Updated to Reg UE 2016/679 (European regulation on the protection of personal data)
This document adheres to the principles set out in the General Data Protection Regulation (EU) 2016/679 (the “GDPR”).
Data relating to identified or identifiable natural persons may be processed as a result of browsing the website indicated above.
The Data Controller (“Controller”) is CERAMICA CATALANO S.P.A., with registered office in Strada Provinciale Falerina Km 7,200, 01034 Fabrica di Roma (VT), VAT/Tax ID 00090370560, represented by its legal representative pro tempore, Mr. Ugo Brocchi, certified email address (PEC) email@example.com, regular email firstname.lastname@example.org, Tel. 0761/5661, Fax 0761/574304. The Controller has not designated a data protection officer, as it is under no legal obligation to do so.
Personal data is collected and processed for the following purposes:
a) Registration to access the reserved area. You are welcome to browse through the website at your leisure however, some areas of the website require prior registration in order to access certain services and to request and obtain information (technical data sheets, etc.). General personal data required: first name, last name, user category, email address, telephone number, registered and/or administrative office, nationality, website. Legal basis: User consent only (art. 6, subparagraph 1, point (a), GDPR), expressed and obtained through a preliminary computerised procedure and/or contact form.
b) Subscribing to the newsletter, requests for information and marketing activities. The data provided by filling in the contact form is necessary to subscribe to the Catalano Ceramica S.p.A. newsletter, to allow the user to request information from the Controller, to allow the Controller to respond to requests for information sent by the user, for marketing activities which involve sending advertising material by e-mail (or other method specified beforehand), sending information about the services offered and sending information about Catalano Ceramica S.p.A. taking part in trade fairs and/or similar national and international events. General personal data required: name, last name, user category, email address, nationality. Legal basis: User consent only (art. 6, subparagraph 1, point (a), GDPR), expressed and obtained through a preliminary computerised procedure.
c) Fulfilment of obligations arising from the contract entered into with the user and/or resulting from legal obligations or for the protection of the rights of the Controller before judicial or administrative authorities.
General personal data required: first name, last name, user category, email address, telephone number, registered and/or administrative office, tax identification number, VAT number, nationality. Legal basis: The Controller is authorised to process personal data without the express consent of the user when processing is necessary for:
• performance of the contract with the user or to fulfil the obligations prior to entering into a contract (art. 6, subparagraph 1, point (b), GDPR);
• compliance with a legal obligation to which the Controller is subject; (art. 6, subparagraph 1, point (c), GDPR);
• purposes of the legitimate interests pursued by the Controller or by a third party, or for the Controller to exercise the right of defence in or out-of-court (art. 6, subparagraph 1, point (f), GDPR);
• prevention or detection or to take action against fraudulent acts or abuse (or unlawful access) harmful for the website or committed through use of the website (art. 6, subparagraph 1, point (f), GDPR).
By signing up for the newsletter, the user’s e-mail address is automatically added to a contact list; the Controller may send e-mails containing information, also of a commercial and promotional nature to those included in the list.
If the user refuses to provide the data required, we may not be able to deliver the above-mentioned services.
It should be noted that at any time the user may request clarifications from the Controller on the concrete legal basis for each processing activity.
The website www.catalano.it collects and processes the following categories of personal data:
General personal data including, but not limited to, first name, last name, user category, gender, date of birth, email address, registered and/or administrative office, home address and/or address for service, telephone number, nationality.
Unless otherwise specified, browsing and usage data, collected automatically during the use of the site are all mandatory.
Usage and browsing data means all information that the computer systems and software used for running this website collect, as part of normal operations, whose transmission is implicit in the use of Internet communication protocols. However, if the user chooses not to provide the data required, we might not be able to provide the service. The user may choose whether or not to provide optional data without this having any effect on the availability or functioning of the service.
Methods of processing
The Controller declares to adopt appropriate security measures designed to preclude and prevent unauthorised access, disclosure, alteration or destruction of personal data. Data may be processed (the term processing means, pursuant to art. 4 of the GDPR, any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction) on paper and using electronic and/or computerised means, with organizational methods and logic strictly related to the purposes indicated above.
In some cases, in addition to the Controller, other parties involved in the organisation, maintenance and management of the www.catalano.it website may have access to personal data. These parties include, but are not limited to employees of the Controller, in their capacity as data processors, or third-party companies or other parties (digital, technical and IT service providers, customer care operators, IT service providers, business firms, etc.) that carry out activities on behalf of the Controller in their capacity as external data processors (an updated list may be requested from the Controller at any time).
