Information on the processing of personal data

Pursuant to art. 13 D. Lgs n. 196/2003 of Italian Privacy code and of art. 13 and 14 of EU regulation n. 2016/679GDPR.

The data controller is the society Karma Italiana S.r.l., owner of RIDEM brand. The Data Controller, pursuant to art. 13 Legislative Decree n. 196/2003 (hereinafter, for the sake of brevity, the Privacy Code) and art. 13/ 14 of the EU Regulation n. 2016/679 (hereinafter, for the sake of brevity, GDPR) has prepared this Privacy Notice in compliance with the above provisions with a view to guaranteeing the protection of the Personal Data of each interested party. The legal basis of the processing will be his consent, freely given and revocable at any time, or the execution of a contract or the law itself. In this regard, the Data Controller informs you that your data will be processed in the following ways and for the following purposes:

1) General information
The Data Controller is the natural or legal person who, individually or together with others, determines the purposes and means of the processing of personal data; The data processor is the natural or legal person who processes personal data on behalf of the data controller.
Data Controller and Data Processor (TRTO): Karma Italiana Srl with registered office in Via Guido Gozzano 38 bis - 21052 Busto Arsizio (VA);Data Protection Officer (DPO): No Data Protection Officer has been formally appointed as the treatments carried out by the Data Controller do not present specific large-scale risks for the rights and freedoms of the data subjects.

2) Object of the treatment

The Data Controller, by reason of its activity, acquires and processes the personal identification data (hereinafter "personal data" or "data") communicated by the customer during the contact and / or relationship established with the Data Controller on an entirely voluntary basis. Pursuant to the GDPR, "personal data" means any information concerning an identified or identifiable natural person ("interested", ie the customer), for example: name, surname, company name, address, telephone, e-mail, certified e-mail , bank and payment references. The Data Controller does not process sensitive or judicial data.

3) Purposes of the treatment

3.1 Pursuant to art. 13 of the GDPR, we inform you that the data you provide will be processed, even without your express consent (based on Article 6, letter b) to f) inclusive), with the aim of:- management and execution of specific pre-contractual and contractual obligations, in particular for the conclusion of the supply contracts as well as for the performance of organizational tasks related to the provision of services and / or products and the planning of the Company's activities;
- fulfillment of the obligations established by the law, also of fiscal nature, by a regulation, by community legislation or by an order of the Authority, and / or of any other nature in any case related to the purposes of the Company;
- exercise of any public interest tasks by the Data Controller, such as the indication of possible crimes or threats to public security and the consequent transmission of relevant personal data to the competent authority.

3.2 Furthermore, we inform you that the data you provide will be processed by virtue of your consent, given with the signing of this information, with the aim of:
- send information and / or advertising material on products or services offered by the Data Controller, also relating to the organization of events, training courses, special promotions, market research, questionnaires;
- commercial communications via email, post and / or sms and / or telephone contacts, with possible registration of personal data in the contact database;
- communication of data to parent companies, subsidiaries and / or associated companies for the performance of contractual activities;
- periodic information on administrative, fiscal and management topics dealt with by our Company and of a generic information nature. Added to this is the completion of the operations necessary for the performance of ordinary administrative and fiscal activities. We inform you that, if you are already a customer of the Company, commercial communications relating to the services and products of the Data Controller may be sent to you unless you expressly dissent. The Personal Data processed are collected:
- from Customers who have filled in the necessary personal information, personally or through the Authorized Reseller from whom they purchased our products and services;
- directly from the interested party;
- remotely, through direct and indirect collection, also through one's own collaborators;
-from public registers, lists, deeds or documents that can be known by anyone, in respect of the limits and procedures that the laws, regulations or community legislation establish for the knowledge and disclosure of the data.

4) Customer obligation to provide personal data

Within the scope of the processing of Personal Data, we inform you that you are obliged to provide all the Personal Data required for the purpose of accepting and executing the contractual obligations related to this Information, as well as the data that we are required by law to collect, for the purposes specified in point 3.1. The provision of data instead for the purposes referred to in point 3.2 is optional: you can therefore revoke your consent to the processing of personal data already provided at any time, for the purposes described in point 3.2, without any prejudice. Your data will also be processed, compulsorily, for the purposes provided for by the current anti-money laundering legislation (Legislative Decree 231/2007 and subsequent amendments).

