PRIVACY POLICY

Under the terms and for the purposes of Articles 13 and 14 of Regulation 2016/679 EU (hereinafter also referred to as “GDPR”), this document details the methods for processing the personal data of users who visit and use the services contained in the website of Laghezza S.p.A. (hereinafter also referred to as “LAGHEZZA” or “Owner”) accessible by electronic means at the following address: www.laghezza.com

This information does not concern other sites, pages or online services that can be reached through hypertext links that may be published on the site but related to resources other than this domain.

MAIN DEFINITIONS AND LEGAL REFERENCES

Personal data

Any information relating to an identified or identifiable physical person (‘data subject’); an identifiable physical person is one who can be identified, directly or indirectly, by reference in particular to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.

Special categories of personal data

This includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data intended to uniquely identify a physical person, data concerning a person’s health or sexual life or sexual orientation, and judicial data.

Usage data

Any information collected automatically by the sites or third party applications that the sites use, such as IP addresses or the domain names of the computers used by the Interested Party/User that connects, addresses in URI (Uniform Resource Identifier) notation, the method used to submit the request to the server, the size of the file obtained in response, the number code indicating the status of the response from the server, the country of origin, the characteristics of the browser and operating system used by the visitor, the time stamps of the visit and the details of the navigation route followed within the site, with particular reference to the sequence of pages viewed, the parameters relating to the operating system and the computer environment of the user.

Data subject

The physical person to whom the Personal Data refers. In the case of site navigation, the individual who uses the site and who must coincide with the Data Subject (or person authorised by him/her) and whose Personal Data is being processed.

User

The individual using this website who, unless otherwise specified, corresponds to the Data Subject.

Processing Any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, deletion or destruction.

Controller

The physical or legal person, public authority, service or other body which alone or jointly with others establishes the purposes and means of personal data processing; where the purposes and means of such processing are defined by Union or Member State laws, the Data Controller or the specific criteria applicable to its designation may be established by Union or Member State legislation.

Data Protection Officer (DPO)

The physical or legal person who informs and advises the Data Controller on the processing of personal data, oversees compliance with the GDPR, advises on the impact assessment (DPIA), cooperates and acts as a point of contact with the Data Protection Authority.

Processor

The physical or legal person, public authority, service or other body that processes personal data on behalf of the Data Controller.

Recipient

The physical or legal person, public authority, service or other body receiving communication relating to personal data, whether a third party or not. However, public authorities that may receive communication of personal data in the context of a specific investigation in accordance with Union or Member State laws are not considered recipients. The processing of these data by such public authorities complies with the applicable data protection rules relating to the purposes of the processing.

Website and Data Base

The computer tool in which the Data Subjects’ Personal Data are also collected.

Cookies Small portion of data stored in the data subject’s device.

Legal references

Legislative Decree 196/2003 as amended and supplemented and EU Regulation 2016/679 (GDPR).

Changes to the Privacy policy

The Data Controller retains the right to make changes to this Privacy policy at any time. Users are therefore invited to consult the page frequently, paying attention to the revision date at the end of the page.

Further information on the processing of Personal Data

Further information relating to the processing of Personal Data may be requested at any time from the Data Controller using the contact details. Requests will be processed within 30 days.

DATA CONTROLLER

The Data Controller is Laghezza S.p.A., Viale San Bartolomeo, 103, 19126 La Spezia (SP) Italy. E-mail address of the Data Controller: privacy@laghezza.com

TYPES OF DATA PROCESSED

As a result of visiting and using the website, data relating to identified or identifiable physical persons may be processed.

Full details on each type of data collected are provided in the dedicated sections of this Privacy policy or by means of specific information texts displayed prior to the collection of such data.

Personal Data may be freely provided by the User or, in the case of User Data, automatically collected when using this site.

Among the Personal Data collected by this website, either independently or through third parties, are: Cookie; Usage Data; first name; last name; e-mail. The potential use of Cookies – or of other tracking tools – by this website or by the owners of third party services used by this site, unless otherwise specified, is intended to provide the service requested by the User, in addition to the further purposes described in this document and in the Cookies Policy.

The User takes responsibility for the Personal Data of third parties obtained, published or shared through this site and guarantees that he/she has the right to communicate or disseminate them, freeing the Owner from any liability towards third parties.

Based on the above, the collected Data can be divided into two broad categories:

· Usage data

The IT systems and software procedures used to operate this site acquire, as part of their standard operation, some Personal Data, the transmission of which is implicit in the use of Internet communication protocols.

This category of data includes the IP addresses or domain names of the computers and terminals employed by users, the addresses in URI/URL (Uniform Resource Identifier/Locator) notation of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user’s operating system and computer network. This information is captured by means of cookies, small text files that websites transmit to the device used by the user (PC, smartphone, tablet).

Surfing data will be stored, in an anonymised form, for statistical purposes.

· Data provided by the User

These are the Personal Data voluntarily provided by the User.

There are 4 sections on the site that require data to be entered by the User:

1. “Newsletter” section;

2. “Work with us” section;

3. “Private area” section;

4. “Whistleblowing” section.

