The new data protection regulation No. 2016/679 of the European Union (General Data Protection Regulation, GDPR, hereinafter referred to as “Regulation” or “GDPR”) became directly applicable in Europe. According to the Regulation, the Company is considered as data controller, i.e. the Regulation is applicable in respect of the personal data managed by the Company as well.
1.2 The purpose of the Notification
The purpose of the Notification is to establish the data protection and data management provisions and principles followed and applied by, and applicable to:
Carrozzeria Franco S.N.C. Di Alessandrin Franco & C.
Italy – Selvazzano Dentro (PD) Via Penghe 1/F
“+39 049 623151”
(hereinafter referred to as “Data Controller” or “Company”), as well as the data protection and data management policy of the company.
In course of determining the content of the Notification, in addition to in particular the Regulation, the Company took into consideration the provisions of Act CXII of 2011 on the Right to Informational Self-determination and the Freedom of Information (“Privacy Act”), Act V of 2013 on the Civil Code (Civil Code), and Act XLVIII of 2008 on the Essential Conditions of and Certain Limitations to Business Advertising Activity (Business Advertising Act) as well.
The scope of the present Data Management Notification covers the data managements related to the website available at:
(hereinafter referred to as “Website”) and data managements related to the commercial activity of the Company.
Unless there is notification to the contrary, the scope of the Notification shall not extend to those services and data managements which are related to the promotions, prize games, services and other campaigns of or to the content published by those third parties who advertise on the Website or appear on it any other manner.
Unless there is notification to the contrary, the scope of the Notification shall not extend to the services and data managements of those websites or service providers to which any reference to be found on the Websites leads. The scope of the Notification shall not extend to the data managements of those persons (organizations, companies) from the notification, newsletter or advertisement letter the Data Subject had become aware of the Website.
1.5. The amendment of the Notification
1.5.1. The Company reserves the right to amend the Notification through its unilateral consent.
1.5.2. By entering the Website the Data Subject accepts the prevailing effective provisions of the Notification, and unless otherwise provided by the Notification, further consent of the Data Subject is not required.
The concepts used in the Data Management Notification shall have the following meaning:
2.1. Data Management: Means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2.2. Data Controller: Any natural or legal person, public authority, service or other entity that determines the purposes and means of the management of personal data individually or jointly with other parties.
2.3. Personal Data or data: means any information relating to an identified or identifiable natural person (“data subject”).
2.4. Data Processor: means a natural or legal person, public authority, agency or service provider which manages personal data on behalf of the Data Controller.
2.5. Data subject: means a natural person who provides his/her personal data or whose personal data are provided to the Company..
2.6. External service provider: means those third-party service provider partners employed – either directly or indirectly – by the Data Controller or the operator of the Website related to the provisions of the certain services, to which Personal Data are or may be transmitted in order to provide their services or which transmit Personal Data to the Company. In addition, external service providers shall include those service providers as well which are cooperating neither with the Company, nor the operators of the services, however, since they have access to the Website, they collect data from the Data Subjects, which either individually or linked with other data may be suitable for identifying the Data Subject. In course of the provision of hosting services, the Company considers the Data Subject as External service provider as well, in respect of the data management activity pursued on the hosting service used by the Data Subject.
2.7. Notification: the present data management notification of the Company.
Carrozzeria Franco S.N.C. Di Alessandrin Franco & C.
Italy – Selvazzano Dentro (PD) Via Penghe 1/F
“+39 049 623151”
Data protection officer: Pursuant to the Regulation, the Company is not obliged to appoint a data protection officer
Position of the data protection officer: –
4.1. Lawfulness, fairness
The data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. The Company manages only those data specified by law or provided by the Data Subject or the employers/principals/clients thereof, for the following purposes. The scope of the Personal Data managed is proportional to the purpose of the data management and shall not reach beyond it.
The data shall be necessary and relevant in respect of the purpose of the data management, as well as shall be accurate and up-to-date, if necessary.
4.3. Purpose limitation
In any case where the Company intends to use the Personal Data for any purpose other than that of the original data collection, then the Company shall notify the Data Subject thereof and shall obtain the prior express consent of Data Subject; for such purpose and shall provide opportunity to the Data Subject to prohibit the use.
