Svolta
Information pursuant to art. 13 of Regulation (EU) no. 679/2016 (“GDPR”)
Svolta protects the confidentiality of personal data and guarantees them the necessary protection from any event that could put them at risk of violation.
As required by European Union Regulation no. 679/2016 (“GDPR”), and in particular art. 13, below we provide the user („Interested Party“) with the information required by law relating to the processing of their personal data.
SECTION I
Who we are and what data we process (art. 13, 1st paragraph letter a, art. 15, letter b GDPR)
Svolta, in the person of its legal representative, acts as Data Controller and can be contacted at aline.stoll@svolta.ch and collects and/or receives information concerning the interested party, such as:
| Data category | Exemplification of data types |
| Personal data | name, surname, physical address, nationality, province and municipality of residence, landline and/or mobile telephone, fax, tax code, e-mail address(es) |
| Telematic traffic data | Log, IP address of origin. |
Svolta does not require the interested party to provide so-called „particular“ data, that is, in accordance with the provisions of the GDPR (art. 9), personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data intended to uniquely identify a natural person, data relating to the person’s health or sexual life or sexual orientation. In the event that the service requested from Svolta requires the processing of such data, the interested party will receive specific information in advance and will be asked to give specific consent.
SECTION II
For what purposes do we need the data of the interested party (art. 13, 1st paragraph GDPR)
The data is used by the Data Controller to follow up on the request for registration and the contract for the supply of the chosen Service and/or the purchased Product, manage and execute the contact requests forwarded by the Interested Party, provide assistance, fulfill legal and regulatory obligations which the Data Controller is required to do based on the activity carried out. Under no circumstances will Svolta resell the personal data of the interested party to third parties or use them for undeclared purposes.
In particular, the data of the interested party will be processed for:
a) registration and requests for contact and/or information material
The processing of the interested party’s personal data takes place to carry out the preliminary and consequent activities to the request for registration, to manage requests for information and contact and/or to send information material, as well as for the fulfillment of any other obligation arising.
The legal basis of such processing is the fulfillment of the services inherent to the request for registration, information and contact and/or sending of informative material and compliance with legal obligations.
b) the management of the contractual relationship
The processing of the personal data of the interested party takes place to carry out the preliminary and consequent activities to the purchase of a Service and/or a Product, the management of the relevant order, the provision of the Service itself and/or the production and/or the shipment of the purchased Product, the related invoicing and payment management, the handling of complaints and/or reports to the assistance service and the provision of the assistance itself, the prevention of fraud as well as the fulfillment of any other obligation arising from the contract.
The legal basis of these treatments is the fulfillment of the services inherent to the contractual relationship and compliance with legal obligations.
c) promotional activities on Services/Products similar to those purchased by the interested party (Recital 47 GDPR)
The data controller, even without your explicit consent, may use the contact data communicated by the interested party, for the purposes of direct sales of its own Services/Products, limited to the case in which they are Services/Products similar to those covered by the sale, unless the interested party explicitly objects.
d) commercial promotion activities on Services/Products different from those purchased by the interested party
The personal data of the interested party may also be processed for commercial promotion purposes, for surveys and market research with regard to Services/Products that the Data Controller offers only if the interested party has authorized the processing and does not object to this.
This processing can take place automatically in the following ways:
e-mail;
sms;
telephone contact
and can be done:
1. if the interested party has not revoked his consent for the use of the data;
2. if, in the event that the processing takes place through contact with a telephone operator, the interested party is not registered in the register of objections referred to in Presidential Decree no. 178/ 2010;
The legal basis of such processing is the consent given by the interested party prior to the processing itself, which can be revoked by the interested party freely and at any time (see Section III).
e) IT security
The Data Controller, in line with the provisions of Recital 49 of the GDPR, processes, also through its suppliers (third parties and/or recipients), the personal data of the interested party relating to traffic to a strictly necessary and proportionate extent to guarantee the security of the networks and information, i.e. the ability of a network or information system to resist, at a given level of security, unexpected events or illicit or malicious acts that compromise the availability, authenticity, integrity and confidentiality of personal data stored or transmitted.
The Data Controller will promptly inform the Interested Parties if there is a particular risk of violation of their data without prejudice to the obligations deriving from the provisions of the art. 33 of the GDPR relating to notifications of personal data breaches.
