Personal data processing policy

Nielsen Communication S.r.l., with registered office in Via Calderara 9/A – 37138 Verona (VR), tax code and VAT number 03786970230 (hereinafter referred to as “Data Controller”), in its capacity as data controller, pursuant to Art. 13 of Legislative Decree no. 196 dated 30.6.2003 (hereinafter referred to as the “Privacy Code”) and Art. 13 of the EU Regulation no. 2016/679 (hereinafter referred to as “GDPR”), hereby informs you that your data will be processed with the following methods and for the following purposes:

1. Data that will be processed.

The Data Controller processes the personal identification data (for example, first name, surname, company name, address, telephone number, e-mail address, bank and payment details) – hereinafter referred to as “personal data” or even “data” – you have communicated when contracts have been concluded for the services supplied by the Data Controller.

2. Purpose of processing.

Your personal data are processed:

A) without your explicit consent (Art. 24 points a), b), c) of the Privacy Code and Art. 6 points b), e) of the GDPR), for the following purposes:

to conclude contracts for services supplied by the Data Controller;

to meet pre-contractual, contractual and tax obligations deriving from relations with you;

to meet obligations established by law, a regulation, EU legislation or an order of the Authority (anti-money laundering, for example);

to exercise the Data Controller’s rights, for example, the right of defence in court.

B) only subject to your specific and express consent (Art. 23 and 130 of the Privacy Code and Art. 7 of the GDPR), for the following marketing purposes:

sending by e-mail, ordinary post and/or text messages and/or telephone calls, newsletters, commercial information and/or advertising material on products or services offered by the Data Controller and surveys on satisfaction with the quality of services.

Please note that if you are already a customer, we may send you commercial information on the Data Controller’s services and products similar to those you have already used, unless you withdraw your consent (Art. 130, paragraph 4 of the Privacy Code).

3. Methods of processing.

Your personal data is processed using the means indicated in Art. 4 of the Privacy Code and Art. 4 no. 2) of the GDPR and more specifically: collection, recording, organisation, storage, consultation, processing, alteration, selection, retrieval, alignment, use, combination, blocking, disclosure, erasure or destruction of data.

Your personal data will be processed both by printed as well as electronic and/or automated means.

The Data Controller will keep the personal data for the time strictly necessary to fulfil the above purposes and in any case, for a maximum of ten years from termination of the relationship for service purposes and for a maximum of two years from when the data was collected for marketing purposes.

4. Access to data.

Your data may be made accessible for the purposes outlined in Art. 2.A) and 2.B):

to the Data Controller’s employees and collaborators in their capacity as data processors and/or system administrators;

to third party companies or other subjects (including, for example, banks, professional firms, consultants, insurance companies providing insurance services, and so on) that perform outsourcing activities on behalf of the Data Controller in their capacity as external data processors

5. Data disclosure.

The Data Controller may disclose your personal data, with no need for your explicit consent (ex Art. 24 points a), b), d) Data Protection Code and Art. 6 points b) and c) of the GDPR), for the purposes outlined in Art. 2.A), to surveillance bodies (such as IVASS), judicial authorities, insurance companies providing insurance services, and to those subjects to which data must be disclosed by law in order to fulfil the aforementioned purposes.

These subjects will handle the data as independent data controllers.

Your personal data will not be disseminated.

6. Transfer of personal data.

Personal data are stored on servers located within the European Union.

However, if necessary, the Data Controller may transfer the servers outside the EU.

In this case, however, the Data Controller guarantees that data will be transferred outside the EU in compliance with the legislation in force in accordance with the standard contractual clauses required by the European Commission.

7. Provision of personal data and consequences of refusal to give consent.

The provision of personal data for the purposes set out in Art. 2.A) is mandatory.

If these data are not provided, we cannot guarantee the services outlined in Art. 2.A).

The provision of personal data for the purposes set out in Art. 2.B), on the other hand, is optional.

8. Rights of the data subject.

As data subject, you may exercise the rights outlined in Art. 7 of the Privacy Code and Art. 15 of the GDPR and, in particular the right to:

i. obtain confirmation as to whether or not personal data concerning you exist, even if not recorded, and communication of such data in intelligible form;

ii. obtain the following information:

a) the source of the personal data;

b) the purposes and methods of processing;

c) the logic applied to the processing if it is carried out using electronic means;

d) the identification data concerning the data controller, data processors and the representative designated as per Art. 5, paragraph 2 of the Privacy Code and Art. 3, paragraph 1 of the GDPR;

e) the entities or categories of entity to whom or which the personal data may be communicated and who or which may get to know said data in their capacity as designated representative(s) in the State’s territory, data processor(s) or person(s) in charge of the processing.

iii. obtain:

a) updating, rectification or, where interested therein, integration of the data;

b) erasure, anonymisation or blocking of data that have been processed unlawfully, including data whose retention is unnecessary for the purposes for which they have been collected or subsequently processed;

c) certification to the effect that the operations as per points a) and b) have been notified, as also related to their contents, to the entities to whom or which the data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected.

iv. object, in whole or in part:

a) on legitimate grounds, to the processing of personal data concerning you, even though they are relevant to the purpose of the collection;

b) to the processing of personal data concerning you where it is carried out for the purpose of sending advertising materials or direct selling or else for the performance of market research or commercial communication surveys performed through automated contact means without an operator (e-mail) as well as traditional methods of marketing (paper mail, operator-assisted phone calls).

It should be noted that the right to object of the interested party, set out in point b) above, for direct marketing purposes through automated methods extends to traditional ones and that in any case, the possibility remains for the data subject to exercise the right to object even only partially.

Therefore, the interested party can decide to receive communications using only traditional methods or only automated communications or neither of the two types of communication.

Where applicable, you also have the rights referred to in art. 16-21 of the GDPR (Right to rectification, right to be forgotten, right to restriction of processing, right to data portability, right to object), as well as the right to lodge a complaint with the Supervisory Authority.

9. How to exercise your rights.

You can exercise your rights at any time by sending:

a registered letter with acknowledgment of receipt to NIELSEN COMMUNICATION SRL – Head Office in Verona – Via Calderara 9/A – 37138 (VR);

an e-mail to eb@nielsen.it

10. Data controller, data processor and persons in charge.

The Data Controller is Nielsen Communication S.r.l. with registered office in Via Calderara 9/A – 37138 Verona (VR).

An updated list of data processors and persons in charge is kept at the registered office of the Data Controller.