The LFE Group is a group composed of the following companies in a relationship of joint data control, pursuant to Article 26 of EU Regulation 2016/679 (hereinafter referred to as GDPR):
LFE HOLDINGS SRL with registered office in Granarolo dell’Emilia (BO), via Don Minzoni 28-30-32, 40057 Frazione Cadriano;
OLEOBI SRL with registered office in Granarolo dell’Emilia (BO), via Don Minzoni 28, 30, 32, 40057 Frazione Cadriano;
SACE SRL with registered office in Sasso Marconi (BO), via Cartiera 154, 40037 Frazione Borgonuovo;
PK SRL with registered office in Castel Maggiore (BO), Via Lirone, 60/C, 40013;
EBI MOTION CONTROLS SRL with registered office in Granarolo dell’Emilia (BO), via Andrea Costa 11/2, 40057, Frazione Cadriano
LFE HOLDINGS SRL, OLEOBI SRL, PK SRL, SACE SRL and EBI MOTION CONTROLS SRL are joint data controllers according to Article 26 of EU Regulation 2016/679 (GDPR) as they jointly determine the purposes and means of processing personal data of which each company is the independent controller.
As for the websites, this policy is applied to the websites which, where present, refer to each company.
2. ROLES IN THE FIELD OF PRIVACY
2.1. The Joint Data Controllers identify a Data Protection Committee, that is a mutual privacy board (Privacy Committee) responsible for the assessment and preparation of the interventions to be carried out in relation to the obligations deriving from the GDPR and from the national legislation in force on the subject, in order to control compliance. The Privacy Committee acts as a contact point for the data subjects for all matters relating to the processing of personal data and the exercise of their rights, as well as a contact point for the Control Authority for matters related to data processing.
2.2. Each Joint Data Controller appoints the data processors and those authorised to process data as well as system administrators from among the people who work within its organisational structure and under its liability.
2.3. Each Joint Data Controller can grant external parties who provide sufficient guarantees to implement adequate technical and organisational measures and for which the processing of data as external Processors is used for data processing or even for portions thereof. , by virtue of the data processing contract that the Joint Data Controllers have decided to adopt.
2.4. The purpose of the Joint Data Controlling is to process all personal data both in the paper and computer archives of each Joint Data Controller, which is better listed in the Registry of the processing activities of each Joint Data Controller, as well as all data that will be acquired in the future.
3. PRINCIPLES TO BE RESPECTED
The Joint Data Controllers undertake to comply with the following personal data protection principles:
- comply with the principles of lawfulness, correctness, transparency, limitation, data minimisation, accuracy, conservation limitation, integrity and confidentiality as well as accountability as indicated in Article 5 of the GDPR;
- comply with the conduct standards according to the joint data control agreement according to Article 26 GDPR;
- plan training interventions, instruct and update employees regarding data processing and the security measures adopted;
- maintain the secrecy of personal data collected and/or known and/or processed and/or used by virtue of the Joint Data Control relationship established with the other Joint Data Controllers;
- implement all the appropriate technical and organisational security measures to guarantee the complete protection of personal data collected, processed, and used as part of the Joint Data Control relationship;
- keep all the documentation certifying the data breach occurred and keep a special data breach register that specifies the cause, place, type of personal data violated, effects and consequences of the violation and the joint data controller's action plan, as well as motivating and documenting, case by case, decisions made to delay the notification procedure or not to proceed with the notification, nor to the communication to the data subjects;
- verifying the correct keeping and updating of the lists of data managers, authorised people and system administrators, of Processing activity registers and Data breach registers;
The addresses of the websites to which each company refers are given below.
Each of the aforementioned companies holds the role of Data Controller with regard to all data processing carried out for the purpose of managing and using the data referred to its website.
5. TYPE OF DATA PROCESSED
a. Browsing data
The computer systems and software procedures used to operate the websites identified above acquire, in normal operation, some personal data that are then implicitly transmitted in the use of Internet communication protocols. This is information that by its nature could, through associations and processing with data held by third parties, allow users/visitors to be identified (e.g. IP address, computer domain names used by users/visitors connecting to the website etc.). This data is used only exclusively in an aggregate and anonymous manner and to check the correct functioning of the website. This data could be used to ascertain liability in the event of computer crimes against the website.
