1. General provisions
1.1 Introduction. Coesia S.p.A. (“Company”) is the holding company of an industrial group made up of several entities operating internationally (“Coesia Group’ Companies”), including, in particular, the Coesia companies listed on the website as hereby defined. Company, in accordance with the Coesia Group commitment to international compliance with data protection laws, is accordingly committed to protecting personal data collected through the “Contact us” form of the Coesia Group Companies’ websites (“Website”), according to any national legislation in force on personal data protection (“National Data Protection Laws”) and the EU General Data Protection Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing the Directive 95/46/EC (“GDPR”). This Privacy Policy explains how information and data identifying individuals (“Personal Data”) received by Coesia Group’ Companies through their Websites are processed.
1.2 Joint-Controller. Coesia S.p.a. and its worldwide affiliates (“Coesia Group”), act as joint-controllers under art. 26 of GDPR of the personal data that you decide to provide us through the website.
1.3 Amendments. Coesia Group reserves the right to amend and update the Privacy Policy because of any further new or revised provisions of any national and EU laws and regulations on personal data protection. Any new release of the Privacy Policy shall be published on the Website as a replacement of the previous version and shall be valid and enforceable from the publication date, unless otherwise specified.
1.4 Applicable rules. Coesia Group processes Personal Data in accordance with: (i) provisions of National Data Protection Laws in force as of the date of the Privacy Policy; (ii) provisions of the GDPR and, in particular, with the principles set forth in the same, such as, inter alia, lawfulness, fairness and transparency, purpose limitation, data adequacy and minimisation, accountability, accuracy, and – prior to any processing activity – the principles of privacy by design and privacy by default; (iii) guidelines and decisions issued by the competent supervisory authority (“Supervisory Authority”).
2. Data subjects and scope of application
2.1 Data subjects. Coesia Group processing activities relate to any individual who decides to fill in the “Contact us” form on the Websites. For the purposes of this Privacy Policy, these persons are to be intended as Data Subjects, as defined in the National Data Protection Laws and in the GDPR.
2.2 Scope of application. The Privacy Policy shall be applicable to Data Subjects, provided that Coesia Group’ Companies, in their capacity as Joint-Controller, are only liable for the processing of Personal Data, which are under its own powers, duties and liabilities.
3. Types and source of processed Personal Data
3.1 Source. Coesia Group processes the Data Subjects’ Personal Data – as hereinafter specified – provided directly by the Data Subjects through the “Contact us” form of the Websites.
3.2 Identification data. Coesia Group processes Data Subjects’ Personal Data, that consist of your identification data (such as, for example, name, surname, company, e-mail address, citizenship, city, phone number ecc.). Furthermore, Coesia Group will process all information – which however shall only include – if any - common personal data - that you will decide to provide us through the “Message” field in the “Contact us” form on the Websites.
4. Legal basis for and purposes of processing the Personal Data. Period of data retention
4.1 Legal basis. The legal basis for the processing of Personal Data is: (i) the execution of a contract or pre-contractual steps to be taken at the request of Data Subjects prior to entering into a contract about purpose under art. 4.2 A); (ii) the consent given by Data Subjects to the processing of their Personal Data; (iii) Legitimate Interest about purpose under art. 4.2 C).
4.2 Purposes. Coesia Group processes Personal Data for the following purposes, as specified in the table here in below, in which is furthermore highlighted (a) if an express consent to processing of Personal Data is needed (or not ) as well as (b) the period of data retention:
Purposes
Consent
Data retention
A) Processing of personal data in order to reply to queries concerning the company activities
Not required
Until the purpose is achieved
B) Processing of personal data in order to send newsletters, promotional and advertising and/or other materials for marketing communication purposes by Coesia Group’s companies
Required
Until the withdrawal of consent or until a denial has been communicated
C)
Processing of personal data in order to send to customers email marketing communications, concerning Coesia Group’s services or products similar to those already supplied, by virtue of previous business relationship (“soft spam”), unless a communication to refuse or unsubscribe from marketing (“opt out”) has been made by said customers, according to applicable laws.
Not required
Until the “opt out” has been communicated
4.3 Optional/Mandatory supply of Personal Data. Subject to what specified above, the provision of Personal Data is optional and free. However, failure to provide Personal Data may prevent Data Subjects from receiving communications and/or replies to their queries concerning the company activities.
5. Persons in charge of the processing and processors
5.1 Persons in charge of the processing. As specified above, Coesia Group processes Personal Data collected from the Data Subject through the Websites. Directors, shareholders and independent collaborators (independently from the contractual relationship concerned) of the Coesia Group may process Personal Data in their capacity as persons in charge of the processing, according to National Data Protection Laws and to art. 29 of the GDPR. The persons in charge of the processing are duly trained and empowered to allow access to Personal Data according to the Privacy Policy and subject to their tasks being performed and assignments.
5.2 Processors. The Coesia Group may designate as processors entities/individuals for the purposes described above. The complete list of all processors may be required by Data Subjects to the Coesia Group, by sending an email to the email address cpo@coesia.com.
6. Method of processing, storage of Personal Data and security measures
6.1 Methods of processing. The Personal Data of Data Subjects are processed almost exclusively through automated procedures, by using computerized systems and softwares or, in a limited number of cases, through manual means (e.g. on paper), provided however that in any event such Personal Data are processed adopting methods which are strictly related to the purposes for which such data have been collected and anyway to ensure their security, in accordance with the GDPR and the National Data Protection Laws.
6.2 Place of automated data processing. Processing of Personal Data is made by the Coesia Group as joint-controllers and/or – if appointed – by the processors. Personal Data are stored in the head offices of the Coesia Group’s companies where the physical servers are and in some cases on servers of third parties, which provide cloud services to allow storage of Personal Data.
6.3 Transfer of Personal Data. Personal Data may be transferred in order to achieve the purposes described above to Coesia Group acting as joint-controllers, whether they are located in EU or in third countries outside the EU, provided however that in the latter case, the transfer of Personal Data as above specified shall be made subject to the Coesia Group’s assessment of full compliance with the provisions of chapter V of the GDPR and in particular with article 49.1 B).
6.4 Dissemination of Personal Data. Personal Data will not be disseminated.
7. Data Subjects’ rights
7.1 Rights. Data Subjects, when they are individual/natural persons, may directly address to the Company or the processor/s designated by the same in order to enforce their rights according to provisions of National Data Protection Laws and to the GDPR (articles 15 and subsequent articles), and, in particular, to have access to their own Personal Data, obtain updating and rectification or erasure of the same, restriction of processing, as well as obtain data portability by sending an email to the email address privacy@coesia.com or, with specific regard to the newsletter, by clicking the “unsubscribe” button or following the instructions published on the Website.
7.2 Right to object. With the same procedures described above, Data Subjects may object, in whole or in part, to the processing of Personal Data concerning them, where the relevant legal basis is constituted by the legitimate interests of Coesia Group, pursuant to and with the effects provided for by Article 21 of the GDPR, having regard in particular to direct marketing.
7.3 Complaint. The above notwithstanding, according to article 77 of the GDPR, Data Subjects, when they are individual/natural persons, may lodge a complaint with the competent Supervisory Authority, in order to enforce their rights, as specified above.