Our commitment to personal data protection
Dear User, on this page you will find the information on the management methods used for the handling of your personal data on our site. Privacy, protection and security of data processed are of particular importance: this is why our company dedicates utmost attention to the protection of personal data.
The security of data and respect for the rights of interested parties form the basis of the trust relationship and cooperation with our clients, partners, employees, and in general, all those who come in contact with our Company.
For this reason, we comply with all the law requirements upon gathering, processing and conserving personal data, particularly the provision of the EU Regulations on data protection (General Data Protection Regulation 2016/679 “GDPR”) and all the applicable norms on personal data protection.
Hereunder is a description of the principles and measures for the protection of the rights and liberty of natural persons who come into contact with our Company, in relation to the processing of their personal data.
The Data Controller, that is, the party determining the purposes of the processing, is Nest Srl (hereinafter referred to as “Nest Srl” or “Company”) with registered office at Via Prato Santo, 4a – 37126 VERONA (VR) – ITALIA. The updated list on the processing can be consulted upon request via email at the address email@example.com.
Personal data processing principles
The principles applied in personal data processing are the following:
Legitimacy: Personal data processing is always performed on a legal basis.
Transparency: Every party involved must be able to understand the processing of their own personal data.
Objectives: The purposes for which the personal data are processed must be clearly identified beforehand and defined at the time of collection.
Processing Minimization: Personal data processing must be limited in the suitable measure, factual, pertinent and necessary for the processing aims. The same holds for the access options.
Accuracy: The personal data should be correctly and completely archived, elaborated and updated sequentially. Suitable measures are taken to cancel, correct, integrate or update data that are imprecise, incomplete and not updated.
Filing time limits: The personal data may be kept only for the time necessary in consideration of the objectives for which they are gathered or for the time allowed by law norms (for example the conservation times established by tax legislations).
Integrity and confidentiality: In data processing, suitable technical and organisational measures should be adopted to protect the data in an appropriate manner, particularly to avoid unauthorised or illicit processing, accidental loss of data, and their accidental destruction or damage.
All processing performed by our Company is carried out in conformity with the aforementioned principles.
Legal grounds for data processing
Any processing of personal data is subject to the principle of “prohibition subject to authorization.” Consequently, any processing of personal data is unlawful if there is no legal basis.
Our Company processes personal data on the basis of the following laws:
- Fulfillment or preparation of a contract, e.g. management of the addresses for postal communications;
- Fulfillment of a law obligation, e.g. deposit of documents in compliance with financial/commercial laws;
- Legitimate interests, e.g. advertising through the postal service (provided there are no objections);
- Consent of the data subject, e.g. for contacts via telephone or for the processing of healthcare data.
Special categories of personal data, e.g. those regarding ethnic origin, religious creed or health, may be processed only with the explicit consent or law authorisation.
Rights of the data subjects concerned
The protection of the rights of natural persons in relation to personal data processing is an absolute priority for Nest Srl.
To guarantee this, the interested party has among others, the following rights:
- Information: The data subjects concerned shall be immediately informed and in a transparent manner on the possibility and methods of the processing of their data. This holds either in cases where the personal data are collected directly from the data subject or from third parties.
- Access: The data subject may at any time request information on the personal data kept or processed, and also a copy of such data.
- Rectification: The data subjects may at any time, request the correction or completion of inaccurate or incomplete personal data, e.g. if a name or address is incorrect.
- Erasure: The data subjects may request the erasure of their own personal data, in so far as there are no contrasting obligations or rights, e.g. obligations to keep for fiscal/commercial reasons. The data subjects also have the right to be “forgotten” with the consequence that other controllers are informed of the request for erasure, in so far as Nest Srl has communicated personal data to them.
- Processing limits: The data subjects may request that their personal data be limited, e.g. if the data are inaccurate.
- Opposition: Data subjects at any time may oppose the processing of their personal data for advertising purposes. Otherwise, an opposition is possible in certain conditions in consideration of the particular personal circumstance of the data subjects.
