Privacy Notice on the Processing of Personal Data

EXTENDED INFORMATION PURSUANT TO ARTICLES 12, 13 AND, WHERE APPLICABLE, 14 OF THE GDPR – REGULATION (EU) 2016/679 ON THE PROTECTION OF NATURAL PERSONS WITH REGARD TO THE PROCESSING OF PERSONAL DATA (HEREINAFTER, THE “GDPR”).

The data controller provides below the Privacy Notice pursuant to Articles 12, 13 and, where applicable, 14 of the GDPR concerning the processing of personal data supplied by the Customer/data subject by completing and signing the Contract to purchase the products/services offered for sale by the data controller, by voluntarily uploading personal data to this website (in particular through the completion of forms), or simply by browsing it.

1. Data Controller and Contact Details

The data controller is SIROKI OFTALMICA SRL, registered office in TRIESTE (TS) – 34122, VIA DANTE ALIGHIERI 14, VAT No. 00918300328, tel. +39 040636487, e-mail AMMINISTRAZIONE@SIROKI.IT, website https://www.sirokitrieste.it/ (hereinafter, the “Site”).

2. Principles Applicable to Processing

In accordance with the GDPR, the data controller constantly endeavours to ensure that personal data are:

  1. processed lawfully, fairly and in a transparent manner;
  2. collected for specified, explicit and legitimate purposes and subsequently processed in a manner that is not incompatible with those purposes;
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  4. accurate and, where necessary, kept up to date;
  5. kept for no longer than is necessary for the purposes for which they are processed;
  6. processed, by means of appropriate technical and organisational measures, in a manner that ensures their security;
  7. processed, where based on consent, pursuant to a freely given decision by the Customer/data subject, on the basis of a request presented in a manner clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language.

The data controller adopts appropriate technical and organisational measures to ensure data protection by design and to guarantee that, by default, only the personal data necessary for each specific processing purpose are processed.
The data controller collects, and gives the utmost consideration to, the indications, comments and opinions that the Customer/data subject sends to the above contact details, with a view to implementing a dynamic privacy management system that ensures effective protection of individuals with regard to the processing of their data.
This Notice may be amended in line with the evolution of the applicable regulations and the technical and organisational measures adopted by the data controller from time to time; the Customer/data subject is therefore requested to visit this section of the Site periodically to review updates and the Notice as in force from time to time.

3. Methods of Processing Personal Data

Personal data are processed manually and by electronic means, according to logics strictly related to the purposes indicated below and, in any event, in a way that ensures the security and confidentiality of the data.

4. Purposes of Processing Personal Data

(4a) Purposes for Which Processing Is Necessary

The personal data provided by the Customer/data subject are primarily processed for the performance of the Contract and credit management and, more generally, for managing the relationship arising from the Contract itself.
The provision of data in the Contract or thereafter during the contractual relationship for the aforementioned processing purposes is mandatory; accordingly, failure to provide, partial provision or inaccurate provision of such data makes it impossible to enter into and/or perform the Contract and, for the Customer/data subject, to use the products/services offered by the data controller, potentially exposing the Customer/data subject to liability for contractual breach.
The personal data provided by the Customer/data subject may also be processed where necessary to comply with a legal obligation to which the data controller is subject, to safeguard the vital interests of the Customer/data subject or of another natural person, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller, or for the purposes of the legitimate interests pursued by the data controller or by third parties, provided that the interests or fundamental rights and freedoms of the Customer/data subject do not prevail; in these cases too, the provision of data is mandatory and, therefore, failure to provide, partial provision or inaccurate communication of data may expose the Customer/data subject to any liabilities and penalties provided for by the legal system.

(4b) Additional Processing Purposes Following the Specific and Express Consent of the Customer/Data Subject

In addition to the processing purposes referred to above, the personal data provided/acquired may, subject to the Customer/data subject’s consent—expressed by ticking the “Give consent” box in the Contract or on the Site (or using other social or web applications of the data controller)—also be processed for conducting market surveys and for sending commercial and promotional communications, by telephone (including using the mobile number provided) and by automated contact systems (e-mail, SMS, MMS, fax, etc.), concerning products/services of the data controller or of companies belonging to any Group of which the data controller may be a member.
Consent for the processing purposes referred to in this point (4b) is optional; therefore, if consent is refused, the data will be processed solely for the purposes indicated in point (4a) above, without prejudice to what is specified below with reference to the legitimate interests of the data controller or of third parties.

