and legitimate interests of the interested party, including by making the information public;
c) the obtaining or communication is expressly provided for by Union or Member State law to which the data controller is subject and which provides for appropriate measures to protect the legitimate interests of the interested party; or
d) where the personal data must remain confidential in accordance with an obligation of professional secrecy governed by Union or Member State law, including a statutory obligation of secrecy.
EXTERNAL LINKS
If any pages of this website or sections of our applications contain links to other sites, they are not bound by this Privacy Policy. We recommend that you carefully read the privacy policies available on these external sites and review their practices for the collection, use and disclosure of personal information that they use.
REFUSAL TO PROVIDE DATA
The interested party may refuse to provide the Data Controller with his/her navigation data. To do this, you must disable it by following the instructions provided by the browser you are using. Disabling cookies can make navigation of the site's features worse.
METHOD OF EXERCISE OF RIGHTS
You can exercise your rights at any time by sending:
- a registered letter with return receipt to:
Le Sette Sorelle srl Via On. F. Napolitano 35, Nola (Na) – 80035, VAT number 10414311216, a company registered with the C.C.I.A.A. of Naples REA number NA- 1104493
OWNER, MANAGER AND OFFICERS
This site is managed by the Data Controller, identified in the person of the owner and legal representative of the company
Le Sette Sorelle S.R.L., with registered office in Via On. F. Napolitano 35, Nola (Na) – 80035, VAT number: 087296109 – The updated list of data controllers and persons in charge of processing is kept at the registered office of the Data Controller.
The Data Controller guarantees the security, confidentiality and protection of the data in its possession, at any stage of their processing. The data collected is used in compliance with current legislation on privacy (Legislative Decree 196/2003 and GDPR 679/2016). The data controller is Mr. Di Stasio Carlo (Avellino 29.10.82), contact details: info@le7sorelle.it
COOKIES INFORMATION
Types of Cookies
Cookies are divided into two families:
– Those installed by the owner or manager of the site, called first-party cookies;
– Those installed by managers unrelated to the site, called third-party cookies.
The responsibility and management of first-party cookies is assumed directly by the Owner.
The responsibility and management of third-party cookies falls instead on their respective owners and managers who must offer adequate refusal mechanisms in their privacy policies.
In general, there may be cookies belonging to six different types:
1. Technical, session and analytical cookies
These cookies are necessary for the correct functioning of the site and allow you to manage access operations (so-called login) to the sites, record configuration preferences where available or integrate plug-ins necessary for viewing certain contents.
Cookies used for statistical and performance analyses are also considered technical cookies, provided they are configured to collect data in aggregate and anonymous form which offer a general picture of the performance of the sites and contents.
2. Traffic and performance analysis cookies
These cookies allow us to know how visitors use a site, what content they access and which geographical regions they come from in order to evaluate and improve the functioning of the site and favor the production of content that best meets the information needs of users. These cookies are subject to consent by users and refusal can be expressed directly to the respective managers.
3. Profiling cookies aimed at marketing and advertising
These are cookies used to deliver advertising content within a site or application. These cookies are used, for example, to track the position of the advertisement and check whether a user has already seen the advertising message but also to follow the user during his navigation to define his profile and present him with advertisements linked to personal interests, preferences and sociodemographic characteristics.
4. Widgets and other tools for interconnection with external sites and functions
These are cookies, often associated with a graphic element of the site such as an action button or a specific logo (for example the Facebook "like" button), used to integrate the functions of other sites within the one you are browsing. These cookies are the responsibility of their managers and it is possible to oppose their use directly on the information pages of the respective manager.
5. Tracking pixels or web beacons
These are application code (script) and/or images that do not interfere with the aesthetics of the site but which allow a third party to track traffic trends. For example, they are used by advertisers to independently measure the progress of an advertising campaign and directly collect information that is otherwise not available. These cookies are also subject to the user's consent and their renunciation is possible within the information of the respective managers.
6. Usability tools
They are features written in application code that allow the site manager to analyze the way in which users interact with the contents and features in order to verify ease of use, the quality of the design and plan improvements. These scripts are configured not to capture user-typed elements that would undermine their privacy and are subject to explicit consent. The refusal of consent, when present on the pages of this site, is managed directly by the Owner.
