In accordance with Art. 13 EU Regulation 2016/679
Dear Data Subject,
the Datrix Group considers the protection of the personal data of its current and/or potential users to be of fundamental importance.
With this document (the ‘Privacy Policy’), we would like to renew our commitment to ensuring that the processing of your personal data collected while browsing our platform is carried out in full compliance with the protections and rights recognised by Regulation (EU) 2016/679 (“GDPR” or the “Regulation”) and Legislative Decree 196/2003 (“Privacy Code”), as amended and supplemented, as well as by further applicable regulations on the protection of personal data.
The term personal data refers to the definition contained in Article 4, paragraph 1 of the Regulation, namely “any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (the “Personal Data”).
This Privacy Notice describes the methods for managing the website https://datrixgroup.com (the “Website”) with reference to the processing of users’/visitors’ Personal Data.
The purpose of this Privacy Policy- drawn up on the basis of the principle of transparency and including all the elements required by Art. 13 of the Regulation – is to provide, in a simple and intuitive manner, all the useful and necessary information so that the provision of personal data can be provided in a conscious and informed manner and, in the event of a change in circumstances, all the rights provided for by the GDPR may be exercised.
THE DATA CONTROLLER
Pursuant to Article 26 of the Regulation, the companies that will process your Personal Data for the purposes indicated in this Notice and that will therefore act as data controllers or, where applicable, joint controllers, are the companies belonging to the Datrix Group, in particular:
Datrix S.p.A., registered office at Foro Buonaparte no. 71, 20121 – Milan, VAT no. 08417670968.
3rdPlace S.r.l., registered office at Foro Buonaparte no. 71, 20121 – Milan, VAT no. 04838460964.
PaperLit S.r.l., registered office at Foro Buonaparte no. 71, 20121 – Milan, VAT no. 03297020921.
ByTek S.r.l., registered office at Foro Buonaparte no. 71, 20121 – Milan, VAT no. 13056731006.
(individually the “Controller”, jointly the “Datrix Group”).
The Datrix Group has entered into a joint controllership agreement under which the individual companies undertake to jointly:
• determine certain purposes and means of processing your Personal Data;
• establish, in a clear and transparent manner, the procedures for promptly responding should you wish to exercise your rights, as provided for in Articles 15, 16, 17, 18 and 21 of the Regulation, as well as in cases of data portability pursuant to Article 20 of the Regulation;
• define this Notice in the sections of common interest, indicating all information required by the Regulation.
The essential content of the agreement is available from the Datrix Group and may be provided upon specific request by the Data Subject using the contact details indicated in this Notice.
THE DATA PROTECTION OFFICER
The Data Controller, in order to facilitate relations with Data Subjects, has appointed its Data Protection Officer (the “DPO”), identifying SAPG Legal Tech S.r.l., with registered office in Corso Europa n. 7, 20122 – Milan.
Pursuant to Article 39 of the Regulation, the DPO is required, among other things, to:
• inform and advise the Datrix Group and employees carrying out processing operations regarding obligations arising from the Regulation and other applicable data protection provisions;
• monitor compliance with the Regulation, applicable laws and internal policies regarding the protection of Personal Data;
• provide support in responding to Data Subjects;
• cooperate with the competent Supervisory Authority.
As provided for in Article 38 of the GDPR, the Data Subject may freely contact the DPO for all matters relating to the processing of Personal Data and/or in case he/she wishes to exercise his/her rights as provided for in this Notice, by sending a written communication to the e-mail address: dpo.privacy@sapglegal.com.
TYPES OF DATA PROCESSED AND PURPOSES
The Personal Data collected by the Controller for the purposes described below may include:
• common data: first name and surname;
• contact data: email address and telephone number;
• professional data: job role, department, internal communications;
• IT and browsing data: IP addresses, access logs, online identifiers;
• financial data: bank details and IBAN.
No special categories of personal data referred to in Article 9 of the Regulation are processed, except for any data voluntarily included in CVs submitted by applicants.
Personal Data may be processed according to the following purposes and related legal bases.
- Improving the browsing experience and monitoring the proper functioning of the Site.
The information systems and software procedures used to operate the platform acquire, during their normal course of operation, certain personal data whose transmission is implicit in the use of Internet communication protocols.
This category of data includes, by way of example, your information relating to: your IP address, operating system, access time, time spent on the individual page, internal path analysis, other parameters relating to your operating system and computer environment.
This technical/informational data is collected and used exclusively in an aggregate and non-identifying manner and could be used to ascertain liability in the event of hypothetical computer crimes against the platform.