5) Processing methods

Personal Data are subjected to both paper and electronic and / or automated processing, by means of the operations referred to in Art. 4 point 2) GDPR and more precisely: collection, registration, organization, structuring, storage, adaptation or modification, extraction, selection, consultation, processing, communication, transmission, comparison, use, interconnection, cancellation and destruction of data.

6) Data retention and security measures

The data controller and the data processor have implemented technical and organizational measures aimed at guaranteeing a level of security adequate to the risk of destruction, loss, modification, unauthorized disclosure or access, accidentally or illegally, of the Personal Data processed. Among other things, these measures include:
- the ability to ensure the confidentiality, integrity, availability of processing systems and services on a permanent basis;
- the ability to promptly restore the availability and access of personal data in the event of a physical or technical accident;
- a procedure to test, verify and regularly evaluate the effectiveness of technical and organizational measures in order to ensure the security of the processing. In this perspective, the data controller and the data processor, even if different subjects, have instructed their employees / collaborators authorized to process Personal Data. The Data Controller will process your personal data for the time necessary to fulfill the aforementioned purposes and will keep them for a period of time not exceeding that necessary for the purposes for which they were collected or subsequently processed. The following subjects will be authorized to process and access your personal data for the purposes referred to in Art. 3:
- employees and collaborators of the Data Controller, in their capacity as persons in charge of processing and / or internal data processors and / or system administrators;
- third-party companies that carry out instrumental activities on behalf of the Company or other subjects, such as, for example, credit institutions, professional firms, consultants, insurance companies, etc., in their capacity as external data processors. in particular:
- external consultants for the supply of specific services and / or products offered;
- service companies to which specific management related to contractual obligations have been entrusted;
- companies of the same group or affiliates to which the Data Controller belongs, for administrative and / or accounting purposes.

7) Data communication and disclosure

Your Personal Data may be disclosed, for the purposes referred to in Art. 3 point 3.1, to Supervisory Bodies, Inspection Bodies, Judicial Authorities, Insurance Companies, as well as to those subjects to whom the communication is mandatory by law; these subjects will process the data as independent data controllers. Your data will not be published, displayed or made available and / or consulted to indeterminate subjects, nor transferred abroad. Your personal data processed by the persons in charge and the data processor may be communicated and transferred to group and / or affiliated companies pursuant to art. 43 of Legislative Decree. n. 196/2003 and art. 44 of Regulation (EU) 2016/679, for administrative / accounting purposes. In this circumstance, the Data Controller will adopt contractual guarantees signed with the company receiving the data in order to ensure data protection corresponding to the European regulatory provisions.

8) Data transfer

Personal data is processed in Italy. The Data Controller ensures from now on that in the event of data transfer to other countries, even outside the EU, all the relevant legal provisions will be observed.

9) The rights of the data subject (right of access, right of rectification and cancellation, "right to be forgotten")

You may at any time exercise, in the presence of the legal requirements, the rights enshrined in Article 15 et seq. of the GDPR, and more precisely:
- access their personal data, through a copy provided by the owner of the data being processed, with the right to have it transmitted directly to another owner;
-be informed on the origin of the data, the purpose of their processing, on any recipients or categories of recipients to whom the personal data have been or will be communicated, in particular if recipients of third countries or international organizations, on the duration of the period of storage;
- rectify and update your data, obtain their transformation into anonymous form, block or delete them if they are no longer necessary or have been processed illegally and have the confirmation that, of these operations, the owner has given notice to all those subjects to whom your data had been communicated or disseminated, unless this fulfillment is impossible or involves the use of manifestly disproportionate means;
- limit the processing of personal data concerning you and oppose, only in cases of law, the processing. In case of processing of your data for direct marketing purposes, both with automated and traditional methods, your right remains to choose how you wish to receive the aforementioned communications;
- lodge a complaint with the Guarantor Authority.

10) How to exercise your rights

You may, at any time, exercise your rights by writing to the e-mail address or by sending a registered letter to the headquarters of the Data Controller indicated in point 1.