EXTENDED NOTICE PURSUANT TO ARTICLES 12, 13 AND, WHERE APPLICABLE, 14 OF THE GDPR – REGULATION (EU) 2016/679 ON THE PROTECTION OF NATURAL PERSONS WITH REGARD TO THE PROCESSING OF PERSONAL DATA (HEREINAFTER, THE “GDPR”)

The data controller provides below the information notice pursuant to Articles 12, 13 and, where applicable, 14 of the GDPR regarding the processing of personal data provided by the Customer/data subject by completing and signing the Agreement to purchase the products/services offered for sale by the data controller, by voluntarily uploading personal data to this website (in particular through the completion of forms) or simply by browsing it.

  1. Data Controller and contact details

The Data Controller is REENGINE SRL, registered office at VIA DELLA MECCANICA 44 – 04011 - APRILIA (LT), VAT no. 02670870597, tel. +39 0692731796, e-mail info@reengine.it, website https://www.reengine.it.

  2. Principles applicable to processing

In accordance with the GDPR, the Data Controller constantly endeavours to ensure that personal data are:

(a) processed lawfully, fairly and transparently;

(b) collected for specified, explicit and legitimate purposes and subsequently processed in a manner that is not incompatible with those purposes;

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

(d) accurate and, where necessary, kept up to date;

(e) kept for no longer than is necessary for the purposes for which they are processed;

(f) processed, through appropriate technical and organisational measures, in a manner that ensures their security;

(g) processed, where based on consent, following a decision freely made by the Customer/data subject on the basis of a request presented in a manner clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language.

The Data Controller adopts appropriate technical and organisational measures to ensure data protection by design and to ensure that, by default, only the data necessary for each specific processing purpose are processed.

The Data Controller collects and gives the utmost consideration to the indications, observations and opinions of the Customer/data subject sent to the contact details above, with a view to implementing a dynamic privacy management system that ensures the effective protection of individuals with regard to the processing of their data.

This Notice may be amended in line with developments in the applicable legislation and the technical and organisational measures adopted by the Data Controller from time to time; the Customer/data subject is therefore invited to visit this section of the Website periodically to view updates and the Notice as currently in force.

  3. Methods of processing personal data

Personal data are processed manually and by electronic means, using logic strictly related to the purposes indicated below and, in any case, in such a way as to guarantee the security and confidentiality of the data.

  4. Purposes of processing personal data

(4a) Purposes for which processing is necessary

The personal data provided by the Customer/data subject are primarily processed for the performance of the Agreement and for credit management and, more generally, for managing the relationship arising from the Agreement itself.

Providing the data in the Agreement or thereafter, during the contractual relationship, for the above processing purposes is mandatory; therefore, failure to provide, partial provision or inaccurate provision of such data makes it impossible to conclude and/or perform the Agreement and, for the Customer/data subject, to benefit from the products/services offered by the Data Controller, and may potentially expose the Customer/data subject to liability for contractual non-performance.

The personal data provided by the Customer/data subject may also be processed where necessary to comply with a legal obligation to which the Data Controller is subject, to protect the vital interests of the Customer/data subject or of another natural person, to perform a task carried out in the public interest or in the exercise of official authority vested in the Data Controller, or for the purposes of the legitimate interests pursued by the Data Controller or by third parties, provided that the interests or fundamental rights and freedoms of the Customer/data subject do not override such interests; in these cases as well, providing the data is mandatory and, consequently, failure to provide, partial provision or inaccurate provision of data may expose the Customer/data subject to any liabilities and penalties provided for by the legal system.

(4b) Additional processing purposes following the Customer/data subject’s specific and express consent

In addition to the purposes of processing indicated above, the personal data provided/acquired may, with the prior consent of the Customer/data subject (expressed by ticking the box on the Agreement or on the Website, or by using other social or web applications of the Data Controller), also be processed for carrying out market surveys and for sending commercial and promotional communications, by telephone (including using the mobile number provided) and by automated contact systems (e-mail, SMS, MMS, fax, etc.), concerning products/services of the Data Controller or of companies belonging to the Group to which the Data Controller may belong.

Consent for the processing purposes referred to in this point (4b) is optional; therefore, if consent is refused, the data will be processed solely for the purposes indicated in the preceding point (4a), without prejudice to what is specified below with reference to the legitimate interests of the Data Controller or third parties.

  5. Categories of personal data processed

The Data Controller mainly processes identification/contact data (including, without limitation, first name, surname, addresses, type and number of identity documents, telephone numbers, e-mail addresses and tax/billing data) and, where commercial transactions are envisaged, financial data connected to those transactions (including, without limitation, bank details, in particular current account identifiers and credit card numbers).

The processing carried out by the Data Controller, both for the performance of the Agreement and on the basis of the express consent of the Customer/data subject, generally does not concern special categories of personal data (so-called sensitive data revealing racial or ethnic origin, political opinions, religious beliefs, health status or sexual orientation, etc.), nor genetic and biometric data, nor so-called judicial data (relating to criminal convictions and offences).

