Privacy Policy

SPALAUTOMOTIVE WEBSITE PRIVACY NOTICE

 IN ACCORDANCE WITH ARTICLE 13 OF REGULATION (EU) 2016/679

With specific reference to your personal data as defined under Article 4(1)(1) of Regulation (EU) 2016/679 (“General Data Protection Regulation - GDPR”) in your capacity as “Data Subject”, the enterprise, SPAL AUTOMOTIVE S.R.L., (VAT and  Tax Identification Number 01755790357), acting through its pro tempore legal representative, based in Correggio (RE), via Per Carpi, 26/B, in its capacity as “Controller” under Article 4(1)(7) of the GDPR, hereby provides you with this notice to inform you of its privacy policy and so you can understand how it manages your personal data when you use its services on www.spalautomotive.it (“Website”)

 1. Who is the Data Controller?

1.1. The “Controller” of the processing of your personal data, as specified in Article 4(1)(7) of the GDPR is the enterprise, SPAL AUTOMOTIVE S.R.L., (VAT and Tax Identification Number 01755790357), acting through its pro tempore legal representative, based in Correggio (RE), via Per Carpi, 26/B; you can contact the Controller by email at privacy@spal.it

1.2. The “Data Protection Officer”, as specified in Article 37 of the GDPR is  Sara Mandelli of BALDI & PARTNERS, who you can contact by email at dpo@spal.it     

1.3. Please note that any changes or updates to the data of the above specified Data Protection Officer will be duly published on the website of the undersigned Controller.

 

2. Nature and type of data that we collect and process.

We may collect your Personal Data because you voluntarily submitted it (e.g. when you set up a personal account in order to receive the services provided by the Controller) or simply by analysing your site browsing behaviour.

We process the following Personal Data collected via the website:

 2.1. Name, contact details and other Personal Data

In different sections of the site, particularly the section where you set up your personal account, you will be asked to enter information such as your name, surname, telephone number, email address, country of residence, address etc.

2.2 Applications

When you register in the Website section relative to applications for advertised jobs to work at Spal Automotive on the website : www.spalautomotive.it,  ("Job Opportunities”), you will be asked to provide  information such as your name, surname, telephone number, email address, date of birth, country of birth, address, education, current position and to upload your Curriculum Vitae in a dedicated field.

2.3 Browsing data

The IT systems and software procedures utilised to run this Website acquire some user-generated Personal Data as part of their normal functioning; the transmission of such data is implicit in internet communication protocols. These data are not collected to be associated with any identified data subjects; however, by their very nature, they may make users identifiable after being processed and matched with data held by third parties. This data category includes IP addresses or domain names of the computers used to connect to the Website, URI (Uniform Resource Identifier) addresses of the requested resources, the time of such requests, the method used to submit the request to the server, the size of the returned file, the numerical code of the server response status (completed, error, etc.) and other parameters relating to the user's operating system and IT environment. These data are used only to collect anonymous statistical data about use of the Website, and to make sure it is working properly, as well as to identify any abnormalities and/or misuse, and are deleted as soon as they are processed. The data may be used to investigate culpability in the event of hypothetical cybercrime against the Website or third parties: except for this possibility, the data on web contacts do not persist for more than 60 days.

 

3. Purposes of data processing

3.1. In accordance with Article 5(1)(b) of the GDPR, we hereby inform you that the Controller will process your personal data collected via the Website to:

  • provide Services, such asrequests for after-sales services for all the Spal Automotive products (“Provision of Service“);

  • examine the Applications received via the Website and select personnel(“Recruitment“);

  • comply with legal obligations that require Data Controllers to collect and/or further process certain types of Personal Data (“Compliance”);

  • prevent or detect any misuse of the Website, or any fraudulent activity and therefore enable the Data Controller to protect themselves before the courts (“Misuse/Fraud”).

4. Legal basis and mandatory and/or optional nature of processing

According to the purposes specified in paragraph 3 above, the Controller processes your Personal Data according to the following legal basis:

Provision of Service: processing for this purpose is necessary to be able to deliver the Services you request and, therefore, to perform the contract that you are a party to. You are not required to give your Personal Data to the Controller for this purpose, but failure to do so means we will not be able to provide you with the Service.

