It should be noted, as of now, that the reserved sections of this website are not intended to be used by persons under the age of sixteen years, to whom is therefore posed prohibition to create an account or otherwise provide its own personal information.
INFORMATION ON THE PROCESSING OF PERSONAL DATA
Articles 12-13 EU Regulation n. 679/2016
INFORMATION AND CONTACT DETAILS OF THE CONTROLLER
Art. 13, paragraph 1(a), EU Regulation n. 679/2016
LABELADO s.r.l., whose registered office is at Corso Asti 8/A, 12051 Alba (CN), VAT n° 03767650041
Contact details of the Controller:
Contact details of the Data Protection Officer:
The Controller business activities do not comply with the hypotheses provided by art. 37 of EU Regulation n. 679/2016.
LABELADO s.r.l., an Italian company whose registered office is at Corso Asti 8/A, 12051 Alba (CN), VAT n° 03767650041, as the Controller of your personal data (hereinafter also "Controller"), informs you, within the meaning of Articles 12 and 13 of EU Regulation n. 679/2016 (General Data Protection Regulation, henceforth called for brevity "GDPR"), that your personal data will be processed by subjects specifically authorized to and limited to the purposes and with the means specified hereafter, with reference to the functionality of the website www.labelado.com.
Object and purposes of the processing
The Controller informs you that it will process your personal data, and specifically:
(i) Your identifying personal common data - such as name and surname, address, tax code, telephone/fax number/email;
(ii) Your accounting, tax, credit card and banking data;
(iii) Your identifying IP addresses and/or domain names,
in accordance with the purposes and means, as defined and specified here below.
The website users’ personal data, as described above, will be subject to processing in the ways and in the forms prescribed by the GDPR for the carrying out of specific functionalities of the website http://www.labelado.com, with particular and specific reference to:
(1) the procedures provided for data collection, concerning the registration and login filling form to the reserved area of the website "Register a new user", functional to the purchase of products and services offered by the Controller, on Registration page;
(2) the procedures provided for data collection, concerning the subscribe filling form to the newsletter of the Controller, in the specific section "Subscribe to newsletter";
(3) the procedures provided for data collection, concerning the product samples sending request filling form, in the specific section "Request a sample";
(4) the procedures provided for data collection, concerning the products and services information request filling form, in the specific section "Information Request".
In particular, the personal data provided by yourself, as data subject, to the Controller, will be processed for the pursuit of the following purposes:
a) To allow the registration to the reserved area of the website, in order to be able to take advantage of the services reserved to registered users, “Fidelity Coins” service included, and with specific reference to the possibility of making online purchases through the e-commerce website http://www.labelado.com;
b) To allow the sending of product samples on specific request, in particular through the section "Request a sample", and then to allow the possible conclusion of a contract for the purchase of products and services offered by the Controller on the website and to allow the correct execution of all the operations connected to it, including the after-sale assistance activities;
c) In response to the specific requests from to the user/data subject to the Controller through the website and its instruments of communication, in particular through the section "Information Request" finalized to the vehiculation of requests for any kind of information relating to the products and services offered by the Controller on the of e-commerce website http://www.labelado.com;
d) For the purposes of direct and/or indirect marketing, especially through the section "Subscribe to newsletter", to allow sending newsletters, information about products, discount vouchers, activities and services, commercial and promotional initiatives from the Controller and from the commercial network belonging to the company itself or of third parties, signalling advertising events, and the promotion of them through letters, telephone, advertising material, communication systems, Internet; to provide statistical surveys aimed at the needs of monitoring the progress of business relations with customers, market research or measurements of the degree of satisfaction on the quality of the services rendered by the company and the activity carried out by means of personal interviews or phone calls, questionnaires;
e) For internal administrative-accounting purposes, as well as to fulfill any obligations of the national and/or European law and/or regulation;
f) To allow the administrative management of contracts, orders, deliveries and invoices;
g) To allow the management of disputes - breach of contract; caveats; transactions; recovery; arbitration; disputes and litigation;
h) To allow the exercise of the internal audit services of security, productivity, quality of services, the integrity of the assets.
