Information TO VISITORS

regarding the protection of personal data

pursuant to art. 13 of the EU Regulation 2016/679

Dear Visitor,

in compliance with the provisions of art. 13 of the EU Regulation 2016/679 (the “GDPR”) and in application of the principles set by the GDPR itself, we inform you that in order to access the premises of our company it is necessary that each visitor (the “Data Subject”) is identified and registered through the exhibition of a valid identity document and upon signing of a consent to the recording of the requested data (the “Personal Data”). We therefore deliver this information to you in order to make you aware of the characteristics and methods of processing (the “Processing”), on our part, of Personal Data.

  1. Data Controller (the “Data Controller”).

The Data Controller is the company Texapel S.p.a. tax code and VAT number 01443570484, in the person of the legal representative pro tempore, with registered office in Prato (PO) at Via Rimini n. 49 – 59100, tel. 0574/62561, fax 0574/020142, PEC: texap-el@pec.texnet.it, e-mail: info@texappel.it, website: http://www.texapel.it/.

Any communication concerning the Processing, also pursuant to the following articles, must be sent, by you and/or by the interested party, by registered mail, PEC or email to the addresses indicated above.

  1. Purpose of Processing (the “Purposes”) and legal basis.

The Personal Data collected, from the interested party (art. 13 GDPR) or otherwise (art. 14 GDPR), will be used by us exclusively for the purpose of:

  • protect the safety of the premises and the people present therein;
  • control and protect the information connected to the exercise of the activity carried out within our premises and guarantee the protection of the personal data of third parties;
  • fulfil the pre-contractual and contractual obligations towards you;
  • fulfil and demand the fulfillment of specific obligations deriving from laws and regulations.

The legal basis of the treatment consists of:

  • from the need on our part to execute a contract of which the interested party is a party or to pre-contractual measures adopted at the request of the same;
  • from our need to comply with a legal obligation.
  1. Mandatory or optional nature of the provision of Personal Data.

The communication by you of personal data is optional, but necessary, since any refusal to release it, as well as the incorrect communication of the same data and/or the failure to show your identity document, makes it impossible for the ‘Interested in accessing our premises.

For the same reasons, as well as for the purpose of correct management of the existing relationship, we also ask you to inform us of any changes to the Personal Data already collected, as soon as they have occurred.

  1. Communication of Personal Data.

Personal data is processed internally by persons authorized to process it (the “Authorised”) under the responsibility of the Data Controller for the purposes indicated above.

Personal data may be communicated to subjects external to us, in charge of carrying out instrumental and/or accessory functions for the performance of our corporate activity, who will process said data on our behalf. These subjects will be appointed by us as External Data Processors (the “External Managers”), in accordance with the provisions of art. 28 GDPR. An updated list of External Managers is available at the Data Controller’s registered office, which will be provided to the Data Subject upon written request to the aforementioned addresses.

Apart from the cases above, the Personal Data may also be communicated to further recipients and/or categories of recipients (the “Recipients” and the “Categories of Recipients”), only for the performance of the activities inherent to the relationship pre-contractual and/or contractual agreement established between us and/or to fulfill legal obligations and/or orders from the Authorities, and in any case always in compliance with the guarantees provided by the GDPR and by the guidelines of the Italian Guarantor Authority, as well as by the Commission established in compliance with the aforementioned GDPR.

Without prejudice to the foregoing, Personal Data will in no case be disclosed and/or communicated to third parties, unless specifically consented to by the Data Subject and in any case always only where necessary for the fulfillment of the Purposes.

  1. Processing of “special categories of personal data” and of “personal data relating to criminal convictions and offences”.

If, as part of the Processing, the Data Controller becomes aware of Personal Data belonging to:

(i) to “particular categories” pursuant to art. 9 GDPR (i.e. those “that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as process genetic data, biometric data intended to uniquely identify a natural person , data relating to the person’s health or sex life or sexual orientation“), said data will be processed, always exclusively for the purposes indicated, only with the consent of the interested party or, in any case, as long as the treatment is necessary to fulfill the obligations and exercise the specific rights of the Data Controller or the Data Subject in the field of labor law and social security and social protection, to the extent that it is authorized by European Union or Member State law or by a contract collective under the law of the Member States, in the presence of appropriate guarantees for the fundamental rights and interests of the data subject;

(ii) to “criminal sentences and crimes or related security measures” pursuant to art. 10 GDPR, the Processing will take place only under the control of the Public Authority or if the Processing is authorized by the law of the European Union or of the Member States which provides appropriate guarantees for the rights and freedoms of the interested parties. Any complete register of criminal convictions must only be kept under the control of the public authority.