The legal basis for such processing is compliance with legal obligations and the legitimate interest of the Data Controller in carrying out processing relating to the protection of company assets and the safety of Svolta’s offices and systems.
f) profiling
The personal data of the interested party may also be processed for profiling purposes (such as analysis of the data transmitted and the chosen Services/Products, proposing advertising messages and/or commercial proposals in line with the choices expressed by the users themselves) exclusively in the event that the interested party has provided explicit and informed consent. The legal basis of such processing is the consent given by the interested party prior to the processing itself, which can be revoked by the interested party freely and at any time (see Section III).
g) fraud prevention (recital 47 and art. 22 GDPR)
the personal data of the interested party, with the exception of particular data (Art 9 GDPR) or judicial data (Art 10 GDPR) will be processed to allow checks for the purpose of monitoring and preventing fraudulent payments, by software systems that carry out checks in a manner automated and prior to the negotiation of Services/Products;
passing these checks with a negative result will make it impossible to carry out the transaction; In any case, the interested party may express his/her opinion, obtain an explanation or contest the decision by justifying his/her reasons to the Customer Support service or to contact aline.stoll@svolta.ch
personal data collected for anti-fraud purposes only, unlike the data necessary for the correct execution of the requested service, will be immediately deleted at the end of the control phases.
h) the protection of minors
The Services/Products offered by the Owner are reserved for subjects legally able, on the basis of the relevant national legislation, to conclude contractual obligations.
In order to prevent illegitimate access to its services, the Data Controller implements prevention measures to protect its legitimate interest, such as checking the tax code and/or other checks, when necessary for specific Services/Products, the correctness of the data identifiers of identity documents issued by the competent authorities.
Communication to third parties and categories of recipients (art. 13, 1st paragraph GDPR)
The communication of the interested party’s personal data occurs mainly towards third parties and/or recipients whose activity
necessary for carrying out the activities inherent to the established relationship and to respond to certain legal obligations, such as:
| Categories of recipients | Purpose |
| Third party suppliers and Turnaround Companies * | Provision of services (assistance, maintenance, delivery/shipping of products, provision of additional services, network providers and electronic communications services) connected to the requested service |
| Credit and digital payment institutions, banking/postal institutions | Management of collections, payments, reimbursements connected to contractual performance |
| External professionals/consultants and consultancy companies | Fulfillment of legal obligations, exercise of rights, protection of contractual rights, debt collection |
| Financial administration, public bodies, judicial authorities, supervisory and control authorities | Fulfillment of legal obligations, defense of rights; lists and registers kept by public authorities or similar bodies based on specific legislation, in relation to contractual performance |
| Subjects formally delegated or having recognized legal title | Legal representatives, curators, guardians, etc. |
The Data Controller requires its third party suppliers and Data Processors to comply with security measures equal to those adopted for the Interested Party, restricting the scope of action of the Data Processor to the processing connected to the service requested.
The Data Controller does not transfer your personal data to countries in which the GDPR is not applied (non-EU countries) unless specifically indicated otherwise for which you will be informed in advance and your consent will be requested if necessary.
The legal basis of such processing is the fulfillment of the services inherent to the established relationship, compliance with legal obligations and the legitimate interest of Svolta. to carry out processing necessary for these purposes.
SECTION III
What happens if the interested party does not provide his/her data identified as necessary for the execution of the requested service? (Art. 13, 2nd paragraph, letter e GDPR)
The collection and processing of personal data is necessary to follow up on the requested services as well as the provision of the Service and/or the supply of the requested Product. If the interested party does not provide the personal data expressly foreseen as necessary in the order form or registration form, the Data Controller will not be able to carry out the processing related to the management of the requested services and/or the contract and the Services/ Products connected to it, nor to the obligations that depend on them.
What happens if the interested party does not provide consent to the processing of personal data for commercial promotion activities on Services/Products other than those purchased?
In the event that the interested party does not give his consent to the processing of personal data for these purposes, said processing will not take place for the same purposes, without this having any effect on the provision of the services requested, nor for those for which he has already given your consent, if requested.
In the event that the interested party has given consent and should subsequently revoke it or oppose the processing for commercial promotion activities, his/her data will no longer be processed for such activities, without this leading to consequences or prejudicial effects for the interested party and for the required performances.
How we process the data of the interested party (art. 32 GDPR)
The Data Controller arranges for the use of adequate security measures in order to preserve the confidentiality, integrity and availability of the interested party’s personal data and imposes similar security measures on third party suppliers and Managers.
Where we process the data of the interested party
The personal data of the interested party are stored in paper, computer and electronic archives located in countries where the GDPR is applied (EU countries).
How long are the interested party’s data stored for? (art. 13, 2nd paragraph, letter a GDPR)
Unless the latter explicitly expresses their desire to remove them, the personal data of the interested party will be kept for as long as they are necessary for the legitimate purposes for which they were collected.
In particular, they will be kept for the entire duration of your registration and in any case no longer than a maximum period of 12 (twelve) months of inactivity, or if, within this period, no Services are associated and/or no Products are purchased through the the registry itself.