Recruitment: the Controller processes your Data for this purpose in order to consider your Application and, therefore, it is necessary to be able to launch the selection process in order to offer you a job, where applicable. You are not required to give your Personal Data to the Controller for this purpose, but failure to do so means we will not be able to consider your Application. If you wish to provide special categories of personal data (e.g. data concerning your health, religious beliefs. etc.), Spal Automotive will need your specific consent to processing such data at the bottom of your Application.

Compliance: processing in this case is necessary for the purposes of carrying out legal obligations, where applicable. When you give your Personal Data to the Controller, they must be processed according to the applicable law, which means they may be stored and disclosed to the Authorities for accounting, taxation or other kinds of legal obligations.

Misuse/Fraud: the data collected for this purpose will only be used to prevent and/or detect any fraudulent activity or misuse of the Website and therefore enable the Controller to protect themselves before the courts.

5. Recipients of your Personal Data

In order to pursue any of the purposes described in paragraph 3 above, the Controller will disclose your Personal Data to its collaborators, who will act as persons authorised to process personal data.

Furthermore, for the purposes described in paragraph 3 above, your Personal Data will be processed by third parties belonging, by way of example, to the following categories:

a) any subsidiary, parent or associated company of the Controller, including:

FISPA s.r.l., via per Carpi 26/b – 42015 Correggio (RE) Italy – VAT number 01329080350

G.F. s.r.l., via dell’Industria 1 – 42015 Correggio (RE) Italy – VAT number 00123220352

THD S.p.A., via dell’Industria 1 – 42015 Correggio (RE) Italy – VAT number 02111430357

Fregoli s.r.l., single member, via per Carpi 26/b – 42015 Correggio (RE) Italy – VAT number 02777280351

b) entities providing IT system management services, including server hosting and backup services;

c) entities that provide the Controller with tax, legal, judicial and compliance advice;

The entities listed above operate, in some cases, independently as separate data controllers, and in other cases, as data processors specifically appointed by the Data Controller in accordance with Article 28 of the GDPR.

Disclosure of your data to the above categories does not require your consent, as it is based on the legitimate overriding interest of the Data Controller, given that such disclosure is necessary for the purposes mentioned in paragraph 3 above. 

You can ask the Controller for the complete, updated list of the entities to which your Personal Data may be disclosed.

Moreover, with regard to the Provision of the Italian Data Protection Authority (Garante) made on 27 November 2008 “Misure e accorgimenti prescritti ai titolari dei trattamenti effettuati con strumenti elettronici relativamente alle attribuzioni delle funzioni di Amministratori di sistema” (Measures and mechanisms required by data processing controllers using electronic media with regard to attributing the functions of system administrator), as Data Subject you may also ask the Controller the names of the System Administrators of the operating systems containing the personal data collected.

 

The personal data processed by the Controller are not disclosed.

 

Transferring personal data outside the European Union

Spal Automotive does not intend to transfer your personal data to any non-EU countries. However, if, in execution of the purposes listed above, Spal Automotive should transfer your data outside the European Union, the Controller will proceed to carry out such transfer only after establishing that one of the conditions laid down in Articles 44 et seq. of the GDPR is met, in order to ensure an adequate level of protection of your personal data.

 

6. Period of storage of collected and processed personal data

The Controller will store Personal Data collected for the purposes of Provision of Services for as long as strictly necessary to provide the services requested. In any case, since those Personal Data are processed to provide the Services, the Controller may store them for longer, particularly if this is necessary in order to protect the interests of the Controller from any complaints that may be made about the Services.

The Controller will store Personal Data collected for the purposes of Recruitment for the time the position the Application was submitted for remains open or for one (1) year, whichever is shorter.

The Controller will store Personal Data collected for the purposes of Compliance for the period required by specific legal obligations or by applicable law.

The Controller will store Personal Data collected for the purposes of avoiding Misuse/Fraud for as long as strictly necessary for that purpose and, therefore, for the time the Controller is required to store them to protect themselves before the courts by disclosing those data to the competent Authorities.

