Dear Data subject,
Pursuant to Art. 13 and 14 of the GDPR, the companies of the Retelit Group indicated below (hereinafter, the "Companies" or "Joint Controllers"), as Data Controllers, inform you that the data relating to your company (hereinafter, the "Customer") and the personal data relating to the individuals acting on its behalf (hereinafter, the "Data"), will be used and stored in compliance with the provisions of the European Regulation for the Protection of Personal Data EU 2016/679 (hereinafter, "GDPR"), the applicable legislation on the protection of personal data, and in accordance with this policy.
It is understood that it is your responsibility to inform the individuals acting on your behalf, of the processing of the Data referred to in this notice and to seek their consent where necessary.
1. Who we are.
The Retelit Group consists of the Holding Retelit S.p.A. and the other Companies listed on the website at the page www.retelit.it/en/legal/legal-notes which, depending on the purposes pursued, may process your Data as Autonomous Data Controller or as Joint Controllers, by issue of the Joint Controller Agreement pursuant to Article 26 of the GDPR, the essential contents of which are available upon your request at the contacts below,Hereinafter, severally the Controllers or jointly the "Joint Controllers" or the "Retelit Group".
More information on the corporate structure of the Retelit Group, as well as contact details, can be found at www.retelit.it .
For any request regarding the processing of Data, it will in any case be possible to contact the Parent Company Retelit, by sending
- a registered letter with return receipt to the registered office
- a PEC to retelit@pec.retelit.com or an e-mail to privacy@retelit.it
2. Data Protection Officer.
The Retelit Group, in order to facilitate the relationship between you and each Data Controller, have designated a Data Protection Officer (DPO) who can be contacted via
- PEC to retelit@pec.retelit.com - c.a. of the Data Protection Officer (DPO);
- e-mail, at dpo@retelit.it.
These contact methods are also made available on the Parent Company Retelit website www.retelit.it where any updates will also be posted.
3. Type of Data and Method of Processing.
In the context of the activities related to the establishment and subsequent management of the contractual relationship with you and/or the organization for which you are a referral, Joint Controllers collect and process the following categories of Data:
- personal and identifying data (e.g., first name, last name, tax code, VAT number, video images);
- Contact information, such as residence or home address, e-mail address, telephone number;
- browsing data (e.g. cookies, IP addresses, parameters related to the operating system and device used by the user);
- Telephone and telematics traffic data;
- company, industry, job role, function;
- bank details (e.g. IBAN code, credit card number, etc.) other information necessary for payment and/or billing purposes (where applicable);
- data related to your consumption habits and preferences, in order to send you targeted offers of products and/or services from the Joint Controllers and/or business partners;
- in general, any other information necessary for the establishment and subsequent execution of the contract or for ancillary and/or functional activities, including Data collected in the context of any creditworthiness checks and fraud prevention.
The Joint Controllers collect the Data:
- at the data subject, through customer care operators, and by other modes of contact, such as, for example, websites and applications on mobile devices such as tablets and smartphones;
- through third parties, such as our business partners, marketing and market research companies, and financial risk centers;
- from public sources, such as freely accessible records, directories and documents (such as financial statements or chamber of commerce visas), as well as from sources such as print and/or digital newspapers, information drawn from telephone directories, websites of public agencies and supervisory and control authorities.
4. Purpose and legal basis of data processing.
Data will be collected, used, and stored:
- To fulfill legal and/or regulatory obligations to which the Joint Controllers are subject, including tax, accounting, administrative obligations, related to the provision of services or sale of their products;
- for the performance of contracts to which the data subject is a party and for the adoption of pre-contractual measures taken at your request;
- for the performance of ordinary pre-contractual activities related and/or instrumental to the establishment of the contractual relationship, such as, but not limited to, creditworthiness, solvency and/or reliability checks, to prevent the risk of possible fraud;
- for the establishment, exercise or defense of a right of the Owners, including in court;
- for carrying out corporate transactions, such as divestitures, acquisitions, mergers, demergers or other organizational transformations;
- to send commercial communications about products and services similar to those already purchased (so-called "soft spam"), without prejudice to the data subject's right to object at any time;
- to send surveys and other "customer satisfaction" activities aimed at detecting the degree of satisfaction and/or improving the quality of service rendered to Customers;
- for the conduct of market research, promotional initiatives and the sending of commercial communications, by the Retelit Group and/or business partners, on their own and third parties' products and services - operating in the field of digital services, infrastructure and ICT - through e-mail, newsletters, sms, MMS, and/or by means of the postal service or telephone calls with operator;
- to carry out profiling activities in order to target promotional offerings and customize marketing activities referred to in the preceding point;
- To carry out analysis of telephone and telematic traffic data, in an anonymous and aggregate manner to improve the technologies and services provided by the Joint Controllers.
The processing of Data for the purposes under a), b) and c), does not require your consent as it is necessary to comply with legal obligations, for the performance of contracts to which you are a party and/or for the adoption of pre-contractual measures taken at your request, pursuant to Art. 6, c. 1, lett. b) and c) of the GDPR.
The processing of Data for the purposes sub d), e), f), g), j) does not require your consent as it is necessary for the pursuit of the legitimate interest of the Companies, pursuant to Art. 6, c. 1, lett. f) of the GDPR.
The processing of Data for the purposes sub (h), (i) requires your consent in accordance with Art. 6, c. 1 (a).
5. Data provision.
The provision of Data for the purposes under a), b) c) constitutes a legal and contractual obligation, respectively: in these cases, failure to provide the Data will result in the impossibility for the Companies to establish and/or continue business relations with you.
The provision of Data for the purpose sub d), e), f), g), k) is optional, but necessary for the pursuit of the legitimate interest of the Companies, without prejudice to your right to object to the processing at any time in the case of special situations that concern you.
