Information on the processing of personal data for the online payment service via "PayPal" made pursuant to Article 13 Regulation (EU) 2016/679 ("GDPR")

1. Data Controller and Data Protection Officer

Data controller: Emmegi S.p.a, in the person of its legal representative pro tempore, with registered office at Via Archimede, 10, 41019 Soliera (MO) - Italy, e-mail info@emmegi.com, Tax Code/VAT number 01978870366.

Data Protection Officer (DPO): Dr. Donato Eugenio Caccavella, e-mail address: dpo.voilap@amicadpo.eu
 

2. Personal data processed, purpose of processing and legal basis

The Controller shall process your personal identification and contact data (such as your first name, last name, company name, VAT number, tax code, address, city, postcode, province, state, e-mail address, offer/order number) provided directly by you by filling in the data collection form in the "PAYPAL" section on the Controller's website (www.emmegi.com, the "Site"). In addition, the Data Controller itself may come into possession of further payment data from external payment processing services such as, for example, billing address, means of payment used, etc.

The data used for payment are acquired directly by the operator of the payment service requested without being processed in any way by the Holder's website. (further information available at PayPal's privacy policy).

The Controller intends to process your personal data for the purpose of:

(a) to manage online orders so as to verify that the information provided for the transaction is complete and valid, as well as to process the order and proceed to the eventual delivery of the products, and also to contact you for any problem related to the management of the order and/or after-sales service; the legal basis for this purpose is the execution of the contract and/or pre-contractual measures pursuant to Article 6(1)(b) of the GDPR;

(b) to comply with obligations imposed by laws or regulations in the administrative, accounting and tax fields (e.g. the obligation to keep commercial and tax documents, etc.) and the legal basis for this purpose is the fulfilment of a legal obligation, within the meaning of Article 6(1)(c) of the GDPR;

(c) to send you promotional communications regarding the services and products of the Controller and/or the companies in the Controller's Group and/or events organised by them or to contact you for market research purposes by telephone contact with an operator or by automated contact methods (e.g. automated email campaigns, SMS, automated telephone contact, instant messaging, etc.); the legal basis for the processing of the data is the provision of your consent, pursuant to Article 6(1)(a) of the GDPR;
 

3. Nature of conferment, data retention period and processing methods

For the purposes referred to in paragraph 2, letters a) and b) above, the provision of your personal data is mandatory for the processing and evaluation of your request, since your refusal to provide such data will make it impossible for the Controller to respond to it.

With reference to the purpose referred to in paragraph 2 letter c) above, the provision of your personal data is optional and your refusal to provide them would only make it impossible for the Data Controller to update you on its products, services and/or initiatives or to develop promotional initiatives for you that are more in line with your profile.

The retention period of your personal data:

• • for the purposes set out in paragraph 2(a) and (b) above, will last for the period necessary to execute the contract and also thereafter for contractual requirements and the fulfilment of legal and tax obligations, and for the effective management of financial and business relations;
• • for the purpose referred to in paragraph 2(c) above, shall continue for 2 years from the date of issue of the relevant consent or until you decide to revoke your consent;

Processing is carried out in compliance with the requirements of the GDPR, according to the principles of correctness, lawfulness and transparency and the protection of your rights as described therein. Personal data are processed by means of computerised, telematic and/or paper-based tools, for the sole purpose of pursuing the purposes for which they were collected, as well as with the use of security measures aimed at guaranteeing the confidentiality of personal data and preventing undue access by unauthorised parties.
 

4. Communication of data

In order to establish and/or implement existing relations or for legal obligations, your personal data will be processed by persons specifically appointed by the Data Controller as authorised processors. Furthermore, your personal data may be processed by third parties belonging, by way of example, to the following categories:

• • providers of technical support services for the management of the computer system,
• • logistics providers, advertising agencies or other service providers;
• • business partners;
• • providers of external telematic platforms for sending communications;
• • payment service providers;
• • companies belonging to the Group to which the Controller belongs, for the performance of instrumental activities connected with or supporting that of the Controller.

The entities belonging to the above categories operate, in some cases, as data controllers specifically appointed by the Data Controller in compliance with Article 28 GDPR, and in other cases completely autonomously as separate data controllers, it being understood that, in the latter case, the communication of your personal data to such autonomous data controllers would take place solely for the purposes of pursuing the purposes set out in paragraph 2 above.

Your personal data will not be disseminated.
 

5. Transfer of personal data outside the European Union

Data will generally not be transferred outside the European Union; however, should it be necessary to transfer data to countries outside the EU for specific needs related to the location of the services rendered by the suppliers, including to countries that do not offer adequate protection, the Company undertakes to guarantee adequate levels of protection and safeguards, including contractual ones, in accordance with the applicable rules, including the stipulation of standard contractual clauses.
 

6. Rights of the persons concerned

In relation to the processing described in this Notice, as a data subject, you may, under the conditions set out in the GDPR, exercise the rights set out in Articles 15 - 21 of the GDPR, in particular:

• • Right of access: the right to obtain confirmation as to whether or not personal data concerning you are being processed and, if so, to obtain access to your personal data - including a copy thereof - and communication of, inter alia, the information referred to in Article 15 of the GDPR;
• • Right of rectification: the right to obtain, without undue delay, the rectification of inaccurate personal data concerning you and/or the integration of incomplete personal data pursuant to Article 16 of the GDPR;
• • The right to erasure (right to be forgotten): the right to obtain, without undue delay, the erasure of personal data concerning you, in the cases referred to in Article 17 of the GDPR; the right to erasure does not apply to the extent that the processing is necessary for the performance of a legal obligation or the performance of a task carried out in the public interest or for the establishment, exercise or defence of legal claims;
• • Right of restriction of processing: right to obtain restriction of processing, in the cases indicated in Article 18 of the GDPR;
• • Right to data portability: the right to receive, in a structured, commonly used and machine-readable format, the personal data concerning you provided to the Data Controller and the right to transmit them to another data controller without hindrance, where the processing is based on consent and is carried out by automated means, in accordance with Article 20 of the GDPR. In addition, the right to have your personal data transmitted directly by the Controller to another controller if this is technically feasible;
• • Right to object: the right to object to the processing of personal data concerning you, unless there are legitimate grounds for the Controller to continue the processing, pursuant to Article 21 of the GDPR;
• • Right to revoke consent at any time without prejudice to the lawfulness of the processing based on the consent given before revocation;
• • Right to lodge a complaint with the Garante per la protezione dei dati personali, Piazza Venezia n. 11, 00187, Rome (RM).

To exercise all rights as identified above, simply contact the data controller or the DPO at the following e-mail address: dpo.voilap@amicadpo.eu
 

7. Personal data of minors

The services on this site are intended for a general public and are not intended for children under the age of 14. The Owner does not knowingly collect personal data from users under this age group. In the event of the release of personal data belonging to a child under the age of 14, the Data Controller will immediately delete them.