The Company does not verify the Personal Data provided to it. Only the person providing the Personal Data shall be responsible for the compliance of the Personal Data.
4.5 Storage limitation
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are managed.
4.6. Protection of the data of persons below the age of 16
The Personal Data of persons below the age of 16 may be managed only subject to the consent of the person of age who exercises parental control of such person. The Company cannot verify the right of the person giving consent or the content of the statement of such person, therefore the Data Subject or the person exercising parental control over the Data Subject shall warrant that the consent is compliant with the laws. In the absence of statement of consent, the Company does not collect Personal Data related to data subjects below the age of 16.
4.7. Save for the Data Processors and External service providers specified in the Notification, the Company does not provide the Personal Data to any third party.
Data shall be processed in a manner that ensures their appropriate security through taking the appropriate technical and/or organizational measures.
Exception to the provision of the present section is the use of the data in statistically summarized form, which shall not include any other data suitable for identifying the Data Subject in any form.
In certain cases – official judicial, police request, legal procedure due to infringement of copyright, financial right or any other right, or due to the reasonable suspicion of the above, the infringement of the interests of the Company, jeopardizing the provision of the service, etc. – the Company may disclose the available Personal Data of the Data Subject to third parties.
4.8. The Data Subject, as well as all those parties to whom the Company had transmitted the Personal Data for the purpose of Data Management shall be notified by the Company of the correction, restriction and deletion of the Personal Data. The notification may be omitted if considering the purpose of the Data Management, such omission does not damage the legitimate interest of the Data Subject.
4.9. Pursuant to the Regulation, the Company is not obliged to appoint a data protection officer, since the Company is not considered as public authority or public service provider, and the activities of the Company do not involve any operation which requires the regular and systematic monitoring of Data Subjects on a large scale, as well as the Company does not manage sensitive data, or personal data related to relating to decisions regarding criminal convictions and offences.
5.1 Article 6 of the GDPR established the cases in which the personal data of the Data Subjects may be managed:
5.2. Considering the nature of the activity of the Company, the legal basis of the data management is primarily the freely given, express, informed consent of the Data Subject (Point a) Subsection (1) Section 5 of the Privacy Act), the above Article 5.1 (b) and Article 5.1 (c) of the Regulation in course of the preparation of any contractual obligation between the Company and the Data Subject or the employee/principal/client thereof, or after the conclusion of such obligation. In respect of the areas subject to video surveillance, the above Article 5.1 (d) of the Regulation. The Data Subject establishes contact with the Company in course of completing any task for his/her employer/principal/client voluntarily, or Data Subject registers voluntarily, or uses the service of the Company voluntarily. In the absence of the consent of the Data Subjects, the Company shall manage data only if unambiguously authorized by law.
5.3 If the data management is based on consent, then the data controller shall at all times be able to verify that the data subject had granted his/her consent to the management of his/her personal data.
5.4. The data subject shall have the right to withdraw his or her consent at any time in respect of all data management the legal basis of which is the above Article 5.1 (a) of the Regulation. The withdrawal of the consent does not prejudice the lawfulness of the data management based on consent and the data management according to the above Article 5.1 (b) and/or (c) and/or Article 5.1 (d) of the Regulation before the withdrawal.
5.5. Data Transfer to the Data Processors specified in the Notification may be carried out without the separate consent of the Data Subject. Unless otherwise provided by law, the personal data may be provided to third parties or authorities exclusively based on final and enforceable administrative decision, or based on the prior express consent of the Data Subject.
5.6. For the purpose of asset security, surveillance cameras are operated in the rooms open clients operated by the Company, as well as in the storage facilities. The legal basis of this is Article 6 (1) (d) of the Regulation.
5.7. Upon entry to certain websites, the IP address of the User is recorded by the Data Controller without the separate consent of the User, related to the provision of the service, considering the legitimate interest of the Data Controller and due to the lawful provision of the service (e.g. in order to filter unauthorized use or unlawful contents).
