Privacy notice for the users of the website

Pursuant to the legislation applicable to protection of personal data (“Privacy Legislation”), including EU Regulation 2016/679 (“GDPR”), DATA4 Services S.A.S.U. (“DATA4“ or the “Company”, the “Data Controller”), as data controller, provides users (hereinafter the “Users” or “Data Subjects” or, in the singular, the “User” o “Data Subject”) of the website www.data4group.com (the “Website”), that will process their personal data collected through the Website itself in the modalities and for the purposes described in this privacy notice (the “Notice”).

This Notice applies solely and exclusively to the Website and do not apply to other websites owned by third parties that can be accessed by the User through any links that may be contained in the Website. Whether the User access another website, the Company recommends to read the information regarding the processing of personal data applicable to that website.

By browsing the Website, the User acknowledges that he/she has read and understood the content of this Notice.

1.    WHAT IS PERSONNAL DATA?

Personal data is any information that makes a natural person to be identified or identifiable (whose identity can be determined directly or indirectly, in particular by means of an identifier).

2.WHO IS THE DATA CONTROLLER?

The Data Controller is DATA4 Services S.A.S.U., with registered office in 6 rue de la Trémoille, 75008 Paris (FR), fiscal code No. FR35493254643, to be contacted at the following e-mail address: privacy@data4group.com. DATA4 Services S.A.S.U. is one of the companies of the DATA4 Group (the “DATA4 Group”).

3.  WHAT PERSONAL DATA WE PROCESS THROUGH THE WEBSITE?

The Company will process exclusively the following types of personal data of Users who browse and interact with the web services of the Website and, in particular:

(i) Personal data collected while a User is browsing the Website

The computer systems, cookie technology and software procedures that are used to run the Website collect, during their normal functioning, certain data whose transmission is implicit when using the Internet. This kind of information is not acquired for purposes directly linked to identifiable data subjects but could, due to its nature, be processed and aggregated with the data held by third parties, in such a way as to make User identification possible.

This category of data includes, for example, the IP addresses or the domain names of the computers used by the Users who connect to the Website, the pages visited by the Users within the Website, the domain names and addresses of the websites from which the User accessed to the Website (through referrals), the URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used in submitting the request to the web server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server, and other settings relating to the type of browser (e.g. Internet Explorer, Google Chrome, Firefox), operating system (e.g. Windows) and computer environment of the User.

These data are also collected by means of cookie technology, namely text files and numbers that are installed while browsing a website, in the memory of the device (PC, smartphone or tablet) connected to the Internet through the browser application installed therein. For further details regarding the cookies used on the Website, we invite the Users to read the Cookie Policy available at the following link: Cookies Policy.

(ii) Personal data directly provided by the User in the context of the communication with the Company

These data are provided directly by the User to the Company (such as, but not limited to: name, last name, phone number, e-mail address, function, company, any personal data of the sender contained in e-mail communications or attachments thereto, etc.), following the sending of a communication through the form contained in the section “Contact” of the Website.

4.    FOR WHAT PURPOSES, ON WHAT LEGAL BASIS, AND FOR HOW LONG DO WE PROCESS PERSONAL DATA?

Personal data provided by the User will be processed for the following purposes (“Purposes”):

Purposes of the processing Legal basis of the processing Retention period
a) To fulfil legal, accounting and tax obligations to which the Company is subject. Article 6(1)(c) of the GDPR:

legal obligation to which the Data Controller is subject.

The personal data collected for this Purpose will be retained and processed for the entire duration of browsing and, subsequent to its termination, in any case, no longer than 13 months.
b) To allow Users to browse the Website. Article 6(1)(f) of the GDPR:

Data Controller’s legitimate interest to: (i) inform the User, through the contents of the Website, and to promote with them the Company‘s background, the activities carried out and the services offered; (ii) improve the quality and the structure of the Website, as well as to create new services, functionalities and/or features thereof.

The personal data collected for this Purpose will be retained and processed for the entire duration of browsing and, subsequent to its termination, in any case, no longer than 13 months.

IP address – while browsing and which can legally be considered personal data is stored for a period of 7 days unless reasonably justified incident indicates a longer storage period (e.g. due to a hacking attack or Legal Hold is ordered in connection with legal proceedings).

c) To interact with the User that is interested to Company‘s services, through the contact form available on the Website. Article 6(1)(f) of the GDPR:

Data Controller’s legitimate interest to: (i) use the information as submitted in the contact form  for business development purposes and to handle the User’s request.

The personal data collected for this Purpose will be retained only for as long as is strictly necessary to achieve the Purposes for which they were collected and, in any case, no longer than 3 years after latest expressed contact interestfrom User.
d) To carry out the maintenance and technical assistance necessary to ensure the proper functioning of the Website and the services connected to it. Article 6(1)(f) of the GDPR:

Data Controller’s legitimate interest to: (i) improve the quality and the structure of the Website, as well as to create new services, functionalities and/or features of the Website; (ii) for the management and processing of statistical surveys on the use of the Website (after personal data anonymization). 

