EXTENDED PRIVACY NOTICE PURSUANT TO ARTICLES 12, 13 AND, WHERE APPLICABLE, 14 OF THE GDPR – REGULATION (EU) 2016/679 ON THE PROTECTION OF NATURAL PERSONS WITH REGARD TO THE PROCESSING OF PERSONAL DATA (HEREINAFTER GDPR)
The data controller provides below the Privacy Notice pursuant to Articles 12, 13 and, where applicable, 14 of the GDPR regarding the processing of personal data provided by the Client/Data Subject through the completion and signing of the Contract to purchase products/services offered for sale by the data controller, by voluntarily uploading personal data to this website (in particular by filling out forms) or simply by browsing it.
1. Data Controller and Contact Information
The Data Controller is LABEL ITALY SRL, located in Modena, Via S. Allende, 59, C.F. 02578750362, P.I. 02578750362, tel. +39 059362993, email TECH@labelitaly.it, web https://www.labelitaly.it/ (hereinafter the Website).
2. Principles Applicable to Data Processing
In accordance with the GDPR, the Data Controller constantly strives to ensure that personal data is:
- Processed lawfully, fairly, and transparently;
- Collected for specified, explicit, and legitimate purposes and subsequently processed in a manner not incompatible with those purposes;
- Adequate, relevant, and limited to what is necessary concerning the purposes for which they are processed;
- Accurate and, where necessary, kept up to date;
- Retained for no longer than necessary to achieve the purposes for which they are processed;
- Processed, through appropriate technical and organizational measures, to ensure their security;
- Processed, where based on consent, by free decision of the Client/Data Subject, on the basis of a request clearly distinguishable from the rest, in an understandable and easily accessible form, using plain and clear language.
The Data Controller adopts appropriate technical and organizational measures to ensure the protection of personal data by design and to ensure that, by default, only necessary data is processed for each specific purpose.
The Data Controller collects and considers feedback, observations, and opinions from the Client/Data Subject sent to the contacts listed above, to implement a dynamic privacy management system that ensures the effective protection of individuals regarding their data.
This Privacy Notice may undergo changes in line with the evolution of reference legislation and the technical and organizational measures adopted by the Data Controller; therefore, the Client/Data Subject is invited to periodically visit this section of the Website to view updates and the current version of the Notice.
3. Methods of Processing Personal Data
Personal data is processed manually and electronically, with logic strictly related to the purposes outlined below and, in any case, in a manner that ensures the security and confidentiality of the data.
4. Purposes of Processing Personal Data
(4a) Purposes for which data processing is necessary
The personal data provided by the Client/Data Subject is mainly processed for the execution of the Contract and credit management, and more generally, for the relationship arising from the Contract itself.
Providing data in the Contract or subsequently during the contractual relationship for the aforementioned processing purposes is mandatory; therefore, failure, partial, or incorrect provision of such data makes it impossible to conclude and/or execute the Contract, preventing the Client/Data Subject from benefiting from the products/services offered by the Data Controller, potentially exposing the Client/Data Subject to liability for contractual non-compliance.
The personal data provided by the Client/Data Subject may also be processed if necessary to comply with a legal obligation to which the Data Controller is subject, to protect the vital interests of the Client/Data Subject or another natural person, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller, or for the pursuit of the legitimate interests of the Data Controller or third parties, provided that the interests or fundamental rights and freedoms of the Client/Data Subject do not override them. In these cases, providing data is mandatory; failure to provide or incorrectly providing such data may expose the Client/Data Subject to liability and sanctions under the legal system.
(4b) Additional Purposes Following Specific and Express Consent from the Client/Data Subject
In addition to the purposes outlined above, personal data provided/acquired may also be processed, subject to the Client/Data Subject’s consent (expressed by selecting the <<Consent>> checkbox on the Contract or the Website), for market research and for commercial and promotional communications via telephone (including mobile numbers) and automated contact systems (email, SMS, MMS, fax, etc.) about products/services of the Data Controller or companies within the Group to which the Data Controller may belong.
Consent for the processing purposes in this section (4b) is optional; therefore, in the event of refusal, data will be processed solely for the purposes specified in section (4a).
5. Categories of Personal Data Processed
The Data Controller primarily processes identifying/contact data (name, surname, addresses, types and numbers of identification documents, phone numbers, email addresses, tax/billing information) and, in the event of commercial transactions, financial data (bank information, account numbers, credit card numbers).
6. Source of Personal Data
The personal data processed by the Data Controller is collected directly from the Client/Data Subject during navigation of the Website or through social/web applications of the Data Controller.
7. Retention Period
For the purposes mentioned in section (4a), personal data is retained for the duration of the statutory period, typically 10 years. For the purposes mentioned in section (4b), data is retained until consent is withdrawn or, if not withdrawn, for one year after the termination of the relationship.
8. Circulation of Personal Data
(8a) Disclosure of Personal Data – Categories of Recipients
In addition to employees and collaborators of the Data Controller (authorized by the Data Controller through appropriate written operational instructions to ensure data confidentiality and security), some processing operations may also be carried out by third parties to whom the Data Controller entrusts certain activities, or parts thereof, necessary for the
purposes outlined in section (4a). These activities are performed both to fulfill contractual and legal obligations. Examples include but are not limited to: commercial and/or technical partners; companies providing banking and financial services; document archiving companies; debt collection agencies; auditing and accounting certification firms; rating agencies; professionals providing assistance and consultancy to the Data Controller; customer care services; factoring companies, credit securitization firms, or other entities acquiring credit rights; companies within the Group to which the Data Controller may belong; providers of commercial information; and IT service companies.
