Privacy Policy

PRIVACY POLICY
on the processing of personal data
Articles 12 et seq. of Regulation (EU) 2016/679 (GDPR)

INTRODUCTION
In compliance with the provisions of EU Regulation 2016/679 (hereinafter referred to as the GDPR), we hereby provide the following information regarding the processing of personal data provided by the data subject in relation to relations with Lybra Tech srl (hereinafter the Company). The Privacy Policy is provided pursuant to Article 13 of the GDPR.

1.IDENTITY AND CONTACT DETAILS
In relation to the different areas in which the processing will be carried out for the purposes of this notice, the Company may act as Data Controller pursuant to Article 4 of the GDPR or as Joint Data Controller pursuant to Article 26 of the GDPR.
The Company can be contacted at the following addresses: Via Salento 63, 00162, Rome; email: [email protected]

2.PURPOSE OF THE PROCESSING, LEGAL BASIS AND DATA RETENTION PERIOD

a) Pre-contractual/contractual

Provide information on marketed products and services, if requested by the data subject; Execution of existing contractual relationships.

Type of data processed: Personal data and contact details; data necessary for the execution of the contractual relationship.

Legal basis: Execution of a contract to which you are party or pre-contractual measures taken at the request of the data subject; Compliance with legal obligations. Art. 6 para. 1, letters b) and c) GDPR.

Role: Data Controller

Data retention period*: According to the law.

b) Direct marketing

Sending, by automated contact methods (email and instant messaging) and traditional methods (phone calls and regular mail), of advertising material, newsletters, promotional and commercial communications relating to products and/or events and/or training courses, as well as carrying out market studies and statistical analyses and customer satisfaction surveys.

Type of data processed: Personal details and contact data.

Legal basis: Consent (requested by contract or with specific request); (optional and revocable at any time) Art. 6 para. 1, letter a) of the GDPR. If the data subject has not consented to the sending of commercial communications by automated methods, they may still receive them through traditional methods if they have not expressed their disagreement through ordinary methods and/or the Opposition Register.

Role: Joint Data Controllers

Data retention period*: Until consent for this purpose is revoked and/or five years have elapsed since consent was given.

c) Marketing to existing customers

Sending communications relating to contracted products/services and/or products/services similar to those already contracted (newsletters, webinars, events, training activities).

Type of data processed: Personal data and contact details; data relating to the company to which it belongs and the role held.

Legal basis: Legitimate interest Art. 6 para. 1, letter f) of the GDPR.

Role: Joint Data Controllers

Data retention period*: Until consent has been revoked.

d) Indirect marketing

Communication of data to business partners/third parties so that they can make you the recipient of marketing communications.

Type of data processed: Personal details and contact data.

Legal basis: Consent (requested by contract or with specific request) (optional and revocable at any time) Art. 6 para. 1, letter a) of the GDPR.

Role: Joint Data Controllers

Data retention period*: Until consent for this purpose is revoked and/or five years have elapsed since the last interaction with the Data Controllers.

e) Collection and publication of content:

Generation of case histories and publication on social networks, newspapers, magazines and websites of images, videos, reviews, evaluations and other content that the data subject may freely decide to share with the Data Processors, as well as on any other media used (as provided for in the individual consents requested from time to time).

Type of data processed: Personal data; pictures, sounds, company, professional role and experience, nickname, social network profile

Legal basis: Consent (optional and revocable at any time) Art. 6 para. 1, letter a) of the GDPR.

Role: Joint Data Controller

Data retention period*: Until consent for this purpose is revoked and/or five years have elapsed since the last interaction with the Data Controllers.

f) If necessary, to ascertain, exercise or defend the rights of the Joint Data Controllers in court.

Type of data processed: Personal data and contact details, data relating to the execution of the contract.

Legal basis: Legitimate interest (legal protection) Art. 6 para. 1, letter f) of the GDPR.

Role: Data Controller

Data retention period*: For the time necessary to exercise the rights in court.

g) Registration on Internet portals.

Type of data processed: Personal data and contact details, company details and job position held

Legal basis: Express consent

Role: Joint Data Controller

Data retention period*: Five years since the last interaction

h) Purpose of providing support for products and services purchased.

Type of data processed: Personal data/contact details depending on the contracted product/service.

Legal basis: Execution of a contract to which you are a party (for resolution of anomalies and malfunctions). Legitimate interest (for analyses aimed at improving the service).

Role: Data Controller

Data retention period*: Five years since the last interaction.

*After deletion, the data may be retained for a further period of up to one year, according to the company’s information system backup retention policies.

