KANBANBOX S.R.L., with registered office in 36100 Vicenza, Via Zamenhof 817, Tax Code and VAT number 04520390289, tel. +39 04441620653 – e-mail firstname.lastname@example.org.
Categories of personal data processed
Personal data of natural persons related to the customer and/or supplier, including name and surname, position held, contact information (phone, e-mail, address), and potentially other data necessary or useful for the management of the Relationship. Each person with whom the Controller interacts represents that he/she is authorized, or otherwise has the power, to lawfully transmit to the Controller the personal data - his/her own and that of other natural persons connected to the customer and/or supplier – as necessary for the establishment, management and performance of the Relationship.
Special categories of personal data
For the negotiation, establishment and management of the Relationship, the Controller does not process special categories of data (i.e. data concerning religious beliefs, trade union membership, sexual preferences and the others listed in art. 9 of the Regulation - or data concerning criminal convictions and offenses referred to in art. 10 of the Regulation). Should it be necessary to process this type of personal data, we will request the prior consent of the data subject.
Purpose of the processing and its lawfulness
|Purpose of the processing|Lawfulness of the processing|
|---|---|
|The purpose of the processing is the establishment and management of the Relationship, including all related legal, fiscal and contractual obligations in general.|In the case of freelance customers/suppliers: lawful processing as necessary for the execution of a contract of which the data subject is a party or for the execution of pre-contractual measures adopted at the request of the same - art. 6.1.(b) of the Regulation. In case of corporate customers/suppliers: processing admitted, as necessary for the pursuit of a lawful interest of the controller - art. 6.1.(f) of the Regulation. The lawful interest of the Controller is represented by the need to manage the relationship with its corporate customers and suppliers, thus interacting with the natural persons connected to that customer and/or supplier.|
|Fulfillment of legal obligations (i.e. processing and filing of accounting documents (e.g. invoices) relating to the Relationship and communications and other fulfillments to which the Controller is subject under national and international regulations relating, for example, to tax, administrative-accounting and anti-money laundering matters).|Lawful processing admitted as necessary to fulfill a legal obligation to which the Controller is subject - art. 6.1 (c) of the Regulation.|
|Direct marketing activities through the sending of communications or material (e.g., by e-mail, newsletter) relating to products/services similar to those already provided by the Controller to the customer, or in any case news of interest regarding the activities carried out by the Controller (e.g., notice on temporary closures for holidays).|Processing admitted, as necessary for the pursuit of a lawful interest of the controller - art. 6.1.(f) of the Regulation. The lawful interest of the Controller is represented by the promotion of its activity through direct marketing as well as in the correct and complete performance of its activities towards its customers – see Recital no. 47 of the Regulation.|
The provision of personal data is mandatory for the achievement of the purpose of establishing and managing the Relationship.
Consequences of non-disclosure
Any refusal to provide all or part of the personal data requested by the Controller may make it impossible for the Controller to implement the Relationship or to correctly carry out all the obligations connected to it. Non-disclosure of the data and/or the request not to use them for direct marketing purposes does not hinder the performance of the Relationship.
Categories of recipients
- employees of the Controller and/or its affiliated companies;
- lawyers, accountants and other consultants of the Controller;
- companies providing additional services, such as software houses, web agencies and similar;
- companies supplying other products or services related to the performance of the activity covered by the Relationship.
In addition, personal data are communicated to subjects, entities, authorities to whom it is mandatory to communicate the data of the data subjects in accordance with legal provisions and orders of the Authorities. At the request of the data subject, the Controller will make available the detailed list of third parties to whom the personal data have been transmitted and/or made accessible.
Transfers of personal data
In some cases, personal data may be processed by the Controller through third party services that involve their possible transfer outside the European Economic Area (EEA) (e.g. Microsoft 365). In these cases, the Controller undertakes to select reputable providers and to verify their commitment to comply with the provisions of the Regulation in relation to transfers of personal data outside the EEA.
Personal data are stored in the archives of the Controller and are processed using paper and computerized methods, without prejudice to the adoption of appropriate security measures in order to avoid unlawful processing.
Personal data is retained for the entire duration of the contractual Relationship, and also subsequently, for a term of 10 years from the termination – whatever the cause - of the Relationship. The retention period shall be determined taking into account the period of limitation of any disputes arising from the Relationship.
Rights recognized to the data subject
At any moment, the data subject may exercise towards the Controller the rights provided for in art. 15 to 22 of the Regulation, i.e. the right to ask for:
- access to personal data, or to be informed by the Controller of his/her personal data kept by the Controller, the purposes for which these data are processed, their origin and other information required by art. 15 of the Regulation;
- the rectification of personal data in case of inaccuracy of the same;
- the cancellation of personal data (so-called ‘right to be forgotten’);
- the limitation of the processing of personal data, or the right to obtain the suspension of the processing of personal data for the period necessary to verify the request for revision of personal data, or in other cases provided for by art. 18 of the Regulation;
- the right to the portability of data, i.e. the right to receive personal data in a structured, commonly used and machine-readable format, including by requesting the direct transfer to another owner (with respect to data whose processing is carried out by automated means);
- the right to object to the processing of data pursuant to art. 6, paragraph 1, letters e) or f) of the Regulation (the right to object).
Requests must be sent in writing to the Controller at the addresses above. The Controller will give an adequate reply as soon as possible and in any case within one month of receiving the request.
Each data subject has the right to lodge a complaint pursuant to Articles 77 et seq. of the Regulation to a supervisory authority, which for the Italian State is identified in the Italian Data Protection Authority (Garante per la protezione dei dati personali). The methods of complaint are indicated at this link: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4535524.