This Policy – pursuant to art. 13 et seq. of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter “GDPR”) – is made to inform the natural person (hereinafter “Data Subject”) about the processing of his personal data (hereinafter “Personal Data”) collected by the data controller, System Innovation s.r.l. (hereinafter “Data Controller”).
The Data Controller may modify or simply update, in whole or in part, this information by notifying the Data Subjects where necessary also through communication on the corporate website www.systeminnovation.it (“Site“).
1. Data controller
The Data Controller is: System Innovation s.r.l., with registered office in Corso Novara 10, 80143 Napoli, CF/VAT number 08000011216, registered in the Commercial Register of Naples with number REA 924460, share capital € 100.000,00 fully paid up.
For any request or report relating to the processing of personal data also for the exercise of their rights, the interested party may send a communication without formality to the following e-mail address email@example.com.
2. Categories of Personal Data processed
The Data Controller processes the following types of Personal Data provided voluntarily by the Data Subject or acquired directly by the Data Controller:
- Personal data: name, surname, date of birth, tax code, address of residence/domicile, e-mail, telephone, any further information sent by the interested party, etc.
- Tax and payment data: VAT, bank details, credit/debit card, bank account details, etc.
- Employment data: data entered in the curriculum vitae, data relating to spouse or children, social security data, health data etc.
- Special categories of data: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or union membership, as well as genetic data, biometric data intended to uniquely identify the natural person, data relating to health or sexual life or sexual orientation, collected with the consent of the data subject, authentication credentials.
- Judicial data: data relating to pending and/or defined judicial proceedings, including criminal convictions.
The provision of data by the interested party, except for data for which there is a legal obligation, is optional, but it may be a necessary requirement for the conclusion and execution of the contract with the Data Controller, and failure to provide it could make it impossible to establish or continue the relationship with the Data Subject.
The Data Subject who communicates data to the Data Controller is directly and exclusively responsible for their origin, collection, processing, communication or dissemination.
3. Legal basis and purpose of processing
The legal bases of the processing, depending on the purposes and functions, are:
a) fulfilment of pre-contractual and contractual obligations;
b) legitimate interest of the Data Controller;
c) legal obligations to which the Data Controller is subject;
d) consent of the data subject.
The following are, by way of non-exhaustive example, the activities underlying the pursuit of the purposes for which the data are collected and processed:
1) For the purposes connected, ancillary and/or instrumental to the execution of the contract to which the interested party is party, the data are processed to formulate estimates, configure commercial offers and supply the goods and services requested. More generally, the data will be processed for the management of the entire contractual relationship, including: i) pre-contractual activities (for example: analysis, estimates, etc.); ii) administrative, accounting and/or technical activities (for example: invoicing, budgets, handling of requests and complaints from the customer and any litigation, protection and possible recovery of credit, technical services, etc.); iii) communications relating to the services and goods supplied; iv) logistics and provisioning activities (for example: data entry, activation, provision, delivery and assistance relating to goods and services provided, if any); v) activities related to the fulfilment, in general, of obligations arising from the contract, national and Community laws and regulations, as well as from orders and/or requests from public and regulatory authorities.
The provision of data for these processing purposes is optional but necessary for the purpose of concluding the contract and the subsequent provision of the Services, therefore, the absence of some or all personal data necessary for these purposes, may not allow the conclusion of the contract and the complete provision of the Services or the continuation of their provision.
2) For the purposes related, ancillary and/or instrumental to the monitoring of relations with the Customer and the control of credit risks and fraud related to the Services provided, data of the Data Subject relating to any protests, injurious entries or transcripts (such as foreclosures, insolvency proceedings, seizures, mortgages, judicial claims) and chamber and balance sheet data are collected from archives and/or public registers and/or through access to the databases of authorized companies, and are processed exclusively for the purpose of verifying the creditworthiness of the Customer to protect the Data Controller’s credit reasons.
These data can also be acquired through access to the information systems of authorized companies and are processed exclusively for the purpose of verifying the reliability of the Customer and for the protection of the Data Controller’s credit reasons.
3) For purposes related, ancillary and/or instrumental to the conduct of surveys, statistical and market research, the data of the interested party are collected, processed, stored and analyzed in order to know and evaluate the opinion and the degree of satisfaction of the interested party with regard to the services provided (so-called “Customer Satisfaction”), to verify the correspondence of current and potential demand and the supply of goods and services, and to acquire relevant information for business decisions on products, distribution, and the effectiveness of advertising and promotional techniques. These activities may be carried out directly by the Data Controller or with the help of third parties.
