Privacy Policy GDPR
Chrysos PERSONAL DATA PROCESSING POLICY
Pursuant to Article 13 of Regulation (EU) 2016/679
This policy is provided in accordance with the European General Data Protection Regulation (EU) 2016/679 (“GDPR”), as subsequently amended and/or supplemented, and national laws or regulations on the processing of personal data, as applicable from time to time (“Privacy Legislation”), to ensure that the processing of personal data is carried out in accordance with the rights and freedoms of persons with particular regard to the protection of personal data.
The term “personal data” means any information relating to a natural person who is identified or identifiable, even indirectly, by reference to any other information, including a personal identification number.
The term “processing” means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The term “data subject” refers to the natural person to whom the personal data relate.
1. Data controller
Chrysos S.p.A., having its registered office at Via Albertoni 10, Romano d’Ezzelino (VI), Tax code and VAT no. 01917760249, is the Data Controller (“Data Controller” or “Chrysos”) for the purposes described in paragraph 3 below and is part of the Chrysos Group. The Data Controller can be contacted at the following e-mail address: gdpr@chrysos.com.
2. Sources and Type of data processed
The data processed by the Data Controller and collected directly from the https://desmos.net website may include personal information and contact information (first name, surname, e-mail, telephone number, address, role, company name, CV and data on professional life in the case of an application and any other information voluntarily provided by the data subject).
3. Purpose and legal basis of the processing carried out by the Data Controller
The Data Controller may process the personal data of the data subject for the processing purposes set out below:
1) Purposes strictly connected with and ancillary to the conclusion and performance of a contract to which the data subject is party, in accordance with Article 6(1)(b) of the GDPR. The provision of personal data does not require consent, but is necessary for the establishment, performance or continuation of the contractual relationship with the Data Controller.
2) Management of the relationship with the data subject resulting from the data subject’s request to use additional content (whitepapers, gated content) offered within the Data Controller’s website. The provision of personal data is not compulsory, but refusal to provide them may make it impossible for the data subject to obtain the services and/or products and/or content requested, to receive the functions, information and informative material requested from the Data Controller. The provision of personal data does not require consent as the processing is necessary for the performance of a free contract to which the data subject is a party, as set out in Article 6(1)(b) of the GDPR.
3) Profiling cookies, if accepted by the user via a cookie banner, are used to carry out profiling activities consisting of analysing the interests and preferences of users in relation to the type of content downloaded from the website in order to carry out profiled marketing activities. The provision of data is not compulsory and their processing requires the consent of the data subject. These data will only be displayed and processed by the other Group Companies if the consent referred to in 9) below has been given.
4) Responding to requests for information made by the data subject to the Data Controller. The provision of personal data does not require consent as the processing is necessary to carry out pre-contractual measures taken at the request of the data subject, in accordance with Article 6(1)(b) of the GDPR.
5) Fulfilment of legal obligations, regulations, EU legislation, provisions issued by authorities empowered to do so by law or by supervisory and control bodies pursuant to Article 6(1)(c) GDPR. The provision of personal data for the purposes set out in this point is obligatory and does not require consent.
6) Purposes of business analysis in an anonymous form: to improve the business and its own services (for example, to measure customer satisfaction with the quality of the services provided and the activities carried out by the Data Controller, by carrying out studies and market research). The provision of personal data is not compulsory and the relevant processing does not require consent due to the existence of a legitimate interest of the Data Controller in carrying out business analysis activities in accordance with Article 6(1)(f) of the GDPR.
7) Marketing purposes for the promotion and sale of products and services similar to those already purchased by the data subject (so-called soft spam), through commercial communications sent by e-mail. The provision of data is not compulsory and their processing does not require consent due to the existence of a legitimate interest of the Data Controller in carrying out marketing activities towards its customers, in accordance with Article 6(1)(f) GDPR.
