Pursuant to Article 13 of Regulation (EU) 2016/679
This policy is provided in accordance with the European General Data Protection Regulation (EU) 2016/679 (“GDPR”), as subsequently amended and/or supplemented, and national laws or regulations on the processing of personal data, as applicable from time to time (“Privacy Legislation”), to ensure that the processing of personal data is carried out in accordance with the rights and freedoms of persons with particular regard to the protection of personal data.
The term “personal data” means any information relating to a natural person who is identified or identifiable, even indirectly, by reference to any other information, including a personal identification number.
The term “processing” means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The term “data subject” refers to the natural person to whom the personal data relate.
1. Data controller
OpenSymbol Srl is the Data Controller (“Data Controller” or “OpenSymbol”) having its registered office at Via Vecchia Ferriera, 5 (VI) Tax code and VAT no. 03184500241 for the purposes described in paragraph 3 below and is part of the Impresoft Group. The list of companies belonging to the Impresoft Group can be found in the following section of the website https://www.impresoftgroup.com/en/group of Impresoft S.p.A. (“Group Companies”).
The Data Controller can be contacted at the following e-mail address: firstname.lastname@example.org.
In accordance with Article 37 of the GDPR, the Data Controller has also appointed a Data Protection Officer (“DPO”), who can be contacted at the following addresses: by e-mail: email@example.com; by post: Via Vecchia Ferriera, 5 (VI).
2. Sources and Type of data processed
Data are collected directly from the customer/potential customer and may include, but are not limited to:
- first and surname;
- contacts (e-mail address, telephone number);
- data on professional life (role/function within the company).
3. Purpose and legal basis of the processing carried out by the Data Controller
The Data Controller may process the personal data of the data subject for the processing purposes set out below:
- Purposes strictly connected with and ancillary to the conclusion and performance of a contract to which the data subject is party, in accordance with Article 6(1)(b) of the GDPR. The provision of personal data does not require consent, but is necessary for the establishment, performance or continuation of the contractual relationship with the Data Controller.
- Responding to requests for information made by the data subject to the Data Controller. The provision of personal data does not require consent as the processing is necessary to carry out pre-contractual measures taken at the request of the data subject, in accordance with Article 6(1)(b) of the GDPR.
- Fulfilment of legal obligations, regulations, EU legislation, provisions issued by authorities empowered to do so by law or by supervisory and control bodies pursuant to Article 6(1)(c) GDPR. The provision of personal data for the purposes set out in this point is obligatory and does not require consent.
- Purposes of business analysis in an anonymous form: to improve the business and own services (for example, to measure customer satisfaction with the quality of the services provided and the activities carried out by the Data Controller, by carrying out studies and market research). The provision of personal data is not compulsory and the relevant processing does not require consent due to the existence of a legitimate interest of the Data Controller in carrying out business analysis activities in accordance with Article 6(1)(f) of the GDPR.
- Marketing purposes for the promotion and sale of products and services similar to those already purchased by the data subject (so-called soft spam), through commercial communications sent by e-mail. The provision of data is not compulsory and their processing does not require consent due to the existence of a legitimate interest of the Data Controller in carrying out marketing activities towards its customers, in accordance with Article 6(1)(f) GDPR.
- Own marketing purposes: through the use of automated contact tools (such as automated calls, e-mails) or through traditional contact tools (cold calling), directly or through third party companies, with reference to their products and services i) sending and/or proposing by telephone informative, commercial, advertising and promotional material, also personalised/of specific interest ii) sending newsletters and invitations to events and initiatives. The provision of data is not compulsory and their processing requires consent, which may be given and withdrawn, even for only some of the above activities, by writing to the e-mail address below. If the data subject does not provide personal data, he/she will not be able to receive information about the products and/or services offered by the Data Controller, but there will be no consequences for the existing contractual relationship with the Data Controller.
- Communication of data to the Group Companies which, with reference to their products and services and those of the Group Companies belonging to the ICT and consultancy sector, may, directly or through third parties, using automated contact tools (such as automated calls, e-mails) or traditional contact tools (cold calling), i) send and/or propose by telephone informative, commercial, advertising and promotional material, also personalised/of specific interest ii) send newsletters and invitations to events and initiatives. The provision of data is not compulsory and their processing requires the consent of the data subject, which may be withdrawn at any time without prejudice to the processing carried out prior to the withdrawal.
- Legal defence: where necessary to establish, exercise or defend one’s rights in a court of law. The provision of personal data is compulsory and the relevant processing does not require consent due to the existence of a legitimate interest of the Data Controller, in accordance with Article 6(1)(f) GDPR.
4. Where and how personal data are processed
In relation to the aforementioned purposes, personal data will be processed using manual, computerised and electronic tools, with logic strictly related to these purposes and in any case in such a way as to guarantee the security and confidentiality of the data.
OpenSymbol will process the personal data of the data subject exclusively with technical personnel in charge of such processing, using mainly automated and computerised methods suitable to guarantee, in relation to the purposes for which the data are processed, the security and confidentiality of the data, as well as to prevent unauthorised access to the data. Automated decision making processes are not performed by OpenSymbol.