The provision of data for these purposes is optional and may be revoked at any time by the interested party.
4) For purposes related, ancillary and/or instrumental to the fulfilment of obligations provided for by national and/or Community legislation, as well as by measures, orders and/or requests adopted by the Public Authorities and the Armed Forces entitled to do so, as well as for purposes related to the protection of public order, the detection and repression of crimes, the data subject’s data could be collected and processed to comply with the obligations.
5) For purposes related, ancillary and/or instrumental to the conduct of commercial information campaigns, sending advertising material and/or direct marketing, the processing of data may be carried out by sending advertising/information/promotional material and/or invitations to participate in initiatives, events, carried out by paper and/or electronic mail or by contact via telephone operator, including through “automated” systems.
The consent to the processing of personal data for these purposes is optional and may be revoked at any time by the Data Subject.
4. Methods of processing Personal Data
The processing of Personal Data is carried out by means of paper, computer and automated tools, which can only be accessed by the parties in charge in accordance with current legislation, with organizational methods and with logics strictly related to the pursuit of the purposes indicated in this statement and through the adoption of appropriate security measures.
Subject to the Data Subject’s explicit consent, the Data Controller does not use fully automated decision-making processes that may produce legal effects for the Data Subject. In any case, the Data Subject has the right to request a reassessment of his subjective position.
Personal data will be processed according to the principles of correctness, lawfulness, necessity, minimisation and transparency, in compliance with the rights of the Data Subject and in order to guarantee the accuracy, the security and confidentiality of the data themselves through appropriate protection measures to eliminate or reduce the risk of data breach.
5. Categories of persons to whom the data may be disclosed and who may become aware of the data in their capacity as data processors or agents
The personal data of the Data Subjects will not be disclosed to third parties and/or disseminated except for the fulfilment of the purposes described above. In particular, the Data Controller may communicate, in Italy and possibly abroad, including non-EU countries that have ensured an adequate level of protection of personal data based on an adequacy decision, on standard clauses defined by the European Commission or on Binding Corporate Rules (so-called “BCR”), the Data Subject’s personal data to third parties, entities, natural or legal persons, belonging to the following categories:
- persons appointed by the Data Controller to process Personal Data;
- subjects that operate independently as separate data controllers or by subjects designated as data processors by the Data Controller in order to carry out all the processing activities necessary to pursue the purposes referred to in this statement (for example, business partners, consultants, IT companies, service providers, hosting providers);
- subjects or entities to which it is mandatory to communicate Personal Data by legal obligation or by order of the authorities (public, judicial, regulatory, armed forces, etc.).
In order to ensure compliance with the principles set out in this Policy and to reduce the risk of violations, the Data Controller shall issue to the designated Data Processors and to the persons appointed to process the data appropriate operational instructions on the way in which the data are processed and stored and on the adoption of appropriate security measures to ensure the confidentiality and security of the data.
6. Rights of the Data Subject
Data subjects may exercise certain rights with regard to the Personal Data processed by the Data Controller.
a) RIGHT OF ACCESS BY THE DATA SUBJECT (Art. 15 GDPR)
i. The data subject has the right to obtain confirmation from the data controller as to whether or not personal data concerning him or her are being processed and, if so, to obtain access to the personal data and to information concerning: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; where possible, the envisaged retention period for personal data or, if not possible, the criteria used to determine that period; the existence of the data subject’s right to ask the data controller to correct or delete personal data or to restrict the processing of personal data concerning him or her or to object to their processing; the right to lodge a complaint with the supervisory authority; if the data are not collected from the data subject, all the information available on their origin; the existence of an automated decision-making process, including profiling pursuant to art. 22 paragraphs 1 and 4 and, at least in such cases, significant information on the logic used, as well as the importance and expected consequences of such processing for the data subject.
ii. Where personal data are transferred to a third country or an international organisation, the data subject has the right to be informed of the existence of adequate safeguards pursuant to art. 46 relating to the transfer.
iii. The controller shall provide a copy of the personal data processed. In the event of requests for additional copies from the data subject, which do not infringe the rights and freedoms of others, the controller may charge a reasonable fee based on the related administrative costs. If the data subject makes the request by electronic means – and unless otherwise indicated by the data subject – the information will be provided in electronic format.
b) RIGHT OF RECTIFICATION (Art. 16 GDPR)
The data subject has the right to obtain, from the Data Controller, the rectification of inaccurate personal data concerning him, without undue delay. Taking into account the purposes of the processing, the data subject has the right to obtain the integration of incomplete personal data, including by providing a supplementary statement.
