Privacy Policy

Information regarding G.D.P.R. E.U. 2016/679 and pursuant to article 13 of Leg. Decree 196/2003.

Pursuant to article 13 of the G.D.P.R. E.U. 2016/679 and to article 13 of Leg. Decree 196/03 – Personal Data Protection Code -
(hereinafter referred to for convenience as “Code”), THE-MA SpA is obliged to provide some information regarding the use of your personal
data . The data held by our company have been collected and will be processed in full observance of the above-stated Code, including the
obligations of confidentiality, provided for therein.


1.- PURPOSE AND METHOD OF PROCESSING DATA
Your communicated or acquired personal data will be processed while carrying out the activities of THE-MA SpA with the following
purposes:
- Management of existing contract, management of negotiations aimed at stipulating a contract and the pre-contractual stage generally.
- Management of any contractual relations that may exist in the future, including management of disputes and all credit protection
activities.
- Fulfilment of legal obligations deriving from existing relations.
- Also provided during registration to the Controller’s website and/or on subscribing to the Controller’s newsletter.
Your personal data are processed:
A) Without your express consent (art. 24 letter a, b, c of the Privacy Code and art. 6
letter b, e of the GDPR), for the following service purposes:
- to allow registration on the website;
- to manage and maintain the website;
- to subscribe to the newsletter service provided by the Controller and further services that you may request;
- to fulfil pre-contractual, contractual and fiscal obligations deriving from the existing relations we have with you;
- to fulfil obligations imposed by law, regulations, EU legislation or an order by an Authority;
- to prevent or discover fraud or abusive damage to the website;
- to exercise the Controller’s rights, for example the right to defence in court.
B) Only further to specific, distinct consent (articles 23 and 130 Privacy Code and article 7 of GDPR), for the following Marketing purposes:
- to send newsletter, commercial communications and/or advertising material about products or services offered by the Controller via
email. We would like to inform you that if you are already our customer, we will send you commercial communications about the
Controller’s services and products that are similar to the ones that you have used, unless you do not allow us to (article 130, para. 4
Privacy Code).
Your personal data are processed using the operations stated in article 4 of the Privacy Code and in article 4 no. 2) of the GDPR and
specifically:: collection, registration, organization, storage, consultation, processing, amendment, selection, extraction, comparison, use,
interconnection, blocking, communication, deletion and destruction of data. Your personal data are processed on paper, electronically
and automatically.
The Controller will process your personal for the time required to fulfil the purposes above and in all cases for no longer than 10 years after
the relations for Service purposes have ceased and for no longer than 2 years after data has been processed for Marketing purposes.
The data will be processed for the entire duration of the contract, and also subsequently for commercial purposes. The data subject can
request deletion of his/her personal data from the archives at any time, as stated in point 5 below.


2.- ACCESS TO DATA
Your Data will be made accessible for the purposes stated in article 1.A) and 1.B):
- to employees and collaborators, in their roles as internal processing clerks and/or managers and/or system administrators;
- To external companies supporting the customer’s project feasibility study, for technical project management, for personal data
storage etc) or to third parties (e.g. providers of website management and maintenance, suppliers, banks and professional studios
etc) that are outsourced to work on the Controller’s behalf, as external data processors.

3.- REALM OF COMMUNICATION
Notwithstanding the communications and diffusions made as par of legal and contractual obligations without your express consent (ex
article 24 letter a), b), d) Privacy Code and article 6 letter b) and c) of GDPR), the Controller may communicate your data for the purposes
stated in article 1.A) in Italy and overseas, in observance of the purposes stated above, to the following subjects:
- Legal practices, credit collection firms and credit insurance firms.
- Commercial information banks.
- Factoring companies.
- Banks and other financial brokers for obligations related to commercial relations (for example for payments).
- Professionals, consultants and service companies.
- Our network of agents.


4.- PROVIDING DATA
Providing the data required to fulfil legal and fiscal obligations coming from existing commercial and contractual relationship is
mandatory. Providing data that is not a part of contractual or legal obligations is optional.
Without your express consent (ex art. 24 letter a), b), d) Privacy Code and art. 6 letter b) and c) GDPR), the Controller will communicate
your data for the purposes stated in art. 1.A) to supervisory bodies, judicial authorities and all parties to which communication is mandatory
by law for carrying out the said purposes. Your data will not be diffused.


