Privacy Notice

Art. 13 of Regulation (EU) 2016/679

Dear Client,
Exelab S.r.l., as Data Controller, processes your personal data in compliance with the general principles and specific provisions of Regulation (EU) 2016/679.
In accordance with Article 13 of the aforementioned Regulation, we inform you of the following characteristics of the processing, as well as the rights granted to you under the law.

Personal Data Subject to Processing

The Data Controller collects and processes the following personal data relating to the data subject, who is a client of the company:

Identification data (name, surname, place and date of birth, tax code);
Accounting and tax data;
Contact details (residential address, email, phone number).

Purposes of Processing and Legal Bases

The Data Controller collects and processes the personal information of the data subject for the following purposes:

To administratively manage the assigned task, including entering the client’s data into corporate systems and carrying out all activities necessary for the proper fulfillment of contractual obligations (the legal basis for processing is the performance of contractual obligations between the parties);
To manage the client relationship from an accounting and fiscal perspective, including issuing invoices and managing payments (the legal basis for processing is the performance of contractual obligations and compliance with legal obligations);
To fulfill legal obligations (the legal basis for processing is compliance with legal requirements);
To manage any disputes (the legal basis is the legitimate interest of the Data Controller, specifically the right of defense in any legal or extrajudicial proceedings).

Purposes as Data Processor

Within the scope of the service provision, the Data Controller acts as a Data Processor for all data the client inputs into the applications and services provided. The relationship between the client and the processor is regulated by specific addenda to the contracts.

The data collected for these purposes will be used exclusively for the purposes related to the proper provision of the service. These data will not be disclosed and will only be shared with sub-processors (appointed as sub-processors) necessary for the provision of the service (e.g., providers, hosting services, technical partners).

Methods of Processing and Data Retention

The personal data of the data subject are processed both in paper form and electronically (e.g., through the use of databases, application software).

The Data Controller retains the personal information of the data subject only for the time necessary to achieve the purposes for which it was collected and processed or for the period required by specific applicable legal provisions. In particular, the client’s personal data will be retained by the Data Controller for ten years from the termination of the engagement, in line with the terms established by current regulations.

Scope of Communication, Both Internal and External

The personal data of the data subject may be accessed by employees of the Data Controller who require it to manage the client relationship, particularly administrative personnel and project execution staff. Our employees have been trained and instructed on the legal provisions for protecting personal data.

The Data Controller shares the data subject’s personal information with certain third-party suppliers who assist in managing the client relationship. In particular, these include third parties engaged for task management (e.g., external professionals) and for accounting and tax matters (e.g., banks, consultants, audit firms).

Should any third-party supplier have access to the data, it will do so in compliance with applicable data protection laws and in accordance with the instructions given by the Data Controller in the designation acts as External Processor. The Data Controller does not share personal information with other third parties without the data subject’s consent, unless required by law or a competent authority (e.g., in cases where it is necessary for national security or public interest reasons).

Providing personal data is optional; however, refusal to provide such data makes it impossible to establish and manage the relationship between the parties.

Transfer of Data Outside the EEA

The data of the data subject will not be transferred outside the European Economic Area.

Data Subject’s Rights and Methods of Exercising Them

Regulation (EU) 2016/679 guarantees the data subject specific rights (Articles 15-22). For each processing activity, the data subject has the right to:

Access: Obtain a copy of personal data held by the Data Controller and being processed;
Rectification: Request corrections to personal data held by the Data Controller if they are not updated and/or accurate;
Object to processing for commercial purposes: Request the Data Controller to stop sending marketing communications;
Object to decisions based solely on automated processing, including profiling;
Withdraw previously given consent at any time;
Lodge a complaint with the Data Protection Authority if concerned about the Data Controller’s processing activities.

In specific circumstances, the data subject may also exercise the following rights:

Erasure: Request deletion of data when the purposes for processing have ceased, and there are no legitimate interests or legal requirements mandating retention;
Restriction of processing;
Data portability: Receive data in a structured, commonly used format to transfer to another Data Controller.

Contacts for Exercising Rights

The data subject can exercise these rights at any time by contacting Data Controller at the following addresses:
Exelab S.r.l., Via Angelo Poliziano, 43 – 00184 Rome, privacy@exelab.com - Certified Email (PEC): exelab@pec.it
The Data Protection Officer (DPO) is Comesifa Srls, represented by Francesco Loppini, who can be reached at the following email address: dpo@exelab.com.

The Data Controller will ensure a response within the timeframes established by the law.