The personal data collected for this Purpose will be retained and processed for the entire duration of browsing and, subsequent to its termination, in any case, no longer than 13 months.
e) To enable the Company to exercise its rights in court and suppress unlawful conduct and to the extent necessary to establish or assert or defend against claims.. Article 6(1)(f) of the GDPR:

Data Controller’s legitimate interest to: (i) prevent the occurrence of fraud or other crimes through the use of the Website; (ii) for the management of the Data Controller or a third party’s litigation in court; (iii) establish or assert claims by Data Controller or its affiliated companies or to defend against claims by Data Controller or its affiliated companies.

The personal data collected for this Purpose will be retained only for as long as is strictly necessary to achieve the Purposes for which they were collected and, in any case, no longer than 6 years after the claim arises, provided that the limitation period ends at the end of the year.
f) To enable the Company to send to the User communications by e-mail regarding products, initiatives and/or services proposed by the Company and/or newsletters, or other advertising, informative or promotional material.

Marketing activities may include market research and surveys that are carried out to determine the level of satisfaction of data subjects and to conduct statistical analysis, even by using aggregated anonymous data.

Article 6(1)(a) of the GDPR:

consent of the data subject.

Users with whom the Company has had contractual relationships are informed that the Company may send them communications regarding similar services and products, without their consent, in compliance with all legal provisions in force and applicable from time to time, provided that the Users have not refused the sending of such communications.  In this case, the legal basis is the legitimate interest of the Data Controller to carry out Company’s marketing and promotional activities towards the Users of the Website, pursuant to article 6(1)(f) of the GDPR.

The Data Controller also informs the User that he/she has the possibility to (i) withdraw, at any time, any consent given, it being understood that the withdrawal of consent does not affect the lawfulness for the processing based on consent given prior to withdrawal; (ii) object, at any time, for the processing of his/her personal data on the basis of the Company’s legitimate interests.

In particular, in the event that the User, in the future, wish to stop receiving any communications send by the Company for marketing purposes, he/she can unsubscribe from the mailing list by selecting the “Unsubscribe” link at the bottom of the e-mail communications.

The data subjects‘ personal data processed for marketing purposes will be retained  until the data subject requests to erase it or withdraws the consent and, in any case, no longer than 36 months after their collection.
g) To communicate to third parties for the purpose of carrying out their own marketing activities (e.g., companies of DATA4 Group such as, Data4 Services Italy and Data4 Luxembourg) in order to enhance the corporate image externally and thus for corporate identity reasons. Article 6(1)(a) of the GDPR:

consent of the User.

The personal data collected for this Purpose will be retained only for as long as is strictly necessary to achieve the Purposes for which they were collected and, in any case, no longer than 12 months after their collection. or until withdrawal of the consent (i.e. unsubscribing).

At the end of the retention periods, the personal data will be erased, unless the Company needs to carry out the data processing activities a) and e) described in the chart above, if necessary, after minimization, to retain them.

In the event that the Company decides to process the personal data collected for any other purposes inconsistent with the Purposes for which the personal data were originally collected or authorized, the Company will inform the User in advance and the Data Controller will gather his/her consent for such processing activity, if needed.

5.    NATURE OF THE PROVISION OF PERSONAL DATA

The provision of the personal data provided by the User occurs automatically by browsing the Website. Therefore, if the User does not intend to provide any personal data by browsing the Website, please do not visit this Website, do not otherwise use this Website or do not provide your consent when such option is offered to you pursuant to the Privacy Legislation.

The provision of the personal data directly provided by the User in order to communicate with the Company is optional. However, failure to provide such personal data could lead to the impossibility for the User to receive replies to communication sent by the User to the Company.

The provision of personal data processed, only with the consent of the User, for marketing and promotional Purposes is optional. However, failure to give consent for this Purpose will result in not receiving marketing and promotional information.

6. HOW WE PROCESS PERSONAL DATA?

In relation to the above-mentioned Purposes, the processing of personal data may consist in the activities indicated in Article 4(1)(2) of the GDPR, namely: collection, recording, organization, storage, consultation, processing, restriction, erasure and destruction of personal data.

Moreover, Data Subjects‘ personal data will be:

  • processed in accordance with the principles of lawfulness, fairness and transparency;
  • collected for the above-specified legitimate Purposes;
  • adequate, relevant and limited to what is necessary in relation to the Purposes for which they are processed;
  • kept in a form which permits identification of the Data Subject for no longer than is necessary for the Purposes for which the personal data are processed as specified in the above Section 4;
  • processed in a manner that ensures appropriate security of the personal data from the risks of destruction, loss, alteration, unauthorised disclosure or access through technical and organisational protection measures.

The processing may be carried out using manuals, computerized or technology tools, with logic strictly related to the Purposes and, in any case, with means that ensure compliance with the requirements and prescriptions of confidentiality and security, and with the specific obligations provided in the applicable legislation.

7.    TO WHOM WE COMMUNICATE PERSONAL DATA?

User‘s personal data will be processed by the Company‘s employees and collaborators, specifically designated as authorized persons for the processing pursuant to the Article 29 of the GDPR.

