Integrated Privacy Policy – M 8.2.17 – Rev. 0/CE
INFORMATION ON THE PROCESSING OF PERSONAL DATA
This notice is provided to you pursuant to Articles 13 and 14 of European Regulation 2016/679 on the protection of personal data (“Regulation” or “GDPR”) and is addressed to:
- Visitors/users of the website www.citteriofiorentino.it (“website” or “site”), whose data are collected—either independently or through third parties—via the website itself;
- Clients who use the services provided by the Data Controller;
- Job applicants submitting applications through this website or other channels;
- Suppliers of the Data Controller in the context of existing contractual relationships.
This Privacy Policy aims to inform users about the methods of processing their personal data. All data are processed lawfully, fairly, and transparently in relation to the data subject, in compliance with the general principles established by EU Regulation No. 2016/679 and the current regulations on personal data protection.
1. DATA CONTROLLER
The Data Controller, to whom you may refer to exercise the rights outlined in Article 8 below, is Citterio Fiorentino S.r.l., with registered office in Bergamo, via Antonio Ghislanzoni 41, VAT No. 02187540162. The Data Controller can be contacted by email at cf.info@citteriofiorentino.it.
2. PROCESSING OF PERSONAL DATA OF WEBSITE VISITORS AND USERS
TYPES OF DATA COLLECTED
The website provides informational and, at times, interactive content. While browsing the Site, information about the visitor may be collected in the following ways:
Browsing Data
The computer systems and software procedures responsible for the operation of this website acquire, during their normal use, certain personal data whose transmission is implicit in the use of Internet communication protocols. These are pieces of information that are not collected to be associated with identified individuals but, by their very nature, could, through processing and association with data held by third parties, allow users to be identified. This category of data includes IP addresses or domain names of the computers used by users connecting to the site, URI (Uniform Resource Identifier) addresses of requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response from the server (successful, error, etc.), and other parameters related to the user’s operating system and IT environment. These data are used solely to obtain anonymous statistical information on the use of the site and to check its proper functioning. They are deleted immediately after processing. The data could be used to determine responsibility in the event of hypothetical cyber crimes against the site.
Data Voluntarily Provided by the User
No personal information about visitors to the website is collected or used. The only exception concerns personally identifiable information necessary to process the user’s contact requests and fulfill contractual obligations for service provision. The voluntary, explicit sending of emails to the addresses listed on this site entails the acquisition of the sender’s email address, as well as any other personal data included in the message, necessary to respond to requests.
Forms on the site collect identifying and contact data, voluntarily provided by the user. Failure to provide this information may result in the inability to fulfill the request. The Data Controller will use this information solely to respond to the user’s requests and to provide the requested services.
PURPOSE AND LEGAL BASIS OF PROCESSING
The processing of Users’ personal data is carried out for the following purposes:
a) ensuring access to the Website, navigation, and the use of online services made available in connection with the Website itself;
b) with the User’s prior consent, for information and commercial promotion of the Controller’s services;
c) establishing liability in case of potential cyber crimes against the Website.
The legal basis for processing is:
METHODS, LOCATION, AND DURATION OF PROCESSING
Personal data is processed using IT and/or telematic tools. The processing is carried out with organizational methods and logic strictly related to the purposes indicated.
The Data Controller has implemented technical and organizational measures to provide an adequate level of security and confidentiality for personal data. These measures take into account the state of the art of technology, the costs of implementation, the nature of the data, and the risks associated with its processing. The aim is to protect data from accidental or unlawful destruction or alteration, accidental loss, unauthorized disclosure or access, and other unlawful forms of processing.
Data is processed at the operational offices where the Company is organized and at designated companies duly appointed as Data Processors.
Data processing is carried out for the time strictly necessary to achieve the purposes mentioned above, subject to any retention periods required by law or regulations.
CATEGORIES OF RECIPIENTS TO WHOM DATA MAY BE DISCLOSED
The data collected by the Data Controller will only be shared for the purposes outlined above; we will not share or transfer your personal data to third parties other than those indicated in this Privacy Policy.
In the course of our activities and solely for the same purposes listed in this Policy, your personal data may be shared with the following categories of recipients:
3. PROCESSING OF PERSONAL DATA OF CUSTOMERS USING THE CONTROLLER’S SERVICES
PROCESSING OF DATA PROVIDED BY CUSTOMERS FOR SERVICE PURCHASE AND USE
The Controller collects and processes various personal data from customers to provide the requested services. Without such data, the indicated services cannot be provided.
The legal basis for this processing is the need to fulfill the data subject’s request and the performance of the relevant contract.