5. Categories of Personal Data Processed

The data controller mainly processes identification/contact data (first name, last name, addresses, type and number of identity documents, telephone numbers, e-mail addresses, tax/billing data, among others) and, where commercial transactions are envisaged, financial data (banking data—specifically current account identifiers, credit card numbers—among other data connected to the aforesaid transactions).
The processing carried out by the data controller, both for the performance of the Contract and on the basis of the Customer/data subject’s express consent, generally does not concern special categories of personal data (so-called “sensitive” data revealing racial or ethnic origin, political opinions, religious beliefs, health status or sexual orientation, etc.), nor genetic and biometric data or so-called judicial data (relating to criminal convictions and offences).
However, it cannot be ruled out that, in order to fulfil the obligations arising from the Contract, the data controller may have to store and/or need to process sensitive, genetic and biometric or judicial data of the Customer/data subject or of third parties in respect of which the Customer/data subject acts as data controller; in such a case, the processing by the data controller takes place by virtue of, and under the conditions and within the limits set out in, the Customer/data subject’s appointment of the same data controller as data processor.
The data controller also processes so-called browsing data, as data controller with reference to the Site and, where so appointed by the Customer/data subject as described above, as data processor. The computer systems and software procedures used to operate websites acquire, in the course of their normal operation, certain personal data whose transmission is implicit in the use of internet communication protocols. This information is not collected in order to be associated with identified individuals, but by its very nature could allow data subjects to be identified, in particular when processed and combined with data held by third parties. This category of information includes geolocation data, IP addresses, browser type, operating system, domain name and addresses of the websites from which access was made to or exit from the Site, information on the pages visited by users within the Site, access times, time spent on individual pages, internal path analysis and other parameters relating to the user’s operating system and IT environment.
The Site may also use cookies, both session cookies (which are held only in the browser’s memory and are deleted when the browser is closed) and persistent cookies (which remain on the data subject’s device until their expiry date or until they are deleted), for the transmission of personal information, as well as other systems for tracking data subjects.

6. Source of Personal Data

The personal data processed by the data controller are collected directly by the data controller from the Customer/data subject at the time of, and during, the latter’s browsing on the Site (or the use of other social or web applications of the data controller), or also through its sales representatives upon or after the signing of the Contract, during its performance, or from public sources.
As specified above, in its capacity as data processor appointed for that purpose, in order to fulfil the obligations arising from the Contract the data controller may store and/or process third-party data—particularly browsing data, potentially including sensitive, genetic and biometric or judicial data—in respect of which the Customer/data subject acts as data controller, acquired, with the prior consent of such third parties, at the time of and during their browsing on the Site (or when using other social or web applications referable to the data controller).

7. Legitimate Interests

The legitimate interests of the data controller or of third parties may constitute a valid legal basis for processing, provided that the interests or fundamental rights and freedoms of the data subject do not prevail. In general, such a legitimate interest may exist where there is a relevant and appropriate relationship between the data controller and the data subject, for example where the data subject is a customer of the data controller. In particular, the data controller has a legitimate interest in processing the Customer/data subject’s personal data for fraud prevention purposes, for direct marketing purposes, to ensure the free flow of such data within the corporate Group to which the data controller may belong, and to process traffic data in order to ensure network and information security, meaning the ability of a network or information system to withstand unexpected events or unlawful acts that could compromise the availability, authenticity, integrity and confidentiality of the data.

8. Circulation of Personal Data

(8a) Disclosure of Personal Data – Categories of Recipients

In addition to employees and collaborators of the data controller in various capacities (who are authorised by the data controller to process data on the basis of appropriate written operating instructions in order to ensure the confidentiality and security of the data), certain processing operations may also be carried out by third parties to whom the data controller entrusts certain activities, or parts thereof, functional to the purposes referred to in point (4a), thus both in performance of contractual obligations and legal obligations, including, by way of example and necessarily not exhaustive: commercial and/or technical partners; companies providing banking and financial services; companies providing document archiving services; debt collection agencies; auditing and statutory certification firms; rating agencies; entities providing professional assistance and consultancy to the data controller; customer care companies; factoring companies, securitisers of receivables or otherwise assignees of receivables; companies belonging to the Group to which the data controller may belong; commercial information providers; IT service companies. The entities in the aforementioned categories process personal data as independent data controllers or as data processors with reference to specific processing operations that fall within the contractual services those entities perform for/in the interest of the data controller; the data controller issues appropriate written operating instructions to the data processors, with particular reference to the adoption of minimum security measures, in order to ensure the confidentiality and security of the data.
Certain processing operations may be carried out by third parties to whom the data controller entrusts certain activities, or parts thereof, also for the purposes referred to in point (4b), including, by way of example and necessarily not exhaustive: commercial and/or technical partners; companies that institutionally provide marketing services; advertising agencies; entities providing assistance and consultancy in relation to prize contests and promotions. The entities in the aforementioned categories process personal data as independent data controllers or as data processors with reference to specific processing operations that fall within the contractual services they perform for/in the interest of the data controller; the data controller issues appropriate written operating instructions to the data processors, with particular reference to the adoption of minimum security measures, in order to ensure the confidentiality and security of the data.
A list—subject to periodic update—of the data processors with whom the data controller maintains relationships is available upon written request sent to the data controller’s registered office.
Personal data may also be disclosed, upon request, to the competent authorities in compliance with obligations arising from mandatory legal provisions.

