We are dedicated to protecting the confidentiality and privacy of information entrusted to us.
Who are we?
Data Controller: pursuant to articles 4 and 24 of the GDPR, the data controller is Zucchetti Switzerland SA (“Zucchetti”), with its registered office at Mendrisio (Switzerland), Centro San Martino, Via Moree 16, in the person of its legal representative.
DPO: pursuant to art. 37 of the GDPR, Zucchetti has appointed as its Data Protection Officer (DPO) Mr Mario Brocca, whose contact details are the following: email@example.com, +39 0371 5943191.
Representative within the EU: Zucchetti, pursuant to articles 3.2 and 27 of GDPR, appointed Zucchetti Germany GmbH, with registered address at Saarwiesenstr. 5, 66333 Völklingen, Germany as its representative within the EU for any issue related to data protection and privacy.
How do we collect personal data?
We obtain personal data from individuals in a variety of ways, including obtaining personal data from individuals who provide us their business card, complete our online forms, subscribe to our newsletters, attend meetings or events we host, visit our offices or apply for open positions. We may also obtain personal data directly when, for example, establishing a business relationship or performing professional services through a contract.
What categories of personal data do we collect?
- Contact details (e.g., company name, tax code, VAT number, registered office, residence and domicile, name, job title, work and mobile telephone numbers, work and personal email and postal address);
- Data relating to the contractual relationship, describing the type of contract, as well as information relating to its execution and necessary for the performance of said contract;
- Accounting data relating to the economic relationship, amounts due and payments, their periodic performance, and a summary of the accounting statements;
- Data to make the relationship with our organization more defined and our collaboration and operations more efficient and effective;
- Professional details (e.g., job and career history, educational background).
What lawful reasons do we have for processing personal data?
We may rely on the following lawful reasons when we collect and use personal data to operate our business and provide our products and services:
- Contract: We may process personal data in order to perform our contractual obligations.
- Consent: We may rely on your freely given consent at the time you provided your personal data to us.
- Legitimate interests: We may rely on legitimate interests based on our evaluation that the processing is fair, reasonable and balanced. These include:
  - Delivering services and products: to deliver the services and products our clients have engaged us to provide.
  - Marketing: to deliver timely industry insights and professional knowledge, offerings and invitations we believe are welcomed by our business clients, prospects, subscribers and other individuals.
  - Recruitment: to seek qualified candidates.
- Legal obligations and public interest: We may process personal data in order to meet regulatory and public interest obligations or mandates.
How long do we retain personal data?
The data collected will be stored in a form that allows identification of data subjects for the entire duration of the relationship between you and our company, as well as for 10 years after the date of termination of the relationship. In general, a shorter period of 5 years applies for data not relating to the contractual administrative and accounting obligations.
Why do we need personal data?
We aspire to be transparent when we collect and use personal data and tell you why we need it, which typically includes:
- Executing the contract or fulfilling pre-contractual commitments, such as providing, activating, suspending and managing products and services, issuing the relative invoices and sending service communications and assistance, or providing all the services included in the commercial offer and improving technical assistance, customer care, services and products.
- Promoting our professional services, products and capabilities to existing and prospective business clients.
- Sending invitations and providing access to guests attending our events.
- Administering, maintaining and ensuring the security of our information systems, applications and websites.
- Authenticating registered users to certain areas of our sites.
- Processing online requests, including responding to communications from individuals or requests for proposals and quotations.
- Employment of personnel and work processes.
- Seeking qualified candidates.
The provision of data is optional, although the failure to provide data may, in fact, make it impossible to fulfil the contractual obligations.
Extent of knowledge of your data
The following categories of data processors or persons tasked with processing by our organization may become aware of your data:
- Employees or collaborators in general working in registration and internal administration offices;
- Persons appointed to record and provide services, as well as maintenance and support for the services supplied to you;
- Accounting and invoicing personnel;
- Service sales personnel;
- Customer satisfaction survey personnel; fraud and cheating prevention personnel;
- Marketing office personnel;
- Offices, services and secondary branches;
- External envelope stuffing personnel;
- Consultants appointed to provide our organization with advisory, support and other services;
- Executives and directors;
- Members of control bodies;
- Our agents, representatives and distributors.
Personal data may also become known by parties that have agreements with us, as indicated in the section below. We may delegate the fulfillment of certain obligations or deeds to such parties, for the purpose of executing the contractual relationship with the data subject.
What about method of processing and personal data security?
Pursuant and consequent to arts. 12 et seq. GDPR, the personal data that you provide will be recorded, processed and retained in our hard-copy and electronic files, in compliance with the adequate technical and organizational measures specified in art. 32 GDPR. We limit access to personal data in general. Those individuals who have access to the data are required to maintain the confidentiality of such information. The processing of your personal data may consist in any operation or series of operations described in art. 4, para. 1, point 2 GDPR. Personal data will be processed using suitable tools and procedures that guarantee security and confidentiality. Such processing may be carried out directly and/or via delegated third parties, both manually using hard-copy support and electronically using IT equipment and other instruments. In order to properly manage the relationship and fulfill legal obligations, personal data may be included in the internal documentation of the Data Controller and, if necessary, in the documents and registers required by law.
Do we share personal data with third parties?
