Privacy policy



Pursuant to and for the purposes of (i) Legislative Decree No. 196 of June 30, 2003, the "Privacy Code," (ii) EU Regulation 2016/679 on "the protection of individuals with regard to the processing of personal data and on the free movement of such data," the "GDPR," Articles 13 and 14, and (iii) Legislative Decree Aug. 10, 2018, no. 101 laying down provisions for the adaptation of national legislation to the EU Regulation 2016/679, rules also jointly referred to as the "Privacy Legislation," there are a number of obligations on those who carry out the processing - "the collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison, interconnection, restriction, deletion or destruction" - of personal data referring to other subjects (hereinafter the "Processing").
CASTELLI Spa with registered office in Via Dante Alighieri, 12 - 24060 San Paolo D'Argon (BG) wishes to inform you, in the following sections, about the methods and purposes of the Processing of personal data concerning you. 
A. Data Controller.
The Data Controller is the entity that determines the purposes and means of Personal Data Processing (the "Data Controller") and is identified in the Company, in the person of the Legal Representative.
The Data Controller may be contacted by paper mail at the address of the registered/operating office: Via Dante Alighieri, 12 - 24060 San Paolo D'Argon (BG)
or by e-mail at the following address:
B. Data Protection Officer
The Data Protection Officer (the "Officer") is the person who assists the Data Controller in the performance of its duties. The Data Protection Officer is Lawyer Gianpiero Zingari, who can be contacted by paper mail at the following address: Milan, Via Santa Sofia n. 77 - 20122, or at the following address:
C. Method of collecting the data of the Data Subject.
The Data Controller may come into possession of your data in the following circumstances:
a. in case of a contact request forwarded through the Company's website, by e-mail or by telephone, in order to request information about the services and products provided by the Company;

b. in case of purchase of a product and/or service provided by the Company, including pre-contractual negotiations;

c. where you provide your data in order to receive commercial communications, newsletters and/or to be updated on events organized and marketing initiatives undertaken by the Company;

d. where the Controller's business partners legitimately transfer your personal data to the Controller;

e. where the Controller acquires your personal data from other sources in compliance with the applicable legislation and the requirements of Article 14 of the GDPR (e.g., public registers, lists, acts or documents that are knowable by anyone within the limits and under the conditions established by the rules on their knowability).
D. Categories of Data Subject to Processing
The data processed by the Data Controller may include:
a. data related to natural persons, necessary for the conclusion and execution of the contractual/commercial relationship with customers/suppliers, such as data concerning the customer/supplier itself or those of the customer/supplier's legal representative who signs the contract in the name and on behalf of the latter or of the customer/supplier's internal company contact persons (e.g. name, surname, telephone number, e-mail address, bank details), involved in various capacities in the activities referred to in the main contractual/commercial relationship, as well as any other information necessary for the execution of the relationship and/or the provision of the service(s);

b. information related to how you use the Company's website, open or forward communications received from the Company, including information collected through cookies and other tracking technologies.

E. Purpose and legal basis of the Processing
Pursuant to the Privacy Regulations, the Processing of personal data must be legitimized by one of several legal prerequisites set forth in Article 6 of the GDPR. These prerequisites are expressly stated below for each purpose according to which the Controller performs the Processing of your data:
a. Management of the contractual/commercial relationship: the Controller may process the Data in order to respond to your requests, i.e. to comply with requirements prior to the stipulation as well as to execute the contract. Legal basis for processing: in order to execute the contract to which you are a party or pre-contractual measures taken at your request (Art. 6 par. 1 letter b of the GDPR). Data retention policy: the Data provided to us as part of your request or for the mere formalization of an estimate will be retained for a maximum time of five years. Data processed to execute the relationship may be retained for the entire duration of the relationship as well as for ten years thereafter beginning at the end of the fiscal year following the fiscal year to which it pertains.
b. Fulfillment of legally binding obligations: the Data Controller processes Data in order to fulfill any civil, administrative, fiscal, accounting obligation required by law (e.g., regarding health and safety in the workplace ex D.Lgs. 81/2008), by a regulation, by European legislation or by an order of the Authority and arising from the relationship(s) with you. Legal basis for processing: to execute the relationship to which you are a party (art. 6 par. 1 lett. b of the GDPR), to fulfill a legal obligation to which the Controller is subject (art. 6 par. 1 lett. c of the GDPR). Data Retention Policy: the Data may be retained for as long as necessary to fulfill the legal obligations and, in any case, for the entire duration of the contract as well as for ten years thereafter, starting at the end of the fiscal year following the fiscal year to which it pertains.
c. Defense in court for the Data Controller's rights: where the obligation arises, the Data Controller will provide information concerning you to the Authorities and bodies in charge of law enforcement, regulations and judicial acts, as well as to third parties in litigation. The Data Controller reserves the right to process the Data to prevent possible risks and fraud, as well as to defend its rights arising from the contract in judicial or extrajudicial proceedings, including for the purpose of possible credit recovery, either directly or through third parties (credit recovery agencies/companies) to whom they will only be communicated for this purpose. Legal basis of the processing: for the pursuit of a legitimate interest of the Data Controller consisting in preventing possible fraud or defending its own right or making any claim arising from its business relationship with you, unless your interests or fundamental rights prevail (Art. 6 par. 1 lett. f of the GDPR). Data Retention Policy: the Data may be retained for the period of time necessary for the purpose of enabling the Company to act or defend against any claims made against you or third parties.
d. Carrying out promotional and marketing activities: your Data, collected in the context of the sale of a product and/or service or even through the Company's website, may be processed in order to send you commercial/promotional communications - via automated contact methods (such as e-mail, sms or mms) and/or traditional methods (such as paper mail) relating to the services offered by the Company - and/or invitations to company events, as well as for the carrying out of market studies, statistical analyses and satisfaction surveys. At the time of collection and at the time of sending each communication, you will be informed of the possibility to object to the Processing at any time, easily and free of charge. For purely promotional purposes of the Company, the Controller, with your explicit consent, may collect and proceed to the publication of your image in any medium or dissemination on the company website, social channels or in commercial catalogs as well as in any other form or medium of transmission, existing or future invention. Legal basis of the processing: consent given by you as a Data Subject to the Processing (art. 6 par. 1 lett. a of the GDPR). Data Retention Policy: the Data processed for marketing purposes may be retained until your freely expressed consent is revoked. Revocation of consent does not affect the lawfulness of the processing based on the consent before revocation.

