PRIVACY STATEMENT

IPV PACK SRL (hereinafter, the “Data Controller”), acting as Data Controller pursuant to art. 13 of Regulation (EU) 2016/679 (hereinafter, the “Privacy Regulation”), as amended and supplemented, collects and subsequently processes personal data relating to its Customers and Suppliers (hereinafter, the “Data Subject”).

Personal data processed includes:

General personal data. This includes, for example, personal and contact details (e-mail and telephone number).

The Data Subject’s personal data is processed as part of the Data Controller’s normal business activities for the following purposes:

1. Adequate and complete performance of all obligations arising from the signed contract (hereinafter, the “Contract”);
2. Fulfilling administrative and accounting requirements closely connected with the Contract;
3. Fulfilling specific obligations pursuant to the law, specific regulations or EU legislation;
4. Promotional activities, such as sending newsletters, concerning products and services similar to those already purchased.

Data is processed, with the say-so of the Data Controller, by purposely appointed parties authorised and trained to process same under art. 29 of the Privacy Regulations, using manual, computer or electronic instruments, strictly for the purposes referred to above and, in any case, ensuring the security and confidentiality of all data. Data may also be processed, on behalf of the Data Controller, by Data Processors duly appointed under art. 28 of the Privacy Regulation.

With regard to the purposes set forth herein, in paragraph 2, points 1,2 and 3, the provision of data is mandatory and necessary to ensure fulfilment of the Contract and the relating tax and administrative obligations. Failure to provide data will make it impossible to receive the services covered by said Contract. The legal basis for processing, therefore, is the correct performance and management of the Contract.

With reference to purpose no. 4) – activities involving acquired customers – the legal basis for processing is the lawful interest of the Data Controller. The customer may unsubscribe from such communications at any time by e-mail.

With regard to and within the limits of the aforementioned processing purposes, the Data Subject’s personal data will or may be communicated to the following categories of parties:

1. Financial and other public authorities, where required by same or by law;
2. Credit institutes to arrange payments or other financial activities functional to the fulfilment of the Contract;
3. External parties that conduct control activities, such as independent auditors, the Board of Statutory Auditor, or the Supervisory Body;
4. External companies and organisations for credit management purposes and/or for protecting interests and rights;
5. Parties designated as external data processors under art. 28 of the Privacy Regulation, for activities associated with and functional or consequent to performance of the Contract.

Data Subjects may contact the Data Controller for the full, up-to-date list of external data processors.

Personal data will not be transferred outside the EU; however, should the need subsequently arise to transfer data to countries and/or organisations outside the EU for reasons connected with performance of the Contract or with the fulfilment of legal obligations, any such transfer shall be conducted in compliance with applicable laws and regulations. Transfers shall take place with appropriate safeguards, such as adequacy decisions, standard contractual clauses approved by the European Commission, or other legal instruments.

The Data Subject’s personal data is stored c/o the Data Controller for the time required to fulfil the purposes set forth in paragraph 2 above (points 1 to 3), and for the time required by statutory, tax and regulatory standards, and in any case for no more than 10 years from termination of the contractual relationship.

With regard to promotional activities involving acquired customers (paragraph 2, point 4), the Data Subject’s personal data will be processed until said Data Subject exercises the right to object (this right may be exercised straight away, on sending individual communications and/or through direct contact with the Data Controller).

Once the retention period has elapsed, the Data Subject’s personal data will be rendered anonymous or deleted, unless its storage is required for other purposes expressly required by law.

Artt. 15 et seq. of the Privacy Regulation grant the Data Subject the right to:

• access his or her personal data (or a copy thereof) and any further information on data currently being processed;
• obtain from the Data Controller the rectification or updating of incomplete or obsolete personal data concerning him or her.
• obtain from the Data Controller the erasure of personal data concerning him or her in the cases prescribed by current legislation;
• request restriction of data processing by the Data Controller;
• receive the personal data concerning him or her in a structured, commonly used and machine-readable format;
• object to processing of personal data concerning him or her by the Data Controller (e.g. for promotional activities).

The Data Subject may exercise the above rights by emailing IPV PACK SRL at info@ipvpack.com.

In any case, the Data Subject always has the right to lodge a complaint with a supervisory body (in Italy, the Italian Data Protection Authority, or Garante per la protezione dei dati personali).

The Data Controller reserves the right to change, update, add or delete sections of this Privacy Statement, in which case it shall inform the Data Subjects.

Privacy Statement updated as of March 2021