7. How will your Personal Data be processed?

Your data will be processed in both paper form and/or using electronic and/or computerised and/or telecommunications media and instruments; the logic involved and the procedures used are strictly connected to the purposes specified and, in any case, adopting methods that ensure the security and confidentiality of the data in compliance with the provisions of Article 32 of the GDPR.

 

8. Rights of the Data Subject

8.1. With regard to your Personal Data that are processed by the Controller SPAL AUTOMOTIVE S.r.l.  We hereby inform you that you are entitled to exercise the following rights under Articles 15 to 21 of the GDPR and, in particular:      

  • Right of access – Article 15 of the GDPR: the right to obtain from the Controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to your personal data – including a copy of them – and the following information:

    1. the purposes of the processing

    2. the categories of personal data processed

    3. the recipients to whom the personal data have been or will be disclosed

    4. the envisaged period for which the personal data will be stored or the criteria applied

    5. the existence of the Data Subject's right to request from the controller rectification or erasure of personal data or restriction of processing

    6. the right to lodge a complaint

    7. where your personal data are not collected from you, any available information as to their source

    8. the existence of automated decision-making, including profiling;

  • right to rectification – Article 16 of the GDPR: the right to obtain without undue delay the rectification of inaccurate personal data concerning you and the right to have incomplete personal data completed;

  • right to erasure (‘right to be forgotten’) – Article 17 of the GDPR: the right to obtain the erasure of personal data concerning you without undue delay, where one of the following grounds applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

  • you withdrew your consent and there is no other legal ground for the processing;

  • you successfully objected to the processing of your personal data;

  • your personal data have been unlawfully processed;

  • your personal data have to be erased for compliance with a legal obligation;

  • your personal data were collected in relation to the offer of services referred to in Article 8(1) of the GDPR.

    The right to erasure shall not apply to the extent that processing is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or for the establishment, exercise or defence of legal claims.

  • right to restriction of processing – Article 18 of the GDPR: the right to obtain restriction of processing where one of the following applies:

  • the accuracy of the personal data is contested by the data subject;

  • the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;

  • the personal data are required by the data subject for the establishment, exercise or defence of legal claims;

                  right to object – Article 21 of the GDPR: the right to object to the processing of your personal data unless the controller demonstrates compelling legitimate grounds for the processing;

  • right to data portability – Article 20 of the GDPR:  the right to receive the personal data concerning you, which you have provided to the Controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance, where the processing is based on consent and the processing is carried out by automated means.  In exercising your right to data portability, you also have the right to have the personal data transmitted directly from the Controller to another, where technically feasible;

  • right to lodge a complaint with the Italian Data Protection Authority (Garante), Piazza Venezia 11 , 00187 Rome (RM).

 

8.2. In accordance with Article 12(1) of the GDPR, SPAL AUTOMOTIVE S.r.l.  undertakes to provide the communication under Articles 15 to 22 of the GDPR in a concise, transparent, intelligible and easily accessible form. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

8.3. In accordance with Article 12(3) of the GDPR, the Controller informs you that it undertakes to provide information on action taken on a request under Articles 15 to 22 to you without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

8.4. If you, the Data Subject want to exercise your rights as specified in more detail in this Article, you can use the contact information specified in Article 1 of this “Notice”.

8.5 Any action you take as Data Subject is provided free of charge, pursuant to Article 12 of the GDPR. However, if your requests are manifestly unfounded or excessive, in particular because of their repetitive character, the Controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request.

Lastly, please note that the Controller may request the provision of additional information necessary to confirm the identity of the Data Subject.

CUSTOMERS PRIVACY NOTICE

For Data processing Pursuant to articles 13 and 14 of EU Regulation 2016/679

With specific reference to your personal data as defined under Article 4(1)(1) of Regulation (EU) 2016/679 (“General Data Protection Regulation - GDPR”) in your capacity as “Data Subject”, the  “Controller” under Article 4(1)(7) of the GDPR, hereby provides you with this notice to inform you of its privacy policy and so you can understand how it manages your personal data.

