Here is the link to the full pdf

The Company, Gummy Industries S.r.l. with a registered office in Viale Venezia 20, 25123 – Brescia (BS), in its capacity as Data Controller (hereinafter also referred to as ‘Data Controller’), protects the personal data of Data Subjects by ensuring confidentiality and compliance with applicable legislation and guarantees the necessary level of protection against any event that might put them at risk of being breached.

Types of personal data processed

In particular, the following personal data concerning you may be processed:

• identifying information such as name, surname, tax code, address, email, and phone number, relating directly to you if you are a natural person or sole proprietorship, or relating to natural persons who represent, belong to, or are otherwise associated with your organization if it is a legal entity;
• bank details

Purpose and legal basis of processing

Your personal data will be processed for the following purposes:

1. pre-contractual activities; 
2. execution and management of the contractual relationship established with you;
3. implementation and management of the consequent regulatory compliance (such as, for example, the fulfillment of economic and financial accountability obligations under Presidential Decree No. 633/1972, No. 600/73, and No. 917/86);
4. sending promotional and marketing communications, including newsletters and market research; it should be noted that the Data Controller collects a single consent for the marketing purposes described herein, according to the General Provision of the Personal Data Protection Authority “Advertising and Anti-Spam Guidelines”, July 4th, 2013; if, in any case, you wish to object to the processing of your personal data for marketing purposes carried out in the manner and by the means indicated above, as well as to withdraw the consent given, you may do so at any time by contacting the Data Controller at the addresses indicated in this notice, without prejudice to the lawfulness of the processing based on the consent given before the revocation;

This personal data processing activity takes place for: 

• to send you advertising material relating to the services offered by the Data Controller;
• to send you information and/or promotional material through newsletters;
• to carry out surveys and improve the services offered (customer satisfaction).

The Data Controller has implemented and uses systems for sending promotional/commercial communications in the form of newsletters, equipped with reporting mechanisms to improve the results of the communications. As a result of the use of such tools, the Data Controller may know, for example: 

• number of readers, message opens and clicks by users on messages;
• type of device used to read the communication (desktop, mobile);
• number of users who have not yet confirmed their subscription (‘suspended’ users); 
• number of emails sent by date/time/minute;
• details of emails delivered vs. emails sent; unsubscribers from the newsletter;
• email opens and clicks on individual links;
• link tracking (number of clicks on links in the message);
• click tracking (which links were clicked).

All this data is used to compare and possibly improve the results of the communication.

The legal basis for the processing operations and purposes listed under letters (a), (b), and (c) of this section is the following: 

Art. No 6.1(b) GDPR ‘processing is necessary to execute a contract to which the Data Subject is a party or for pre-contractual measures taken at the request of the Data Subject’. 

The legal basis for the processing operations and purposes listed under letter (d) of this paragraph is the following: 

Art. 6.1(a) GDPR ‘the Data Subject has given consent to the processing of his or her personal data for one or more specific purposes’.

• Processing modalities

Your personal data will be processed mainly with the aid of computer tools and paper media by people within the Data Controller’s company duly authorized and instructed for this purpose in a manner and by appropriate means to ensure the security and confidentiality of personal data, under the GDPR. 

The Data Controller carries out regular checks to ensure that personal data not necessary for the processing and its purposes are not collected, filed, or stored, as listed in point no. 2 of this notice.

In carrying out the aforementioned activities, Gummy Industries undertakes to: 

1. ensure that the personal data processed is accurate and up to date, and promptly respond to any corrections and/or additions you request;
2. notify you of any personal data breaches within the timeframes and in the cases provided for by applicable law;
3. ensure that processing operations comply with applicable law.

Personal data recipients

Personal data processed for the purposes set out in point 2 of this notice may be disclosed:

• to duly authorized internal staff of the Data Controller for those parts of the processing operations that fall within their competence;
• to external parties such as:
• accountants and/or external advisers on accounting, tax and legal matters;
• credit institutions; 
• lawyers and/or legal consultants for the management of any litigation;
• information and IT support companies;
• companies providing marketing services;
• IT infrastructure and solutions providers.

The communication concerns the categories of personal data whose transmission to the aforementioned third parties is necessary to carry out the activities and for the purposes indicated in this notice and, in any case, in connection with the contractual relationship established with you.

Your consent is not required for the processing in question, as the processing is carried out for the performance of the contract you have entered into with the Data Controller to fulfill any legal obligations arising therefrom or for the protection of a right of the Data Controller.

Under no circumstances will there be any disclosure of your personal data.

Extra EU/EEA transfer

The Data Controller will not transfer your personal data abroad (the term “abroad” is to be understood as any country not part of the European Economic Area).

Data Retention

Concerning the purposes indicated at point 2, letters a), b), and c), your personal data will be processed by the Data Controller for the time necessary to carry out the activities related to the management of the contract you have entered into with the Data Controller and for the fulfillment of the resulting obligations, including legal obligations. The data referred to in your contract will be kept for ten (10) years from the date of its conclusion, given the applicable statute of limitations and, in any case, from the time at which any rights under the said contract may be enforced under and for Article 2935 in conjunction with Articles 2946 and 2947 of the Civil Code. 

Where there are specific legal requirements, longer retention periods may apply, or if the Data Controller is required to do so by any governmental authority or for any other reason to protect your rights or the rights of the Data Controller. 

Personal data processed by the Data Controller for marketing purposes (point 2, letter d), for sending commercial communications by newsletter or other means, will be kept for twenty-four (24) months, unless you proceed to revoke the consent you have given and/or object to having it processed. 

Once the above time limits have expired, the Data Controller will delete the data concerning you. 

Data subject rights

Under EU Regulation No. 2016/679, you have the right to:

• obtain confirmation of the processing of your personal data carried out by the Data Controller;
• access to and know the origin of your personal data (if your personal data is not collected directly from you but from third parties), the purposes of the processing, the Data Subjects to whom the data are communicated (recipients), the data retention period, or failing that, the criteria for determining it;
• obtain the rectification of your personal data;
• obtain the deletion of your personal data from the Data Controller’s databases if they are no longer necessary for the purposes for which they were collected or if the processing is unlawful, and in the other cases referred to in Article 17 of the GDPR;
• limit the processing of your personal data e.g. where its accuracy is disputed, for the period necessary for the controller to verify its accuracy, and in all other cases referred to in Article 18 of the GDPR; 
• receive the personal data concerning you in electronic form in order to be able to communicate them to another Data Controller (portability).

You may exercise your rights by writing to the Controller at: privacy@gummyindustries.com.

The Data Controller shall act promptly and within one month of receiving the request at the latest. This period may be extended by two months. In this case, the Data Controller will always inform you within thirty days of the reasons for the extension.

Complaint 

You have the right to lodge a complaint with the Data Protection Authority. In the event that you reside in another member state, or if the violation of personal data protection regulations occurs in an EU country other than the one where Gummy Industries S.r.l. is based, you are required to lodge a complaint with the competent authority responsible for overseeing compliance with data protection laws in that respective country. 

Filing the Complaint shall not prevent any other legal action.

Data provision and consequences

The provision of your personal data is optional but necessary for the purposes set out in point 2 of the disclosure.

The refusal to provide the requested personal data may result in the impossibility of performing or, if applicable, continuing the relationship established with the Data Controller.