Information according to Art. 13-14 of the European Regulation 679/2016 (GDPR)

OLD PHARMA International S.r.l. respects the privacy of your personal data and guarantees its protection and correct processing following the latest European legislation. Under Articles 13 and 14 of European Regulation (EU) 2016/679 (hereinafter GDPR) and Legislative Decree 196/03, as amended by Legislative Decree 101/18, we hereby inform you of the following.

1) Data Controller and Data Processor

The Data Controller is OLD PHARMA International S.r.l., in the person of its legal representative pro tempore, with a registered office in Milan, Via M.F. Quintiliano, 30, tax code and VAT number 10714760153. The Data Controller may be contacted through a PEC notice at oldpharmainternationalsrl@ticertifica.it or by email at info@oldpharma.it.

The Data Controller has not appointed a Data Protection Officer (DPO).

The data processing described below will take place in Milan, Via M. F. Quintiliano, 30. The data will be processed and stored by the Data Controller within the European Economic Area and will not be transferred to or outside the European Economic Area.

2) Nature of data and processing.

The information you provide us with is general and non-specific.

These include first name and surname, date of birth, and contact details (fixed telephone number, mobile phone number, VOIP and email address, etc.).

The information may be provided to us by you, the data subject, in person or remotely.

In the course of its operation, our site may acquire certain data whose transmission is automatic in the course of navigation, such as IP address, online identifiers, contact time, etc. This information is not processed but is used only to draw up anonymous statistics on the use of the site itself and to check for any anomalies, as well as to prevent fraud; in the latter case, the data may be used solely for the purposes of any communication to the competent authorities to establish responsibility. However, we inform you that, by their very nature, this information could allow the user to be identified through association and processing with data held by third parties.

In addition, when interacting with social networks, you may provide your data in the social network’s registration window (“Register with…”).

Generally, all types of data processing are included in those foreseen by Art. 4, par. 1, no. 2 of EU Reg. 679/16 (e.g. collection, registration, organisation, storage, etc.). However, your data will be processed legally, correctly and transparently. Only data that is necessary and essential to achieve the specific purpose will be processed (so-called minimisation of processing and accountability under Article 5(1)(c) of the GDPR), with the accuracy and integrity of the data being guaranteed.

In particular, you acknowledge that your personal data, including special data, may be collected based on information provided by you when registering or communicating, including electronically, with the Data Controller.

Persons under 16 years of age may use the Services only with the consent of their parents or, in any case, of the holder of parental responsibility under Article 8 of the GDPR.

3) Purposes, legal basis and methods of data processing.

The main purpose of processing your data is the correct and complete provision of the services you requested.

Each type of processing is based on a presumption or legal basis under Article 6 of the GDPR.

The purposes of the processing are as follows, with the relevant legal basis in brackets:

a) provision of the requested services, management of orders, delivery of products, management of payments and communications related to such orders (execution of the contract or pre-contractual measures);

b) fulfilment of fiscal and accounting obligations, also through third parties and external managers (fulfilment of legal and statutory obligations);

c) personal communications and internal security (contract enforcement);

d) direct marketing initiatives known as “soft spam” (Art. 130(4) of the Privacy Code);

e) commercial communications from other brand companies or third parties operating in the sector (consent);

f) customer care and satisfaction (fulfilment of contract).

Any other and future purposes will be the subject of an annexe to this informative note and possible consent.

Your data will be processed manually and electronically only if there is an appropriate legal basis.

Personal data may be processed both on paper and in computerised form (including portable devices) and in the manner strictly necessary to achieve the above purposes. The data may be processed using cloud-based IT equipment and stored in archives of the latter type.

The provision of data is obligatory insofar as it is necessary to fulfil contractual or legal obligations relating to the purposes set out in points (a), (b), (c) and (f) above. Concerning points (d) and (e), the provision of the data is optional and may be subject to revocation or opposition as described below. The Data Controller hereby informs you that failure to provide your data or inaccurate communication/updating of your data may result in the impossibility of guaranteeing the adequacy of the processing concerning the regulations in force.

4) Data communication.

Our employees may process the data in customer management, marketing, technical staff, etc. All such employees have received appropriate training and instructions on the minimum security measures required to protect your data.

