International World Wide Consulting AG, with registered office in Lugano (CH) 6900 Via Emilio Bossi n. 1, VAT number/fiscal code: CH411199095, as Data Controller (hereinafter “Data Controller”) informs the Users that, in accordance with EU Regulation 2016/679 ("GDPR") and the national legislation on data protection currently in force, their personal data will be processed in the manner and for the purposes indicated below:
1) Subject of data processing
1.1. The Data Controller processes the personal data of the Registered User and/or the Business User (in particular name, surname, e-mail address, telephone number, IP address, etc. - hereinafter "Personal data") provided while browsing the website https://www.openmould.com/ (hereinafter “Website”), in order to use the B2B e-commerce Platform called Open Mould (hereinafter “Platform”).
2) Purposes and legal basis of the processing
The data will be processed for the following purposes:
2.1. Without prior consent, for the following service purposes:
a) the fulfilment of contractual and/or pre-contractual obligations and commitments: management of registration and/or validation requests; management of navigation on the Website during the use of the Platform.
b) the fulfilment by the Data Controller of the obligations provided by laws, regulations or imposed by the Authorities;
c) the pursuit of a legitimate interest by the Data Controller, or for the management and maintenance of the Website; the prevention and identification of fraudulent activities or harmful events for the Website; the exercise of the rights of the Data Controller.
2.2. Only with the consent of the Registered User and/or the Business User, for the following marketing purposes: a) sending by the Data Controller to the e-mail address communicated by the User when registering, communications and materials, with promotional, advertising content, including by e-mail, SMS or other messages, newsletters and/or multimedia services related to the services offered by the Owner.
3) Purposes and mode of data treatment
3.1. The processing of personal data is carried out - electronically - through operations of collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, access and communication, suspension, cancellation and destruction of data.
3.2. In particular, the use of the Platform provided by the Data Controller involves the processing of data in the following ways:
b) Management of e-mail communications: the Data Controller uses the Odoo and Tinext services to manage a database of e-mail contacts, telephone contacts or any other type, in order to communicate with the Registered User and/or with the Business User.
f) User Device: the Platform can save the unique identification code of the devices with which the Registered User and/or the Business User logs in, for statistical purposes or to keep the expressed preferences.
4) Retention of data
4.1. The Data Controller processes the data of the Registered User and/or the Business User for the time necessary to satisfy the purposes indicated above, and in any case for the period necessary for the management of the service offered (or for a maximum period of 5 years) or for a maximum period of 2 years from collection for marketing purposes.
4.2. However, and in addition to what is specified above, the Data Controller may retain the personal data of the Registered User and/or the Business User for longer periods of time, for example where this is required for tax purposes, or where such data are necessary to confirm the existence of a legal right or contract. In this case, the User’s personal data will be stored and maintained for the period imposed by the applicable legislation, or for the duration of the limitation periods. When the User’s personal data are no longer needed, they will be deleted or anonymized.
5) Access to data
5.1. The data of the Registered User and/or the Business User may be accessible, for the purposes indicated above, to:
a) employees and/or collaborators of the Data Controller, in their capacity as data processors and/or internal contacts and/or system administrators;
b) third-party companies or other entities (e.g., IT assistance, consultants, suppliers, banking institutions, external consultants, etc.) that carry out outsourcing activities for the Data Controller, as Data Processors as provided for in Article 27 GDPR.
6) Data communication
6.1. The personal data may also be communicated, even without prior consent and for the purposes indicated above, to control bodies, police or judicial authorities, upon their explicit request, who will treat them as independent data controllers for institutional and/or legal purposes during the course of investigations and checks. The data may also be communicated to third parties (e.g. partners, professionals, agents, etc.) as independent data controllers for the performance of activities instrumental to the aforementioned purposes.
7) Transfer of non-EU data
7.1. The Personal data will be disclosed and transferred for the above-mentioned purposes to countries outside the European Union (Switzerland). To this end, the Data Controller makes use of the hosting service offered by Tinext SA available at the following link https://www.tinext.com/. In order to ensure an adequate level of protection of personal data, the transfer takes place in accordance with the Federal Data Protection Law (LPD, 19 June 1992) as well as complying with the provisions of EU Regulation 679/2016 GDPR.
8) Provision of data
8.1. The provision of personal data is essential for the achievement of service purposes. In the event that the Registered User and/or the Business User decides not to provide their data, the Data Controller will not be able to execute its requests relating to the use of the Platform and to provide the services offered by the Platform.
8.2. The provision of data for further marketing purposes is discretionary, and the lack of consent does not prevent the User from using the services of the Data Controller. In the event that the Registered User and/or the Business User decides not to provide their data, they will not be able to receive news about the initiatives of the Data Controller.
