Information for users relating to the processing of personal data in the "Investors Relation" area of the website

Dear User,

GSD – Sistemi e Servizi S.C. a R.L as Data Controller (hereinafter "Company" or "Data Controller"), is committed to ensuring the protection of the personal data that is requested from you and that you freely provide to us.
The purpose of this document is to provide you, in a clear, simple and transparent manner, with all the information relating to the processing of your personal data, in accordance with the provisions of Regulation (EU) 2016/679 ("GDPR") and the applicable national legislation.
This information refers specifically to the personal data you provide by filling in the optional form in the Investors Relations area and by subscribing to the relevant information services on our website https://www.grupposandonato.it/investor-relations.
We invite you to read the following carefully to understand the purposes and methods with which we will process your data, the subjects to whom it may be communicated, the retention period and the rights that the GDPR recognizes you and that you can exercise at any time.

Data controller: GSD – Sistemi e Servizi S.C. a R.L., Via Spadolini n. 4 - 20141 Milano,  e-mail amministrazione.gsdss@grupposandonato.it.

Data Protection Officer (DPO): rpd.gsdss@grupposandonato.it.

Type of data:

• Personal data
• Email, Internet browsing
• Company

Source: Data collected from the data subject

 

Purpose	Legal basis	Data retention
Notification of new documentation we will use your e-mail address to send you communications exclusively aimed at notifying you of the publication of new documents and relevant updates within the Investor Relations section (e.g. financial statements, press releases, presentations to investors).	Common data  processing is necessary for the performance of a contract to which the data subject is party, pursuant to art. 6 (1) (b) GDPR	Data processed for this purpose shall be retained for the duration of the contractual term; personal data collected shall not be processed for a period exceeding 10 years, in accordance with the statutory limitation period prescribed by law.

 

The provision of data for this purpose is a contractual requirement necessary for the conclusion of the Service Agreement.
Failure to provide such data shall not preclude the user from browsing the Investor Relations section of the website.

The processing of Personal Data will take place – according to the principles of fairness, lawfulness and transparency – through computerized, manual and/or telematic supports and/or tools, with logics strictly related to the purposes of the processing and in any case guaranteeing the confidentiality and security of the data themselves and compliance with the specific obligations established by law.

The availability, management, access, storage and usability of data is guaranteed by the adoption of technical and organisational measures to ensure adequate levels of security pursuant to art. 25 and 32 of the GDPR, as well as to ensure compliance with the relevant sector provisions according to European Union and national law, including the Guidelines on online reports of the Italian Data Protection Authority of 25 June 2009.

Your Personal Data will not be disseminated except in the event that their communication or dissemination is required by virtue of legal provisions or orders of the authorities. In any case, these are subjects, bodies or authorities acting in their capacity as independent Data Controllers.

The Data may be communicated to subsidiaries and associated companies of the Data Controller for administrative and accounting purposes, meaning those related to organizational, administrative, financial and accounting activities, regardless of the nature of the data processed. These subjects will act, as a rule, as independent Data Controllers of their respective processing operations, unless they act on behalf of the Data Controller as Data Processors and have therefore signed a specific contract that precisely regulates the processing entrusted to them, pursuant to art. 28 of the GDPR.

Your Personal Data may be communicated to service providers who are strictly related and functional to the activity of the Data Controller, who typically act as data processors pursuant to Article 28 of the GDPR. 

Personal Data may be processed by employees of the company departments responsible for pursuing the purposes indicated above, who have been expressly authorized to process them and who have received adequate operating instructions in compliance with the provisions of art. 29 GDPR.

In the event that some of the personal data is shared with Recipients who may be located outside the European Economic Area, the Data Controller ensures that the processing of the Data by these Recipients is carried out in compliance with the GDPR. Indeed, transfers can be based on an adequacy decision, on the Standard Contractual Clauses approved by the European Commission or on another suitable legal basis. More information is available from the Data Controller.

No data transfer outside the European Union is envisaged.

Pursuant to Articles 7 and 15 to 22 of the GDPR, where applicable, you have the right to:

• obtain from the Data Controller confirmation as to whether or not personal data concerning you are being processed and, if so, obtain access to your Data, as well as, if the data are not collected from the Data Subject, receive all available information on their origin;

• know the purposes of the processing, the categories of data in question, the recipients or categories of recipients to whom the data have been or will be disclosed, in particular if recipients are third countries or international organisations, the envisaged data retention period or the criteria used to determine that period;

• ask the Data Controller for the rectification, deletion of data or limitation of the processing of data concerning you;

• object to the processing of data, without prejudice to the right of the Data Controller to evaluate your request, which may not be accepted in the event of the existence of compelling legitimate reasons to proceed with the processing that prevail over your interests, rights and freedoms;

• be made aware of the existence of automated decision-making, including profiling;

• obtain data portability in the cases provided for by law;

• lodge a complaint with a supervisory authority (Privacy Guarantor).

Requests must be addressed in writing to the Data Controller or the DPO at the addresses indicated above.

Any modification or deletion or limitation to processing carried out at the request of the data subject, or following withdrawal of consent – unless this is impossible or involves a disproportionate effort – will be communicated by the Data Controller to each of the recipients to whom the personal data have been communicated. The Data Controller may notify the data subject of these recipients upon request.