In accordance with current legislation and the provisions of Art. 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 concerning the protection of individuals with regard to the processing of personal data, as well as the free movement of such data (General Data Protection Regulation), hereinafter the "Regulation" or "GDPR", this Policy illustrates the processing of users' personal data carried out in relation to the browsing of this website www.neogy.it (hereinafter the "Website") and, where applicable, in the context of contractual or pre-contractual activities carried out on behalf of the customer or potential customer.
This Website is managed by Neogy Srl, with headquarters in Bolzano, via Dodiciville 8, Tax Code 02945160212, telephone: +39 0471 986111, Certified Email (PEC): info@pec.neogy.it (hereinafter the "Data Controller" or "Controller"), who, as Data Controller, determines the purposes and means of the processing of the personal data provided by you through the Website. For specific enquiries related to the protection of personal data, please send your request to the email address privacy.info@neogy.it.
The Data Controller has appointed, pursuant to Art. 37 of the GDPR, a Data Protection Officer (abbreviated as "DPO"), who can be contacted at the following email address: dpo@neogy.it
PROCESSING PURPOSE
The processing of personal data may have the following purposes:
- to allow the user to browse the Website and use all of its features, check the correct functioning of the Website, allow the user to make better use of the contents and services, also by registering and/or accessing the reserved area
- user interaction on the Website (reserved area, through data provided voluntarily, response to questions posed by the data subject)
- to allow the security checks required by law
- to ascertain responsibility in the event of IT crimes against the Website
- to detect, prevent, mitigate and ascertain fraudulent or illegal activities in relation to the services provided on the Website
- to allow the use of the apps made available by Neogy and use of the related services
- to allow access to the "save and continue" features available on the Website when concluding contracts via the internet, to use contact details in order to facilitate the conclusion of the procedure
- to carry out activities aimed at improving the quality of the services offered, by way of example, through surveys to assess customer satisfaction
- to collect in aggregate and anonymous form data relating to the use of the Website through analytics cookies, similar to technical cookies
- (in case of optional consent) to collect data relating to the use of the Website by the individual user through analytical and statistical cookies
- (in case of optional consent) through profiling and third-party cookies, to directly or indirectly send advertising messages in line with the user's preferences and browsing
For more information on cookies, please refer to the Cookie Policy.
TYPE OF DATA PROCESSED
Neogy will process the Personal Data communicated by the user and/or lawfully collected; in particular, the following categories of Personal Data may be processed:
- Browsing data: the computer and telematic systems and the software procedures responsible for the operation and use of the Website acquire some data, such as the date and time of access, the pages visited, the name of the Internet service provider and the Internet protocol (IP) address used to access the Internet, the Internet address from which the user connects to the Website (URL), etc., the transmission of which is implicit in the use of web communication protocols or is useful for better management and optimisation of the data and email sending system.
- Data collected while browsing through cookies and/or other monitoring technologies on the Website: for more information, see the Cookie Policy
- Data provided voluntarily by the user, such as identification data allowing direct identification, personal data (name, surname, tax code, VAT number, address, etc.), contact data (such as telephone number, email address, etc.) communicated to the Controller: for more information, see the section "Data provided voluntarily by the user"
- Data acquired by Customer Service, such as data provided during interactions with Customer Service, including recording of telephone calls with prior consent or in cases of registration pursuant to a legal obligation
- Reserved area data, such as data provided for the purpose of accessing the reserved area, including any identification and contact data, as well as any other contractual data, necessary to successfully complete the registration (registration data)
LEGAL BASIS OF THE PROCESSING - MANDATORY PROVISION
The Data Controller will process the user's Personal Data in the presence of one or more legal bases provided for by the GDPR:
- following the free, specific, informed, unequivocal consent expressed to the processing by the user: for third-party cookies, profiling cookies and non-aggregated analytical and statistical cookies
- for the purpose of executing a contract to which the user is a party or pre-contractual measures taken at the user's request: for the use of the Website's features, to check the correct functioning of the Website, for the "save and continue" feature, reserved area and/or APP, to respond to questions / requests from the Data Subject, for customer experience
- in fulfilment of a legal obligation to which the Data Controller is subject: for the purposes of the security checks required by law and for the purposes of ascertaining responsibility in the event of hypothetical IT crimes against the Website
- in the presence of a legitimate interest of the Data Controller: for the correct functioning and security control of the Website, for the detection, prevention, mitigation and verification of fraudulent or illegal activities in relation to the services provided by the Website, for the improvement and measurement of customer experience satisfaction, quality control of the services offered.
