Privacy Information

Riva Forni Elettrici S.p.A. with registered office in Milan, Viale Certosa 249, as Data Controller pursuant to EU Regulation 679/2016 applicable from 25 May 2018 – General Data Protection Regulation ("GDPR") and pursuant to Legislative Decree no. 196/2003 – Personal Data Protection Code ("Privacy Code") as amended by Legislative Decree no. 101/18 (hereinafter collectively referred to as the "Applicable Law") recognises the importance of protecting personal data and considers the protection of personal data to be one of the main purpose of its business.

In compliance with the Applicable Law, we provide the necessary information regarding the processing of the personal data provided. This information is provided pursuant to articles 13 and 14 of the GDPR and Riva Forni Elettrici S.p.a. invite you to read it carefully as it contains important information on the protection of personal data and the security measures adopted to ensure its confidentiality in full compliance with the Applicable Law.

Riva Forni Elettrici S.p.A. informs you that the processing of personal data will be based on the principles of lawfulness, fairness, transparency, purpose and retention limitation, adequacy, data minimization, accuracy, integrity, and confidentiality. Personal data will therefore be processed in accordance with the legislative provisions of the Applicable Law and the confidentiality obligations set forth therein.

In light of the above, pursuant to articles 6, 7, 9, 13 and 14 of GDPR Riva Forni Elettrici S.p.a. informs you about:

PERSONAL DATA SUBJECT TO PROCESSING

The Data Controller may process the following categories of data;

• Browsing data. The computer systems and software procedures used for the operation of this website acquire, during their normal operation, some personal data whose transmission is implicit in the use of the Internet. This information is not collected to be associated with identified data subjects, but by its very nature could, through processing and association with data held by third parties, allow browsing users to be identified. Such personal data will be processed in the manner and for the purposes described below.
  
  
• Cookies. Cookies are text files that are automatically generated in the user's computer following the visit to certain pages of the site and through which identification data of the user can be collected. For more information, you can consult our Cookie Policy available on the website.
  
  
• Data provided voluntarily by the User. The explicit and voluntary provision of personal data by the User is necessary for access to certain services offered by the Data Controller through the website (e.g. registration form for access to the reserved area via personal account). The personal data processed are essentially identification data and will be processed in the manner described below.

PURPOSE, LEGAL BASIS AND MANDATORY OR OPTIONAL NATURE OF THE PROCESSING

The processing to which your personal data will be subjected has the following purposes:

a) to fulfil specific obligations or to perform specific tasks provided for by national and EU legislation, laws, regulations;

b) to allow the Data Controller to provide its services in compliance with the general principles of lawfulness, fairness, transparency, limitation of purposes and storage, adequacy, data minimization, accuracy, integrity and confidentiality;

c) To allow proper use of the website and/or access to the reserved area, ensuring the correct functioning of the site itself. For the purposes relating to the reserved area, specifically, please refer to the dedicated information.

d) allow the Data Controller to evaluate any applications with a view to personnel search and selection. For this purpose, please refer to the Information notice in the "Work with us" section of the website.

The legal basis for the processing referred to in purpose a) is the fulfilment of a legal obligation. The legal basis for the processing referred to in purposes b), c) and d) is the performance of a contractual or pre-contractual obligation.

The Data Controller also informs that any non-communication, or incorrect communication of any of the mandatory information, has the following consequences:

• the impossibility of the Data Controller to guarantee the adequacy of the processing itself with the contractual or pre-contractual agreements for which it is carried out;
• the impossibility of the Data Controller to evaluate the application submitted or respond to the requests of the data subject, to ensure the correct use of the website, as well as the services offered therein.

METHOD OF THE PROCESSING

The processing may be carried out with the aid of electronic and automated means, will take place at the aforementioned headquarters of the Data Controller, at the operational offices or at identified third parties and will include, in compliance with the limits and conditions set out in articles 5 and 25 of the GDPR, all the operations provided for by article 4 point 1 no. 2) of the GDPR (collection, recording, processing, etc.), necessary for the processing, including communication to the subjects referred to in the following point.

