ECSA Chemicals AG, registered office in CH-9230 Flawil, Burgauerstrasse, 17, CHE-143.818.564, represented by the legal representative pro tempore, and ECSA Italia s.r.l., registered office in 20832 Desio (MB), via Lavoratori Autobianchi, 1, tax code and VAT registration number 00222470130, represented by the legal representative pro tempore, as Joint Controllers of the processing (hereinafter “Joint Controllers”), on the basis of the joint controller arrangement set out in art. 26, GDPR. The essential content of such regulation is available to you.
The Joint Controllers, aware of the importance of ensuring the security of personal information, in compliance with European law, will provide the information below in order to make web site users (hereinafter referred to as “Users”) aware of the features and methods of personal data processing.
1 - Subject of the processing
1.1 The Joint controllers process the User’s personal data collected when the User browses the web site and uses a service and/or a function in the web site.
1.2 Specifically, the Joint controllers may process:
(i) identification and contact personal data (e.g. name, surname, tax code, VAT reg. number, telephone number, e-mail address, etc.) or other information (e.g. relevant company, role and/or position held, sector of interest, etc.), supplied by the User when using the web site, when registering with the web site and when using the services and/or functions of that web site;
(ii) personal data whose transmission is connected to the use of Internet communication protocols (e.g. access to the web page, amount of transferred data, status message when accessing, session ID numbers, IP addresses, URL addresses, localisation data, display language, coordinated universal time, etc.).
2 - Purpose and legal basis of the processing
2.1 The User’s personal data may be processed, without his/her explicit consent, for the purposes listed below:
(i) to make the web site’s functions usable and to provide the functions and services of that web site;
(ii) to send the newsletter if the User has explicitly requested it;
(iii) to reply to the User’s reports, questions and/or requests.
2.2 In this case, the legal basis for the processing will be the supply and the execution of the web site’s functions and/or the services requested by the User (art. 6, paragraph 1, point b, GDPR).
2.3 Additionally, the User’s personal data may be processed without the User’s explicit consent also for the purposes of:
(i) ensuring the technical functioning of the web site and services and/or the web site’s functions. In this case, the legal basis for the processing is the Joint controllers’ legitimate interest in ensuring the technical functioning of the services and/or the web site’s functions (art. 6, paragraph 1, point f, GDPR);
(ii) complying with the legal obligations, legal proceedings or orders of the Authorities. In this case, the legal basis for processing is compliance with legal obligations, EU laws or an order from the Authorities (art. 6, paragraph 1, point c, GDPR);
(iii) lawfully protecting the operations, privacy, security and/or the assets of the Joint controllers and allowing the Joint controllers to exercise their rights. In this case, the legal basis for processing is the lawful interest of the Joint controllers to legally protect themselves and exercise their rights (art. 6, paragraph 1, point f, GDPR).
2.4 Some of the User’s personal data may also be processed, with prior specific and unequivocal consent of the User, for the additional purposes listed below:
(i) to carry out market surveys, including surveys aimed at assessing the levels of customer satisfaction, and to send materials, promotional and marketing communications on products and/or services provided by the Joint controllers and, in general, by the ECSA Group, using automated systems (e.g. e-mails, SMS, MMS, etc.) or traditional channels, i.e. ordinary mail (marketing purposes);
(ii) to analyse the preferences, habits, behaviours or interests of the User inferred, for example, from the preferences expressed when registering with the web site or gathered when the User uses the web site’s functions or services, in order to send targeted advertising communications (profiling purposes). If consent is given, the User’s personal data for profiling purposes will be processed with data processing equipment that will create a commercial profile through cross-referencing. This data processing tool cross-references User browsing data with data collected when the User registered with the web site and when the web site’s functions and/or services are used, though specific forms;
(iii) disclosure of the User’s personal data to other companies in the ECSA Group (ECSA Maintenance AG, ECSA Energy SA, Porta Ticino Easy Stop SA, Stalvedro Easy Stop SA), to allow these companies to contact individual Users and send them materials, promotional and marketing communications on products and/or services offered by them, using automated systems (e.g. e-mails, SMS, MMS, etc.) or traditional channels, i.e. ordinary mail (purpose of disclosing personal data to other companies of the ECSA Group);
2.5 In these cases, consent is the legal basis of the processing (art. 6, point a, GDPR).
3 - Data provided by the User
3.1 The web site contains services and/or functions that allow the User to contact and/or interact with the Joint controllers.
3.2 When registering with the web site, by activating one of the specific functions, Users are asked to provide their personal data. Providing personal data is essential to be able to use some of the web site’s functions and/or specific requested services. Failure to provide such data makes it impossible for the User to use some of the web site’s functions and/or specific requested services.
4 - Browsing data
4.1 During their normal operation, the IT systems and software procedures used by the web site to function can acquire some personal data whose transmission is implicit in the use of Internet communication protocols (so-called browsing data).
4.2 This category of data includes IP addresses or domain names of computers and workstations used by Users who connect to the website, URI/URL (“Uniform Resource Identifier” and “Uniform Resource Locator”) of the requested resources, time of request, the method used to submit the request to the server, the size of the reply file, the numerical code indicating of the response’s status from the server (successful, error, etc.) and other parameters related to the User’s operating system and computer environment.
