PRIVACY AND PERSONAL DATA PROCESSING

Privacy notice within the meaning of art. 13 of European Regulation 2016/79 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data

Fattoria San Michele a Torri Società Agricola S.r.l.., with registered office in Via di San Michele n. 36, Scandicci (FI) Italy, Tax Code and VAT no. 06274470480 (hereinafter, “Controller”), in its capacity of data Controller, informs you, pursuant to art. 13 of Regulation (EU) no. 2016/679 (hereinafter, “GDPR”) that your data will be processed lawfully, fairly and transparently with the methods and for the purposes set out below:

1. Purposes and methods of data processing.

1.1 Your data are acquired by the Controller directly from the data subjects, and are processed:

A) without your explicit consent (art. 6 b), GDPR), for the following Purposes: – to enter into contracts for the services offered by the Controller; – to fulfil pre-contractual and tax obligations deriving from the company’s relationships with you; – to comply with obligations laid down by law, regulations, European law or orders issued by the Authority (e.g. on anti-money laundering); – to exercise the Controller’s rights, for example the right of defence in Court;

B) with your prior, specific and separate consent (art. 130 Privacy Code and art. 7 GDPR), for the following Marketing Purposes:

– to send you by email, mail and/or SMS text messages and/or phone calls, any newsletters, business communications and/or advertising material on products or services offered by the Controller and for customer satisfaction surveys;

– to send you by email, mail and/or SMS text messages and/or phone calls, any business and/or promotional communications of third parties (e.g. business partners).

The data collected are processed as part of the ordinary agricultural activity with cultivation of the fund and production and sale of agricultural products, for the following purposes: a) to establish relationships with its Customers (formalisation of Pre-orders), in particular to fulfil contractual, accounting and tax obligations established by law; b) to offer, promote and/or sell agricultural products with retail and wholesale and of any partner companies, whether using traditional communications or automated systems, in particular to send updated information on products bought.

1.2 Personal data are processed using manual, electronic, computerised and telematic tools, with logics that are strictly connected with the said purposes and, in any case, in compliance with the precautions, guarantees and necessary measures required by the applicable rules, designed to ensure the confidentiality, integrity and availability of Data and to avoid any material or non-material damages (e.g. loss of control over personal data or limitation of rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage). Personal data are processed on the basis of the data held by the Contrtoller and with your commitment to report promptly any correction, addition and/or update.

You may withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of previous processing operations.

The Controller, as far as necessary to pursue the purposes set out in paragraph 1, may acquire data which are defined by the Regulation as special data (e.g. data revealing racial or ethnic origin, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation). These special data may be processed with the Data Subject’s explicit consent: i) where processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent; ii) where processing relates to personal data which are manifestly made public by the Data Subject ; iii) to establish, exercise or defend legal claims: iv) where processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject; v) where processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3 of GDPR; vi) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy; vii) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 of GDPR based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject; viii) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law.

In any case, any special data acquired will be processed in strict accordance with the Regulation and with any general and special measures adopted in this respect by the Supervisory Authority and, in any case, with the utmost confidentiality. Special data may not be disseminated and may communicated to the recipients referred to in paragraph 5 solely to pursue the declared purposes and in accordance with the obligations of confidentiality indicated above.

The Controller will process personal data for the time necessary to fulfill the purposes referred to above and in any case for no more than 10 years from termination of the relationship for Service and Marketing Purposes. Upon expiry of this period, the Data will be cancelled or transformed into anonymous form, unless they need to be kept to meet statutory obligations or to fulfil orders issued by Public Authorities and/or Supervisory Bodies.

2. Nature of data supply.

Without prejudice to the data subject’s personal autonomy, the supply of data indicated as required in the form is strictly necessary to achieve the purposes referred to in paragraph a) point 1.1.

3. Consequences of refusal to provide personal data.

The refusal to supply data indicated as required will result in: the impossibility to establish or continue the relationship, or to carry out given operations, if your data are necessary to perform the relationship or the operation; the impossibility to carry out given operations that require the communication of data to subjects that are functionally related to the performance thereof; the non-communication of data to subjects who engage in further activities, not functionally related to performance of the relationship.

