POLICY ON THE PERSONAL DATA PROTECTION
Below, the Data Controller sets out the Policy, pursuant to Articles 12, 13 and, if required, 14 of the GDPR, on the processing of personal data provided by the Customer/potential Customer by completing and entering into the Contract (or through communications preliminary to it) to purchase the products/services offered for sale by the Data Controller, or by spontaneously sending personal data by e-mail, fax or telephone.
Dear Customer,
Nex Medical Antiseptics s.r.l is committed to being transparent also regarding the data we collect, the way we use it and the people we share data with. It is our will to make sure that our customers choose us for the guarantees of experience, ability and reliability to ensure full compliance with the current provisions on data protection, including the security profile.
Given the above, we inform you that the current contractual relationship involves the processing of your personal data. Your personal data will be used only for the purposes and the methods shown below.
DATA CONTROLLER
The Data Controller of personal data is NEX MEDICAL ANTISEPTICS S.R.L., Via per Arluno 37/39, 20010 Casorezzo (MI), Tel. +39 02 9029 7821 Fax. +39 02 9038 3137 Email: info@nexmedical.com – VAT 08555480964
PURPOSE AND LEGAL BASIS OF THE PROCESSING
The personal data provided are collected for the execution of pre-contractual measures taken at the request of the Customer and for the execution of a contract of which the Data Subject is a party, as defined by the contractual agreements including ancillary and auxiliary activities (accounting, administrative, organizational, management) as well as for the fulfillment of legal, accounting and tax obligations.
- Consulting and Services Division
The processing, limited to the services and tasks outsourced, may concern personal data for the provision of business assistance services in the areas of regulation, logistics, privacy, management systems, environment and hygiene.
The legal basis that legitimizes the processing is therefore contractual (execution of pre-contractual agreements at the request of the Data Subject or of a contract of which the Data Subject is a party) and for the fulfillment of legal obligations. The Data Controller may use the data provided to exercise the legitimate interest in recovering any credit.
- Sales Division
The processing, limited to sales and tasks outsourced, may concern personal data for the management of sales of corporate products.
The legal basis that legitimizes the processing is contractual (execution of pre-contractual agreements at the request of the Data Subject or of a contract of which the Data Subject is a party) and for the fulfillment of legal obligations. The Data Controller may use the data provided to exercise the legitimate interest in recovering any credit.
DATA PROCESSED
In addition to any personal data referring to the Customer (personal data, bank details), the execution of the contract may entail the processing of data concerning the Customer’s ownership referred to third parties (workers, contractors, etc.). The processing of such data will be governed by the contract/legal act by which the Customer will appoint Nex Medical Antiseptics s.r.l as responsible for the processing of such data.
If the contract includes the possibility of processing particular categories of personal data (Article 9 of the Reg.), with particular reference to data on health status for the management of incident reporting in the use of company products, the Customer undertakes to have acquired the consents of the Data Subjects in accordance with the current legislation and certifies that they are kept at its premises.
These data will not be disclosed to third parties, except to fulfill any specific legal obligations.
For the Post Market Surveillance/Supervision service, the health data are processed exclusively by the Supervisor, who was appointed as sole Data Processor.
INTERNAL/EXTERNAL PROCESSING MANAGER
The personal data collected for the performance of the activities defined by the contractual agreements may be disclosed to, and then processed upon specific appointment by:
– third parties in charge of accounting/administrative management (by way of example: administrative accounting consultants and firms, banking institutions), credit recovery and any third-party entities for the purposes of the law.
– We also inform you that Nex Medical Antiseptics srl takes advantage of application services, with the relevant databases, Hosting Solutions (webmail – data center located in the EU), HR Portal and Ad Hoc (management software – data center located in the EU), Team Viewer (remote access), Aruba (certified webmail – data center located in the EU)
The recipients listed above are appointed as Data Processors. Nex Medical Antiseptics s.r.l does not authorize processing in third countries without adequate guarantees. The Data Subject can ask the owner, at any time, for the names of the recipients of personal data.
