INFORMATION NOTICE PURSUANT TO ARTICLE 13 OF THE REGULATION (EU) 2016/679 (“GDPR”)
Forvet S.p.A. provides you with the information requested by Art. 13 of the GDPR concerning the processing of data subjects’ personal information collected by filling in the contact form.
1) Who the “data controller” of the personal data processing is (that is, who decides the purpose and means of processing) and how it can be contacted
Data controller is Forvet S.p.A., with registered office in Str. Piossasco, 46, 10040, Volvera (TO, Italy), VAT 0616984001, e-mail firstname.lastname@example.org (hereinafter, “Forvet”).
2) How the “data protection officer” (“DPO”) can be contacted
The DPO can be contacted at email email@example.com.
3) Data processing purposes, legal basis and data retention
What is the data processing purpose?
The data you provide when filling in the contact form will be processed in order to reply, by e-mail or telephone, to your contact/information requests.
What is the legal basis of the data processing?
The processing is necessary to fulfil specific requests of the data subject. The legal basis of the processing is therefore the performance of a contract to which the data subject is party.
How long do we keep the data?
This data will be processed as long as necessary to respond to requests, up to a maximum of 24 months.
Once the above data retention terms have expired, data will be destroyed or anonymized, compatibly with the technical procedures of erasure and backup.
4) Provision of personal data
Pursuant to Article 13(2)(e) of GDPR, the provision of personal data marked with an asterisk is necessary; therefore, any refusal to provide them will make it impossible to process your contact request.
5) Who the categories of recipients are
Data are processed by the controllers’ employees – responsible for carrying out the activities outlined above – expressly authorized and instructed to process the data.
The data are also processed by third parties who provide Forvet with services instrumental to the purposes indicated in this information notice, designated by Forvet as data processors pursuant to art. 28.3 of the GDPR, giving them appropriate instructions, such as the group companies, suppliers (e.g. the company that manages the website, the supplier of the management software used by Forvet in its business processes Oracle Italia S.p.A. and the company that supplies the CRM software saleforce.com EMEA Limited, with registered office in the UK) and agents.
Data may be disclosed to entities acting as controllers, such as supervisory authorities legally authorized to access to data and professional firms.
6) Data transfer outside EU
Data may be transferred to countries outside the European Union (EU) or the European Economic Area (EEA) not been deemed adequate by the European Commission. In such cases, the “transfer tools” referred to in Article 46 of the GDPR (such as standard contractual clauses or binding corporate rules “BCR”) will be used, assessing the possible provision of “supplementary measures” to ensure a level of protection essentially equivalent to that guaranteed within the EU.
Salesforce.com has adopted the BCR for Processors to legitimize the transfer of personal data outside the European Union to companies within its group that process such data on behalf of data controllers established in a member state as data processors and/or sub-processors.
Salesforce’s Processor Binding Corporate Rules are available at the following link https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/misc/Salesforce-Processor-BCR.pdf.
For further information, please see the following links https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/Agreements/EU-Data-Transfer-Mechanisms-FAQ.pdf e https://help.salesforce.com/articleView?id=000314281&type=1&mode=1 (“Where is my Salesforce instance located?”).
As indicated at the following link, https://www.oracle.com/ie/legal/privacy/services-privacy-policy.html, in order to perform the aforementioned purpose, Oracle Italia S.p.A. may transfer data to its affiliates or third parties (data processors) located in countries outside EU and EEA. In this regard, Oracle Italia S.p.A. has adopted the Binding Corporate Rules (“BCR”) for Processors to legitimize the transfer of personal data to group companies which process them on behalf of data controllers established in a member state as processors and/or sub-processors, available at the following link https://www.oracle.com/it/a/ocom/docs/corporate/bcr-privacy-code-051719.pdf.
7) Data subjects’ rights
You may exercise your rights under Articles 15 to 22 of GDPR. In particular, you have the right:
- request access the data concerning the information under article 15 (purposes of processing, categories of personal data, etc.)
- to obtain the erasure of data in the cases provided for by Article 17 GDPR if the Company no longer has the right to process them1;
- to obtain the rectification of inaccurate data or the right to have incomplete personal data completed;
- to obtain restriction of processing (i.e., the temporary subjecting of data to the storage operation only) in the cases provided for by Article 18 GDPR2;
- to object at any time, easily and free of charge, on grounds relating to the particular situation, to the processing of data carried out in the legitimate interest of the controller;
- where the processing is based on consent or contract and is carried out by automated means, to receive the data in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
In order to exercise your rights, you can contact Forvet by sending a written communication or to address indicated above an e-mail to firstname.lastname@example.org.
Data subjects shall have the right to lodge a complaint with the competent supervisory authority in the Member State of his or her habitual residence, place of work or place of the alleged infringement.
1 The data subject shall have the right to obtain from the controller the erasure of personal data in the following cases:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
- the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
- the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
2 The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.