Pursuant to Article 13 EU Regulation No. 2016/679 (hereinafter, "GDPR") we inform the Client that his data will be processed in the following ways and for the following purposes:
RINA S.p.A., with registered office in Genoa (GE), via Corsica 12, CF and VAT no. 03794120109, and the other RINA Group Companies are the Joint Data Controllers pursuant to art. 26 GDPR, who can be reached through the contacts indicated on the website www.rina.org. The Data Protection Officer may be contacted at the e-mail address rina.dpo@rina.org.
The Joint Controllers process the personal data (hereinafter, "personal data" or also "data") of the Client's legal representative or other contact persons, for the pursuit of the purposes described below:
a. to fulfil contractual, administrative and fiscal obligations arising from ongoing relationships (such as the processing of tax data for the issuance of the invoice, data relating to payment including electronic payment communicated by third parties such as providers of e-payment services, as well as data necessary to issue access credentials to platforms for sharing documentation necessary for the performance of the service and any other data conferred by the Customer in the context of the use of such platforms);
b. pre-contractual activities aimed at the formulation of proposals and the establishment of the contractual relationship for the provision of services offered (such as, for example, in the case of processing of identification and contact data collected directly from the Data Subject or publicly available or collected by third parties expressly authorized by the Data Subject necessary for the registration and access to restricted areas on online platforms or mobile applications);
c. to fulfil the obligations provided for by the specific contractual terms of the service requested and/or by any binding accreditation and/or certification requirements (such as, for example,the collection of audit evidence or other probative documentation containing personal data, including special data pursuant to Article 9 GDPR such as health certificates, if required by law or by the reference standard and therefore preparatory to obtaining the service itself, as well as the collection and recording of images and videos in cases where the service is provided digitally and remotely through the use of the relevant IT tools in compliance with the circulars of the Accreditation Bodies).
The provision of data and its processing for the purposes referred to in points a., b. and c. is necessary to ensure the services requested and to execute the contract and any pre-contractual obligations, as well as to comply with the resulting legal obligations. The legal basis for the aforementioned processing can be found in art. 6, par. 1, lett. b) and lett. c) GDPR: therefore, any refusal to provide the data will make it impossible for the Joint Controllers to perform the services covered by the contract.
d. detect the degree of satisfaction with the quality of the products and/or services covered by the contract, by sending surveys or requests via e-mail or telephone contact;
e. send via e-mail or telephone contacts, newsletters, commercial communications and/or advertising material on products and/or services offered by the Company similar to those
The legal basis of the processing of personal data for the purposes referred to in points d. and e. relies on the legitimate interest of the Data Controller to consolidate by keeping up to date the contractual relationship already established with the Data Subject , providing the latter with support, as well as improving the service (Art. 6, par. 1, lett. f) GDPR). The Data Subject may reasonably expect such processing based on the relevant and appropriate relationship between the Data Controller and the Data Subject (Recital No. 47 of the Regulation); however, it should be noted that the processing is not necessary and the Data Subject may object to the same at any time by the means indicated in paragraph 7 of this notice.
f. to fulfil the obligations provided for by law or by an order of the competent Authority (art. 6 par. 1 lett. c GDPR);
g. exercise the rights of the Joint Data Controllers, for example the right to defence in court (art. 6 par. 1 lett. f GDPR).
h. to send, via e-mail and/or telephone contact, newsletters, commercial communications and/or advertising material on all RINA-branded products or services offered by the Joint Controllers; and
i. to use also the photo and video images of the legal representative or of other contacts of the Client taken during the provision of the service or during events organised by the Joint Controllers where these subjects may participate, to document the success of the service and of the initiative, with the possibility of publication on the website www.rina.org, on official social media channels of the company, or other external communication channels selected from time to time.
The processing of data for the purposes referred to in points h and i is, however, optional. Therefore, the Data Subject is free to express consent or refusal and to subsequently revoke the consent initially given. The legal basis for the aforementioned processing is the consent referred to in Article 6(1)(a) GDPR. Refusal to consent to the processing will only result in the impossibility of receiving newsletters, commercial communications and advertising material about all the RINA-branded products or services offered by the Joint Controllers and the impossibility of publishing the images, photos and videos on the Controller's social channels, without prejudice to the purposes set out in points a., b. and c. above.