INFORMATION ON NAVIGATION AND COOKIES OF THE WEBSITE
This Policy broadly describes the practices we have adopted. On this page we describe how the site is managed in relation to the processing of personal data of users who consult it. The processing is always based on principles of lawfulness and correctness in compliance with all current regulations and suitable security measures are adopted to protect the data. This privacy policy is also given as brief information pursuant to art. 13 of Legislative Decree 196/2003 and pursuant to art. 13 GDPR 679/2016 European Regulation on privacy, as well as pursuant to the Provision on cookies n. 229 of 8 May 2014: we wish to inform visitors to the site about the use of the data entered and the cookies used by the site itself. The information is also provided pursuant to Recommendation no. 2/2001 adopted by the Working Group established by art. 29 of directive no. 95/46/EC to those who interact with the web services of this site, for the purpose of protecting personal data, accessible electronically from the address: By using any of our services and/or by accepting this Information, for example in the context of registering for one of our services, you consent to the collection and use of Personal Information as described in this Policy.
For more information read our Cookie Policy
· Information not contained in this policy
Further information in relation to the processing of Personal Data may be requested at any time from the Data Controller using the contact information.
· Changes to this privacy policy
The Data Controller reserves the right to make changes to this privacy policy at any time by publicizing them to Users on this page. Please therefore consult this page often, taking as reference the date of last modification indicated at the bottom. In case of non-acceptance of the changes made to this privacy policy, the User is required to cease using this Application and may request the Data Controller to remove their Personal Data. Unless otherwise specified
· AUTOMATED DECISION MAKING PROCESSES
The Data Controller does not carry out processing that consists of automated decision-making processes. Privacy information on cookies.
· Legal references
This information is drawn up in fulfillment of the obligations established by Legislative Decree 196/2003 and GDPR 679/16, by art. 10 of Directive no. 95/46/EC, as well as the provisions of Directive 2009/136/EC regarding Cookies. This privacy policy applies only to this website.
ATTACHMENT
MDPA
MAIN AGREEMENT FOR THE PROCESSING OF PERSONAL DATA – MASTER DATA PROCESSING AGREEMENT (ex art. 28 of EU Regulation 2016/679)
BETWEEN
This agreement for the protection of personal data is concluded between the Supplier, as defined below, and the customer who accepts this agreement. "Supplier" means one or more of the following entities:
Le Sette Sorelle srl – Via On. F. Napolitano 35, Nola (Na) – 80035, VAT number 087296109
the person indicated in the Contract as the customer (hereinafter the "Customer"), hereinafter, jointly, the "Parties" or severally the "Party"
GIVEN THAT
a) the Customer has signed one or more contracts with the Supplier (hereinafter the "Contract");
b) the Parties intend to regulate in this "main agreement for the processing of personal data - Master Data Processing Agreement" (hereinafter "MDPA" or "Agreement") the conditions and methods of processing of personal data carried out by the Supplier within the scope of the Contract and the provision of the Services and the responsibilities connected to the processing itself, including the commitment undertaken by the Supplier as Data Processor of personal data pursuant to art. 28 of the European General Data Protection Regulation of 27 April 2016 n. 679 (hereinafter "GDPR");
c) the specific characteristics of the processing of Personal Data are described in the "privacy information" above and available on the site www.le7sorelle.it which constitute an integral and essential part of this Agreement.
