Tuesday, 18 March 2025
CMC Components - Slide 1

Privacy Policy

Identity of the Data Controller. Data Protection Officer. Contact Details

In compliance with the obligations set forth in Articles 13 and 14 of the European Regulation 2016/679 (General Data Protection Regulation, hereinafter “GDPR”) and the applicable national laws regarding the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data, CMC srl, with registered office at Strada dei Laghi, 52 - Monteriggioni (SIENA), Tax Code/VAT No.: 01016350520, contactable for these purposes at the email address: info@cmcgroup.it, as the Data Controller (hereinafter referred to as the “Controller”), in consideration of the importance it places on the protection and security of personal data provided through this site, informs that it has appointed Mr. Fabrizio Mandorlini as the Data Protection Officer (DPO), in accordance with Articles 37-39 of the GDPR, who can be contacted at cell. +39 329 9875817.

Definitions

For the purposes of the aforementioned legislation, the following definitions apply:

  • Personal data: any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
  • Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Filing system: any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.
  • Data Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
  • Recipient: a natural or legal person, public authority, agency or another body to which personal data are disclosed, whether a third party or not.
  • Data subject's consent: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.

Categories of Personal Data Processed. Obligation/Optional Nature of Providing Data. Consequences of Failure to Provide Data

The Controller processes personal data related to the user as the "data subject," as voluntarily provided or lawfully obtained.

The provision of Personal Data may occur by filling in the relevant fields in the various sections of the Site, contacting Customer Service, or by sending requests via email where applicable.

The site contains virtually no information intended directly for minors. Minors must not provide information or personal data. Participation in any contests present on the website is exclusively for adults.

In particular, the following personal data are processed:

Data Related to the Operation of This Site

The IT systems and software procedures used to operate this website acquire, during their normal operation, the following personal data whose transmission is implicit in the use of Internet communication protocols, by way of example: IP addresses; the type of browser used; addresses of websites from which access was obtained, access time, other browsing parameters, etc.

This information is not collected to be associated with identified data subjects but, by its nature, could allow users to be identified, through processing and association with other data held by third parties.

Data Related to Promotional and Profiling Activities

Optionally, with the express consent of the data subject (obtained through the voluntary selection of appropriate checkboxes), the contact data voluntarily provided may be used for sending promotional communications and/or the service may be customized based on preferences expressed by filling in the respective sections.

This concerns personal data not belonging to special categories (such as name, surname, telephone number, email address, date of birth, residential address, etc.), provided by the data subject to allow their identification and/or the fulfillment of the requested service (e.g., sending newsletters or communicating the Controller’s initiatives) or additional data to allow a personalized service (profiling), in any case only with the express prior consent.

The data in this category is optional; therefore, consent for processing these data may be denied or revoked by the data subject at any time and as easily as it is given, without prejudice to the lawfulness of processing carried out before the revocation. Consequently, failure to provide and/or revocation of consent for the processing of these data will not prevent the data subject (the "user") from accessing the service, but the Controller will not be able to send commercial communications, provide access to any dedicated promotional advantages and/or personalize such communications according to expressed preferences.

Purpose of the Processing to Which the Personal Data Are Destined. Legal Basis of the Processing

The purposes of processing the personal data of the user (data subject) are indicated below, whether automatically acquired during navigation or voluntarily provided by the user, according to the needs expressed from time to time during access to the contact services and/or various sections of the website, by filling in online forms or by direct access, through links, to the Controller's email address related to the requested service.

Data Related to the Operation of This Site

Navigation data is processed exclusively by persons expressly authorized by the Controller to facilitate access to the sections of the website, as well as participation in any promotions and/or contests, including activities related to the evaluation, assignment, and/or communication of digital coupons (also through transactional email delivery), as well as the prizes related to such participation, responding to requests received via email (for example, requests of a technical nature on access problems or the functioning of a contest), in which case the legal basis is the performance of pre-contractual measures or a contract (Article 6, paragraph 1, letter b of the GDPR), or to allow maintenance of the site, in which case the legal basis for processing is the legitimate interest of the Controller to ensure site security, proper functioning, and obtain usage statistics (Article 6, paragraph 1, letter f of the GDPR).

Data Related to Promotional Activities (so-called Marketing) and/or Market Research

Subject to the user's consent and until its withdrawal, the Controller may carry out marketing activities, such as, but not limited to: newsletter subscription, using the contact details provided by the data subject (postal mail, telephone, email address), market research, sending informative and promotional material, marketing and advertising activities concerning the Controller's products and services, determining the user’s level of satisfaction with the quality of the activities performed by the Controller, carried out directly or through specialized companies using distance communication techniques, including automated contact methods (such as SMS, MMS, fax, phone calls, emails, messages on web applications) and traditional methods (such as postal mail and telephone calls with an operator), through personal or telephone interviews, questionnaires, conducting statistical surveys, carrying out analyses on habits and defining the user’s profile using the information provided at the time of registration, upon filling in questionnaires, based on actions performed while browsing the web or interacting with advertising banners of the Controller, with the content published on various social networks.

In all these cases, the legal basis for processing is the consent specifically and freely given by the data subject (Article 6, paragraph 1, letter a of the GDPR), without prejudice to the possibility of withdrawal at any time and without any formalities, without prejudice to processing carried out by the Controller prior to the withdrawal.

Consent for the processing of personal data is optional, but in the event of refusal, either in full or in part, to provide data or to consent to their processing and/or communication, it will not be possible to complete the newsletter subscription process and therefore to execute the requested service.