The Company may disclose the User’s personal data for the Purposes indicated in the above Sections 4 to Company’s supervisory and/or control bodies, judicial authorities and to any other entities to which the disclosure is required by law for the fulfillment of the said Purposes, acting as autonomous data controllers.

Furthermore, the Company may assign certain operations of processing of personal data carried out for the Purposes referred to in the above Sections 4 to categories of recipients, expressly selected and appointed by the Company, if necessary, as data processors pursuant to the Article 28 of the GDPR, including but not limited to:

  • DATA4 Group Companies;
  • the Website’s technical service providers;
  • the hosting provider offering services for hosting the Website;
  • communication agencies involved in market research activities that may be carried out by the Company using, after anonymization, Users’ browsing data.

Users’ personal data will not be disclosed to the public or to undefined persons.

8. DO WE TRANSFER PERSONAL DATA TO COUNTRIES OUTSIDE THE EEA?

The processing and storage of personal data will take place on Company’s servers located within the European Economic Area and/or third-party companies duly appointed as data processors.

Any transfer of Users’ personal data outside the European Economic Area may take place only under the terms and with the guarantees provided for by the Privacy Legislation and, in particular, in accordance with Articles 44 – 49 of the GDPR.

9. THIRD PARTIES WEBSITES

It should be noted that, should the Website contain links that refer to websites of third parties, the Company cannot exercise any control over the content of such websites nor does it have any access to the personal data of the users/visitors of these websites. Moreover, the Company has no access to the personal data of visitors/users of the websites.

The owners of the aforementioned websites will remain, therefore, the sole and exclusive owners and managers of the processing of their users’ personal data, and the Company remains extraneous to this activity as well as to any liability, prejudice, cost, which may arise from its failure or improper performance.

We therefore recommend you to carefully read the relevant privacy notices and terms of use of such websites, before providing or consenting for the processing of your personal data.

10. WHAT ARE YOUR RIGHTS IN RELATION TO THE PROCESSING OF YOUR PERSONAL DATA?

The User, as data subject, in accordance with the law, will always have the right to withdraw at any time his/her consent, where given, which does not affect the lawfulness of processing based on consent before its withdrawal, as well as to exercise, at any time, the following rights:

  1. the “right of access” and, specifically, the right to obtain confirmation as to whether or not personal data concerning the User are being processed and the communication of such data in an intelligible form;
  2. the “right to rectification” i.e. the right to request the rectification or, if interested, the integration of personal data;
  3. the “right to erasure” i.e. the right to request the erasure or the anonymization of personal data that have been processed unlawfully, including data whose storage is unnecessary for the Purposes for which they were collected or further processed;
  4. the “right to restriction of processing” i.e. the right to obtain from the Data Controller the limitation of the processing in certain cases provided for under the Privacy Legislation;
  5. the right to request the Data Controller to indicate the recipients to whom it has notified any rectification or erasure or restriction of processing (carried out in accordance with Articles 16, 17 and 18 GDPR, in fulfillment of the notification obligation unless this proves impossible or involves disproportionate effort);
  6. the “right to data portability” i.e. the right to receive (or transmit directly to another data controller) personal data in a structured, commonly used and machine-readable format;
  7. the “right to object”, i.e. the right to object, in whole or in part:
    • the processing of personal data carried out by the Data Controller for its own legitimate interest;
    • the processing of personal data carried out by the Data Controller for direct marketing or profiling purposes.

In the above cases, where necessary, the Data Controller will inform the third parties to whom the User‘s personal data have been disclosed of his/her exercise of rights, unless it is not possible or is too onerous and, in any case, in accordance with the provisions of the Privacy Legislation.

It is expressly understood, as provided in Article 21 of the GDPR, that in the event that the data subject exercises his/her right to object, the Data Controller will refrain from any further processing of the personal data, unless the Data Controller demonstrates the existence of binding legitimate reasons to proceed with the processing that override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of a right in court.

In any case, the Company – where it has reasonable doubts as to the identity of the data subject making the request referred to in Articles 15 to 21 of the GDPR – may request additional information to confirm the identity of the data subject.

11. EXERCISE OF RIGHTS AND COMPLAINTS TO THE DATA PROTECTION AUTHORITY

The User is entitled to exercise his/her rights at any time in the following manner:

  • by e-mail, to the address: privacy@data4group.com
  • by sending a letter to the address of the registered office of DATA4 as indicated in this Notice.

The Data Controller hereby informs the User that, pursuant to the Privacy Legislation, he/she has the right to lodge a complaint with the competent supervisory authority (in particular in the Member State of User’s habitual residence, place of work or place of the alleged breach), if he/she is of the opinion that his/her personal data are being processed in a way that would lead to breaches of the GDPR.

In order to facilitate the exercise of the right to lodge a complaint, the name and contact details of the European Union Supervisory Authority are available at the following link: https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm

12. UPDATES TO THE PRIVACY NOTICE

This Notice may be amended over the time. We encourage the User to check its contents periodically. In any case, it will be the Data Controller’s responsibility to report appropriately any significant amendments made to this Notice.

Last update on: July 2024