EMS Group S.P.A. – Via Galileo Galilei n.29, 42027 – Montecchio Emilia RE – VAT no: 01137820351 (“Data Controller” or “Controller“) constantly strives to protect the online privacy of individuals while browsing the website https://emsgroup.com/ (hereinafter “Portal“) and all related internet pages.
This document describes every aspect related to the processing of Personal Data operated towards users/visitors and users of the services of this website (hereinafter “Data Subjects“) in accordance with the provisions of Art. 13 of the EU Regulation No. 2016/679 (hereinafter “Regulation“).
1. Data controller
The Data Controller is EMS Group S.P.A. – Via Galileo Galilei n.29, 42027 Montecchio Emilia (RE), VAT No: 01137820351, as defined above and can be contacted as indicated in the “Contacts” section (see art. 11).
2. Processed data
a) Navigation data: The computer systems and software procedures responsible for the operation of this Portal acquire, in the course of their normal operation, some personal data, for example:
• IP addresses;
• URI (Uniform Resource Identifier) notation addresses of the requested resources, the time of the request, the method used in submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.);
• other parameters related to the operating system (e.g. browser user-agent string in the http request) and the user’s computing environment, the transmission of which is implicit in the use of Internet communication protocols.
This information is not collected to be associated with identified data subjects, but which by their very nature could, through processing and association with data held by third parties, allow users to be identified.
This data is used for the sole purpose of obtaining anonymous statistical information on the use of the Portal and to monitor its proper functioning, to identify anomalies and/or abuses. Except in cases where the data are used to ascertain liability in case of hypothetical computer crimes against the Portal or third parties, such data do not persist for more than seven days.
c) Data voluntarily provided by the user: the following personal data are provided by the user through special forms in the different sections of the Portal:
• Contact form: First name*, Surname*, Company, Reason for contact*, Sector, E-mail*, Telephone*, Country*, Message* (Any personal information, including special categories of personal data formerly art. 9 GDPR, voluntarily communicated by the data subjects through the Message sent via the contact form. With reference to these hypotheses, the Data Controller urges the Data Subject to never enter information, except in cases of absolute necessity, which may fall under the special categories of personal data referred to in Art. 9 of the Regulation “ […] personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data intended to uniquely identify a natural person, data concerning a person’s health or sexual life or sexual orientation”. In case of communication by the data subject of particular categories of personal data ex art. 9 GDPR, sending the message containing such information will be equated with explicit consent to the processing of personal data formerly art. 6 (1)(a) -9 (2)(a).
• Work with us: First name*, Surname*, E-mail*, Telephone*, Curriculum Vitae*.
3. Purpose of the processing
The Data Controller uses the Personal Data referred to in the preceding paragraph in pursuit of the following purposes:
a) Evaluate and respond to any questions, complaints, applications and pre-contractual requests submitted by the user through the appropriate forms in the different sections of the Portal (“Service Provision“);
b) Prevent fraud committed through the use of the Portal and the Services offered by the Owner and allow the Owner to protect itself in court (“Abuse/Fraud“);
c) Monitor user interactions with Portal content, understand how to improve services and evolve them, and perform market analysis (“Statistics“);
d) Send the user commercial communications, concerning services/products of the Owner corresponding and/or related to those previously purchased, via e-mail and other traditional communication systems (sms, telephone) (“Soft Spam“);
e) Send the user commercial communications, concerning services, products, promotions and future events of the Owner via e-mail and other traditional communication systems (sms, telephone) (“Marketing“);
f) User profiling by autonomous third parties aimed at retargeting and presenting personalized advertisements while browsing the web (“Profiling“).
