Privacy Policy

VERYWELL SERVICES SRL with its registered office in via Kennedy 1/A 20844 Triuggio (MB), Tax Code and VAT Number 09547600966 email (hereafter “DATA CONTROLLER”) as data controller, informs you under art. 13 of EU Regulation 2016/679 (hereafter “GDPR”) that the processing of your freely-given or collected data, follow the privacy rules, based on the principles of fairness, lawfulness and transparency, carried out under the principles of relevance and completeness, and will not exceed processing purposes.

1. Personal data processed

“Personal Data” means any information concerning an identified or identifiable individual (“data subject”) who can be directly or indirectly identified through a name, identification number, location data, an online identifier or one or more elements of their physical, physiological, psychological, economic, cultural or social identity.

“Special Data” means personal data which reveals an individual’s racial and ethnic origin, religious or philosophical beliefs, union membership, and genetic and biometric data, data relating to health, sexual life or orientation.

“Judicial data” means personal data relating to criminal convictions, crimes or related security measures.

“Processing” means any operation or a set of operations, performed with or without the aid of automated methods, applied to personal data or a set of personal data, such as collection, registration, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

2. Processing purpose

The supplied data will be processed for the following purposes:

• Requirements relating to the stipulation of contracts and assignments, their performance, later modifications or variations and any obligation envisaged for their fulfilment;
• Operational, organisational, management, financial, insurance and administrative-accounting requirements related to established contractual and pre-contractual relationships;
• Fulfil any obligation required by laws, regulations, or EU legislation.

3. Data processing methods

The processing carried out by the Data Controller under this policy takes place at the Data Controller’s headquarters and is handled by internal personnel, appointed in writing, in charge of processing, under GDPR, or Data Controller external personnel, upon written appointment, as Data Processor under GDPR art. 28.

The Processing will be carried out manually or in a partially or fully automated way. The personal data processing may consist of collection, registration, organisation, storage, consultation, use, processing, modification, selection, retrieval, alignment, combination, transmission, communication, deletion, destruction, blocking and limitation.

Processing will be carried out on physical and electronic copies using electronic, IT and telematic tools suitable to guarantee the security and confidentiality of data under GDPR art. 32 of GDPR, art. 31 of Legislative Decree 196/03 on “appropriate security measures” and art. 33 of Legislative Decree 196/03 on minimum security measures.

Processing technical, IT, organisational, logistical, and procedural security measures shall be carried out under Annex B of Legislative Decree 196/03, to guarantee the minimum legally required data protection. The methods mentioned above, applied to processing, will guarantee data access only to the parties specified in point 6).

4. Retention period

Personal data will be stored on Italian servers for the time necessary for the purposes for which it was collected and processed. The Data Controller will be entitled to store part or all personal data for the purposes permitted by GDPR.

5. Data provision and consequences in case of failure

The provision and processing of data is:

• mandatory and does not need consent for the purposes related to obligations under the laws, regulations or EU regulations;
• necessary and does not need consent for personal data which is essential for the correct establishment of the assignment and the proper management and continuation of service provision;
• necessary and does not need consent for public interest tasks or exercise of public authority of which the Data Controller is invested;
• necessary and does not need consent for pursuing the legitimate interests of the Data Controller or third parties;
• optional and needs your explicit consent for all personal data collected for purposes not directly or indirectly related to contractual, pre-contractual and legal obligations, safeguarding of vital interests, performance of public tasks, exercise of public authority or pursuit of legitimate interests.

Failure to provide the above data could jeopardise the regular performance of the relationship with the Data Controller. Failure to supply the mandatory and necessary personal data could result in the inability of the Data Controller to perform and provide the services requested.

6. Data access

Other than the Data Controller Legal Representative, Personal data may be made accessible for the purposes referred to in art. 2 to the following subjects or special categories of subjects:

• Data Controller’s partners, authorised by the Data Controller, as those in charge of processing or system administrators;
• third-party companies or other parties carrying out outsourcing activities on behalf of the Data Controller (e.g. translators, interpreters) in their role as Data Processors;
• those who carry out checks, audits and certification of Data Controller activities;
• consultants and consulting firms, freelancers, banking and insurance companies, accountants, law firms, labour consulting firms, and IT companies.

Personal data may be sent to the Public Administration, Social Security and Welfare Bodies, Public Bodies, Police Forces, Judicial Authorities or other Public and Private Entities, exclusively for fulfilling the assigned task and legal obligations, regulations or EU regulations.

The data will not be disclosed to other parties other than those mentioned in this policy.

7. Data dissemination

No personal data will be disseminated or transferred to third parties except with the data subject’s explicit consent. Where the communication to third party suppliers should be necessary for organisational, administrative or support needs for the services, the Data Controller shall appoint those third parties as Data Processors under GDPR.

8. Special personal data categories and data related to criminal convictions and offences

The Data Controller may process special categories of personal data, which reveal racial or ethnic origin, political opinions, religious, philosophical or other beliefs, membership of a political party, trade union, associations or organisations with a religious, philosophical, political or trade union nature and personal data and personal data revealing health status and sexual orientation.

The Data Controller may process personal data identified as “judicial” or which reveals criminal and administrative measures and pending charges, or the status of a defendant or being the subject of an investigation.

In these cases, the Privacy Supervisor General Authorisations will limit processing, under Legislative Decree 196/03 and for the purposes necessary for the operations related to the supply of products and services and the fulfilment of contractual or legal obligations.

In addition to the Data Controller Legal Representative, the subjects and categories of subjects who may become aware of the data or to whom the data may be disclosed are:

• Data Controller’s partners, authorised by the Data Controller, as those in charge of processing or system administrators;
• third-party companies or other parties carrying out outsourcing activities on behalf of the Data Controller (e.g. translators, interpreters) in their role as Data Processors;
• consultants and consulting firms, freelancers, banking and insurance companies, accountants, law firms, labour consulting firms, and IT companies.

9. Personal data transfer

The data may be processed and transferred, for the purposes referred to in point 2) and under the procedures set out in point 3), to the parties referred to in points 6) and 8) located in countries belonging to the European Union and/or outside the European Union based on a European Commission Adequacy Decision, Adequate Privacy Guarantee, or a Privacy Supervisory Authority Authorisation.

10. Data subject rights

You can ask the Data Controller Legal Representative for a copy of your personal data, its processing location and an updated list of all Data Processors and System Administrators authorised to process your data at any time using the contact details shown in this policy.

You can freely withdraw your consent, at any time, without any charge and without prejudice to the lawfulness of the processing carried out until that time. Under Articles 15 to 22 of EU Regulation 2016/679 you may exercise the following rights:

1. request confirmation of the personal data’s existence;
2. obtain information about the processing purposes, personal data categories, recipients or categories of recipients who handle or will handle the personal data and, where possible, the retention period;
3. obtain data correction and deletion;
4. obtain a processing limitation;
5. obtain data portability, i.e. receive it from the Data Controller, in a structured, commonly used and electronically readable format, and transmit it to another data controller without hindrance;
6. oppose the processing including when it is carried out for direct marketing purposes;
7. oppose an automated decision-making process concerning individuals, including any profiling;
8. lodge a complaint with the Privacy Supervisor against the Data Controller.

Triuggio 18,May, 2024

VERYWELL SERVICES SRL