Pursuant to and by effect of the provisions of Regulation EU 2016/679 (“GDPR”) on the protection of personal data and Italian Legislative Decree (D.Lgs.) no. 196 of 30/06/2003 (“Privacy Code”) in the national privacy law, including any amendments, please be informed that the data to which this privacy policy applies shall be processed in the methods and for the purposes indicated below;

The privacy policy shall not be considered valid, and the Controller shall not be considered in any way responsible, for databases, websites, other forms of disclosure or collection of information (social media, telephone directories, etc.) even where consulted via links or other forms of connections present on the websites managed by the Controller or in any other form but not managed directly and on behalf of the Controller; please consult the third party privacy policy for the related methods, purposes and rights of the data subjects.

Controller and Data Processor

The Controller, whom you may contact for your rights, is Brema Group S.p.A., with registered office in Via dell’industria, 10 – 20035 Villa Cortese (MI) - Italy.

Type of data

Depending on the purpose, the data, provided exclusively with responsibility and voluntarily by the data subject or public sources (telephone directories, social media, chamber of commerce, etc.) may be:
•    Personal data; any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, including a personal identification number.
•    Identification data; personal data allowing the direct identification of the data subject (e.g., name, surname, date of birth, address, e-mail address, telephone number, company name, tax ID code, VAT reg. no., etc…).
•    Data provided voluntarily; the optional, explicit and voluntary sending of postal or e-mail addresses, and/or data provided by compiling forms or other types of collection, leads to the subsequent collection of the data required to respond to requests, as well as any other data communicated in an aware manner, including other contact information on social media: Facebook, LinkedIn, Instagram etc.

use of the website or similar instruments;

•    Navigation data; during normal operation, the computer systems and software procedures for the operation of this website acquire some personal data which is implicitly transmitted in the use of Internet communication protocols. This information is not gathered in order to be associated to the identified Data Subjects, but which by its very nature could, if processed and associated to data held by third parties, lead to the identification of the users. This category of data includes the IP addresses or names of computer domains used by the users when connecting to the website, URI (Uniform Resource Identifier) addresses of requested resources, the time of the request, the method used in submitting the request to the server, the size of the file obtained in reply, the numerical code indicating the state of the reply given by the server (OK, error, etc.) and other parameters concerning the operating system and computer environment of the user.
•    Cookies; Please refer to the cookie policy published on the website.

Place of processing and retention

The data are currently processed and retained at:

•    The executive office of the undersigned, in Via dell’industria, 10 – 20035 Villa Cortese (MI) - Italy.
•    The data may also be processed on behalf of the undersigned by professionals and/or third parties, having checked the compliance with the conditions of lawfulness, persons appointed to perform technical, development, management, administrative, accounting and regulatory activities.

Purposes of the processing

Without express consent (Art. 24(a), (b), (c) of the Privacy Code and Art. 6(b), (e) of the GDPR) and provided by the data subject or also retrievable from public sources in order to:
•    fulfil requirements relating to any laws, regulations, Community law or any orders from the authorities (for example relating to anti-money laundering); exercise the rights of the Controller, for example the right to defence before the courts;
•    perform the operations strictly linked and instrumental to the start of contractual relations, including the acquisition of information prior to the conclusion of the contract; the management of relations for administration, accounting, orders, shipments, invoicing, services, variations in names and company data and the management of any disputes, supplies, payments and contributions; evaluations and activities on the basis of the specification of the “quality system” certifications;

Only with your specific and express consent (articles 23 and 130 of the Privacy Code and art. 7 of the GDPR), for the following purposes:

•    communication of technical information, verification of the level of satisfaction, statistical analyses, profiling, updating or changes to the services and contractual conditions;
•    communication of commercial information relating to new offers of products and services, marketing, promotions, opinion surveys and company news, invitations to events and other opportunities.
In any case, the data shall be processed in compliance with the principles of correctness, lawfulness, transparency and the protection of rights and confidentiality. The contractual purposes, the purchase, sale of products and services, for commercial disputes and not for promotional purposes, payments and contract goods concerning the processing of personal data will be processed for the whole duration of the contractual relations established and also thereafter to fulfil all legal requirements.

Data retention time

The data provided will be retained, for no longer than to achieve the purposes for which they were processed (Art. 5(1)e) of the GDPR), according to the following parameters:

•    For administration, accounting, orders, management of quotations and the whole process of production, assistance and maintenance, shipment, invoicing, services, management of any disputes, salaries and contributions: 10 years as established by Law, without prejudice to any specific cases (e.g., delayed payments of amounts due, legal actions, etc.) which justify an extension;
•    For marketing purposes and accessory services: 24 months.

Methods of processing

The data processing for the indicated purposes, as provided for in Art. 4 of the Privacy Code and Art. 4(2) of the GDPR, takes place using both automated and manual means, on electronic or magnetic supports or hard copies, in compliance with the confidentiality and safety rules laid down in the laws, consequent regulations and internal provisions.
 
