Information on the processing of personal data
In respect of the provisions of EU Reg. 2016/679 (General Data Protection Regulation), we hereby provide you with the due information on the processing of any personal data you may provide.
This privacy notice is rendered in accordance with Art. 13 of EU Reg. 2016/679 and it is also based upon the provisions of Directive 2002/58/EC (Directive on privacy and electronic communications), as updated by Directive 2009/136/EC. The information in this privacy notice describes the methods applied with regard to the processing of personal data.
Athena S.p.A. takes all the technical and organizational security measures necessary to protect your personal data against loss and misuse. In some cases, your personal data are encrypted during transmission using Secure Sockets Layer software technology (SSL).
This Privacy notice is provided only for the websites of Athena S.p.A. and not for other websites that may be consulted by the User through links.
The Data Processing Controller, pursuant articles 4 and 24 of EU Reg. 2016/679 is:
Athena S.p.A., with registered office in Via delle Albere, 13, 36045, Alonte (VI) –Italy, VAT 00589040242, REA VI-139951; Tel. +39 (0)444 727272; Fax +39 (0)444 727222.
Internal Data Processor.
Athena S.p.A. informs the User that it has appointed an Internal Data Processor whose name, along with an updated list of the Internal Privacy Function Managers, is available by sending an email to the Controller.
The Internal Data Processor governs the necessary processing of personal data and coordinates the privacy function managers, in relation to the various company functions represented by specific processing areas.
To exercise the rights indicated in Art. 7 of Italian Legislative Decree 196/2003 and in Art. 15 to 22 of the GDPR 2016/679 (detailed below) or to obtain any additional privacy information, you may contact the Controller at the following details: e-mail: email@example.com; tel: +39 (0)444 727272; fax: +39 (0)444 727222.
In accordance with Art. 4 letter a) of the GDPR, personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
That category includes information such as your personal name, address, telephone number, email, tax code, bank details. Information that cannot be connected directly to you - for example, favourite websites or number of users of a certain website - is not considered personal data.
For the provision and management of the Services with the User, Athena S.p.A. informs you that, in order to allow the GET mobile app to work properly, we can process sensitive personal data such as: a) data concerning health ; b) the location data.
4. Provision of personal data.
Apart from the navigation data as specified above, the provision of personal data for further purposes and methods of processing is not mandatory. Failure to provide personal data could lead to the impossibility to obtain what is requested.
5. Purposes of personal data processing.
Pursuant to art. 6 GDPR, Athena S.p.A. will process personal data lawfully for the following purposes:
5.1. Purposes connected to managing the contractual relationship and providing the Services: your personal data shall be processed for the following activities:
- in order to make it possible the stipulation of Distance Contracts with the Users (hereinafter also the “Contract”), through the e-commerce platform available on this website, allowing Athena S.p.A. to fulfil its obligations under the Contract and the law;
- in order to allow the GET mobile app to work properly. The Services offered by our App and the Website may include various functions based on your location and health status. To provide these Services, Athena S.p.A., partners and licensees could collect, use and share precise location data, such as the real-time location of the mobile device. For some third parties, such as Google, this information will be shared automatically. For others, such as Facebook, this information will be shared only on explicit consent of the user or if the latter chooses to share them.
- in order to pursue pre-contractual purposes, also in relation to the methods provided for in the General Conditions of Sale published on the Website;
- in order to provide communications relating to the performance of the contractual relationship.
5.2. Purposes connected to fulfilling legal obligations and pursuing the legitimate interest:
- in order to allow the Data Controller to fulfil the obligations established by law, regulations or EU legislations;
- in order to prevent or discover fraudulent activities or malicious activities harmful to the Site; for the protection of the legitimate interest of the Data Controller or third parties, unless interests, rights and fundamental freedom of data subject should not prevail;
- in order to resolve any complaints and/or disputes.
5.3. Purposes connected to allow users to register on the Website:
- in order to allow the registration of Users on the Site. We inform the User that the access and the browsing of the Site are free, but the possibility to sign the Contract it is allowed only after registration of the User.
The provision of your personal data for the purposes indicated in points 5.1 and 5.3 is mandatory. Their failure, partial or incorrect conferment could result in the inability to provide the services offered by the Site and for the achievement of the other purposes indicated therein.
Pursuant to the art. 6, paragraph 1 lett. c) – f) of GDPR, it’s not necessary the express consent for the purpose indicated in point 5.2.