Given the above, the Parties agree as follows:
1. DEFINITIONS AND INTERPRETATION
1.1. The premises constitute an integral part of this Agreement. In the Agreement the following terms and expressions will have the meanings associated with them herein:
“Agreement Effective Date” means the date on which the Customer signs or accepts this Agreement;
“Personal Data” has the meaning set out in the Personal Data Protection Legislation and shall include, by way of example only, all data provided, stored, sent, received or otherwise processed, or created by Customer, or by the End User in relation to the use of the Services, to the extent that they are subject to processing by the Supplier, on the basis of the Contract. A list of the categories of Personal Data is reported in the DPA – Special Conditions;
“Adequacy Decision” means a decision of the European Commission based on Article 45 (3) of the GDPR as to whether the laws of a certain country ensure an adequate level of protection, as required by the Personal Data Protection Legislation;
“Working Days” indicates each calendar day, with the exception of Saturdays, Sundays and days on which ordinary credit banks are not normally open in Milan, for the exercise of their activity;
“Notification email” means the email address (or addresses) provided by the Customer, upon subscribing to the Service or provided through another official channel to the Supplier, to which the Customer intends to receive notifications from the Supplier;
“Instructions” means the written instructions given by the Owner in this Agreement (including the relevant DPA – Special Conditions) and, possibly, in the Contract;
“Personal Data Protection Legislation” means the GDPR, and any further implementing rules and/or regulations issued pursuant to the GDPR or otherwise in force in Italy regarding the protection of Personal Data, as well as any binding provision that is issued by the competent supervisory authorities regarding the protection of Personal Data (e.g. Guarantor for the protection of personal data) and retains binding effect (herein including the requirements of the General Authorizations for the processing of sensitive and judicial data, if applicable and where they retain their binding effect after 25 May 2018);
“Supplier Personnel” indicates the managers, consultant employees, and other personnel of the Supplier, with the exclusion of the personnel of the Additional Data Processors;
“Request” means a request for access by an interested party, a request for deletion or correction of Personal Data, or a request to exercise one of the other rights provided by the GDPR;
“Additional Processor” means any subcontractor to whom the Supplier has subcontracted any of the contractual obligations and who, in fulfilling such obligations, may need to collect, access, receive, store or otherwise process Personal Data;
“Service(s)” indicates the service or services which are the subject of the Contracts signed from time to time between the Customer and the Supplier;
“End User” means the eventual end user of the Service, Data Controller; and
“Personal Data Security Breach” means a security breach resulting in the accidental or unlawful destruction, loss, modification, unauthorized disclosure of or access to Personal Data occurring on systems managed by the Supplier or in any case over which the Supplier has control.
1.2. The terms "including" and "including" will be interpreted as if they were followed by the expression "by way of example only", so as to provide a non-exhaustive list of examples.
1.3. For the purposes of this Agreement, the terms "Data Subject", "Processing", "Data Controller", "Processor", "Transfer" and "Appropriate technical and organizational measures" will be interpreted in accordance with the applicable Personal Data Protection Legislation.
2. ROLE OF THE PARTIES
2.1. The Parties recognize and agree that the Supplier acts as Data Controller in relation to Personal Data and the Customer generally acts as Data Controller of Personal Data.
2.2. If the Customer carries out processing operations on behalf of another Data Controller, the Customer may act as Data Controller. In this case, the Customer guarantees that the instructions given and the activities undertaken in relation to the processing of Personal Data, including the appointment by the Customer of the Supplier as further Data Controller resulting from the stipulation of this Agreement has been authorized by the relevant Data Controller and undertakes to show the Supplier, upon simple written request, the documentation certifying the above.
2.3. Each of the Parties undertakes to comply, when processing Personal Data, with their respective obligations deriving from the applicable Personal Data Protection Legislation.
2.4. The Supplier has appointed a Data Protection Officer (DPO), domiciled at the headquarters of Le Sette Sorelle Srl, Mr. Di Stasio Carlo (Avellino 29.10.82) – contact details: info@le7sorelle.it
3. PROCESSING OF PERSONAL DATA
3.1. With the stipulation of this Agreement, the Customer entrusts the Supplier with the task of processing the Personal Data for the purposes of providing the Services, as better detailed in the Privacy Policy document.
3.2. The Supplier undertakes to comply with the Instructions, without prejudice to the fact that, if the Customer requests variations with respect to the initial Instructions, the Supplier will evaluate the feasibility aspects and agree with the Customer on the aforementioned variations and related costs.
3.3. In the cases referred to in art. 3.2 and in the event of Customer requests involving the processing of Personal Data which are, in the opinion of the Supplier, in breach of the Personal Data Protection Legislation, the Supplier is authorized to refrain from carrying out such Instructions and will promptly inform the Customer. In such cases the Customer will be able to evaluate any changes to the Instructions given or contact the Supervisory Authority to verify the lawfulness of the requests made.