Processing Methods. Categories of Recipients. Transfer Outside the EU

The personal data provided by the data subjects, directly or indirectly, will be processed mainly in an automated manner, with logics strictly related to the aforementioned purposes, through archives managed by the Controller or by third parties appointed as Data Processors (for the complete and updated list of Data Processors appointed for the processing of data relating to them, the data subject may contact the Controller at the above contact addresses) and/or integrated computer systems and/or websites owned or used by the Controller.

The Controller has adopted appropriate security measures to protect data subjects against the risk of data loss, misuse, or alteration. Although it is not possible to guarantee that data transmission over the Internet or websites is perfectly secure from intrusion, the Controller and its suppliers endeavor to maintain physical, electronic, and procedural security measures to protect personal data in compliance with legal requirements by adopting appropriate technical and organizational measures to address risks, as set out in Article 32 of the GDPR. The Controller uses protected data transmission protocols known as http or https, processing such data for the specific, explicit, and legitimate purposes for which they were collected so that the processing is not incompatible with those purposes, following principles of lawfulness, fairness, transparency, minimization, accuracy, integrity, and confidentiality.

Users' (data subjects') data are stored on servers located within the European territory or, in the case of electronic platforms like Google and/or SAP Customer Data Cloud, may be transferred by the Controller outside the EU territory, in which case ensuring compliance with applicable legal provisions and the observance of adequate safeguards as required by Articles 46, 47, and 49 of the GDPR. The Servers are subject to an advanced backup and disaster recovery system, protected by firewalls, with strict access restriction to personal data, based on necessity and for the purposes communicated; the transfer of collected data takes place through appropriate security measures, and a permanent monitoring system for access to IT systems is in place to detect and prevent any abuse.

Retention Period

The personal data communicated by the data subject or otherwise processed by the Controller are saved for the time necessary to fulfill the specific purposes, as indicated below.

Data Related to the Operation of This Site

The data referred to in point 2.1 and used solely for the purpose of obtaining anonymous statistical information on the use of the site and to check its proper functioning are kept for a period of 6 months after the request for cancellation from the service, solely to fulfill the same.

In the case of processing for participation in contests, processing will be limited to the time strictly necessary to fulfill the regulatory retention obligation.

Personal data processed to comply with an information request by the data subject will be retained concerning the type of request for the time necessary to comply with the regulatory retention obligation and/or for any legal needs.

Data Related to the Implementation of Promotional Activities and/or Market Research

In the event of consent for data processing for the purposes mentioned in point 2.2, such data will be retained within the maximum period of time provided for by the aforementioned regulation concerning the provision of consent, i.e., no longer than two years for purposes related to commercial communications and no longer than one year for profiling purposes, except for withdrawal of the relevant consent by the data subject earlier.

In both cases, the retention period may be extended to comply with a legal obligation, a specific request from a public authority or supervisory body, or to allow the conduct of defensive investigations and/or judicial protection, if necessary.

Data Subject Rights

In relation to the processing of personal data described above, the data subject may contact the Data Controller at the addresses indicated in point 1, without any formalities, at any time, to exercise the rights provided for by Articles 15-22 of the GDPR, fully available at www.garanteprivacy.it/regolamentoue, within the limits and under the conditions provided therein, and listed below for illustration:

  • Right of access: to obtain confirmation as to whether or not personal data concerning them are being processed and to obtain access to such data and specific information (e.g., purposes of processing, categories of data concerned, recipients to whom the data will be disclosed).
  • Right to rectification: to obtain rectification of inaccurate data concerning them (e.g., to update, modify or correct such data) without undue delay. In such cases, the data controller is obliged to communicate the rectification to all recipients to whom the data have been disclosed, unless this proves impossible or involves disproportionate effort.
  • Right to erasure (so-called right to be forgotten): to obtain the definitive deletion of data concerning them, and the data controller is obliged to delete them without undue delay if certain reasons exist (e.g., if the personal data are no longer necessary concerning the purposes for which they were collected; if the data subject withdraws consent; if they must be deleted due to a legal obligation). In such cases, the data controller is obliged to communicate the deletion to all recipients to whom the data have been disclosed, unless this proves impossible or involves disproportionate effort.
  • Right to restriction of processing: to impose a restriction on data processing, e.g., storage only, excluding any other use, in certain cases (e.g., if the processing is unlawful and the data subject objects to the deletion of the data; if the data subject contests accuracy, within the verification period of accuracy). In such cases, the data controller is obliged to communicate the restriction of processing to all recipients to whom the data have been disclosed, unless this proves impossible or involves disproportionate effort.
  • Right to data portability: to obtain the return of personal data provided in electronic format and transmit them to others or request transmission from one controller to another, if technically feasible.
  • Right to object: to object at any time to processing for public interest purposes or legitimate interest; for marketing purposes; for scientific, historical, or statistical research purposes.

Finally, under Articles 77 and 79 of Regulation EU 2016/679, the data subject has the right to file a judicial appeal, without prejudice to any other administrative or extrajudicial remedy available, including the right to lodge a complaint with a supervisory authority (Garante per la protezione dei dati personali, Piazza Venezia n. 11 - 00187 Rome, www.garanteprivacy.it, email: garante@gpdp.it, Fax: (+39) 06.69677.3785 Central telephone exchange: (+39) 06.69677.1).

The Controller reserves the right to make changes to this Privacy Notice at any time, with binding effects as of its publication, providing information on this page, which may therefore be updated over time, also in compliance with European and national regulations in this regard. Users (data subjects) are therefore invited to constantly check the content of the Privacy Notice to ensure they agree with any changes (taking the last modification date indicated at the bottom as a reference), being required to cease browsing the website if they do not accept the changes.

Last update: 21-09-2024