Privacy Policy

Informative note

Articles 13, 14 REGULATION (EU) 2016 – GDPR – OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL – 27 April 2016

Data controller of personal data processing.
REER SpA, VAT number 05997110019 is the data controller of the processing of your personal data.
As data subject (potential or active customer, potential or active supplier, candidate employee or collaborator, visitor, guest) we inform you that:
The registered office of the data controller is in Corso Re Umberto 2 – 10121 Torino.

The contacts of the data controller at the main establishment are:

Another processing establishment can be identified at REER SpA – Illumination Division, VAT Number 05997110019, Via Meucci, 77, 10040, Leinì, (TO), Italy

Processing Purpose

REER SpA processes common identifiable personal data such as: name, surname, company name, address, telephone contact, e-mail address, any possible bank details.

The personal data of the data subjects are collected and processed by REER SpA in an appropriate, relevant, limited to the purposes, lawful, correct and transparent way.

The determined, explicit and legitimate purposes of collecting and processing personal data are:

  1. Fulfillment of contractual, pre-contractual, fiscal obligations or of law deriving from existing relationships;
  2. Holding and updating administrative accounting and other obligations required by laws, regulations and notes on tax matters;
  3. Administrative and accounting purposes (management of orders and ordinary correspondence with customers, suppliers, external support entities also in outsourcing);
  4. Purposes strictly connected to the management of employees and collaborators – obligations deriving from national laws;
  5. Fulfillment of obligations deriving from national laws;
  6. Fulfillment of obligations deriving from community laws, rules and regulations;
  7. Safeguard and pursuit of a legitimate interest of the data controller or of third parties, provided that the interests or the fundamental rights and freedoms of the data subject are not prevailing, in particular if they are minor. Among the legitimate interests of the data controller are identified:
    – Adjustment of relationships between customers and suppliers,
    – Adjustment of relationships between employer and employees,
    – Direct marketing (if consented by the data subject),
    – Fraud prevention.
    – Processing of personal data concerning data traffic to guarantee network and information security.
  8. Health and safety management of the workers;
  9. Protection of corporate assets and safety of persons by means of video surveillance and video recording systems.

Legal grounds for processing or data protection principles:

The legal ground for the processing carried out for the purposes referred to in points a), b), c) is the contractual obligation and the pre-contractual liability of the data controller. The communication of personal data referred to in points a), b), c), d) is therefore a legal and contractual obligation and a necessary requirement for the conclusion of a contract.

  • The data communication by the data subject is mandatory. Failure to provide personal data will result in the inability to proceed with the stipulation and execution of the contract as it will no longer be possible to fulfill the obligations provided for by law, instructions given by the competent authorities / supervisory and control bodies and to satisfy the request of the data subject;
  • Legal grounds of the processing carried out for the purposes referred to in points e), f) is the legal obligation to which the data controller is subject;
  • Legal grounds of the processing carried out for the purposes referred to in point g) is the legitimate interest of the data controller or third parties or the consent of the data subject freely and explicitly issued for direct marketing activities;
  • Legal grounds of the processing carried out for the purposes referred to in point h) is the vital interests of the data subject where they concern an employee or a collaborator;
  • Legal grounds for the processing carried out for the purposes referred to in point (i) is the protection of the company’s assets and safety of persons.

Subject to your explicit and free consent (Article 7 of the GDPR – EU Regulation 679/2016) REER SpA may process your personal data for marketing purposes (sending commercial, promotional and advertising messages on the products and/or services of the data controller by email, ordinary mail, SMS to telephone contacts, newsletter).

Processing Methods

Personal data will be processed at the establishment of the data controller by designated and authorized persons, under the authority of the data controller and trained on the regulatory principles and on the logical and technological safety procedures (Article 32, paragraph 4). Processing is carried out by means of operations or complexes of manual or computerized operations such as: collection, registration, organization, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, dissemination, cancellation and destruction.

Data Communication

Personal data may be communicated by the data controller, without consent of the data subject, and for purposes related to pre-contractual measures, to the execution of a contract or legal obligation of the data controller exclusively to the following subjects or categories of subjects:

  • Chartered accountants and auditors;
  • Labour consultant and/or payroll firm (data of employees and collaborators);
  • Public welfare bodies, private supplementary social security funds, insurance and health funds, National Institute for Insurance against accidents at work and occupational diseases (INAIL) (data of employees and collaborators);
  • Supervisory bodies;
  • Competent doctor (Article 38 of Legislative Decree 81/08) or public health facility, private and / or authorized / contracted (data of employees and collaborators);
  • Training / training agencies (data of employees and collaborators);
  • Companies or consultants in the field of IT assistance (hardware and software);
  • Company for the management of contracts for outsourcing, housing, hosting, etc.;
  • Agencies or commercial agents;
  • Law firms;
  • Judicial authorities;
  • Credit recovery companies;
  • Insurance service providers;
  • Subjects that carry out document archiving activities, documentation and electronic invoicing services;

The communication of personal data to processors is carried out by the data controller as a legal or contractual obligation. No data is disseminated by the data controller. Processors will carry out data processing activities as data controllers (Article 28) or independent data controllers, as established in the designation contracts, following the instructions given by the data controller or regarding the nature of the processing. The data controller will not transfer personal data to a third country or to an international organization.

Duration of the processing

The data collected and processed for the purposes referred to in points a), b), c), will be kept, by law, for at least ten years from their last use in an accounting record.
The data collected and processed as indicated in points d), h), are kept by the data controller for the duration of the contract of each employee/collaborator and for the excess time necessary to complete the fulfillment of all obligations. The processing period for points d) and h) is set by the data controller for more 15 years to guarantee every judicial protection.

The duration of the processing referred to in points e), f) is determined by the same national laws and by the laws, rules and regulations of the Community in which the processing is carried out and to which reference is made.
The processing of personal data referred to in point g) and relating to direct marketing will have a duration fixed by the data controller for 3 years, in the event that the data subject renews or withdraws the consent upon expiry.

For the processing referred to in point g) and concerning data traffic for network security, the established duration is 6 months.
The processing referred to in point i) has a duration of 24 hours set by the data controller, unless the data are requested by the control and judicial bodies.

The data subject has the right (guaranteed by the data controller) to:

  • Access personal data concerning him/her;
  • Request the correction or cancellation of his/her personal data;
  • Request processing restriction on his/her personal data;
  • Object to processing;
  • Receive personal data concerning him/her in order to transmit it to another data controller (data portability);
  • Revoke the consent to processing if the consent is its legal ground (Article 6, paragraph 1, point a), Art. 9(2)(a));
  • Make a complaint to a supervisory authority;
  • Be aware of the fact that the communication of his/her personal data is a legal or contractual obligation, or a necessary requirement.