4. LIMITATIONS ON THE USE OF PERSONAL DATA
4.1. When processing Personal Data for the purposes of providing the Services, the Supplier undertakes to process Personal Data:
4.1.1. only to the extent and in the manner necessary to provide the Services or to appropriately fulfill its obligations, provided for by the Contract and this Agreement or imposed by law or by a competent supervisory or control body. In this last circumstance the Supplier will inform the Customer (except where this is prohibited by law for reasons of public interest) by means of a communication sent to the notification email;
4.1.2. in accordance with the Customer Instructions.
4.2. The Supplier's personnel who access or otherwise process Personal Data are responsible for processing such data on the basis of appropriate authorizations and have received the necessary training also regarding the processing of personal data. Such personnel are also bound by confidentiality obligations and the company Code of Ethics and must comply with the confidentiality and personal data protection policies adopted by the Supplier.
5. RELIANCE ON THIRD PARTIES
5.1. In relation to the entrusting of Personal Data processing operations to Additional Data Processors, the Parties agree as follows:
5.1.1. the Customer expressly agrees that some Personal Data processing operations are entrusted by the Supplier to other companies of the Le Sette Sorelle Srl group
5.1.2. The Customer also agrees to the entrusting of Personal Data Processing operations to additional third parties according to the methods set out in the following article
5.1.3. It is understood that the signing of the Standard Contractual Clauses (provided for in point 7 below in the event of transfer of Personal Data abroad) by the Customer with an Additional Data Processor must be understood as consent to the entrusting of the processing operations to the third party.
5.1.4. In cases where the Supplier uses Additional Data Processors for the execution of specific Personal Data processing activities, the Supplier:
5.1.4.1. undertakes to make use of Additional Data Processors who guarantee adequate technical and organizational measures and guarantees that access to Personal Data, and the related processing, will be carried out exclusively within the limits of what is necessary for the provision of subcontracted services;
5.1.5. Any additional information on the list of Additional Data Processors, the processing entrusted to them and their location, is contained in the DPA - Special Conditions relating to the Services activated by the Customer.
6. SAFETY PROVISIONS
6.1. SECURITY MEASURES OF THE SUPPLIER - In processing Personal Data for the purpose of providing the Services, the Supplier undertakes to adopt adequate technical-organizational measures to avoid illicit or unauthorized processing, accidental or illicit destruction, damage, accidental loss, alteration or unauthorized disclosure of, or access to, Personal Data, as described in Schedule 1 to this Agreement ("Security Measures").
6.1.1. Annex 1 to the Agreement contains data store protection measures commensurate with the level of risks present with respect to the Personal Data to enable the confidentiality, integrity, availability and resilience of the Supplier's systems and Services, as well as measures to enable timely restoration of access to Personal Data in the event of a Personal Data Security Breach, and measures to test the effectiveness of such measures over time. The Customer acknowledges and accepts that, taking into account the state of the art, the implementation costs, as well as the nature, scope, context and purposes of processing of Personal Data, the procedures and security criteria implemented by Supplier guarantee a level of protection appropriate to the risk with regards to your Personal Data.
6.1.2. The Supplier may update and modify the Security Measures indicated above over time, without prejudice to the fact that such updates and modifications may not lead to a reduction in the overall security level of the Services. The Customer will be notified of such updates and changes by sending a communication to the notification email.
6.1.3. If the Customer requests to adopt additional security measures with respect to the Security Measures, the Supplier reserves the right to evaluate their feasibility and may apply additional costs to be paid by the Customer for such implementation.
6.1.4. The Customer acknowledges and accepts that the Supplier, taking into account the nature of the Personal Data and the information available to the Supplier as specifically reported in the relevant DPA - Special Conditions, will provide assistance to the Customer in ensuring compliance with the security obligations referred to in articles 32-34 of the GDPR in the following ways:
6.1.4.1. implementing and keeping the Security Measures updated in accordance with the provisions of the previous points 6.1.1, 6.1.2, 6.1.3;
6.1.4.2. complying with the obligations referred to in point 6.3.
