Privacy Law (in particular EU Regulation 2016/679, the “General Data Protection Regulation”, hereinafter referred to by its English acronym “GDPR”) requires us, as the Site Operator, to provide you with the following information on the processing of your Personal Data, pursuant to Article 13 of the GDPR.
The “Processing of Personal Data”, in simple terms, is any operation concerning any “information relating to an identified or identifiable natural person”. For example, your first and last name, or an email address with a “user name” that identifies you (e.g. mariorossi@….), is considered “Personal Data”. “Processing” operations include actions such as collecting your Personal Data, recording it and using it to send you a communication, as well as communicating Personal Data to other organisations and archiving it.
You, as the “natural person to whom the Personal Data relates”, are defined as a “Data Subject”, and are entitled to receive the following information about who we are, what Personal Data we process, why, how and for how long we process it, and what obligations and rights you have in this respect.
Who are we?
Ermes Cyber Security S.r.l. with registered office in Via Corso Bernardino Telesio n. 29, Turin (TO), postcode 10146, fiscal code, VAT number and registration number with the Register of Companies of Turin 1171620019 (hereinafter also referred to as “ECS” or “Data Controller”).
Which categories of data subjects are covered by this information notice?
Visitor: the natural or legal person who uses a device and navigates, via the Internet network, on the public pages of the Site.
User: a Visitor who benefits from ECS Products or Services provided through the Site.
What categories of Personal Data do we process?
Common Data (surname and first name, e-mail address, telephone number, name of the organisation you work for and your role within that organisation), to the minimum extent necessary to achieve each of the Purposes set out below.
In order to allow You to use the Site, we also process Browsing Data, which sometimes does not consist of Personal Data because it does not allow Your identification. For more information on what Browsing Data means and under what conditions it is Personal Data, please refer to the respective Glossary entry at the end of this policy.
Why do we process Personal Data (Purpose), what is the basis of the Processing (Legal Basis) and what is the Data Retention Period?
Purpose 1: provision and use of the Site. It should be noted that for this purpose the Data Controller makes use exclusively of Browsing Data, with Common Data being expressly excluded.
- Retention Period: 1 week from the date of your last access to the Site.
Purpose 2: to provide the Newsletter Service.
- Legal Basis: execution of a contract to which you are a party (We remind you that according to our General Terms and Conditions, “By subscribing to the Newsletter by means of the form available on the Site, the User declares that he/she has the legal capacity, according to his/her national law, to act in order to accept these General Terms and Conditions. This acceptance is made by point-and-click mode”).
- Retention Period: until unsubscription from the Newsletter, or no longer than two years after the last unopened e-mail.
Purpose 3: to provide the Service called Request Demo.
- Legal Basis: performance of a contract to which you are a party (We remind you that according to our General Terms and Conditions, “By submitting the application form, the User declares that he/she has the legal capacity, according to his/her national law, to act in order to accept these General Terms and Conditions. This acceptance is made by point-and-click mode”).
- Retention Period: until unsubscription from the Newsletter, or no longer than two years after the last unopened e-mail.
To whom do we disclose the Data (Categories of Recipients)?
To the minimum extent necessary to achieve each of the Purposes, on one of the legitimacy prerequisites described above and on the basis of the Applicable Legislation and/or a contractual agreement with the Controller, to:
- Persons Authorised by us (e.g. our employees), committed to confidentiality or subject to a legal obligation of confidentiality;
- external organisations necessary for the performance of activities connected with and consequent to the management of the Site and the provision of the Services, which act as Data Processors (e.g. suppliers of IT services, etc.) obliged to maintain confidentiality and comply with Privacy Law;
- consultants and/or professionals appointed by us, autonomous Data Controllers.
Do we transfer Personal Data outside the European Union?
We will not transfer Personal Data outside the European Union.
Are you obliged to provide us with Personal Data?
For Purpose No. 1, there is no obligation to do so, as the acquisition of Browsing Data is sufficient to allow the Controller to provide the Site.
Of course you are not obliged to use our Services (Purposes 2 and 3), but if you wish to do so you are obliged to provide us with the Data we require from you because it is necessary for the performance of the contract (the General Terms and Conditions).
What happens if you do not provide us with your Data?
If your refusal relates to Purpose 1, you will simply cease to use the Site and your Browsing Data will be deleted within 1 week from the date of your last access to the Site.
If your refusal relates to the Services referred to in Purposes 2 and 3, it will not be possible to provide the Service you require.
What rights do you have?
You have the right to:
- access your Data in our possession, and request a copy thereof, except where the exercise of the right affects the rights and freedoms of other natural persons;
- request the rectification of any incomplete or inaccurate Data;
- request the erasure of Data, subject to the exclusions or limitations established by the Applicable Legislation (e.g. Article 17 § 3 GDPR);
- request the Restriction of Processing, where the conditions are met and subject to the exclusions set out in Article 18 § 2 GDPR;
- request the portability of the Data (i.e. to receive them in a structured, commonly used and machine-readable format, in order to be able to transmit them to another Data Controller without hindrance), to the extent that the Processing is based on consent or on the need to perform a contract, where technically possible and except where the exercise of the right affects the rights and freedoms of other natural persons;
- lodge a complaint with the Italian Data Protection Authority (in Italy, www.garanteprivacy.it), or with the national Data Protection Authority of the EU country in which you normally reside or work, or of the place where the alleged infringement occurred.
The exercise of the above rights may also be delayed, limited or excluded in the cases provided for in Article 2-undecies of Italian Legislative Decree 196/2003.
If you have any doubts or questions about the Processing of your Data, what can you do?
You can contact us at the following e-mail address: firstname.lastname@example.org.