If the Data Controller intends to process Your Data for purposes other than those described above, it is required to inform You of such additional purposes prior to the completion of the Processing(s).
F. Nature of the provision of Data
The provision of Data for the purposes set forth in (a), (b), (c) is mandatory as it is required for the fulfillment of legal and contractual obligations. Any refusal to provide them or any subsequent lack of authorization to their Processing may result in the impossibility of the Data Controller to carry out the existing contractual relationships.
On the other hand, the provision of Data for the purpose referred to in letter d) is optional and failure to provide them or failure to authorize their Processing will result in the impossibility of carrying out the activities indicated therein.
G. Modalities of Data Processing.
In relation to the purposes indicated above, the Company performs the Data Processing, in compliance with the security measures set forth in Article 32 of the GDPR by means of manual, computerized and telematic tools, suitable for storing, managing and transmitting the Data themselves, solely in order to pursue the purposes for which they were collected and, in any case, in such a way as to guarantee their security and confidentiality, as well as compliance with the principles of correctness, lawfulness, transparency.
The Data Controller does not carry out Processing that consists of automated decision-making processes on the Data processed.
H. Scope of communication of the Data
Your Data may be made accessible to:

Employees and collaborators of the Data Controller in their capacity as authorized persons and/or delegates of the Processing and/or system administrators;

External third parties who - on behalf of the Data Controller - perform outsourcing activities for support, administrative, accounting, tax purposes or for purposes related to the management of the supply relationship or legal protection;

Supervisory Bodies, Judicial Authorities as well as all Institutional Bodies to which the communication is mandatory by law for the fulfillment of the said purposes.

I. Transfer of Data to a third country or international organization.
Personal Data are processed within the European Union and stored on servers located there. It is in any case understood that the Data Controller, should it become necessary, will be entitled to transmit such Data to a third country or international organization and/or move the servers also outside the EU. In this case, the Data Controller assures as of now that the transfer of the Data outside the EU will take place in accordance with the applicable legal provisions, set forth in Art. 44 et seq. of the GDPR, and in particular with the adoption of the guarantees set forth in Art. 46 of the GDPR. This point should state what safeguards the Data Controller intends to adopt, the means of obtaining a copy of those safeguards, and the place where they have been made available.
L. Rights of the data subject
Finally, the Company informs you that under the Privacy Regulations (Articles 15-22 of the GDPR), you may exercise specific rights at any time, and in particular you may request from the Data Controller:
access to the Personal Data and information concerning you;
without undue delay, the rectification of inaccurate Personal Data, as well as the integration of incomplete Personal Data, including by providing a supplementary declaration;
taking into account the purposes of the processing, the integration of incomplete Personal Data;
the deletion of your Personal Data if (i) it is no longer necessary for the pursuit of the purposes for which it was collected or otherwise processed, (ii) if you revoke the consent legitimately given and there is no other basis justifying the Processing, (iii) if you have objected to the Processing pursuant to and in accordance with Article 21 of the GDPR, (iv) where the Personal Data has been processed unlawfully, or (v) for cases where the deletion is necessary to comply with a legal obligation;
the restriction of Processing to only Personal Data concerning you under the conditions set forth in Article 18 of the GDPR;

Where the Processing is based on Your consent or contract and is carried out by automated means, You have the right to receive in a structured, commonly used and machine-readable format the Data, as well as to transmit it to another Data Controller without hindrance. If technically feasible, You have the right to obtain direct transmission from the Data Controller to another Data Controller.
This right does not apply if the Processing is necessary for the performance of a task of public interest or is connected with the exercise of public powers vested in the Data Controller.

The above rights may not be exercised in the cases referred to in Article 2-undecies of the Privacy Code.

In the event that you believe that the Processing concerning you violates the Privacy Regulations or that the Data Controller has not complied with its obligations related to the exercise of the aforementioned rights, you have the right, pursuant to Article 77 of the GDPR, to lodge a complaint with the Supervisory Authority located in the Member State where you normally reside or work, or with the one located in the place where the alleged violation occurred. This is without prejudice to any other administrative or judicial remedy.
If you would like more information about the Processing of Data and to exercise the rights set forth above, you may send a written request using the contact information provided in the "Data Controller and Data Processor" section of this Policy. In the event of a request from you for information regarding your Data, the Data Controller will respond as soon as possible - unless this proves impossible or involves a disproportionate effort - and in any case no later than thirty days from the request. Any inability or delay on the part of the Data Controller in fulfilling requests will be adequately justified.