2. Privacy Policy

WEB PRIVACY POLICY


Browsing policy pursuant to art. 13 of Regulation (EU) 2016/679 (GDPR)


In adherence to the requirements of the EU Data Protection Regulation 2016/679 (hereinafter, also "GDPR"), as well as the national legislation in force on the matter, BAXI S.p.A. (hereinafter, also "the Company") with the hereby Privacy Policy wishes to inform users of its website about the methods, purposes and conditions of the processing operations carried out by the Company itself on the personal data collected.


This Privacy Policy, in particular, concerns the personal data of users who visit, consult or interact with this website.


In the specific section "Categories of data processed" are specified the individual types of data that are relevant.


In accordance with the provisions of the GDPR, users who consult and use the Company's website are classified as Data Subjects, meaning the identified or identifiable physical persons to whom the personal data being processed refer.


Please note that this Policy does not extend to other websites, over which BAXI S.p.A. has no control, that may be visited by users by clicking on links found on the Company’s website, including Social Network Platforms (in particular, Facebook, LinkedIn and YouTube, in addition to those that may be included over time) that can be reached through the direct linking links found on the site. In these cases, during navigation and consultation, users' personal data are not managed by the Company, but by the managers of the various sites and Social Networks, who act as data controllers. Therefore, please refer to the relevant Privacy Notices found in the aforementioned external platforms


1. DATA CONTROLLER


BAXI S.p.A., with registered office in Bassano del Grappa (VI), Via Trozzetti, 20, VAT no. IT02727440246, in the person of the Legal Representative, is the Data Controller.


2. CONTACT DETAILS OF THE DATA CONTROLLER


- Email to the following address: privacy@baxi.it
- Written communication to the registered office


3. CATEGORIES OF DATA PROCESSED


During and following consultation and use of its website by users, the Company may process the following personal data (hereafter, also “Data”) of users themselves:


A) Navigation data.


The IT systems and software procedures used for the operation of this website acquire, during their normal operation, some personal data, the transmission of which is implicit in the use of Internet communication protocols.


These data are not collected for the purpose of associating them with identified subjects, but by their very nature, through processing and association with personal data held by third parties, they might allow users of this website to be identified.


This category of data includes: IP addresses or domain names of the computers used by users who connect to the site; the addresses in URI (Uniform Resource Identifier) notation of the requested resources; the time of the request; the method used to submit the request to the web server; the size of the file obtained in response; the numerical code indicating the server’s response status (successfully concluded, error, etc.); as well as other parameters relating to the operating system and the user's computing environment.


B) Personal data provided voluntarily.


The optional, explicit and voluntary transmission of personal data to the Company, by completing the forms on the website, leads to the acquisition of the user’s contact data and all other personal data required by the Company in order to fulfill specific requests.


4. PURPOSES AND LEGAL BASIS OF THE PROCESSING OF PERSONAL DATA


The navigation data specified in Section 3(A) of this Policy are processed by the Data Controller in order to obtain anonymous statistical information on the use of the website and also to monitor the technical operation and performance of the website.


The processing is based, therefore, on a legal obligation to which the Company is subject, as well as on the pursuit of the legitimate interest of the Data Controller in the safe navigation and proper functioning of the website.


Therefore, according to Article 6 paragraph 1 letter c) and letter f) GDPR, the express consent of users is not required.

Personal data specified in Section 3(B) of this Policy are processed by the Data Controller for the specific purpose of providing information or assistance to users, as well as to handle contact requests received.


In this case, the processing is based on the execution of a contract or pre-contractual measures and on the fulfillment of specific user requests.
Therefore, according to Article 6 paragraph 1 letter b) GDPR, the express consent of users is not required.


5. NATURE OF PROVIDING PERSONAL DATA


The provision of navigation data is mandatory, as it is functional for consultation, navigation and use of the Company's website, as well as necessary to ensure its provision.