6.1.5. It is understood that, in the Contracts concerning products installed at the Customer's premises or at the Customer's suppliers (on premises installations), the Security Measures indicated above will apply exclusively in relation to the Services which provide for the Processing of Personal Data by the Supplier or of its entrustees (e.g. remote support and assistance, migration services).
6.1.6. If the product allows integration with third-party applications, the Supplier will not be responsible for the application of the Security Measures relating to the third-party components or the operating methods of the product deriving from the integration carried out by the third parties.
6.2. CUSTOMER SECURITY MEASURES - Without prejudice to the obligations referred to in the previous point 6.1 of the Supplier, the Customer acknowledges and accepts that, in the use of the Services, the Customer remains exclusively responsible for adopting adequate security measures in relation to the use of the Services by its staff and those authorized to access said Services.
6.2.1. To this end, the Customer undertakes to use the Services and the Personal Data processing functions in such a way as to guarantee a level of protection adequate to the actual risk.
6.2.2. The Customer also undertakes to adopt all appropriate measures to protect the authentication credentials, systems and devices used by the Customer or by users at the End User to access the Services, and to save and backup Personal Data for the purpose to guarantee the restoration of Personal Data in compliance with the law.
6.2.3. Any obligation or responsibility on the part of the Supplier regarding the protection of Personal Data that the Customer or the End User, if applicable, retain or transfer outside the systems used by the Supplier and its Additional Data Processors (for example, in paper archives, or at its own data centers, as in the case of Contracts relating to products installed at the Customer's premises or at the Customer's suppliers) remains excluded.
6.3. SECURITY BREACHES – Except in the case of Contracts concerning products installed at the Customer's premises or at the Customer's suppliers for which this point 6.3 does not apply, if the Supplier becomes aware of a Personal Data Security Breach, the same:
6.3.1. will inform the Customer without unjustified delay by means of a communication sent to the notification email;
6.3.2. will take reasonable measures to limit the possible harm and security of Personal Data;
6.3.3. will provide the Customer, as far as possible, with a description of the Personal Data Security Breach including the measures taken to avoid or mitigate potential risks and the activities recommended by the Supplier to the Customer for managing the Security Breach;
6.3.4. will consider confidential information pursuant to the provisions of the Contract, the information relating to any Security Violations, the related documents, press releases and notices and will not communicate data information to third parties, except in cases strictly necessary for the fulfillment of the Customer's obligations deriving from the Legislation regarding the Protection of Personal Data without the prior written consent of the Data Controller.
6.4. In the cases referred to in the previous point 6.3, it is the exclusive responsibility of the Customer to fulfill, in the cases provided for by the Legislation regarding the Processing of Personal Data, the obligations of notifying the Security Breach to third parties (to the End User if the Customer is a Data Controller of the Processing) and, if the Customer is the Data Controller, to the Supervisory Authority and the interested parties.
6.5. It is understood that the notification of a Security Breach or the adoption of measures to manage a Security Breach does not constitute acknowledgment of non-compliance or liability on the part of the Supplier in relation to such Security Breach.
6.6. The Customer must promptly notify the Supplier of any improper use of accounts or authentication credentials or any Security Violations of which it has become aware regarding the Services.
7. LIMITATIONS ON THE TRANSFER OF PERSONAL DATA OUTSIDE THE EUROPEAN ECONOMIC AREA (EEA)
7.1. The Supplier will not transfer Personal Data outside the EEA except in agreement with the Customer.
7.2. If, for the purposes of storage or processing of Personal Data by a Data Controller, it is necessary to transfer Personal Data outside the EEA to a country which does not have an adequacy decision from the European Commission pursuant to art. 45 of the GDPR, the Supplier:
7.2.1. will ensure that the Additional Data Processor stipulates the standard contractual clauses provided for in the European Commission Decision 2010/87/EU, of 5 February 2010, for the transfer of personal data to data processors established in third countries (the "Standard Contractual Clauses"), or their equivalent, if modified over time. Copies of the Standard Contractual Clauses signed by the Supplier on behalf of the Customer will be made available to the Customer;
7.2.2. may propose to the Customer other methods of transferring Personal Data that comply with the provisions of the Personal Data Protection Legislation (e.g. Privacy Shield in the case of Additional Data Processors located in the United States and for which compliance can be verified through the official channels and registers, or intra-group transfers of the Additional Data Processor who is part of a corporate group that has obtained BCR approval for Data Processors).
