INFORMATION ON THE PROCESSING OF PERSONAL DATA

(Art. 13 EU Regulation 679/2016 – GDPR)

FMTS Group, a corporate group consisting of companies subject to the management and coordination of the parent company Formamentis S.p.A. Società Benefit in accordance with and for the purposes of Article 2359 of the Italian Civil Code (hereinafter the “FMTS Group”), has for years considered the protection of the personal data of its current and/or potential customers and users to be of fundamental importance, and intends to ensure that the processing of personal data – carried out by any means, whether automated or manual – takes place in full compliance with the protections and rights recognised by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter the “Regulation”) and by the further applicable rules on the protection of personal data.

In particular, FMTS Group, in the pursuit of all its purposes, may become aware of or request Personal Data from you, such as your name and surname, e-mail address, telephone and postal addresses, tax code or VAT number, date of birth and other data that could make you identifiable.

This information notice has therefore been drawn up on the basis of the principle of transparency in order to contain all the elements required by Articles 13 and 14 of the Regulation and is divided into individual sections, each of which deals with a specific topic, in order to make reading quicker, easier and more intuitive.

1. DATA CONTROLLERS

The companies in the FMTS Group that will process your Personal Data independently or jointly, for one or more of the purposes as set out in this notice, which is provided at the time of collection of Personal Data, are the following:

  • Formamentis S.p.A. Società Benefit, with registered office in Rome (RM), at via Barberini 67, 00187, with VAT number 04009110653;
  • FMTS Experience S.r.l., with registered office in Pontecagnano Faiano (SA) at Via L. da Vinci 15, 84098, with VAT number 04044560656;
  • FMTS Formazione S.r.l., with registered office in Pontecagnano Faiano (SA) at Via L. da Vinci 15, 84098, with VAT number 04927890659;
  • FMTS Lavoro S.r.l., with registered office in Pontecagnano Faiano (SA) at Via L. da Vinci 15, 84098, with VAT number 05731800651;
  • Euformed S.r.l., with registered office in Tito (PZ) at Contrada Serra SNC – fraction of Tito Scalo, 85050, with VAT number 01904740766;
  • Copi S.r.l., with registered office in Pontecagnano Faiano (SA) at Via L. da Vinci 15, 84098, with VAT number 01306850593;
  • Literalia Formazione S.r.l., with registered office in Formia (LT) at Via O. Spaventola Snc, 04025, with VAT number 02568220590;
  • Consulman S.r.l., with registered office in Torino (TO) at corso Orbassano 336 – Torre C, with VAT number 06068820015;
  • Consulservice S.r.l., with registered office in Torino (TO) at corso Orbassano 336, with VAT number 08077920018;

The aforementioned companies may act independently as data controllers according to the definition contained in Article 4(7) of the Regulation, or act as external data processors by virtue of specific agreements pursuant to Article 28 of the Regulation.

The Data Controller can be contacted via the following channels:

  • by writing to the FMTS Group Privacy Office at the parent company Formamentis S.p.A. Benefit Society, at Via L. Da Vinci 15, Pontecagnano Faiano (SA) – 84098;
  • by sending an e-mail to the e-mail address privacy@fmtsgroup.it to the kind attention of the FMTS Group Privacy Office;
  • by calling the number 0828/370305 and asking for the FMTS Group Privacy Office.

2. PURPOSE OF PROCESSING AND RELATED LEGAL BASIS

The data processed are those provided by the data subject when signing pre-contractual and contractual documen-tation, visits or telephone calls, direct contacts for participation in events, meetings, conventions, etc., meetings, or those entered in forms or requests for information sent by e-mail.

Each Data Controller may process your Personal Data for the Processing purposes set out below:

A) information request:

the Data Controller, in order to respond to your request for information received by the same through the modality present on its website, needs to process some of your Personal Data, as requested in the collection form and/or as spontaneously provided by you.

Processed data: name, surname, e-mail address, telephone number.

Legal basis and lawfulness of processing: pre-contractual legal basis pursuant to Article 6(b) of the Regulation – the Processing of your Personal Data will be conducted by the Data Controller in order to respond to your request for information and will be legally based on the pre-contractual relationship between you and the Data Controller.

B) access to company premises:

the Data Controller, in order to allow you access to the FMTS Group’s business premises, needs to collect some of your Personal Data, as requested by the visitor identification officers and/or the ‘Welcome App’ software.

Processed data: name, surname, e-mail address.

Legal basis and lawfulness of processing: legitimate interest within the meaning of Article 6(c) and (f) of the Regu-lation – the Processing of your Personal Data will be conducted by the Data Controller and will be legally based on its legitimate interest in safeguarding and protecting its premises, its corporate assets and its employees and col-laborators.

