1 – Who is the Data Controller?
Leonardo Medica s.r.l. (hereinafter also referred to as “LM” or the “data controller” or the “company”), with registered office in Sovigliana-Vinci (FI), via P. Togliatti n. 111 is the data controller.
2- What personal data do we process?
Pursuant to EU Regulation no. 679/2016 (or “GDPR”), personal data means any type of information relating to an identified or identifiable natural person. LM, depending on the service requested, will process the following personal data:
– to process orders placed on the website www.leonardomedica.it and fulfil the relevant tax, contract and legal obligations: first name, family name, personal contact details (email address and/or telephone number), VAT number, bank details, residential address, province and postcode, tax code, IP address for recording consent. We inform you that the purchase of some products is likely to reveal particular data relating to the health and sex life of the person concerned;
– for the management of the loyalty relationship: first name, family name, email and purchases made;
– to create your personal page on the site: first name, family name, personal contact details (email address and/or telephone number), VAT number, bank details, home address, province and postcode, IP address;
– to receive the newsletter: first name, family name and email address.
3-What is the legal basis for processing your data?
Processing can be validly carried out when one of the legal bases provided for in Article 6, 1st paragraph of the GDPR is present:
– letter a): consent;
– letter b): performance of a contract or pre-contract measures;
– letter c): performance of a legal obligation to which we are bound;
– letter f): legitimate interest of the data controller consisting in the defence of a right of the data controller and the sending of advertising e-mails, for the purpose of direct sales of its products or services, to persons who have already provided their e-mail address in the context of the sale of a product or service similar to those sold, as provided for by art. 130, paragraph 4 of Legislative Decree no. 196/2003 (so-called Privacy Code),
and art. 9 II° paragraph of the GDPR
– letter a): consent;
– letter f): processing necessary to ascertain, exercise or defend a right in court or whenever the judicial authorities exercise their jurisdictional functions.
We would like to specify that your consent is necessary and indispensable for us to be able to process your order, as some products are able to reveal information about your state of health and your sex life. Consent is optional for receiving the newsletter, and failure to give it does not affect the processing of your order. In the event that the processing is legitimised by the prior issue of consent, you may revoke it at any time by sending an email to firstname.lastname@example.org, without this affecting the lawfulness of the processing carried out on the basis of the consent up to the time of revocation.
We would also like to point out that in order to stop receiving e-mails sent pursuant to Article 130, paragraph 4 of the Privacy Code, you must express your disagreement by sending an e-mail to email@example.com.
4. For what purposes will we process your data?
We will use your data for the following purposes:
– sending the newsletter;
– correct execution of contracts;
– management of the loyalty programme;
– correct execution of orders placed via the e-commerce service provided through the www.leonardomedica.it website;
– creation of a personal page on www.leonardomedica.it;
– processing requests for information;
– fulfilling legal obligations to which we are subject;
– ascertaining, exercising or defending a legal right or claim.
5-What are the processing methods?
The processing will be carried out, in compliance with the aforementioned purposes, with or without the aid of electronic instruments by the data controller and/or employees and parties appointed as outside people in charge of data processing.
6-Who has access to your data or to whom may they be communicated?
– to third party companies or other entities that carry out activities on behalf of the Data Controller, also in their capacity as outside data processors;
– to possible recipients of the processing, such as, for example, insurance companies and banks, technicians responsible for the maintenance and/or repair of hardware, software and all computer and telematic equipment, couriers;
– employees and collaborators of the Data Controller or Data Processors, who are specifically authorised to do so;
– to parties who may access the data by force of law, regulations or Community regulations, within the limits laid down by such regulations;
– to parties to whom the data must be communicated by law.
7- Is it necessary for personal data to be provided and consent given?
The provision of data and consent is necessary in order to purchase the data controller’s products. On the other hand, to receive the newsletter or join the loyalty programme, the provision of data and consent is optional.
8-How are your data protected?
In order to guarantee an adequate level of data protection to limit the risk of improper or illegal use of the data, we have adopted technical and organisational security measures that comply with the parameters established by art. 32 of the GDPR. In particular, we use commercially reasonable technical and organisational measures and controls to protect your Personal Information from loss, misuse and unauthorised access.
9-How long will your data be stored?
In accordance with Art. 5(1.e) of the GDPR, we will only process your data for the time necessary to pursue the above-mentioned purposes.
In particular, data provided will be retained by the controller according to the following parameters:
1. for the activities of administration, accounting and management of any disputes:
10 years from the end of the contract relationship or for the time required and/or imposed by regulatory obligations, and in any case until the expiry of the limitation period in order to be able to enforce any existing legal claims;
2. for sending the newsletter: until you decide to revoke your consent by sending an email to firstname.lastname@example.org;
3. for the sending of advertising communications carried out pursuant to Article 130(4) of the Privacy Code: until you express your disagreement by sending an email to email@example.com;
4. with regard to the loyalty relationship, your data will be kept as long as the service linked to the loyalty programme is operational; if you decide to withdraw, you must send a notice to firstname.lastname@example.org. In this case, LM will anonymise your data and process them only for its own in-house statistics;
5. The e-mail address of the person concerned will be stored until the request has been processed, after which it will be deleted within 24 hours at the latest. Please note that the content of the conversation may be anonymised and stored by the data controller in order to improve the service provided.
6. for the exercise of the right of guarantee on products purchased and/or services provided: for the period provided for by law or contract, depending on the product or service provided.
10-Can your data be transferred outside the European Economic Area?
Some of your personal data may be transferred to entities that operate as IT service providers, located outside the European Economic Area (EEA). It is therefore possible that your information may be transferred to a country outside the EEA. We would like to remind you that the aforementioned service providers have been expressly appointed as external data processors and that all the safeguards provided by law are put in place to ensure compliance with the regulations set out in EU Regulation 679/2016 (e.g. adequacy decision by the European Commission or Standard Contract Clauses).
11-What rights do you have under the Regulation?
As a data subject, the GDPR grants you the following rights:
– To obtain confirmation whether or not data processing is taking place concerning you and, in this case, to obtain access to your personal data (Right of Access Article 15);
– To obtain rectification of inaccurate data without undue delay (Right to rectification Art. 16);
– obtain erasure of personal data without unjustified delay, in compliance with the limits and conditions laid down by the regulation (Right to be forgotten Art. 17);
– obtain limitation of the processing under the conditions laid down (Right to limitation of processing Art. 18);
– request a copy of the protection measures put in place with regard to the transfer of data to third countries, if applicable;
– receive, in a structured, commonly used and machine-readable format, the personal data concerning you and transmit such data to another Data Controller, without hindrance from the Data Controller to whom you have provided them, under the conditions provided for (Right to data portability Art. 20);
– object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you (Right to object art. 21);
– receive without undue delay notice of any unlawful processing of personal data suffered by the Data Controller (Art. 34);
– revoke the consent given at any time (Conditions for consent Art. 7 and Art. 13);
– object to automated decision-making concerning natural persons, including profiling.
The data subject also has the right to lodge a complaint with the Authority for the Protection of Personal Data, following the procedures and indications published on the official website of the Authority at www.garanteprivacy.it; the exercise of rights is not subject to any formal restriction and is free of cost.
The data subject may at any time exercise his/her rights and request the list of processors by e-mail to the address: email@example.com.
12-How do we handle changes to this Policy?
If there are substantial changes to this Policy, we will inform you of these changes in a timely manner.