The provision of personal data by users in order to receive information or assistance from the Company or to make requests to the Company, on the other hand, is optional, free and voluntary. Failure to provide this data determines the impossibility for the Company to provide the Data Subject with the requested information, assistance or service.


6. DATA RETENTION PERIOD


The navigation data specified in Section 3(A) are retained by the Data Controller for no longer than 12 months. Longer retention periods may depend on the need to comply with specific requests made by the Public Administration or other governmental or regulatory body, as well as if this is necessary to enable the Judicial Authority to proceed with the investigation of criminal offenses.

The personal data voluntarily provided, referred to in point 3 letter B), are kept for no longer than three months.

Upon the expiration of these retention periods, personal data subject to computerized processing are deleted by automatic means or otherwise permanently anonymized.


7. DATA PROCESSING METHODS


The processing of Data is carried out by telematic methods in full compliance with the provisions on the protection of personal data and, specifically, with the technical and organizational measures referred to in Article 32 GDPR, with the observance of precautionary measures that ensure data integrity, confidentiality and availability, as well as data accuracy, updating and relevance to the purposes stated in this Privacy Policy.


It should be noted that the processing referred to in this Notice is not subject to automated decision-making processes.


Regarding website page access data, the processing of users' personal data is carried out using automated tools.


Please also note that the Company has adopted specific security measures designed to protect the data collected from unauthorized or unlawful processing, as well as designed to prevent the loss, destruction or accidental damage of such data.


8. PERSONAL DATA RECIPIENTS


The Data are not subject to dissemination, except when required by a law or regulation or EU legislation.


In any case, Data will be processed by individuals specifically authorized by the Data Controller (e.g., other employees of the Company, due to the functions they hold), who have received specific operational instructions.


The Data may be communicated to parties outside the Company who process the Data on behalf of the Data Controller as Data Processors (e.g., sales agencies and data processing and IT service companies). Please note that the updated list of external Data Processors, appointed pursuant to Article 28 GDPR, is kept by the Data Controller and can be consulted at the request of the Data Subject.


9. DATA TRANSFER TO OTHER COUNTRIES


The Data Controller may transfer data to countries outside the European Union or the European Economic Area (EEA).

The Controller ensures that any such transfers will take place:


- in accordance with specific standard contractual clauses approved by the European Commission (SCC) under Article 46 GDPR;

- to countries that the European Commission has deemed to guarantee an adequate level of protection, in accordance with the provisions of Art. 44 et seq. GDPR.


Any exceptions to the above will take place only in compliance with Art. 49 GDPR.


10. DATA SUBJECTS’ RIGHTS


By sending a communication by registered letter with return receipt to the registered office of the Company or by e-mail to the address indicated in the "Contact details of the Data Controller" section of this Policy, Data Subjects can the Data Controller at any time:


a) access to their personal data;
b) rectification of their data;
c) the deletion of their data, within the limits provided by the GDPR;
d) the restriction of the data processing, if the conditions set forth in Article 18 GDPR are met;
e) the portability of their data in a structured format, in the cases referred to in Article 20 GDPR;
f) opposition to the processing of their data, in accordance with Article 21 GDPR.

If Data Subjects consider that the processing concerning them violates the GDPR, they also have the right to lodge a complaint with the Italian Data protection Authority (Garante per la Protezione dei Dati Personali), based in Rome, 00187, Piazza Venezia 11, at the following coordinates:


www.gpdp.it - www.garanteprivacy.it
e-mail: garante@gpdp.it
fax: (+39) 06.69677.3785
telephone: (+39) 06.69677.1

Please note that BAXI S.p.A. has appointed a Personal Data Protection Officer (DPO) after assessing the specialist knowledge of personal data protection regulations.
The Personal Data Protection Officer oversees compliance with personal data processing regulations and provides necessary advice. In addition, when necessary, the DPO cooperates with the Data Protection Authority.


The Personal Data Protection Officer, appointed by BAXI S.p.A. pursuant to Article 37 GDPR, can be contacted at the company's headquarters or through the e-mail address privacy@baxi.it


Last update: May 2024