9) Rights of the Registered and/or Business User
9.1. The Data Controller informs the Registered User and/or the Business User that, as Users, and in the absence of limitations provided by law, they are entitled to:
a) obtain confirmation of the existence or otherwise of personal data concerning him, even if not yet recorded, and their communication in an understandable way;
b) obtain the indication and, if necessary, the copy of:
a) source and category of personal data;
b) logic applied in the case of processing carried out by electronic means;
c) purposes and methods of processing;
d) the identification references of the Data Controller and the Data Processors;
e) the subjects or categories of subjects to whom the personal data may be communicated or who may become aware of them, in particular if the recipients are non-EU countries or international organizations;
f) the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;
g) the existence of an automated decision-making process; and, in this case, information on the logic involved, meaning and consequences for the Registered User and/or for the Business User;
h) the existence of adequate guarantees in case of transfer of personal data to a non-EU country or to an international organization;
c) obtain, without undue delay, the update, rectification or integration of incomplete data; exercise the right to withdraw consent at any time, easily and without hindrance, using, if possible, the same means used to provide consent;
d) obtain the deletion or oblivion of data: processed in violation of the law; no longer necessary in relation to the purposes for which they were collected or subsequently processed; for which the consent on which the processing is based has been revoked and there is no other legal basis for the processing; for which there has been opposition to the processing and there are no legitimate imperative reasons for the processing; in compliance with a legal obligation.
e) the Data Controller may refuse to delete data when processing is necessary: to exercise the right to freedom of expression and information; in compliance with a legal obligation, for the performance of a task in the public interest or in the exercise of public authority; for reasons of public interest; for the achievement of objectives in the public interest, scientific or historical research or statistics; for making legal claims;
f) obtain the restriction of processing data when: the accuracy of personal data is contested; the processing is unlawful and the Registered User and/or the Business User opposes the deletion of personal data; the data are requested by the Registered User and/or the Business User for the exercise of legal actions; waiting to verify if the legitimate interests of the Data Controller prevail over those of the Registered User and/or the Business User;
g) receive, where the processing is carried out by automated means, in a structured, commonly used and legible format, personal data concerning him in order to transmit them to another data controller or, where technically possible, to obtain direct transmission to another Data Controller;
h) oppose, in whole or in part: for legitimate reasons to the processing of personal data concerning him, even if pertinent to the purpose of data collection; the processing of personal data concerning him for the purpose of sending advertising material or for market research or commercial communication, by means of automated call systems without the intervention of an operator, e-mail and/or traditional marketing methods by telephone and/or paper mail; submit a complaint on data protection to the competent supervisory authority.
9.2. In the cases mentioned above, where necessary, the Data Controller shall communicate any exercise of the rights of the Registered User and/or the Business User to each third party to which the personal data have been communicated, except in specific cases such as, for example, if this proves impossible or involves a disproportionate effort.
9.3. The Registered User and/or the Business User also have the right to lodge a complaint with the Data Protection Authority if they believe that the processing of their personal data is in breach of a law in force. As is known, in Italy the Data Protection Authority is responsible for personal data protection (https://www.garanteprivacy.it/).
10) Methods of data processing
10.1. The Registered User and/or the Business User will be able to exercise their rights at any time by sending a registered letter with acknowledgement of receipt to the registered office of the Data Controller, or by sending an e-mail to email@example.com.
11) Data Controller, Data Processor, Data Protection Officer
11.1. The Data Controller is International World Wide Consulting AG, with registered office in Lugano (CH) 6900 Via Emilio Bossi n. 1, VAT number/fiscal code: CH411199095.
11.2. The Data Processor pursuant to art 27 GDPR is Dott.ssa Andreea M. Iordache residing in Seriate (BG) Post Code 24068, Fiscal Code RDCNRM81S45Z129Q, VAT number 04034280166, e-mail firstname.lastname@example.org PEC email@example.com.
11.3. The Company has identified and appointed within its organization, the "Data Protection Officer (DPO)", as required by Article 37 GDPR. The Data Protection Officer has the specific task of overseeing compliance with the Regulation, assessing the risks to data subjects (customers, collaborators, employees, suppliers, consultants), of any processing of personal data carried out by the Company.
11.4. In order to contact the DPO for all matters relating to the processing of Personal Data and/or to exercise the rights provided by the Regulations, you must contact International World Wide Consulting AG, with registered office in Lugano (CH) 6900 Via Emilio Bossi n. 1, VAT number/fiscal code: CH411199095 - Email: firstname.lastname@example.org. The updated list of Data Processors is kept in the offices of the Data Controller at the registered office.
12) Consent to the processing of data for marketing purposes