Poltrona Frau S.p.A. (hereinafter referred to as the "Data Controller"), as a Data Controller, wishes to inform its B2B customers, dealers, resellers and other contractual counterparties ("B2B Party") about the methods of processing their personal data, in compliance with the national legislation of reference and with the European Regulation on the protection of personal data n. 679/2016 (hereinafter, "European Regulation").
1. Data Controller and Data Protection Officer
The data controller in relation to the processing of personal data described in this statement is Poltrona Frau S.p.A. with sole shareholder, a company subject to management and coordination activity by Haworth Italy Holding S.r.l., VAT no. 05079060017, with registered office in Via Busnelli, no. 1, 20821 Meda (MB), which can be contacted at the following e-mail address [email protected].
The Data Controller has designated a data protection officer ("DPO"), who can be contacted at the references indicated in paragraph 11 of this privacy notice.
2. Who does the Policy apply to?
- B2B customers, dealers, resellers and other contractual counterparties, in the case of natural persons or sole proprietorships;
- legal representatives, shareholders (natural persons), directors, attorneys, members of the board of statutory auditors, members of the supervisory body, technical directors, other persons with powers of representation and / or management and / or control who are natural persons, as well as employees and collaborators of B2B customers, dealers, resellers, and other contractual counterparties;
(hereinafter jointly referred to as the "Interested" or “Data Subject”).
3. What data are processed?
The Data Controller collects the personal data relating to the Data Subject directly from the latter - where the contractual counterpart of the Data Controller is a natural person - or from the company / body to which the Data Subject refers for the event in which the interested party intends to participate, to register on the digital platform interactive by Poltrona Frau or during the negotiation and / or conclusion phase and / or execution and / or termination of the commercial relationship established with the Data Controller. Furthermore, the Data Controller may collect personal data relating to the Data Subject from lists, registers and other publicly accessible sources - such as, for example, the data reported on the company registration certificate of the Data Subject - as well as from databases of subjects who offer information on the commercial reliability of entrepreneurs and managers.
Depending on the purpose and time of collection the Data Controller processes the following types of personal data relating to the Data Subject:
- personal data, contact details, identity document and the role held at the company / body to which the data subject belongs;
- the company name, the address of the main office and any secondary offices, the VAT number and / or the tax code, the details of the bank account or current accounts of the data subject, in the event that this is a natural person or sole proprietorship;
- additional personal data relating to the data subject that may be collected by the Data Controller during the negotiation and / or conclusion and / or execution and / or termination of the contract with the Data Controller;
(hereinafter jointly the "Data").
Data subjects are recommended not to provide the Data Controller with data that are not necessary for the pursuit of the purposes referred to in this information on the processing of personal data.
4. For what purposes are the Data processed?
The Data Controller processes the Data of the Data Subjects for:
a) carry out negotiations and execute the contract to which the interested party is a party during an online purchase or at the showroom, to register for one of the events organized by Poltrona Frau or to register on the interactive digital platform (hereinafter "Contractual Purposes");
b) fulfill the obligations deriving from the applicable legislation, including tax legislation (hereinafter "Purpose of the Law"); and
c) pursue the legitimate interest of the Data Controller to carry out the negotiations and execute the contract of which the company / body to which the same Data Subject refers is part;
d) pursue the legitimate interest of the Data Controller to verify the safety and commercial and financial reliability of its B2B customers, dealers, resellers and other contractual counterparties, to prevent fraud, to guarantee the soundness of management and the correct execution of commercial relationships between the Data Controller and its B2B customers, dealers, resellers, and other contractual counterparties,
e) assert and defend their rights, also in the context of credit recovery procedures, against the Data Subject or third parties in any litigation;
f) carry out activities functional to company and business unit transfers, acquisitions, mergers, demergers or other transformations and for the execution of such operations;
g) to send communications of a commercial nature, on collections, exhibitions and events relating to the Data Controller or to the companies of the group to which the Data Controller belongs. We will make these communications periodically indicatively no more than 2 times a month or on the occasion of particular initiatives (eg Salone del Mobile) by e-mail to the addresses of the interested parties indicated from time to time in the context of the contractual relationship between the Data Controller and the company / body to which the interested party refers.
(the purposes referred to in letters c) to g) are jointly defined as the "Purposes of Legitimate Interest").
5. On what legal basis are the Data processed?
The processing of data is necessary with reference to the Contractual Purposes and the Legal Purposes referred to in paragraph 4, letter a) and b), in order to participate at the event, register on the platform, negotiate, stipulate, execute and / or terminate the contract between the Data Controller and the Data Subject., as well as in order to comply with the provisions of the applicable legislation. Failure to provide the data for these purposes will make it impossible for the owner to participate at the event, register on the platform, enter into the aforementioned contract.
The processing of data for the purposes of legitimate interest is carried out pursuant to article 6, letter f) of the European Regulation for the pursuit of the legitimate interest of the Data Controller, which is equally balanced with the legitimate interest of the interested parties, as the Personal Data processing activity is limited to what is strictly necessary for the execution of the economic operations and other activities indicated in the previous lett. from c) to f) and it's functional to maintaining commercial relations between Poltrona Frau and its professional customers, for the activities referred to in point g). The processing for the purposes of legitimate interest is not mandatory and the Data Subject may oppose this processing in the manner indicated in paragraph 11 of this information, but if the Data Subject objects to said processing, his data cannot be used to the Purposes of Legitimate Interest.
