HOW WE USE YOUR DATA

(Art. 13 of EU Regulation 2016/679)
INF01 – v.03 of 18/01/24

Dear Customer,
We would like to provide you with information regarding the methods and purposes of the processing of your personal data. Regulation (EU) 2016/679 on the “protection of natural persons with regard to the processing of personal data and on the free movement of such data” (hereinafter, the “Regulation” or “GDPR”) establishes rules to ensure that personal data is processed in compliance with fundamental rights and freedoms. This privacy notice reflects those provisions.
Pursuant to Article 13 of Regulation (EU) 2016/679, we inform you as follows.

1. Data Controller

The Data Controller is Difass International S.p.A. (hereinafter “Difass”), represented by its legal representative pro tempore, Tax Code/VAT No. 02172260974, with registered office in Coriano (RN), Via Ausa 5, 47853, Italy.

2. Nature and Provision of Data

The provision of your personal data to Difass is necessary for the establishment and management of the contractual relationship. Therefore, failure to provide the required data will make it impossible to establish or continue such relationship.

3. Purposes of Processing

Your personal data will be processed for the following purposes:

  1. General accounting and VAT management. This includes recording accounting and VAT transactions, as well as their storage, archiving and retention in both paper and digital format.
    Retention period: 10 years from the date of entry in mandatory accounting records.
  2. Active invoicing. This includes the preparation and issuance of quotations, contracts, orders, delivery notes, mandates, fee notices and invoices.
    Retention period: 10 years from the date of entry in mandatory accounting records.
  3. Transmission of collection statements and bank advances. This includes submitting bank collection lists (RIBA and RID).
    Retention period: until all civil law effects related to the contractual relationship have expired, in accordance with statutory limitation periods.
  4. Debt collection management. This includes activities related to the recovery of outstanding receivables.
    Retention period: until all civil law effects related to the contractual relationship have expired, in accordance with statutory limitation periods.
  5. Customer management. This includes the collection and management of personal data relating to customers.
    Retention period: in accordance with legal requirements and in the company’s interest in managing any disputes.

4. Legal Basis for Processing

Difass processes your personal data lawfully.

  • Processing activities 1, 2, 3, 4, and 5 are necessary for the performance of a contract to which you are a party.
  • Processing activity 1 is also necessary to comply with legal obligations.
  • Processing activities 3, 4, and 5 pursue the legitimate interests of the Data Controller.

The Data Controller will process your personal data only to the extent necessary for the purposes described above, in compliance with applicable data protection laws.

5. Methods of Processing

Your personal data, as a data subject, includes in particular:

  1. Name, surname, tax code, VAT number, address, email address, telephone number.

    Category: Identification data – Personal data: common
    (Processing activities 1, 2, 3, 4, 5)

  2. Economic and financial data.

    Category: Economic data – Personal data: common
    (Processing activities 1, 2, 3, 4)

These data will be processed with a high level of security, always in accordance with current standards. All protection measures required by data protection legislation and applicable regulations, as well as those defined by the Data Controller, are implemented.
Data will be processed by the following authorised categories:

  • Authorised personnel:
    • COO (Processing: 1, 2, 3, 4, 5)
    • Deputy CEO – Commercial Strategy (Processing: 5)
    • Head of Administration (Processing: 1, 2, 3, 4, 5)
    • Executive Secretariat Manager (Processing: 1, 2, 3, 4, 5)
    • Board of Statutory Auditors and Auditors (Processing: 1, 2, 3, 4, 5)
    • Supervisory Body (Processing: 1, 2, 3, 4, 5)
    • Administrative Staff (Processing: 1, 2, 3, 4, 5)
    • Logistics Manager (Processing: 2, 5)
    • Logistics Staff (Processing: 2, 5)
    • Quality Control Manager (Processing: 2, 5)
    • Quality Control Staff (Processing: 2, 5)
    • Senior Agents Coordinator (Processing: 5)
    • Marketing Director Italy (Processing: 5)
    • Marketing Staff Italy (Processing: 5)
    • Commercial & Dynamic Coordinator (Processing: 5)
    • Italy Licensing (Processing: 5)
    • International Licensing (Processing: 5)
    • Commercial Secretariat (Processing: 5)


6. Data Communication and Transfer

Your data may be communicated, in addition to the above-mentioned parties, to further categories of recipients where necessary and consistent with the legal basis of processing, including:

  • Legal advisors or accountants who provide services relevant to the above purposes;
  • Banking and insurance institutions that provide services relevant to the above purposes;
  • Entities processing data to comply with legal obligations;
  • Judicial or administrative authorities, for the purpose of complying with legal obligations.

Your data will not be transferred to third countries or international organisations. However, the Data Controller may use cloud services; in such cases, providers will be selected among those offering adequate guarantees in accordance with Article 46 of the GDPR.

7. Automated Decision-Making and Profiling

No automated decision-making processes, including profiling, are carried out that produce legal effects concerning you or significantly affect you.

8. Data Subject Rights

As a data subject, you are entitled to the rights set out in Sections 2, 3 and 4 of Chapter III of Regulation (EU) 2016/679 (e.g. the right to request access to your personal data, rectification or erasure of such data, restriction of processing, and to object to processing).
In particular, you have the right to:

  • obtain confirmation from the Data Controller as to whether or not personal data concerning you is being processed and, where that is the case, access to the personal data and the information provided for in Article 15 of Regulation (EU) 2016/679;
  • obtain from the Data Controller the rectification of inaccurate personal data concerning you;
  • obtain the erasure of personal data concerning you where such data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, or where the conditions set out in Article 17 of Regulation (EU) 2016/679 apply, provided that the exceptions referred to in Article 17(3) do not apply;
  • obtain restriction of processing where:
    1. you contest the accuracy of the personal data, for a period enabling the Data Controller to verify the accuracy of the data;
    2. the processing is unlawful but you oppose the erasure of the personal data and request the restriction of their use instead, or request that the data be processed for the establishment, exercise or defence of legal claims;
  • receive the personal data concerning you in a structured, commonly used and machine-readable format and, where applicable, request that such data be transmitted directly to another data controller;
  • object to the processing of personal data concerning you where the conditions set out in Article 21(2) of Regulation (EU) 2016/679 apply;
  • lodge a complaint with a supervisory authority.

For the exercise of the above rights, you may contact:

9. Data Retention

The personal data you provide will be processed for the purpose of performing the agreed service and will be retained for the time necessary to fulfil that purpose and, subsequently, for the period during which the Data Controller is subject to retention obligations for tax or other purposes required by applicable laws or regulations.
Data may be stored by means of:

  • storage within the hardware systems of the Data Controller or its data processors