Pursuant to Article 13 EU Regulation No. 2016/679 (hereinafter, "GDPR") we inform the Client that his data will be processed in the following ways and for the following purposes:
RINA S.p.A., with registered office in Genoa (GE), via Corsica 12, CF and VAT no. 03794120109, and the other RINA Group Companies are the Joint Data Controllers pursuant to art. 26 GDPR, who can be reached through the contacts indicated on the website www.rina.org. The Data Protection Officer may be contacted at the e-mail address rina.dpo@rina.org.
The Joint Controllers process the personal data (hereinafter, "personal data" or also "data") of the Client//potential Client (hereinafter, even more briefly "the Client") legal representative or other contact persons, for the pursuit of the purposes described below:
a. to fulfil contractual, administrative and fiscal obligations arising from ongoing relationships (such as the processing of tax data for the issuance of the invoice, data relating to payment including electronic payment communicated by third parties such as providers of e-payment services, as well as data necessary to issue access credentials to platforms for sharing documentation necessary for the performance of the service and any other data conferred by the Customer in the context of the use of such platforms);
b. . pre-contractual activity aimed at the presentation of the services on which the data subject has requested information, as well as the formulation of proposals and the establishment of the contractual relationship for the provision of the services offered (such as for example in the case of processing of identification and contact data collected directly by the data subject on the occasion of events or publicly available or collected by third parties expressly authorized by the data subject necessary for registration and access to restricted areas of the site that allow the use of online platforms or mobile applications);
c. to fulfil the obligations provided for by the specific contractual terms of the service requested and/or by any binding accreditation and/or certification requirements (such as, for example, the collection of audit evidence or other probative documentation containing personal data, including special data pursuant to Art. 9 GDPR such as health certificates, if required by law or by the reference standard and therefore preparatory to obtaining the service itself, as well as the collection and recording of images and videos in cases where the service is provided digitally and remotely using relevant IT tools in compliance with the circulars of the Accreditation Bodies).
The provision of data and its processing for the purposes referred to in points a., b. and c. is necessary to ensure the services requested and to execute the contract and any pre-contractual obligations, as well as to comply with the resulting legal obligations. The legal basis for the aforementioned processing can be found in art. 6, par. 1, lett. b) and lett. c) GDPR: therefore, any refusal to provide the data will make it impossible for the Joint Controllers to perform the services covered by the contract.
Notice is given this category also includes processing activities carried out to provide you with information on products and services, coming from third-party resources, for example trade fairs in which we participate or technological platforms we use, for example for webinars.
d. detect the degree of satisfaction with the quality of the products and/or services covered by the contract, by sending surveys or requests via e-mail or telephone contact (only for Clients);
e. send via e-mail or telephone contacts, newsletters, commercial communications and/or advertising material on products and/or services offered by the Company similar to those covered by the contract (only for Clients).
f. guarantee the access to your reserved area in a secure manner and avoid illegal activities by recording access to the reserved area with log files (only for Clients).
The legal basis of the processing of personal data for the purposes referred to in points d. and e. relies on the legitimate interest of the Data Controller to consolidate by keeping up to date the contractual relationship already established with the Data Subject, providing the latter with support, as well as improving the service (Art. 6, par. 1, lett. f) GDPR). The Data Subject may reasonably expect such processing based on the relevant and appropriate relationship between the Data Controller and the Data Subject (Recital No. 47 of the Regulation); however, it should be noted that the processing is not necessary and the Data Subject may object to the same at any time by the means indicated in paragraph 7 of this notice.
g. to fulfil the obligations provided for by law or by an order of the competent Authority (art. 6 par. 1 lett. c GDPR);
h. exercise the rights of the Joint Data Controllers, for example the right to defence in court (art. 6 par. 1 lett. f GDPR).
i. to send, via e-mail and/or telephone contact, newsletters, commercial communications and/or advertising material on all RINA-branded products or services offered by the Joint Controllers (only for potential Clients as well as for Clients to whom products or services different from those covered by the contract are promoted);
The processing of data for the purposes referred to in points h is, however, optional. Therefore, the Data Subject is free to express consent or refusal and to subsequently revoke the consent initially given. The legal basis for the aforementioned processing is the consent referred to in Article 6, par. 1, let. a) GDPR. Any refusal to consent to the processing will have the only consequence of the impossibility to receive newsletters, commercial communications and advertising material on all RINA brand products or services offered by the Joint Controllers without prejudice to the aforementioned purposes for which, in order to carry out the processing, it is not necessary for you to give your consent. The revocation of the previously given consent does not affect the lawfulness of the processing based on the consent given before revocation.