- Automated decisional process: In the context of efficient commercial transactions, the data subjects can undergo an automated decision only if lawful, e.g. in the framework of the fulfillment of the contract. The data subjects are informed of the corresponding automated processing procedures.
The data subjects will be furnished with all the information relating to the processing of their own personal data in a clear and simple language.
In cases of the violation of personal data, the data subjects shall be informed of such breach in the presence of law requirements if such violation entails risks for their rights and freedoms.
The data subjects are furthermore free to lodge complaints to the Company, and contact the data protection officer or the judicial authorities to exercise their own rights and freedom in the processing of personal data. The legal rights and claims of the data subjects are not in any way limited by this policy.
Assignment of Data Processing Tasks and Data Transfer
If the personal data are processed by external processors or partners on behalf of Nest Srl, suitable data protection measures are taken according to the category, for example:
- Assignment of data processing tasks: According to instructions in force, if the processor has to process personal data, specific agreements are undertaken with such suppliers and the assignment is given only to those processors who adopt suitable technical and organisational measures to protect them. The same holds in cases of access to data for maintenance and assistance activities.
- Transfer of functions: If a third party is assigned with other further tasks with respect to personal data processing which requires an independent decision regarding the use of data, a specific agreement is undertaken to this end, which has to provide adequate technical and organisational measures, similar to what was provided for in the previous point.
- Privacy agreement: If the dissemination of personal data in a limited measure cannot be excluded in single cases, a privacy agreement is concluded for security reasons with the supplier.
If the personal data are processed outside the EU or can be viewed outside the EU, this will occur only if guarantees are furnished to ensure the security of the processing, e.g. the undertaking of standard data protection clauses.
Security of data, assessment of the impact and technological design
We adopt suitable technical and organisational measures for the protection of personal data. These include, in particular, measures to guarantee the privacy, integrity and availability of personal data, including the resiliency of systems and services.
The risks for the rights and freedom of the persons concerned are taken into consideration in all the processing operations when the technical and organisational measures are selected. In cases of elevated risks, the processing is subject to a further control of the risks and measures.
Upon processing personal data, the principle observed is the “protection of data by means of pre-set technological designs for data protection” (data privacy by design/default), e.g. by means of pseudonymisation or reduction of personal data to a minimum. The technical and organisational measures are regularly reviewed in terms of efficacy and adopted according to needs, taking the state of the art into account. This likewise holds for the technical and organisational measures when suppliers of external services or partners are involved.
Data Protection Responsibility and organisation
Nest Srl is responsible for the application of the data protection norms. The company’s management creates the premises necessary for the implementation of the data protection requirement by the employees of the various departments. The principles and characteristics of the data protection management system of Nest Srl are described thoroughly in the Data Protection Guidelines.
All the data subjects may address Nest Srl at its headquarters to request clarifications or information, and also to exercise their own rights. The related requests may be addressed to:
c/o Nest Srl with registered office in Via Prato Santo, 4a – 37126 VERONA (VR) – ITALIA.
Surfing in the site
The pages visited by the user may be sent to its terminal (usually the browser) by the so-called cookies, that is, small text strings that keep track of the user’s movements. The cookies may be used for various purposes: monitoring the sessions, memorising specific information, etc.
For details regarding the cookies used by Nest Srl Italia, kindly see the specific Comprehensive Information on Cookies.
Information to the persons concerned
The purposes, processing methods, persons to which the data received are communicated, and any other information useful to the data subject, are given in detail in the circular hereunder, drawn up for the purposes the Company pursues each time, in the framework of the services to which the same is authorised pursuant to the norms in force.
Information concerning personal data protection
The contents of this Circular were drawn up in conformity with the General Data Protection Regulation (EU Regulation 2016/679, hereinafter referred to as “Privacy Regulation,” consultable on the site of the Italian Data Protection Authority (DPA) www.garanteprivacy.it). The objective which Nest Srl (hereinafter referred to as Nest Srl or the Company) intends to pursue is to ensure the best transparency with regard to how the Company processes Personal Data in such a way that will clarify how such data are collected and used and for what purposes the processing is performed, and that the data you furnish shall be processed with methods for the following purposes:
1. Subject of processing
The Data Controller, for the establishment of the current relationships with you, processes your personal, identification, contact and fiscal data (e.g. name, surname, corporate name, address, telephone, e-mail, bank and payment references, etc.).