The provision of Personal Data by the user will be:
- necessary in all cases in which the processing takes place on the basis of a legal obligation or to execute a contract or to fulfil pre-contractual obligations; in the event of any refusal, the Data Controller will be unable to process the user's requests and provide the services requested
- voluntary for the pursuit of other additional purposes.
COLLECTION AND METHOD OF PROCESSING
Data are collected from the Data Subject, i.e. the data that the user provides and those resulting from the use of the Website.
The personal data collected will be processed, with the aid of computerised, telematic and possibly manual means, in order to pursue the purposes specified above. Processing of Personal Data means any operation or set of operations, performed with or without the aid of automated processes and applied to Personal Data or sets of Personal Data, such as collection, registration, organisation, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, limitation, cancellation or destruction.
The IT systems and software used to operate the Website collect some personal data, the transmission of which is implicit in the use of Internet communication protocols (e.g. IP addresses or domain names of the computers used by users connecting to the Website, URI - Uniform Resource Identifier - addresses of the resources requested, time of the request, method used to send the request to the server, size of the file obtained in response, numerical code indicating the status of the response given by the server - successful, error, etc. - and other parameters relating to the user's operating system and IT environment). Although this information is not collected to be associated with identified data subjects, by its nature it could, through processing and association with data held by third parties, allow users to be identified.
These data are used for the sole purpose of obtaining statistical information on the use of the Website, not linked to any user identification data, and to check that it is functioning correctly, and are cancelled immediately after processing.
Furthermore, data will be collected through cookies to manage and improve the browsing experience:
- Technical cookies strictly necessary for the functioning of the Website or to allow the user a better use of the contents and services
- Analytics / analytical and statistics cookies, which allow the collection of data relating to the use of the Website.
- Profiling and third-party cookies to directly or indirectly send advertising messages in line with the user's preferences and browsing.
For further information, including the storage duration of the collected data, please refer to the Cookie Policy.
STORAGE PERIOD
The Personal Data of the Data Subject will be kept for the time necessary to achieve the purposes indicated above, in compliance with the principles of proportionality and necessity, including, where appropriate, to fulfil any related or subsequent obligations required by applicable law.
RECIPIENTS OF PERSONAL DATA
The data collected and processed may be communicated and/or made accessible, for the purposes specified above, to:
- judicial authorities, law enforcement agencies, public administrations, supervisory and control authorities and any other subjects to whom the right to access such data is recognised by law, as well as for the fulfilment of obligations established by law and/or by regulations and/or by public authorities;
- employees, collaborators, suppliers of the Data Controller, in the context of the related duties and/or execution of contractual obligations with reference to the management of the Website and the purposes specified above: by way of non-limiting example, the suppliers of the Data Controller include:
- other companies of the Alperia Group that perform intercompany services for the Controller as well as for other third parties in charge of providing the services instrumental or in any event necessary for the management of the Website;
- companies responsible for providing and managing the services relating to the Website: Konverto SPA, via Bruno-Buozzi 8 - 39100 Bolzano
- (if the Data Subject has given consent to third-party cookies) third-party companies, referring to the list of third-party companies shown in the Cookie Policy
The aforementioned subjects will process the Personal Data as independent data controllers or, if appointed, as data processors or subjects expressly authorised on the basis of instructions received from the Data Controller.