This privacy notice is addressed to customers (natural persons) and employees, directors and contact persons of customers whose data must be processed by the Data Controller in order to enter into or give effect to the requested order contract.

1. Who is the Data Controller and the Data Protection Officer.

 The “Controller” of the processing of your personal data, as specified in Article 4(1)(7) of the GDPR is the enterprise, SPAL AUTOMOTIVE S.R.L., (VAT and Tax Identification Number 01755790357), acting through its pro tempore legal representative, based in Correggio (RE), via Per Carpi, 26/B; you can contact the Controller by email at privacy@spal.it

 The “Data Protection Officer”, as specified in Article 37 of the GDPR is BALDI & PARTNERS, who you can contact by email at dpo@spal.it     

 

2.The personal data we process

2.1 Common personal data

For the purposes indicated in this Privacy Notice, the Data Controller may process the personal data of customers (natural persons) or employees, directors and contact persons of customers such as, for example, personal data (first name, surname, address, telephone number, email and other contact details, an identification number), financial data (IBAN), data relating to the relationship with the Data Controller.

2.2 Source of personal data

The personal data processed by the Data Controller are those provided directly by you or collected by the Data Controller from third parties (for example, the company you work for, a customer of the Data Controller). This Privacy Notice also covers the processing of your personal data acquired from third parties.

3.Purpose and legal basis of processing, nature of provision and consequences of a refusal to provide personal data

The processing which your personal data will undergo is exclusively for the purpose of carrying out the activities connected with the stipulation and execution of contracts/orders for the order placed by you (including the management of delivery obligations and of logistics and transport functional thereto) and/or the granting of appointments and mandates, the subsequent management of administrative, accounting and fiscal requirements, the possible settlement of disputes, as well as the fulfilment of obligations provided for by laws, regulations and Community legislation, as well as by provisions issued by authorities legitimated to do so by law and by supervisory and control bodies.

The processing of your personal data, for the sole purposes mentioned above, may also take place without your explicit consent inasmuch as:

  • in the event of your being the customer (natural person), the legal basis for the processing of your personal data is the execution of the contract and the fulfilment of legal obligations;

  • in the event of your being the employee, director or contact person of the customer (legal entity), the legal basis for the processing of your personal data for the fulfilment of the purchase contract is the prevailing legitimate interest of the Data Controller.

     

The provision of personal data is a necessary requirement for the establishment or execution of the purchase contract. Failure to provide data will, therefore, make it impossible for the Data Controller to conclude and/or perform the contract.

In any case, your personal data will be processed for the duration of the purchase agreement and/or your employment relationship /cooperation with the customer (legal entity) and, after that date, only for the period of time necessary to comply with current legislation (including the provisions of ordinary ten-year limitation of rights).

4.How will your Personal Data be processed?

Your data will be processed in both paper form and/or using electronic and/or computerised and/or telecommunications media and instruments; the logic involved and the procedures used are strictly connected to the purposes specified and, in any case, adopting methods that ensure the security and confidentiality of the data in compliance with the provisions of Article 32 of the GDPR.

5. Recipients of your Personal Data

In order to pursue any of the purposes described in paragraph 3 above, the Controller will disclose your Personal Data to its collaborators, who will act as persons authorised to process personal data

Your personal data may be communicated, for the purposes mentioned above, to banks, public administrations, social security institutions, for the fulfilment of obligations under the law, as well as to the categories of entities and external companies which perform services of various types on behalf of the Data Controller, such as, by way of example only: services for the management of the computer system, accounting services, shipping services of goods or correspondence, documentation filing services, etc. Your data may also be transferred to other companies belonging to the same group as the Data Controller for administrative and accounting purposes at group level.

The entities listed above operate, in some cases, independently as separate data controllers, and in other cases, as data processors specifically appointed by the Data Controller in accordance with Article 28 of the GDPR.

Disclosure of your data to the above categories does not require your consent, as it is based on the legitimate overriding interest of the Data Controller, given that such disclosure is necessary for the purposes mentioned in paragraph 3 above. 

