HPDC by Gefond - Privacy Policy

1. INFORMATION ON THE PROCESSING OF PERSONAL DATA (Ex Art. 12 and 13 of EU Regulation 2016/679 Of the European Parliament and of the Council)
Dear Sirs,
The Company HPDC S.r.l. with registered office in Via Montefeltro, 6 – 20156 Milan P.IVA 11426450968, as the Data Controller, informs you that the EU Regulation 2016/679 of the European Parliament and of the Council (General Data Protection Regulation), establishes rules relating to the protection of natural persons with regard to the processing of personal data, as well as rules relating to the free movement of such data. The Regulation protects the fundamental rights and freedoms of natural persons, in particular the right to protection of personal data. The data controller (a natural or legal person who determines the purposes and means of the processing of personal data) shall take appropriate measures to provide the data subject with all information about the processing. According to the indicated regulations, such processing will be based on the principles of fairness, lawfulness and transparency and protection of your privacy and rights. Pursuant to Articles 12 and 13 of the EU Regulation 2016/679, in the event that data relating to the data subject is collected from the data subject, the Data Controller shall provide the data subject with the following information at the time the personal data is obtained:.

2. Object of Treatment
The Data Controller processes personal, identifying data concerning a natural person (data subject) such as, for example, first name, last name, identification number, company name, address, telephone, e-mail, banking and payment references etc. disclosed by you in connection with the conclusion of contracts for the Holder’s services.

3. Data Controller and Representative of the Data Controller.
The Data Controller is: HPDC S.r.l.
c/o HPDC S.r.l. with registered office in Via Montefeltro, 6 – 20156 Milan P.IVA 11426450968, Tel +39 02 3340154 / Fax +39 02 33401961, info@hpdc.it
The Representative of the Data Controller (where applicable) is: HPDC SRL
An up-to-date list of Data Processors (where applicable) and data processors is kept at the registered office of the Data Controller.

4. Data Protection Officer (where applicable)
The Data Protection Officer is: HPDC SRL

5. Purpose of data processing
The data you provide will be processed without your express Consent for the following purposes :
2A) execution of a contract
3A) execution of pre-contractual measures
4A) legal obligation to which the data controller is subject.
7A) pursuit of the legitimate interest of the Data Controller or third parties.
Data processing is lawful in that:
2C) the processing is necessary for the performance of a contract to which the data subject is party or for the performance of pre-contractual measures taken at the request of the data subject,
3C) processing is necessary to comply with a legal obligation to which the data controller is subject, 4C) processing is necessary to safeguard the vital interests of the data subject or another natural person;
6C) the processing is necessary for the pursuit of the legitimate interests of the data controller or a third party, provided that the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data are not overridden, particularly if the data subject is a child).
The Holder, pursuant to Art. 13 para. 3, undertakes not to use the personal data acquired for processing purposes other than those for which they were collected, without having provided further information to the data subject regarding such other purpose and any additional relevant information as referred to in paragraph 2, or without having requested additional consent (where mandatory).

6. Legitimate interests of the data controller
(where applicable only if the conditions for lawful processing in 3 are of type 6C)
Data processing is based on the following legitimate interests: possible right of defense in court.

7. Methods of data processing
The processing of personal data is carried out by means of the operations specified in Art. 4 paragraph 2) namely: collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, restriction, deletion or destruction;
Data are processed using appropriate tools and procedures to ensure their security and confidentiality.
Personal data will be processed in the following ways :
■ paper manual
■ computerized manual (without automated decision making)
■ Other: Videography

8. Data dissemination.
Without the need for express consent (ex art. 6 lett. (b) and c), the Data Controller may communicate your data for the above purposes to Supervisory Bodies, Judicial Authorities, insurance companies, as well as to those subjects to whom the communication is obligatory by law for the fulfillment of the said purposes. These parties will process the data in their capacity as autonomous data controllers.
■ data may/will be disclosed to the following categories of recipients: external data processors who take part in the business process solely to fulfill specific legal obligations and in compliance with contractual obligations, public and private entities with tax, social security, welfare and insurance purposes
Dissemination of data to a third country or international organization
■ Personal data will not be transferred to a Third Country or to an International organization.