5.8. Upon providing his/her e-mail address and the data provided in course of the registration (e.g. username, identifier, password, etc.) the User simultaneously undertakes responsibility for the services being used exclusively by User through the e-mail address provided or with the use of the data provided by User. Considering this undertaking of liability, any and all responsibility in connection with entries with any e-mail address and/or data provided shall be borne exclusively by that User who had such e-mail address registered and who had provided such data.
The data shall be managed lawfully, fairly and in a transparent manner in relation to the Data Subject. The Company aims at managing only those personal data which are essential to realize the purpose of the data management and which are suitable for achieving the purpose. Personal Data shall be managed to the extent and for the duration necessary for the realization of the purpose.
The primary purpose of the data management is the operation of the Website, provision of the services of Data Controller, the establishment and performance of its commercial and contractual relations.
In accordance with the above, the purposes of the data management are the following:
– identification of the Data Subject, maintaining contact with Data Subject;
– preparation of the contract concluded in course of the purchase made on the Website, the fulfilment of the contractual obligations by Data Controller, the enforcement of the rights of the Data Controller;
– the provisions of brief, transparent, comprehensible and easily accessible information to Data Subject;
– the conclusion and fulfilment of the legal transactions within the scope of activity of the Company, between the Company and the Data Subject;
– in case of use of services subject to payment of fees, the collection of the fees, invoicing;
– fulfilment of the obligations to be fulfilled by Data Controller, exercising the rights to which Data Controllers is entitled to;
– preparation of analyses, statistics, the development of the services; for this purpose, the Data Controller uses only anonymized data and summaries unsuitable for personal identification
– subject to the specific consent of the Data Subject, advertising, research
– protection of the interests of the Data Subject.
The Company manages exclusively those Personal Data which had been provided by the Data Subjects or the legal entities using the service (work) of the Data Subjects in order to prepare/fulfil the transaction; the Company does not collect data from any other source.
The data are provided in course of the registration of the Data Subject. In course of the registration, the Data Subject provides his/her name, e-mail address and password.
If the Data Subject registers to any promotion organized by the Data Controller, and the Data Subject provides his/her data, then the Data Subject grants his/her consent to the management of his/her personal data in accordance with notification of the promotion concerned. In this case, the Data Controller manages only those data which had been provided in course of the promotion.
The Company manages the personal data provided in accordance with Section 8 exclusively. The data managed are the following; the data managed by the Company may be classified into the following groups based on the purpose of the data management:
“- Data necessary for the registration.
In the framework of the registration necessary for the purchase on the Website, the Data Subject allows purchases from the webshop by providing his/her family name, first name, e-mail address, password, telephone number and club membership number.”
“- Data provided in course of communications of marketing purpose.
In courser of the communications of marketing purpose carried out by the Company, the Data Subject provides his/her name, e-mail address, telephone number and address. The legal basis of the data management is the consent of the Data Subject, the primary purpose of the data management is maintaining contact for marketing purposes, and sending information, newsletter or direct marketing under Subsection (1) Section 6 of Act XLVIII of 2008.”
“- Data related to participation in professional training.
The legal basis of the data management is the consent of the Data Subject, the primary purpose of the data management is the provision of information, and the performance of contract.”
“- Data of suppliers.
In course of the business cooperation with its suppliers of the Company, in case of data management, the Data Subject or the employer/principal/client of the Data Subject provides the name, e-mail address and telephone number of the Data Subject. The legal basis of the data management is performance of contract and the fulfilment of legal obligations.”
“- Data provided in course of public opinion surveys.
In course of the public opinion surveys carried out by the Company, the data provided by the Data Subject will be managed, recorded and used later. The Company is entitled to manage such data under Point e) Section 9(2) of the GDPR”
“- Documents uploaded.
The Data Subject may or in certain cases is obliged to upload pictures of certain personal documents. The Company recommends that the personal data not necessary for the above legal transaction of the parties and not requested by the Company shall be deleted from such documents (in accordance with Section 10 below). If the Data Subject publishes any picture of a document containing personal data as well, then the legal basis of the data management is the consent of the Data Subject. In respect of photographs, the purpose of the data management is the provision of the services of the Website.”
“- Invoicing data.