c) RIGHT TO ERASURE – so-called “RIGHT TO BE FORGOTTEN” (Art. 17 GDPR)
Except in the cases expressly provided for by current legislation, the data subject has the right to obtain from the data controller the erasure of personal data concerning him, without undue delay, and the controller is obliged to delete the personal data without undue delay, if one of the following reasons exists:
i. Personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
ii. The data subject revokes the consent on which the processing is based, in accordance with art. 6, paragraph 1, letter a), or art. 9, paragraph 2, letter a) of the aforementioned GDPR, and there is no other legal basis for the processing itself. In this case, the interested party acknowledges that his revocation could affect the correct execution of the goods/services purchased, thus freeing the relevant seller/supplier from any liability in this regard.
iii. The data subject opposes the processing pursuant to art. 21, paragraph 1 of the GDPR and there is no overriding legitimate reason to proceed with the processing, or opposes the processing pursuant to paragraph 2 of the same art. 21;
iv. Personal data have been processed unlawfully;
v. Personal data must be deleted in order to fulfil a legal obligation under Union law or the law of the Member State to which the controller is subject;
vi. The personal data have been collected in relation to the provision of information society services under Art. 8, paragraph 1 GDPR.
d) RIGHT TO RESTRICTION OF PROCESSING (Art. 18 GDPR)
The data subject has the right to obtain the limitation of the processing, by the data controller, in one of the following cases:
i. The data subject contests the accuracy of the personal data, for the period necessary for the controller to verify the accuracy of such personal data;
ii. The processing is unlawful and the data subject opposes the deletion of personal data and requests instead that its use be restricted;
iii. Although the data controller no longer needs it for the purposes of processing, personal data are necessary for the data subject to establish, exercise or defend a right in court;
iv. The data subject has opposed the processing pursuant to Article 21, paragraph 1, of the GDPR, pending the verification of the possible prevalence of legitimate grounds of the data controller compared to those of the data subject.
If the processing is restricted pursuant to paragraph 1 of art. 18, such personal data are processed, except for storage, only with the consent of the data subject or for the establishment, exercise or defence of a right in court or to protect the rights of another natural or legal person or on grounds of major public interest of the Union or a Member State.
The data subject who has obtained the restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction is lifted.
The interested party acknowledges that the restriction of processing obtained could affect the correct execution of the goods/services purchased, thus freeing the relevant seller/supplier company from any responsibility in this regard.
e) RIGHT TO DATA PORTABILITY (Art. 20 GDPR)
The data subject has the right to receive the personal data concerning him, provided to a data controller, in a structured, commonly used and machine-readable format.
The same data subject also has the right to transmit such data to another data controller, without hindrance by the data controller to whom he has provided them, if the processing:
i. is based on consent under Article 6, paragraph 1, letter a), or Article 9, paragraph 2, letter a), or on a contract under Article 6, paragraph 1, letter b) of the aforementioned GDPR;
ii. is carried out by automated means.
In exercising their rights regarding data portability, pursuant to art. 20, paragraph 1, the data subject has the right to obtain – if feasible from a technical point of view – the direct transmission of personal data from one data controller to another.
The exercise of the right referred to in paragraph 1 of Art. 20 is without prejudice to Article 17. This right shall not apply to the processing necessary for the performance of a task in the public interest or relating to the exercise of official authority by the controller.
The right referred to in paragraph 1 shall not affect the rights and freedoms of others.
f) RIGHT TO OBJECT (Art. 21 GDPR)
The data subject has the right to object at any time, for reasons related to his particular situation, to the processing of personal data concerning him pursuant to article 6, paragraph 1, letters e) or f), of the GDPR, including profiling on the basis of these provisions. The data controller shall refrain from further processing of personal data unless he demonstrates the existence of compelling legitimate grounds for processing that outweigh the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of a right in court.
Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning him or her carried out for such purposes, including profiling to the extent that it is related to such direct marketing.
If the data subject objects to the processing for direct marketing purposes, the personal data are no longer processed for such purposes.
The right referred to in paragraphs 1 and 2 of the same art. 21, is explicitly brought to the attention of the data subject and is presented clearly and separately from any other information at the latest at the time of the first communication with the data subject.
In the context of the use of information society services and without prejudice to Directive 2002/58/EC, the data subject may exercise his right of objection by automated means using technical specifications.
To exercise their rights, data subjects can address a request, without any formalities, to the following e-mail address: firstname.lastname@example.org. Requests will be taken in charge by the Data Controller immediately and processed as soon as possible, in any case within 30 days.
Last update: 18/04/2023