This Privacy Information is effective only with reference to the above mentioned website http://www.labelado.com, but not with reference to other and different websites, accessible through links present therein, of which the Controller is not in any way the holder.
Lawfulness of processing
Apart from what is specified above for navigation data, the communication from the data subject to the Controller of the personal data, as above described, has as prerequisites for lawfulness of processing, the following legal bases:
- Art. 6, para. 1, letters (b) and (c) of GDPR, concerning the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject to entering into contact and the compliance with a legal obligation to which the Controller is subject, for the purposes referred to in points a), b), c), e), f) g), h).
- Art. 6, para. 1, letter (a) of GDPR, concerning the data subject freely given, specific, informed and unambiguous consent, withdrawn at any time, for the purposes referred to in point d).
The processing of your personal data is therefore necessary for the integral fulfilment of the purposes referred to in points a), b), c), e), f), g), h), and consequently your refusal to provide the above mentioned data may result in the failure to carry out all the functions and services of the website http://www.labelado.com.
Instead, the processing of your personal data is merely optional with regard to the completion of commercial activities and direct and/or indirect marketing referred to in point d), and therefore the possible lack of consent does not prevent the fulfilment of the other purposes as above indicated. In any case, the consent from you possibly loaned, may be from you withdrawned at any time, with the immediate effect of intermitting the connected activities and business services, without affecting the lawfulness of processing based on consent before its withdrawal.
Method of processing
The processing of the personal data communicated by yourself to the Controller is realized by means of the operations indicated in art. 4, n. 2) of the GDPR, and precisely: "collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction".
The above described personal data are subjected to automated processing for the time strictly necessary to achieve the purposes for which they have been collected, with technical and organizational measures adopted to prevent the loss of data, incorrect criminal use and/or unauthorized access, and such, therefore, to ensure a level of security appropriate to the risk within the meaning of art. 32 of GDPR, by subjects specifically authorized, in compliance with the provisions of art. 29 of GDPR, i.e. employees and/or collaborators of the Controller as authorized subjects and/or system administrators, which can carry out operations of consultation, use, processing, comparison and any other appropriate operation in compliance with the provisions of the law necessary to ensure, inter alia, the confidentiality and security of data as well as the accuracy, updating and relevance of the data in relation to the purposes and methods declared.
It should be noted, in particular, that the above mentioned personal data will be processed only under the controller’s approval, except as specified below, it will be not, therefore, disseminated and, within the meaning of art. 13, paragraph 1, lett. (e), it will be processed only by authorized persons and/or any processor (in person of individual professionals and/or complex professional associations), and/or by entities that operate as autonomous controllers, the list of which is available from the Controller and is supplied after the written request from the data subject, among which ranks, explicitly, the hosting company and/or by technical personnel in charge of the management and/or maintenance of the website, but only and exclusively for the purposes above expressly and specifically indicated.
Dissemination of the data
In relation to the above mentioned purposes, the provided personal data will or may be communicated to the following subjects and/or categories of subjects listed below, or will or may be communicated to companies and/or to persons, providing services, also external, on behalf of the Controller.
First of all, it should be noted that, together with the order you will place, your personal data will be transmitted to the printers with which the Controller currently runs a commercial contractual partnership, having as its object the production of the product you have purchased via the website http://www.labelado.com.
Furthermore, your personal data may be transmitted to the following subjects or categories of subjects - for the sake of greater clarity, but not limited to: professionals and consultants, also as professional firms; subjects the company relies on for the acquisition of commercial information related to contractual or precontractual requirements; companies, external subjects, banks and credit institutions, financial intermediaries not banking, insurance professionals in respect of the standard limits; individuals who perform control activities, review and certification of activities carried out by the company, possibly also in the customers’ interest; subjects that provide computer and telematic services for the management of the computer system used by the Controller and of the telecommunications networks (including the email management and websites and Internet sites - hosting - services cloud storage); the competent authorities and/or supervisory bodies for the performance of the obligations of law; lawfirms for the protection of the contractual rights; individuals who perform fulfilments of control, audit and certification of activities carried out by the Controller; fiscal consultancy companies or consultants; labor consultants; market analysis companies, marketing and advertising consulting.
