INFORMATION ON THE PROCESSING OF PERSONAL DATA PURSUANT TO ARTICLES 13 AND 14 OF REGULATION (EU) 2016/679
Clessidra Factoring S.p.A., with registered office in Padova, Via San Marco, 9/M, in its capacity as Data Controller of your personal data, pursuant to and for the purposes of Regulation (EU) 2016/679, hereby informs you that the aforementioned legislation provides for the protection of Data Subjects with respect to the processing of personal data and that such processing will be based on the rights of correctness, lawfulness, transparency and protection of your confidentiality and your rights.
Your personal data will be processed in accordance with the provisions of the above-mentioned legislation and the confidentiality obligations provided therein.
1. Identity and contact details of the data controller
The data controller is Clessidra Factoring S.p.A., with registered office in Via San Marco, 9/M – Padova. Clessidra Factoring S.p.A., as Data Controller, has appointed a Delegate who can be contacted for any information relating to the processing of your personal data at the following addresses: Via San Marco, 9/M – 35129 – Padova, email: firstname.lastname@example.org; tel. +39 049.6365800, fax +39 049.6365806.
2. Category of personal data
Clessidra Factoring S.p.A processes your personal data falling into the category “Categories of personal data” within the limits strictly necessary for the management of the factoring relationship to be concluded or already in existence by the clients that you represent at any level and grade. The personal data processed are: First and Last Name, Identification Code, Location Data, Economic Data, and in some cases data relating to political opinions, if the person concerned is identified as a politically exposed person pursuant to Legislative Decree 231/07.
3. Purposes of the processing for which the personal data are intended and the legal basis of the processing
Clessidra Factoring S.p.A, as Data Controller, informs you that the personal data in its possession, collected directly from the data subject or from third parties, including with reference to assigned debtors, are processed for the following purposes:
- In the implementation of the factoring relationship, to fulfil the requirements dictated by laws, regulations and EU legislation (e.g. anti-money laundering, tax and fiscal assessments), as well as to comply with provisions issued by Authorities legitimated to do so by law and by Supervisory and Controlling Bodies (e.g. the Central Office of Risks, Supervisory Reports). The provision of personal data necessary for such purposes (par. 3, sub. 1) is compulsory and its processing does not require the mandatory consent of the persons concerned.
- To provide the services requested within the framework of the factoring relationship in which the data subject may be a direct contracting party (sole proprietorships) or may represent the beneficial owner or executor for the purposes of Legislative Decree 231/07.
a) Pre-contractual negotiations, including the acquisition of all information useful and/or necessary for the stipulation of the contract, also in relation to credit risk mitigation requirements.
b) Execution of contractual obligations arising from the contract itself and management of customer relations such as, for example, accounting management, administration, management of payment or collection systems and credit protection, checks and assessments on the progress of customer relations and related risks, for the insurance of assigned receivables.
The provision of personal data necessary for these purposes (par. 3, sub. 2) is not compulsory, but failure to provide such data, or the provision of partial or incorrect data, could make it impossible for Clessidra Factoring S.p.A. to provide the service in question, in relation to the relationship between the data and the service requested. Their processing does not require the consent of the person concerned.
In the event that Clessidra Factoring S.p.A., as Data Controller, intends to process personal data for a purpose other than that for which they were collected, prior to such further processing it will provide the data subject with information regarding this different purpose.
4. Recipients or categories of recipients of personal data
In order to pursue the purposes set forth in paragraph 3, Clessidra Factoring S.p.A. needs to communicate the personal data of the data subject in its possession to:
- Directors and Controlling Bodies of Clessidra Factoring S.p.A;
- Employees of Clessidra Factoring S.p.A;
- Agents in financial activity with whom Clessidra Factoring S.p.A. has a mandate relationship;
- Supervisory and Controlling Bodies in fulfilment of an obligation imposed by law, regulation or EU legislation;
- Public Authorities;
- Financial intermediaries and/or banks with which Clessidra Factoring S.p.A. has dealings;
- Service providers for purposes strictly connected and structural to the management of relations, consultants, auditors and other legal, tax and administrative advisors of Clessidra Factoring S.p.A. for purposes connected to the performance of services essential to the performance of activities deriving from the contractual relationship with customers;
- Persons employed by external companies appointed by Clessidra Factoring S.p.A. as External Data Processors.
5. Transfer of data abroad
Clessidra Factoring S.p.A. does not intend to transfer personal data to a third country or international organisation. It should be noted that pursuant to Article 44 of the Regulation, the transfer takes place only if the Data Controller and the Data Processor comply with the provisions of Chapter V of EU Regulation 2016/679.