The submission of Data for the purposes required to use the services on the site is compulsory and failure to provide even a part of the Data expressly indicated as compulsory will make it impossible to use the services.

Where this site indicates some Data as being optional, Users are free to withhold such Data, without this having any consequence on the availability of the service or its operation.

Users who wish to obtain further clarification on which Data are mandatory are invited to contact the Data Controller using the contact details provided.

The User assumes responsibility for third parties’ Personal Data obtained, published or shared through this website and guarantees that he/she has the right to communicate or disseminate it, releasing the Data Controller from any liability towards third parties.

LAGHEZZA reserves the right to interrupt the delivery of its services in the event that the data provided by users proves to be untrue, when illegal uses of the site by users are detected or when access credentials are revoked.

The section dedicated to the whistleblowing service is managed through the TeamSystem Whistleblowing platform.

PURPOSE, LAWFULNESS OF PROCESSING AND DURABILITY OF DATA PROCESSING

The Personal Data collected by Laghezza S.p.A. through its website are needed to:

· Site navigation; user

· Use of the services provided by the site;

· Collection of statistic information on the use of services (most visited pages, number of visitors per time slot or per day, geographical areas of origin, etc.);

· Newsletter subscription;

· Staff selection;

· Use of the reserved area;

· Fulfilment of legal obligations.

The legal grounds for processing, under Art. 6 of EU Regulation 2016/679, are:

1. for the data required for the operation of the site: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child;

2. for the data processed to subscribe to the Newsletter service: consent;

3. for the data provided by Users for services in the reserved area and in the “Work with us” section: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

4. for the data required for any processing and communications imposed by the Law: processing is necessary for compliance with a legal obligation to which the controller is subject;

5. for data processed for reporting purposes, the fulfilment of a legal obligation imposed by Community or Member State law and, more specifically, a legal obligation intended to establish internal control procedures in well-defined sectors.

Processing is carried out for the time required to pursue the purposes for which the personal data are collected.

Notably:

a) data used for contractual purposes are processed for 10 years, unless longer legal storage periods apply;

b) data processed for staff recruitment are stored for 1 year after selection.

c) data processed for whistleblowing reports are stored for 5 years.

Users/concerned parties may request more information on the storage terms for the different categories of processed data by following the procedure indicated in the ‘Rights of the data subjects’ section of this notice.

METHOD OF TREATMENT

Personal data collected via this website are processed in accordance with the EU Regulation 2016/679 and the Italian Legislative Decree no. 196/2003 and subsequent amendments and additions.

Personal data are processed by the Data Controller and by the staff authorised by the Data Controller, in compliance with the principles of lawfulness, correctness and transparency.

The staff at LAGHEZZA will manage and archive the Personal Data collected through the use of the site and its various features, which can be activated at the user’s request, using automated and/or paper-based tools, only for the time needed to achieve the purposes for which they were collected or voluntarily communicated by the User.

The Data are processed at the registered office and operational headquarters of the Data Controller and in any other place where the parties involved in the processing are located.

Access to certain areas of the site involves redirecting to other sites and/or platforms where one can manage paperwork, bills, audits, invoices and customs readiness and report offences.

For more information on these sites and platforms, the user should refer to the relevant information notices.

DATA PROCESSORS AND RECIPIENTS

The data collected via the site referring to Laghezza S.p.A. may also be communicated to other service companies for technical and IT purposes (hosting companies, project managers, programmers, system and database administrators, etc.) or to suppliers whose activities are connected, instrumental or supportive to those of LAGHEZZA (e.g. suppliers of recruiting services, business partners and consultants).

In this case, the suppliers will be appointed as Data Processors in compliance with article 28 of the GDPR.

Users/concerned parties may request access to the list of data processors by following the procedure indicated in the “Rights of data subjects” section of this notice.

The Data Controller, by reason of legal or regulatory requirements, may be under an obligation to disclose the data to other physical or legal entities, public authority, service or any other body.

RIGHTS OF DATA SUBJECTS

At any time, the Data Subject may exercise, in accordance with Articles 15 to 22 of the GDPR, the right to:

· request from the Data Controller access to personal data, obtain information on the purposes of the data processing, their categories, the recipients or categories of recipients to whom the personal data have been or will be communicated and, where possible, the storage period;

· request the correction or deletion of the data and the limitations of the processing;

· exercise the right to data portability, object to processing, object to automated decision-making concerning physical persons, including profiling;

· revoke consent, at any time, without prejudice to the lawfulness of the processing based on the consent given before its revocation;

· lodge a complaint with the Data Protection Authority (garante@gdpr.it or protocollo@pec.gdpr.it).

· The User / Interested Party may exercise his/her rights by registered mail addressed to the Data Controller or by electronic communication sent to privacy@laghezza.com.

All communications made by the interested party for the protection of his/her rights or for requesting information on the processing of personal data carried out by Laghezza S.p.A. must state the subject “Exercise of the rights of the interested party”.

The request will be processed within 30 days.

Last updated 11.12.2023