You can ask the Controller for the complete, updated list of the entities to which your Personal Data may be disclosed.

 The personal data processed by the Data Controller are not subject to disclosure. In any case, we inform you that, for administrative purposes, your data may be communicated to other companies in the Group of which the Data Controller is a member on the basis of the prevailing legitimate interest of the Data Controller, of an organizational and administrative nature.

Transferring personal data outside the European Union

Spal Automotive does not intend to transfer your personal data to any non-EU countries. However, if, in execution of the purposes listed above, Spal Automotive should transfer your data outside the European Union, the Controller will proceed to carry out such transfer only after establishing that one of the conditions laid down in Articles 44 et seq. of the GDPR is met, in order to ensure an adequate level of protection of your personal data.

6.Rights of the Data Subject

 With regard to your Personal Data that are processed by the Controller SPAL AUTOMOTIVE S.r.l.  We hereby inform you that you are entitled to exercise the following rights under Articles 15 to 21 of the GDPR and, in particular:      

  • Right of access – Article 15 of the GDPR: the right to obtain from the Controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to your personal data – including a copy of them – and the following information:
    1. the purposes of the processing

    2. the categories of personal data processed

    3. the recipients to whom the personal data have been or will be disclosed

    4. the envisaged period for which the personal data will be stored or the criteria applied

    5. the existence of the Data Subject's right to request from the controller rectification or erasure of personal data or restriction of processing

    6. the right to lodge a complaint

    7. where your personal data are not collected from you, any available information as to their source

    8. the existence of automated decision-making, including profiling;

  • right to rectification – Article 16 of the GDPR: the right to obtain without undue delay the rectification of inaccurate personal data concerning you and the right to have incomplete personal data completed;
  • right to erasure (‘right to be forgotten’) – Article 17 of the GDPR: the right to obtain the erasure of personal data concerning you without undue delay, where one of the following grounds applies:
  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

  • you withdrew your consent and there is no other legal ground for the processing;

  • you successfully objected to the processing of your personal data;

  • your personal data have been unlawfully processed;

  • your personal data have to be erased for compliance with a legal obligation;

  • your personal data were collected in relation to the offer of services referred to in Article 8(1) of the GDPR.

    The right to erasure shall not apply to the extent that processing is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or for the establishment, exercise or defence of legal claims.

  • right to restriction of processing – Article 18 of the GDPR: the right to obtain restriction of processing where one of the following applies:
  • the accuracy of the personal data is contested by the data subject;

  • the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;

  • the personal data are required by the data subject for the establishment, exercise or defence of legal claims;

              right to object – Article 21 of the GDPR: the right to object to the processing of your personal data unless the controller demonstrates compelling legitimate grounds for the processing;

  • right to data portability – Article 20 of the GDPR:  the right to receive the personal data concerning you, which you have provided to the Controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance, where the processing is based on consent and the processing is carried out by automated means.  In exercising your right to data portability, you also have the right to have the personal data transmitted directly from the Controller to another, where technically feasible;
  • right to lodge a complaint with the Italian Data Protection Authority (Garante), Piazza Venezia 11 , 00187 Rome (RM).

 If you, the Data Subject want to exercise your rights as specified in more detail in this Article, you can use the contact information specified in Article 1 of this “Notice”.

 Any action you take as Data Subject is provided free of charge, pursuant to Article 12 of the GDPR. However, if your requests are manifestly unfounded or excessive, in particular because of their repetitive character, the Controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request.

SUPPLIERS PRIVACY NOTICE

For Data processing Pursuant to articles 13 and 14 of EU Regulation 2016/679

With specific reference to your personal data as defined under Article 4(1)(1) of Regulation (EU) 2016/679 (“General Data Protection Regulation - GDPR”) in your capacity as “Data Subject”, the  “Controller” under Article 4(1)(7) of the GDPR, hereby provides you with this notice to inform you of its privacy policy and so you can understand how it manages your personal data.

This privacy notice is addressed to suppliers/consultants (natural persons) and employees, directors and contact persons of suppliers/consultants whose data must be processed by the Data Controller in order to enter into or give effect to the requested purchase contract.