Nex Medical Antiseptics s.r.l will also define in writing, and from the point of view of the essential principles established by current legislation, internal persons authorized to process personal data under their direct authority. Nex Medical Antiseptics s.r.l undertakes to qualify the designated Internal Managers also in view of the guarantees provided to protect the confidentiality of data. Specifically, the Internal Managers for personal data relating to Customers/potential Customers: Management, sales personnel, regulatory staff.
STORAGE PERIOD
The collected data will be processed using electronic or automated, computerized and telematic means, or through manual processing with logic strictly related to the purposes for which the personal data were collected and, in any case, in such a way as to guarantee their security.
The processing of data will last from the beginning of the business relationship until the end of the mandate given by the customer, increased up to 10 years.
LEGITIMATE INTERESTS
The legitimate interests of the Data Controller or third parties may constitute a valid legal basis for processing, provided that the interests or the essential rights and freedoms of the Data Subject do not prevail. In general, such legitimate interests may exist when there is a relevant and appropriate relationship between the Data Controller and the Data Subject concerned, for example when the Data Subject is a customer of the Data Controller. In particular, it is the legitimate interest of the Data Controller to process personal data of the Customer/Data Subject: for fraud prevention purposes, for direct marketing purposes, to ensure the free circulation of the same data within the business group to which the Data Controller belongs, or relating to traffic, in order to ensure network and information security, that is to say the ability of a network or a system to resist unforeseen events or illegal acts that could jeopardize the availability, authenticity, integrity and confidentiality of data.
ESSENTIAL RIGHTS OF THE DATA SUBJECT
The Data Subject, pursuant to Art. 15 of EU Regulation 679/2016, has the right to obtain from the Data Controller confirmation as to whether or not personal data concerning him/her are being processed and, in this case, to obtain access to his/her personal data and the following information: purposes of processing, categories of personal data, categories of recipients to whom the data were or will be disclosed, the storage period of the data or the criteria used to determine such period.
The Data Subject also has the right: pursuant to Art. 16, to obtain from the Data Controller the correction of inaccurate personal data concerning him/her, without unjustified delay; pursuant to Art. 17, to obtain from the Data Controller the cancellation of personal data concerning him/her without unjustified delay; pursuant to Art. 18, to obtain from the Data Controller the limitation of processing when one of the following hypotheses occurs:
- a) the Data Subject disputes the accuracy of personal data for the period necessary for the Data Controller to verify the accuracy of such personal data;
- b) the processing is illegal and the Data Subject opposes the cancellation of personal data and asks instead that their use is limited;
- c) although the Data Controller no longer needs them for processing purposes, personal data are necessary for the Data Subject to verify, exercise or defend a right in court;
- d) the Data Subject has opposed the processing pursuant to Article 21 (1), pending verification of any prevalence of the legitimate reasons of the Data Controller with respect to those of the Data Subject;

pursuant to Art. 20, to receive personal data concerning him/her in a structured format, commonly used and readable by automatic device; pursuant to Art. 21, to oppose at any time the processing of personal data concerning him/her for marketing purposes (commercial communications sent by the owner).
To exercise his/her rights, the Data Subject can send a specific request to info@nexmedical.com. The holder will inform him/her of the receipt and will respond to his/her request within 72 working hours.
Pursuant to Art. 19, the requests relating to the rights referred to in Articles 16, 17 and 18 will be sent by the Data Controller to the recipients shown above.
The Data Subject also has the right to lodge a complaint with the competent supervisory authority.
NEED AND CONSEQUENCES TO REFUSE PERSONAL DATA
Failure to provide data for the purposes shown above will prevent the Data Controller from sending the requested commercial information.
The Data Controller will review the information in the event of a change in the processing methods listed or due to regulatory requirements.
To this end, the Data Controller invites the Data Subject to frequently consult its website www.nexmedical.com.
For all the definitions, please refer to the binding standard with particular reference to the European Regulation 679/2016.
Casorezzo, 17 May 2018
The Management
(Eng. Silvio Daneluzzi)