The provision of Data for the purposes sub h), i) is optional and failure to provide it will result in the impossibility for the Companies to carry out the functional activities to achieve the purposes in question, without any consequences with reference to the establishment and/or execution of the contract.
With regard to the purpose sub f), it will be possible for the Companies to use the e-mail details you have provided in the context of a previous sale of products and services without prejudice to your ability to object to such processing at any time (initially or on the occasion of subsequent communications), in the manner described in the appropriate section of this policy.
6. Recipients or categories of recipients.
The Data may be made accessible to, brought to the attention of, and/or communicated to the following parties, who may be appointed by the Data Controllers - as appropriate - as data processors, authorized persons, co-processors, or will act as independent data controllers:
- employees or collaborators in any capacity, of the Group Companies;
- Public or private entities, natural or legal persons, which the Companies make use of for the performance of activities instrumental to the pursuit of the above purpose and/or to which the Data Holders are obliged to communicate the Data, by virtue of legal, contractual and/or for commercial promotion purposes, subject to your consent.
In any case, the Data will not be disseminated.
7. Data retention.
The Contractors will process your Data for as long as is strictly necessary to achieve the purposes stated and described in this policy.
Specifically, depending on the purpose of processing, the expected retention periods are as follows:
Pre-contractual activities | Up to 24 months after the collection of the Data |
Fulfillment of legal obligations | Up to 10 years after the termination of the provision of services/products |
Administrative, accounting and tax purposes | Up to 10 years after the termination of the provision of services/products |
Verification of the degree of financial reliability, solvency and fraud prevention | For the duration of the contractual relationship |
Marketing purposes | Until consent is revoked or 24 months after termination of the contractual relationship |
Profiling for marketing purposes | Until consent is revoked or 24 months after termination of the contractual relationship |
Treatment for carrying out direct marketing activities | 24 months after termination of the contractual relationship unless the right to object is exercised in accordance with Article 21(2) and (3) of the GDPR |
Treatment for the management of extrajudicial, judicial and regulatory litigation | For the duration of the contractual relationship, unless extended in the event of any pending litigation with customers and/or users of our Company's websites |
Recording of calls for verification of service quality and training of customer care workers | For 6 months from the acquisition of the recording of the phone call |
Conducting surveys and other "Customer Satisfaction" surveys. | 24 months after termination of the contractual relationship |
Processing of telephone and/or computer traffic data for service billing purposes and/or for dispute of charges | Up to 6 months, unless extended, for litigation management |
Retention of telephone and/or computer traffic data for the purpose of investigating and prosecuting crimes | 12/24/72 months, according to specific legal provisions |
Aggregate profiling of traffic data to improve the quality of services and/or products marketed | For 24 months after termination of the contract relationship, unless the right to object is exercised in accordance with Article 21(2) and (3) of the GDPR |
8. Data Transfer to Third Countries.
The Retelit Group undertake to process and store the Data within the European Union.
Notwithstanding the above, in order to achieve the purposes referred to in paragraph 4, the Data may be transferred to entities established in countries outside the European Economic Area, which provide the Data Holders with services related to the processing activities performed (e.g., technology service providers, cloud, CRM, etc.).
Such a transfer, where appropriate, will take place in compliance with the conditions set forth in the GDPR and will be regulated, depending on the recipients, through the use of the standard contractual clauses adopted by the European Commission or - alternatively - on the basis of an adequacy decision of the Commission and/or any other instrument allowed by the relevant legislation, including adherence to the certification mechanism of the "EU-U.S. Data Privacy Framework."
9. Rights that can be exercised by the Data Subject.
During the period in which the Data Controllers carry out the processing of your Data, you, as a data subject may, at any time, exercise the rights provided for in Articles 15 to 22 of the GDPR:
- Right of Access: You have the right to obtain confirmation as to whether or not processing concerning your Data exists, and, where applicable, the right to receive any information relating to the processing;
- Right to Rectification: You have the right to have your Data rectified if it is incomplete or inaccurate;
- Right to be Forgotten: in certain circumstances, You have the right to obtain the deletion of Your Data, if it is not relevant to the continuation of the contractual relationship and/or necessary to fulfill a legal obligation to which the Joint Controllers are subject and/or for the establishment, exercise and/or defense of a right in court;
- Right to restriction of processing: You have the right to obtain the restriction of processing concerning your Data, in the cases provided for in Article 18 of the GDPR;
- Right to portability: You have the right to receive personal data about you in a structured, commonly used, machine-readable format and request its transmission to another data controller, if technically feasible.
- Right to object to processing carried out on the basis of legitimate interest: You have the right to object, at any time, for reasons related to your particular situation, to the processing of your Data, if based on the lawful condition of legitimate interest, unless there are legitimate reasons for the Joint Controllers to continue the processing, which override the interests, rights and freedoms of the data subject, such as the establishment, exercise or defense of a right in court.
- Revocation of consent in relation to the processing carried out for marketing purposes: You have the right to revoke at any time any consent you may have given to the processing of Data for the purposes h) i), by clicking the appropriate link at the bottom of the e-mails with promotional content by sending specific request to privacy@retelit.it or - where available - by accessing the Customer Area, using the appropriate function.
10. Right to file a complaint with the Guarantor.
You have the right to file a complaint with the Guarantor if you believe that your rights under the GDPR have been violated, in the manner indicated on the Guarantor's website to the link below - www.garanteprivacy.it and www.dsb.gv.at/Eingabeformular-online/Eingabeformular-online.html (to Austria).
11. Final Provisions.
The Retelit Group reserve the right to amend and/or update this policy also on the basis of developments in applicable data protection legislation, as well as in the face of any changes in the corporate structure of the Group.
The updated version of the disclosure can always be found on the Group Company's website at www.retelit.it.