PRIVACY INFORMATION NOTICE REGARDING THE PROCESSING OF PERSONAL DATA

    FOR THE PROGRAM “Gewiss Sustainability Oscar” PURSUANT TO REGULATION (EU) 2016/679 (“GDPR”)

    With reference to the processing of personal data provided by you in connection with the program “Gewiss Sustainability Oscar” (the “Program”), the company Gewiss S.p.A. wishes to provide you, as the data subject, (the “Data Subject”), with the following information pursuant to Article 13 of Regulation (EU) 2016/679 (“GDPR”).

    1. DATA CONTROLLER

    The Data Controller is Gewiss S.p.A. (the “Data Controller”), tax code and VAT number IT 00385040167, with registered offices in Via A. Volta, 1 – 24069 Cenate Sotto BG – Italy, email address privacy@gewiss.com.

    The Data Controller, as part of its organisational structure, appoints the Authorised Persons for the processing of personal data, assigning them specific tasks and roles by means of a specific deed of appointment.

    1. DATA PROTECTION OFFICER

    The Data Controller has appointed a Data Protection Officer (DPO) pursuant to Articles 37 – 39 GDPR. If necessary, the DPO may be contacted at the following email address: dpo@pec.gewiss.com.

    1. CATEGORIES OF PERSONAL DATA PROCESSED

    The personal data (“Data”) being processed belong to the category “Common Data”, as specified in detail below:

      • Forename and surname, general information and contact details of the Data Subject;

      • Video images and audio recording;

      • Video images and audio recording of third parties.

    1. PURPOSE OF PROCESSING AND LEGAL BASIS

    The Data processing is carried out on the basis of the following purposes:

    1. Allow registration and participation to the Program above mentioned and the provision of relative services.

    2. Use of the collected Data exclusively for instrumental purposes related to the realization of the Program.

    The processing of Data by the Data Controller for the aforementioned purposes is based on the following legal bases:

    • For the purposes relating to letter. a) above, the processing is based on the execution of a contract to which the Data Subject is a party, pursuant to art. 6, par. 1, lett. b) GDPR;

    • For the purposes relating to letter b) above, the processing is based on the legitimate interest of the Data Controller, pursuant to art. 6, par. 1, lett. f) GDPR (institutional communications).

    1. METHODS OF PROCESSING DATA

    The Data will be processed by the Data Controller both in paper and digital form. The Data Controller may carry out operations of collection, registration, organisation, storage, consultation, processing, modification, extraction, comparison, use, interconnection, communication, erasure and destruction and any other appropriate operation in compliance with the provisions of the law necessary to guarantee the confidentiality and security of the Data as well as their accuracy, up-to-dateness and relevance to the stated purposes.

    1. DATA STORAGE PERIOD

    The processed Data will be stored according to the specific purposes for which they are processed, in particular:

    • With regard to the purposes relating to art. 4 point a), the data collected will be stored for the duration of the mentioned Program;

    • With regard to the purposes relating to art. 4 point b), the collected data will be stored in the Data Controller’s computer archives exclusively to have a historical memory of the events and activities carried out and will be used for these purposes as well as for institutional use. The maximum storage period is 10 years.

    In case of litigation, the Personal data will be conserved for the entire duration of the litigation process, until the time limits for available legal remedies are exhausted.

    After the retention period has expired, the Data will be destroyed, erased or rendered anonymous.

    1. CATEGORIES OF RECIPIENTS OF THE DATA

    The collected Data will be transmitted to third parties such as companies organizing the Program and the offer of services to registered participants, operating as autonomous Data Controllers.

    The Data collected by the Data Controller, as part of the above purpose, may be communicated in addition to the companies belonging to the Gewiss Group, also to external parties operating as autonomous Data Controllers such as, by way of example, authorities and supervisory bodies and in general public or private entities entitled to request data.

    The Data Subject declares to have been expressly authorized to transmit to Gewiss and, therefore, to third parties involved in the organization of the Program, the personal data of third parties involved in the audio-video shooting (for the purpose of participation in the Program and related services).

    1. TRANSFER OF DATA OUTSIDE THE EEA

    The Data will be processed within the European Economic Area (EEA). If, for technical and/or operational reasons, it is necessary to use parties located outside the EEA, the processing of the data will be regulated in accordance with the GDPR, therefore, all necessary precautions will be taken in order to ensure the protection of the Data, pursuant to Article 46 of the GDPR.

    1. RIGHTS OF DATA SUBJECTS

    The Data Subject, in relation to the Personal Data provided, has the right to exercise at any time and in accordance with the provisions of the GDPR the rights established by the latter and shown below:

      • Right to withdraw consent (art. 7, paragraph 3, GDPR): the right to revoke consent without prejudice to the lawfulness of processing based on consent granted before revocation.

      • Data subject’s right of access (art. 15 GDPR): the right to obtain confirmation of the existence or otherwise of one’s personal data, and a copy thereof in intelligible form.

      • Right to correction (art. 16 GDPR): the right to correct inaccurate personal data.

      • Right to erasure, the “right to be forgotten” (art. 17 GDPR): the right to the erasure of one’s personal data.

      • Right to the limitation of processing (art. 18 GDPR): the right to obtain the limitation of the processing of one’s own data, e.g., if the accuracy of the data is disputed or in the case of unlawful processing.

      • Right to data portability (art. 20 GDPR): the right to receive in a structured, commonly used and machine- readable format one’s own personal data provided to the Controller and the right to transmit said data to another Controller if the processing is carried out on the basis of consent or a contract and by automated means.

      • Right to object (art. 21 GDPR): the right to object to the processing of one’s personal data.

      • Right not to be subject to automated decision-making (art. 22 GDPR): the right not to be subject to a decision based solely on automated processing.

    You may assert your rights as set out in the GDPR by contacting the Controller directly at the following email address privacy@gewiss.com.

    1. RIGHT TO LODGE A COMPLAINT (ART. 77 OF THE EU REGULATION)

    If the data subject considers that their rights have been compromised or infringed, or that the processing of their Data is contrary to applicable law, they have the right to lodge a complaint with the competent Data Protection Authority.

    1. NATURE OF THE PROVISION OF PERSONAL DATA

    The provision of Data is mandatory; failure to provide Personal Data will make the registration and participation in the Program and related services impossible.