1. Who is the Data Controller and the Data Protection Officer.

 The “Controller” of the processing of your personal data, as specified in Article 4(1)(7) of the GDPR is the enterprise, SPAL AUTOMOTIVE S.R.L., (VAT and Tax Identification Number 01755790357), acting through its pro tempore legal representative, based in Correggio (RE), via Per Carpi, 26/B; you can contact the Controller by email at privacy@spal.it

 The “Data Protection Officer”, as specified in Article 37 of the GDPR is BALDI & PARTNERS, who you can contact by email at dpo@spal.it     

2.The personal data we process

2.1 Common personal data

For the purposes indicated in this Privacy Notice, the Data Controller may process the personal data of suppliers/consultants (natural persons) or employees, directors and contact persons of suppliers/consultants such as, for example, personal data (first name, surname, address, telephone number, email and other contact details, an identification number), financial data (IBAN), data relating to the relationship with the Data Controller.

 

2.2 Source of personal data

The personal data processed by the Data Controller are those provided directly by you or collected by the Data Controller from third parties (for example, the company you work for, a customer of the Data Controller). This Privacy Notice also covers the processing of your personal data acquired from third parties.

3.Purpose and legal basis of processing, nature of provision and consequences of a refusal to provide personal data

The processing which your personal data will undergo is exclusively for the purpose of carrying out the activities connected with the stipulation and execution of contracts/orders for the order placed by you (including the management of delivery obligations and of logistics and transport functional thereto) and/or the granting of appointments and mandates, the subsequent management of administrative, accounting and fiscal requirements, the possible settlement of disputes, as well as the fulfilment of obligations provided for by laws, regulations and Community legislation, as well as by provisions issued by authorities legitimated to do so by law and by supervisory and control bodies.

The processing of your personal data, for the sole purposes mentioned above, may also take place without your explicit consent inasmuch as:

  • in the event of your being the suppliers/consultants (natural person), the legal basis for the processing of your personal data is the execution of the contract and the fulfilment of legal obligations;

  • in the event of your being the employee, director or contact person of the suppliers/consultants (legal entity), the legal basis for the processing of your personal data for the fulfilment of the purchase contract is the prevailing legitimate interest of the Data Controller.

     

The provision of personal data is a necessary requirement for the establishment or execution of the purchase contract. Failure to provide data will, therefore, make it impossible for the Data Controller to conclude and/or perform the contract.

In any case, your personal data will be processed for the duration of the purchase agreement and/or your employment relationship /cooperation with the suppliers/consultants (legal entity) and, after that date, only for the period of time necessary to comply with current legislation (including the provisions of ordinary ten-year limitation of rights).

4.How will your Personal Data be processed?

Your data will be processed in both paper form and/or using electronic and/or computerised and/or telecommunications media and instruments; the logic involved and the procedures used are strictly connected to the purposes specified and, in any case, adopting methods that ensure the security and confidentiality of the data in compliance with the provisions of Article 32 of the GDPR.

5. Recipients of your Personal Data

In order to pursue any of the purposes described in paragraph 3 above, the Controller will disclose your Personal Data to its collaborators, who will act as persons authorised to process personal data

Your personal data may be communicated, for the purposes mentioned above, to banks, public administrations, social security institutions, for the fulfilment of obligations under the law, as well as to the categories of entities and external companies which perform services of various types on behalf of the Data Controller, such as, by way of example only: services for the management of the computer system, accounting services, shipping services of goods or correspondence, documentation filing services, etc. Your data may also be transferred to other companies belonging to the same group as the Data Controller for administrative and accounting purposes at group level.

The entities listed above operate, in some cases, independently as separate data controllers, and in other cases, as data processors specifically appointed by the Data Controller in accordance with Article 28 of the GDPR.

Disclosure of your data to the above categories does not require your consent, as it is based on the legitimate overriding interest of the Data Controller, given that such disclosure is necessary for the purposes mentioned in paragraph 3 above. 

You can ask the Controller for the complete, updated list of the entities to which your Personal Data may be disclosed.