C) purchase of products and/or services:

the Data Controller, in order to allow you to purchase its products and/or services, needs to collect some of your Personal Data, as requested in the subscription or purchase form.

Processed data: name, surname, address, telephone number, e-mail, bank details (credit card/PayPal).

Legal basis and lawfulness of processing: contractual legal basis ex Article 6 letter b) of the Regulation – the Pro-cessing of your Personal Data will be conducted by the Data Controller to enable you to receive what you have requested and purchased and will therefore be legally based on the contractual relationship that will be created between you and the Data Controller;

D) website browsing:

the Data Controller, in order to enable you to use its website, needs to collect some of your Personal Data.

Processed data: browsing data (IP addresses, type of browser used, operating system, domain name and addresses of websites accessed or exited from, information on pages visited within the site, access time, time spent on indi-vidual pages, session and analytical cookies, internal per-path analysis and other parameters relating to the user’s operating system and computer environment;

Legal basis and lawfulness of processing: legitimate interest within the meaning of Article 6(f) of the Regulation – the Processing of your Personal Data will be based on the legitimate interest of the Data Controller; in relation to mar-keting and profiling cookies, the legal basis is the consent of the person concerned pursuant to Article 6(a) of the Regulation – The Processing of your Personal Data will be conducted by the Data Controller and will be legally based on your free, express and unambiguous consent;

E) participation in events:

the Data Controller, in order to allow you to participate in the events organised by itself, needs to collect some of your Personal Data, as requested in the event registration form/form.

Processed data: name, surname, address, telephone number, e-mail address.

Legal basis and lawfulness of processing: contractual legal basis under Article 6 letter b) of the Regulation – the Processing of your Personal Data will be conducted by the Data Controller in order to register you for the event and ensure your participation and, therefore, will be legally based on the contractual relationship that will be created;

F) participation in prize competitions, prize events or contests:

the Data Controller, in order to allow you to participate in a prize competition, prize event or contest organised by the same, needs to collect some of your Personal Data, as requested in the participation form/form.

Processed data: name, surname, email address, telephone number.

Legal basis and lawfulness of processing: contractual legal basis pursuant to Article 6 letter b) of the Rules – the Processing of your Personal Data shall be conducted by the Data Controller to enable your participation in the competition, prize event or contest and shall therefore be legally based on the contractual relationship that will be created between you and the Data Controller following your acceptance of the rules of the initiative;

G) execution of contractual documentation:

the Data Controller, in order to carry out the contractual relationship between you and the Data Controller, as well as the related fulfilments, needs to collect and process some of your Personal Data as requested within the single contractual document.

Processed data: personal data, telephone number, bank details, e-mail address.

Legal basis and lawfulness of processing: contractual legal basis pursuant to Article 6(b) of the Regulation – The Processing of your Personal Data will be conducted by the Data Controller in order to follow up the signing of the individual contractual document and will be legally based on the contractual relationship that will be created between you and the Data Controller;

H) administrative and accounting fulfilments:

the Data Controller may process your Data for the management of the accounts, as well as for invoicing in ac-cordance with the requirements of the legislation in force, or for the fulfilment of other obligations laid down by laws, regulations and EU legislation;

Processed data: personal and fiscal data.

Legal basis and lawfulness of processing: the legal basis legitimising the processing of Data for this purpose is Article 6(c) of the Regulation and, therefore, a legal obligation to which the Data Controller is subject.

I) exercise and/or defence of a right in court:

the Data Controller may process your Data in order to assert and/or defend its rights in court.

Processed data: contractual data.

Legal basis and lawfulness of processing: the legal basis legitimising the processing of Data for this purpose is Article 6(f) of the Regulation, i.e. a legitimate interest of the data controller.

J) direct marketing activities:

the Data Controller needs to collect some of your Personal Data in order to carry out its own promotional and/or marketing activities towards you. This category includes all activities carried out to promote products and services sold and/or provided by the Data Controller.

Processed data: name, surname, e-mail address, telephone number.

Legal basis and lawfulness of processing: consent of the data subject under Art. 6(a) of the Regulation – The Pro-cessing of your Personal Data will be conducted by the Data Controller and will be legally based on your free, express and unambiguous consent;

K) profiling activities:

the Data Controller, in order to carry out profiling activities, i.e. the assessment of your tastes, preferences and consumption habits, also in connection with market surveys and statistical analyses, needs to process some of your Personal Data. This category includes any form of automated processing of Personal Data in order to evaluate certain personal aspects, such as, but not limited to, your professional performance, economic situation, personal preferences, interests, trustworthiness, behaviour, location or movements.

Processed data: name, surname, e-mail address, telephone number, interests and preferences.