3.COMPULSORY PROVISION OF DATA

The data subject shall provide the Company with the data necessary for the performance of the contractual relationship, as well as the data necessary to comply with obligations laid down by laws, regulations, EU rules, or provisions of Authorities empowered to do so by law and by supervisory and control bodies (referred to in purposes a) and f) above).

Data that is not essential for the performance of the contractual relationship is qualified and considered supplementary and its provision by the data subject, if requested, is optional and subject to consent. The consent given may be revoked by the data subject at any time by writing an email to: [email protected]. Such revocation shall in no way affect the lawfulness of the processing based on the consents given prior to the revocation.

4.DATA PROCESSING METHODS

Personal data will be recorded, processed and stored in the Company’s archives, on paper and electronically, in compliance with the appropriate technical and organisational measures set out in Article 32 of the GDPR. Processing of the data subject’s personal data may consist of any operation or set of operations among those listed in article 4, para. 1, point 2 of the GDPR.

The processing of personal data shall take place through the use of instruments and procedures suitable to guarantee its security and confidentiality and may be carried out, directly and/or through delegated third parties, either manually by means of paper media, or by means of computerised or electronic tools. For the purposes of the correct management of the relationship and the fulfilment of legal obligations, the data may be included in the Company’s internal documentation and, if necessary, in the records and registers required by law.

The data subject’s personal data may be processed by employees of the Company’s business departments for the pursuit of the above-mentioned purposes. These employees have been expressly authorised to process the data and have received appropriate operating instructions pursuant to article 29 of the GDPR.

5.CATEGORIES OF RECIPIENTS OF PERSONAL DATA

The personal data of the data subject may be communicated and processed by external parties acting as independent data controllers pursuant to articles 4 and 24 of the GDPR such as, by way of example, authorities and supervisory and control bodies and in general subjects, public or private, legitimately entitled to request the data and/or subjects acting as Data Processors pursuant to article 28 of the GDPR), such as, by way of example, consultancy companies and/or professional firms and/or professionals, e.g. legal, tax and insurance companies.

The data may also be communicated to business partners/dealers for the performance of activities connected with the execution of the contract or for the performance – by them – of commercial actions, subject to the express consent of the data subject.

6.TRANSFER OF DATA TO NON-EU COUNTRIES

The data provided by the data subject will only be processed in countries located within the European Union. If the personal data of the data subject is processed in a non-EU state, the rights conferred on the data subject by Community law will be guaranteed and the data subject will be promptly notified.

7.RIGHTS OF THE DATA SUBJECT

Pursuant to articles 15 et seq. of the GDPR, the data subject may exercise the following rights:

1.Access: confirmation of whether or not the data subject’s personal data is being processed and the right to access it. Requests that are manifestly unfounded, excessive or repetitive cannot be answered;
2.Rectification: the right to correct/obtain the correction of personal data if it is incorrect or outdated and to complete it if it is incomplete;
3.Deletion/right to be forgotten: the right to obtain, in certain cases, the deletion of the personal data provided. This is not an absolute right, as the Company may have legitimate or legal reasons to keep it;
4.Limitation: the data will be archived, but may not be processed or further processed in the cases provided for by law;
5.Portability: the right to move, copy or transfer data from databases from the Company to third parties. This applies only to data provided by the data subject for the performance of a contract or for which express consent has been given and the processing is carried out by automated means;
6.Opposition to direct marketing;
7.Withdrawal of consent at any time, if the processing is based on consent.

Pursuant to art. 2-undicies of Legislative Decree 196/2003, the exercise of the rights of the data subject may be delayed, restricted or excluded by substantiated notice given without delay, unless such notice would jeopardise the purpose of the restriction, for such time and to the extent that this constitutes a necessary and proportionate measure, having regard to the fundamental rights and legitimate interests of the data subject, in order to safeguard the interests referred to in subsection 1(a) (protected anti-money laundering interests), (e) (concerning the carrying out of defensive investigations or the exercise of a right in court) and (f) (concerning the confidentiality of the identity of the employee who reports offences of which they have become aware by reason of their duties). In such cases, the rights of the data subject may also be exercised through the Data Protection Authority in the manner set out in article 160 of the same Decree. In such a case, the Data Protection Authority will inform the data subject that it has carried out all the necessary verifications or that it has conducted a review, as well as of the data subject’s right to take legal action.

It should also be noted that – before processing requests – the Company may carry out an identity check on the data subject in order to assess the legitimacy of the request received.

To exercise these rights, the data subject may contact the Company in relation to the areas as defined above at the address [email protected]

The Company shall respond within 30 days of receipt of the formal request sent by the data subject.

Please note that in the event of a breach of the data subject’s personal data, the data subject may lodge a complaint with the competent authority, the Data Protection Authority.