WEBSITE PERSONAL DATA PROCESSING POLICY

www.hbigroup.it

Art. 13 – 14 REG. (EU) 2016/679

Document creation: January 8, 2025

WEBSITE DISCLOSURE MOD. 1

For any clarification, information, exercise of the rights listed in this policy, please take contact with email: info@hbigroup.it

The interested party is requested to indicate in the subject line of the communication: “Website Privacy Request”

The policy below may be subject to change as a result of the introduction of new regulations or as a result of changes to the website, so please visit this section periodically for updates.

GENERAL INFORMATION ABOUT REG. (EU) 2016/679. European Regulation No. 679 of 2016 establishes rules to protect and safeguard natural persons with regard to the processing of their personal data. This privacy policy refers exclusively to the website listed in the epigraph. Third-party websites or any web pages that can be accessed through this website are not covered by this policy: the Data Controller disclaims any responsibility for them. According to the law, the processing of personal data is governed by the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality of the data subject as well as the protection of his/her rights: the Data Controller undertakes to observe the aforementioned principles and, also for this purpose, informs the data subject from the outset that, with the exception of those processing operations to which the law provides for his or her explicit consent, by browsing this website, uploading or providing personal data, the data subject accepts and agrees to be bound by the terms and conditions set out in this notice.

DATA CONTROLLER – Art. 24 GDPR. The Data Controller (or only Controller) is the natural or legal person, public authority, service or other body which, individually or jointly with others, determines the purposes and means of the processing of personal data. It is, moreover, the one who is in charge of security profiles. With regard to the processing of personal data of the data subject carried out through this website, the Data Controller is:

HBI Ltd.

OPERATIONAL HEADQUARTERS:
Via Tasca 1, 31059 Zero Branco (TV)

LEGAL HEAD OFFICE:
Via Volta 13/A, 39100 Bolzano (BZ) c/o NOI Techpark

VAT NUMBER: 02439010220

Email info@hbigroup.it

For any clarification or exercise of the rights pertaining to the interested party, the addresses already indicated may be contacted.

DATA SUBJECT TO PROCESSING – art. 4 paragraph 1 letter a) GDPR. A “data subject” is the natural person, identified or identifiable, to whom the personal data refer. This is, in short, the person who gives the Data Controller his/her personal data and who, therefore, is protected and safeguarded by the aforementioned European Regulation. With respect to this website, the data subject is the user, i.e. the natural person who performs browsing activities.

DATA OF CHILDREN UNDER 14 YEARS OF AGE. This website does not offer direct services to individuals under the age of fourteen. The Data Controller is not responsible for the possible collection of data from such individuals, as this responsibility remains with the holders of parental responsibility for lack of supervision. In any case, if the Data Controller believes that some data unintentionally collected relates to individuals under the age of fourteen, it will proceed without delay to destroy the same.

PURPOSE OF THE PROCESSING AND CATEGORIES OF DATA PROCESSED- art. 13 par. 1 lett. c) GDPR. In addition to browsing data, the Data Controller for the performance of the processing uses only the data strictly necessary, which are marked with an asterisk symbol (*) in the appropriate compilation spaces on the website. The data provided will be used only and exclusively to achieve the purposes referred to in the following points (by way of example: the data provided to request information on the activity carried out by the Controller will be used only to respond to the request and not for different purposes, except with the consent of the interested party or legitimate interest of the Controller to use the data for different purposes).

Listed below, according to purpose, are the reasons and grounds for which the Controller processes the user’s personal data.

(1) To enable navigation on the website.

By simple browsing, no identifying data will be collected. However, for the purpose of normal operation of the website it is possible that the computer system acquires certain information whose transmission is implicit in internet communication protocols (e.g. log files, IP internet protocol address). In addition, through the use of cookies, information will be collected that the user does not directly provide. This is, in any case, information that is not collected for the purpose of making an association with identified data subjects, but which nevertheless, given its very nature, could allow third parties to identify the user, through processing and association with other data already in their possession. Cookie disclosure. Information on cookies and automated systems similar to cookies is made available to the user by clicking on the appropriate link called “COOKIE POLICY” on the website (see cookie policy also posted at the end of this).

(2) To respond to requests for information.
The website contains the contact details of the Data Controller (for example: email, registered office, landline, cell phone, WhatsApp contact, other possible). The user who uses these contact details to collect information about the activity of the Controller, provides the Controller with his personal data (such as first name, last name, biographical data, WhatsApp image), which will be processed by the Controller exclusively to evade to the request for clarification, doubts, other concerning the execution of pre-contractual or contractual measures.

(3) To fulfill legislative obligations.

The data provided by the data subject will be used to fulfill legislative obligations under national, European or supranational legislation.

(4) For the purpose of ascertaining, exercising or defending rights.

The data provided by the data subject will also be processed, if necessary, for the establishment, exercise or defense of the Holder’s rights in extrajudicial and/or judicial proceedings.