  1. Methods of Treatment.

The Processing takes place with the aid of electronic and/or paper instruments and, in any case, by adopting suitable organizational and IT procedures and measures to protect its security, confidentiality, relevance and non-excess.

  1. Territorial scope.

Personal data will be processed within the territory of the European Union.

If, for technical and/or operational reasons, it becomes necessary to make use of subjects located outside that territory, they will be appointed as External Managers and the transfer of Personal Data to them, limited to the performance of specific Treatment activities, will be regulated in accordance with the provisions of the GDPR, adopting all the necessary precautions in order to guarantee the total protection of Personal Data and basing this transfer on the evaluation of appropriate guarantees (including, by way of example, adequacy decisions of third country recipients expressed by the European Commission, adequate guarantees expressed by the third party recipient pursuant to Article 46 of the GDPR, etc.).

In any case, the interested party may request further details from the Data Controller if the personal data have been processed outside the European Union, requesting evidence of the specific guarantees adopted.

  1. Period of retention.

Personal Data will be kept by the Data Controller for the period strictly necessary for the pursuit of the Purposes and in any case within the maximum term of 3 years, except in the case in which they are necessary for the establishment of pre-contractual and/or contractual relationships, in which case said Personal data will be kept until the termination of the relationships or for the further retention period that may be imposed by law.

As regards the spontaneously transmitted CVs, they will be kept for a period not exceeding 3 years from sending, or the different maximum period indicated by the Guarantor Authority for the protection of personal data.

In order to manage any disputes or disputes, and in any case for the assessment, exercise or defense of a right in court, the Personal Data may be kept for a further period, equal to that of the limitation period of the right itself.

  1. How to release the information.

The Data Controller specifies that he will proceed with the release of the information to the interested party, by posting it on his premises.

However, it should be noted that it can be consulted on our company web website or that it will be sent upon simple written request to the addresses indicated above.

  1. Rights of the interested party and methods of exercise.

The interested party, at any time, may exercise the rights recognized by the GDPR (the “Rights of the interested party”), and in particular:

  • 15 – Right of access of the interested party: the interested party has the right to access their data and the related treatments. This right consists in the possibility of obtaining confirmation as to whether or not personal data is being processed, or in the possibility of requesting and receiving a copy of the data being processed;
  • 16 – Right of rectification: the interested party has the right to obtain from the Data Controller the rectification of inaccurate personal data concerning him without unjustified delay. Taking into account the Purposes, the interested party has the right to obtain the integration of incomplete personal data, also by providing a supplementary declaration;
  • 17 – Right to cancellation (“right to be forgotten”): the interested party has the right to request the Data Controller that the personal data concerning him be canceled and no longer subjected to processing and in some cases, where there are extremes, to obtain cancellation without unjustified delay when the purpose of the Treatment has been fulfilled, consent has been revoked, opposition has been made to the Treatment or when the Treatment of your Personal Data is not otherwise compliant to the GDPR;
  • 18 – Right to limit processing: the interested party has the right to limit the processing of their personal data in the event of inaccuracies, disputes or as an alternative measure to cancellation;
  • 20 – Right to data portability: the interested party, with the exception of the hypothesis in which the data are stored through non-automated processing (e.g. in paper format), has the right to receive in a structured format, commonly used and readable by an automatic device, the Personal Data concerning him, where reference is made to data provided directly by the interested party, with express consent or on the basis of a contract, and to request that the same be transmitted to another data controller, if technically feasible;
  • 21 – Right to object: the interested party has the right to object at any time, for reasons connected with his particular situation, to the processing of personal data concerning him.

If the interested party wishes to exercise one of the rights listed above, he must address his request directly to the Data Controller at the addresses indicated above, except for the right to lodge a complaint to be sent to the Guarantor Authority or to lodge an appeal before the competent judicial authority.

The deadline for responding to the interested party by the Data Controller is, for all rights (including the right of access) and also in the event of refusal, 1 month, which can be extended up to 3 months in particularly complex cases.

However, the art. 12 GDPR.

  1. Withdrawal of consent.

In cases where the processing must take place only following the consent of the interested party and the latter has provided it, he has the right to revoke the consent given at any time by sending a written request to the Data Controller at the addresses indicated above.

The withdrawal of consent does not affect the lawfulness of the treatment based on the consent given before the withdrawal.

In force since 25/05/2018