- Ascertaining, exercising or defending a right of the Data Controller in judicial and/or extrajudicial proceedings.
| The legal basis for the exercise or defence of a right of the Controller shall be that of legitimate interest, as referred to in art. 6, paragraph 1, letter f of the GDPR. |
- Direct marketing by the Data Controller.
The term refers to the conduct of promotional activities (using both automated and traditional methods) for the services of your interest provided by the Data Controller. Regarding this direct marketing purpose, it should be pointed out that, by virtue of Article 6, paragraph 1, letter f) of the Regulation and art. 130, paragraph 4, of the Privacy Code (the so-called soft spam exception), the Data Controller may carry out this activity on the basis of your legitimate interest, regardless of your explicit consent, as explained in greater detail in Recital 47 of the Regulation, which states “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. This will be possible as a result of the assessments made by the Data Controller regarding the possible and possible prevalence of your interests, rights and fundamental freedoms requiring the protection of your Personal Data over its own legitimate interest in sending direct marketing communications. Moreover, you may lawfully object at any time (even partially) to receiving promotional communications, without this affecting in any way the processing for the other purposes.
| This processing, therefore, will be legally based on the legitimate interest of the Data Controller pursuant to art. 6, paragraph 1, letter f), of the GDPR. |
- Sending the Newsletter – through automated contact methods (e.g., SMS, MMS, email, etc.) –more specifically, sending promotional and commercial communications, advertising material related to the activities including:
• inspirational content;
• reminders;
• surveys to assess satisfaction with services provided;
• personalized suggestions also based on browsing behavior.
If you wish to receive our newsletter, you may subscribe by providing your consent through an opt-in mechanism.
Should you later decide that you no longer wish to receive the newsletter, you may unsubscribe at any time by exercising your opt-out right through the dedicated link included in each newsletter or commercial message received. Alternatively, you may contact us by email as indicated in this Notice.
| This purpose of processing is justified by your optional, freely given, and revocable consent at any time (pursuant to art. 6, paragraph 1, letter a), of the GDPR). |
- Contacting us
These data are also essential for managing your requests for assistance and/or information about the services offered, existing contracts, and payments.
| This purpose of processing is legitimised by the performance of pre-contractual measures or of the contract to which you are party (pursuant to art. 6, paragraph 1, letter b) of the GDPR). |
- Applying for job positions.
Your Personal Data will be provided for the purpose of carrying out personnel selection and evaluation activities, in the interest of the Company. Data collection is done by sending information about your professional experience also in the form of a Curriculum Vitae (“CV”) through spontaneous application by filling in the form available on the dedicated page.
| This purpose of processing is legitimized for the execution of pre-contractual measures taken on the basis of your request (pursuant to Art. 6, para. 1(b), GDPR). Also pursuant to Article 111-bis, Legislative Decree 196/2003, consent is not required. |
The Data Controller, in order to proceed with generic marketing activities and those in respect of which you have given your consent, will create a personal profile for you internally in its centralised management system (CRM). Your potential request to opt-out with respect to generic marketing activities and/or the revocation of any consent you may have given does not entail the deletion of the aforementioned personal profile from CRM as well, unless you exercise your right to do so in the manner provided for in this policy in the section entitled “Fundamental rights of the data subject”. After the above mentioned storage periods, the Personal Data will be destroyed, deleted or anonymized, compatible with the technical procedures of deletion and backup and with the requirements of accountability on the part of the Data Controller.
Please note that consent is free, optional and revocable. Therefore, where under any form only one consent is required, where it is issued, it will be understood as specific for that purpose and no other purpose that provides the legal basis of the consent.
If you have given consent (in whole or in part) to the processing of your Personal Data for the purposes set out above, you may at any time withdraw it in whole and/or in part without prejudice to the lawfulness of the processing based on the consent given before withdrawal. The possible revocation of the consent will require the Data Controller to cease processing your Personal Data for these purposes. The methods of revoking consent are very simple and intuitive: you will just need to contact the Data Controller using the contact channels listed in this Policy.
Area OF COMMUNICATION AND DISSEMINATION OF DATA
Your Personal Data may be managed, on behalf of the Data Controller, exclusively by personnel expressly authorised to process them (pursuant to art. 29 of the Regulations and art. 2-quarter decies of the Privacy Code) and by third parties expressly appointed as data processors (pursuant to art. 28 of the Regulations), in order to properly perform all processing activities necessary to pursue the purposes set out in this Policy.
For illustrative purposes only, some categories of individuals to whom your Personal Data may be communicated are listed below:
• third parties carrying out processing activities and/or related instrumental activities on behalf of the Controller or the Datrix Group;
• employees and collaborators of the Controller or the Datrix Group authorized to process Personal Data.
