This page describes the management of the web site of RUPES S.p.A. (“RUPES”) which can be reached at www.rupes.com (hereafter, the “Website”) as regards the processing of the personal data of users registering on the same Website in order to access contents reserved for registered users and to subscribe to the newsletter service provided by RUPES.
The present information only applies to the Website (including sub-domains such as download.rupes.com) and does not concern any websites that may be visited by a user via third-parties links contained in the Website.
This information is provided also according to Article 13 of EU Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR) to any entity having to do with the web-based services that are made available by RUPES. The information provided is also based on the guidelines contained in Recommendation no. 2/2001, which was adopted on 17 May 2001 by the European data protection authorities within the Working Party set up under Article 29 of European Directive 95/46/EC in order to lay down minimum requirements for the collection of personal data online – especially with regard to arrangements, timing and contents of the information to be provided by data controllers to users visiting web pages for whatever purpose.
The processing of personal data of the Website user shall be, in any case, based on the fairness, lawfulness and transparency principles as well as on the principle of protection of confidentiality and of the rights of the data subject, in accordance with the GDPR provisions, the national applicable legislation and the Italian Data Protection Authority’s guidelines.
1. THE DATA CONTROLLER
Visiting the Website may result in the processing of data concerning identified or identifiable natural persons.
The “Data Controller” is RUPES S.p.A., with registered office in viale Bianca Maria 13, Milano (MI), headquarter in Via Marconi 3A, 20080 Vermezzo (MI), VAT IT05094230157, Hereinafter called “RUPES” or “Data Controller”.
2. PLACE WHERE DATA IS PROCESSED AND RECIPIENTS
The processing operations related to the Website services are carried out in Italy at the aforementioned office of RUPES exclusively by technical staff in charge of said processing, or in Europe (FR) at the seat of the company that manages RUPES servers. RUPES does not make data transfers to third countries outside the EEA.
Data are or may be disclosed to the following recipients (nominated as data processors under the GDPR):
- To other companies of the group of undertakings which RUPES belongs to, with their premises within the EU territory
- To entities providing RUPES with Website hosting services, its maintenance and updating (exclusively if such disclosure is strictly necessary in order to ensure the performance of the services demanded by the users), newsletters, etc.
- To suppliers of consulting services related to tax and fiscal obligations, in the event the disclosure is necessary due to the data processing category (e.g. in cases where the user purchases RUPES goods or services giving rise to tax or fiscal obligations).
- To other categories of entities to which RUPES has to disclose personal data in order to execute contracts between RUPES and users or with a view to fulfil legal obligations or upon the request of public authorities.
3. CATEGORIES OF PROCESSED DATA
Navigation Data. The information systems and software procedures relied upon to operate this Website acquire personal data as part of their standard functioning; the transmission of such data is an inherent feature of Internet communication protocols.
Such information is not collected in order to relate it to identified data subjects, however it might allow user identification per se after being processed and matched with data held by third parties.
This data category includes IP addresses and/or the domain names of the computers used by any user connecting with this Website, the URI (Uniform Resource Identifier) addresses of the requested resources, the time of such requests, the method used for submitting a given request to the server, returned file size, a numerical code relating to server response status (successfully performed, error, etc.), and other parameters related to the user’s operating system and computer environment.
These data are only used to extract anonymous statistical information on Website use as well as to check its functioning; they are erased immediately after being processed. The data might be used to establish liability in case computer crimes are committed against the Website; except for this case, currently any data on web contacts is retained for no longer than seven days.
Data Provided Voluntarily by Users. The completion of the registration process and sending e-mail messages to the addresses mentioned on this Website, which is done on the basis of a freely chosen, explicit, and voluntary option, entails the acquisition and the processing of personal data of the data subject, which is necessary in order to enable him/her to access the reserved contents available on the Website and/or to perform the newsletter service demanded by him/herself or to reply to any data subject’s request filed via e-mail or chat provided for on the Website, as well as of such additional personal data as contained in the e-mails or chat message.
The RUPES download centre will collect the following information: first name, last name and company name, contact information including e-mail address, business sector.
Specific summary information notices will be shown and/or displayed on the pages of the Website that are used for providing services on demand.
Cookies. No personal data concerning users is acquired by the Website in this regard.
No cookies are used to transmit personal information, nor are so-called persistent cookies (except for the ones below) or user tracking systems implemented.
Use of the so-called session cookies (which are not stored permanently on the user’s computer and disappear upon closing the browser) is exclusively limited to the transmission of session ID’s (consisting of server-generated casual numbers) as necessary to allow secure, effective navigation of the Website.
The so-called session cookies used by this Website make it unnecessary to implement other computer techniques that are potentially detrimental to the confidentiality of user navigation, whilst they do not allow acquiring the user’s personal identification data.
If you chose to remain logged into the Website, a cookie that helps with keeping you logged in may be stored on your computer.
Geo-localization Cookies. This Website uses geo-localization systems to determine from where the User accesses the Website and to decide automatically what language to display, a cookie with said data may be stored on your computer.
Third-party Cookies. This Website might use third-party cookies to aid with services rendered by other websites, such as to display YouTube videos, depending on whether you decide to use said services and/or watch said videos.
4. DATA PROCESSING PURPOSES
Personal data is collected and processed by RUPES for the following purposes:
1) To allow users to securely and effectively navigate the Website;
2) In case the user registers to the Website, to allow him/her to download the materials contained in the download centre;
3) To provide the newsletter service as per the users’ request to RUPES;
4) To provide the contact service with RUPES or/and its distributors as per the users’ request;
5) To comply with laws, regulations or Community legislation.