The processing of the data collected takes place on the premises of OpenSymbol and of the service providers identified by it and appointed, where necessary, as data processors in accordance with Article 28 of the GDPR.
The data collected and processed on the website are stored in the CRM shared by the Group Companies, which is hosted in HubSpot’s servers in Europe (“HubSpot CRM”).
5. Storage of personal data
The data subject’s personal data will only be stored for as long as necessary to achieve the purposes for which they have been collected, in accordance with the principle of minimisation pursuant to Article 5(1)(c) of the GDPR.
In particular, with regard to processing for marketing purposes, the data will be processed and stored until the data subject withdraws his or her consent. In any event, the data subject may at any time request that the processing cease or that the data be erased, as provided for below.
The Data Controller may store some data even after the termination of the relationship, depending on the time required to manage specific contractual or legal obligations as well as for administrative, tax and/or contribution purposes for the period of time required by laws and regulations in force, as well as for the time required to enforce any rights in a court of law.
In any case, the data will be processed not only in accordance with the regulations in force, but also in accordance with the standards of confidentiality to which the Data Controller has always been bound.
The storage period will vary according to the type of data processed, but in general, OpenSymbol refers to these criteria to determine the storage period:
- If there is a legal or contractual need to store the data.
- If the data are needed to provide its services.
6. Categories of parties to which the data may be disclosed
The Data controller may disclose the personal data in order to comply with legal obligations and to service providers who act as autonomous Data Controllers or are designated as Data Processors in accordance with Article 28 of the GDPR if they have to process data on behalf of the Data Controller and essentially fall into the following categories, which are listed by way of example but are not limited to:
- entities performing banking services, including those involved in operating payment systems;
- persons, companies, associations or professional firms providing services or activities of assistance and consultancy to the data controllers, in particular but not exclusively in relation to accounting, administrative, legal, tax and financial, commercial matters;
- business, marketing, legal partners, technical service and/or software platform providers, system administrators, hosting providers, IT companies, communication agencies;
- parties that carry out the control, the audit and the certification of the activities carried out;
- Group Companies that provide services of an IT nature (e.g. the provision of the HubSpot CRM or the support, maintenance, assistance and development of the HubSpot CRM itself);
- all the Group Companies, only if the data subject has given his or her consent for the purposes set out in point 7) of paragraph 3 above.
The updated list of parties to which the personal data of data subjects may be communicated and/or transferred is available from OpenSymbol by contacting us at: firstname.lastname@example.org.
7. Transfer of data outside the EU
Any transfer of data to Third Countries, outside the EU, for the purposes indicated in paragraphs 3 and 4 above, may take place, in accordance with the methods permitted by the laws in force and in particular in accordance with the provisions of the GDPR set out in: i) Article 44 – General principle of transfer; ii) Article 45 – Transfer on the basis of an adequacy decision; iii) Article 46 – Transfer subject to adequate safeguards; iv) Article 49 – Exceptions in specific situations.
The data subject’s data will be shared with Group Companies in the HubSpot CRM with the specific consent of the data subject. Group Companies include Kipcast S.r.l, which is based in Canada. The transfer of data to this Company is guaranteed by the European Commission’s Adequacy Decision 2002/2/EC of 20 December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data under the Canadian Personal Information Protection and Electronic Documents Act.
8. Rights of the data subject
Articles 15-22 of the GDPR provide data subjects with specific rights. In particular, the data subject may obtain from the Data Controller: access, rectification, erasure, restriction of processing, withdrawal of consent, and portability of data concerning them. The data subject also has the right to object to processing on legitimate grounds and/or for commercial purposes.
The Data Controller undertakes to reply to the data subject as soon as possible after verifying the identity of the data subject, where necessary.
Where the right of objection is exercised, the Data Controller reserves the right not to process the request and thus to continue processing if there are compelling legitimate grounds for processing which override the interests, rights and freedoms of the data subject.
With respect to marketing purposes, this is without prejudice to the possibility of the data subject having given their consent:
- to request, at any time and free of charge, to receive communications only by traditional contact methods, such as cold calling;
- to object, at any time and free of charge, to the processing of data for the above-mentioned purposes. In this case, the right to object to the processing of data via automated contact methods (such as e-mail and automated calls) extends to traditional contact methods (such as cold calling);
- to object, at any time and free of charge, to the processing of data for the above-mentioned purposes only in part, i.e. by expressly choosing how to be contacted.
The aforementioned rights may be exercised by sending a written communication at the following e-mail address: email@example.com.
The data subject is informed that, pursuant to Article 12 of the GDPR, if the data subject’s requests are found to be manifestly unfounded or excessive, in particular due to their repetitive nature, the Data Controller may a) charge a reasonable fee, taking into account the administrative costs incurred in providing the information or communications or in taking the requested action, or b) refuse to comply with the request.
The data subject also has the right to lodge a complaint with the Italian Data Protection Authority.