4. Legal basis and nature of the provision of Personal Data
The legal bases used by the Data Controller to process your personal data for the purposes stated in Art. 3 above are as follows:
• Service provision: the processing of data for this purpose (Art. 3.a) is based on Art. 6 (1) (b) of the Regulation (“[…] processing is necessary for the performance of a contract to which the data subject is part of or for the performance of pre-contractual measures taken at the request of the data subject”). The provision of the Personal Data necessary for the performance of this purpose is optional, but in the absence of such provision, it will not be possible to deliver the Services provided through the Portal or to respond to questions, complaints, applications and pre-contractual requests from the user;
• Abuse/fraud: the processing of data for this purpose (Art. 3.b) is based on Art. 6 (1) (f) of the Regulations (“[…] processing is necessary for the purposes of pursuing the legitimate interests of the data controller or a third party”); the Personal Data collected for this purpose will be used to prevent and/or detect any fraudulent activity or abuse in the use of the Portal and allow the Data Controller to protect itself in court;
• Statistics: processing for this purpose (art. 3(c) is based on Art. 6(1)(a) of the Regulations (“[…] the data subject has given consent to the processing of his or her personal data for one or more specific purposes”). The provision of Personal Data for this purpose is, therefore, entirely optional and does not affect the use of the Portal services. If, in any case, you wish to object to the processing of your data for statistical purposes and withdraw your consent, you may do so at any time by changing your choices through the Portal’s cookie preference selection form;
• Soft Spam: processing for this purpose (Art. 3.d) is based on Art. 6(1)(f) of the Regulation (“[…] processing is necessary for the purposes of pursuing the legitimate interests of the data controller or a third party, provided that the interests or the fundamental rights and freedoms of the data subject which require the protection of personal data are not overridden, in particular where the data subject is a child”);
• Marketing: processing for this purpose (art. 3 e) is based on Art. 6(1)(a) of the Regulations (“[…] the data subject has given consent to the processing of his or her personal data for one or more specific purposes”). The provision of Personal Data for this purpose is, therefore, entirely optional and does not affect the use of the Portal services. If, in any case, you wish to object to the processing of your data for the purpose of marketing and revoke your consent, you may do so at any time by sending a communication to the Data Controller at the references indicated under “Contact Us” (see Art. 11);
• Profiling: processing for this purpose (art. 3 f) is based on Art. 6(1)(a) of the Regulations (“[…] the data subject has given consent to the processing of his or her personal data for one or more specific purposes”). The provision of Personal Data for this purpose is, therefore, entirely optional and does not affect the use of the Services. If, in any case, you wish to object to the processing of your data for profiling purposes and withdraw your consent, you may do so at any time by changing your choices through the Portal’s cookie preference selection form.
5. Method of processing
The processing is carried out manually and/or automatically, including through the use of computer and telematic technologies (e.g. CRM, management software and email marketing services), subject to the application of appropriate technical and organizational security measures to ensure security, integrity and confidentiality, so as to minimize the risks of destruction or loss, unauthorized access, modification and unauthorized disclosure in accordance with the procedures set out in Art. 6, 32 of the GDPR.
6. Transfer of data outside the EU
The Controller does not intend to transfer Personal Data outside the European Economic Area. If, however, in order to meet organizational/productive needs, the need should arise (e.g. sharing of data with other companies controlled by the Data Controller and/or part of the same group, use of cloud services, etc.), guarantee measures will be adopted for the transfer of Personal Data to a third country, which depending on the case may be: verification of the existence of adequacy decisions of the European Commission, signing of standard contractual clauses and/or binding corporate rules, verification of the adoption of any additional measures in transposition of EDPB Recommendation 01/2020.
7. Period of data retention
The Data Controller retains Personal Data only for as long as necessary for the pursuit of the stated purposes, i.e., as long as required by specific regulations.
• Personal Data processed for Service Provision purposes will be kept for a period not exceeding 10 years;
• Personal Data processed for Marketing and Soft Spam purposes will be kept for a period not exceeding 5 years, i.e. until the data subject objects to the processing.
• Resumes submitted by applicants through the dedicated “Work with Us” section will be kept for a period of 2 years.
• This is without prejudice, in any case, to the possibility for the Data Controller to retain Personal Data for the period of time provided for and permitted by Italian law to protect its interests (Art. 2946 and 2947 c1, c.3 c.c.).
After the retention periods identified above have elapsed, Personal Data will be deleted or anonymized, unless held for further purposes under appropriate legal bases.
8. Data recipients
The Personal Data collected by the Data Controller may be disclosed or made accessible, for the performance of the above purposes, to the following categories of individuals:
• Employees and collaborators who assist the Data Controller in processing operations, subject to express authorization and signing of appropriate confidentiality agreement;
• Individuals who provide out sourcing services on behalf of the Data Controller, acting as Data Processors: cloud-based IT service providers, freelancers, companies or professional firms providing assistance and consulting services to the Data Controller, or individuals delegated to perform hosting and technical maintenance and upkeep, including maintenance of software, network equipment and electronic communication networks;
• Autonomous data controllers performing Personal Data processing operations on the Portal in pursuit of their own purposes (third-party profiling for retargeting purposes during web browsing).
• Public authorities, where such disclosure is required by law.
9. Rights of the data subject
At any time, the Data Subject may access the information concerning him or her and request that it be updated, corrected and supplemented, as well as deleted, anonymized, blocked, and portability. You may also object in whole or in part to the processing.
To exercise the rights under Articles 15-22 of the GDPR, the Data Subject may contact the Data Controller in the ways indicated in the “Contact Us” section (see Art. 11). The Data Controller is required within 1 month to give a response to the request, or to notify any delay in response in the case of numerous and/or complex requests (however, the extension may not exceed 2 months). In any case, the Data Subject always has the right to lodge a complaint with the competent Supervisory Authority (Data Protection Authority), pursuant to Art. 77 of the Regulations, if it considers that the processing of its Personal Data is contrary to the applicable legislation.
For more information about the processing on Personal Data operated in the execution of the contract, or to make a request to exercise rights, you can contact the Data Controller at the e-mail address: email@example.com