7.3. In the cases referred to in the previous point 7.2.1, with this Agreement the Customer expressly mandates the Supplier to sign the Standard Contractual Clauses with the Additional Data Processors reported in the relevant DPA - Special Conditions. If the Data Controller is the End User, the Customer undertakes to inform the End User of this transfer and declares that the authorization to make use of the Additional Processor located outside the EEA is equivalent to the above mandate.
8. CHECKS AND CONTROLS
8.1. The Supplier periodically audits the security of the Personal Data processing systems and environments used by it for the provision of the Services and the locations in which such processing takes place. The Supplier will have the right to appoint independent professionals selected by the Supplier to carry out audits according to international standards and/or best practices, the results of which will be reported in specific reports ("Reports"). These Reports, which constitute confidential information of the Supplier, may be made available to the Customer to allow him to verify the Supplier's compliance with the security obligations set out in this Agreement.
8.2. In the cases provided for by the art. 8.1, the Customer agrees that his right of verification will be exercised through the verification of the Reports made available by the Supplier.
8.3. The Supplier recognizes the Customer's right, in the manner and within the limits indicated below, to carry out independent audits to verify the Supplier's compliance with the obligations set out in this Agreement and in the respective DPA - Special Conditions, and with the provisions of the law. The Customer may make use of its own specialized personnel or external auditors for these activities, provided that these subjects are previously bound by suitable confidentiality commitments.
8.4. The Supplier may object in writing to the appointment by the Customer of any external auditors who are, in the Supplier's sole opinion, not adequately qualified or independent, are competitors of the Supplier or are obviously inadequate. In such circumstances the Client will be required to appoint other auditors or conduct the audits themselves.
9. COMPLIANCE ASSISTANCE
9.1. The Supplier will provide assistance to the Customer and will cooperate in the ways indicated below in order to allow the Customer to comply with the obligations established by the Legislation regarding the Protection of Personal Data.
9.2. If the Supplier receives Requests or complaints from a Data Subject in relation to Personal Data, the Supplier will recommend that the Data Subject contact the Customer or the End User, in the event that the latter is the Data Controller. In such cases the Supplier will promptly inform the Customer of receipt of the Request by sending a notification email and will provide the Customer with the information available to it together with a copy of the Request or complaint. It is understood that this cooperation activity will be carried out on an exceptional basis, as the management of relationships with the interested parties remains excluded from the Services and it is the Customer's responsibility to manage any complaints directly and ensure that the point of contact for the exercise of rights by the interested parties is either the Customer himself, or the End User if Data Controller. It will be the responsibility of the Customer, or of the End User if he is the Data Controller, to follow up such Requests or complaints.
9.3. The Supplier will promptly inform the Customer, except where this is prohibited by law, with a notification email of any inspections or requests for information presented by supervisory authorities and police forces with respect to profiles that concern the processing of Personal Data.
9.4. If, for the purposes of processing the Requests referred to in the previous points, the Customer needs to receive information from the Supplier regarding the processing of Personal Data, the Supplier will provide the necessary assistance to the extent reasonably possible, provided that such requests are submitted with adequate notice.
9.5. The Supplier, taking into account the nature of the Personal Data and the information available to it, will provide reasonable assistance to the Customer in making useful information available to allow the Customer to carry out impact assessments on the protection of Personal Data in the cases provided for by law. In this case, the Supplier will make general information available based on the Service, such as the information contained in the Contract, in this Agreement and in the DPA - Special Conditions relating to the Services concerned. Any personalized assistance requests may be subject to the payment of a fee by the Customer. It is understood that it is the exclusive responsibility and burden of the Customer, or of the End User if Data Controller, to proceed with the impact assessment based on the characteristics of the processing of Personal Data carried out by the same in the context of the Services.
9.6. The Supplier undertakes to provide Services based on the principles of minimization of processing (privacy by design & by default), without prejudice to the fact that it is the exclusive responsibility of the Customer, or of the End User, if Data Controller, to ensure that the processing is then carried out concretely in compliance with said principles and verify that the technical and organizational measures of a Service satisfy the Company's compliance requirements, including the requirements established by the Legislation regarding the protection of personal data.
