INFORMATION ON THE PROCESSING OF PERSONAL DATA (Pursuant to Articles 12 and 13 of EU Regulation 2016/679 of the European Parliament and of the Council)

The company Karma Srl, Via Venti Settembre 118, 00187 Rome (RM), VAT number 16036661003, as Data Controller, hereby informs you that EU Regulation 2016/679 of the European Parliament and of the Council ("General Data Protection Regulation") establishes rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of such data.

The regulation protects the fundamental rights and freedoms of natural persons, in particular the right to the protection of personal data.
The data controller (natural or legal person who determines the purposes and means of the processing of personal data) adopts appropriate measures to provide the data subject with all information relating to the processing.
In accordance with the aforementioned regulations, such processing will be based on principles of correctness, lawfulness, and transparency, and the protection of your privacy and your rights.
Pursuant to Articles 12 and 13 of EU Regulation 2016/679, in the event of data concerning the data subject being collected from the data subject, the Data Controller shall provide the data subject with the following information at the time the personal data are obtained:

Subject of Processing

The Data Controller processes personal and identifying data relating to a natural person (data subject), such as, for example, name, surname, identification number, company name, address, telephone, email, bank and payment details, electronic traffic data (logs, originating IP address), etc., communicated by you upon the conclusion of contracts for the Controller's services.


Data Controller and Representative of the Data Controller

The Data Controller is: Karma Srl.
c/o Karma Srl Via Venti Settembre 118, 00187 Rome (RM), VAT number 16036661003, Tel. +39 0632092589, info@serom.it

The Representative of the Data Controller (where applicable) is: Not appointed. The updated list of Data Processors (where applicable) and persons authorized to process data is kept at the registered office of the Data Controller.

Data Protection Officer (where applicable)
The Data Protection Officer is: Not appointed.
 
Purpose of data processing
The data serves the Controller to follow up on the registration request and the contract for the supply of the purchased product, to manage and execute contact requests sent by the Data Subject, to provide assistance, and to fulfill legal and regulatory obligations to which the Controller is subject based on the activity carried out. Under no circumstances does Karma resell the Data Subject's personal data to third parties or use them for undeclared purposes.
In particular, the Data Subject's data will be processed for:
a) registration and contact and/or information material requests
The Data Subject's personal data is processed to carry out the activities preliminary and subsequent to the registration request, to manage information and contact requests and/or the sending of informative material, and to fulfill any other resulting obligation.
The legal basis for such processing is the fulfillment of services inherent to the registration request, information and contact, and/or sending of informative material, and compliance with legal obligations.
b) contract management
The Data Subject's personal data is processed to carry out the activities preliminary and subsequent to the purchase of a product, the management of the related order, the provision of the Service itself and/or the production and/or shipping of the purchased Product, the related invoicing and payment management, the handling of complaints and/or reports to the assistance service and the provision of assistance itself, fraud prevention, as well as the fulfillment of any other obligation deriving from the contract.
The legal basis for such processing is the fulfillment of services inherent to the contractual relationship and compliance with legal obligations.
c) promotional activities on products similar to those purchased by the Data Subject (Recital 47 GDPR)
The data controller, even without your explicit consent, may use the contact data communicated by the Data Subject for direct sales of its products, limited to cases where the products are similar to those already purchased, unless the Data Subject explicitly objects.
d) commercial promotion activities on products different from those purchased by the Data Subject
The Data Subject's personal data may also be processed for commercial promotion purposes, for surveys and market research regarding products offered by the Controller only if the Data Subject has authorized the processing and does not object to it.
Such processing may occur, in an automated manner, using the following methods:
- email (newsletter)
- telephone contact
and may be carried out:
1. if the Data Subject has not withdrawn their consent for the use of the data;
2. if, in cases where processing occurs through contact with a telephone operator, the Data Subject is not registered with the opt-out register referred to in Presidential Decree no. 178/2010.
The legal basis for such processing is the consent given by the Data Subject prior to the processing itself, which can be freely and at any time withdrawn by the Data Subject (see Section III).
e) cybersecurity
The Controller, in line with Recital 49 of the GDPR, processes, including through its suppliers (third parties and/or recipients), the Data Subject's personal data related to traffic to the extent strictly necessary and proportionate to ensure network and information security, meaning the ability of a network or information system to resist, at a given level of security, unforeseen events or unlawful or malicious acts that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted personal data.
The Controller will promptly inform Data Subjects if there is a particular risk of their data being breached, without prejudice to the obligations arising from Article 33 of the GDPR concerning notifications of personal data breaches.
The legal basis for such processing is compliance with legal obligations and the Controller's legitimate interest in carrying out processing for the purpose of protecting company assets.
f) profiling
The Data Subject's personal data may also be processed for profiling purposes (such as analysis of transmitted data and selected products, proposing advertising messages and/or commercial offers in line with the choices expressed by the users themselves) exclusively if the Data Subject has provided explicit and informed consent. The legal basis for such processing is the consent given by the Data Subject in advance.
g) fraud prevention
- the Data Subject's personal data, excluding special categories (Art 9 GDPR) or judicial data (Art 10 GDPR), will be processed to allow controls for monitoring and preventing fraudulent payments by software systems that perform automated verification prior to product negotiation;
- failure to pass these controls will result in the inability to complete the transaction; the Data Subject may in any case express their opinion, obtain an explanation, or dispute the decision by stating their reasons to Customer Service;
- personal data collected solely for anti-fraud purposes, unlike data necessary for the correct execution of the requested service, will be immediately deleted at the end of the control phases.