If the Data Subject performs consideration to the Company, then the Company manages the data related to the payment and the invoicing (payment method, the data of the means of payment, the name, address and tax number of the buyer in case of invoicing). The legal basis of the data management is partly the consent of the Data Subject, and partly the laws relevant to taxation and accounting. The purpose of the data management is invoicing and the collection of the fees.”
“- The data, documents provided in course of authentication.
The Data Subjects may, or in the cases specified by the Company are obliged to authenticate themselves, as specified in Section 11 below. The documents are managed in accordance with Section 11 below. The purpose of the data management is verifying the personal identity of the Data Subject.”
In addition to the above, the Company manages the technical data – including the IP address – in accordance with the provisions of Section 13.
The source of the data is the Data Subject or any legal entity in employment/agency/works legal relationship with the Data Subject, who provides the data (i) in course of a possible registration and/or (ii) in course of the preparation or conclusion of the legal transaction and/or (iii) in course of making the statement related to the newsletter or the direct marketing under Subsection (1) Section 6 of Act XLVIII of 2008.
It is mandatory to provide the data indicated in the registration form, except if the contrary thereof is expressly indicated therein.
The Data Subject provides the data individually, the Company does not provide any mandatory guideline in this regard and specifies no content requirements. The Data Subject grants his/her express consent to the management of the data provided. The Data Subject may provide further data in his/her profile in addition to the data required by the Company, and the legal basis of managing the data shall be the voluntary consent of the Data Subject in this case as well.
If the Data Subject registers to any promotion organized by the Company (e.g. on facebook), and if the Data Subject provides his/her data requested there, then the Data Subject accepts the data management notification related to the promotion concerned. In this case, the Data Subject does not register on the Website by providing the data, however, the Data Subject gives his/her consent to his/her data being managed in accordance with the provisions of the notification of the promotion.
It is an option on the Website, that in case of mandatory notification on the Website, the Data Subject is obliged to provide his/her personal documents to the Company in the interest of facilitating the conclusion of the legal transaction between the parties.
The Data Subject – unless it is stipulated as mandatory by the Company – has the opportunity to publish the documents with the deletion of the personal data. If the Data Subject does not delete the data, then the Data Subject gives his/her consent to the publication of the data in case of disclosure.
If the Company does not require the disclosure of the documents with personal data, and it provides opportunity to delete the data, then the Company shall not be liable for any possible disclosure.
The purpose of the authentication process is to allow the Company to affirm the authenticity of the person of the Data Subject. The Company verifies whether the Data Subject indicating intention to conclude a contract is actually a natural person. After the verification, the Company deletes the photos and data from the Website, however, the Company stores those in another place of storage until the cease of the legal basis of the data management. The purpose of the data management is the authentication of the Data Subjects, as well as the conclusion of the legal transaction, and after the conclusion thereof, facilitating the lawful fulfilment thereof.
If the Data Subject grants his/her consent, then the Company may maintain contact with the Data Subject through the contact information provided, and may send advertisements to Data Subject with the method of direct marketing. The advertisements may be sent via mail, telephone (including SMS) or e-mail (including Messenger as well); the condition of this in all cases is the consent of the Data Subject. The Data Subject may withdraw his/her consent any time, without justification.
The system of the Company may automatically record the IP address of the computer of the Data Subject, the starting date and time of the visit, or in certain cases – depending on the settings of the computer – the type of the browser and the operating system. The data so recorded cannot be linked with the other personal data. The management of the data serves statistical purposes exclusively.
The cookies allow the Website to recognize, identify and record the previous visitors. The cookies help both the Company and the operator of the Website in optimizing the Website, and in developing the services of the Website in accordance with the customs of the Data Subjects. In addition, cookies are suitable for
– memorizing the settings, therefore the Data Subject does not have to set those again when he/she enters a new site,
– remembering the data previously entered, therefore those do not have to be typed again,
– analyzing the use of the website, so that as a result of the developments carried out with the use of the information so gained, the website operates as much as possible according to the expectations of the Data Subject and the Data Subject can find the information wanted easily, and monitoring the efficiency of the advertisements.
If the Company displays different contents on the Website with the help of external web-based services, then that may result in the storage of several cookies which are not supervised by the Company, therefore the Company has no influence on the kind of data these websites or external domains collect. Information on these cookies is provide in the policies applicable to the service concerned.
