Privacy Policy
pursuant to and for the purposes of
art. 13 of Regulation (EU) 2016/679
Dear interested party,
We hereby inform you that according to the General Data Protection Regulation (Reg. EU 2016/679, hereinafter GDPR) the processing of personal data of natural persons must be based on the principles of fairness, transparency and protection of your privacy and rights.
We inform you that your data will be processed in the following ways and for the following purposes:
Data controller
The data controller is Grati Srl, with legal representative Cristiana Grati, registered office at Via Fiorentina 33, 50068 Rufina (FI), C.F. / P. IVA 05580830486, (hereinafter referred to as “Controller“).
Types of data processed, purpose and legal basis for processing
The Data Controller processes personal and identification data (for example, name, surname, company name, address, telephone, email, bank and payment references – hereinafter, “personal data” or even “data”) communicated by you when concluding contracts for the services of the Data Controller.
1) Conclude contracts for the services of the Data Controller;
2) To fulfil the pre-contractual, contractual and tax obligations arising from our relationship with you;
3) Management of administrative activities, accounting, orders, shipments, invoicing, services;
4) Comply with obligations under the law, a regulation, Community legislation or an order of the Authority;
5) Exercise the rights of the Data Controller, for example the right of defence in court;
The processing takes place without your express consent (art. 24 lett. a), b), c) Privacy Code and article 6, letters b, c, f, GDPR)
The legal basis for processing is:
Art. 6 lit. B) – GDPR – the processing is necessary for the execution of a contract to which the data subject is a party or for the execution of pre-contractual measures taken at the request of the same.
Art. 6 lit. C – GDPR – The processing is necessary to fulfill a legal obligation to which the data controller is subject.
Art. 6 lit. F) – GDPR – the processing is necessary for the pursuit of the legitimate interest of the holder. Pursuant to art. 6 lit. B, C and F – GDPR, processing does not require the consent of the data subject.
Provision
The provision of data is mandatory for the establishment of the contractual relationship; if the data are not provided, it will not be possible to establish the contractual relationship.
Methods of processing
The processing of your personal data is carried out by means of the operations indicated in art. 4 Privacy Code and art. 4 n. 2) GDPR and precisely: collection, registration, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, deletion and destruction of data. Your personal data may be processed in paper form and in electronic and/or automated form.
Data retention period
Your data will be kept for the administration, accounting and management of any litigation: 10 years after the termination of the contractual relationship or for the time required and/or imposed by regulatory requirements and in any case until the expiry of the limitation period in order to be able to assert any existing legal claims.
The storage will be carried out for a period of time not exceeding the achievement of the purposes for which they are processed and/or for the time necessary for legal obligations.
Data access
Your data may be made accessible for the purposes of art. 2:
– to employees and collaborators of the Controller, in their capacity as data processors and/or internal controllers and/or system administrators;
– to third-party companies or other entities (as an indication, credit institutions, professional firms, consultants, insurance companies for the provision of insurance services, etc.) that carry out outsourcing activities on behalf of the Data Controller, in their capacity as external processors.
Communication and disclosure of data
The collected data will not be disseminated, sold or exchanged with third parties without the express consent of the interested party, except for any communication to authorized third parties, committed to confidentiality or, where applicable, appointed as responsible for processing pursuant to art. 28 of Regulation (EU) 2016/679 (such as companies operating in the information technology sector and computer assistance and hosting companies, web marketing and telemarketing companies), where necessary for the purposes set out in this policy. The complete and up-to-date list of data processors is available, upon request, through the methods indicated in this information. The data may be communicated to the competent authorities, in accordance with the law.
Security
The data are stored and controlled by adopting appropriate preventive security measures, aimed at minimizing the risks of loss and destruction, unauthorized access, and processing that is unauthorized or different from the purposes for which the processing is carried out.
Data transfer
The management and storage of personal data will take place in the territory of the European Union.
Rights of the person concerned
As a data subject, you have the right under art. 15 GDPR to:
i. obtain confirmation of the existence or not of personal data concerning you, even if not yet recorded, and their communication in an intelligible form;
ii. obtain the indication: a) of the origin of the personal data; b) of the purposes and methods of processing; c) of the logic applied in case of processing carried out with the aid of electronic means; d) of the identification details of the holder, of the persons responsible and the representative designated pursuant to art. 5, paragraph 2 Privacy Code and art. 3, paragraph 1, GDPR; e) the subjects or categories of subjects to whom personal data may be communicated or who may become aware of it as a designated representative in the territory of the State, responsible for or entrusted with;
iii. obtain: a) the updating, rectification or integration of data; b) the deletion, transformation into anonymous form or blocking of data processed in violation of law, including those for which retention is not necessary in relation to the purposes for which the data were collected or subsequently processed; c) an attestation that the operations referred to in letters a) and b) have been made known, also as regards their content, to those to whom the data have been communicated or disseminated, except where such fulfilment proves impossible or involves a use of means manifestly disproportionate to the protected right;
iv. object, in whole or in part, for legitimate reasons, to the processing of personal data concerning you, even if relevant to the purpose of the collection.
Where applicable, you also have the rights set out in art. 16-21 GDPR (Right of rectification, right to be forgotten, right to restriction of processing, right to data portability, right of opposition), as well as the right to complain to the Supervisory Authority.
Procedures for exercising rights
You can exercise your rights at any time by sending a notice to:
- e-mail address: info@grati.it
- PEC address: gratisrl@legalmail.it
- registered letter with return, to: Grati Srl, Via Fiorentina 33 – 50068 Rufina (FI)
