Compliance with Art.13 of EU Regulation 679/2016 (“GDPR”)
Bluegreen Strategy Srl (short “Bluegreen”) protects the confidentiality of personal data and guarantees to them the necessary protection from any event that could put them at risk of violation. As required by the European Union Regulation no. 679/2016 (“GDPR”), and in particular to the art. 13, below we provide the User with the information required by law concerning the processing of their personal data.
Who we are and what data we process (article 13, paragraph 1 letter a, article 15, letter b GDPR)
Bluegreen Strategy Srl, in the person of its legal representative, with office in Casalecchio di Reno (BO), Via Isonzo n. 59/2, operates as Data Controller and can be contacted at firstname.lastname@example.org and collects and / or receives information concerning the interested party, such as: name, surname, physical address, nationality, province and municipality of residence, landline and / or mobile phone, fax, tax identification number, social security number, e-mail address.
Bluegreen does not require the User to provide “particular” data, that is, according to the provisions of the GDPR (Article 9), personal data revealing racial or ethnic origin, political opinions, religious or philosophical convictions, or union membership, as well as genetic data, data biometrics designed to uniquely identify a natural person, data relating to a person’s health or sexual life or sexual orientation. In the event that the service requested to Bluegreen requires the processing of such data, the interested party will receive prior notice and will be required to give appropriate consent.
For what purposes we need the data of the interested party (Article 13, paragraph 1 of the GDPR)
The data are used by the Data Controller to follow up the contact request and the contract for the supply of the selected Service and / or the purchased Product, manage and execute the contact requests sent by the User, provide assistance, comply with legal and regulatory obligations. Under no circumstances does Bluegreen resell the personal data of the interested party to third parties nor use them for undeclared purposes. In particular the data of the interested party will be processed for:
a) registration and contact requests and / or information material
The processing of personal data of the interested party takes place to carry out the preliminary activities and consequent to the registration request, to the management of requests for information and to contact and / or sending information material, as well as for the fulfillment of any other obligation arising. The legal basis of these treatments is the fulfillment of the services inherent to the request for registration, information and contact and / or sending of informative material and compliance with legal obligations.
b) management of the contractual relationship: The processing of personal data of the interested party takes place to carry out preliminary activities and consequent to the purchase of a Service and / or a Product, the management of the related order, the provision of the Service itself and / or production and / or the shipment of the purchased Product, the related invoicing and management of the payment, the handling of complaints and / or reports to the assistance service and the provision of the assistance itself, the prevention of fraud and the fulfillment of any other obligation arising from the contract. The legal basis of these treatments is the fulfillment of the services inherent in the contractual relationship and compliance with legal obligations.
c) promotional activities on Services / Products similar to those purchased by the Interested Party: The data controller, even without your explicit consent, may use the contact details provided by the Interested Party, for the purpose of direct sale of their Services / Products, limited to the case in which the Services / Products are similar to those object of the sale, unless the interested party explicitly objects.
Communication to third parties and categories of recipients (Article 13, 1st paragraph GDPR)
The personal data will be communicated mainly to third parties and / or recipients whose activity is necessary for the performance of the activities related to the relationship established and to meet certain legal obligations, such as:
- Companies controlled by Bluegreen Strategy srl, for the purpose of delivering the contracted services.
- Third-party suppliers of Bluegreen, for the provision of services related to the requested service.
- Credit and digital payment institutions, banking / postal institutions for management of payments and refunds related to the contractual performance.
- External professionals / consultants and consulting firms, for fulfillment of legal obligations, exercise of rights, protection of contractual rights, recovery of credit.
- Financial administration, public bodies, judicial authorities, supervisory authorities for compliance with legal obligations, defense of rights and for lists and registers held by public authorities or similar bodies on the basis of specific legislation, in relation to the contractual performance.
- Formally delegated subjects or having a recognized legal title (legal representatives, curators, tutors, etc.).
What happens if the Data Subject does not provide his data identified as necessary for the execution of the requested service? (Article 13, paragraph 2, letter and GDPR)
The collection and processing of personal data is necessary to follow up the requested services as well as the provision of the Service and / or the supply of the requested Product. If the Data Subject does not provide the personal data expressly provided for as necessary in the order form or the registration form, the Data Controller will not be able to process the processing of the requested services and / or the contract and the Services / Products connected to it, or to the obligations that depend on them.
How we process the data of the interested party (Article 32 GDPR)
The Data Controller provides for the use of adequate security measures to preserve the confidentiality, integrity and availability of the personal data of the interested party and imposes similar security measures on third parties and on the Managers.
