PRIVACY POLICY
PRIVACY NOTICE – CONTACT FORM AND NEWSLETTER
(pursuant to Article 13 of EU Regulation 2016/679)
This notice describes how VINEXT processes the personal data of users who complete the contact form available on the website [www.vinext.it](http://www.vinext.it)
1. Data Controller
The Data Controller is VINEXT S.p.A.
Registered office: Stradone San Fermo 26, 37121 Verona
Operational headquarters: Viale del Lavoro 44, 37036 San Martino Buon Albergo (VR)
VAT No. / Tax Code: 04353750237
E-mail: vinext@legalmail.it
2. Types of data processed
Through the contact form, identifying and contact data may be collected, such as name, surname, company name, e-mail address, telephone number, company of affiliation, content of the message sent by the user, and any consent to subscribe to the newsletter, to be authorized by ticking the appropriate box on the contact form.
3. Purposes and legal bases of processing
A) Management of requests through the contact form
The data are processed to:
- respond to requests submitted, provide information and support
- carry out any pre-contractual activities requested by the data subject;
- comply with any legal obligations or protect the rights of the Data Controller, where necessary.
Legal basis: performance of pre-contractual measures requested by the data subject (Art. 6.1.b GDPR)
B) Sending newsletters and marketing communications
Only with explicit prior consent to be provided by ticking the appropriate box on the contact form, the data may be used for:
- sending newsletters
- commercial and promotional communications
- updates on services, events, and initiatives
Legal basis: consent of the data subject (Art. 6.1.a GDPR). Consent is: freely given, optional, and may be withdrawn at any time
4. Legal basis
Processing is necessary in order to follow up on the user’s request and, where applicable, for the performance of pre-contractual measures taken at the user’s request, pursuant to Article 6, paragraph 1, letter b) of the GDPR.
For any requirements related to the protection of the Data Controller’s rights, the legal basis is legitimate interest, pursuant to Article 6, paragraph 1, letter f) of the GDPR.
5. Nature of data provision
The provision of data is optional. However, failure to provide the data marked as mandatory prevents the Data Controller from receiving or properly managing the request submitted through the form.
6. Processing methods
The data are processed using electronic and organizational tools suitable for ensuring the security, confidentiality, integrity, and availability of the information.
Processing is carried out by authorized personnel and by third parties providing technical, IT, hosting, maintenance, or website management services, appointed, where necessary, as Data Processors pursuant to Article 28 of the GDPR.
The Data Controller does not carry out processing consisting of automated decision-making processes, such as profiling, on the data of users who interact with our website to use this service. The data will be processed by persons expressly authorized and trained in the protection of personal data. IT technicians, including outsourced technicians who oversee the operation of the IT system, may also access the data incidentally.
7. Data retention
Personal data collected through the contact form will be retained for the time strictly necessary to manage the request and provide feedback to the data subject and, in any case, for a period not exceeding 24 months from the last contact, without prejudice to any need for further retention connected to legal obligations or the protection of the Data Controller’s rights.
Personal data processed for the purpose of sending newsletters and marketing communications, subject to the data subject’s consent, will be retained for a longer period, consistent with the purpose of processing and in compliance with the principle of proportionality. In particular, such data may be retained for a maximum period of 24 months from the collection of consent or from the last significant contact/interaction, unless consent is renewed or updated.
8. Recipients of the data
The data may be communicated, within the limits strictly necessary to perform services or activities on our behalf, to third parties, including, by way of example:
- authorized personnel of VINEXT;
- IT service providers, hosting providers, website maintenance and technical management providers;
- consultants or professionals, where necessary;
- public bodies or competent authorities, in the cases provided for by law.
The personal data processed by the Data Controller will not be disclosed, meaning that they will not be made known to unspecified parties in any possible form, including by making them available or simply accessible for consultation.
9. Transfer of data outside the EEA
As a rule, data are not transferred outside the European Union or the European Economic Area. Where, for technical reasons related to cloud services or digital providers, a transfer to third countries becomes necessary, such transfer will take place exclusively in compliance with Articles 44 et seq. of the GDPR, on the basis of adequacy decisions of the European Commission, standard contractual clauses, or other safeguards provided for by applicable legislation.
10. Rights of the data subject
The data subject may exercise, in the cases provided for by the GDPR, the following rights:
- access to personal data;
- rectification of inaccurate data concerning them and/or completion of incomplete personal data;
- erasure of personal data, in the cases provided for by current legislation;
- restriction of processing;
- objection to processing;
- data portability, where applicable.
With regard to exercising their rights, the data subject may submit requests by sending a specific communication by registered mail addressed to the Data Controller at the address indicated above, or by sending a communication to the e-mail address vinext@legalmail.it, specifying the subject of the request, the right they intend to exercise, and attaching a photocopy of an identity document proving the legitimacy of the request.
11. Complaint to the Supervisory Authority
Data subjects who believe that the processing of personal data relating to them is carried out in breach of the Regulation have the right to lodge a complaint with the competent supervisory authority, the Italian Data Protection Authority, according to the procedures indicated on the website www.garanteprivacy.it pursuant to Article 77, or to bring proceedings before the competent courts