Where required by law or to prevent or prosecute criminal offences, Personal Data may be disclosed to public authorities or judicial authorities without them being considered recipients pursuant to Article 4(9) GDPR.
To know which parties have received your Personal Data, you may contact the Controller at the email address indicated in this Notice.
PROCESSING METHODS
The data collected will be processed by means of electronic or otherwise automated, computerized and telematic tools, or by means of manual processing with logic strictly related to the purposes for which your Personal Data was collected and, in any case, in such a way as to ensure the security of the same. Your Personal Data will be kept in a form that allows its identification for as long as is strictly necessary for the purpose for which the data was collected and in accordance with the principles of proportionality and necessity.
DATA RETENTION PERIODS
The Personal Data, falling within the applicative scope of Article 2220 of the Civil Code, will be stored and processed as long as the contractual relationship with the Data Controller subsists and in any case for a period of 10 years from the termination of the contractual relationship itself after which it will be deleted, without prejudice to further storage of the same where necessary to comply with specific legal obligations, Authority orders, for the collection of outstanding debts and for the management of disputes, complaints and legal actions.
Where the data subject has provided consent for marketing and profiling purposes, data will be processed for such purposes for 24 and 12 months respectively.
In any case, Personal Data will be subject to periodic review, no longer than every 12 months, aimed at assessing their relevance to the Controller’s activities. Where Personal Data are no longer relevant, they will be promptly deleted. To ensure that your Personal Data is always accurate and up-to-date, and in any case relevant and complete, please notify us of any changes that have occurred to the Controller’s contact details.
TRANSFER TO THIRD COUNTRIES
Your Personal Data will be processed by the Controller within the territory of the European Union and stored on servers located within the European Union.
Should it become necessary, for technical and/or operational reasons, to use entities located outside the European Union, such entities will be appointed as data processors pursuant to Article 28 GDPR and the transfer of Personal Data will take place in compliance with Chapter V GDPR.
Therefore, all necessary precautions will be taken in order to ensure the fullest protection of your Personal Data by basing such transfer: a) on adequacy decisions of third country recipients expressed by the European Commission; b) on adequate safeguards expressed by the third party recipient pursuant to Article 46 of the Regulation; c) on the adoption of binding corporate rules, so called binding corporate rules; d) on standard contractual clauses approved by the European Commission.
In any case, the Data Subject may request more details from the Data Controller if the Personal Data provided has been processed outside the European Union, requesting evidence of the specific safeguards adopted.
FUNDAMENTAL RIGHTS OF THE DATA SUBJECT AND HOW TO EXERCISE THEM
Pursuant to Article 15 of the Regulations, you have the right to obtain from the Data Controller confirmation as to whether or not Personal Data relating to you is being processed and, if so, to obtain access to the Personal Data and the following information: (i) purposes of the processing; (ii) categories of Personal Data; (iii) categories of recipients to whom the data has been or will be disclosed; (iv) data retention period or the criteria used to determine this period.
You also have the right:
– pursuant to Article 16, to obtain from the Controller the rectification of inaccurate Personal Data concerning you, without undue delay;
-in accordance with Article 17, to obtain from the Data Controller the right to erasure of Personal Data concerning him/her;
– pursuant to Art. 18, to obtain from the Data Controller the restriction of the processing when one of the following cases occurs: a) the Data Subject disputes the accuracy of the Personal Data, for the period necessary for the Data Controller to verify the accuracy of such Personal Data; b) the processing is unlawful and the Data Subject objects to the deletion of the Personal Data and requests instead that its use be restricted: (c) although the Data Controller no longer needs it for processing purposes, the Personal Data is necessary for the Data Subject to establish, exercise, or defend a right in court; (d) the Data Subject has objected to the processing pursuant to Art. 21(1), pending verification as to whether the Data Controller’s legitimate reasons prevail over those of the Data Subject;
– pursuant to art. 20, to receive Personal Data concerning you in a structured, commonly used and machine-readable format;
– pursuant to Article 21, to object at any time to the processing of Personal Data concerning you. (commercial communications sent by the Data Controller).
To exercise your rights, you may send a request to: privacy@datrixgroup.com.
We will inform you that we have received it and will follow up on your request without undue delay.
You may also contact the DPO of the Datrix Group at any time using the contact details provided in this Notice.
In any case, if you believe that the processing of Personal Data is contrary to the Privacy Regulations, you also have the right to lodge a complaint under Article 77 GDPR to the competent supervisory authority based on your habitual residence or the place of violation of your rights.