We may share personal data with trusted third parties to help us deliver efficient and quality services and products and to fulfill all required legal and/or contractual obligations (“Data Processors”). These recipients are contractually bound to safeguard the data we entrust to them. We may engage with several or all of the following categories of recipients:
- other Zucchetti Group companies, including parent companies, subsidiaries and associates;
- companies/professional firms that provide assistance, advice or collaboration to Zucchetti in accounting, administrative, tax, legal and financial matters;
- public administrations, so that they can perform the institutional functions within the limits established by law;
- third-party service providers to whom the communication is necessary in order to provide the contractual services;
- banks and/or financial institutions for management of the payments deriving from the contractual relationship.
Your data may be communicated following audits or inspections to supervisory bodies, legal authorities and to other parties to whom the communication is required by law.
It should be noted that the role of Data Processors is held by external companies that have entered into a contract with our company, and that require your personal data in order to fulfil the obligations under this contract.
In order to know the Data Processors, if appointed, and to know the people who will be appointed in the future for this function, data subjects may send a request to the Data Controller at the above-mentioned address.
It should be noted that the Data Processors mentioned above do not deal with requests to exercise the rights of data subjects under articles 15 et seq. of the Regulation. This activity is carried out exclusively by Zucchetti in its capacity as Data Controller.
Do we transfer your personal data outside Switzerland or the European Union?
We may transfer personal data to the countries where Zucchetti is represented by affiliates (https://www.zucchetti.com/worldwide/cms/zucchetti-world.html) as well as to other countries inside or outside Switzerland and the European Union where our service providers are located. Each organization is required to safeguard personal data in accordance with our contractual obligations and applicable data protection legislation. Such safeguards may include transfer to countries that have been deemed to provide an adequate level of protection according to lists of countries published by the Federal Data Protection and Information Commissioner or applying standard data protection model clauses, binding corporate rules or other standard contractual obligations which provide for appropriate protection of data.
What are your data protection rights?
If Zucchetti processes personal information about you, you have the rights listed below. Before responding to your request, we may ask for proof of identity. This helps us to ensure that personal data is not disclosed to any person who has no right to receive it. We may also ask you for sufficient information about your interactions with us so that we can locate your personal information.
- Access: You can ask us to verify whether we are processing personal data about you, and if so, to provide more specific information.
- Correction: You can ask us to correct our records if you believe they contain incorrect or incomplete information about you.
- Erasure: You can ask us to erase (delete) your personal data after you withdraw your consent to processing or when we no longer need it for the purpose it was originally collected, and no retention requirements exist.
- Processing restrictions: You can ask us to temporarily restrict our processing of your personal data if you contest the accuracy of your personal data, or prefer to restrict its use rather than having us erase it.
- Data portability: In some circumstances, where you have provided personal data to us, you can ask us to transmit that personal data in electronic form if technically feasible.
- Automated Individual Decision-making: You can ask us to review any decisions made about you which we made solely based on automated processing, including profiling, that produced legal effects concerning you or which significantly affected you.
- Right to Object to Marketing including Profiling: You can object to our use of your personal data for marketing purposes, including profiling. We may need to keep some minimal information to comply with your request to cease marketing to you.
- Right to Object to Active Sourcing: You can object to our use of your personal data for active sourcing purposes. We may need to keep some minimal information to comply with your request to cease recruiting activities.
- Right to Withdraw Consent: You can withdraw your consent that you have previously given to one or more specified purposes of processing your personal data. This will not affect the lawfulness of any processing carried out before you withdraw your consent. It may mean we are not able to provide certain products or services to you and we will advise you if this is the case.
To exercise the above rights, contact the "Data Controller" by sending an e-mail to firstname.lastname@example.org, by calling the following telephone number +41(0)916042043, or by writing to Zucchetti Switzerland SA, Privacy Office, at Centro San Martino, Via Moree 16, 6850 Mendrisio, Switzerland. The Data Controller will respond within 30 days of receiving your formal request.
You also have the right to file a complaint before the national Data Protection Authority should you believe that the data processing carried out by the Data Controller breaches any of your rights and/or violates the consent previously given.
Processing without need for consent from the data subject - Even without your consent, we are entitled to process your personal data should it be necessary in order to:
- fulfill an obligation required by law, by a regulation or by EU legislation;
- fulfill obligations deriving from a contract to which you are a party or to fulfill specific requests received from you prior to termination of the contract.
Furthermore, your express consent is not required when the processing:
a) concerns data obtained from public registers, lists, deeds or documents that can be read by anyone, without prejudice to the limits and procedures that laws, regulations or EU legislation establish with regard to obtaining knowledge about and the publishing of data, or to data on the performance of economic activities, processed in compliance with current regulations governing business and industrial secrets;
b) is necessary in order to safeguard the life or physical safety of a third party (in this case, the Controller must inform the data subject about the processing of that personal data, even subsequently, but as soon as possible. In such circumstances, therefore, consent is given following presentation of that information);
c) is necessary, with the exclusion of dissemination, in order to carry out defense investigations or, in any case, to uphold or defend a right in court, on condition that the data is processed solely for those purposes and for the period strictly necessary for their pursuit, in compliance with current regulations governing business and industrial secrets;
d) is necessary, with the exclusion of dissemination, in cases identified by the Data Protection Authority on the basis of legal principles, in pursuit of the legitimate interests of the Controller or another recipient of the data, including with reference to the activities of banking groups and subsidiaries or associates, should the fundamental rights and liberties, dignity or legitimate interests of the data subject not prevail.
Updating date: December 2nd, 2019
Zucchetti Switzerland SA