6. Period of retention of personal data
Pursuant to Art. 5, paragraph 1, letter e) of the EU Regulation, personal data shall be kept in a form which permits identification of the Data Subject by means of computer files for a period of time not exceeding the achievement of the purposes for which they are processed and specifically:
• Name and Surname of the interested party – Tax code of the interested party – Location data (Storage limit: 10 years from termination of the relationship pursuant to art. 31 Legislative Decree 231/07);
• Economic data of the interested party taken from the Modello Unico Persone Fisiche (Retention limit: 2 years from the end of the relationship; 1 year from the end of the preliminary investigation if negative);
• Political opinions if the data subject qualifies as a Politically Exposed Person pursuant to Legislative Decree 231/07 (Storage limit: 10 years in fulfilment of obligations relating to Anti-Money Laundering – Legislative Decree 231/2007 and subsequent amendments).
7. Rights of the interested party
The Data Subject may exercise the rights set out in Articles 15-21 of the EU Regulation, namely: the right to access, rectify and erase (“right to be forgotten”) the data, except in the case of a retention obligation imposed by specific applicable regulations, the right to restrict processing, the right to data portability, the right to object to processing, as set out at the end of this notice.
Requests to exercise these rights must be sent to Clessidra Factoring S.p.A., with registered office in Via San Marco, 9/M – Padova, tel. +39 049.6365800, fax +39 049.6365806, e-mail: email@example.com
Pursuant to Art. 13 paragraph 2 letter F, we inform you that Clessidra Factoring S.p.A. does not use an automated decision-making process relating to natural persons, including profiling as per Art. 22 of the Regulation.
9. Right to lodge a complaint with the supervisory authority
Pursuant to art. 77 paragraph 1 of the Regulation, without prejudice to any other administrative or judicial recourse, the Data Subject, who considers that the processing concerning him/her is in breach of this Regulation, has the right to lodge a complaint with a supervisory authority, namely in the Member State in which he/she resides habitually, works or in which the alleged breach occurred.
Clessidra Factoring S.p.A. as Data Controller, if the personal data have not been obtained from the Data Subject, is obliged to provide the Data Subject, pursuant to Article 14 of EU Regulation 2016/679, at the time when the personal data are obtained, with the additional information set out in paragraph 10, with respect to those indicated above:
10. Source of Personal Data – Art. 14 paragraph 2 letter f)
• Legal representative of the Client or signatory of the Identification and Adequate Verification Form pursuant to Articles 17 et seq. of Legislative Decree no. 231 of 21.11.2007 and subsequent amendments and additions;
• Computerised Risk Profile Management (GPR) systems used in the Anti-Money Laundering area;
• Agents in financial activity (ex art.128 quater D.Lgs 1 September 1993, n.385);
• Sources accessible to the public (Chamber of Commerce, land registry searches, information service company reports).
Please note that pursuant to Art. 14, paragraph 3, in the event of data collection from a third party, the Data Controller shall provide the data subject with the information:
a) within a reasonable period of time after obtaining the personal data, and in any case within one month;
b) where the personal data are intended for communication with the Data Subject, at the latest at the time of the first communication to the Data Subject;
c) where the personal data are intended for communication to another recipient, no later than the first communication of the personal data.
Rights of the data subject – EU Regulation 2016/679
Data subject’s right of access – Art. 15
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data relating to him or her are being processed and, if so, to obtain access to the personal data and to the following information:
(a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular if they are recipients in third countries or international organisations; (d) where possible, the period for which the personal data are to be stored or, if this is not possible, the criteria used to determine that period; (e) the existence of the right of the data subject to request from the controller the rectification or erasure of personal data or the restriction of the processing of personal data concerning him or her or to object to their processing; (f ) the right to lodge a complaint with a supervisory authority; (g) where the data are not collected from the data subject, all available information as to their source; (h) the existence of automated decision making, including profiling as referred to in Article 22(1) and (4), and, at least in such cases, significant information on the logic used and the importance and envisaged consequences of such processing for the data subject.
In addition, where personal data are transferred to a third country or an international organisation, the data subject shall have the right to be informed of the existence of appropriate safeguards within the meaning of Article 46 relating to the transfer.
The controller shall provide a copy of the personal data being processed. In case of further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. If the data subject submits the request by electronic means, and unless otherwise specified by the data subject, the information shall be provided in an electronic format in common use. The right to obtain a copy referred to in paragraph 3 shall not infringe the rights and freedoms of others.