To process your data, the Data Controller may also use third parties such as:

1. consultants in general, accountants and auditors or lawyers, formally appointed or legally authorised to provide functional services for the above purposes;

2. banking and insurance institutions that provide functional services for the purposes indicated above, including companies that handle payment services accepted by our site as autonomous owners;

3. parties that process data to comply with specific legal obligations;

4. judicial, police or administrative authorities for the fulfilment of legal obligations;

5. websites and third-party providers of communication networks and services;

6. websites and third-party providers of communication networks and services for the processing of communications sent by email, their contents and attachments;

7. Other companies of the Group, namely Virgilio Holding S.p.A., Prodotti Gianni S.r.l., Auriga S.r.l.

Your data may, therefore, be communicated to the subjects mentioned above, who will process it as autonomous data controllers or data processors.

You will be able to check the compliance of these service providers with current legislation on the website of each of them, also by requesting their contact details from the Data Controller in the manner described below.

5) Retention of data.

Your personal data, processed for the above purposes, will be stored under Article 13.2.a of the GDPR. The data will be archived for as long as the holder is subject to retention obligations established by law or regulation for fiscal or other purposes. Following the provisions mentioned above, your data will not be kept longer than is strictly necessary for the purposes described above.

In the event of a dispute with the Data Controller, the data will be processed until the expiry of the period of limitation of each party’s rights. Concerning marketing purposes, the data will be kept for two years unless the data subject expressly objects or withdraws consent.

6) Data Profiling and Dissemination.

Your personal data will not be subject to dissemination or any fully automated decision-making process, including profiling. The exception is when you connect to the website or social network pages that refer to the Data Controller (Facebook, Twitter, etc.), in which case your data may be analysed following the provisions and purposes indicated by the provider of the relevant web service or social network. In the latter case, it is possible that the hosting service provider or the social network in question may use cookies. You are, therefore, invited to check your privacy and security settings in your social profile settings and disable the use of these tools if you do not wish them to be used in this way. Remember that the “Preferences” option, available on the toolbar of most browsers, includes instructions on preventing the browser from accepting cookies, receiving notifications for each new cookie installed, or disabling unwanted cookies. By continuing to use and visit the website or the social profiles of the owner, you automatically consent to the processing of your data and the use of cookies following the settings you have previously defined and as indicated by the hosting server or social network used.

7) Data security.

The Data Controller undertakes to protect its data from unauthorised access or other alteration. This implies using various security measures (passwords, firewalls, antivirus software, backups, etc.) to protect the data stored, as well as constant monitoring of the way the data is collected, stored and processed.

Following the provisions of this policy, the owner will treat all your personal data in strict confidence to preserve its integrity, confidentiality and availability (Art. 32 GDPR) and will take all reasonable measures to ensure the security of your data once in the Data Controller’s possession. Similarly, the Data Controller will impose similar measures on third-party suppliers.

8) Data subject rights.

Your rights under the GDPR include the right to:

– Request access to your personal data and information relating to it; rectify inaccurate data or integrate incomplete data; delete personal data relating to you (if one of the conditions set out in Article 17(1) of the GDPR applies and following the exceptions set out in paragraph 3 of the same article); restrict the processing of your personal data (if one of the cases set out in Article 18(1) of the GDPR applies);

– Request and obtain – in cases where the legal basis of the processing is a contract or consent, and the processing is carried out by automated means – your personal data in a structured, machine-readable format, also to communicate such data to another Data Controller (so-called right to data portability);

– to object at any time to the processing of your personal data in the event of specific situations concerning you;

– withdraw your consent at any time, limited to cases where the processing is based on your consent for one or more specific purposes and concerns ordinary personal data (e.g. date and place of birth or place of residence) or special categories of data (e.g. data revealing your racial origin, political opinions, religious beliefs, health or sex life). However, processing based on consent and carried out before its withdrawal remains lawful;

– file a complaint with a supervisory authority (Data Protection Authority – www.garanteprivacy.it).

9) Contacts

To exercise your rights, you may send a PEC or an email to the Data Controller or contact it at the following address: OLD PHARMA International S.r.l., Via M.F. Quintiliano, 30 – 20138 Milan.