The Controller may also process the aforementioned data for direct marketing purposes aimed at its customers, who retain the right to object to such processing at any time and free of charge. If they object, their personal data will no longer be processed for these purposes.
The legal basis for this processing is the legitimate interest of the Data Controller in conducting direct marketing initiatives toward its customers, considering the established relationship with them and ensuring the protection of their fundamental rights and freedoms, including the right to object mentioned above.
The aforementioned data may be processed by the Controller for informational or commercial promotion purposes only if the customer expressly consents.
PROCESSING OF DATA PROVIDED IN THE EVENT OF REPORTS, COMPLAINTS, OR REQUESTS FOR COMPENSATION / REIMBURSEMENT / DAMAGES
If reports, complaints, or requests for compensation/reimbursement/damages related to the provided transportation service are received, the Data Controller processes the personal data provided only if permitted by applicable regulations and solely for the purpose of managing the complaint/request for compensation.
The categories of data subjects and the data being processed are determined by the author of the report, complaint, or request, under their own responsibility. The subsequent processing of personal data by the Data Controller will take place exclusively in compliance with applicable regulations.
The legal basis for such processing is, therefore, the necessity to handle the report, complaint, or request.
PROCESSING METHODS AND RETENTION PERIOD
The personal data covered by this notice are processed both in paper and electronic formats, with the adoption of appropriate measures to ensure their protection. Personal data may be shared, in compliance with applicable regulations and solely for the specified purposes, with public entities for legal obligations or with data processors or joint controllers with whom appropriate agreements are in place.
Personal data processed for legal and contractual obligations will be retained for 10 years; personal data processed for the Data Controller’s legitimate interest will be retained for the time necessary to achieve the intended purposes; processing carried out with the Customer’s consent will continue until consent is withdrawn.
In the event of a dispute with a data subject or a specific request from competent Authorities, personal data may be retained for as long as necessary to protect the Data Controller’s interests or to comply with the Authority’s request.
DATA DISCLOSURE
The collected and processed data may be disclosed exclusively for the specified purposes to entities belonging to the following categories:
- Professionals or service companies used by the Data Controller for service provision;
- Competent authorities, where the Data Controller believes they are legally authorized to do so or if necessary.
4. PROCESSING OF PERSONAL DATA OF JOB APPLICANTS
PURPOSE OF PROCESSING AND NATURE OF DATA
The personal data processed include identification and contact details, as well as any other information contained in the Curriculum Vitae or otherwise provided by the candidate to the Data Controller for the aforementioned purposes.
Additionally, during any subsequent interviews with the candidate for assessing employment possibilities, the Data Controller may collect further relevant information regarding the selection process and the job role in question. If necessary, this may include special categories of data, such as health data relevant to job suitability.
Providing this data is necessary for evaluating the candidate in view of a potential employment relationship with the Data Controller; therefore, refusal to provide data, in whole or in part, may prevent the Data Controller from establishing the employment contract.
LEGAL BASIS FOR PROCESSING
Processing is carried out to fulfill the request for the evaluation of the application, which the data subject expresses, even implicitly, by simply sending their CV and/or cover letter or any other similar communication, for the purpose of a potential employment relationship. The legal basis for processing is, therefore, the execution of pre-contractual measures taken at the request of the candidate.
PROCESSING METHODS AND RETENTION PERIOD
The above-mentioned personal data may be processed by employees or collaborators of the Data Controller, duly trained for this purpose, or by Data Processors duly appointed, in electronic or paper format, in compliance with applicable regulations and internal provisions ensuring confidentiality and protection. Decisions made by the Data Controller will never be based solely on automated processing, as human intervention is essential for candidate evaluation.
The provided personal data will be retained for 24 months from the last submission (e.g., last interview, job application, phone call, or evaluation) or from the completion of the selection process for the specific position the candidate applied for. This is without prejudice to the Data Controller’s right to defend its interests in all appropriate venues, particularly in the case of any pending legal proceedings.
The data will not be transferred outside the European Union. However, should it become necessary, the Data Controller reserves the right to relocate servers to non-EU countries. In such cases, the Data Controller guarantees that data transfer will be carried out in compliance with applicable laws, entering into agreements where necessary to ensure an adequate level of protection.
DATA COMMUNICATION
The data collected and processed may be communicated, exclusively for the purposes specified above, to individuals belonging to the following categories:
- Professionals or service companies engaged by the Data Controller for the provision of services related to human resource management and IT systems;
- Where applicable, medical or forensic studies for the fulfillment of obligations related to physical and aptitude suitability control;
- Competent authorities, when the Data Controller believes it is legally authorized to do so or when necessary.