8) Own marketing purposes: through the use of automated contact tools (such as automated calls, e-mails) or through traditional contact tools (cold calling), directly or through third party companies, with reference to their products and services i) sending and/or proposing by telephone informative, commercial, advertising and promotional material, also personalised/of specific interest, on the basis of the information obtained following the activity referred to in point 3 above ii) sending newsletters and invitations to events and initiatives. The provision of data is not compulsory and their processing requires consent, which may be given and withdrawn, even for only some of the above activities, by writing to the e-mail address below. If the data subject does not provide personal data, he/she will not be able to receive information about the products and/or services offered by the Data Controller, but there will be no consequences for the data subject’s ability to consult the website and for any contractual relationship with the Data Controller.
9) Communication of data to the Group Companies which, with reference to their products and services and those of the Group Companies belonging to the ICT and consultancy sector, may, directly or through third parties, using automated contact tools (such as automated calls, e-mails) or traditional contact tools (cold calling), i) send and/or propose by telephone informative, commercial, advertising and promotional material, also personalised/of specific interest, on the basis of the information obtained following the activity referred to in point 3 above ii) send newsletters and invitations to events and initiatives. The provision of data is not compulsory and their processing requires the consent of the data subject, which may be withdrawn at any time without prejudice to the processing carried out prior to the withdrawal.
10) Management of the website(s) (statistical analysis). The provision of personal data is not compulsory and their processing does not require consent due to the existence of a legitimate interest of the Data Controller in managing its own website, in accordance with Article 6(1)(f) of the GDPR.
11) Personnel recruitment and selection activities. The provision of personal data is not compulsory, but refusal to provide them may prevent the Data Controller from assessing the professional profile of the data subject for the purpose of establishing an employment relationship. The relevant processing does not require the consent of the data subject in order to carry out pre-contractual measures taken at the request of the data subject, in accordance with Article 6(1)(b) of the GDPR.
12) Communication of candidates’ data to Group Companies for the purposes of recruitment and selection by them. Their processing requires the consent of the data subject, which may be withdrawn at any time without prejudice to the processing carried out prior to the withdrawal.
13) Legal defence: where necessary to establish, exercise or defend one’s rights in a court of law. The provision of personal data is compulsory and the relevant processing does not require consent due to the existence of a legitimate interest of the Data Controller, in accordance with Article 6(1)(f) GDPR.
14) Transmission by the Data Controller of marketing newsletters to the e-mail address provided by the data subject in the appropriate section of the site. The provision of data is optional and its processing requires the consent of the data subject, which is necessary in order to take advantage of the service of receiving newsletters from the Data Controller.
4. Where and how personal data are processed
In relation to the aforementioned purposes, personal data will be processed using manual, computerised and electronic tools, with logic strictly related to these purposes and in any case in such a way as to guarantee the security and confidentiality of the data.
Chrysos will process the personal data of the data subject exclusively with technical personnel in charge of such processing, using mainly automated and computerised methods suitable to guarantee, in relation to the purposes for which the data are processed, the security and confidentiality of the data, as well as to prevent unauthorised access to the data. Automated decision making processes are not performed by Chrysos.
The processing of the data collected takes place on the premises of Chrysos and of the service providers identified by it and appointed, where necessary, as data processors in accordance with Article 28 of the GDPR.
The data collected and processed on the website are stored in the CRM shared by the Group Companies, which is hosted in HubSpot’s servers in Europe (“HubSpot CRM”).
5. Storage of personal data
The data subject’s personal data will only be stored for as long as necessary to achieve the purposes for which they have been collected, in accordance with the principle of minimisation pursuant to Article 5(1)(c) of the GDPR.
In particular, with regard to processing for marketing purposes, the data will be processed and stored until the data subject withdraws his or her consent. In any event, the data subject may at any time request that the processing cease or that the data be erased, as provided for below.
The Data Controller may store some data even after the termination of the relationship, depending on the time required to manage specific contractual or legal obligations as well as for administrative, tax and/or contribution purposes for the period of time required by laws and regulations in force, as well as for the time required to enforce any rights in a court of law.
In any case, the data will be processed not only in accordance with the regulations in force, but also in accordance with the standards of confidentiality to which the Data Controller has always been bound.
The storage period will vary according to the type of data processed, but in general, Chrysos refers to these criteria to determine the storage period:
- If there is a legal or contractual need to store the data.
- If the data are needed to provide its services.