4.3 These data, which are needed to use web services, are also processed for the purpose of:
(i) obtaining statistical information on the use of services (e.g. most frequently visited pages, number of visitors in time bands or per day, geographical area of origin, etc.);
(ii) checking that the services offered function correctly.
4.4 The browsing data does not persist for more than a few days (unless judicial authorities need to determine if an offence has been committed).
5 - Provision of the personal data
5.1 The provision of personal data by the User as set out in point 2.1 is not mandatory, but failure to do so makes it impossible to register with the web site, impossible for the Joint controllers to provide services and/or web site functions and for the Joint controllers to reply to the User’s reports, questions and/or requests.
5.2 The provision of personal data for the purposes in point 2.4 is optional and is linked to the User expressing consent.
5.3 The provision of browsing data is necessary to use the web site’s services and or functions.
6 - Processing methods
6.1 The processing of personal data is carried out with the operations listed in art. 4, paragraph 1, no. 2), GDPR, i.e. any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
6.2 Personal data shall be processed according to the principles of lawfulness, fairness and transparency. It can be done using automated methods that can memorise, manage and transmit the data, using equipment, depending on the state of the art and mutatis mutandis, that is suitable to ensure the safety and confidentiality of the data, using appropriate procedures that avoid the risk of loss, unauthorised access, unlawful use and dissemination of data. The personal data can be stored on digital or paper support or on any type of support considered the most appropriate for processing.
7 - Data storage period
8 - Disclosure of data
8.1 The personal data processed by the Joint controllers will not be disclosed, i.e. they will not be provided to unspecified subjects, in no form whatsoever, including consultation or otherwise making them available, without the specific, unequivocal prior consent of the User.
8.2 The data may be made accessible to the workers and/or collaborators who are employed by or work for the Joint controllers and/or to some external subjects that provide sufficient guarantees they have implemented appropriate legal, technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject. Specifically, the data may be disclosed to: i. employees and/or collaborators of the Joint controllers, as persons authorised to process personal data and/or System Administrators; ii. third party companies or other subjects to which the Joint controllers have outsourced activities, as external processors of personal data.
8.3 Additionally, the Joint controllers may disclose the personal data to the persons entitled to access them under the provisions of the law, rules and EU regulations, and to all the other subjects to whom communication is mandatory according to the law.
9 - Data transfer
9.1 Personal data will be managed and stored on servers and/or in premises of the Joint controllers and/or third party companies officially appointed as data processors, based in Switzerland (which the European Commission rates as a country that guarantees adequate protection of personal data) and/or inside the European Union or the European Economic Area (EEA) or, in any case, in countries outside the European Union or the European Economic Area (EEA), which the European Commission rates as countries that guarantee adequate protection of personal data pursuant to art. 45, GDPR, i.e. in compliance with the provisions set forth in articles 46 and 47, GDPR.
10 - Rights of the data subject
10.1 Pursuant to articles 15 to 22, GDPR, in the cases listed, the User has the right to:
(i) obtain confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the related information, including receiving a copy of it (so-called right of access);
(ii) obtain the rectification of inaccurate personal data and/or the integration of the incomplete personal data concerning him or her (so-called right to rectification);
(iii) obtain the erasure of personal data concerning him or her where one of the grounds set out in the GDPR applies (so-called right to erasure);
(iv) to obtain the restriction of processing to only some of the personal data where one of the grounds set out in the GDPR applies (so-called right to restriction of processing);
(v) request and receive the personal data concerning him or her, in a structured, commonly used and machine-readable format or request and have those data transmitted to another controller without hindrance (so-called right to data portability);
(vii) withdraw, at any time, the consent given to the processing of personal data (so-called right to withdraw consent);
(vii) object, in full or in part, to the processing of personal data (so-called right to object);
(viii) not to be subject to a decision based solely on automated processing in the cases listed in the GDPR.
10.2 If the User believes the personal data are being processed in violation of the provisions set forth in the GDPR, he/she has the right to lodge a complaint with the supervisory authority (art. 77, GDPR), or seek an effective judicial remedy (art. 79, GDPR).
11 - Procedures for the exercise of rights
12 - Controllers, processors, authorised subjects
12.1 The Joint Controllers are:
ECSA Chemicals AG, registered office in CH-9230 Flawil, Burgauerstrasse, 17, CHE-143.818.564, represented by the legal representative pro tempore, and ECSA Italia s.r.l., registered office in 20832 Desio (MB), via Lavoratori Autobianchi, 1, tax code and VAT registration number 00222470130, represented by the legal representative pro tempore. More information on the processors and subjects authorised to process personal data can be obtained by contacting the Joint controllers at the addresses included in this policy.
13 - DATA PROTECTION OFFICER – DPO
ECSA Italia s.r.l. has appointed the person in charge for the protection of personal data – c.d. Data Protection Officer or “DPO”, who can be contacted for any information and / or request at the following e-mail address: firstname.lastname@example.org
Changes to the policy
This policy may change. Users should check this policy regularly and refer to the most updated version.
Policy updated on 13/01/2021..