However, it cannot be ruled out that, in order to fulfil obligations arising from the Agreement, the Data Controller may need to store and/or process sensitive, genetic and biometric or judicial data of the Customer/data subject or of third parties for whom the Customer/data subject acts as data controller; in such case, processing by the Data Controller takes place pursuant to, under the conditions of, and within the limits set by, the appointment of the Data Controller as processor by the Customer/data subject.

With reference to the Website, the Data Controller processes, as data controller and potentially as processor appointed for this purpose (as above), so-called browsing data. The IT systems and software procedures used to operate websites acquire, during their normal operation, certain personal data the transmission of which is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified data subjects, but, by its very nature, could allow users to be identified. This category of information includes geolocation data, IP addresses, browser type, operating system, the domain name and addresses of websites from which access or exit was made, information on the pages visited by users within the site, access time, time spent on each page, internal navigation analysis and other parameters relating to the user’s operating system and IT environment. By their very nature, such information, through processing and association with data held by third parties, may make it possible to identify users.

The Website may also use cookies, both session cookies (which are not stored on the user’s computer and disappear when the browser is closed) and persistent cookies, for the transmission of personal information, as well as other tracking systems.

  6. Source of personal data

The personal data processed by the Data Controller are collected directly by the Data Controller from the Customer/data subject when and while the latter browses the Website (or uses other social or web applications of the Data Controller), or, also through the Data Controller’s sales personnel, upon or after the signing of the Agreement, during its performance, or from public sources.

As specified above, the Data Controller, as processor appointed for this purpose, in order to fulfil obligations arising from the Agreement, may store and/or process data—particularly browsing data—potentially including sensitive, genetic and biometric or judicial data, of third parties for whom the Customer/data subject acts as data controller, obtained with the prior consent of such third parties, when and while those third parties browse the Website (or use other social or web applications referable to the Data Controller).

  7. Legitimate interests

The legitimate interests of the Data Controller or third parties may constitute a valid legal basis for processing, provided that the interests or fundamental rights and freedoms of the data subject do not prevail. In general, such legitimate interests may exist where there is a relevant and appropriate relationship between the Data Controller and the data subject, for example where the data subject is a customer of the Data Controller. In particular, it is a legitimate interest of the Data Controller to process the Customer/data subject’s personal data for the prevention of fraud, for direct marketing purposes, to ensure the free movement of such data within the corporate group to which the Data Controller may belong, or concerning traffic data in order to ensure network and information security—that is, the capability of a network or a system to withstand unforeseen events or unlawful acts that could compromise the availability, authenticity, integrity and confidentiality of data.

  8. Disclosure of personal data

(8a) Disclosure of personal data – categories of recipients

In addition to employees and collaborators of the Data Controller (authorised by the Data Controller to process data on the basis of appropriate written operating instructions, in order to ensure the confidentiality and security of the data), some processing operations may also be carried out by third parties to whom the Data Controller entrusts certain activities, or parts thereof, functional to the purposes set out in point (4a), both in fulfilment of contractual obligations and of legal obligations. By way of example only and without limitation: commercial and/or technical partners; companies providing banking and financial services; companies providing document archiving services; debt collection agencies; auditing and statutory certification firms; rating agencies; parties providing professional assistance and consultancy to the Data Controller; customer care service providers; factoring companies, securitisation companies or other assignees of receivables; companies belonging to the Group to which the Data Controller may belong; business information providers; IT service companies. The parties belonging to the aforementioned categories process personal data as independent controllers, or as processors with reference to specific processing operations that fall within the contractual services they perform for/in the interest of the Data Controller; the Data Controller provides processors with appropriate written operating instructions, particularly regarding the adoption of minimum security measures, in order to guarantee confidentiality and data security.

Some processing operations may also be carried out by third parties to whom the Data Controller entrusts certain activities, or parts thereof, also for the purposes set out in point (4b), including, by way of example only and without limitation: commercial and/or technical partners; companies that institutionally provide marketing services; advertising agencies; parties providing assistance and consultancy with regard to prize contests and promotions. The parties in these categories process personal data as independent controllers or as processors with reference to specific processing operations that fall within the contractual services they perform for/in the interest of the Data Controller; the Data Controller provides processors with appropriate written operating instructions, particularly regarding the adoption of minimum security measures, in order to guarantee confidentiality and data security.

A list of processors with whom the Data Controller has relations is available, upon written request to be sent to the Data Controller’s registered office, and is subject to periodic updates.

Personal data may also be disclosed, upon request, to the competent authorities in compliance with obligations arising from mandatory legal provisions.