In the case of data provided to the Data Controller for the purposes of commercial promotion for services other than those already acquired by the interested party, for which he initially gave consent, these will be kept for 24 months, unless the consent given is revoked.
In the case of data provided to the Data Controller for profiling purposes, these will be kept for 12 months, unless the consent given is revoked.
It should also be added that, in the event that a user forwards unsolicited or unnecessary personal data to Svolta for the purpose of carrying out the requested service or for the provision of a service strictly connected to it, Svolta cannot be considered the owner of these data , and will delete them as soon as possible.
Regardless of the interested party’s determination to remove them, the personal data will in any case be stored according to the terms established by current legislation and/or national regulations, for the exclusive purpose of guaranteeing the specific obligations specific to some Services (by way of example but not exhaustive, Certified Email, Digital Signature, Substitutive Storage – in this regard, see the relevant section).
Furthermore, personal data will in any case be kept for the fulfillment of obligations (e.g. fiscal and accounting) which remain even after the termination of the contract (art. 2220 cc); for these purposes the Data Controller will only retain the data necessary for the relevant pursuit.
This is without prejudice to cases in which the rights deriving from the contract and/or registration must be asserted in court, in which case the personal data of the interested party, exclusively those necessary for these purposes, will be processed for the time necessary for their pursuit.
What are the rights of the interested party? (articles 15 – 20 GDPR)
The interested party has the right to obtain from the data controller the following:
a) confirmation of whether or not personal data concerning him or her are being processed and, if so, to obtain access to the personal data and the following information:
1. the purposes of the processing;
2. the categories of personal data in question;
3. the recipients or categories of recipients to whom the personal data have been or will be communicated, in particular if recipients are from third countries or international organizations;
4. when possible, the expected retention period of personal data or, if this is not possible, the criteria used to determine this period;
5. the existence of the right of the interested party to ask the data controller to rectify or delete personal data or to limit the processing of personal data concerning him or to oppose their processing;
6. the right to lodge a complaint with a supervisory authority;
7. if the data are not collected from the interested party, all available information on their origin;
8. the existence of an automated decision-making process, including profiling, and, at least in such cases, significant information on the logic used, as well as the importance and expected consequences of such processing for the interested party.
9. the adequate guarantees provided by the third country (non-EU) or an international organization to protect any data transferred
b) the right to obtain a copy of the personal data being processed, provided that this right does not harm the rights and freedoms of others; In case of further copies requested by the interested party, the data controller may charge a reasonable fee based on administrative costs.
c) the right to obtain from the data controller the rectification of inaccurate personal data concerning him without unjustified delay
d) the right to obtain from the data controller the deletion of personal data concerning him without unjustified delay, if the reasons provided for by the GDPR in art. exist. 17, including, for example, in the event that they are no longer necessary for the purposes of the processing or if this is considered unlawful, and always if the conditions established by law exist; and in any case if the processing is not justified by another equally legitimate reason;
e) the right to obtain from the data controller the limitation of processing, in the cases provided for in the art. 18 of the GDPR, for example where you have contested its accuracy, for the period necessary for the Data Controller to verify its accuracy. The interested party must also be informed, within a reasonable time, of when the suspension period has been completed or the cause of the limitation of the processing has ceased to exist, and therefore the limitation itself revoked;
f) the right to obtain communication from the owner of the recipients to whom the requests for any corrections or cancellations or limitations of the processing carried out have been transmitted, unless this proves impossible or involves a disproportionate effort.
g) the right to receive personal data concerning him in a structured, commonly used and machine-readable format and the right to transmit such data to another data controller without impediments on the part of the data controller to whom he provided them , in the cases provided for by the art. 20 of the GDPR, and the right to obtain the direct transmission of personal data from one data controller to another, if technically feasible.
For any further information and in any case to send your request you must contact the Data Controller at aline.stoll@svolta.ch. In order to guarantee that the above-mentioned rights are exercised by the interested party and not by unauthorized third parties, the Data Controller may request at the same time to provide any further information necessary for this purpose.
How and when can the interested party object to the processing of their personal data? (Art. 21 GDPR)
For reasons relating to the particular situation of the interested party, the interested party may object at any time to the processing of their personal data if it is based on legitimate interest or if it takes place for commercial promotional activities, by sending the request to the Data Controller at the address aline.stoll @svolta.ch
The interested party has the right to have their personal data deleted if there is no overriding legitimate reason of the Data Controller compared to that which gave rise to the request, and in any case in the event that the interested party has objected to the processing for commercial promotion activities.