5.4. Purposes connected to marketing activities: with your express consent, the Data will be processed for the following purposes:
- market research, economic and statistical analyses; social, cultural and charitable initiatives;
-update on training and marketing initiatives;
- sending of newsletters, advertising/informative/promotional material and updates on initiatives, promotions and offers, internal and external marketing campaigns, even online, aimed at rewarding and/or maintaining the loyalty of Customers; communications and information on activities and events;
- to carry out interactive commercial communications, send by SMS, e-mail, fax, calls without the intervention of an operator;
- to send unsolicited commercial communications pursuant to Article 9 of Legislative Decree 9 April 2003 no. 70 implementing the Directive on Electronic Commerce 2000/31 / EEC. This kind of communication must be immediately and unequivocally identifiable and contain an indication that the recipient of messages may object to receiving such communications in the future.
The conferment of your personal data for the purposes indicated in point 5.4 is optional; their failure, partial or incorrect conferment could result in the impossibility of carrying out the activities indicated therein.
6. Recipients or Categories of Recipients of Data.
Data of personal nature provided may be communicated to employees or collaborators of the Controller who, acting under the direct authority of the latter, process data and are appointed as internal processors or processing officers or System Administrators and they will receive in that regard adequate operating instructions from the Controller; the same will occur - by the Processors appointed by the Controller - in relation to employees or collaborators of the Processors.
The Personal Data may also be brought to the attention of external Processors of the Controller, appointed pursuant to Art. 28 of EU Reg. 2016/679, such as third party companies or other entities that perform outsourced activities on behalf of Athena S.p.A.
Categories of External Processors:
• third party suppliers, manufacturers, distributors, retailers and commercial partners of Athena S.p.A.
• persons, companies or professional firms, providing activity of support, consultancy or collaboration to Athena S.p.A. on accounting, administrative, legal, tax and financial matters relating to the General Terms of Sale;
• credit institutions for profiles relating to the fulfilment of receipts and payments;
• companies that perform on behalf of Athena S.p.A. outsourced activities therein including IT technicians who manage the websites and respective electronic communication infrastructures required for that purpose, appointed as processors;
• external suppliers who provide to Athena S.p.A. support services, appointed as processors;
Personal data will not be disseminated.
The entities belonging to the aforementioned categories perform the role of Data Processor, or they operate in complete autonomy as separate Processing Controllers.
The list of appointed Processors is constantly updated and available at the office of Athena S.p.A. and can be consulted by sending an e-mail to the following address: firstname.lastname@example.org.
7. Possible filling-in by the interested subject by using third parties’ personal data
The user acknowledges that any indication (for example in the filling-in of forms and electronic modules on the site) of personal data and contact information of any third party represents a processing of personal data against which the user acts as Data Controller, thus assuming all the obligations and responsibilities of the law. In this sense, you guarantee Athena S.p.A. that any third party data will be so designated by the user (and that will consequently be processed as if the third party had provided their informed consent to the processing) has provided the user with their full consent full compliance with the Data Protection Code. The user confers indemnification with respect to any dispute, claims of damage from handling, etc. that could reach Athena S.p.A. from any third parties concerned as a result of the data provided by the user in breach of the applicable personal protection data laws.
8. Place, Method of Processing and Data Storage Period.
The Personal Data are processed mainly at the office of the Controller and in the locations in which the External Processors are located. For further information, contact the Controller.
The Personal Data will be processed by means of operations of collection, organisation, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, block, communication, erasure and destruction of the data.
The Personal Data will be processed with electronic/automated media and on paper medium, with logics strictly related to the aforementioned purposes, by way of Databases, electronic platforms managed by Athena S.p.A. or by third parties appointed as processors for that purpose.
The processing will be performed using methods and instruments aimed at guaranteeing the maximum security and confidentiality, by entities specifically instructed for that purpose.
In respect of the provisions of Art. 5 paragraph 1 letter e) of EU Reg. 2016/679 the personal data collected will be stored in a form that allows for the data subjects to be identified for a period of time not exceeding the achievement of the purposes for which the personal data are processed, and in any case erased without unjustified delay.
To find out about the criteria at the basis of the data storage period, write to email@example.com.
The Controller has adopted a large variety of security measures to protect the Customer against the risk of loss, abuse or alteration of the Data. In particular, it has adopted the measures indicated in Articles 32 - 34 of the Privacy Code; Athena S.p.A. uses the data encryption technology established by the AES Standards and the protected data transmission protocols known as HL7 and HTTPS; it complies with the ISO / IEC 27000, WG3 and WG4 standards. Athena S.p.A. stores the Data on servers located in the European territory or, in the case of electronic platforms and Google, they may be transferred to the USA.
The data will not be in any way disseminated or communicated to external entities, without prejudice to legal obligations in that sense.
9. Transfer of Data to a Third Country and/or International Organisations.
Athena S.p.A. does not share, sell, transfer or otherwise disseminate your personal data to third parties located in a third country and/or to international organisations and it will continue not to do so in future, subject to legal obligations, unless this is necessary for the purposes laid down by the contract or if you have provided your explicit consent to that processing.
