PURSUANT TO ARTICLE 13 OF REGULATION (EU) 2016/679 CONCERNING THE PROTECTION AND PROCESSING OF PERSONAL DATA (GDPR)
1. IDENTITY OF THE DATA CONTROLLER
The Data Controller is Marazzi Group S.r.l. a Socio Unico, with registered office at Viale Regina Pacis 39, 41049 Sassuolo (Modena) Italy, in the person of its current legal representative (the "Data Controller" or "Marazzi").
2. WHICH PERSONAL DATA WE PROCESS
3. PURPOSES AND LEGAL BASIS OF THE PROCESSING
The Data Controller will process your personal data for the following purposes:
- purposes related to the finalisation of the warranty extension contract and the management and execution of works under warranty and associated procedures, including the management of communications and deliveries, the making of payments and any other contractual activities requiring the processing of your personal data; the legal basis for this purpose is the fulfilment of a contract to which you are a party, under article 6, first comma, subsection b), of the GDPR or, if you are an employee/contact of the legal person customer, the legitimate interest of the Data Controller, under article 6, first comma, subsection f) of the GDPR, deriving from the need to interact with the legal person customer though you;
- administrative-accounting purposes or purposes of compliance with laws, regulations and the instructions of authorities; the legal basis for this purpose is the fulfilment of a legal obligation to which the Data Controller is subject under article 6, first comma, subsection c) of the GDPR;
- purposes relating to the management of any disputes; in this case the legal basis of the data processing is the pursuance of a legitimate interest of the Data Controller, under article 6, first comma, subsection f) of the GDPR;
- marketing purposes via conventional means (e.g. telephone contact with operator, paper mail, etc.), via email, or automated contacts (e.g. email campaigns, SMS, automated telephone contact, instant messaging, social media, etc.); the legal basis of the data processing is the issue of your consent, under article 6, first comma, subsection a) of the GDPR. However, if your email address has been contributed in the context of the purchase of one of the Data Controller's products or services, marketing emails relating to similar services or products may be sent on the basis of the legitimate interest of the Data Controller, pursuant to article 6, first comma, subsection f) of the GDPR, subject in all cases to the right to object to this processing purpose at the time of sending of every communication, by clicking the link provided "If you no longer wish to receive this email, click here” or by the procedures described in point 7 below;
4. DATA STORAGE PERIOD, NATURE OF CONTRIBUTION AND PROCESSING PROCEDURES
The period of storage of your personal data:
- for the purposes as per point 3 subsection a) above will be the entire duration of the contract relationship, plus the time after this period required by the relevant legislation;
- for the purposes as per point 3 subsection b) above will be the duration of the legal obligation enforced by the relevant legislation;
- for the purpose as per point 3 subsection c) above, will be the duration of the dispute, and a period of 10 years after its resolution;
- for the purposes as per point 3 subsections d) and e) above, may continue until you decide to withdraw your consent, if applicable, or until you decide to exercise your right to object to the processing.
With regard to the purposes as per point 3 subsections a), b) and c) above, the contribution of your personal data is compulsory and your refusal to contribute them will render the performance of the work under warranty impossible; with regard to the purposes as per point 3 subsections d) and e) above, the contribution of your personal data is optional and if you refuse to contribute them the Data Controller will simply be unable to update you concerning its products and projects, or to submit surveys to you.
Your personal data will be processed, in compliance with the provisions of the GDPR, by paper, IT and telematic means, for the stated purposes, and in all cases by procedures which guarantee an appropriate level of security and confidentiality, in accordance with the provisions of Article 32 of the GDPR.
5. RECIPIENTS OF YOUR PERSONAL DATA, AND PARTIES WHO MAY GAIN KNOWLEDGE OF THEM
For the pursuance of the purposes described in point 3 above, the personal data processed will be known to Marazzi's employees, contract staff and associates working in the capacity of authorised data users.