5.- TRANSFERRING DATA
Personal data will be managed and stored on servers located within the European Union belonging to the Controller and/or other
companies who have been appointed and duly nominated as Data Processors. Our servers are currently located in Italy. Data will not be
subject to transfers outside the European Union. In all cases, it is agreed that the Controller will have the right to move the servers in Italy
and/or European Union and/or non/EU countries if necessary. In this case, the Controller guarantees hereinafter that transfer of data to non-
EU countries will take place in compliance with applicable legal provisions, stipulating, if necessary, agreements that ensure an adequate
level of protection and/or adopting standard contractual clauses provided for by the European Commission.

6 - REFUSAL TO PROVIDE DATA
Providing data for the purposes as set out in article 1.A) is mandatory. If not provided, we cannot guarantee registration on the website
or the services as stated in article 1.A). Providing data for the purposes as set out in article 1.B) is optional. You can therefore decide to not
provide any data or deny the possibility of processing data already provided at a later date: in this case, you will not receive newsletters,
commercial communications and advertising material pertaining to the services that the Controller offers. In all cases, you will continue to
have the right to the services stated in article 1.A).
Refusal to provide the data required to fulfil legal and fiscal obligations deriving from the existing commercial and contractual
relationship, or the subsequent denial of consent for the data to be processed, will mean that it is impossible for us to continue current
commercial and contractual relations. If you do not provide all the data that is not connected with contractual or legal obligations, the
situation will be evaluated by us each time and decisions will be made in relation to importance of the data requested and not provided for
our company.


7.- DATA SUBJECT’S RIGHTS
As the data subject, you have the rights stated in article 7 Privacy Code and article 15 GDPR and specifically the rights of:
A) obtaining confirmation of the existence or non-existence of personal data concerning themselves, even if not yet recorded, and for it
to be communicated in an intelligible form.
B) Obtaining indication:
- of the origin of the personal data;
- of the purpose and modes of handling;
- of the logic applied in the event of handling carried out with the aid of electronic tools;
- of the ID of the controller, the processors and the appointed representative pursuant to article 5, paragraph 2 Privacy Code and
article 3 paragraph 1 GDPR and the subjects or categories of subjects to whom personal data can be communicated or can learn
of it, as appointed representative in the state territory, as managers or appointees;
C) Obtaining:
- update, correction, or where required, an integration of data;
- cancellation, transformation to anonymous format or blocking of data handled in violation of the law, including data that is not
required to be stored in relation to the purposes for which said data was collected or later handled;
Information and consent form for
customers
- The declaration that the operations as set out in article 7.A) and B) have been brought to the attention, also regarding content, of
those provided with the data, except for the case in which this fulfilment is impossible or would bring about a use of media that is
clearly disproportionate to the protected right;
D) Opposing, fully or partly:
- the handling of personal data regarding him/herself but pertinent to the purpose of data collection, for legitimate reasons;
- the processing of your personal data for the purposes of sending advertising or direct sales material or for carrying out market
research or commercial communications, via the use of automated call systems without an operator, via email and/or via traditional
marketing modes by telephone and/or post. Please note that the data subject’s right to object, as per point B) above, for direct
marketing purposes using automated modes is also extended to traditional modes and the possibility however remains for the data
subject to exercise his/her right to object, if only in part. Therefore, the data subject can decide to only receive communications by
traditional methods or only automatic communications, or neither of the two types of communication.
- Where applicable, the data subject also has the rights stated in articles 16/21 GDPR (Right to rectification, right to be forgotten,
right to restriction of processing, right to data portability, right to opposition) and the right to complain to the Data Protection
Authority.


9.- METHOD FOR EXERCISING YOUR RIGHTS
You can exercise your rights at any time by sending:
- A recorded delivery letter addressed to: THE-MA SpA via della Repubblica Italiana, 8, 40061 Minerbio (BO)
- An email to the address privacy@the-ma.it
- A certified email to the address: the-ma@legalmail.it

10.- MINORS
This website and the Controller’s services are not intended for subjects under the age of 18 years and the Controller does not
intentionally collect personal information referring to the latter. If information about minors is accidentally recorded, the Controller will
promptly delete it, on request from the users.

11.- AMENDMENTS TO THIS INFORMATION SHEET
This information may undergo variations. We therefore recommend that you regularly check this information sheet and refer to the most
updated version.

12.- DATA CONTROLLER AND PROCESSOR
The Data Controller is:
THE-MA SpA Via della Repubblica Italiana, 8 - 40061 Minerbio (BO)