6. Categories of parties to which the data may be disclosed
The Data Controller may disclose the personal data of the data subject to third parties in order to comply with legal obligations, and to service providers who act as autonomous Data Controllers or, if they have to process data on behalf of the Data Controller, are designated as Data Processors in accordance with Article 28 of the GDPR. These recipients essentially fall into the following categories, which are listed by way of example and without limitation:
- entities performing banking services, including those involved in operating payment systems;
- persons, companies, associations or professional firms providing services or activities of assistance and consultancy to the data controllers, in particular but not exclusively in relation to accounting, administrative, legal, tax and financial, commercial matters;
- business, marketing, legal partners, technical service and/or software platform providers, system administrators, hosting providers, IT companies, communication agencies;
- parties that carry out the control, the audit and the certification of the activities carried out;
- Group Companies that provide services of an IT nature (e.g. the provision of the HubSpot CRM or the support, maintenance, assistance and development of the HubSpot CRM itself);
- all the Group Companies, only if the data subject has given his or her consent for the purposes set out in points 9) and/or 12) of paragraph 3 above.
The updated list of parties to which the personal data of data subjects may be communicated and/or transferred is available from Chrysos by contacting us at: gdpr@chrysos.com.
7. Transfer of data outside the EU
Any transfer of data to Third Countries, outside the EU, for the purposes indicated in paragraphs 3 and 4 above, may take place in accordance with the methods permitted by the laws in force and in particular in accordance with the provisions of the GDPR set out in: i) Article 44 - General principle of transfer; ii) Article 45 - Transfer on the basis of an adequacy decision; iii) Article 46 - Transfer subject to adequate safeguards; iv) Article 49 - Exceptions in specific situations.
The data subject’s data will be shared with Group Companies in the HubSpot CRM with the specific consent of the data subject. Group Companies include Officina Bernardi US Ltd, which is based in New York (USA). The transfer of data to this Company is guaranteed by the European Commission’s Adequacy Decision 2002/2/EC of 20 December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data under the Canadian Personal Information Protection and Electronic Documents Act.
8. Rights of the data subject
Articles 15-22 of the GDPR provide data subjects with specific rights. In particular, the data subject may obtain from the Data Controller: access, rectification, erasure, restriction of processing, withdrawal of consent, and portability of data concerning them. The data subject also has the right to object to processing on legitimate grounds and/or for commercial purposes.
The Data Controller undertakes to reply to the data subject as soon as possible after verifying the identity of the data subject, where necessary.
Where the right of objection is exercised, the Data Controller reserves the right not to process the request and thus to continue processing if there are compelling legitimate grounds for processing which override the interests, rights and freedoms of the data subject.
With respect to marketing purposes, this is without prejudice to the possibility for a data subject who has given consent:
- to request, at any time and free of charge, to receive communications only by traditional contact methods, such as cold calling;
- to object, at any time and free of charge, to the processing of data for the above-mentioned purposes. In this case, the right to object to the processing of data via automated contact methods (such as e-mail and automated calls) extends to traditional contact methods (such as cold calling);
- to object, at any time and free of charge, to the processing of data for the above-mentioned purposes only in part, i.e. by expressly choosing how to be contacted.
The aforementioned rights may be exercised by sending a written communication to the Data Controller at the following e-mail address: gdpr@chrysos.com.
The data subject is informed that, pursuant to Article 12 of the GDPR, if the data subject’s requests are found to be manifestly unfounded or excessive, in particular due to their repetitive nature, the Data Controller may a) charge a reasonable fee, taking into account the administrative costs incurred in providing the information or communications or in taking the requested action, or b) refuse to comply with the request.
The data subject also has the right to lodge a complaint with the Italian Data Protection Authority.
9. Links to other websites
The website may contain links to other websites. However, once the data subject has used these links and left this website, Chrysos will have no control over the other websites. Chrysos will in no way be responsible for the protection and confidentiality of the information provided when visiting such other sites. We recommend that you carefully read the privacy policy applicable to the website in question.
10. Changes to this privacy policy
Chrysos reserves the right to make changes to this policy at any time by notifying the data subjects on this page. If the data subject does not accept the changes made to this policy, the data subject shall cease to use this website and may request Chrysos to remove his or her personal data.