9. Nature of data provision and consequences of refusal to respond
The Data Controller has an obligation to inform the data subject whether the disclosure of personal data is a legal or contractual obligation or a necessary requirement for the conclusion of a contract, and whether the data subject has an obligation to provide the personal data as well as the possible consequences of not providing such data;
The provision of data is:
■ mandatory (Item 4, letters A)
Where the provision of data for the specified purposes is mandatory, the reason for the obligation is due to performance of a contract or pre-contractual measures.
In the event that the provision of data for the stated purposes is mandatory, any refusal to provide such data is mandatory:
■ could result in non-performance of the contract,
■ could result in partial performance of the contract,
■ failure to continue the relationship,
■ the failure to provide services.

10. Data Retention
The Data Controller will process personal data for the time strictly necessary to fulfill the above purposes and in any case for no longer than 10 years after the termination of the relationship for the Service Purposes.
■ Personal data processed will be kept until: 10 years after the contract is terminated.

11. Security Measures.
The Holder, in accordance with Art. 32 of EU Regulation 2016/679, has taken physical, technical, and organizational data protection measures to ensure an adequate level of security against the risk of accidental or unlawful destruction, loss, misuse, or alteration.

12. Rights of the data subject
At any time the data subject may exercise his or her rights against the data controller.
Art. 13 letter b) of EU Regulation 2016/679, stipulates that when personal data is obtained, the data controller shall provide the data subject with the existence of the following rights necessary to ensure fair and transparent processing of personal data:
– access to data (Art. 15)
– rectification of data processing (art. 16)
– deletion of data (Art. 17)
– limitation of data processing (Art. 18)
– Opposition to data processing (Art. 21)
– to data portability (Art. 20). In addition to the rights under Article 13, the EU Regulation provides that the data subject may exercise additional rights:
– withdrawal of consent (Art. 7)
– Propose a complaint to a supervisory authority (Art. 77).
Attached are the articles that specifically deal with individual rights of the Data Subject.

13. Right to withdraw consent (Art. 7)
Article 7 paragraph 3, stipulates that the Data Subject has the right to withdraw his or her consent at any time in the following cases: – where the processing is based on consent given to the processing of his or her data for one or more specific purposes (Art. 6(1)(a),
– if the processing relates to the special categories of personal data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or sex life or sexual orientation) and is based on the consent given to the processing of one’s own data for one or more specific purposes (Article 9(2)(a)).
Withdrawal of consent does not affect the lawfulness of processing based on the consent given before the withdrawal.
Before giving consent, the person concerned shall be informed of this. Consent is withdrawn as easily as it is granted.

14. Right to file a complaint with a supervisory authority (Art. 77)
Art. 77, stipulates that the data subject, if he or she considers that the processing concerning him or her is in violation of this Regulation, has the right to lodge a complaint with a supervisory authority, namely in the member state where he or she normally resides, works or of the place where the alleged violation occurred. – Without prejudice to any other administrative or judicial recourse. The data controller shall inform the data subject of the possibility of lodging a complaint with a supervisory authority and seeking judicial remedy. The supervisory authority to which the complaint has been submitted shall inform the complainant of the status or outcome of the complaint, including the possibility of judicial review under Article 78. The ‘data subject also has the right to an effective judicial remedy if the supervisory authority that does not deal with a complaint or does not inform the data subject within three months of the status or outcome of the proposed complaint. – Without prejudice to any other administrative or judicial recourse.

15. Ways of exercising the rights of the data subject
The data subject may exercise the rights at any time by sending to the Data Controller and/or the Data Processor (where appointed):
– a registered letter A.R to the address: c/o HPDC S.r.l. with registered office in Via Montefeltro, 6 – 20156 Milan P.IVA 11426450968,
– an e-mail to: hpdcsrl@sicurezzapostale.it

The Data Controller
HPDC S.r.l. Milan Li 30.05.2021