Where we process the data of the interested party
The personal data of the interested party are stored in paper, computer and electronic archives located in countries where the GDPR (EU countries) is applied.
How long are the data of the interested party stored? (Article 13, paragraph 2, letter to GDPR)
Unless he expressly expresses his will to remove them, the personal data of the interested party will be kept until they are necessary with respect to the legitimate purposes for which they were collected. In particular, they will be kept for the entire duration of their registration and in any case no longer than a maximum period of 12 (twelve) months of inactivity, or if, within this period, no Services and / or purchased Products are associated the registry itself. In the case of data provided to the Owner for the purposes of commercial promotion for services other than those already acquired by the Data Subject, for which he initially consented, these will be retained for 24 months, subject to revocation of the consent given. In the case of data provided to the Owner for the purposes of profiling, these will be retained for 12 months, unless revocation of consent given. Furthermore, personal data will in any case be kept for the fulfillment of the obligations (eg fiscal and accounting) that remain even after the termination of the contract (Article 2220 of the Italian Civil Code); for these purposes the Data Controller will retain only the data necessary for the relative prosecution. Except in cases where the rights deriving from the contract and / or registration, in which case the personal data of the interested party, exclusively those necessary for such purposes, will be processed for the time necessary to their pursuit.
What are the rights of the interested party? (Articles 15 – 20 GDPR)
The interested party has the right to obtain from the data controller the following:
a) confirmation of whether or not personal data processing is being processed and, in this case, to obtain access to personal data and the following information: 1. the purposes of the processing; 2. the categories of personal data in question; 3. the recipients or categories of recipients to whom the personal data have been or will be communicated, in particular if recipients of third countries or international organizations; 4. when possible, the retention period of the personal data provided or, if not possible, the criteria used to determine this period; 5. the existence of the right of the data subject to request the data controller to rectify or delete personal data or limit the processing of personal data concerning him or to oppose their treatment; 6. the right to lodge a complaint with a supervisory authority; 7. if the data are not collected from the data subject, all information available on their origin; 8. the existence of an automated decision-making process, including profiling, and, at least in such cases, significant information on the logic used, as well as the importance and expected consequences of this treatment for the data subject. 9. the adequate guarantees provided by the third country (non-EU) or an international organization to protect any data transferred.
b) the right to obtain a copy of the personal data being processed, provided that this right does not affect the rights and freedoms of others; In case of further copies requested by the interested party, the data controller may charge a reasonable fee contribution based on administrative costs.
c) the right to obtain from the data controller the correction of inaccurate personal data concerning him without undue delay.
d) the right to obtain from the data controller the cancellation of personal data concerning him without undue delay, if the reasons provided for by the GDPR in art. 17, among which, for example, in the case in which they are no longer necessary for the purposes of the processing or if this is assumed to be illegal, and the conditions provided for by law still exist; and in any case if the treatment is not justified by another equally legitimate reason.
e) the right to obtain from the data controller the limitation of processing, in the cases provided for by art. 18 of the GDPR, for example where you have challenged its accuracy, for the period necessary for the Data Controller to verify its accuracy. The interested party must be informed, in reasonable time, also of when the suspension period has been completed or the cause of the limitation of the treatment has ceased, and therefore the limitation itself revoked.
f) the right to obtain communication from the holder of the recipients to whom the requests for any corrections or cancellations or limitations of the processing have been transmitted, unless this proves impossible or involves a disproportionate effort.
g) the right to receive personal data concerning him in a structured, commonly used and automatically readable format, and the right to transmit such data to another data controller without impediments by the data controller who provided them , in the cases provided for by art. 20 of the GDPR, and the right to obtain direct transmission of personal data from one controller to another, if technically feasible.
How and when can the data subject oppose the processing of personal data? (Article 21 GDPR)
For reasons relating to the particular situation of the interested party, the same may oppose at any time the processing of their personal data if it is based on legitimate interest or if it takes place for business promotion, sending the request to the owner at email@example.com. The interested party has the right to cancel his / her personal data if there is no legitimate overriding reason for the Data Controller than the one giving rise to the request, and in any case in case the Data Subject opposes the processing for commercial promotion activities.
To whom can the interested party submit a complaint? (Article 15 GDPR)
Without prejudice to any other action in administrative or judicial, the interested party may lodge a complaint with the competent supervisory authority on the Italian territory (Authority for the protection of personal data) or the one carrying out its duties and exercising its powers in the Member State where the GDPR violation took place. Each update of these provision will be promptly communicated and by means of reasonable means and will also be communicated if the Data Controller processes the data of the Data Subject for further purposes than those referred to in this Notice before proceeding and following the manifestation of the relative consent of the Interested Party if necessary.