This Website may share some of the data collected with IT services localized outside of Italy and of the European Union area. In particular with Google, Facebook and Microsoft also through social plugin and the service of Google Analytics. The transfer of personal data outside the EU area is authorized on the basis of specific decisions of the European Union Commision and of the Supervisory Authority for the protection of personal data; in particular, please refer to the Commission Implementing Decision (EU) 1250/2016, so that we do not need further consent, unless subsequent amendments (i.e. “Privacy Shield”: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/6109035).In any case, in the hypothesis that a personal data transfer off EU area would be necessary, the Controller, as for now, ensures, that the data transfer will be in accordance with all the provisions of applicable law, and in particular in accordance with Articles 44 - 45 - 46 - 47 - 48 and 49 of GDPR.
Retention period od data
We draw your attention to the fact that, in compliance with the principles of lawfulness of processing, purpose limitation and data conservation and minimization, within the meaning of Art. 5 of GDPR, the retention period of your personal data is established for a period not greater than the achievement of the purposes for which they were collected and processed, i.e. for the entire duration of the fulfilment of the above mentioned purposes, and therefore, exhausted the processing finality, your data will be erased from any physical and logical support.
The Controller reserves the possibility to store your personal data for a maximum period of 10 (ten) years after the date of your purchase on the website http://www.labelado.com, corresponding to the contractual limitation term, but in the latter case only and exclusively for the eventual fulfilment of law and/or administrative obligations, or for defense purposes in judgment and/or in order to assert a right in a judicial/out-of-court lawsuit.
At the end of this retention period, your personal data will be erased from any Data Base, computer application and archive, and thus from any physical and logical support.
The automated individual decision-making processes and automated profiling
The Controller informs you that:
(i) for the purposes of the personal data processing, does not avail itself of the decision-making automated processes, i.e. those directed to take decisions based solely on technological means on the basis of predetermined criteria (i.e. without the human involvement);
(ii) Under a specific consent on Art. 22, para. 2, letter (c) of GDPR on the use of first and third party profiling cookies, and under a specific consent on Art. 22, para. 2, letter (c) of GDPR, provided by yourself in order to register to the reserved area of the website, on the page /accounts/register/, and/or provided by yourself in order to submit a sending request for a product sample, will process your personal data, limited to the navigation data, as well as to certain common personal data provided before the registration to the website reserved area (i.e.: tax code, telephone number, Zip code, email address), in order to carry out profiling activities with automated means aimed to provide a more personalised service. These activities may consist specifically:
- In monitoring and tracking of user behavior (patterns) through the collection and recording of navigation data (es: visited pages, displayed product categories, if you have or not purchased a product, abandoned baskets, access device) and data purchase (e.g.: type of product purchased, frequency of purchases, amounts spent, payment);
- In the analysis and processing of navigation data, where provided, together with the common data communicated by the user before the registration to the website as mentioned above, in
Information on the processing of personal data order to display banners with personalized offers to the user, as well as in order to identify and offer, as a result of the user registration on the website, products considered to be of greater potential interest for the user itself.
The profiling activity carried out by the Controller is exclusively aimed to provide the user with customized products and services and, then, a better and more complete use experience of the website http://www.labelado.com, and does not produce legal effects affecting significantly on the person.
Rights of data subject
Right of access ex art. 15 of the GDPR and Right to rectification ex art. 16 of the GDPR
As the data subject, within the meaning of Art. 15 of the GDPR, you have the right to obtain from the Controller the confirmation of the existence or not of a personal data processing concerning yourself, to obtain access to them and to all the information referred to in Article 15, paragraph 1, letters (a) to (h), by release of the copy of the processed data in structured, of common use, readable by automatic device and interoperable format.
Pursuant to Art. 16 of the GDPR, you also have the right to obtain from the Controller the rectification and/or integration of the processed data, if they are not accurate and/or updated and/or incorrect and/or incomplete.
Right to erasure ex art. 17 of the GDPR and Right to restriction of processing ex art. 18 of the GDPR
As the data subject, you have the right to obtain, without undue delay, from the Controller, exclusively in the cases referred to in Art. 17, paragraph 1, letters (a) to (f), of the GDPR, the erasure of the data concerning yourself - with the exception of specific cases provided for by Art. 17, paragraph 3.