ECS does not knowingly collect personal information about individuals who, according to their national legislation, lack the legal capacity to act for the purpose of entering into contracts. In the event that information about such individuals is recorded, ECS will delete it in a timely manner, at the request of the data subject or of the person exercising parental authority over them.
Glossary
“Applicable Law”: any provision, of whatever rank, belonging to Italian law or to the law of the European Union, in any way applicable to the Site and/or the Services.
“Authorised Person”: the natural person, placed under the direct authority of the Controller, who receives from the latter instructions on the Processing of Personal Data, pursuant to and for the purposes of Article 29 of the GDPR.
“Authority”: a body or organisation, public or private, with administrative, judicial, police, disciplinary or supervisory powers.
“Board” or “EDPB” means the European Data Protection Board, established by Article 68 of the GDPR and governed by Articles 68 to 76 of the GDPR, replacing WP29 as of 25/5/2018.
“Browsing Data”: the data that the computer systems and software procedures used to operate the site acquire during their normal operation, and whose transmission is implicit in the use of Internet communication protocols. This information is not collected in order to be associated with identified data subjects, but by its very nature could, through processing and association with data held by third parties, allow users to be identified. This category of data includes the IP addresses or domain names of the computers used by users who connect to the site, the URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user’s operating system and computer environment. These data are used for the sole purpose of obtaining anonymous statistical information on the use of the site and to check that it is functioning correctly, and are deleted immediately after processing.
“Common Data”: any of the following types of Personal Data: surname and first name, e-mail address, telephone number, name of the organisation you work for and your role within that organisation.
“Communication”: “the giving of knowledge of personal data to one or more determined persons other than the data subject, the data controller’s representative in the territory of the European Union, the data processor or its representative in the territory of the European Union, the persons authorised, pursuant to Article 2-quaterdecies, to process personal data under the direct authority of the data controller or processor, in any form, including by making them available, consulting them or by interconnecting them” (as defined in Article 2-ter, paragraph 4, letter a of the Privacy Code).
“Data Controller” or, briefly, “Controller” means “the natural or legal person, public authority, service or other body which alone or jointly with others determines the purposes and means of the processing of personal data”, as defined in Article 4, subsection 1, no. 7, of the GDPR, and here specifically ECS.
“Data Processor”: “the natural or legal person, public authority, service or other body that processes personal data on behalf of the controller”, as defined in Article 4, subsection 1, no. 8, of the GDPR.
“Data Subject”: an “identified or identifiable natural person”, as defined in Article 4, subsection 1, no. 1, of the EU Regulation 2016/679 (the “GDPR”), which in this case is a Visitor or a User.
“Data”: all information directly or indirectly referable to the Data Subject, including Browsing Data and Personal Data.
“Dissemination”: “giving knowledge of personal data to unspecified subjects, in any form, also by making them available or consulting them” (as defined in Article 2-ter, paragraph 4, letter b of the Privacy Code).
“ECS” or “Company”: Ermes Cyber Security S.r.l., with registered office in Corso Bernardino Telesio 29, 10146 Turin, Italy, VAT number 11716270019, registered in the Turin Register of Companies, REA TO-1171620019.
“GDPR”: the EU Regulation 2016/679 “on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation)”.
“Law(s)” or “Regulation(s)”: one or more of the sets of regulations referred to in this notice as the Privacy Law and Applicable Law.
“Limitation” means “the marking of personal data stored with the aim of limiting their processing in the future”, as defined in Article 4, subsection 1, no. 3, of the GDPR.
“Personal Data”: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is any natural person who can be identified, directly or indirectly, by reference in particular to an identifier such as a name, an identification number, location data, an online identifier or to one or more features of his or her physical, physiological, genetic, mental, economic, cultural or social identity”, as defined in Article 4, subsection 1, no. 1, of the GDPR.
“Privacy Code”: Legislative Decree No. 196/2003 as amended and/or supplemented (in particular by Legislative Decree No. 101/2018).
“Privacy Legislation”: EU Regulation 2016/679 (“GDPR”), Legislative Decree 196/2003 as amended and/or supplemented (“Privacy Code”), as well as the measures adopted by the Supervisory Authority in execution of the tasks established by the GDPR and the Privacy Code, and further applicable legislation, of whatever rank, including the opinions and guidelines developed by the Board (EDPB).
“Processing”: “any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”, as defined in Article 4, subsection 1, no. 2, of the GDPR.
“Publication”: the action by which the Controller communicates information on the Site, without the implementation of procedures that require the Visitor to view it.
“Recipient”: “the natural or legal person, public authority, service or other body that receives communication of personal data, whether or not it is a Third Party”, as defined in Article 4, subsection 1, no. 9, of the GDPR.
“Retention Period”: the maximum period for which, according to the Privacy Law, taking into account the Purpose and the Legal Basis of the Processing, the Controller may process the Personal Data of the Data Subjects.
“Site”: the web pages displayed through https://www.ermes.company/ and related subdomains.
“Supervisory Authority”: the independent public authority established by a State of the European Union, or by the European Union itself, in charge of supervising the application of Privacy Law (for Italy, the Italian Data Protection Authority, http://www.garanteprivacy.it).
“Third Party”: “the natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons authorised to process personal data under the direct authority of the controller or processor”, as defined in Article 4, subsection 1, no. 10, of the GDPR.
“User”: a Visitor who uses the Products or Services of ECS provided through the Site.
“Visitor”: the natural or legal person who uses a device and navigates, via the Internet, on the public pages of the Site.
“WP29”: the Working Party on the Protection of Individuals with regard to the Processing of Personal Data, set up pursuant to Article 29 of Directive 95/46/EC, whose tasks are laid down in Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC.