PRIVACY POLICY ON THE PROCESSING OF PERSONAL DATA
INFORMATION ON THE PROCESSING OF PERSONAL DATA
Pursuant to Articles 13 and 14 of EU Regulation 2016/679 (GDPR) and subsequent amendments
Customer Information Form – 29/04/2025
With this document, AEP Allestimenti Speciali S.r.l. wishes to inform you that the processing of personal data provided will be carried out lawfully and transparently, for legitimate purposes, while safeguarding confidentiality.
IDENTITY AND CONTACT DETAILS OF THE DATA CONTROLLER
The Data Controller (hereinafter also referred to as the “Controller” and/or the “Company”) is AEP Allestimenti Speciali S.r.l., with registered office in Flero (BS), Via S. Desiderio 17, Tax Code and VAT No. 01619850173, R.E.A. BS – 253145, reachable, in addition to the above-mentioned registered office, at the following contacts:
- Phone: +39 0302680617
- Dedicated email for privacy: privacy@aepbs.it
TYPE OF DATA SUBJECT TO PROCESSING
The following data will be processed by the Controller:
- Contact details of natural persons, such as your employees and/or collaborators when appointed as contacts, necessary for the correct management of the ongoing relationship, including, where necessary, the data of the legal representative of the client as a legal entity.
PURPOSES OF DATA PROCESSING
The personal data provided will be processed for the following purposes:
- To execute pre-contractual and contractual measures necessary to provide the requested services.
LEGAL BASIS OF PROCESSING
For the purposes outlined in section 3.1 (so-called “Contractual and Pre-Contractual Purposes”), the legal basis for processing is Article 6, paragraph 1, letter (b) of Regulation 679/2016 – performance of a contract.
METHODS OF DATA PROCESSING
Processing will be carried out using electronic, IT, and paper-based tools.
In accordance with the Regulation, the processing carried out by the Controller will adhere to the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, integrity, and confidentiality.
Data will always be processed with the utmost respect for confidentiality, including when handled by third parties explicitly appointed by the Controller.
Data will not be subject to any automated decision-making processes or profiling.
DATA RETENTION PERIOD
The retention period for personal data begins at the moment it is provided. Personal data will be retained for the time necessary to fulfill the purposes for which it was collected or for periods required by national and EU laws, regulations, and provisions applicable to the Controller.
In particular:
- Where data cannot be separated from contractual, accounting, and tax obligations, the retention period, in compliance with current regulations and in relation to the statutory limitation period for rights arising from the service, is 10 years; data will be retained for this period.
- Where data can be separated from contractual, accounting, and tax obligations, they will be retained only for the time strictly necessary for the purpose for which they were collected, and in any case no longer than 2 years from the completion of the service provided by the Controller.
If legal claims arise, personal data necessary for such purposes will be retained for the duration required to achieve the objective.
At the end of this period, the Controller will irreversibly delete data using secure deletion or destruction methods, or retain it in anonymized form, which cannot, even indirectly, identify individuals, in accordance with technical deletion and backup procedures.
Data obsolescence checks will be carried out periodically in relation to the purposes for which data were collected.
RECIPIENTS OF PERSONAL DATA
Data processing will be carried out by the Controller and its employees and/or collaborators authorized to process data, as well as by appointed Data Processors, all specifically identified in writing, within the scope of their functions and according to the Controller’s instructions, which ensures appropriate security measures.
Personal data may be communicated to recipients whose activity is necessary to execute the contractual relationship and/or to comply with legal obligations. Possible categories of recipients include:
- Subjects processing data under specific legal obligations;
- Internal and/or external consultants or suppliers providing services related to contractual purposes;
- Software and hardware support companies, including management, cloud, or similar providers;
- Banks, financial companies, and other credit intermediaries providing services related to the contractual purpose;
- Companies or professionals for the judicial or extrajudicial protection of the Controller’s rights;
- All public and private entities for whom disclosure is necessary to properly fulfill the above purposes and/or contractual obligations.
Some of these recipients may act independently as separate Data Controllers or as Data Processors appointed by the Controller pursuant to Article 28 GDPR.
An updated list of Data Processors may always be requested from the Data Controller.
DATA DISSEMINATION
Except in the case of your explicit written request or a legal obligation, personal data provided will not be disseminated.
DATA TRANSFER ABROAD
Data collected will not be transferred by the Controller to countries outside the European Economic Area (EEA) or to international organizations.
Some personal data may be shared with recipients outside the EEA. If such transfer occurs, the Controller ensures that it is carried out in compliance with applicable law, using adequate safeguards such as adequacy decisions, Standard Contractual Clauses approved by the European Commission, or other legal instruments.
PHYSICAL STORAGE LOCATION OF PAPER AND DIGITAL DATA
Personal data will be stored by the Controller in paper archives at the registered office and in IT and telematic environments located within the European Economic Area.
DATA SUBJECT RIGHTS
Under the GDPR (Articles 15–22), data subjects have the right to obtain:
- Confirmation of whether their personal data is processed (access);
- Their personal data in an intelligible form;
- Correction, deletion, restriction, or objection to the processing;
- Withdrawal of consent at any time;
- Data portability for data subject to specific consent;
- Update of their personal data.
Data subjects also have the right to know the source, purpose, methods, logic, and recipients of their data, and to request anonymization, restriction, or blocking of unlawful data. Complaints regarding unauthorized processing can be submitted to the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) at www.garanteprivacy.it.
Requests to exercise these rights can be addressed to the Controller at the contacts indicated above, using the Authority’s model available at: Garante Privacy Form.
NATURE OF DATA PROVISION AND CONSEQUENCES OF REFUSAL
While only data strictly necessary for the purposes indicated are required, some data are essential for establishing the contractual relationship.
In cases where data provision is required by law or contract (section 3.1), refusal to provide data, in whole or in part, would prevent the Controller from executing the contract and constitute unlawful processing.
COMPLAINT TO THE DATA PROTECTION AUTHORITY AND RIGHT TO WITHDRAW CONSENT
Data subjects may lodge a complaint with the Authority as described on www.garanteprivacy.it and, where consent was expressly given, may withdraw it at any time as easily as it was provided, via email or registered letter to the registered office (contacts in section 1).
PROVISION OF THIS INFORMATION TO INVOLVED PARTIES
If, for the reasons described in section 2.a, data of your employees, partners, directors, or contacts are also processed, please provide them with this privacy information.