Access to data

The data may be made accessible for the purposes listed in art. 2.A) and 2.B):

•    to employees and collaborators of the Controller, or the companies of the Group in Italy and abroad, in their capacity as representatives and/or Internal Data Processors and/or systems administrators;
•    To third companies and other parties (for example credit institutes, professional firms, consultants, insurance companies for the provision of insurance services, etc.) outsourced to perform activities on behalf of the Data Controller, in their capacity as external data processors.

Data communication

Without the need for express consent (Art. 24(a), (b), (d) of the Privacy Code and Art. 6(b) and (c) of the GDPR), the Controller may communicate the data for the purposes given in Art. 2.A), i.e., to parties to whom communication is obligatory by law to achieve the said purposes. These parties will process your data in their capacity as independent controllers, i.e., in Italy the data may be disclosed to:

•    Professionals and consultants, factoring companies, credit institutions, debt collection agencies, insurance companies, commercial information firms, companies working in the transport sector, companies supplying accessory services, etc.;
•    Authorities, Public and private bodies, also following inspections and audits, for example: Financial Administration, Tax Police, Legal Authorities, Italian Exchange rate office, Works Inspectorate, health board, national insurance bodies, ENASARCO, Chamber of Commerce, supervisory bodies, etc.;
•    Other companies in the Brema Group S.p.A.;
•    Subjects who may access your data in accordance with legal provisions;

Sensitive data, even when processed in a completely anonymous form, will not be disclosed in any manner, without prejudice to the close cooperation with companies suitable for the development, implementation, realisation and assistance exclusively to achieve the purposes declared herein and against specific written authorisation.

Transfer of data abroad

The data may be disclosed to third parties (Art. 29 of the GDPR), for technical and operational reasons, also in countries outside the European Union, only to fulfil obligations resulting from the related service contract or to fulfil requirements, prior to the conclusion of the contract, on specific request, i.e., for the conclusion or performance of the contract.

Rights of the data subjects

Relating to personal data, the data subject may exercise the rights laid down in Art. 7 of the Privacy Code and Art. 15 of the GDPR, and where applicable, the rights laid down in articles 16-21 of the GDPR in the limits and at the conditions established. When undersigning any form of consent to processing requested by Brema Group S.p.A. please note that the data subject may withdraw such consent at any time, without prejudice to the obligatory requirements laid down in the laws in force at the time of requesting withdrawal, by contacting the Controller.

•    identification information of the controller, the data processors and the designated representative;
•    confirmation as to whether or not personal data concerning him or her exist, regardless of their being already recorded;
•    origin of the personal data;
•    purposes and methods of the data processing;
•    objection wholly or partly to the purposes of the processing;
•     the logic applied to the processing, if the latter is carried out with the help of electronic means;
•    entities or categories of entity to whom or which the personal data may be communicated and who or which may gain knowledge of said data in their capacity as designated representatives, data processors or authorised persons;
•    the updating, rectification or, where interested, the integration of the data;
•    the viewing or portability to other controllers, and their communication in an intelligible form;
•    the erasure, i.e., the "right to be forgotten”, transformation into anonymous form or blocking of data processed unlawfully, including data whose retention is unnecessary for the purposes for which they have been collected or subsequently processed;
•    certification to the effect that any operations requested have been disclosed, also in relation to their contents, to those to whom the data were disclosed or notified, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected;
•    submit a claim to the Data Protection Authority, and any other administrative or legal body, if it is deemed that the personal data is processed by the Controller in breach of the Regulation or applicable law.

Obligatory and optional nature of the provision of data

Some data are indispensable for establishing a contractual relationship or to perform the contract, while others can be defined as accessory to such purposes. The provision of data to the undersigned is obligatory only for the data which require a regulatory or contractual obligation.

Consequences of any refusal to provided data

If the provision of data is required by a regulatory or contractual obligation, any refusal could place the undersigned in a condition to not be able to perform the contract as this would constitute illegal processing. If there is no legal obligation to provide the data, refusal would not lead to the consequences described above but would in any case make it impossible to provide the accessory operations.

Methods of exercising your rights

At any time, you may exercise your rights by contacting the controller or data processor, using the following methods:

•    registered letter with advice of receipt to  Brema Group S.p.A.; Via dell’industria, 10; 20035 Villa Cortese (MI); Italy
•    email to the address privacy@bremaicegroup.it

Requests will be processed within 30 days of receipt.

The updated list, with reference to the processed data, of the data processors and external data managers, the methods and type of data is held at the registered office of the Controller.

Please promptly notify the referred office of the company of any variation of the data in order to allow it to comply with the GDPR, which requires that the data collected be exact, and therefore updated.

Amendments to the privacy policy

The Controller reserves the right to alter, update, add or remove parts of this privacy policy at its sole discretion at any time. The data subjects are required to periodically check any amendments.

Updated to 19/03/2021.

For more information also refer to the "Legal Notice".