PLACE OF DATA PROCESSING
Processing will take place within the European Union and data will be stored on servers located within the European Union. There is no intention to transfer the data outside the European Union or to an international organisation. Any transfers of Personal Data to countries outside the European Union will be governed by the provisions of Chapter V of the GDPR and, therefore, provided that an adequate level of protection of Personal Data is ensured by virtue of an adequacy decision of the country issued by the European Commission; and, in the absence of such adequacy decision, on the basis of adequate guarantees of a contractual nature, including binding corporate rules and standard contractual data protection clauses.
Google may transfer the user's Personal Data outside the European Union, in particular to the United States, only after anonymisation.
Please refer to the specific Cookie Policy also available in the footer of this website.
Neogy Srl, as Controller of the Website, informs you that the personal data provided voluntarily by the user (through forms on the Website or through the optional, explicit and spontaneous sending of messages by email or traditional mail to the addresses indicated on the Website) may involve the subsequent acquisition of the information provided, necessary to respond to requests (i.e. the address, including email, of the sender or the relative telephone number), as well as any other personal data included in the relative communications.
Such data will be processed for the sole purpose of following up on the user's request by the persons authorised by the Data Controller to carry out the processing and may be communicated to companies of the Alperia Group, as well as other third parties (service providers acting as independent Data Controllers or, if appointed, as Data Processors), only if this is necessary for this purpose.
The provision of such data is optional, but refusal to provide it would not allow the Data Controller to satisfy the request of the Data Subject.
The consent of the Data Subject is not required for the processing of personal data necessary for these purposes, since the processing is necessary for the performance of a contract to which the Data Subject is party or to take steps at his request prior to entering into a contract (Art. 6(1)(b) GDPR) and, where applicable, to comply with a legal obligation (Art. 6(1)(a) GDPR).
The data will be processed by personnel appointed by the Data Controller with procedures, technical and IT tools suitable for protecting the confidentiality and security of the Data Subject's personal data. The processing consists of the collection, registration, organisation, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, dissemination, cancellation, destruction of the data, including the combination of two or more of the aforementioned activities.
Data are kept for the time strictly necessary to provide the user with the requested service and are erased immediately afterwards, subject to further storage obligations established by law. The data will not be disseminated.
In order to carry out the aforementioned purposes, the Data Controller may also use the services of third parties acting on behalf of and in accordance with the instructions of the Data Controller and appointed as Data Processors, such as providers of processing or instrumental services, including, for example, IT service providers for the operation of the Website.
Please also see the Policy for Website users.
The GDPR gives Data Subjects the right to ask the Data Controller for access to their Personal Data, to rectify or erase it (“right to be forgotten”), or to restrict its processing, as well as to object to its processing.
If the processing is based on consent or on the performance of a contractual obligation and is carried out with the aid of automated tools, the Data Subject shall have the right to obtain the relevant personal data in a structured format, in a language generally accepted in the industry and readable by automatic means, and, if technically feasible, to request its communication to another controller without impediment.
Data Subjects then have the right to withdraw their consent at any time, without prejudice to the lawfulness of the processing based on the consent given prior to the withdrawal.
The above description is indicative, with reference to articles 7, 15-22, of the GDPR.
To exercise these rights, the Data Subject may contact the Data Controller by sending a written request to the dedicated email address: privacy.info@neogy.it
The Data Controller has appointed, pursuant to Art. 37 of the GDPR, a Data Protection Officer (DPO), who can be contacted at the email address: dpo@neogy.it, specifying the content of the request in the subject line.
Users of the Website have the right to withdraw their consent to the use of non-technical cookies, such as analytical and statistical cookies and/or profiling cookies and third-party cookies, as well as to refuse to accept cookies used for marketing purposes, without affecting the functioning and features of the Website, by accessing the relevant section at the bottom of the pages visited.