 The personal data processed by the Data Controller are not subject to disclosure. In any case, we inform you that, for administrative purposes, your data may be communicated to other companies in the Group of which the Data Controller is a member on the basis of the prevailing legitimate interest of the Data Controller, of an organizational and administrative nature.

Transferring personal data outside the European Union

Spal Automotive does not intend to transfer your personal data to any non-EU countries. However, if, in execution of the purposes listed above, Spal Automotive should transfer your data outside the European Union, the Controller will proceed to carry out such transfer only after establishing that one of the conditions laid down in Articles 44 et seq. of the GDPR is met, in order to ensure an adequate level of protection of your personal data.

6.Rights of the Data Subject

 With regard to your Personal Data that are processed by the Controller SPAL AUTOMOTIVE S.r.l.  We hereby inform you that you are entitled to exercise the following rights under Articles 15 to 21 of the GDPR and, in particular:      

  • Right of access – Article 15 of the GDPR: the right to obtain from the Controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to your personal data – including a copy of them – and the following information:
    1. the purposes of the processing

    2. the categories of personal data processed

    3. the recipients to whom the personal data have been or will be disclosed

    4. the envisaged period for which the personal data will be stored or the criteria applied

    5. the existence of the Data Subject's right to request from the controller rectification or erasure of personal data or restriction of processing

    6. the right to lodge a complaint

    7. where your personal data are not collected from you, any available information as to their source

    8. the existence of automated decision-making, including profiling;

  • right to rectification – Article 16 of the GDPR: the right to obtain without undue delay the rectification of inaccurate personal data concerning you and the right to have incomplete personal data completed;
  • right to erasure (‘right to be forgotten’) – Article 17 of the GDPR: the right to obtain the erasure of personal data concerning you without undue delay, where one of the following grounds applies:
  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

  • you withdrew your consent and there is no other legal ground for the processing;

  • you successfully objected to the processing of your personal data;

  • your personal data have been unlawfully processed;

  • your personal data have to be erased for compliance with a legal obligation;

  • your personal data were collected in relation to the offer of services referred to in Article 8(1) of the GDPR.

    The right to erasure shall not apply to the extent that processing is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or for the establishment, exercise or defence of legal claims.

  • right to restriction of processing – Article 18 of the GDPR: the right to obtain restriction of processing where one of the following applies:
  • the accuracy of the personal data is contested by the data subject;

  • the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;

  • the personal data are required by the data subject for the establishment, exercise or defence of legal claims;

              right to object – Article 21 of the GDPR: the right to object to the processing of your personal data unless the controller demonstrates compelling legitimate grounds for the processing;

  • right to data portability – Article 20 of the GDPR:  the right to receive the personal data concerning you, which you have provided to the Controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance, where the processing is based on consent and the processing is carried out by automated means.  In exercising your right to data portability, you also have the right to have the personal data transmitted directly from the Controller to another, where technically feasible;
  • right to lodge a complaint with the Italian Data Protection Authority (Garante), Piazza Venezia 11 , 00187 Rome (RM).

 If you, the Data Subject want to exercise your rights as specified in more detail in this Article, you can use the contact information specified in Article 1 of this “Notice”.

 Any action you take as Data Subject is provided free of charge, pursuant to Article 12 of the GDPR. However, if your requests are manifestly unfounded or excessive, in particular because of their repetitive character, the Controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request.

VIDEO SURVEILLANCE PRIVACY NOTICE

IN ACCORDANCE WITH ARTICLE 13 OF REGULATION (EU) 2016/679-

  

  1. Who is the Data Controller?

 The “Controller” of the processing of your personal data, as specified in Article 4(1)(7) of the GDPR is the enterprise, SPAL AUTOMOTIVE S.R.L., (VAT and Tax Identification Number 01755790357), acting through its pro tempore legal representative, based in Correggio (RE), via Per Carpi, 26/B; you can contact the Controller by email at privacy@spal.it

 The “Data Protection Officer”, as specified in Article 37 of the GDPR is BALDI & PARTNERS, who you can contact by email at dpo@spal.it    

 

2. Nature and type of data that we collect and process

For the purposes described in paragraph 3 below, the  Controller has installed a video surveillance system at SPAL Automotive s.r.l., via per Carpi n. 26 / b - Correggio (RE).Through the video surveillance system, the Controller  processes  your personal data, consisting of images taken  through the video surveillance system .

