This information notice is prepared in accordance with Articles 13 et seq. of the EU Regulation 2016/679 (hereinafter also GDPR) and contains important information on the processing of your Personal Data. The data controller informs you that it will process your Personal Data in compliance with the Privacy, Personal Data Protection Regulations and the principles of lawfulness, fairness, transparency, purpose limitation and storage, data minimisation, accuracy, integrity, confidentiality.
Therefore, in relation to the above, the data controller provides the following information.
1 DATA CONTROLLER
The data controller is AMBRA s.r.l., Strada del Petriccio e Belriguardo 35, 53100 Siena (SI), Medicinal Research Center – Toscana Life Sciences Foundation, 0577 381421, P. IVA 01504290527, in the person of its legal representative.
2 PURPOSE, LEGAL BASIS OF THE PROCESSING AND NATURE OF THE CONTRIBUTION
The Personal Data you provide through the Website will be processed by the Controller for the following purposes:
2.1. Website navigation. Art. 6(1)(f) and recital 47 of the GDPR: processing is necessary for the purposes of pursuing the legitimate interests of the data controller or a third party, provided that the interests or the fundamental rights and freedoms of the data subject which require the protection of personal data are not overridden, having regard to the reasonable expectations of the data subject based on his or her relationship with the data controller. Activities strictly necessary for the operation of the website and the provision of the platform navigation service, therefore, the provision is necessary.
2.2. Contact request via the Contact form. Art. 6(1)(b) GDPR: processing is necessary for the performance of a contract to which the data subject is party or for the performance of pre-contractual measures taken at the data subject’s request. The provision of personal data necessary for the provision of the services requested by the Data Subject is necessary. Failure to provide the data will make it impossible to obtain what has been requested or to use the services of the data controller.
2.3. Organisational management of the contractual relationship, including payments and invoicing. Art. 6 para. 1 lit. b GDPR: the performance of a contract to which the data subject is a party.
2.4. Fulfilment of legal, accounting, administrative and tax obligations. Art. 6 par. 1 lett. c GDPR: the fulfilment of legal obligations to which the data controller is subject.
2.5. Soft-spam activity. In the context of a purchase via the Website, in order to allow the direct offer by the Data Controller of products similar to what has already been purchased, provided that you do not object to such processing in the manner set out in this Policy. The legal basis of the processing is the legitimate interest of the Data Controller, which may be deemed equivalent to the interest of the data subject in receiving “soft-spam” communications pursuant to Section 130, paragraph 4, of Legislative Decree No. 196/2003, as amended.
3 RECIPIENTS OF PERSONAL DATA
The processed data will not be disclosed to third parties. The following may become aware of your data, in relation to the purposes of processing set out above: a) subjects who may access the data by virtue of legal provisions provided for by the law of the European Union or by the law of the Member State to which the data controller is subject; b) subjects appointed by the data controller as authorised processors pursuant to Art. 29 GDPR and Art. 2-quaterdecies of Legislative Decree 196/2003 and subsequent amendments and additions; c) persons who process data on behalf of the data controller who have been appointed, by contract or other legal act, as data processors pursuant to Art. 28 GDPR.
4 TRANSFER OF PERSONAL DATA
The management and storage of personal data will take place on servers located within the European Union and, therefore, your personal data will not be transferred to countries outside the European Economic Area. However, should it be necessary to move the location of the servers, the data controller ensures that the transfer of data outside the European Economic Area will take place in accordance with the law and by entering into agreements, if necessary, that guarantee an adequate level of protection and/or by adopting the standard contractual clauses provided by the European Commission.
5 PERSONAL DATA RETENTION PERIOD
Your personal data will be kept for the period necessary to pursue the purposes related to the point entitled “PURPOSES OF THE PROCESSING” of this policy. Specifically, they will be processed for a period of time equal to the minimum necessary pursuant to Recital 39 of the GDPR, without prejudice to a further retention period that may be imposed by law pursuant to Recital 65 of the GDPR.
6 RIGHTS OF THE DATA SUBJECT
You, or a person delegated in writing, may exercise the following rights: a) the right of access under Art. 15 of EU Reg. 2016/679; b) the right of rectification under Art. 16 of EU Reg. 2016/679; c) the right to be forgotten under Art. 17 of the EU Reg. 2016/679; d) the right to restriction of processing when one of the cases provided for in Art. 18 of the EU Reg. 2016/679 is applicable; e) the right to request certification that the operations carried out pursuant to Articles 16, 17 and 18 of the EU Reg. EU 2016/679 have been brought to the attention, also as regards their content, of those to whom the data have been communicated or disseminated, except where this proves impossible or involves a manifestly disproportionate use of means compared to the protected right; f) the right to data portability provided for by Art. 20 of EU Reg. 2016/679; g) the right to object to the processing of personal data provided for in Art. 21 of EU Reg. 2016/679; h) the right to withdraw consent at any time, as provided for in Art. 7 of EU Reg. 2016/679.
7 COMPLAINT AND JUDICIAL REVIEW
In addition to the above, you may exercise: a) the right to lodge a complaint pursuant to Art. 77 GDPR; b) the right to lodge a judicial appeal pursuant to Art. 79 GDPR.
Should you wish to exercise your rights as provided for by law or consult the list of data processors, you may contact one of the contacts listed in point 1 of the information notice entitled “DATA CONTROLLER”.
In any event, the data controller remains available at all times for any need and, in the event that the processing should be modified with respect to what has been described above, the controller will immediately provide updated information.