(8b) Transfer of personal data to third countries

The Customer/data subject’s personal data may also be transferred abroad, both to countries within the European Union and to countries outside the European Union. In the latter case, transfers will be based either on an adequacy decision, or within and subject to the appropriate safeguards provided by the GDPR (in particular, the presence of standard contractual clauses approved by the European Commission), or, outside the aforementioned circumstances, by relying on one or more of the derogations provided for by the GDPR (in particular, the express consent of the Customer/data subject, or for the performance of the Agreement concluded by the Customer/data subject, or for the performance of a contract concluded between the Data Controller and another natural or legal person for the benefit of the Customer/data subject, specifically for activities entrusted to such other party by the Data Controller in order to perform the Agreement concluded with the Customer/data subject). In the event of data transfers to countries outside the European Union, the Customer/data subject may, upon written request to the Data Controller’s registered office, be informed of the appropriate safeguards or derogations that legitimise the cross-border processing. It is understood that, in the event of data transfers to countries outside the European Union, for any request concerning the data, including the exercise of the rights granted by the GDPR to the Customer/data subject, the latter may always validly contact the Data Controller.

  9. Criteria for determining the retention period of personal data

For the purposes referred to in point (4a) above, the retention period of the personal data provided by the Customer/data subject—and the consequent potential processing thereof—coincides with the limitation period of the rights/obligations (legal, tax, etc.) arising from the Agreement: typically, therefore, 10 years, unless events interrupting the limitation period occur, which could in fact extend that period.

For the purposes referred to in point (4b) above, the retention period of the personal data provided by the Customer/data subject—and the consequent potential processing thereof—ends upon revocation of the consent previously given by the Customer/data subject or, in the absence thereof, in any case one year after the termination of any relationship between the Data Controller and the Customer/data subject.

  10. Rights of the Customer/data subject

The Data Controller recognises—and facilitates the exercise by the Customer/data subject of—all rights provided for by the GDPR, in particular the right to request access to their personal data and obtain a copy thereof (Art. 15 GDPR), rectification (Art. 16 GDPR) and erasure (Art. 17 GDPR), restriction of processing concerning them (Art. 18 GDPR), data portability (Art. 20 GDPR, where applicable), and to object to processing concerning them (Arts. 21 and 22 GDPR, in the cases mentioned therein, and in particular to processing for marketing purposes or that results in automated decision-making, including profiling, producing legal effects concerning them, where applicable).

The Data Controller also recognises the Customer/data subject’s right, where processing is based on consent, to withdraw that consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. To do so, the Customer/data subject may unsubscribe at any time on the Website (or on other social or web applications of the Data Controller) or by using the dedicated link at the bottom of each commercial communication received, or by contacting the Data Controller at the contact details indicated above.

The Data Controller further informs the Customer/data subject of the right to lodge a complaint with the Data Protection Authority (Garante per la Protezione dei Dati Personali) as the supervisory authority operating in Italy, and to bring legal proceedings both against a decision of the Authority and against the Data Controller and/or a processor.

  11. Security of systems and personal data

Taking into account the state of the art and implementation costs, as well as the nature, scope, context and purposes of processing, and the risk, of varying likelihood and severity, to the rights and freedoms of natural persons, the Data Controller adopts technical and organisational measures deemed appropriate to ensure a level of security appropriate to the risk, in particular ensuring, on an ongoing basis, the confidentiality, integrity, availability and resilience of processing systems and services (including, where necessary, the encryption of personal data) and the ability to restore the availability of data in a timely manner in the event of a physical or technical incident, and adopting internal procedures to regularly test, assess and evaluate the effectiveness of the technical and organisational measures implemented.

When assessing the appropriate level of security, account is taken of the risks presented by processing, in particular those resulting from the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

The Data Controller ensures that anyone acting under its authority who has access to personal data does not process such data unless instructed to do so by the Data Controller.

That said, the Customer/data subject acknowledges and accepts that no security system can guarantee absolute protection with certainty; therefore, the Data Controller cannot be held liable for acts or events of third parties who, despite appropriate precautions having been taken, unlawfully access systems without the required authorisations.

  12. Automated decision-making, including profiling

The Data Controller may carry out automated processing, including profiling, for the purposes referred to in point (4b) above, in order to optimise navigation of the Website (or the usability of other social or web applications of the Data Controller) and to improve the purchasing experience, without prejudice to what is specified above regarding the Customer/data subject’s rights to object and to withdraw consent.

Profiling means any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning, for example, that person’s preferences, interests or location, including for the purpose of creating profiles—that is, homogeneous groups of individuals by characteristics, interests or behaviours.

The Data Controller does not carry out any automated processing that produces legal effects concerning the Customer/data subject or similarly significantly affects them, unless this is necessary for the conclusion or performance of the Agreement, is authorised by law or is based on the Customer/data subject’s explicit consent; in any case, the Customer/data subject is always afforded the right to obtain human intervention, to express their point of view and to contest the decision.