Data Subjects always have the right to lodge a complaint with the Italian Data Protection Authority.
The Italian Data Protection Authority can be contacted via the contact details indicated on the Authority's website www.garanteprivacy.it.
1. Data Controller
The data controller (i.e. the subject who determines the purposes and means of the processing of personal data, hereinafter the "Data Controller" or "Controller") is Neogy Srl, in the person of its pro tempore legal representative, based in Bolzano, via Dodiciville 8, Tax Code 02945160212, telephone: +39 0471 986111, Certified Email (PEC): info@pec.neogy.it
For contacts relating specifically to the protection of personal data, including the exercise of the rights referred to in point 9 below, you are kindly requested to address any queries you may have to the following email address: privacy.info@neogy.it
2. Contact details of the data protection officer
We inform you that the Data Controller has appointed, pursuant to Art. 37 of the GDPR, a Data Protection Officer (abbreviated "DPO"), who can be contacted through the following channels:
- Data Protection Officer (DPO) c/o Neogy Srl, via Dodiciville No. 8, 39100 Bolzano
- telephone +39 0471 986111
- email: dpo@neogy.it
3. Purpose of the processing
The processing of personal data may have the following purposes:
1) the drawing up of contracts and the fulfilment of contractual obligations (for and on behalf of the Data Controller) and therefore for purposes strictly related to the management of customer relations, including administrative and accounting formalities and obligations (for example: the acquisition of information preliminary to the conclusion of a contract; the execution of operations based on the obligations deriving from the contract concluded with customers, including, where necessary, the activation of the POD and any request for incentives; to manage discounted rates; to implement the agreed payment methods; for operational and managerial needs; the preparation of reports regarding the contractually agreed services; for payment control needs and consequent actions; to access and possibly use all the services, including interactive ones, of the Website and the APP, etc.; the acquisition of the information necessary for the management of complaints and/or requests for information relating to services; dispute management - contractual breaches; notices; transactions; debt collection; arbitration; legal disputes, etc.-);
2) fulfilment of regulatory obligations (from both national and community sources) and the provisions issued by authorities legitimated by the law and by supervisory and control bodies;
3) (if the data subject does not object) to send communications to the email address provided by the data subject for the direct sale of products or services similar to those already supplied, provided that the data subject, having been duly informed, does not object to such use, either initially or in subsequent communications;
4) (with the consent of the data subject) the promotion and sale of products and services (including those of Group companies, but without the transfer of data to them), carried out by means of letters, telephone, advertising material, automated communication systems, newsletters via email, etc. Market and customer satisfaction surveys, carried out also through the work of specialised companies, by means of personal or telephone interviews, questionnaires, online surveys, aimed at the specific proposal of products and services (marketing);
5) (with the consent of the data subject) carrying out automated activities aimed at analysing preferences, habits and/or consumption choices in order to offer products or services that are in line with interests (profiling);
6) (with the consent of the data subject) communication of data to third parties for marketing purposes and/or customer satisfaction surveys.
4. Type of data processed
The following categories of Personal Data may be processed:
- surname, first name, place and date of birth, residence;
- tax code and/or VAT number;
- telephone number and/or email address, certified email (PEC) and/or other contact details;
- address and street number of the place where the contractually agreed services are provided;
- delivery address for invoices and recipient code (SDI code);
- data relating to contractually agreed services, such as for example PODs, consumption and/or charging data including card identification data for charging services
- payment methods (IBAN, identification details of payments, etc.).
5. Legal basis of the processing and obligation to provide data
With regard to purpose 1), "drawing up of contracts and the fulfilment of contractual obligations", there is no obligation to provide data in the pre-contractual phase, but failure to provide it will make it impossible to follow up on the request for service provision; once the contract has been concluded, the provision of any other data required, or the updating of data already provided, is mandatory for all legal and contractual obligations, and therefore any refusal to provide them, in whole or in part, may make it impossible for the Company to perform the contract and may in any case constitute a breach of contract on the part of the Customer or a violation of the law.