As the data subject, within the meaning of Art. 18, paragraph 1, letters (a) to (d) of the GDPR, you have the right to request and obtain from the Controller the restriction of processing of your personal data, i.e. that such data are not subjected to additional processing and can no longer be modified. The Controller ensures, as for now, that the restriction of processing will be carried out by technical devices adapted to ensure their inaccessibility and immutability.
According to the Art. 19 of the GDPR ("Notification obligation regarding rectification or erasure of personal data or restriction of processing"), the controller communicates any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.
The Right to data portability ex art. 20 of the GDPR
As the data subject, you have the right to receive, within the meaning of Art. 20 of the GDPR, from the Controller, the personal data concerning yourself, whose processing is performed by automated means, in a structured, commonly used and machine-readable format, and you also have the right to transmit such data to another controller, i.e. to obtain from the Controller, where technically feasible, the direct transmission of such data to another controller specifically identified.
Right to object ex art. 21 of the GDPR
You have the right to object in any moment to the processing of personal data concerning yourself, for reasons related to your particular situation, in cases where the processing of your personal data is necessary (1) for the execution of a task in the public interest and/or connected to the exercise of public powers which is invested the Controller; (2) for the pursuit of a legitimate interest of the Controller or of a third party; (3) for profiling activities performed by the Controller on the basis of the preceding points.
You also have the right to object to the processing of your personal data for reasons related to your particular situation, where the personal data are processed for scientific or historical research or for statistical purposes, in accordance with Article 89, paragraph 1. of the GDPR, except when the processing is necessary for the execution of a public interest task.
Automated individual decision-making, including profiling ex art. 22 of the GDPR
1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
2. Paragraph 1 shall not apply if the decision:
- is necessary for entering into, or performance of, a contract between the data subject and a data controller;
- is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
- is based on the data subject's explicit consent.
3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.
In the event that a violation, theft and/or loss of personal data subjected to processing occurs, the Controller applies the following Articles 33 and 34 of the GDPR:
Notification of a personal data breach to the supervisory authority ex art. 33 of the GDPR
1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
3. The notification referred to in paragraph 1 shall at least:
- describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- describe the likely consequences of the personal data breach;
- describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
4. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
5. The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.
Communication of a personal data breach to the data subject ex art. 34 of the GDPR
1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
4.5.2016 L 119/52 Official Journal of the European Union EN
2. The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).
3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:
- the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
- the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;
- it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
4. If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.
How to exercise the rights
You may exercise the rights as listed above by request to be sent to the following email address firstname.lastname@example.org or by registered letter with return receipt to the following address "LABELADO s.r.l., with registered office at Corso Asti 8/A, 12051 Alba (CN)", to the attention of Mrs. Federica Artuffo, as internal referent with regard to users privacy and personal data protection.
The Controller will confirm receipt of your request and will give you the information relating to the action taken with reference to the exercise of your rights provided for in Articles 15 to 22 of the GDPR, within one (1) month after receipt of the request. If necessary, and taking into account the complexity and the number of requests, the Controller may extend this period of two (2) months after communication motivated by transmitting within one (1) month after receipt of the request.
The Controller will communicate any rectification, cancellation, limitation, opposition to all recipients, as identified by the art. 4, paragraph 1, n. 9 of the GDPR, to which such data have been transmitted, unless this proves impossible or involves a disproportionate effort.
Following the sending of your request for correction, cancellation, opposition, limitation, if the Controller has reasonable doubts about your identity will ask you more information to confirm it. These notifications will be sent via email from the following address email@example.com and they will be processed by person specifically authorized for this purpose.
If the Controller does not comply with the request within a period of one (1) month after receipt of the request, it will inform you about the reasons for the non-compliance and about your faculty to lodge a complaint with a Supervisory Authority (i.e. the Italian “Autorità Garante per la protezione dei dati personali”), as specified pursuant to Art. 13, paragraph 2, letter (d), and governed by Articles 77 ff. of the GDPR.