Personal data is processed in accordance with the principles of lawfulness, correctness and transparency.
The processing of personal data is carried out by means of the following operations: collection, recording, organization, structuring, storage, consultation, adaptation or modification, use, dissemination, communication, extraction, comparison, interconnection, limitation, deletion and destruction of data. Both paper and electronic processing can be made.
Personal data will be kept for the time necessary to fulfil the above purposes and in any case no longer than 10 years from the termination of the contractual relationship and no longer than 2 years from the collection and/or receipt of consent of the data for marketing purposes.
Should the Joint Data Controllers have a documented need to retain the data for a period longer than 10 years (for example, in the event that deletion might compromise their legitimate right of defence or, in general, for the protection of their business assets), further retention may take place by limiting access to the data only to the Head of the legal department, in order to ensure the legitimate exercise of the right of defence.
Personal data may be made accessible for the purposes referred to in paragraph 2, in addition to the parties authorised to process them by the Joint Data Controllers, also to the following recipients:
- affiliates or subsidiary Companies of the RINA Group, in Italy and abroad, to the extent that this is necessary to perform the processing, in accordance with the binding corporate rules adopted by the RINA Group;
- to Companies or other third parties (suppliers, credit institutions, professional firms, consultants, insurance companies for the provision of insurance services, supervisory bodies, etc.) bound by specific legal instruments with the Joint Controllers;
- to public entities, supervisory bodies, judicial and control authorities, accreditation or notification bodies, auditing companies, etc. for the fulfilment of legal or regulatory obligations in the sector.
Personal data are stored on servers located within the European Union. It is in any case understood that the Joint Controllers, where necessary, will have the right to transfer personal data to non-EU countries. In this case, the transfer of data outside the EU will take place in compliance with the applicable legal requirements, also through the provision of standard contractual clauses provided by the European Commission and the adoption of binding corporate rules for intragroup transfers.
The Data Subject, has the following rights:
i. to obtain confirmation of the existence or otherwise of processing of personal data concerning you, as well as to obtain a copy of such data;
ii. to obtain information on: a) the origin of the personal data; b) the purposes and methods of processing; c) the logic applied in the event of processing carried out with the aid of electronic instruments; d) the identity of the Data Controllers, Data Processors and the Data Protection Officer; e) the subjects or categories of subjects to whom the personal data may be communicated or who may become aware of the data in their capacity as designated representative in the territory of the State, data processors or persons in charge of processing;
iii. to obtain: a) the updating, rectification or integration of data; b) the cancellation, transformation into anonymous form or blocking of data processed in violation of the law; c) certification that the operations referred to in letters a) and b) have been notified, also with regard to their content, of those to whom the data were communicated or disseminated, unless this proves impossible or involves a disproportionate effort; d) obtain from the Data Controllers in a structured, commonly used and intelligible format the personal data concerning him/her and, where technically feasible,
obtain the direct transmission of said data from one Data Controller to another;
iv. to oppose to a) the processing of your personal data, even if pertinent to the purpose of collection; b) the processing of your personal data for the purpose of sending advertising or commercial
material or for carrying out market research or commercial communications, through the use of automated calling systems without the intervention of an operator by e-mail and/or through traditional marketing methods by telephone and/or paper mail. The right to object may also be exercised only in part, thus allowing the Data Subject to choose to receive only communications by
traditional means or only automated communications or neither of the two types of communication.
Therefore, the Data Subject has the rights under Articles 15 - 21 of the EU/679/2016, as well as the right to lodge a complaint with the competent Authority under Article 77 GDPR.
The RINA Group has appointed a Data Protection Officer, who may be contacted at any time for all matters relating to the processing of your personal data and to the exercise of the relative rights in the following ways:
Please note that you have the right to withdraw the consent given as per paragraph 2, letters h. and i. at any time by writing to rina.dpo@rina.org.