Legal basis and lawfulness of processing: consent of the data subject pursuant to Article 6(a) of the Regulation – The Processing of your Personal Data will be conducted by the Data Controller and will be legally based on your free, express and unambiguous consent;

L) communication to third parties for marketing purposes:

the Data Controller is entitled to disclose your Personal Data to third parties specifically identified and indicated in the information provided, where necessary and required, so that such parties can process them for their own com-mercial and marketing purposes;

Processed data: name, surname, e-mail address, telephone number.

Legal basis and lawfulness of processing: consent of the data subject pursuant to Article 6(a) of the Regulation – The Processing of your Personal Data will be conducted by the Data Controller and will be legally based on your free, express and unambiguous consent.

Contact methods for direct, indirect and profiling marketing activities may be either automated (e-mail) or traditional (telephone calls with operator). In any case, and as further specified below, you may object to the processing and/or revoke your consent, even partially, e.g. by consenting only to traditional contact methods.

With regard to the contact methods involving the use of your telephone contacts, we would like to remind you that marketing activities by companies will be carried out subject to verification of your possible registration in the Register of Objections, as established pursuant to and for the purposes of Presidential Decree no. 178 of 7 September 2010, as amended.

3. TREATMENT MODALITIES

Personal data will be processed by means of computer and/or manual systems, using procedures and equipment suitable to guarantee the security, confidentiality, integrity and availability of the data and to prevent any possible falsification.

On some websites, computer techniques may be used for the direct acquisition of personally identifiable user data or profiling systems.

Personal data freely given by the visitor on the website, e.g. to register and/or access a restricted area, request infor-mation on a particular product or service via a form, write to an e-mail address.

4. REDIRECT TO EXTERNAL SITES

Internet Sites may use so-called social plug-ins. Social plug-ins are special tools that make it possible to incorporate social network functions directly into the website (e.g. the Facebook ‘like’ function).

All social plug-ins on the Websites are marked with the respective logo owned by the social networking platform.

When you visit a page on the Internet Sites and interact with the plug-in (e.g. by clicking the ‘like’ button) or decide to leave a comment, the corresponding information is transmitted by your browser directly to the social networking plat-form (in this case Facebook) and stored there.

For information on the purposes, type and manner of collection, processing, use and storage of personal data by the social network platform, as well as on how to exercise your rights, please consult the privacy policy of the individual social network.

5. SECURITY MEASURES

The FMTS Group and third parties working for us take appropriate and adequate security measures to prevent unau-thorised access, disclosure, unauthorised modification or destruction of your data, in accordance with applicable national legislation and the GDPR.

In particular, network, server and programme access control systems are used to prevent the disclosure of data to unauthorised third parties, firewall and antivirus systems are used to protect against viruses and malware that could delete, disclose or render data unusable, data encryption and pseudonymisation techniques are implemented, phys-ical and logistical measures are implemented to protect IT infrastructures, and business continuity and disaster recovery procedures are implemented, as well as data breach procedures in the event of a breach. The sites and any associated data passing through the cloud servers are managed by ARUBA S.p.A. (www.aruba.it), FlameNetworks (www.flamenetworks.com), Hosting Solutions (www.hostingsolutions.it/) and Salesforce (www.salesforce.com).

6. EXTERNAL DATA CONTROLLER

With a view to making specific processing activities more functional to its own interests and those of its customers/users, with regard to the management of the common database present on the CRM (Customer Relationship Management) platform of the FMTS Group, each company of the same has appointed the parent company Formamentis S.p.A. Società Benefit as data processor, with a specific written agreement in compliance with the provisions of Article 28 of the Regulation, which is called upon to manage the phases of registration, organisation, storage, processing, selection, and extraction of personal data of customers/prospects.

Your Personal Data may be disclosed to specific entities considered to be recipients of such Personal Data, meaning natural or legal persons, public authority, service or other body that receives Personal Data, whether or not they are third parties.

7. SUBJECTS TO WHOM YOUR DATA MAY BE DISCLOSED

In this perspective, in order to properly carry out all the Processing activities necessary to pursue the purposes set out in this Policy, the Recipients who may be in a position to process your Personal Data are the following:

– third parties carrying out part of the Processing activities and/or activities related and instrumental thereto on behalf of the Data Controller. These persons have been appointed as data controllers, meaning the natural or legal per-son, public authority, service or other body that processes Personal Data on behalf of the Data Controller;

– individuals, employees and/or collaborators of the Data Controller, who have been entrusted with specific activities involving the processing of your Personal Data. These individuals have been given specific instructions on security and the proper use of Personal Data, and they are defined as the persons authorised to process Personal Data under the direct authority of the Controller or Processor;

– third parties who carry out Processing activities and/or activities connected and instrumental thereto in their ca-pacity as autonomous data controllers, including – by way of example but not limited to – consulting firms, freelance professionals, credit institutions, insurance companies, third-party companies and/or companies belonging to the Group;

– companies with which the Controller has established collaborations by virtue of a contractual relationship.