Moreover, for the pursuance of the purposes described in point 3 above, your personal data may be processed by third parties belonging, for example, to the following categories:
- providers of technical assistance services for operation of the IT system, logistics suppliers, advertising agencies or other suppliers of services related to the work done under warranty (e.g. transporters, installers, system engineers, etc.);
- dealers or parties through which Marazzi supplies its products;
- supervisory and controlling authorities and bodies, and public or private bodies in general with a public interest function;
- business partners;
- suppliers of external digital communications platforms;
- other companies belonging to the same group of companies as or linked to Marazzi, or the parent company Mohawk Industries.
The entities in the aforesaid categories operate in some cases as data processors specifically designated by the Data Controller in accordance with article 28 of the GDPR, and in other cases with complete independence as separate Data Controllers, in which case your personal data would be disclosed to the said independent data controllers on the basis of the Data Controller's legitimate interest arising from the constraints connected to the organisational model adopted and, in all cases, solely for the pursuance of the purposes referred to in point 3 above.
Your personal data will not be disseminated.
6. TRANSFER OF PERSONAL DATA OUTSIDE THE EUROPEAN UNION
For technical and organisational purposes, your data may be transferred to non-European Union member states: this transfer is, in any case, lawful since it is covered by adequacy decisions issued by the European Commission and/or standard data protection clauses based on the models adopted by the European Commission pursuant to art. 46 of the GDPR.
You may request a copy of the safeguards adopted for transfer of your personal data outside the EU, and information concerning the places where they are made available, by sending a specific request to the Data Controller at the email address firstname.lastname@example.org.
7. YOUR RIGHTS AS DATA SUBJECT
- right of access - article 15 GDPR: right to obtain confirmation of whether or not personal data concerning you are being processed and, if this is the case, to obtain access to your personal data - including a copy of them - and communication, amongst other things, of the following information:
- purposes of the processing
- categories of personal data processed
- recipients or categories of recipients to whom they have been or will be disclosed
- data storage period or the criteria used
- rights of the data subject (rectification, erasure of personal data, restriction of processing and right to object to processing)
- right to lodge a complaint with the supervisory authority
- right to receive information on the origin of personal data if they have not been collected from the data subject
- the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the envisaged consequences of such processing for the data subject
- right to rectification - article 16 GDPR: right to obtain, without undue delay, the rectification of inaccurate personal data concerning you and/or the completion of incomplete personal data;
- right to erasure (right to be forgotten) - article 17 GDPR: right to obtain, without undue delay, the erasure of personal data concerning you, when:
- the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- you have withdrawn consent and where there is no other legal ground for the processing;
- you have successfully objected to the processing of the personal data;
- the data have been unlawfully processed,
- the data have to be erased for compliance with a legal obligation;
- the personal data have been collected in relation to the offer of information society services referred to in article 8, comma 1 of the GDPR.
The right to erasure does not apply to the extent to which the processing is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or for the establishment, exercise or defence of legal claims.
- right to restriction of processing - article 18 GDPR: right to obtain restriction of the processing, when:
- the accuracy of the personal data is contested by the data subject;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead
- the data subject needs the personal data for the verification, exercise or defence of a right during judicial proceedings;
- the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.
- right to data portability - article 20 GDPR: right to receive the personal data concerning you, which you have provided to the Data Controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance, if the processing is based on consent and is carried out by automated means. In addition, the right to have your personal data transmitted directly by the Data Controller to the other controller, where technically feasible.
- right to object - article 21 GDPR: right to object to the processing of personal data concerning you, unless there are legitimate grounds for the Data Controller to continue the processing;
- right to withdraw consent: right to withdraw the consent given previously at any time
- right to lodge a complaint with the data protection authority of your member State of residence or work, or of the location in which the alleged breach occurred.
The above rights may be exercised in relation to the Data Controller using the contacts provided in point 1 above. The Data Controller shall examine your request and shall inform you, without undue delay and in all cases within no more than one month of its receipt, concerning the action taken with regard to your request.
The exercise of your rights as data subject is free of charge in accordance with article 12 of the GDPR. However, in the event of requests which are manifestly unfounded or excessive, in particular because of their repetitive character, the Data Controller may charge you a reasonable fee taking into account the administrative costs of dealing with your request, or refuse to act on the request.
Please also note that the Data Controller may request further information necessary to confirm the identity of the data subject.
Marazzi Group S.r.l. a socio unico
Last updated 30.04.2020