Personal data is processed in accordance with the principles of lawfulness, correctness and transparency.
Personal data will be kept for the time necessary to fulfill the aforementioned purposes and in any case no later than 10 years from the termination of the contractual relationship.
Will the Joint Controllers have documented need to keep the data for a period exceeding 10 years (for example in the event that the cancellation could compromise their legitimate right of defense or, in general, for the protection of their corporate assets), the further conservation may take place in compliance with the corporate criteria provided for backup and recovery policy and by limiting access only to the Responsible of the legal function, to guarantee the legitimate exercise of the right of defense.
Processing carried out for marketing purposes will not be processed beyond 2 years from the collection and/or receipt.
Personal data may be made accessible for the purposes referred to in paragraph 2, in addition to the parties authorised to process them by the Joint Data Controllers, also to the following recipients:
- affiliates or subsidiary Companies of the RINA Group, in Italy and abroad, to the extent that this is necessary to perform the processing, in accordance with the binding corporate rules adopted by the RINA Group;
- to Companies or other third parties (suppliers, credit institutions, professional firms, consultants, insurance companies for the provision of insurance services, supervisory bodies, etc.) bound by specific legal instruments with the Joint Controllers, including Data Processors;
- to public entities, supervisory bodies, judicial and control authorities, accreditation or notification bodies, auditing companies, etc. for the fulfilment of legal or regulatory obligations in the sector.
Personal data are stored on servers located within the European Union. It is in any case understood that the Joint Controllers, where necessary, will have the right to transfer personal data to non-EU countries. In this case, the transfer of data outside the EU will take place in compliance with the applicable legal requirements, also through the provision of standard contractual clauses provided by the European Commission and the adoption of binding corporate rules for intragroup transfers.
The Data Subject, has the following rights:
1. to obtain confirmation of the existence or otherwise of processing of personal data concerning you, as well as to obtain a copy of such data;
2. ii. to obtain information on: a) the origin of the personal data; b) the purposes and methods of processing; c) the logic applied in the event of processing carried out with the aid of electronic instruments; d) the identity of the Data Controllers, Data Processors and the Data Protection Officer; e) the subjects or categories of subjects to whom the personal data may be communicated or who may become aware of the data in their capacity as designated representative in the territory of the State, data processors or persons in charge of processing;
3. to obtain: a) the updating, rectification or integration of data; b) the cancellation, transformation into anonymous form or blocking of data processed in violation of the law; c) certification that the operations referred to in letters a) and b) have been notified, also with regard to their content, of those to whom the data were communicated or disseminated, unless this proves impossible or involves a disproportionate effort; d) obtain from the Data Controllers in a structured, commonly used and intelligible format the personal data concerning him/her and, where technically feasible, obtain the direct transmission of said data from one Data Controller to another;
4. to oppose to a) the processing of your personal data, even if pertinent to the purpose of collection; b) the processing of your personal data for the purpose of sending advertising or commercial material or for carrying out market research or commercial communications, through the use of automated calling systems without the intervention of an operator by e-mail and/or through traditional marketing methods by telephone and/or paper mail. The right to object may also be exercised only in part, thus allowing the Data Subject to choose to receive only communications by traditional means or only automated communications or neither of the two types of communication.
5. Revoke the consent previously given.
Therefore, the Data Subject has the rights under Articles 15 - 21 of the Reg. EU/679/2016, as well as the right to lodge a complaint with the competent Authority under Article 77 GDPR.
The RINA Group has appointed a Data Protection Officer, who can be contacted at any time for all questions relating to the processing of personal data and the exercise of the related rights in the following way: by sending an e-mail to the address rina.dpo@rina.org.
It is specified that you have the right to revoke the consent given at any time by writing to rina.dpo@rina.org; as well as by accessing your Preference Center via the link at the bottom of commercial communications or published on RINA digital services. By accessing the Preference Center, the data subject will be able to change their preferences at any time.