Where required by law to prevent or suppress the commission of a criminal offence, your Personal Data may be dis-closed to public bodies or judicial authorities, without these being defined as Recipients. The Regulation provides that public authorities that receive Personal Data in the context of a specific investigation conducted in accordance with the law of the European Union or of the Member States are not regarded as Recipients.

An up-to-date list of our data processors is available at the head office in Pontecagnano Faiano (SA) at Via Leonardo Da Vinci, 15.

8. PRESERVATION

The processing and storage of your personal data will be carried out, in accordance with the provisions of the relevant legislation in force, for a period of time not exceeding that necessary to achieve the purposes for which they are processed, without prejudice to the ten-year period for the storage of civil law data only and the fulfilment of any other legal obligations.

The data you provide for marketing and profiling purposes, on the other hand, will be stored for no longer than 2 years.

Thereafter, your data will be deleted or anonymised and processed for aggregate and anonymous statistical analysis.

9. RIGHTS OF THE DATA SUBJECT

As provided for in the Regulation, you may at any time exercise the following rights vis-à-vis the Data Controller:

– Right of Access: you may obtain confirmation of the existence or non-existence of your personal data, even if not yet recorded, and request that such data be made available to you in a clear and comprehensible mannerIt is your right to ask for guidance and, if necessary, a copy:

a) the origin and category of your personal data;

b) the logic of use, if your information is processed by electronic means;

c) the purposes and methods of processing;

d) the identification details of the holder and the persons responsible;

e) the persons or categories of persons to whom your personal data may be communicated or who may become aware of them;

f) the period for which your data are retained or the criteria used to determine that period, where possible;

g) the existence of an automated decision-making process, also with reference to profiling. In this case, you may request the logic used, its significance and the expected consequences for you;

h) the existence of adequate safeguards in case of transfer of your data to a non-EU country or an international organisation;

– Right of Rectification: may obtain, without justifiable delay, the updating, amendment, rectification of your incorrect data or the supplementation of your incomplete data, should you have an interest in doing so;

– Right of Cancellation: it is your right to have your data deleted, blocked or, where possible, made anonymous:

a) if unlawfully processed;

b) if they are no longer necessary in relation to the purposes for which they were collected or subsequently processed;

c) if the consent on which the processing is based is withdrawn and there is no other legal basis;

d) if you have objected to the processing and there are no further legitimate grounds for continuing to use your data;

e) where required by law;

f) where they relate to minors.

The Data Controller may refuse to delete your data in the event of:

a) exercise of the right to freedom of expression and information;

b) fulfilment of a legal obligation, performance of a task carried out in the public interest or exercise of public authority;

c) reasons of public health interest;

d) archiving in the public interest, for scientific or historical research purposes or for statistical purposes;

e) establishment, exercise or defence of a legal claim;

– Right to Limitation: may obtain restriction of processing in the case of:

a) challenge the accuracy of the personal data, if he/she did not prefer to request their amendment, updating or rectification;

b) unlawful processing by the Controller to prevent its deletion;

c) exercise of your right in court;

d) verification of whether the legitimate motives of the Data Controller prevail over those of the data subject;

– Right to Portability: has the right to receive, if the processing is carried out by automatic means, without hindrance and in a structured, commonly used and readable form, the personal data concerning him/her that he/she has pro-vided to us with his/her consent or under contract, in order to transmit them to another Controller or – if technically feasible – to obtain the direct transmission by the Controller to another Controller;

– Right of Opposition: has the right to object at any time, in whole or in part:

a) the processing of personal data concerning you, for legitimate and overriding reasons relating to your particular situation;

b) to the processing for marketing and/or profiling purposes, where carried out, of personal data concerning you (e.g. you may object to the sending of advertising material, direct sales, market research or commercial communica-tions, through the use of automated calling systems without the intervention of a worker, by e-mail and through traditional marketing methods, by telephone and by paper mail).

For all the cases mentioned above, if necessary, the data controller will inform the third parties to whom your personal data are disclosed of the possible exercise of your rights, except in specific cases (e.g. when such fulfilment proves to be impossible or involves a manifestly disproportionate effort compared to the right protected)).

The data subject has the right to lodge a complaint with the supervisory authority of the State of residence.

10. DATA TRANSFER

As a rule, the personal data collected will not be transferred outside the European Union. Should such a need arise, the transfer will take place in full compliance by the data controller with the principles laid down in Articles 44 et seq. of the Regulation.

11. DPO

In order to facilitate the relationship between you and each Data Controller, FMTS Group has decided to adopt and no-minimize the figure of the Data Protection Officer (DPO), as provided for in Articles 37-39 of the Regulation. FMTS Group has therefore identified this figure in the person of lawyer Pietro Montella and can contact him at the email dpo@fmtsgroup.it.