For requirements strictly linked to the implementation of the contract and the provision of the services, some of your personal data may be communicated to other Group companies, based in non-European third countries.
To enhance the protection of the personal data transferred by Athena S.p.A. based in a State of the European Economic Area (EEA) to a company of the Athena Group in a State outside the EEA, the Athena Group has decided to adopt the Privacy Group Guidelines for all companies that guarantee an adequate level of protection of personal data confidentiality.
All data subjects are, therefore, invited to read the public version of the Athena S.p.A. Privacy Group Guidelines by sending a request to the Processing Controller.
In case you have given your consent for the purposes related to marketing activities and for the purposes connected to recording and image processing, your data may be transferred to non-EU Countries (more specifically in the USA) to be stored on the servers of electronic platforms (eg Google). The transfer is carried out by Athena S.p.A., following the stipulation of Standard Contractual Clauses with the providers of servers and/or services entrusted to third parties, or verification of compliance with the system called "Privacy Shield”.
The Website does not contain any information intended directly for minors. Minors must not give personal data to Athena S.p.A. without parent or guardian’s permission. If you are a minor, you must obtain your parent or guardian’s permission to use the website and ensure that he/she reads these privacy notice.
11. Changes to this Privacy Notice.
Privacy laws and regulations are constantly evolving. As a result, it is possible that this Privacy Notice may be updated. We therefore invite you to consult this page to view our latest version periodically. The continued use of the Website, after a new version of the Privacy Notice has been uploaded on the site, will indicate the approval and consent of the User to the new version.
12. Third-Party Links.
Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
13. Online Dispute Resolution.
Pursuant to art. 14 of Regulation 524/2013, Athena S.p.A. informs that, in the event of a dispute, the User can lodge a complaint via the European Union's ODR platform at the following link http://ec.europa.eu/consumers/odr/. The ODR platform is an access point for users who wish to resolve disputes arising from sales contracts or online services out of court. For more information contact Athena S.p.A. at firstname.lastname@example.org.
14. Rights of Data Subjects.
You have the right to invoke the rights as expressed by Articles 15, 16, 17, 18, 19, 20, 21, 22 of EU Regulation 2016/679, by contacting the Controller, by writing to the address email@example.com.
You may at any time exercise the rights referred to in Article 7 of Legislative Decree 196/2003, reported in full on the website www.garanteprivacy.it by sending a written notice to the address indicated at firstname.lastname@example.org.
For your convenience we reproduce in full the aforementioned Article 7.
You have the right, at any time, to ask the Controller for access to your personal data, to the rectification and erasure of the same and to the restriction on processing. In addition, you have the right to object, at any time, to the processing of your data (including automated processing, e.g. profiling) as well as to the portability of your data.
Without prejudice to any other administrative and jurisdictional recourse, if you believe that the processing of data relating to you violates the provisions of EU Reg. 2016/679, in accordance with Art. 15 letter f) of the aforementioned EU Reg. 2016/679, you have the right to make a complaint to the Data Protection Supervisor and, with reference to Art. 6 paragraph 1, letter a) and Art. 9, paragraph 2, letter a), you have the right to revoke at any time the consent provided.
In the case of a request for data portability, the Processing Controller will provide to you, in a structured, commonly-used and machine-readable format, your personal data, without prejudice to paragraphs 3 and 4 of Art. 20 of EU Reg. 2016/679.
Art. 7 of Italian Legislative Decree 196/2003
(Right to access personal data and other rights)
1. The interested party has the right to obtain confirmation of whether or not personal data concerning him, even if not yet recorded and their communication in intelligible form.
2. The interested party has the right to obtain information on:
a) origin of personal data;
b) purposes and methods of processing;
c) the logic applied in case of processing with the aid of electronic instruments
d) the identity of the owner, manager and the representatives appointed under article 5, comma 2;
e) on subjects or categories of persons to whom the data may be communicated to or who can learn about them as appointed representative in the State, territory as managers or agents.
3. The interested party has the right to obtain:
a) An updating, rectification or, when interested, an integration of data;
b) the cancellation, the transformation into an anonymous form or blocking of data unlawfully processed, including those that do not need to be kept for the purposes for which the data was collected or subsequently processed;
c) certification that the operations noted in letters a) and b), have been brought to knowledge in regards to their contents, to those whom the data has been communicated or disseminated, except where this requirement proves impossible or involves a manifestly disproportionate to the protected right.
4. The interested part has the right to oppose in whole or in part:
a) for legitimate reasons of the processing of personal data, pertinent to the purpose of the collection;
b) the processing of personal data for purposes of sending advertising materials or direct sales or for carrying out market surveys or commercial communications.”