As regards purpose 2), "fulfilment of regulatory obligations or provisions of the authorities", you will be asked for the data relevant to the fulfilment of these obligations by the Data Controller, if they are not already available because they were collected for purpose 1), and failure to provide them could constitute a breach of the law on your part.
The legitimacy of the data processing for the above-mentioned purposes 1) and 2) therefore derives from the fact that it is necessary for the performance of the contract to which you are a party (or, in the pre-contractual phase, in relation to pre-contractual measures taken in the context of the contracting) or for the fulfilment of legal obligations connected to the contract itself or, in any case, to the provision of the service.
Therefore, the legal basis of the processing for purposes 1) and 2) consists in the fact that the processing is necessary: for the execution of the contract with you or of the pre-contractual measures adopted at your request; for the fulfilment of a legal obligation to which the Data Controller is subject or for the execution of a task of public interest or connected to the exercise of public powers with which the data controller is invested.
As regards the other purposes, provision is optional and the processing will take place only with your consent as a data subject; therefore, also in relation to data already communicated for purposes 1) and 2), in the absence of your consent for the specific further purpose, the processing will not be carried out. Consequently, if you do not provide any data that may be further necessary for the specific purpose and do not expressly consent to the related individual processing, the activities described in purposes 4) to 6) will not be carried out, while the processing referred to in purpose 3) may take place unless you, having been adequately informed, refuse such use, either initially or on the occasion of subsequent communications, as provided for in Art. 130(4) Legislative Decree 196/2003 as amended.
6. Collection, methods of processing and storage
The data is collected from the data subject, i.e. the data that you provide to us and that results from the use of the contractually agreed services.
The processing will be carried out:
- through the use of manual and automated systems;
- by subjects or categories of persons authorised to carry out the related tasks;
- with the use of adequate measures to guarantee the confidentiality of the data and to prevent access to them by unauthorised third parties.
With reference to the purposes from 3) to 6) of the previous point 3, it should be noted in particular that personal data will also be processed by:
- the use of automated calling or call communication systems;
- electronic communications by email, fax, MMS (Multimedia Messaging Service) or SMS (Short Message Service) or other types of communications;
- the use of the telephone with operator and paper mail.
As regards purposes 1) and 2) of the previous point 3., your data will be kept for the entire duration of the contractual relationship, and, after the termination of the relationship - limited to the data necessary at that point - for the extinction of the obligations assumed contractually and for the fulfilment of any legal obligations and for the needs of protection, including contractual ones, connected or deriving from it.
For purpose 4) of the previous point 3., processing will cease in any event - if you do not withdraw your consent first - at the end of the contractual relationship. For purposes 3), 5) and 6) of the previous point 3., processing may last until the consent is withdrawn and in any event no later than two years from the termination of the contractual relationship or from the renewal of the consent.
There are no automated decision-making processes, except for (should you express your consent) profiling - see previous point 3. purpose 5) -, which may also take place by cross referencing the personal data collected in relation to the provision of the service and the relative use of several different features among those made available to the user and through the use of other identifiers (authentication credentials, cards, etc.), necessary to trace specific actions or behavioural patterns recurring in the use of the features offered (patterns) back to specific, identified or identifiable subjects.