Data processing methods
The processing of personal data is carried out by means of the operations indicated in Art. 4 paragraph 2) and specifically: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data processing is carried out using tools and procedures suitable to ensure their security and confidentiality.
The processing of personal data will be carried out using the following methods:
- manual paper-based
- manual computer-based (without automated decision-making process)

Data dissemination
Without the need for express consent (pursuant to art. 6 letters b) and c)), the Controller may communicate your data for the aforementioned purposes to supervisory bodies, judicial authorities, insurance companies, as well as to those subjects to whom disclosure is mandatory by law for the fulfillment of the stated purposes. These subjects will process the data in their capacity as independent data controllers.
- data will be communicated to the following categories of recipients: external processors who participate in the company process solely to fulfill specific legal obligations and in compliance with contractual obligations, public and private bodies for social security, welfare, and insurance purposes.

Data dissemination to a third country or an international organization
- Personal data will not be transferred to a Third Country or an International Organization.

Nature of data provision and consequences of refusal to respond
The Data Controller is obliged to inform the data subject whether the communication of personal data is a legal or contractual obligation or a necessary requirement for entering into a contract, and whether the data subject is obliged to provide the personal data and the possible consequences of not providing such data.
The provision of data is:
- mandatory
In cases where the provision of data for the indicated purposes is mandatory, the reason for the obligation is due to the execution of a contract or pre-contractual measures.
In cases where the provision of data for the indicated purposes is mandatory, any refusal to provide such data could result in:
- the non-execution of the contract,
- the partial execution of the contract,
- the non-continuation of the relationship,
- the non-provision of services.

Data Retention
The Controller will process personal data for the time strictly necessary to fulfill the purposes mentioned above and, in any case, for no longer than 10 years after the termination of the relationship for Service Purposes.
- The personal data processed will be stored until: 10 years after the termination of the contract.

Data Subject Rights
At any time, the data subject may exercise their rights against the data controller.
Article 13 letter b) of EU Regulation 2016/679 states that when personal data are obtained, the data controller informs the data subject of the existence of the following rights necessary to ensure fair and transparent processing of personal data:
- right of access to data (Art. 15)
- right to rectification of data (Art. 16)
- right to erasure of data (Art. 17)
- right to restriction of data processing (Art. 18)
- right to object to data processing (Art. 21)
- right to data portability (Art. 20).
In addition to the rights referred to in Article 13, the EU Regulation provides that the data subject may exercise additional rights:
- right to withdraw consent (Art. 7)
- right to lodge a complaint with a supervisory authority (Art. 77).
The attached articles specifically address the individual rights of the Data Subject.

Right to withdraw consent (Art. 7)
Article 7, paragraph 3, states that the Data Subject has the right to withdraw their consent at any time in the following cases:
- where processing is based on consent given for the processing of their data for one or more specific purposes (Article 6, paragraph 1, letter a)),
- where processing concerns special categories of personal data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or sex life or sexual orientation) and is based on consent given for the processing of their data for one or more specific purposes (Article 9, paragraph 2, letter a)).
The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Before giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

Right to lodge a complaint with a supervisory authority (Art. 77)
Article 77 states that the data subject, if they consider that the processing concerning them infringes this Regulation, has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement. This is without prejudice to any other administrative or judicial remedy.
The data controller informs the data subject of the possibility of lodging a complaint with a supervisory authority and of pursuing a judicial remedy.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress or the outcome of the complaint, including the possibility of a judicial remedy pursuant to Article 78.
The data subject also has the right to an effective judicial remedy if a supervisory authority does not handle a complaint or does not inform them within three months on the progress or outcome of the complaint lodged. This is without prejudice to any other administrative or judicial remedy.

Methods of exercising the data subject's rights
The data subject may at any time exercise their rights by sending to the Data Controller and/or the Data Processor (where appointed):
- a registered letter with return receipt to: Karma Srl with registered office in Via Venti Settembre 118, 00187 Rome (RM), VAT number 16036661003, Tel. +39 0632092589
- an email to: info@serom.it

The Data Controller