5. PROCESSING OF PERSONAL DATA OF SUPPLIERS
PREMISE
The Data Controller may process certain personal data concerning the supplier, if a natural person, and/or the employees and collaborators of the supplier (in this second case even if the supplier is a legal entity) for the purpose of entering into and executing contracts with the suppliers.
The Data Controller makes every effort to inform each relevant individual mentioned above about this notice, primarily through the publication of this document on its website. However, it must be noted that communicating this information to all concerned parties, particularly to each employee and collaborator of each of its suppliers from whom personal data is received or collected, would involve an unreasonable effort for the Data Controller or, in some cases, may even be impossible. Therefore, the supplier is responsible for communicating and disseminating this notice to the relevant individuals involved in the processing described above, i.e., to their employees and collaborators (however named, including all natural persons whose data may be communicated to or known by the Data Controller for the purpose of entering into and executing the supply contract) using suitable means.
TYPE OF DATA PROCESSED AND PURPOSES OF PROCESSING
The Data Controller processes certain personal data received or collected for the purpose of stipulating or executing supply contracts for goods, services, or works related to Citterio Fiorentino S.r.l.’s procurement needs. Specifically, this may involve identification and contact data concerning the supplier as a natural person and/or the supplier’s workers and collaborators (whether a natural or legal person), which they may communicate to the Data Controller as part of the normal activities involved in the supply relationships that have been or are intended to be established. If the supplier or their employee visits the Data Controller’s premises, images captured or recorded by the CCTV system in operation at the Data Controller’s locations will also be processed. The processing of these personal data serves the following purposes:
a. concluding the contract and fulfilling the obligations arising from it;
b. fulfilling legal obligations related to the execution of the contract and business operations (e.g., civil, tax, accounting, health and safety regulations);
c. exercising rights in judicial and extrajudicial matters, related to the relationship (e.g., managing potential disputes);
d. selecting and qualifying the supplier;
e. managing physical access and images captured by the CCTV system.
Without these data, it may not be possible to properly establish or execute such contracts. In particular, as access to monitored areas involves the collection, recording, storage, and general use of the individuals’ images, refusal to provide such data would result in the impossibility of allowing the individual to access the Data Controller’s premises.
LEGAL BASIS FOR PROCESSING
The processing of personal data is justified by the following legal bases:
I. Selecting the Supplier, entering into, and executing the contract, for the purposes outlined in the previous point, letters a) and d);
II. Complying with legal obligations to which the Data Controller is subject, for the purposes outlined in the previous point, letter b);
III. Pursuing the legitimate interest of the Data Controller in defending a right in judicial matters in case of potential disputes related to the contract, for the purposes outlined in the previous point, letter c);
IV. Pursuing the legitimate interest of the Data Controller in protecting security and assets, for the purposes outlined in the previous point, letter e).
PROCESSING METHODS AND RETENTION PERIODS
The Data Controller adopts appropriate security measures to prevent unauthorized access, disclosure, modification, or destruction of personal data. Processing is carried out using IT, telematic, and paper tools, with organizational methods and logic strictly related to the purposes outlined.
Data is processed at the operational locations where the Company is organized, and at companies appointed and duly designated as Data Processors. The data will not be transferred outside the European Union. However, should the need arise, the Data Controller has the right to relocate the servers to non-EU countries. In such cases, the Data Controller ensures that the data transfer will comply with applicable laws, and if necessary, agreements will be established to guarantee an adequate level of protection.
The personal data subject to this notice will be retained by the Data Controller for the time necessary to achieve the purposes indicated for its processing and no longer.
In case of disputes with the supplier or any other interested party or a specific request from the competent authorities, personal data may be kept for as long as necessary to protect the Data Controller’s interests or comply with the authorities’ request.
Contact data will be kept for at least the entire duration of the contract; personal data processed for legal obligations will be kept for at least ten years. Images captured by the CCTV system are kept for 72 hours from the moment they are recorded, unless special requirements for further retention arise due to holidays or office closures, or if there is a specific investigative request from judicial or law enforcement authorities. Personal data collected for physical access control (other than CCTV) are kept for six months from the moment the recording was made, unless there is a need for further retention due to office closures or a specific investigative request from judicial or law enforcement authorities.
COMMUNICATION OF DATA
The personal data of suppliers collected may be communicated to companies that provide services related to the purposes of the processing. Personal data may also be shared when required by law and/or government authorities. Except in cases explicitly permitted by law or provided for in this Privacy Policy, personal data will not be communicated or shared without the consent of the interested user.