7. Data communication
The data collected and processed may be communicated, exclusively for the purposes specified above, to:
- all subjects to whom the right to access such data is recognised by virtue of regulatory provisions;
- employees, collaborators, suppliers of the Data Controller, in the context of the related duties and/or contractual obligations relating to the execution of the contractual relationship with data subjects; among the suppliers of the Data Controller we note, by way of example, other Group companies that perform activities for intercompany service contracts, banks and credit institutions, insurance companies, legal advisers, lawyers, tax advisers and accountants, debt collection companies, companies that detect financial risks and perform fraud prevention activities, companies that read meters, companies that print and envelop invoices, delivery companies, etc;
- public administrations and supervisory and control authorities;
- (if data subjects have given consent to purpose 4) of the previous point 3.) to companies appointed to carry out personal or telephone interviews, questionnaires, online surveys;
- (if data subjects have given consent to purpose 6) of the previous point 3.) to the parent companies, subsidiaries and associates of the Alperia Group - therefore for situations other than Intercompany collaborations falling under b) above - and to third party commercial partner companies.
8. Place of data processing and transfer of personal data
The performance of the activity takes place in the European Union. There is no intention to transfer the data outside the European Union or to an international organisation.
In the event that the processing of Personal Data in countries outside the European Union is necessary, the transfer will be regulated in accordance with the provisions of Chapter V of the GDPR and, therefore, provided that an adequate level of protection is guaranteed, recognised by a specific adequacy decision expressed by the European Commission; and, in the absence of this decision of adequacy, only if adequate guarantees of a contractual nature are provided by the Data Controller and the Processors involved, including binding company rules and standard contractual data protection clauses.
9. Rights of the Data Subject
The GDPR grants the Data Subject the exercise of the following rights with respect to the personal data concerning them (the summary description is indicative, so please refer to the GDPR, and in particular articles 15-22):
a) access to personal data (you will therefore have the right to obtain free information regarding the personal data held by the Data Controller and the related processing, as well as to obtain a copy in an accessible format);
b) rectification of data (the Data Controller will, upon your notification, correct or supplement any of your data, other than data expressing evaluations, that are incorrect or inaccurate, even if they have become so because they were not updated);
c) withdrawal of consent (if the processing takes place on the basis of the consent expressed by you, you can withdraw the consent at any time, without prejudice to the lawfulness of the processing provided before the withdrawal);
d) erasure of data (right to be forgotten) (for example: the data are no longer necessary with respect to the purposes for which they were collected or processed; have been processed unlawfully; must be deleted to comply with a legal obligation; you have withdrawn your consent and there is no other legal basis for the processing; you object, if the conditions exist, to the processing, pursuant to letter f) below);
e) limitation of processing (in certain cases - disputing the accuracy of the data, in time for the necessary verification; dispute of the lawfulness of the processing with opposition to cancellation; necessity of use for the rights of the Data Subject of defence, while they are no longer useful for the purposes of the processing; if you object to the processing, the data will be stored, while the necessary checks are being carried out, in such a way that they can be restored if necessary, but in the meantime they cannot be consulted by the Controller, except precisely in relation to the validity of your request for restriction, or with your consent, or for the establishment, exercise or defence of a legal claim, or to protect the rights of another natural or legal person, or for reasons of significant public interest of the Union or of a Member State);
f) objection, in whole or in part, to the processing of your data for legitimate reasons (in certain circumstances, you may still object to the processing of your data, in particular, where your personal data are processed for direct marketing purposes, you have the right to object at any time to the processing, including profiling, insofar as it relates to such direct marketing. If personal data are processed for scientific, historical research or statistical purposes, you have the right to object on grounds relating to your particular situation, unless the processing is necessary for the performance of a task of public interest);
g) data portability (where the processing is based on consent or on a contract and is carried out by automated means, you will, at your request, receive the personal data concerning you in a structured format, in a language generally accepted in the industry and in a form readable by an automated device, and will be able to have them communicated to another controller without hindrance from the Data Controller to whom they were originally communicated and, where technically possible, to have such communication carried out directly by the Controller);
h) lodge a complaint with the supervisory authority (Italian Data Protection Authority).
The Italian Data Protection Authority can be contacted via the contact details indicated on the Authority's website "www.garanteprivacy.it".
The other rights of the Data Subject can be exercised by request to the following email address:
or to the other contact details of the Data Controller indicated above.
January 2022 update