9.7. The Customer acknowledges that, in the event of requests for portability of Personal Data made by the respective interested parties, and only in relation to the Services that generate Personal Data relevant for this purpose, the Supplier will provide assistance to the Customer by making available the information necessary to extract the requested data in a format compliant with the provisions of the Legislation on the Protection of Personal Data.
9.8. The previous points 9.5 and 9.7 are not applicable in the case of Contracts concerning products installed at the Customer's premises or at the Customer's suppliers.
10. CUSTOMER OBLIGATIONS AND LIMITATIONS
10.1. The Customer undertakes to issue Instructions in compliance with the legislation and to use the Services in a manner compliant with the Personal Data Protection Legislation and only to process Personal Data that has been collected in accordance with the Personal Data Protection Legislation.
10.2. Any processing of Personal Data referred to in articles 9 and 10 of the GDPR will be permitted only where expressly provided for in the DPA - Special Conditions; outside of these cases, any processing of such Personal Data will be permitted only by prior written agreement between the Parties in accordance with the provisions of point 3.2.
10.3. The Customer undertakes to fulfill all obligations placed on the Data Controller (and, in cases where such obligations are on the End User, guarantees that similar obligations are imposed on the End User) by the Legislation regarding the Protection of Personal Data, including the information obligations towards the interested parties. The Customer also undertakes to ensure that the processing of Personal Data carried out through the use of the Services occurs only in the presence of a suitable legal basis.
10.4. If the release of the information and the obtaining of consent must take place through the product covered by the Contract, the Customer declares to have evaluated the product and that it meets the Customer's needs. It is also the Customer's responsibility to evaluate whether any forms made available by the Supplier to facilitate the fulfillment of the information and consent obligations (e.g. privacy policy model for Apps or information present in the applications), when available, comply with the Legislation regarding the Protection of Personal Data and adapt the same where deemed appropriate.
10.5. It is also the exclusive responsibility of the Customer to manage the Personal Data in accordance with the Requests made by the Interested Parties, and therefore to provide, for example, for any updates, additions, rectifications and cancellations of the Personal Data.
10.6. It is the Customer's responsibility to keep the account connected to the notification email active and updated.
10.7. The Customer acknowledges that, pursuant to art. 30 of the GDPR, the Supplier is required to maintain a register of the processing activities carried out on behalf of the Data Controllers (or Processors) and to collect for this purpose the identification and contact data of each Data Controller (and/or Processor) on whose behalf the Supplier acts and that such information must be made available to the competent authority upon request. Therefore, when requested, the Customer undertakes to give the Supplier the identification and contact data indicated above in the manner identified by the Supplier over time and to keep this information updated through the same channels.
10.8. The Customer therefore declares that the processing activities of Personal Data, as described in the Contracts, in this Agreement and in the related DPA - Special Conditions, are lawful.
11. DURATION
11.1. This Agreement will be effective from the Effective Date of the Agreement and will terminate automatically, on the date of deletion of all Personal Data by the Supplier, as provided in this Agreement and, if provided, in the relevant DPA - Special Conditions.
12. PROVISIONS FOR THE RETURN OR DELETION OF PERSONAL DATA
12.1. Upon termination of the Service, for whatever reason, the Supplier will cease all processing of Personal Data and
12.1.1. will delete the Personal Data (including any copies) from the Supplier's systems or from those over which the Supplier has control within the period set out in the Contract, except in the case in which the retention of the data by the Supplier is necessary in order to comply with a provision of Italian or European law;
12.1.2. will destroy any Personal Data stored in paper format in its possession, except in the case in which the retention of the data by the Supplier is necessary for the purposes of compliance with Italian or European laws; and
12.1.3. will keep the Personal Data available to the Customer for extraction for the period of 12 (twelve) months following the termination of the Contract. During this period, the processing will be limited only to conservation aimed at keeping the Personal Data available to the Customer for the extraction referred to in point 12.2.