4. Access to, communication and dissemination of data.

The personal data collected with the methods described herein may be communicated to companies related to the Controller, in particular to public Entities and Authorities, Controller’s professionals and/or consultants, in order to fulfil statutory obligations. People in charge of processing requests may acquire knowledge of such data. The said data shall not be disclosed.

5. Data transfers

Personal data are stored on physical or virtual servers, either internal or external, or on paper archives located at the offices of Sigma Gi S.r.l.. In so far as necessary to achieve the purposes referred to in paragraph 1, the Data Subject’s data may be transferred abroad to Countries/organisations outside the EU which ensure an adequate level of protection according to the European Commission or in any case on the basis of other appropriate safeguards, such as a contract or the Standard Contractual Clauses adopted by the European Commission for countries that do not ensure an adequate level of protection.

A copy of any Data transferred abroad and the list of Countries/organisations outside the EU to which Data have been transferred, can be requested to the Controller by using the contact details referred to in paragraph 8 below.

6. Nature of data supply and consequences of the refusal to answer.

6.1 The supply of data for the purposes referred to in art. 1.1A) is required. In their absence, we will be prevented from ensuring the Services referred to in art. 1.1A).

6.2 The supply of data for the purposes referred to in art. 1.1B) is optional. You may thus decide not to supply any data or may subsequently refuse the processing of data previouly supplied; in this case, you will not receive any SMS text messages, newsletters, business communications and advertising material concerning the Services offered by the Controller. In any case, you will continue to be entitled to receive the Services referred to in art. 1.1A).

7. Rights of the data subject

In your capacity of data subject, you may exercise the rights granted by art. 15 GDPR; specifically:

i. you may obtain confirmation as to whether or not personal data concerning you are being processed, even if not yet recorded, and their communication in an intelligible form;

ii. you may obtain information on: a) on the source of your personal data; b) the purposes and methods of processing; c) the logics applied in case of electronic processing; d) the identity details of the controller, processors and the designated representative within the meaning of art. 3 paragraph 1 GDPR; e) the subjects or categories of subjects to whom personal data may be communicated or who may acquire them in their capacity of designated representative in the State territory, processors or persons in charge;

iii. you may obtain: a) the updating, rectification or, where interested therein, the integration of data; b) the cancellation, transformation into an anonymous form or blocking of data processed against the law, including those whose storage is not necessary for the purposes for which the data were collected or subsequently processed; c) the confirmation that the operations described in letters a) and b) have been brought to the knowledge, even as regards their content, of those to whom the data have been communicated or disseminated, unless this proves impossible or it involves a manifestly disproportionate effort compared to the protected right;

 iv. you may object, in whole or in part: a) on legitimate grounds, to the processing of your personal data, even where pertaining to the purpose of collection; b) to the processing of personal data concerning you for the purpose of sending advertising or direct sales material or for market surveys or commercial communications using automated call systems without an operator, emails and/or traditional marketing methods (phone and/or mail). It should be noted that the data subject’s right of objection, set out in point b) above, for the purpose of direct marketing using automated methods, extends to traditional ones; in any case, it does not prejudice the data subject’s right to object even only in part. Therefore, the data subject may decide to receive only communications using traditional methods or only automated communications or none of the two types of communication. Where applicable, the data subject has the rights granted by art.s 16-21 GDPR (Right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object), as well as the right to lodge complaints with the Supervisory Authority.

The rights in question may be exercised, also through a representative of the data subject, by sending a request to the Controller, by registered letter or email, to the registered email address fattoriasanmichele@registerpec.it.

8. Controller and Processors

The Controller is: Fattoria San Michele a Torri Società Agricola S.r.l., acting through its legal representative, Paolo Nocentini domiciled for his office at the registered office of the Company in Via di San Michele n. 36, Scandicci (FI) Italy. The up-to-date list of processors and persons in charge of processing is kept at the registered office of the Controller. The Controller has not appointed a Data Protection Officer since it is not required to do so.

See also Cookies Policy