Pursuant to Article 13 of Regulation (EU) 2016/679
This privacy notice is provided by COLORIFICIO FERRARIS S.R.L. (in the person of its legal representative pro tempore) as Data Controller of personal data, pursuant to Article 13 of Regulation (EU) 2016/679 (“GDPR”), regarding personal data collected from its customers. The purpose of this notice is to ensure transparency about how the company collects, uses, protects, and manages personal data in the context of commercial and contractual activities. The data provided will be processed in full compliance with the principles of lawfulness, fairness, transparency, and confidentiality, with the aim of managing contractual relationships, fulfilling legal obligations, and improving operational efficiency.
DATA CONTROLLER
The Data Controller is COLORIFICIO FERRARIS S.R.L., with registered office at Via Ambrogio Mozzi 55, 24030 – Mozzo (BG), Italy, Tax Code and VAT No. 01547200160.
CATEGORIES OF PERSONAL DATA PROCESSED
– Personal and identification data (name, surname, identity document, place and date of birth, domicile, residence, images, etc.);
– Contact details (phone number, email address, certified email (PEC), business email address, etc.);
– Tax and banking data (payment details, billing information, etc.);
– Order-related data (to manage orders and provide after-sales support).
The personal data processed pertains to natural persons, as well as natural persons acting on behalf of legal entities (e.g., owners, employees, and collaborators).
PURPOSES OF PROCESSING AND LEGAL BASIS
The personal data provided by you will be processed for purposes strictly related and instrumental to the management of customer and supplier relationships, for the execution of pre-contractual and/or contractual obligations, as well as for compliance with legal and regulatory obligations imposed by law.
Specifically, your personal data may be processed in the following cases:
a) Conclusion, management, and execution of a contract to which you are a party, or implementation of pre-contractual measures taken at your request;
b) Compliance with specific legal obligations related to civil, administrative, tax, and accounting regulations, as well as the implementation of laws, regulations, or EU provisions;
c) Pursuit of one or more legitimate interests of the Data Controller (interest in concluding, managing, and executing contracts; interest in protecting its rights arising from said contracts, etc.);
d) Commercial information activities via email to the email address provided at the time of sale and/or service, regarding similar products and/or services to those subject to the sale (so-called Soft Spam);
e) Sending newsletters to inform customers or potential customers about offers, discounts, promotions, and commercial updates.
The legal basis for processing data under point A) is found in Article 6(1)(b) GDPR, as “processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures taken at the request of the data subject.” The legal basis for processing data under point B) is found in Article 6(1)(c) GDPR, as “processing is necessary for compliance with a legal obligation to which the data controller is subject.” The legal basis for processing data under point C) is found in Article 6(1)(f) GDPR, as “processing is necessary for the purposes of the legitimate interests pursued by the data controller.” For activities under point D) (Soft Spam), the legal basis is Article 130(4) of the Italian Privacy Code (Legislative Decree 196/2003, as amended by Legislative Decree 101/2018) and the Guidelines of the Italian Data Protection Authority on promotional activities and spam prevention dated July 4, 2013. Soft spam involves sporadic and occasional communications, not constituting direct marketing, and therefore does not require the data subject’s consent. However, the data subject retains the right to object at any time by sending a formal request to [email protected] or via PEC to [email protected]. For point E), the legal basis is Article 6(1)(a) GDPR, which requires the data subject’s consent, expressed via an opt-in checkbox on the company’s e-commerce website.
For the purposes outlined in points A), B), and C), the provision of personal data is mandatory as required by laws, regulations, or EU provisions. Failure to provide such data, or providing incomplete data, will make it impossible to execute the contractual relationship or properly comply with legal and contractual obligations. The Data Controller ensures that data is processed in a manner that guarantees appropriate security, including protection through adequate technical and organizational measures, against unauthorized or unlawful processing and accidental loss, destruction, or damage (pursuant to Article 5(1)(f) GDPR – Integrity and Confidentiality).
Furthermore, all personal data is processed in compliance with the principle of data minimization, as provided by Article 5(1)(c) GDPR, and will not be disseminated.
DATA PROCESSING METHODS
Personal data is processed, under the authority of the Data Controller, by specifically authorized and instructed personnel in accordance with Article 29 GDPR, using electronic and/or paper-based means, strictly related to the purposes outlined, ensuring data confidentiality and security as per Article 32 GDPR. Processing may also be carried out, on behalf of the Data Controller, by Data Processors designated pursuant to Article 28 GDPR. An updated list of authorized personnel and external Data Processors is kept at the Data Controller’s headquarters and is available upon request.
DISCLOSURE OF PERSONAL DATA
Personal data collected for the above purposes may be disclosed, within the scope of their specific competencies, to public and private entities to properly execute the contractual relationship or comply with legal obligations. Examples include: Tax authorities and other public entities, when required by law; Credit institutions and banks, for payment transactions or other financial activities related to contract execution; The Italian Revenue Agency; Specialized agencies or law firms, for debt recovery or protection of the Data Controller’s interests/rights.
DATA TRANSFER OUTSIDE THE EU
Processing takes place within the European Union, ensuring compliance with current data protection laws. If the company relies on service providers or Data Processors using tools or services (such as servers or cloud platforms) located outside the EU, the Data Controller will verify that such transfers comply with Articles 44 et seq. GDPR.
DATA RETENTION
Personal data is retained only for the time strictly necessary to achieve the processing purposes and within the limits set by law. Specifically, accounting and tax records are kept for 10 years in compliance with Article 2220 of the Italian Civil Code.
DATA SUBJECT RIGHTS
Data subjects may exercise their rights under Articles 15-22 GDPR, including: Accessing their data (Article 15 GDPR); Rectifying inaccurate data (Article 16 GDPR); Erasing data where no legal basis for processing exists (Article 17 GDPR); Restricting processing (Article 18 GDPR); Data portability (Article 20 GDPR); Objecting to processing (Article 21 GDPR); Not being subject to automated decisions (Article 22 GDPR).
Requests should be sent to [email protected] or via PEC to [email protected].
CHANGES TO THIS PRIVACY NOTICE
This notice may be subject to updates due to legal or regulatory changes. The Data Controller will inform the data subjects of any changes where necessary.