To whom can the interested party lodge a complaint? (Art. 15 GDPR)
Without prejudice to any other administrative or judicial action, the interested party may submit a complaint to the competent supervisory authority on Italian territory (Personal Data Protection Authority) or to the one that carries out its tasks and exercises its powers. in the Member State where the violation of the GDPR occurred.
Any update to this Information will be communicated promptly and by appropriate means and will also be communicated if the Data Controller processes the data of the interested party for purposes other than those referred to in this Information before proceeding and following the manifestation of the relevant consent of the interested party. ‚Interested if necessary.
SECTION IV
COOKIE
General information, deactivation and management of cookies
Cookies are data that are sent by the website and stored by the internet browser on the user’s computer or other device (for example, tablet or mobile phone). Technical cookies and third-party cookies may be installed from our website or its subdomains.
In any case, the user will be able to manage, or request the general deactivation or deletion of cookies, by changing the settings of their internet browser. This deactivation, however, may slow down or prevent access to some parts of the site.
The settings for managing or deactivating cookies may vary depending on the internet browser used, therefore, for more information on how to carry out these
operations, we suggest the User consult the manual of their device or the „Help“ function or “Help” of your internet browser.
Below we indicate to Users the links that explain how to manage or disable cookies for the most popular internet browsers:
Internet Explorer: http://windows.microsoft.com/it-IT/internet-explorer/delete-manage-cookies
Google Chrome: https://support.google.com/chrome/answer/95647
Mozilla Firefox: http://support.mozilla.org/it/kb/Gestione%20dei%20cookie
Opera: http://help.opera.com/Windows/10.00/it/cookies.html
Safari: https://support.apple.com/kb/PH19255
Technical cookies
The use of technical cookies, i.e. cookies necessary for the transmission of communications on an electronic communications network or cookies strictly necessary for the supplier to provide the service requested by the customer, allows the safe and efficient use of our site.
Potranno essere installati cookie di sessione al fine di consentire l’accesso e la permanenza nell’area riservata del portale come utente autenticato.
I cookie tecnici sono essenziali per il corretto funzionamento del nostro sito internet e sono utilizzati per permettere agli utenti la normale navigazione e la possibilità di usufruire dei servizi avanzati disponibili sul nostro sito web. I cookie tecnici utilizzati si distinguono in cookie di sessione, che vengono memorizzati esclusivamente per la durata della navigazione fino alla chiusura del browser, e cookie persistenti che vengono salvati nella memoria del dispositivo dell’utente fino alla loro scadenza o cancellazione da parte dell’utente medesimo. Il nostro sito utilizza i seguenti cookie tecnici:
Cookie tecnici di navigazione o di sessione, utilizzati per gestire la normale navigazione e l’autenticazione dell’utente;
Cookie tecnici funzionali, utilizzati per memorizzare personalizzazioni scelte dall’utente, quali, ad esempio, la lingua;
Cookie tecnici analytics, utilizzati per conoscere il modo in cui gli utenti utilizzano il nostro sito web così da poter valutare e migliorare il funzionamento.
Cookie di terze parti
Potranno essere installati cookie di terze parti: si tratta dei cookie, analitici e di profilazione, di Google Analytics, Google Doubleclick, Criteo, Rocket Fuel, Youtube, Yahoo, Bing e Facebook. Tali cookie sono inviati dai siti internet di predette terze parti esterni al nostro sito.
I cookie analitici di terze parti sono impiegati per rilevare informazioni sul comportamento degli utenti sul sito. La rilevazione avviene in forma anonima, al fine di monitorare le prestazioni e migliorare l’usabilità del sito. I cookie di profilazione di terze parti sono utilizzati per creare profili relativi agli utenti, al fine di proporre messaggi pubblicitari in linea con le scelte manifestate dagli utenti medesimi.
L’utilizzo di questi cookie è disciplinato dalle regole predisposte dalle terze parti medesime, pertanto, si invitano gli Utenti a prendere visione delle informative privacy e delle indicazioni per gestire o disabilitare i cookie pubblicate nelle seguenti pagine web:
Per cookie di Google Analytics:
– privacy policy: https://www.google.com/intl/it/policies/privacy/
– indicazioni per gestire o disabilitare i cookie: https://support.google.com/accounts/answer/61416?hl=it
Cookie di profilazione
Possono essere installati da parte del/dei Titolare/i, mediante software di c.d. web analytics, cookie di profilazione, i quali sono utilizzati per predisporre report di analisi dettagliati e in tempo reale relativi ad informazioni su: visitatori di un sito web, motori di ricerca di provenienza, parole chiave utilizzate, lingua di utilizzo, pagine più visitate.
They may collect information and data such as IP address, nationality, city, date/time, device, browser, operating system, screen resolution, browsing origin, pages visited and number of pages, duration of the visit, number of visits made.