Privacy policy - Namirial S.p.A.
pursuant to art. 13 of EU Regulation n. 679/2016 ("Regulation" or "GDPR") and in compliance with the principles contained therein
Namirial S.p.A. proceeds with the processing of data in compliance with the provisions of European Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter "EU Regulation 2016/679").
According to Article 13 of the aforementioned Regulation, below is information regarding the identification of the data controller and the data processor on the subject of the processing of personal data concerning contracts and the provision of services.
The Data Controller is Namirial S.p.A. (hereinafter referred to as the "Data Controller" or "Namirial") with registered office in via Caduti sul Lavoro, 4 - 60019 Senigallia (AN), VAT n. IT02046570426. The Data Protection Officer (DPO) can be contacted through the following email address: dpo@namirial.com - (PEC) dpo.namirial@sicurezzapostale.it
Categories of data
As part of the activities carried out by the user on the websites indicated, Namirial may process the following categories of personal data, depending on the purpose:
- Personal data (e.g. name, surname, tax code, date and place of birth, nationality);
- Identification document;
- Contact information (phone number and email);
- IP Address;
- Data contained in documents subject to signing.
Purpose of processing and legal basis of processing personal data
We will process your personal data for the following purposes:
- Creating the user profile: the legal basis for this purpose is Art. 6(1) b of the GDPR - Contract;
- Sharing of signature certificate data with requesting parties: to enable us to secure your identity and to be able to grant you access to the services you have requested, we may need to share your signature certificate data with the provider of the service you are trying to access. The legal basis for this activity is Article 6(1) b of the GDPR - Contract and Article 6(1) f of the GDPR - Legitimate interest;
- Promotional and marketing activities of the Data Controller: the legal basis for this purpose is Art. 6(1) a of the GDPR - Consent;
- Management and response to requests for commercial assistance, including online: the legal basis for this purpose is art. 6(1) b of the GDPR - Contract;
- Fulfillment of legal obligations, national or community regulations: the legal basis for this purpose is art. 6(1) c of the GDPR - Legal obligation;
- Sending communications with informative content about services similar to those already purchased: the legal basis for this purpose is art. 6(1) f of the GDPR - Legitimate interest of the Data Controller;
- Statistical, business and market analysis, carried out in absolutely anonymous and aggregate form: the legal basis for this purpose is art. 6(1) f of the GDPR - Legitimate interest of the Data Controller;
- Judicial protection of Namirial rights: the legal basis for this purpose is Article 6(1) f of the GDPR - Legitimate interest of the Data Controller.
Conferment of data
The conferment of the data referred to in points a), b), e) and h) is compulsory in order to allow the conclusion of the contract or the provision of the services requested. The conferment of the data referred to in further points is optional: you may at any time ask the Data Controller to stop the processing activities without any consequences for the services provided to you.
Method of processing and access to data
Namirial processes personal data in compliance with the principles of the Regulation in virtue of its own legitimate interests linked to the type of activity carried out and the need to execute existing contracts or pre-contractual measures requested by the interested parties.
The treatment is carried out by means of automated and/or manual computer and telematic tools that guarantee the appropriate security measures to prevent access, disclosure, loss, incorrect, illegal or unauthorized use of data.
The data are processed for the time necessary to carry out the service requested by the User, or required by the purposes described in this document, and the User may always request the interruption of the Processing or the cancellation of the data. The data can only be accessed by those in charge, who are adequately trained and informed about their duties and the activities permitted on the data collected, who work on behalf of Namirial and who are recipients of instructions and tasks given by the Data Controller.
In cases where the processing of data of interested parties is carried out for the purposes referred to in point B), the data associated with the chosen authentication tool will be collected and verified by Namirial S.p.A. in order to proceed to the issuance of the Digital Identity or Certificate.
Data Sharing
We would like to inform you that the data relating to the contract and the service activity may be communicated to third parties appointed as external data processors (the complete list is available to the Data Controller), business consultants for administrative and accounting purposes, as well as legal consultants for the possible management of disputes.
The data may also be communicated to the police or judicial authorities for purposes of investigation or prosecution of crimes committed by users of telematic services, where necessary.
We would also like to inform you that data may also be processed by third parties acting as Local Registration Authority or Registration Authority Operator or by individuals with archiving function, formally appointed by Namirial as external data processors/sub-processors.
Data processing location
Personal data are processed at the headquarters of the Data Controller, as well as in the servers that host the service. Personal data are stored in servers located in the EU territory and will not be transferred outside of it under any circumstances. The Data Controller guarantees that when using cloud providers established outside the European Economic Area, the processing of personal data by these recipients is carried out in accordance with the principles of the GDPR. Transfers are made by means of appropriate safeguards, such as adequacy decisions, standard contractual clauses approved by the European Commission, or other safeguards provided by the GDPR.
Data Retention
Namirial S.p.A. will keep the data of the interested parties in a form that permits identification of the same for a period of time not exceeding the achievement of the purposes for which the data were collected.
The data related to the Certificates and/or Digital Identity will be kept for 20 (twenty) years from the termination of the contract or from the expiration or revocation of the Certificate or Digital Identity, in accordance with the provisions of art. 28, para. 4bis of Legislative Decree 82/2005 as amended (Codice per l'Amministrazione Digitale) and art. 7, para. 8 of the Prime Minister's Decree of 24 October 2014 as amended.
The data strictly necessary for fiscal and accounting fulfilments, once the purpose for which they were collected is no longer valid, will be kept for a period of 10 (ten) years as required by Italian law.
Data for marketing purposes will be kept until consent is revoked.
Once these periods have elapsed, Namirial S.p.A. will cancel the data of the interested parties.
The interested party has the right to request, at any time, the modification of the structures regulated by this privacy policy through the exercise of the rights set out in the following paragraph.
Data Subjects' rights
The User may exercise all the rights provided for by Articles 15-21 of EU Reg. no. 679/2016, at any time and without unjustified limitations, by contacting the Data Controller at dpo@namirial.com.
Requests shall be filed free of charge and processed by the Controller within 30 days.
Specifically, the User can:
- Obtain from the controller confirmation as to whether or not personal data are being processed (Art. 15);
- Obtain from the controller the rectification of inaccurate personal data (Art. 16);
- Obtain from the controller the erasure of personal data (Art. 17);
- Obtain from the controller restriction of processing (Art. 18);
- Have the right to receive the personal data in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller (Art. 20);
- Have the right to object (Art. 21).
In any case, Users are always entitled to lodge a complaint with the competent supervisory authority (Garante per la Protezione dei Dati Personali), under Art. 77 of the Regulation, if they believe that the Data Controller's processing of their Personal Data is in violation of the applicable law. The Controller reserves the right to amend and update the Privacy Policy as a result of any further new or revised provisions of any national and EU laws and regulations on personal data protection.