DISCLOSURE AND DATA RECIPIENTS

The personal data processed will not be disclosure, unless explicit authorization of the Data Subject issued prior to suitable information notice. Without prejudice to communications made to competent authorities due to legal obligations, the personal data may be disclosured to companies contractually linked to the Data Controller. The personal data may be disclosure to third parties belong to the following categories:

• subjects who provide services for the management of the IT system used by the Data Controller and the telecommunications networks, and who take care of the maintenance of the IT systems;

The data processed identified in application of company security procedures are not subject to disclosure, except for express and specific requests that may be made by the competent judicial and investigative authorities.

The subjects belong to the aforementioned categories act as Data Processor or operate individually as separate Data Controllers. The list of Data Processors is constantly updated and available on request at the headquarters of the Data Controller.

In addition, during the ordinary processing activities, the subjects expressly designated by the Data Controller as Designated People, authorized according to their respective professional profiles, may have access to personal data.

DATA TRANSFERRED OUTSIDE THE EUROPEAN UNION

The Data Controller does not directly transfer data outside the European Union. However, using cloud services, chosen as a guarantee of adequate and appropriate security measures to protect personal data, a transfer of data outside the EEA could still be carried out, for technical and maintenance reasons, through the following guarantees ensured by the provider:

• Transfer of data by means of an adequacy decision issued by the EU Commission.
  
  
• Transfer of data by signing standard contractual clauses for the transfer of data outside the EU, as defined by the European Commission, in order to ensure a secure and legitimate transfer and consequent processing of data outside the EU.

DATA RETENTION

The processing and the storage of the personal data will have a data retention necessary to get the purposes indicated in this information notice, including the compliance with rules and regulations, in any case no later than 12 (twelve) months from receipt of the data specified above.

RIGHT OF ACCESS TO PERSONAL DATA AND OTHER RIGHTS

Pursuant to the GDPR, the Data Subject shall have the right to ask the Data Controller for access (art. 15 GDPR), rectification (art. 16 GDPR), erasure or oblivion (art. 17 GDPR) when the Data Controller has no longer any legal basis for processing, the limitation of the processing of personal data concerning Data Subject within the limits provided for by current legislation (art. 18 GDPR), the right to data portability (art. 20 GDPR) or to object to the processing (art. 21 GDPR), as well as the right not to be subject to a decision based solely on automated processing, including profiling, which may produce legal effects on the Data Subject or which in the same way significantly affects the Data Subject (art. 22 GDPR). If the processing of personal data is based on the express consent of the Data Subject, pursuant to art. 7 paragraph 3 of the GDPR, the Data Subject shall revoke the consent given at any time.

The exercise of the rights listed above is free of charge and is not subject to formal constraints and can therefore be exercised using the contact details made available by the Data Controller. When the Data Subject exercises any of its rights, the Data Controller must verify that the Data Subject is entitled to exercise these rights and must give feedback within one month.

The Data Subject shall also have the right to lodge a complaint with the Supervisor for the protection of personal data, using the contact details available on the Supervisor’s website www.garanteprivacy.it or to appeal to the competent courts (Article 77 GDPR) if the Data Subject believes that the processing carried out by the Data Controller does not comply with the General Data Protection Regulation.

DATA CONTROLLER AND DATA PROTECTION OFFICER

The Data Controller is Riva Forni Elettrici S.p.A. with registered office in Milan Viale Certosa 249, telephone number +39 02 307001, e-mail privacyitalia.rfe@rivagroup.com. Riva Forni Elettrici S.p.A. has appointed as Data Protection Officer (DPO) GetSolution di Paola Generali, with registered office in Via Fabio Filzi, 23 20124 Milan, telephone number +39 02 39661701, e-mail dpo-grupporiva@getsolution.it, available for any information regarding the processing of personal data carried out by the Data Controller.