5. LEGAL BASES FOR THE PROCESSING
The personal data processing made by RUPES with a view to pursue the purposes under art. 4 of the present information has the following legal bases:
- (Art. 6, 1, b) of the GDPR): processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (e.g. for the newsletter service or in order to allow the access to contents reserved for the users registered on the Website, the safe and correct use of the Website); or
- (Art. 6, 1, c) of the GDPR): processing is necessary for compliance with a legal obligation to which the controller is subject (e.g. for the fulfilment of tax and fiscal obligations such as the issuance of invoices, customs documents, in the event the user requests from RUPES the supply of goods and/or services requiring such legal obligations); or
- (Art. 6, 1, f) of the GDPR): processing is necessary for the purposes of a legitimate interest pursued by the controller (e.g. should the data subject disclose his/her own data – via the Controller’s Website, during fairs or sector events, by telephone – the Controller has the legitimate interest to retain the contact with his/her own client or possible client in order to send them direct marketing communications, including product information, special offers, training events invitations, ect.). At any time the data subject may object to the processing of his/her own data carried out for those purposes, reporting his/her own objection to the email address email@example.com ; or
- (Art. 6, 1, a) of the GDPR): he data subject has given consent to the processing of his or her personal data for direct or indirect marketing purposes (excluding the totally automated processing and the profiling for commercial purposes), ect. At any time, the data subject may revoke his/her own consent and object to the processing of his/her own data for such purpose, reporting his/her own objection to the email address: firstname.lastname@example.org
6. PROCESSING ARRAGMENTS
Personal data is processed with automated and non-automated means for no longer than is necessary to achieve the purposes for which it has been collected.
Specific security measures are implemented to prevent the data from being lost, used unlawfully and/or inappropriately, and accessed without authorisation.
It is important to remember that whatever the data subject transmits or disclose online can be collected and used by others or unlawfully intercepted by third-parties. No data transmission over the Internet can be guaranteed to be 100% secure. RUPES is committed to use commercially reasonable means to protect the data subjects’ information, but the same cannot guarantee the security of any information exchanged.
The RUPES download centre is password protected. It is forbidden to divulge the password to anyone. At no time RUPES will ask for the registered user password via e-mail. If the user will ever receive such an inquiry, please notify RUPES immediately. The registered user is solely responsible for maintaining the secrecy of its authentication credentials.
7. DATA PROCESSING DURATION
User’s personal data shall be retained for a duration strictly necessary to pursue the specific processing purposes under section 4 and, specifically:
- Personal data shall be processed for the period necessary to the performance of RUPES’ pre-contractual and contractual obligations by virtue of the supply of goods and/or services demanded by the user (e.g. the newsletter, the supply of contents reserved for registered users, ect.) and, in any case, not beyond the term set by the Italian statute of limitation of the rights (by way of contractual and/or extra-contractual liability) linked to the supply of the abovementioned goods and/or services.
- Moreover, data shall be processed for the duration necessary to the fulfilment of legal or regulatory obligations (e.g. the obligation to store data and fiscal documents), in accordance with what foreseen by law and regulations varyingly applicable to such Controller’s obligations.
- In case the data processing is carried out in order to pursue a Controller’s legitimate interest, such processing shall be carried out until such legitimate interest exists or until the request, from Your part, to no longer allow the processing of Your data for such purposes.
- Should the processing of personal data be carried out by virtue of the user’s consent, such processing shall be carried out for no longer than 48 (forty-eight) months from the granting of the user’s consent
8. DATA SUBJECT RIGHTS
At any time, entities whose personal data have been disclosed to RUPES have the right:
a. to ask the Data Controller to have access to his/her own personal data (that is, to be aware whether the Controller is processing such data), to obtain their rectification or erasure, to limit the purposes for which this data is processed or to object to their processing, besides the right to obtain their portability.
b. should the processing be based on article 6, paragraph 1, letter a) (consent), or on article 9, paragraph 2, letter a) of the GDPR, to withdraw his/her own consent at any time without compromising the processing lawfulness based on the consent granted before its withdrawal.
These rights may be exerted by means of a request by the data subject to be sent to the following email address: email@example.com
Moreover, the data subject may lodge a complaint with a supervisory authority, that is, the (ITALIAN) Data Protection Authority, by means of registered mail with return receipt sent to the (ITALIAN) Data Protection Authority, Piazza Monte Citorio, 121 00186 Rome; or by e-mail to the address: firstname.lastname@example.org, or email@example.com; or by fax to the number: 06/69677.3785
9. VOLUNTARY OR MANDATORY CHARACTER OF THE CONSENT
For the data processing aiming to perform contractual or pre-contractual obligations (e.g. newsletter service provision, access to reserved contents, etc.) as well as in order to fulfil the Controller’s legal obligation, the data conferral IS MANDATORY and the eventual refusal to provide such data may entail the missed or partial performance of the services by the Controller, being such data fundamental for the complete and correct performance of the very service and/or for the fulfilment of the Controller’s legal obligations.
For the personal data processing aiming to pursue a Controller’s legitimate interest (e.g. with the purpose of retaining contacts with his/her own clients by means of sending offers, invitation to training events, etc.) THE CONSENT IS NOT NECESSARY. However, the user may object at any time to the processing of Your own data for such purposes, lodging your objection to the following e-mail address: firstname.lastname@example.org
For the processing carried out for direct or indirect marketing purposes and in the absence of a Controller’s legitimate interest, THE CONSENT IS VOLUNTARY, and may be withdrawn, at any time, by sending a request to the Controller to the following e-mail address: email@example.com
You are informed that the consent withdrawal does not jeopardize the processing lawfulness based on the consent granted before the withdrawal.