In summary, the main purposes of the cookies mentioned are:
• Identify yourself when you log in to our websites. In this way we can provide you with product recommendations, view personalised content, recognise you, and provide other functions and personalised services.
• Provide you with content, including advertising.
• Keep track of the preferences you indicate. In this way we can respect your prefer-ences.
• Conduct research and analysis to improve the content, products and services of the Lfe group.
• Prevent fraudulent activities.
• Improve security.
b. Data provided voluntarily by the user / visitor
If the users / visitors of the website send their personal data to access certain services, or to make requests by e-mail, they are aware, as specially informed, that this involves the acquisition by the Data Controller of the data provided and the address of the sender. This data will be processed in the manner and for the purposes indicated in the corresponding policy.
c. Data relating to employees
For each company, to be considered in relation to its employees an independent Data Controller, both common data (personal data, domiciles, bank accounts, CVs) and particular data (data relating to health, trade union membership) are processed.
d. Data relating to customers and suppliers
Common data (e-mail, contact details, tax data) is processed.
6. PURPOSE AND LEGAL BASIS OF THE PROCESSING
Personal data is processed to:
6.1. conclude contracts with the Data Controllers and manage the related relationships in the pre-contractual, contractual, fiscal and accounting phases; (the legal basis of the aforementioned processing is the fulfilment of contractual and legal obligations to which the Data Controller is subject).
6.2. Direct marketing activities to customers already acquired for the direct sale of the Data Controller’s products and/or services (sending of newsletters, information activities, market research, advertising communications); (the legal basis of this processing is the legitimate interest).
6.3. direct marketing activities for new customers; (the legal basis of the aforementioned treatment is consent).
7. PROCESSING METHOD AND DATA STORAGE PERIOD
Data processing will be carried out by means of the operations indicated in Article 4, No. 2 of the GDPR in manual form, using IT and telematic instruments. The data will be recorded, processed and stored in our paper and electronic archives.
The data will be processed by authorised people.
For the activities referred to in Article 6.1., Personal data will be stored until processing of the same is no longer needed for the purpose for which they were collected and, in any case, no later than 10 years from the termination of the contractual relationship.
For the activities referred to in Articles 6.2. and 6.3., personal data will be stored until processing is no longer needed for the purpose for which it was collected and, in any case, no later than 2 years after acquisition.
8. RECIPIENTS OF DATA PROCESSING
The data may be made accessible to the Data Controller’s employees and/or collaborators in their capacity as people authorised to process the data or data processors.
The data may be communicated for the obligations imposed by the law or for the correct execution of the contractual relationship, for example to social security, welfare and insurance bodies, trade associations, tax and labour offices, other Group companies, professional legal assistance offices, commercial, tax, auditing companies, banks and credit institutions.
The data will not be disclosed to undetermined subjects.
9. NATURE OF THE PROVISION
The disclosure of data is mandatory for the purposes referred to in Article 6.1.; therefore, any refusal to provide data or incorrect communication of data results in the objective impossibility of managing pre-contractual and contractual relationships.
The communication of data for the purposes referred to in Articles 6.2. and 6.3. is optional; therefore, the data subject can decide to grant the data or exercise, even subsequently, the right of opposition pursuant to Article 21 of the GDPR.
In this case, the personal data will no longer be the object of direct marketing (and therefore you will no longer receive newsletters, advertising communications, etc.) but will continue to be entitled to the services referred to in Article 6.1.
10. METHODS FOR EXERCISING RIGHTS
According to Article 26, paragraph 3, GDPR, the data subject may exercise his/her rights with and against each Joint Data Controller. In exercising his/her rights, the data subject may contact, at his/her choice, the data controller from among the joint data controller, by sending a written communication to the company's registered office or by sending an e-mail to the following address email@example.com, which is a contact point for the data subjects.
11. CHANGES TO THE POLICY