2. Processing purposes and judicial grounds
Your personal data are processed:
a. Without your express consent (Art. 6 GDPR) to carry out the following service purposes:
- Conclude the contracts for the services of the Data Controller;
- Fulfill the pre-contractual, contractual and fiscal obligations deriving from existing relationships with you;
- Fulfill the obligations provided by law, a regulation, a community norm or an order of the Authority (e.g. pursuant to the Anti-Money Laundering Norm);
- Exercise the rights of the Data Controller, e.g. the right to defend itself in lawsuits;
b. Only after your specific and clear consent (Art. 7 GDPR), for the following marketing purposes:
- For the sending via mail, of posts and/or sms and/or telephone contacts, newsletters, commercial communications and/or advertising material on products or services offered by the Data Controller and survey of customer satisfaction on the quality of services;
3. Nature of data underwriting and consequences of refusal to respond
The underwriting of data for the purposes referred to in point 2.a is obligatory. Without it, we could not guarantee the relevant services.
The underwriting of data for the purpose referred to in point 2.b is instead optional. You may thus decide not to underwrite any data or subsequently deny the possibility to process data for such purposes; in such case you will not receive the newsletter, commercial communications and advertising material regarding the products offered by the Data Controller. However, you will continue to have the right to avail of the services referred to in point 2.a.
4. Processing methods
The processing of your personal data will be done by means of the operations indicated in Art. 4 no. 2 GDPR, and specifically by: collection, registration, organisation, structuring, retaining, adaptation or modification, extraction, consultation, use, communication through transmission, diffusion or any other form of disclosure, comparison or interconnection, limitation, and erasure or destruction of the data.
Your personal data are subjected to both paper, and electronic and/or automated processing.
The processing is performed by assigned operators and collaborators in the field of their respective functions and in conformity with the instructions received, always and solely for the achievement of the specific aims, scrupulously complying with the principles of privacy and security required by applicable norms.
5. Access to data
Your data may be made accessible for the purposes referred to in point 2:
- To the employees and collaborators of the Data Controller in their capacity as entities tasked with processing and/or internal managers and/or system administrators;
- To third-party companies or other subjects (e.g. credit institutions, professional studios, consultants, insurance companies, etc.) that engage in outsourcing activities on behalf of the Data Controller, in their capacity as external processing managers.
6. Communication of data
Without needing express consent (Art. 6 GDPR), the Data Controller may communicate your data for the purposes referred to in point 2.a to Supervisory Bodies and/or Judicial Authorities as well as all the other subjects to which the communication is obligatory by law for the fulfillment of the aforesaid purposes. Your data shall not be disseminated.
7. Data retention
All personal data given will be treated in compliance with the principles of legitimacy, correctness, pertinence and proportionality, only with the methods, also IT and telematics, strictly necessary for the pursuance of the aforementioned aims. In every case, personal data shall be kept for a period not longer than that strictly needed to achieve the aims indicated. Personal data that do not need to be kept in relation to the indicated scopes shall be cancelled or transformed into anonymous form. We highlight that the IT systems used for the management of information collected are configured, right at the start, in a way as to minimise the use of personal data.
What are the rights of the Data subjects?
The data subjects have the right to exercise at all times the following precise rights:
- Right to access. You may request the confirmation that your own Personal Data are being processed and, in such cases, obtain the related information and know the rights that can be exercised.
- Right to rectify. You may request the rectification of Personal Data retained to be inaccurate or integration if retained to be incomplete. The Company reserves the right in these cases to verify the accuracy of the information received before proceeding with the activities requested.
- Right to erasure. You may request the erasure of your own Personal Data if these are no longer necessary for the purposes for which they were collected. Data subjects may revoke the consent on which the processing is based, or oppose their processing, if the data are illegally processed or there is a law obligation in this sense. In these cases, the Company proceeds with the requested erasure, except in cases where the Personal Data are kept for a law obligation or for the ascertainment, or exercise of defense of a right in law proceedings.
