Privacy Policy - Bel-Fer Shop

In accordance with and for the purposes (i) of EU Regulation 2016/679 concerning the “protection of natural persons with regard to the processing of personal data and the free movement of such data”, the “GDPR”, Art. 13 and 14, and (ii) Legislative Decree 30 June 2003, no. 196, the “Privacy Code”, laws jointly referred to as “Privacy Legislation”, there exist a series of obligations for those who process – “collect, record, organise, structure, store, adapt or alter, retrieve, consult, use, disclose by transmission or dissemination, or otherwise make available, align, combine, restrict, erase, or destroy” – (hereinafter referred to as “Processing”) personal data related to other individuals.

BEL-FER DI BELOTTI OTTAVIO & C. S.N.C., located at Via Virgilio 1 – 24060 Gorlago (BG) Italy, informs you, in the following sections, of the methods by which and the purposes for which your personal data will be processed.

Data Controller
The Data Controller is the entity that determines the purposes and means of processing personal data (the “Controller”) and is identified as BEL-FER DI BELOTTI OTTAVIO & C. S.N.C.. The Controller can be contacted by mail at the registered address: Via Virgilio 1 – 24060 Gorlago (BG) Italy, or via e-mail at: ordini@belfershop.eu
Categories of Data Subject to Processing
Data processed by the Controller may include:
1. Personal information, including name, last name, home address, e-mail address, telephone number, and banking details, as well as any other information necessary for the initiation and execution of the professional agreement;
2. Sensitive/special data as per Article 9 of the GDPR “including personal data that reveals racial or ethnic origin, political opinions, religious or philosophical believes, or union membership, as well as genetic data, biometric data intended to unequivocally identify an individual, and data related to an individual’s health, sex life, or sexual orientation”,as well as any data related to criminal convictions or offences or their associated security measures as per Article 10 of the GDPR;
3. Data related to browsing (i.e. information related to the ways in which the Firm’s website is used) or data collected through cookies or other tracking technologies (hereinafter also referred to as “Data”).
Purposes and Legal Basis for Processing
In accordance with Privacy Regulations, the processing of personal data must be justified by one of the various legal grounds specified in Article 6 of the GDPR. These grounds are expressly indicated below for each purpose for which the Controller may process your data:
1. Fulfilment of Professional Services: The Controller may process data in response to any request for information regarding services offered by the Firm or to obtain any other preliminary information necessary for the execution of the professional agreement.
  Legal Basis for Processing: To fulfil the agreement of which you are a part or to comply with any of your preliminary requests (Article 6(1)(b) of the GDPR) or, in the case of personal data processing, your consent as the Data Subject (Article 9(2)(a) of the GDPR).
  Data Retention Policy: The data provided within the scope of your request or to formalise an estimate will be stored for a maximum of five years. The data processed in order to fulfil the agreement may be saved for the entire duration of the contract as well for an additional ten years from the date of its completion.
2. Fulfilment of Legally Binding Obligations: The Controller processes data to comply with any civil, administrative, tax, or accounting obligations required by law, regulation, European legislation, or an order from the authorities arising from the existing relationship(s) with you.
  Legal Basis for Processing: To fulfil the contract of which you are a part (Article 6(1)(b), to comply with a legal obligation to which the Controller is subject (Article 6(1)(c) of the GDPR).
  Data Retention Policy: Data may be retained for the time necessary to fulfil legal obligations and, in any case, for the entire duration of the contract as well as for an additional ten years from the date of its completion.
3. Legal Defence of the Controller’s Rights: Where required, the Controller will provide information about you to the authorities and entities responsible for enforcing the law, regulations, and judicial actions, as well as to third parties involved in legal disputes.
  The Controller reserves the right to process data in order to prevent potential risks and fraud, as well as to defend his/her rights arising from the contract in judicial or extrajudicial proceedings, including for possible debt recovery purposes, directly or through third parties (credit recovery agencies/companies) to whom data will be disclosed only for these aforementioned purposes.
  Legal Basis for Processing: For the pursuit of a legitimate interest on the part of the Controller consisting in the prevention of potential fraud or defence of his/her own rights or to assert claims related to the contract, as long as your fundamental interests or rights take precedence (Article 6(1)(f) of the GDPR).
  Data Retention Policy: The data may be stored for up to three years after the termination of the contractual relationship between the parties.
4. Responding to Your Specific Requests: The data voluntarily provided through completion of the forms on the company’s website will be used to respond to your specific requests for information and/or services. Providing data marked with an asterisk (*) is mandatory, while providing additional data is optional. The Data Subject is solely responsible for the accuracy and/or completeness of the data provided.
  Legal Basis for Processing: Processing is carried out to fulfil a user’s request and is based on the execution of a contract or of pre-contractual measures (Article 6(1)(b) of the GDPR).
  Data Retention Policy: Your data will be kept for the time strictly necessary for the purposes for which it was collected. For unfulfilled requests, data will be stored for no more than 90 days.
5. Sending of Notices or Invitations to Events/Conferences: Your data may be processed in order to send you notices – via e-mail through circulars and/or newsletters – regarding topics of interest and/or services provided by the Firm, as well as invitations to events or conferences. At the time of collection and on occasion of each notice sent, you will be informed of the option to object to the processing at any time, easily and at no cost.