6. How are the Data processed?
In relation to the aforementioned purposes, the Data will be processed both with the aid of IT or automated tools, and on paper, and will be protected through suitable measures to guarantee the confidentiality and security of personal data. In particular, the Data Controller takes appropriate organizational and technical measures to protect the Data in its possession against loss, theft, as well as the use, disclosure or unauthorized modification of the Data.
7. To whom are the Data disclosed to?
For the purposes referred to in paragraph 4, the Data Controller may communicate - in whole or in part - the Data of the Data Subjects to the following categories of subjects:
1. workers of the Data Controller or of the subjects indicated below, as persons in charge of processing, within the scope of their respective duties and within the limits established by law;
2. suppliers of instrumental or support services to those carried out by the Data Controller and therefore, by way of example but not limited to, legal, administrative and tax consultants, banking institutions for the management of collections and payments deriving from the execution of the contract between the Data Controller and the data subject or the company / body to which he refers, auditing companies, companies in charge of event management, companies in charge of sending the newsletters of marketing, technological service providers, as independent data controllers or managers;
3. subcontractors and / or subcontractors engaged in activities related to the execution of the contract between the Data Controller and the Data Subject or the company / body to which they refer, as external data processors;
4. other companies belonging to the group to which the Data Controller is a part, located in Italy and abroad, as data controllers;
5. public bodies and / or judicial and / or control authorities whose right of access to the data of the data subject is provided for by the applicable legislation, as independent data controllers; and
6. assignees of a company or company branch, companies resulting from possible mergers, demergers or other transformations of the Data Controller, as independent data controllers.
Some of the subjects listed above may be located in countries outside the European Union or the European Economic Area. In this case, the data will be communicated in accordance with what is indicated in the following paragraph.
8. Are the Data transferred abroad?
The Data could, in compliance with the applicable regulations, be transferred abroad even in countries not belonging to the European Economic Area and, in particular in the countries where the companies of the group to which the Data Controller belongs, as well as the showrooms and authorized retailers of products and services of the Data Controller; a complete list of these latter subjects is available on the website www.poltronafrau.com, while the complete list of the group companies can be requested from the Data Controller by sending an email to the address referred to in paragraph 11 below. Data in countries located outside the European Economic Area will take place, in any case, in compliance with the appropriate and appropriate guarantees for the purposes of the transfer itself, pursuant to articles 44 et seq. of the European Regulation.
In any case, the Data Subject will be made aware of any transfer of data outside the European Economic Area, by updating this information, in the manner indicated in the following paragraphs.
9. How long are the Data kept?
The Data will be stored by the Data Controller:
- to register for the event, to register on the interactive digital platform or in the event of a positive outcome of the contractual negotiations, for a period equal to the duration of the contract stipulated between the Data Controller and the Data Subject, or the company / body to which he refers, and for 10 years following its termination;
- in the event of a negative outcome of the contractual negotiations, the Data will be deleted at the end of the negotiation phase;
- and except in any case that the further retention of the Data is necessary in order to exercise or defend a right of the Data Controller against the data subject or third parties in a possible dispute.
With reference to the data processed for the purpose of sending commercial communications, the Data Controller will process the data of the interested party until the possible exercise of the right of opposition and, in any case, no later than 2 years from the end of the relationship between the Data Controller and the company / body to which he refers.
At the end of the retention period, the data will be deleted, anonymized or aggregated.
10. What are the rights of the Data Subjects?
Without prejudice to the possibility of the data subject not to provide their data, the data subject, at any time and free of charge, may:
- obtain confirmation of the existence or not of data concerning him;
- know the origin of the Data, the purposes of the processing and its methods, as well as the logic applied to the processing carried out using electronic tools;
- request the updating, rectification or - if interested - the integration of data concerning him;
- obtain the cancellation, transformation into anonymous form or blocking of any Data processed in violation of the law, as well as to oppose, for legitimate reasons, the processing;
- withdraw your consent, if previously given;
- ask the Data Controller to limit the processing of the Data concerning him in the event that (i) the Data Subject contests the accuracy of the Data, for the period necessary for the Data Controller to verify the accuracy of such Data; (ii) the processing is unlawful and the data subject opposes the cancellation of the data and requests instead that its use be limited; (iii) although the Data Controller no longer needs it for processing purposes, the Data is necessary for the Data Subject to ascertain, exercise or defend a right in court or out of court; (iv) the data subject opposed the processing pursuant to article 21, paragraph 1, of the European Regulation pending verification of the possible prevalence of the legitimate reasons of the Data Controller with respect to those of the data subject;
- object at any time to the processing of your data for purposes of legitimate interest;
- request the cancellation of the data concerning him without undue delay; and
- obtain the portability of data concerning him.
The data subject will also have the right to lodge a complaint with the Personal Data Protection Authority to the contacts available on the website www.garanteprivacy.it, where the conditions exist.
Requests for the exercise of rights may be sent in writing to the Data Controller, who can be contacted at the following email address: [email protected]roup.com.
The Data Controller has appointed a DPO who is responsible for the compliance by the Data Controller of the obligations required by the legislation on the protection of personal data.
The data subject may contact the DPO in a secure and confidential manner, at any time, if he has general questions on the processing of his personal data, or for any matter relating to data protection. The email address of the Data Protection Officer is: [email protected].
12. Changes and Updates