Orastron Website — Privacy Notice ex Artt. 13-14 Reg. EU 2016/679 (“GDPR”) — January 2023

Premises

In compliance with EU Reg. 2016/679, Italian Legislative Decree 196/2003, and related regulations, in order to correctly manage the contractual relationship, Orastron srl unipersonale (Data Controller) may process your personal data (if concerning a legal person, also in relation to natural persons who are workers or similar positions in the other Party) for the purposes and in the manner specified below.

PurposesLegal basis and consequences in case of refusalRetention period
a) agreement and performance of the contractual and pre-contractual relationship, with related administrative and accounting purposes, including possible double opt-in verification process; included are nickname, avatar, comments and any other information/content you are allowed to publish on the Websiteperformance of a contract, in case of refusal it will not be possible to agree and perform the contractup to three months after the termination of the contractual relationship or the pre-contractual requests; about avatar, nickname, comments, and any other information you published on the Website, they shall not be deleted after the contractual termination unless for compelling reasons (e.g., law infringement)
b) compliance with laws or regulations, including for administrative and accounting purposes relating to contractual performance (e.g., compliance with copyright to be recognised as an author)regulatory obligation, in case of refusal the penalties provided for by the law will apply, so there will be no contractual relationshipup to the duration foreseen by the applicable laws
c) establishment, exercise, or defence of legal claimslegitimate interest pursued by the Data Controller, considered overridden pursuant to Article 21 GDPRfor a maximum of 10 years pursuant to art. 2946 of the Italian Civil Code or up to the maximum prescription term
d) IT security and networks securitylegitimate interest pursued by the Data Controller, considered overridden pursuant to Recital 49 GDPRfor a maximum of 6 months unless further use for rights’ protection
e) reproduction and usage of the image and/or the voice and/or the name (if applicable)explicit consent, in case of refusal it will not be possible to have a contractual relationshipfor the entire duration of the contents exploitation incorporating the image and/or the voice and/or the name, except for the possible withdraw of the consent
f) marketing online communication via e-mail, newsletter, etc., about Orastron business activity and productsconsent, in case of refusal it will not be possible to receive marketing communicationsfor a maximum of 24 months, unless consent withdraw; in case of newsletter, until consent withdraw

A) Processing Methods

In general, the processing will be carried out using hardcopy, IT, telematic, or other telecommunications systems, in order to guarantee the security and confidentiality of the data, as well as full compliance with the law.

Data Categories: common data (excluding special data — e.g., health data — or relating to criminal convictions and offences; if you provide any kind of not requested data, the Controller shall not process them except deletion); possibly (if required by Controller website feature, as avatar or nickname) also the image, the nickname, and your comments/texts/contents as provided by you.

Data Sources: the data subject (you).

B) Data Recipients

The data will not be disclosed but may be communicated to recipients of data processor or separate controllers or joint-controllers, in particular:

  1. in case of payment, to the banking or payment services which are used for payment transactions, as well as to their operating employees, for administrative and accounting management of the contract/report, and for the checks concerning the payments performance purposes only;
  2. to companies and professional advisors or consultants or services of Data Controller carrying out its business activities, in particular lawyers, tax and employment advisors, auditors, shippers, IT and security consultants, IT and application service providers (also for cloud storage and e-mail; for the cloud and e-mail services our provider is Serverplan srl società unipersonale, with headquarters in Italy);
  3. to any contractors and subcontractors for the contractual performance, as well as the contractors who collaborate with the Data Controller for contractual duties;
  4. to public bodies or legal authorities if imposed by applicable regulations or following a request by the authority itself;
  5. in case of image/avatar, nickname, comments and any other similar information/content you may provide and publish on the Website, they may be disseminated and disclosed to any Internet users or registered Website users, case by case as previously alerted/notified by the Controller on the Website.

Unless otherwise indicated, the recipients will not be established outside the European Community or in any case in countries that not ensure an appropriate level of protection. The data will not be transferred or processed outside the European Community or any other place deemed not appropriated; in case of extra-UE data transfer, they shall comply with articles 45-49 GDPR; if appropriate safeguards are applied, e.g., standard contractual clauses, they may be completed by supplementary measures.

C) Third-Party Data

If you are a natural person, what is provided here applies to the processing of your personal data. In case of third parties data provided by you, you warrant that these natural persons have been made aware of this notice, delivering it to them in durable medium and collecting the relative consent (if due), holding harmless the Data Controller from any third party liability or claim.

D) Rights Pursuant to Articles 15-22 GDPR

You can exercise the following rights at any time:

  1. the right to request access to personal data to Data Controller, requesting confirmation of their existence as well as the rectification or erasure or the restriction (temporary) of processing that concerns the data;
  2. THE RIGHT TO OBJECT AT ANY TIME TO PROCESSING FOR REASONS CONNECTED WITH HIS/HER/ITS PARTICULAR SITUATION IN THE EVENT OF: I) NECESSARY PROCESSING FOR THE EXECUTION OF A TASK CARRIED OUT FOR REASONS OF PUBLIC INTEREST OR II) LEGITIMATE INTEREST;
  3. in case of given consent for one or more specific purposes, the right to withdraw this consent(s) at any time;
  4. the right to data portability (if the legal basis is contractual performing or consent) by request to the Data Controller, by means of communication of a file in .CSV format, or similar interoperable open format, or in the format originally used by you, depending on the kind of data;
  5. the right to lodge a complaint with the following Supervisory Authority: Garante per la Protezione dei Dati Personali (https://www.garanteprivacy.it/) if in Italy; in any case, the right to alternatively lodge a complaint with the competent data protection authority of the Member State where the data subject habitually residence, place of work, or the place where the alleged infringement.

The processing takes place by automated means which do not determine the profiling of the data subjects.

E) Data Controller

Orastron srl unipersonale, registered office in Via Pasquale Voso, 20/D — 84043 Agropoli (SA), Italy, VAT ID IT05975760652, e-mail: info@orastron.com.