General privacy
INFORMATION ON THE PROCESSING OF PERSONAL DATA OF NATURAL PERSONS
PURSUANT TO ART. 13 – 14 REG. (EU) 2016/679 – GDPR
Also in consideration of future regulatory changes or new processing put in place by the Data Controller, the information below may be subject to changes and additions.
We therefore advise you to visit this page periodically.
TABLE OF CONTENTS
1. Privacy policy for customers, potential customers, suppliers.
2. Privacy policy for job applicants.
3. Privacy policy for web users (please refer to the privacy policy on the website www.hbigroup.it)
1. Document creation date (last updated): January 16, 2025
Interested recipients of the document: customers, potential customers, suppliers.
DATA CONTROLLER. HBI Srl with registered office in Via A. Volta No. 13/A – 39100 Bolzano (BZ) and operating office in Via Tasca No. 1 – 31059 Zero Branco (TV), with VAT No. 02439010220. Email: info@hbigroup.it
PURPOSE OF PROCESSING AND CATEGORIES OF DATA. (1) The Controller processes common data of the data subject (e.g., first name, last name, residence, date and place of birth, company name, registered office, VAT number, any other common and not “sensitive” data) for pre-contractual and/or contractual needs, including administrative, accounting purposes as well as any other aspect related to the pre-contractual and/or contractual phase of the relationship; (2) The Controller processes common data of the data subject for the fulfillment of legislative obligations provided for by national, European or supranational legislation. (3) The Controller processes common and non-common data of the data subject for the establishment, exercise and/or defense of the Controller’s rights in extrajudicial as well as judicial proceedings. (4) The Controller processes common data of the data subject for sending advertising material or commercial communications, offers and promotions, direct sales, or for carrying out market research or opinion polls (these activities, taken together, are defined as “Direct Marketing activities”).
LEGAL BASIS. With reference to point (1), the data provided by the data subject will be processed on the basis of Art. 6 par. 1 lett. b) GDPR i.e. for the execution of pre-contractual or contractual measures taken at the request of the data subject. With reference to point (2), the legal basis lies in the fulfillment of a legal obligation to which the Data Controller is subject (Art. 6 par. 1 lett. c) GDPR). With reference to point (3), the legal basis lies in the legitimate interest of the Data Controller (Art. 6 para. 1 lit. f) of the GDPR). Indeed, should a dispute/litigation/concern arise between the data subject and the Data Controller, the latter will be entitled to process the data subject’s data in order to assert its claims. With reference to point (4), the legal basis lies: i) in the optional consent of the data subject (art. 6 par. 1 lett. a) GDPR); ii) in art. 130 par. 4 new Privacy Code, but only in the case of processing by e-mail and for sending communications concerning services similar to those already sold to the Customer; iii) in the legitimate interest ex art. 6 par. 1 letter f) (in combination with Recital No. 47 GDPR) when the data subject expects such processing by the Controller and this does not infringe on his rights and freedoms (for more information on this legal basis, please contact the Controller at the above address).
TERMS OF DATA RETENTION. With reference to point (1), with regard to the potential customer, in the case of provision of data in the absence of subsequent conclusion of the contract, his data will be retained until the reasons that justified its processing cease to exist (e.g., having carried out the relevant administrative formalities, the data will be deleted). On the other hand, as far as the potential supplier is concerned, in the case of objective disinterest on the part of the owner about the quote, his data will be deleted immediately; on the contrary, in the case of quotes that are “interesting” but not necessary at the time of submission, the potential supplier’s data will be retained for one year, and this is to assess the appropriateness of subsequent contracting. Ultimately, whether customer or supplier, in the case of contract stipulation, the maximum data retention period will be 10 years from the conclusion of the effects of the contract, and this is for needs related to accounting management and legal protection to which the owner is obligated by law. With reference to point (2), the retention period depends on the standard applied by the Controller at the time of processing. With reference to item (3), the Controller retains the data of the data subject for this purpose only if there is a reasonable likelihood of having to take legal action. With reference to item (4), (i) in the case of consent, the data will be retained for this purpose until consent is withdrawn as per Article 7 GDPR. Revocation of consent does not affect the lawfulness of the processing based on the consent before revocation; ii) – iii) on the other hand, in the case of processing carried out pursuant to Art. 130 para. 4 new Privacy Code and Art. 6 para. 1 lett. f) the data will be retained for this purpose until the objection under Art. 21 GDPR by the data subject, to be asserted from the beginning of the processing or during its protraction.
OBLIGATORY OR NOT TO PROVIDE THE DATA: CONSEQUENCES. With reference to point (1), the interested party is not obliged to provide the data, although failure to provide all or even some of the requested data will not allow the conclusion of the contract and/or its execution. With reference to points (2) and (3), the provision of data is obligatory as required by specific legislative provisions. In reference to point (4), the provision of personal data for this purpose is not mandatory, although in the case of failure to provide data in order to receive communications on marketing, the interested party will not be able to collect more information on the activities and services that the Owner performs.
DISSEMINATION AND COMMUNICATION OF DATA. Data will not be disseminated but communicated to subjects formally appointed as data processors (such as employees or collaborators of the data controller) or designated as data processors (such as the accountant, software house, IT technician, other). For more information about these individuals, please contact the Controller at the above address. In order to comply with contractual and/or regulatory obligations, the data subject’s data may be disclosed to (i) banking institutions for the fulfillment of payment obligations arising from the contract; (ii) insurance institutions in the case of accidents; (iii) public entities where required by law; (iv) Lawyers, Law Enforcement, Judicial Authorities in the case of wrongdoing, breach of contract, other legally relevant fact related to the data subject or to the Data Controller itself.
METHODS OF PROCESSING. In general, data will be processed using computerized and/or traditional methods and procedures. In particular, with reference to point (4), communications having as their object “marketing” are carried out through “automated” systems (for example, by email, fax, text message, telephone calls without the aid of an operator, social networks, interactive applications, push notifications) and/or through “traditional” systems (such as, for example, by paper mail and/or calls with an operator). It should be noted that the consent collected for the performance of processing by “automated systems” legitimizes the Data Controller to use the same data also for the performance of communications by “traditional systems.” In any case, the data subject has the right to object to any unwanted mode of processing (for example, by expressing his or her wish to receive only email communications). In the case of the processing of sending communications carried out by telephone operator, such processing is precluded with respect to the data subject who was registered in the Register of Oppositions.
TRANSFER OF DATA TO COUNTRIES OUTSIDE THE EU. The Data Controller undertakes not to transfer the personal data of the data subject to countries outside the EU. In the case of transfers, the Controller guarantees the application of the rules set forth in Articles 44 et seq. of the GDPR.
RIGHTS OF THE DATA SUBJECT. The data subject has the right to ask the data controller for access to their personal data, i.e., to know what data the data controller processes (Art. 15 GDPR); to obtain rectification, i.e., the right to have their data changed if they have changed (Art. 16 GDPR); to restriction of processing concerning them, i.e., to limit the data controller’s use of the data (Art. 18 GDPR); to object, on legitimate grounds, to their processing (Art. 21 GDPR); to data portability, i.e., the right to receive all personal data processed by the data controller in a structured, machine-readable format (Art. 20 GDPR); to request the deletion of one’s own data from the data controller (Art. 17 GDPR); to revoke at any time the explicit consent previously given, without affecting the lawfulness of the processing carried out up to that moment (Art. 7 – 13 GDPR); to lodge a complaint with the Data Protection Authority in case of violations of the regulations (Art. 77 GDPR).
For any information or to exercise the rights listed in this policy, please contact the above email address.