(8b) Transfer of Personal Data to Third Countries

The Customer/data subject’s personal data may also be transferred abroad, both to countries within the European Union and to countries outside the European Union and, in the latter case, either on the basis of an adequacy decision or within the framework of and subject to the appropriate safeguards provided by the GDPR (thus, in particular, where standard contractual clauses approved by the European Commission are in place), or, outside the aforementioned cases, by relying on one or more of the derogations provided by the GDPR (in particular, on the basis of the Customer/data subject’s explicit consent, or for the performance of the Contract concluded by the Customer/data subject, or for the performance of a contract concluded between the data controller and another natural or legal person for the benefit of the Customer/data subject, specifically for the performance of activities entrusted to that person by the data controller in order to perform the Contract concluded with the Customer/data subject). In the event of data transfers to countries outside the European Union, the Customer/data subject may, upon written request sent to the data controller’s registered office, obtain information on the appropriate safeguards, or the derogations, that legitimise the cross-border processing. It is understood that in the event of data transfers to countries outside the European Union, for any data-related request, including the exercise of the rights granted by the GDPR to the Customer/data subject, the latter may always validly contact the data controller.

9. Criteria for Determining the Personal Data Retention Period

For the purposes referred to in point (4a) above, the personal data provided by the Customer/data subject are retained, and may consequently be processed, for a period coinciding with the limitation period of the rights and obligations (legal, tax, etc.) arising from the Contract, typically 10 years; this is without prejudice to any event interrupting the limitation period, which may in fact extend the retention period.
For the purposes referred to in point (4b) above, the retention period of the data provided by the Customer/data subject, and their consequent potential processing, ends upon withdrawal of the consent previously given by the Customer/data subject or, failing that, in any case one year after the termination of any relationship between the data controller and the Customer/data subject.

10. Rights of the Customer/Data Subject

The data controller recognises—and facilitates the exercise by the Customer/data subject of—all the rights provided by the GDPR, in particular the right to request access to their personal data and obtain a copy thereof (Art. 15 GDPR), rectification (Art. 16 GDPR) and erasure (Art. 17 GDPR), restriction of processing concerning them (Art. 18 GDPR), data portability (Art. 20 GDPR, where applicable), the right to object to processing concerning them (Art. 21 GDPR, in the cases mentioned therein and, in particular, to processing for direct marketing purposes) and the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them (Art. 22 GDPR, where applicable).
The data controller also recognises the Customer/data subject’s right, where processing is based on consent, to withdraw such consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. To do so, the Customer/data subject may unsubscribe at any time on the Site (or on other social or web applications of the data controller) or by using the appropriate link at the bottom of each commercial communication received, or by contacting the data controller at the contact details indicated above.

The data controller also informs the Customer/data subject of the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali), as the supervisory authority operating in Italy, and to bring legal proceedings, both against a decision of the Authority and against the data controller and/or a data processor.

11. Security of Systems and Personal Data

Taking into account the state of the art and the costs of implementation, as well as the nature, scope, context and purposes of processing, and the risk, in terms of likelihood and severity, to the rights and freedoms of natural persons, the data controller adopts technical and organisational measures deemed appropriate to ensure a level of security appropriate to the risk, in particular by ensuring, on an ongoing basis, the confidentiality, integrity, availability and resilience of processing systems and services (including by encrypting personal data where necessary) and the ability to restore the availability of and access to data in a timely manner in the event of a physical or technical incident, and by adopting internal procedures for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures employed.
In assessing the appropriate level of security, account is taken of the risks presented by processing, in particular from the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, whether accidental or unlawful.
The data controller endeavours to ensure that anyone acting under its authority and having access to personal data does not process such data unless instructed to do so by the data controller.
That said, the Customer/data subject acknowledges and accepts that no security system can guarantee absolute protection with certainty; therefore, the data controller is not liable for acts or events of third parties who unlawfully, despite the appropriate safeguards adopted, access the systems without the necessary authorisations.

12. Automated Decision-Making, Including Profiling

The data controller may carry out automated processing, including profiling, in relation to the purposes referred to in point (4b) above, in order to optimise the navigability of the Site (or the usability of other social or web applications of the data controller) and to improve the purchasing experience, without prejudice to what is specified above regarding the Customer/data subject’s rights to object and to withdraw consent.
Profiling means any form of automated processing of personal data intended to evaluate certain aspects relating to a natural person, in particular to analyse or predict aspects concerning, for example, that person’s personal preferences, interests or location, including for the purpose of creating profiles, i.e., homogeneous groups of subjects by characteristics, interests or behaviours.
The data controller does not carry out any automated processing that produces legal effects concerning the Customer/data subject or similarly significantly affects them, unless this is necessary for entering into or performing the Contract, is authorised by law, or is based on the Customer/data subject’s explicit consent, in all cases recognising the latter’s right to obtain human intervention, to express their point of view and to contest the decision.