- Right to limitation. You may request the limitation of Personal Data processing (retention without use) when: the data subject questions the exactness of the period needed to allow the Company to verify their accuracy; the processing is unlawful if the data subject opposes the erasure and requests its limitation; the Company no longer needs the data for its own purposes but the data subject needs them to be checked, for the exercise or defense of a right in lawsuits; and the data subject opposes the processing and is awaiting the Company’s verification. When the processing is limited, the Company may continue to use the Personal Data after the express consent of the data subject or to ascertain, exercise or defend one’s right in lawsuits, protect the rights of another natural or juridical person, or for important reasons of public interest.
- Right to data portability. You may receive your own Personal Data from the Company in a commonly used structured form and eventually transmit such data to another Data Controller, when the processing is based on the consent of the data subject or comes about in the execution of a contract in which the data subject is a party, or when the processing is carried out with automated means.
- Right to oppose. You may oppose the processing of one’s own Personal Data, for reasons connected to one’s own particular situation, if this is founded on the Company’s legitimate interest. The Company will not be able to accept such request in the presence of binding legitimate reasons that prevail over the interests, rights and freedom of the data subject or for the ascertainment, exercise or defense of a right in lawsuits. If the Personal Data are processed for the purposes of direct marketing, the data subject may oppose the relevant processing any time.
- Right to not being subjected to automated decisions.
The data subject has the right to not be subjected to decisions based solely on automated processing, including the profiling, when the decision produces juridical effects which concern him or impact importantly on his/her person. In these cases, one may request human intervention in the decisional process. Such right cannot be applied when the decision is needed for the conclusion or execution of a contract with the Company or is authorised by law or is based on the explicit consent of the data subject.
In all cases of the data subject’s exercise of his/her own rights, the Company verifies beforehand the identity of the applicant so as to guarantee the confidentiality of information to be handled. No payment is foreseen, except in cases where the requests are manifestly ungrounded or excessive. In such cases the Company informs the data subject beforehand on the costs to be borne.
The requested fulfillment time, as provided by the Privacy Regulation, shall be at most one month from the date of receipt. Such term may be extended by two months, if necessary, in consideration of the complexity and the number of requests, after information has been relayed to the data subject.
Right to lodge a complaint to a control authority
Who is the Data Controller?
The Data Controller, that is, the entity determining the purposes of the processing, is Nest Srl (hereinafter “Nest Srl” or “the Company”) with registered office in Via Prato Santo, 4a – 37126 VERONA (VR) – ITALIA, P.IVA 04569390232, which in its capacity as Data Controller keeps you informed pursuant to Art. 13 EU Regulation n. 2016/679 (hereinafter referred to as “GDPR”).
Who can the Data subject address?
If there is one assigned, the Data Protection Officer can be addressed at the headquarters of Nest Srl, and to whom the requests of the data subject will be transmitted. The Officer can be contacted at Nest Srl at the following address: c/o Nest Srl with registered office in Via Prato Santo, 4a – 37126 VERONA (VR) – ITALIA email: firstname.lastname@example.org. The updated list of officers and persons tasked with processing is kept at the registered office of the Data Controller.
Can complaints be lodged directly to the Data Protection Authority?
The data subjects may present complaints to the Data Protection Authority for issues pertaining to the processing of their Personal Data by the Company. All information to this regard is available on the Authority’s site: www.garanteprivacy.it
Is processing performed for commercial purposes?
The Company may send commercial communications using the mail or mobile phone furnished by the Persons concerned for the purpose of direct sale of its own products or services analogous to those purchased. At any time, the Persons concerned are entitled to oppose the sending of such communications.
For the sending of further commercial communications, market research or surveys on customer satisfaction, the Personal Data may be processed only with the consent of the data subjects, with the option to revoke it any time.
In the presence of communications via mail, the revocation may come about through the specific link present in the mails sent. In any case consent may be revoked by writing directly to the Privacy Service, the addresses of which are given in this office circular.