12.2. Without prejudice to anything else provided in this Agreement, the Customer acknowledges that it can extract Personal Data, upon termination of the Service, in the ways agreed in the Contract and agrees that it is its responsibility to provide for the total or partial extraction of only the Personal Data that it deems useful to keep and that this extraction must be carried out before the expiry of the deadline referred to in point 12.1.3.
12.3. It is understood that the provisions of points 12.1 and 12.2 do not apply to Contracts relating to products installed at the Customer's premises or at the Customer's suppliers. In such cases, it is the Customer's responsibility to extract, no later than 30 (thirty) days from the end of the Contract Duration, the Personal Data that it deems useful to keep; the Customer acknowledges that after the aforementioned deadline the Personal Data may no longer be accessible. In the cases referred to in this point 12.3, the Customer is also responsible for deleting the Personal Data in compliance with the law.
12.4. Any further or different provisions regarding the deletion of Personal Data provided for in the respective DPA - Special Conditions remain unaffected.
13. RESPONSIBILITY
13.1. Each Party is responsible for the fulfillment of its obligations under this Agreement and the related DPA - Special Conditions and the Legislation regarding the protection of Personal Data.
13.2. Without prejudice to the mandatory limits of law, the Supplier will be required to compensate the Customer in the event of violation of this Agreement and/or the related DPA - Special Conditions within the maximum limits agreed in the Contract.
14. MISCELLANEOUS PROVISIONS
14.1. This Agreement replaces any other agreement, contract or understanding between the Parties with reference to its subject matter as well as any instructions provided in any form by the Customer to the Supplier prior to the date of this Agreement regarding the Personal Data processed in the context of the execution of the Contract.
14.2. This Agreement may be modified by the Supplier by giving written notice (also via e-mail or with the aid of computer programs) to the Customer. In this case, the Customer will have the right to withdraw from the Contract with written communication sent to the Supplier by registered mail with acknowledgment of receipt within 15 (fifteen) days of receipt of the Supplier's communication. In the absence of exercise of the right of withdrawal by the Customer, in the terms and in the manner indicated above, the modifications to this Agreement will be considered definitively known and accepted by them and will become definitively effective and binding.
14.3. In the event of a conflict between the provisions of this Agreement and what is provided in the Contract for the provision of the Services, or in Customer documents not expressly accepted by the Supplier in derogation of this Agreement and/or the respective DPA - Special Conditions, the provisions of this Agreement and the clauses of the relevant DPA – Special Conditions will prevail.
Supplementary Conditions
These supplementary conditions ("Supplementary Conditions") modify and/or integrate the General Conditions of Le Sette Sorelle Srl ("General Conditions") for the purpose of regulating the terms and conditions of use of the site www.le7sorelle.it (or also Software pursuant to the General Conditions). The terms and expressions listed below, when reported with a capital letter and where not expressly defined, must be understood with the meaning attributed to them in the General Conditions.
1. Intellectual property
1.1. All Intellectual Property rights, including economic exploitation rights, on the Infrastructure and Software are owned by the company Le Sette Sorelle Srl.
Privacy Policy
On this page you will find information relating to how your personal data is managed through our site. We provide this information not only to comply with legal obligations regarding the protection of personal data provided for by Regulation (EU) 2016/679 or "Regulation", but also because we believe that the protection of personal data is a fundamental value of our company's business activity and we want to provide you with any information that can help you protect your privacy and control the use that is made of your data in relation to the browsing experience on our site.
We remind you that the processing of personal data carried out in relation to the services/products of Le Sette Sorelle Srls is described in the specific information that will be released upon signing the contract or which will be reported in the appropriately highlighted sections of the site.
Data Controller and Data Protection Officer
The Data Controller of personal data, i.e. the person who takes decisions regarding the methods and purposes of the processing, is Le Sette Sorelle Srls – Via On. F. Napolitano 35, Nola (Na) – 80035, VAT number 10414311216.
Information on the processing of personal data
When you visit this site, or when you fill out the online forms to proceed with the purchase of the Company's products/services or to request support and assistance, or when you access the reserved area of the site, we may process the following personal data (i.e. data relating to identified or identifiable persons). For each type of data you will find information relating to the purpose of processing and the mandatory or optional nature of the provision.