3 .Purposes of data processing and legal base

Personal data will be processed for the purpose of protecting corporate assets.

The processing of data, in accordance with the provisions of the Workers' Statute (Article 4, Law No. 300/1970) has been authorized by the National Labor Inspectorate of, Territorial Direction  of Parma and Reggio Emilia, with provision no. 1579 of 17 January 2019.

The legal base of the processing  the legitimate interests pursued by the controller.

4. Mandatory and/or optional nature of processing

In relation to the purposes of processing the data referred to in paragraph 3, only personal data from the video surveillance system will be processed, ie the images from the mentioned circuit.

It should be noted that the processing of data is necessary as strictly instrumental to access to company premises. Failure to do so means  the Controller will not be able  to let you to  access to company premises. According  to the measures  of the Data Protection  Authority in charge of video surveillance of April 8, 2010 for the pursuit of the purposes of protection of corporate assets, the consent to the processing of your personal data   is not necessary

5. Period of storage of collected and processed personal data

The Controller will store Personal Data for a maximum duration of 24 hours except in the case of special needs for further conservation in relation to holidays or closure of offices and services, as well as the Controller  have to adhere to a specific investigation request by the Judicial Authority or the Judicial Police. At the end of the retention period, images are automatically deleted by overwriting.

It also guarantees the application of security measures and the provision of the Authority for the Protection of Personal Data in the field of video surveillance of April 9, 2010.

6. How will your Personal Data be processed

Your data will be processed  using electronic and/or computerised and/or telecommunications media and instruments; the logic involved and the procedures used are strictly connected to the purposes specified and, in any case, adopting methods that ensure the security and confidentiality of the data in compliance with the provisions of Article 32 of the GDPR.

The visualization of the images taken through the video surveillance system is carried out only by the owner or by persons specifically commissioned in writing. The video surveillance areas are marked with a special signal.

The video areas are marked with a special sign and concern areas of business relevance such as car parks, the road system outside the factory, the areas of access to the plant and the access areas to the departments .

7. Recipients of your Personal Data

The personal data processed by the Controller are not disclosed.

In order to pursue any of the purposes described in paragraph 3 above, the Controller will disclose your Personal Data to its collaborators, who will act as persons authorised to process personal data.

Furthermore, for the purposes described in paragraph 3 above, your Personal Data will be processed by third parties belonging, by way of example, to the following categories:

  • any subsidiary, parent or associated company of the Controller, including:SPAL s.r.l., via per Carpi 26/b – 42015 Correggio (RE) Italy – VAT number 01361210352

  • external subjects in charge of the management / maintenance / administration of the video surveillance system

  • subjects entrusted with the reception and surveillance services

  • subjects entrusted by the surveillance service

  • entities that provide the Controller with tax, legal, judicial and compliance advice;

Moreover, images can be provided to police forces and / or judicial authorities, in case of request

The Controller will store Personal Data in Italy.

You can ask the Controller for the complete, updated list of the entities to which your Personal Data may be disclosed.

Spal Automotive does not intend to transfer your personal data to any non-EU countries

 8. Rights of the Data Subject

With regard to your Personal Data that are processed by the Controller SPAL AUTOMOTIVE S.r.l.  We hereby inform you that you are entitled to exercise the following rights under Articles 15 to 21 of the GDPR (right of access , right to rectification , right to erasure or‘right to be forgotten’, right to restriction of processing right to object, right to data portability).Furthermore, pursuant to art. 77 of the GDPR, if you believe that the processing of personal data concerning you does not comply with EU Reg. 2016/679, you are the right to lodge a complaint with the Italian Data Protection Authority , based in Piazza Venezia 11 - 00187 Rome, following the procedures and indications available on the website www.garanteprivacy.it

SPAL AUTOMOTIVE S.r.l.

(In its capacity as Data Controller)