The Company uses the cookies to display advertisements to the Data Subjects through Google and Facebook. The data management is carried out without human intervention.
The Data Subjects have the opportunity to delete the cookies in their browser (usually in the data protection section of the settings). By prohibiting the use of the cookies, the Data Subject acknowledges that without cookies, the operation of the Website is not complete.
The Company shall transmit personal data to any third party only if the Data Subject – being aware of the scope of data transmitted and the recipient of the data transmission – had given his/her unambiguous consent to the transmission, or if authorization to the data transmission is given by law.
The Company is entitled and obliged to transmit all those Personal Data available to the Company and stored properly to the competent authorities, which Personal Data the Company is obliged to transmit based on law of final and enforceable administrative order. The Company shall not be made liable for such Data Transmission and the consequences resulting from it.
The Company shall document the data transmissions in all cases, and shall keep records of the data transmissions.
The Company may use data processors to pursue its activity. The data processors make no individual decisions, they are entitled to act only in accordance with the contract concluded with the Company and the instructions received. The Company controls the work of the data processors. The data processors may employ further data processor only upon the consent of the Company.
The Company may use only those data processors who or which provide appropriate guarantees for the execution of the appropriate technical and organizational measures which ensure the protection of the rights of the data subjects.
The data processors may not employ further data processor without specific or general authorization given in advance in writing by the Company. In case of general written authorization, the data processor shall notify the Company of any and all planned changes which affect the use or replacement of additional data processors, thereby providing opportunity to the Company to make objections against such changes.
The Company specifies the data processors used in the Notification.
The data processors used by the Company:
Carrozzeria Franco S.N.C. Di Alessandrin Franco & C.
The Company uses External service providers, with which External service providers the Company cooperates.
In respect of the Personal data managed in the systems of the External service providers, the provisions of the data protection policies of the External service providers shall prevail.
The Company uses its best efforts to ensure that the External service provider manages the Personal data transmitted to it in compliance with the law, and to ensure that such Personal Data are used by the External service provider exclusively for the purpose determined by the Data Subject or specified below in the Notification.
The Company informs the Data Subjects about the data transmission carried out for the External service providers in the framework of the Notification.
External service providers:
Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland”
“- Google LLC
1600 Amphitheatre Parkway, Mountain View, CA 94043, USA”
“- Microsoft Corporation
One Microsoft Way, Redmond, WA 98052-7329, USA”
The Company shall ensure the security of the data, and shall take those technical and organizational measures, and shall develop those procedural rules which are required for the enforcement of the prevailing laws, and data and secret protection rules. Through the appropriate measures, the Company shall protect the data from unlawful access, alteration, transmission, disclosure, erasure or destruction, as well as accidental destruction and damage, as well as from becoming inaccessible due to the change in technology.
Considering the state of science and technology and the costs of implementation, as well as the nature, scope, circumstances and purposes of the data management, and the risk of varying probability and gravity caused to the rights and freedoms of natural persons, the Company and the data processor shall take appropriate technical and organizational measures in order to ensure the level of data security corresponding to the rate of the risk.
In the framework of the above:
– shall ensure the measures ensuring protection against unlawful access, including the protection of software and hardware devices, as well as physical protection (access protection, network protection);
– shall take the measures providing opportunity to restore files, as well as regular backup saves;
– shall ensure anti-virus protection.
The Company erases the Personal Data
The Data Subject may request that the data managed on the basis of the voluntary consent of Data Subject be erased. In such case, the Company erases the data. The erasure may be denied only if any law authorizes the management of the data. The Company shall in all cases provide information on the rejection of the request for erasure and the laws allowing the data management.
The erasure may be denied (i) if the management of the Personal data is authorized by law; and (ii) it is necessary for protection or rights, enforcement of rights.
If the erasure of the data is ordered definitively by the court or the National Authority for Data Protection and Freedom of Information, then the Data Processor shall execute the erasure.
Instead of erasure, the Company – along with notifying the Data Subject – blocks the personal data if the Data Subject so requests, or if based on the information available it may be presumed that the erasure would prejudice the legitimate interests of the Data Subject.
