Privacy Policy

Information under art. 13 of Regulation (EU) no. 679/2016 (“GDPR”)

COMAL SpA – HEADQUARTERS: Industrial Zone “2 Pini” S.S. Aurelia km133 – 01014 Montalto di Castro – Viterbo – Lazio – Italy – REA number: VT-121332 – VAT NUMBER: 01685280560 (hereinafter referred to as OWNER) protects the confidentiality of personal data and guarantees them the necessary protection from any event that could put them at risk of infringement.

As required by the European Union Regulation no. 679/2016 (“GDPR”), and in particular by art. 13, below we provide the user (hereinafter referred to as INTERESTED PARTY) with the information required by law relating to the processing of their personal data.

 

SECTION I

Who we are and what data we process (Article 13, 1st paragraph, letter a, Article 15, letter b GDPR)

COMAL SpA, in the person of its legal representative p.t., acts as DATA CONTROLLER, can be contacted at privacy@comalgroup.com, and collects and/or receives information concerning the INTERESTED PARTY, such as:

Data category | Example of the types of data
Personal data | Name, Surname, Physical Address, Nationality, Province and Municipality of Residence, Landline and/or Mobile Telephone, Fax, Fiscal Code, E-mail Address(es)

OWNER does not require the INTERESTED PARTY to provide so-called “particular” data, that is, according to the provisions of the GDPR (Article 9), personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data intended to uniquely identify a person, and data relating to the health, sexual life, or sexual orientation of the person. However, in the event that the service requested from OWNER requires the processing of such data, the INTERESTED PARTY will receive specific information in advance and will be required to give appropriate consent.

The DATA CONTROLLER has appointed a Data Protection Officer (DPO) who can be contacted for any information and request:

e-mail: info@comalgroup.com

 

SECTION II

For what purposes do we need the data of the INTERESTED PARTY (Article 13, 1st paragraph of the GDPR)

The DATA CONTROLLER uses the data to follow up the request for registration and the supply contract of the chosen Service and/or the Product purchased, manage and execute the contact requests forwarded by the INTERESTED PARTY, provide assistance, and fulfill the legal and regulatory obligations to which the CONTROLLER is subject according to the activity carried out. In no case does OWNER resell the INTERESTED PARTY’s personal data to third parties or use them for undeclared purposes.

In particular, the data of the INTERESTED PARTY will be processed for:

1 a) job applications and requests for contact and/or information material

The processing of the data subject’s personal data takes place to carry out the activities preliminary and consequent to the management of requests for information and contact and/or the sending of information material, and to fulfill any other obligation arising from them.

The legal basis of these treatments is the fulfillment of the services related to the request for information and contact and/or the sending of information material and compliance with legal obligations.

1 c) promotional activities on Services / Products similar to those purchased by the INTERESTED PARTY (Recital 47 GDPR)

The DATA CONTROLLER, even without explicit consent, may use the contact details communicated by the INTERESTED PARTY for the direct sale of its Services / Products, limited to the case in which they are Services / Products similar to those covered by the sale, unless the DATA SUBJECT explicitly objects.

1 d) commercial promotion activities on Services / Products other than those purchased by the INTERESTED PARTY

The data subject’s personal data may also be processed for commercial promotion purposes, surveys, and market research concerning Services / Products that the DATA CONTROLLER offers only if the DATA SUBJECT has authorized the processing and does not object to this.

This treatment can take place, in an automated way, in the following ways:

1. E-mail;

2. SMS;

3. Telephone contact;

and can be done:

If the INTERESTED PARTY has not revoked his consent for the use of the data.

1 e) IT security

stored or transmitted.

The DATA CONTROLLER will promptly inform the INTERESTED parties if there is a particular risk of violation of their data, without prejudice to the obligations deriving from the provisions of art. 33 of the GDPR relating to notifications of infringement of personal data.

The legal basis of these treatments is compliance with legal obligations and the legitimate interest of the OWNER to carry out treatments related to the protection of the company assets and security of the OWNER’s offices and systems.

Communication to third parties and categories of recipients (Article 13, 1st paragraph of the GDPR)

The communication of the data subject’s personal data takes place mainly towards third parties and/or recipients whose activity is necessary for the performance of the activities related to the relationship established and to respond to certain legal obligations, such as:

Categories of recipients | Purpose
COMAL SpA | Administrative, accounting, and contractual obligations.
Subjects formally delegated or with recognized legal title | Legal representatives, curators, guardians, etc.

The DATA CONTROLLER does not transfer the INTERESTED PARTY’s personal data to countries where the GDPR is not applied (non-EU countries) unless otherwise specified, in which case the INTERESTED PARTY will be informed in advance and consent will be requested if necessary.

The legal basis of these treatments is the fulfillment of the services inherent to the established relationship, compliance with legal obligations, and the legitimate interest of COMAL SpA to carry out treatments necessary for these purposes.

 

SECTION III

What happens if the INTERESTED PARTY does not provide the data identified as necessary for the performance of the requested service? (Article 13, paragraph 2, letter e GDPR)

The collection and processing of personal data are necessary to follow up on the requested services and the provision of the service and/or the supply of the requested Product. If the INTERESTED PARTY does not provide the personal data expressly indicated as necessary in the order form or the registration form, the CONTROLLER will not be able to carry out the processing related to the management of the requested services and/or the contract and the Services / Products connected to it, nor to fulfill the obligations that depend on them.

What happens if the INTERESTED PARTY does not provide consent to the processing of personal data for commercial promotion activities on Services / Products other than those purchased?

In the event that the INTERESTED PARTY does not give his consent to the processing of personal data for these purposes, said processing will not take place for the same purposes, without this having effects on the provision of the requested services, nor on those for which he has already given his consent, if required.

In the event that the INTERESTED PARTY has given consent and should subsequently revoke it or oppose the processing for commercial promotion activities, his data will no longer be processed for such activities, without this entailing consequences or prejudicial effects for the INTERESTED PARTY and the required performance.

How we process the data of the INTERESTED PARTY (Article 32 GDPR)

The HOLDER arranges for the use of adequate security measures to preserve the confidentiality, integrity, and availability of the INTERESTED PARTY’s personal data and imposes similar security measures on third-party suppliers and Managers.

 

Where we process the data of the INTERESTED PARTY

The INTERESTED PARTY’s personal data are stored in paper, computer, and telematic archives located in countries where the GDPR is applied (EU countries).

How long are the data of the INTERESTED PARTY kept? (Article 13, paragraph 2, letter a GDPR)

Unless they explicitly express their will to remove them, the INTERESTED PARTY’s data will be kept as long as necessary for the legitimate purposes for which they were collected.

In particular, they will be kept for the entire duration of the communication and in any case no later than a maximum period of 12 months of its inactivity, or if, within this period, they are not associated with the Services and/or purchasing the Products through the registry itself.

It should also be added that, if the DATA SUBJECT forwards unsolicited or unnecessary personal data to the CONTROLLER for the performance of the requested service or the provision of a service strictly connected to it, the CONTROLLER cannot be held responsible for these data, and will delete them as soon as possible.

Regardless of the determination of the INTERESTED PARTY to remove them, the personal data will, in any case, be stored according to the terms established by current legislation and/or national regulations for the exclusive purpose of ensuring the specific requirements of some Services.

The cases in which the rights from the relations between the parties are to be asserted in court are reserved, in which case the INTERESTED PARTY’s personal data, exclusively those necessary for these purposes, will be processed for the time needed for their pursuit.