Right of rectification -Art. 16
The data subject shall have the right to obtain from the controller the rectification of inaccurate personal data relating to him without undue delay. Having regard to the purposes of the processing, the data subject shall have the right to obtain completion of incomplete personal data, including by providing a supplementary declaration.
Right to erasure (“right to be forgotten”) – Art. 17
1. The data subject shall have the right to obtain from the controller the erasure of personal data relating to them without undue delay and the controller shall be obliged to erase the personal data without undue delay if any of the following grounds applies
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) the data subject withdraws the consent on which the processing is based in accordance with point (a) of Article 6(1) or point (a) of Article 9(2) and if there is no other legal basis for the processing; (c) the data subject objects to the processing pursuant to Article 21(1) and there is no overriding legitimate ground for processing, or objects to the processing pursuant to Article 21(2); (d) the personal data have been unlawfully processed; (e) the personal data must be erased in order to comply with a legal obligation laid down by Union or Member State law to which the controller is subject; (f ) the personal data have been collected in connection with the provision of information society services referred to in Article 8(1).
2. Where the controller has made personal data public and is obliged, pursuant to paragraph 1, to erase them, the controller shall, having regard to available technology and the costs of implementation, take reasonable steps, including technical measures, to inform the controllers who are processing the personal data of the data subject’s request to erase any link, copy or reproduction of their personal data.
3. Paragraphs 1 and 2 shall not apply to the extent that the processing is necessary:
(a) for the exercise of the right to freedom of expression and information; (b) for compliance with a legal obligation requiring the processing laid down in Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (c) for reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) and Article 9(3); (d) for archiving in the public interest, scientific or historical research or statistical purposes in accordance with Article 89(1), insofar as the right referred to in paragraph 1 is likely to make it impossible or seriously prejudicial to achieve the objectives of such processing; (e) for the establishment, exercise or defence of legal claims.
Right to restriction of processing -Art. 18
1. The data subject shall have the right to obtain from the controller the restriction of processing when one of the following cases occurs:
(a) the data subject disputes the accuracy of the personal data, for the period necessary for the controller to verify the accuracy of such personal data; (b) the processing is unlawful and the data subject objects to the erasure of the personal data and requests instead that their use be restricted; (d) the data subject has objected to the processing pursuant to Article 21(1), pending the verification as to whether the legitimate grounds of the controller prevail over those of the data subject.
2. Where processing is restricted pursuant to paragraph 1, such personal data shall, except for storage, only be processed with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of substantial public interest of the Union or of a Member State.
3. A data subject who has obtained a restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction is lifted.
Obligation to notify in case of rectification or erasure of personal data or restriction of processing – Art. 19
The controller shall communicate to each of the recipients to whom the personal data have been transmitted any rectification or erasure or restriction of processing carried out pursuant to Article 16, Article 17(1) and Article 18, unless this proves impossible or involves a disproportionate effort. The controller shall inform the data subject of such recipients if the data subject so requests.
Right to data portability – Art. 20
1. The data subject shall have the right to receive in a structured, commonly used and machine-readable format personal data concerning him or her that have been provided to a data controller and shall have the right to transmit those data to another data controller without hindrance by the data controller to whom he or she has provided them where:
(a) the processing is based on consent within the meaning of Article 6(1)(a) or Article 9(2)(a) or on a contract within the meaning of Article 6(1)(b); and (b) the processing is carried out by automated means.
2. When exercising his or her rights in relation to data portability pursuant to paragraph 1, the data subject shall have the right to obtain the direct transmission of personal data from one controller to another, where technically feasible.
3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. This right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
4. The right referred to in paragraph 1 shall not affect the rights and freedoms of others.
Right to object – Articolo 21
1. The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data relating to him or her pursuant to points (e) or (f ) of Article 6(1), including profiling on the basis of those provisions. The controller shall refrain from further processing the personal data unless the controller demonstrates the existence of compelling legitimate grounds for processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her carried out for such purposes, including profiling insofar as it is related to such direct marketing.
3. Where the data subject objects to the processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
4. The right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information at the latest at the time of the first communication with the data subject.
5. In the context of the use of information society services and without prejudice to Directive 2002/58/EC, the data subject may exercise his/her right to object by automated means employing specific techniques.
6. Where personal data are processed for scientific or historical research or statistical purposes pursuant to Article 89(1), the data subject shall have the right to object, on grounds relating to his/her particular situation, to the processing of personal data relating to him/her, except where processing is necessary for the performance of a task carried out in the public interest.