Personal data, pursuant to art. 5 of the GDPR shall be: a) processed lawfully, fairly and in a transparent manner in relation to the data subject (lawfulness, fairness and transparency); b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes (purpose limitation); c) adequate, relevant and not excessive in relation to the purposes for which they are processed (data minimisation); d) accurate and, where necessary, kept up to date; every reasonable step shall be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were processed (accuracy); e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were processed; f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality). The Controller has not adopted any automated decision-making process, nor does it carry out profiling pursuant to art. 22 of Regulation (EU) 2016/679.
Place of processing and the transfer of personal data to third countries or international organisations.
Processing related to the services provided through the www.catalano.it website, are carried out at the Controller’s registered and administrative office in Strada Provinciale Falerina Km 7,200 01034, Fabrica di Roma (VT) . It should be noted that the user’s personal data may be transferred to a country other than the country where the user is located. In any case, the Controller does not transfer personal data to a third country or an international organisation.
Processing operations may be carried out at the offices of companies involved in the management, organisation and maintenance of the website, including hosting service providers. You can ask the Controller for an updated list of external data processors by sending an email to email@example.com.
Pursuant to art. 4, subparagraph 1, no. 9 of the GDPR, the recipient is the natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients. That being said, recipients are, therefore, all subjects, be they internal or external, who receive personal data from the Controller. Recipients may receive such data to carry out processing operations on behalf of the Controller, or achieve their own specific purposes. For the purposes indicated in Article 2 above, pursued by the Controller, it may communicate personal data to external Processors which have entered into specific contracts with the Controller. You can ask the Controller for an updated list of external data processors by sending an email to firstname.lastname@example.org.
Personal data are processed and retained for the time necessary for the purposes for which they are processed; data collected for purposes related to the performance of a contract between the Controller and user shall be retained until the contract ends and for any subsequent legal obligations connected thereto; data collected for purposes relating to the legitimate interest of the Controller shall be processed until the fulfilment of these interests. However, the Controller may be obliged to keep personal data for a longer period in compliance with a legal obligation or by order of an authority (in these cases, the criteria used to determine the retention period shall be solely legal). When processing is based on the consent of the user, the Controller may retain the personal data until the relative consent is withdrawn. As regards the purposes indicated in point 2 above, the Controller shall retain the personal data for the following periods of time:
a) Registration to access the reserved area. The data will be retained for as long as you are registered in the reserved area and until you withdraw your consent, which can be requested in the manner described in point 7 below. After withdrawal of consent, the data will be erased or rendered anonymous.
b) Subscribing to the newsletter, requests for information and marketing activities. The data will be retained until you withdraw your consent, which can be requested in the manner described in point 7 below. After withdrawal of consent, the data will be erased or rendered anonymous.
c) Fulfilment of obligations arising from the contract entered into with the user and/or resulting from legal obligations or for the protection of the rights of the Controller before judicial or administrative authorities. Retention period established by applicable law.
At the end of the retention period, personal data shall be erased and the right of access, erasure, rectification, as well as the right to data portability can no longer be exercised.
The user is guaranteed the rights laid down in Articles 15-22 of the GDPR which, in particular regard the right of access (art. 15), the right to rectification (art. 16), the right to erasure, i.e. the right to be forgotten (art. 17), the right to restriction of processing (art. 18), notification obligation regarding rectification or erasure of personal data or restriction of processing (art. 19), the right to data portability (art. 20), the right to object (art. 21), automated individual decision-making relating to natural persons, including profiling (art. 22).
Right of access. The data subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, obtain access to such data.
Right to rectification. The data subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure (right to be forgotten). The data subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay, where: the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; the data subject withdraws consent on which the processing is based according to Article 6, subparagraph 1, point (a) and where there is no other legal ground for the processing. The Controller may refuse the erasure only for: a) compliance with a legal obligation and/or performance of a contract; b) the exercise of a right in a legal action.
Right to restriction of processing. The data subject shall have the right to obtain from the Controller restriction of processing where one of the following applies: a) the accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the personal data; b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; c) the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; the data subject has objected to processing pursuant to Article 21, subparagraph 1, pending the verification whether the legitimate grounds of the Controller override those of the data subject.
Notification obligation regarding rectification or erasure of personal data or restriction of processing. The Controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17, subparagraph 1 and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
Right to data portability. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Controller without hindrance from the Controller to which the personal data have been provided.
Right to object The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her. The Controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. Where personal data are processed for marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing. Where the data subject objects to processing for marketing purposes, the personal data shall no longer be processed for such purposes.
The user also has the right to:
– withdraw consent at any time and free of charge, without affecting the lawfulness of processing based on consent provided before its withdrawal;
– in the event that the Controller’s response to a request from the data subject is unsatisfactory, to lodge a complaint with the Garante per la Protezione dei Dati Personali (Italian Data Protection Authority), with head office in Piazza Venezia, no. 11, 00187 Rome (RM), following the procedures and instructions published on the Authority’s website https://www.garanteprivacy.it/.
The user can read the cookies policy published and freely available on the website.