The personal data so blocked may be managed exclusively until the data management purpose that excluded the erasure of the personal data exists.
The Company shall mark the personal data managed by the Company if the Data Subject contests the correctness or the accuracy thereof, but the incorrectness or inaccuracy of the personal data cannot be established unambiguously.
In respect of the data managements stipulated by law, the provisions of the law shall prevail concerning the erasure of the data.
In case of erasure, the Company shall make the data unsuitable for personal identification.
If stipulated by law, the Company shall destroy the data carrier containing the personal data.
The Company shall in all cases notify the Data Subject of the rejection of the request for erasure, including the reason for denying the erasure. After the fulfilment of the request for erasure of personal data, the previous (erased) data can no longer be restored.
The newsletters sent by the Company may be discontinued through the unsubscribing link to be found therein. In case of unsubscribing, the Company erases the Personal Data of the Data Subject in its newsletter database.
19.1. Simultaneously with contacting the Data Subject, the Company informs the Data Subject about the management of the data. In addition, the Data Subject may request information about the data management at any time.
The data subject shall have the right to obtain from the Company confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data, and to receive information on the purpose of the data management, the categories of the personal data affected, those recipients or categories of recipients to whom the personal data had been or will be disclosed, the planned duration of storage of the personal data, or if it is not possible, then the aspects of determining such duration. The Data Subject has the right to request from the Data Controller the rectification or erasure of personal data or restriction of processing of the personal data related to the Data Subject, or to object to management of such personal data. In addition, the Data Subject may submit complaints addressed to the supervisory authority, and where the personal data are not collected from the Data Subject, all available information as to their source.
19.2. The data subject shall have the right to obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning him or her. Considering the purpose of the data management, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
19.3. Save for the data managements stipulated by law, the Data Subject shall have the right to request that the Company erased the personal data concerning him or her without undue delay. The Company shall notify the Data Subject of the erasure.
19.4. The Data Subject may object to the management of his/her data in accordance with the provisions of the Privacy Act.
19.5. The Data Subject may submit his/her request for information, rectification or erasure in writing, in a letter addressed to the registered seat or place of business of the Company, or via e-mail sent to the Company to the following address:
19.6. The Data Subject may request that the management of his/her Personal Data be restricted by the Company if the Data Subject contests the accuracy of the Personal Data managed. In this case, the restriction applies to that period which allows the Company to verify the accuracy of the Personal Data.
The Company shall mark the Personal Data managed by the Company if the Data Subject contests the correctness or the accuracy thereof, but the incorrectness or inaccuracy of the personal data cannot be established unambiguously.
The Data Subject may request that his/her Personal Data be restricted by the Company even if the data management is unlawful, but the Data Subject opposes the erasure of the Personal Data and requests the restriction of their use instead.
The Data Subject may request that his/her Personal Data be restricted by the Company even if the purpose of the Data Management had been realized, however, the Data Subject requests those for making, enforcing or protecting legal claims.
19.7. Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the data controller, in a structured, commonly used and machine-readable format and shall have the right to transmit those data to another data controller without hindrance from that data controller to which the personal data have been provided.
19.8. If the Company fails to comply with the request of the Data Subject for rectification, erasure or blocking, then the Company shall within 30 days of the receipt of the request notify the Data Subject of the reasons for rejecting the of request for rectification, erasure or blocking. If the request for rectification, erasure or blocking is rejected, the Data Controller shall notify the Data Subject of the opportunity of judicial legal remedy and referring to the National Authority for Data Protection and Freedom of Information.
19.9. The Data Subject may make his/her above statements related to exercising his/her rights through the contact information of Data Controller specified in Section 2.
In the event the rights of the Data Subject are infringed, then the Data Subject may refer to the court under Subsection (1) Section 22 of the Privacy Act. The adjudication of the lawsuit falls within the competence of the regional court. Subject to the choice of the Data Subject, the lawsuit may be initiated before the regional court competent according to the residence or the place of stay of the Data Subject as well. Upon the request, the Data Controller shall notify the Data Subject in detail about the opportunities and means of legal remedy.