  Legal Basis for Processing: Your consent as the Subject of the data being processed (Article 6(1)(a) of the GDPR).
  Data Retention Policy: Your data may be stored until the revocation of your freely given consent.
  If the Controller intends to process your data for purposes other than those described above, he/she is obligated to inform you of these additional purposes before carrying out the processing.
Nature of Data Provision
The provision of data for the purposes referred to in points a), b), c), and d) is mandatory as it is required to fulfil legal and contractual obligations. Any refusal to provide this data or any subsequent lack of authorisation for its processing may make it impossible for the Controller to proceed with the existing contractual relationship.
The provision of data for the purpose referred to in point e) is, however, optional and failure to provide this data or authorize its processing will result in the inability to carry out the indicated activities.
Data Processing Methods
In relation to the aforementioned purposes, the Firm processes data, in compliance with the security measures specified in Article 32 of the GDPR, using manual, computer, and telematic tools designed to store, manage, and transmit the data solely for the purposes for which it was collected and, regardless, in such a way as to ensure its security and confidentiality, as well as comply with the principles of propriety, legality, and transparency.
Scope of Data Disclosure
Your data may be made accessible to:
1. employees and collaborators of the Controller in their capacity as persons authorised and/or delegated to process data and/or system administrators;
2. external third parties who, on behalf of the Controller, perform outsourcing activities for supportive, administrative, accounting, or tax purposes or for purposes related to the management of the consultancy/supply relationship, specifically appointed by the Controller as external Data Processors pursuant to Article 28 of the GDPR;
3. supervisory bodies, judicial authorities, and all institutional entities to whom communication is mandatory by law for the fulfilment of the aforementioned purposes.
Transfer of Data to a Third Country or an International Organization
Personal data is processed within the European Union and stored on servers located there. It is understood, however, that the Controller, if necessary, may transmit this data to a third country or international organisation and/or move the servers outside of the EU. In this case, the Controller ensures forthwith that the transfer of data outside the EU will be carried out in accordance with applicable legal provisions as provided in Articles 44 and following of the GDPR.
Rights of the Data Subject
Finally, the Firm informs you that, according to privacy regulations (articles 15-22 of the GDPR), you may exercise specific rights at any time and, in particular, you may request the following from the Controller:
1. Right of Access or rather the ability to obtain confirmation, from the Controller, of whether or not the processing of personal data is taking place and, if so, to access your personal data;
2. Right to Rectification, including the right to have incomplete personal data completed;
3. Right to Erasure of data promptly and obligatorily upon the Data Subject’s request in the event that:
  - the personal data is no longer necessary for the purposes for which it was collected;
  - the consent on which the processing is based is revoked and there are no other legal grounds for the processing;
  - the personal data has been processed unlawfully;
  - the personal data must be erased to comply with a legal obligation under EU law or the law of a member state;
  - the Data Subject objects to the processing and there are no overriding legitimate grounds for the processing, or the Data Subject objects to the processing as per the cases specified in Article 21(2) of the GDPR (personal data processed for direct marketing purposes).
4. Right to Restriction of Processing where the accuracy of the personal data is contested by the Data Subject (for the period of time necessary to the Controller to verify the accuracy of the same personal data) or where the processing is unlawful and/or the Data Subject has objected to the processing and requested the restriction of its use;
5. Right to Data Portability which gives the Data Subject the right to receive their personal data from the Controller in a a structured, commonly used, and machine-readable format and to transmit this data to another Controller, only in cases in which the processing is based on consent and is carried out by automated means;
6. Right to Object to the Processing of Personal Data subject to the Controller’s right to demonstrate the existence of legitimate grounds for proceeding with the processing regardless;
7. Right to Withdraw Consentat any time, where processing is based on explicit consent, without affecting the lawfulness of the processing which took place up until it was withdrawn;
8. Right to Lodge a Complaint With a Supervisory Authorityof the member state in which one resides or works, or of the state in which the alleged violation occurred, without affecting one’s right to seek other administrative or legal remedies if one’s personal data has been processed in violation of the aforementioned regulations.

If you believe that the processing of your personal data violates privacy regulations or that the Controller has not complied with his/her obligations related to the exercise of the aforementioned rights, then you have the right, under Article 77 of the GDPR, to lodge a complaint with the supervisory authority in the member state where you habitually reside or work, or where the alleged violation occurred. Any other administrative or judicial remedy remains unaffected.

If you wish to obtain more information about data processing and exercise any of the above mentioned rights, you can send a written request using the contact methods provided in the “Data Controller” section of this privacy policy. In the event that you request information regarding your data, the Controller will respond as soon as possible – unless this proves impossible or involves a disproportionate effort – and regardless no later than within thirty days after the request. Any impossibility or delay on the part of the Controller in fulfilling the requests will be adequately justified.