We inform you that your personal and sensitive data that have been collected to perform the activities as listed below will be processed in compliance with EU Regulation 679/2016, as follows:
1. DATA CONTROLLER
The Company MANSUTTI S.p.A. (Tax code/VAT no. 08743920152) with registered office in Milan, Via Fabio Filzi 27, as controller of the processing of your personal data, even of a sensitive nature (like your health information and judicial proceedings in the event of a claim), will process the data collected from you in accordance with the purposes and in the manner described below. In compliance with EU Regulation 679/2016, the Data Controller specifies the methods of processing, including the security measures adopted and the methods for disclosing your collected data to third parties.
To exercise your rights, as well as for more detailed information about the parties or categories of parties to whom the data are disclosed or who become aware of them as processors, you can contact MANSUTTI S.p.A. Via Fabio Filzi 27 - 20124 MILAN. tel. 02.85571.
2. CATEGORIES OF PROCESSING
In accordance with the provisions of Recommendation R (2002) 9 of the Council of Europe, the data controllers identified above will process your personal and sensitive data for the following purposes:
a) execution of the legal obligations deriving from the Contract of which you are a beneficiary, including any case in which you may appear as an insured or damaged third party;
b) collection of premiums and presentation of other invoices;
c) resolution of disputes regarding compensation or payment of other benefits;
f) prevention, detection and/or prosecution of insurance fraud;
g) recognition, exercise or defence of a right in court;
h) fulfilment of other specific legal or contractual obligations;
i) surveys of new insurance markets;
j) statistical and aggregate surveys for the development of new insurance products;
k) internal management activities, including "intragroup" activity, where applicable;
l) actuarial activities.
3. ACCESS TO DATA
In accordance with the Privacy Authority Provision of 26 April 2007 "Exemption from the requirement to provide notice in the insurance field (so-called insurance chain)", your data may be disclosed to the following parties:
a) insurers, co-insurers and re-insurers; agents, sub-agents, insurance and re-insurance brokers, producers and other channels for acquiring insurance contracts; banks, asset management companies, S.I.M.; lawyers; claims assessors; doctors; mechanics; dealers; vehicle demolition centres;
b) payments services; service companies entrusted with the management, settlement and payment of claims, including assistance operations centres, consultancy companies for judicial services, affiliated clinics; IT and telematic or archiving service companies; postal service companies (for transmission, mailing, transport and sorting of communications to customers); auditing and consulting firms; commercial information companies for financial risks; service companies for fraud control; debt collection companies;
c) Group companies (subsidiaries, associates as well as the parent company and its respective subsidiaries and directly and indirectly associated companies pursuant to current law) which, in compliance with the provisions of EU Regulation 679/2016, have adopted group policies and guidelines for sharing personal and sensitive data;
d) ANIA (National Association of Insurance Companies); associations and consortia of the insurance sector including: consortium for the Direct Compensation Convention (CID), Italian Central Office (UCI S.c.a.r.l.), CONSAP (Public Insurance Services Concessionaire), IVASS (Institute for Insurance Supervision), Ministry of Infrastructure - Civil motorisation and transport concessions; INAIL; Ministry of Labour and Social Security; Entities managing compulsory social insurance like INPS, INPDAI, INPGI, etc.; Ministry of Economy and Finance - Tax Registry; Agricultural consortia for defending against hail and other natural events; Judiciary; Law Enforcement (State Police, Carabinieri, Guardia di Finanza, Firefighters, Municipal Police), other parties or databases to which the disclosure of data is mandatory.
4. DURATION OF THE PROCESSING
The parties specified above will process your personal data for the entire duration of the contractual relationship, and in any case for a period of 10 years after the conclusion of the contract.
5. RIGHTS OF THE DATA SUBJECT
In accordance with the provisions of Chapter III, Section I, GDPR, you may exercise the rights specified therein, and in particular:
Right of access - Obtain confirmation that your personal data are being processed, and if so receive information relating in particular to: purposes of the processing, categories of personal data processed, storage period, recipients they can be disclosed to (article 15, GDPR);
Right of rectification - Without unjustified delay, obtain the correction of inaccurate personal data concerning you, and the completion of incomplete personal data (article 16, GDPR);
Right of erasure - Without unjustified delay, obtain the erasure of personal data concerning you, in the cases envisaged by the GDPR (article 17, GDPR);
Right of restriction - Obtain the restriction of processing by the Data Controller, in the cases envisaged by the GDPR (article 18, GDPR);
Right to portability - Receive your personal data that have been provided to the Data Controller in a structured, commonly used format that is readable by an automatic device, as well as their transmission to another data controller without impediment in the cases envisaged by the GDPR (article 20, GDPR);
Right to object - Object to the processing of your personal data unless there are legitimate reasons for the Joint Controllers to continue with the processing (article 21, GDPR);
Right to lodge a complaint with the supervisory authority - Lodge a complaint with the Personal Data Protection Authority, Piazza di Montecitorio 121, 00186, Rome (RM).
6. SECURITY MEASURES ADOPTED
Your data will be processed using the best IT or telematic systems available on the market, subject to high security standards against accidental loss of data, employing disaster recovery systems as well as data breach management procedures as required by current law.
In compliance with art. 25 ("Data protection from design and protection by default"), 32 ("Security of processing"), 35 ("Data protection impact assessment") and 36 ("Prior consultation") of EU Regulation 679/2016, the Data Controller has adopted a data security planning programme concerning both the design and the management of the processing of personal data, including sensitive data provided by you, providing for the appointment of a DPO.
We therefore inform you that your data will be processed both on computers and on paper, and in particular your sensitive data will be processed separately with respect to your personal data so that the former will not be made immediately intelligible except through the observance of some technical specifications and credentials that allow access only to certain categories of expressly authorised parties.
7. LIST OF DATA PROCESSORS
The Data Controller has appointed some companies that manage the data in the name and on behalf of the Data Controller as external data processors. The list of Data Processors is held by the DPO, who you can contact for further clarifications.
8. DISCLOSURE OF YOUR DATA TO NON-EU PARTIES
Having adopted development policies based on outsourced technological infrastructure, including “cloud computing”, we inform you that it is possible that the Data Controller will transfer your personal data abroad, even to non-EU countries. However, in such a case this will only occur where strictly necessary and in any case only pursuant to and for the purposes of arts. 44, 45 and 46 of the GDPR and therefore after verifying that in the state in question there is specific legislation that guarantees a level of protection of personal data equivalent to the level envisaged by Reg. EU 679/2016.
9. RIGHT TO DATA PORTABILITY
In accordance with article 20 of EU Regulation 679/2016, you have the right to request that your personal data be saved on an electronic medium, even if managed in an automated manner, and to request MANSUTTI S.p.A. to transmit your data directly to a third party specified by you, without prejudice to your right to be forgotten (i.e. the erasure of your data from the MANSUTTI S.p.A. database).
10. DATA PROTECTION OFFICER CONTACT (DPO)
Pursuant to article 37 and following of EU Regulation 679/2016, we inform you that the Data Controller has appointed a Data Protection Officer for the data managed. You may make any request regarding access to your personal data, their rectification, erasure, objection to processing or portability by sending written notice to the following contact:
MANSUTTI S.p.A.: firstname.lastname@example.org
11. POSSIBILITY OF LODGING A COMPLAINT WITH THE PRIVACY AUTHORITY
We inform you that in any case, in the event of an alleged infringement of the rights guaranteed to you by EU Regulation 679/2016, you may lodge a complaint with the authorities having jurisdiction, including the Privacy Authority.