(5) For sending advertising communications (referred to as “Direct Marketing” or “Newsletter”).
The information referred to in this point 5) will apply whenever, in the course of browsing the website, the user is asked to provide his/her data and consent for the receipt of “Direct Marketing” or “Newsletter” communications. By giving consent to the performance of such processing, the user may receive, from the Data Controller, advertising material or commercial communications, offers and promotions, direct sales communications or for the performance of market research or opinion polls (henceforth, collectively referred to as “direct marketing” or “Newsletter” activities). The purpose of the processing is to carry out “direct marketing” activities towards the user.

(6) For purposes of responding to requests for information made by the user through the appropriate contact form. The user’s data (for example: name, email, telephone, other) provided by filling out the above form will be processed by the Owner only for the purpose of processing the specific request.

(7) For purposes of screening a job application. (“Collaborate with us). The applicant’s personal data, such as first name, last name, email, telephone, educational background, social security number, even data referable to a minor of age, will be processed for recruitment, selection, and personnel evaluation purposes. Sensitive data (see Art. 9 para. 1 GDPR) will be processed only if strictly necessary. In contrast, judicial data (see Art. 10 GDPR) will be processed only under the control of the Judicial Authority. In case the candidate also provides the Controller with his/her public social network profile (such as that of Facebook, Instagram, Linkedin, other), the data published therein will be processed by the Controller only where they are necessary and relevant for the performance of the job service to which the candidate’s application is addressed (example: if the candidate was applying as a social media manager and possessed a social-social profile useful for promoting his/her aptitudes/skills, then the Controller may lawfully process the aforementioned data). No social profile (not even public) used by the data subject for mere private purposes will be considered by the Data Controller, so please do not include such information in your CV.

LEGAL BASIS – art. 13 par. 1(c) GDPR. The numerical order above is followed.

(1) Depending on the case, the legal basis could lie in consent pursuant to Art. 6 para. lett. a) GDPR or Art. 22 GDPR (see Cookie Policy) or on legal obligations and/or legitimate interests of third parties (Art. 6 para. 1 lett. c) and f) GDPR) (see processing carried out by law enforcement agencies for purposes of justice).

(2) The legal basis lies in the execution of pre-contractual or contractual measures taken at the request of the data subject (Art. 6 para. 1 (b) GDPR).

(3) The legal basis for such data processing lies in the fulfillment of a legal obligation to which the Data Controller is subject (Art. 6 para. 1(c) GDPR).

(4) What legitimizes such processing is the legitimate interest of the Data Controller (Art. 6(1)(f) GDPR). In fact, if a dispute/litigation/concern arises between the data subject and the Controller, the Controller will be legitimized to process the data subject’s data in order to enforce its reasons.

(5) The legal basis resides:

(i) in the (optional) consent ex art. 6 par. 1 lett. a) GDPR of the data subject;
(ii) in art. 130 paragraph 4 new Privacy Code, but only in the case of processing by e-mail and for sending communications concerning services similar to those already “sold” to the Customer;

(iii) in the legitimate interest under Art. 6 para. 1(f) (in combination with Recital No. 47 GDPR) when the data subject expects such processing by the Controller and it does not infringe on his or her rights and freedoms.

(6) The legal basis lies in the execution of pre-contractual or contractual measures taken at the request of the data subject (Art. 6 par. 1(b) GDPR).

(7) The processing is lawful insofar as it is carried out for the execution of pre-contractual measures taken at the request of the data subject (pursuant to Art. 6 par. 1 letter B – GDPR). In fact, the sending of one’s CV or other data pertaining to one’s professional-employment sphere, and the consequent screening of the profile by the Data Controller, is intended to determine whether or not an employment relationship is established. In any case, the consent at the foot of the CV will have to be issued in case the data subject decides to provide the Data Controller with data of a sensitive nature as well (see Art. 9 par. 1 GDPR) . (You are asked to indicate at the bottom of your CV the following: “I also give my explicit consent to the processing of sensitive data” with the date and signature of the applicant).

PERIOD OF DATA STORAGE – art. 13 par. 2 lett. a) GDPR. The numerical order above is followed.

(1) Except as discussed regarding cookies or other cookie-like tools, this Owner does not retain any data potentially provided through simple browsing.

(2) The data of the data subject will be kept for the time necessary to carry out the service of issuing information: after this period has expired, the data will be deleted.

(3) The retention period dependent on the standard applied by the Owner at the time of processing.

(4) The Data Controller shall retain the data of the data subject for this purpose only if there is a reasonable likelihood of judicial action.

(5) With reference to this point:

i) In the case of consent, the data will be retained for that purpose until the revocation of consent under Art. 7 GDPR. Revocation of consent does not affect the lawfulness of the processing based on the consent before revocation;
ii) – iii) on the other hand, in the case of processing carried out pursuant to Art. 130 para. 4 new Privacy Code and Art. 6 para. 1 lett. f) the data will be retained for this purpose until the objection under Art. 21 GDPR by the data subject, to be asserted from the beginning of the processing or during its protraction.

(6) as point (2).