The entities belonging to the aforementioned categories process personal data either as independent data controllers or as data processors, with respect to specific processing operations related to the contractual services performed for the benefit or on behalf of the Data Controller. Data processors are provided with appropriate written operational instructions by the Data Controller, particularly regarding the adoption of minimum security measures to ensure the confidentiality and security of the data.
Some processing operations may also be carried out by third parties entrusted by the Data Controller with certain activities, even for the purposes described in section (4b). These may include, but are not limited to: commercial and/or technical partners; companies providing institutional marketing services; advertising agencies; and entities providing assistance and consultancy for contests and prize operations. The entities in these categories process personal data either as independent data controllers or as data processors, depending on the specific processing operations involved in the services performed on behalf or in the interest of the Data Controller.
A list of the data processors with whom the Data Controller maintains relationships is available, subject to periodic updates, upon written request sent to the Data Controller’s office.
Furthermore, personal data may be disclosed to competent authorities upon request, in compliance with legal obligations.
(8b) Transfer of Personal Data to Third Countries
The Client/Data Subject’s personal data may also be transferred abroad, both within the European Union and to countries outside the European Union. In the latter case, the transfer will occur either based on an adequacy decision, within the framework of adequate safeguards as provided by the GDPR (such as standard contractual clauses for data protection approved by the European Commission), or, outside of these scenarios, by relying on one or more of the derogations provided by the GDPR. These include explicit consent from the Client/Data Subject, the performance of a contract concluded by the Client/Data Subject, or the execution of a contract between the Data Controller and another natural or legal person for the benefit of the Client/Data Subject, particularly for activities entrusted to the Data Controller as part of the performance of the contract concluded with the Client/Data Subject.
In cases where data is transferred to countries outside the European Union, the Client/Data Subject may, upon written request to the Data Controller’s office, obtain information on the appropriate safeguards or derogations legitimizing the cross-border data processing.
It is understood that, in the event of data transfers to non-EU countries, the Client/Data Subject may always contact the Data Controller to exercise the rights recognized by the GDPR.
9. Criteria for Determining the Retention Period of Personal Data
For the purposes outlined in section (4a), the retention period for personal data provided by the Client/Data Subject, and the subsequent potential processing, coincides with the statutory limitation period for rights/duties (legal, tax, etc.) arising from the Contract, typically 10 years, unless interruption events extend this period.
For the purposes described in section (4b), the retention period for data provided by the Client/Data Subject and its subsequent processing ends upon withdrawal of the previously granted consent, or, in the absence of such withdrawal, one year after the termination of any relationship between the Data Controller and the Client/Data Subject.
10. Rights of the Client/Data Subject
The Data Controller recognizes – and facilitates the exercise of – all the rights provided by the GDPR to the Client/Data Subject. These include the right to request access to their personal data and obtain a copy (Article 15 GDPR), rectification (Article 16 GDPR), erasure (Article 17 GDPR), restriction of processing (Article 18 GDPR), data portability (Article 20 GDPR, where applicable), and objection to processing (Articles 21 and 22 GDPR, in cases such as marketing or automated decision-making, including profiling, that produces legal effects or similarly significantly affects them).
Where processing is based on consent, the Data Controller also recognizes the right of the Client/Data Subject to withdraw that consent at any time without affecting the lawfulness of the processing carried out before the withdrawal. The Client/Data Subject may unsubscribe at any time via the Website (or other social or web applications of the Data Controller) or by using the link in the footer of each commercial communication received, or by contacting the Data Controller at the contacts listed above.
Additionally, the Data Controller informs the Client/Data Subject of their right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) and to seek judicial remedy, both against the Authority’s decisions and the Data Controller and/or a data processor.
11. Security of Systems and Personal Data
Taking into account the state of the art, implementation costs, the nature, scope, context, and purposes of the processing, as well as the risks to the rights and freedoms of natural persons, the Data Controller adopts technical and organizational measures deemed appropriate to ensure a level of security appropriate to the risk. These measures include ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services (including data encryption, where necessary) and the ability to restore data availability promptly in the event of a physical or technical incident. The Data Controller also implements internal procedures to regularly test, verify, and evaluate the effectiveness of the security measures.
12. Automated Decision-Making, Including Profiling
The Data Controller may perform automated processing, including profiling, for the purposes described in section (4b), to optimize Website navigation (or use of other social or web applications of the Data Controller) and improve the purchasing experience. However, the Client/Data Subject’s rights to object and withdraw consent remain unaffected.
Profiling refers to any form of automated processing of personal data aimed at evaluating specific aspects relating to a natural person, particularly to analyze or predict aspects such as personal preferences, interests, or location, in order to create profiles or homogeneous groups based on characteristics, interests, or behaviors.
The Data Controller does not perform automated processing that produces legal effects concerning the Client/Data Subject or similarly significantly affects them, except where necessary for the conclusion or performance of a Contract, authorized by law, or based on the Client/Data Subject’s explicit consent. In any case, the Client/Data Subject retains the right to obtain human intervention, express their opinion, and contest the decision.