(7) The retention period depends on whether the employment relationship is established or not. In fact, in case the Data Controller is not interested in the profile, it will immediately delete the candidate’s data. On the other hand, in the case of profiles that are interesting but not necessary at the time of submission, the Controller will retain the data for the maximum period of 15 months. In the case of the conclusion of an employment or collaboration contract with the candidate, the Data Controller will retain the data of the new employee/collaborator in accordance with the provisions of the relevant Data Protection Notice (to which please refer). Lastly, it should be noted that in the event that there is a concrete likelihood of a dispute or controversy between the parties, the candidate’s data will be kept until the reasons that justified its retention (e.g. amicable settlement of the dispute, final judgment, other) are exhausted.

COMPULSORINESS OF CONFERMENT

CONSEQUENCES IN THE CASE OF FAILURE TO CONFER

METHODS OF PROCESSING – art. 13 par. 2(e) GDPR. The numerical order above is followed.

(1) Interested parties are not obliged to provide their data. Failure to provide it does not allow navigation. Processing carried out exclusively by means of computer systems (software).

(2) The data subject is not obliged to provide the data. Failure to provide does not allow the user to receive the requested information. Processing carried out by email, telephone, paper mail, App.

(3) The system depends on legal obligations; in fact, it is the legislative framework that provides for how processing should be carried out (see, for example, on electronic invoicing).

(4) Processing carried out through computer systems (e.g., through use of email, pec, telematics platform, management systems, other) and paper-based systems (e.g., through drafting of court documents, notices, printing of documents, paper mail, other). Sometimes, the system depends on legal obligations (see PCT).

(5) The provision of personal data is not mandatory. In case of failure to provide data to receive communications on marketing, the data subject will not be able to collect more information about the products and services that performs the Owner, other. With regard to the methods of processing, the communications having as their object “Direct Marketing” are carried out through “automated” systems (such as, for example, by email, fax, text message, telephone calls without the aid of an operator, social networks, interactive applications such as WhatsApp, push notifications) and through “traditional” systems (such as, for example, by paper mail and/or calls with an operator). It should be noted that the consent collected for the performance of processing by “automated systems” legitimizes the Data Controller to use the same data also for the performance of communications by “traditional systems.” In any case, the data subject has the right to object to any unwanted mode of processing (for example, by expressing his or her desire to want to receive only email communications). In the case of the processing of sending communications carried out by telephone operator, such processing is precluded with respect to the data subject who was registered in the Register of Oppositions.

(6) The data subject is not obliged to provide the data. Failure to provide it does not allow the user to receive the requested information. The processing is carried out with computer systems.

(7) The candidate is not obliged to provide his/her personal data. Even so, however, failure to provide it does not allow the Holder to screen the candidate’s profile and thus, if appropriate, to proceed with his/her recruitment or hiring.

DIFFUSION AND COMMUNICATION OF DATA – art. 13 par. 2 letter e) GDPR. The data will not be disseminated but communicated to those persons formally appointed as data processors (e.g., employees or collaborators) or designated as data processors (e.g., company providing the hosting service).

In the case of issuing a comment, the data will be published on the site and then made visible to users.

To comply with legal or contractual obligations, the data subject’s data may be disclosed to the following parties:

(i) to insurance institutions in the case of claims;

(ii) to public agencies where required by law;

(iii) to Lawyers, Law Enforcement, Judicial Authority (e.g.) in the case of wrongdoing, breach of contract, other legally relevant fact caused by the data subject or by the Data Controller itself against the data subject.

For more information about the persons in charge or the data processors, please contact the Controller at the email address indicated in the epigraph.

PLACE OF DATA PROCESSING AND TRANSFER OF DATA TO NON-EU COUNTRIES – art. 13 par. 1 letter f). Data processing is carried out at the registered office of the Data Controller as well as at the places of work or data processing connected to the persons designated as data processors (with server location in the EU). The Controller undertakes not to transfer user data to countries outside the EU. In the case of transfers, the Controller guarantees the application of the rules set forth in Articles 44 et seq. of the GDPR. For any information, please contact the email address already reported.

RIGHTS OF THE DATA SUBJECT. The right of the data subject to ask the data controller for access to personal data, i.e., to know what data the data controller processes (Art. 15 GDPR); the right to obtain rectification, i.e., the right to have one’s data changed if they have changed (Art. 16 GDPR); the right to restriction of processing concerning him or her, i.e., to limit the data controller’s use of the data (Art. 18 GDPR); the right to object, on legitimate grounds, to their processing (Art. 21 GDPR); the right to data portability, i.e., the right to receive all personal data processed by the data controller in a structured, machine-readable format (Art. 20 GDPR); the right to request deletion of one’s data from the data controller (Art. 17 GDPR); the right to revoke at any time the explicit consent previously given, without prejudice to the lawfulness of the processing carried out up to that moment (art. 7 – 13 GDPR); the right to lodge a complaint with the Data Protection Authority in case of violations of the regulations (art. 77 GDPR).

COOKIE POLICY. Information about cookies and cookie-like automated systems is made available to the user by clicking the appropriate link called “COOKIE POLICY” located in the footer of the website. For completeness, the Data Controller at the conclusion of this Website Privacy Policy also provides the aforementioned Cookie Policy.

For any information, clarification, exercise of rights please contact the Holder at the above email address.