Privacy policy

The data controller sets out below the information pursuant to arts. 12, 13 and, where applicable, 14 of the GDPR relating to the processing of personal data provided by the Customer/data subject through the completion and signing of the Contract to purchase the products/services offered for sale by the data controller itself, by spontaneously uploading personal data to this website (in particular through the completion of forms) or simply by browsing it.

1. Data controller and contact details

The data controller is V.I.T.A. S.P.A., with registered office in Arnad (AO), Via Nazionale 10 – 11020, VAT no. 00035670074, tel. +39 0125966546, e-mail massimoprola@vitagroup.it, web www.vitagroup.it.

2. Principles applicable to processing

In accordance with the requirements of the GDPR, the data controller constantly endeavours to ensure that personal data are:

  • processed lawfully, fairly and transparently;
  • collected for specified, explicit and legitimate purposes, and subsequently processed in a manner that is not incompatible with those purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • accurate and, where necessary, kept up to date;
  • stored for no longer than is necessary for the purposes for which they are processed;
  • processed, by means of appropriate technical and organisational measures, in a manner that ensures their security;
  • processed, where based on consent, by a decision freely taken by the Customer/data subject, on the basis of a request presented in a clearly distinguishable manner from other matters, in an intelligible and easily accessible form, using clear and plain language.

The data controller adopts appropriate technical and organisational measures in order to ensure data protection by design and to guarantee that, by default, only personal data necessary for each specific purpose of processing are processed.

The data controller collects and gives the utmost consideration to indications, observations and opinions of the Customer/data subject transmitted to the contact details set out above, in order to implement a dynamic privacy management system that ensures effective protection of persons with regard to the processing of their data.

This policy may be subject to changes, in line with the evolution of the relevant legislation and the technical and organisational measures progressively adopted by the data controller; the Customer/data subject is therefore requested to periodically visit this section of the website to view updates and the policy as currently in force.

3. Methods of processing personal data

The processing of personal data is carried out manually and with electronic tools, with logic strictly related to the purposes indicated below and, in any case, in a manner that guarantees the security and confidentiality of the data themselves.

4. Purposes of processing personal data

4a. Purposes for which processing is necessary

The personal data provided by the Customer/data subject are mainly processed for the performance of the Contract and credit management and, more generally, of the relationship arising from the Contract itself.

The provision of data in the Contract or subsequently, during the course of the contractual relationship, for the processing purposes in question is mandatory; therefore, failure to provide such data, or their partial or inaccurate provision, makes it impossible to conclude and/or perform the Contract and, for the Customer/data subject, to use the products/services offered by the data controller, potentially exposing the Customer/data subject to liability for breach of contract.

The personal data provided by the Customer/data subject may also be subject to processing if this is necessary to comply with a legal obligation to which the data controller is subject, for the protection of the vital interests of the Customer/data subject or of another natural person, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller, or for the purposes of the legitimate interests pursued by the data controller or by third parties, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the Customer/data subject; in these cases too, the provision of data is mandatory and, therefore, failure to communicate the data, or their partial or inaccurate communication, may expose the Customer/data subject to possible liabilities and penalties provided for by the legal system.

4b. Further purposes of processing following specific and express consent of the Customer/data subject

In addition to the processing purposes set out above, the personal data provided/acquired may be processed, subject to the consent of the Customer/data subject, to be expressed by selecting the “Give consent” box on the Contract or on the website (or using other social or web applications of the data controller), also for the conduct of market research and for the sending of commercial and promotional communications, by telephone (including using the mobile number provided) and automated contact systems (e-mail, sms, mms, fax, etc.), on products/services of the data controller or of companies in the Group to which the data controller may belong.

Consent for the processing purposes referred to in this point (4b) is optional; therefore, following any refusal, data will be processed only for the purposes indicated in the previous point (4a), subject to what is specified below with reference to the legitimate interests of the data controller or third parties.

5. Categories of personal data processed

The data controller mainly processes identification/contact data (first name, surname, addresses, type and number of identity documents, telephone numbers, e-mail addresses, of a fiscal/billing nature, and others) and, where commercial transactions are envisaged, financial data (of a banking nature, in particular account identifiers, credit card numbers, and others connected to the aforementioned commercial transactions).

The processing carried out by the data controller, both for the performance of the Contract and on the basis of the express consent of the Customer/data subject, does not generally concern special categories of personal data, known as sensitive (which reveal racial or ethnic origin, political opinions, religious beliefs, state of health or sexual orientation, etc.), nor genetic and biometric data or so-called judicial data (relating to criminal convictions and offences).

However, it cannot be excluded that the data controller, in order to fulfil the obligations arising from the Contract, may need to store and/or process sensitive, genetic and biometric or judicial data of the Customer/data subject or of third parties, of which the Customer/data subject has the capacity of data controller; in such a case, the processing by the data controller takes place on the basis of, under the conditions and within the limits of, the appointment of the same data controller as data processor, by the Customer/data subject.

The data controller processes, as data controller with reference to the website, and, potentially, as data processor appointed for this purpose (in the terms set out above) by the Customer/data subject, also so-called navigation data. The computer systems and software procedures used for the operation of websites acquire, in the course of their normal operation, certain personal data, the transmission of which is implicit in the use of internet communication protocols. This is information that is not collected to be associated with identified subjects, but which, by its very nature, could allow the identification of the data subject. This category of information includes geolocation data, IP addresses, browser type, operating system, domain name and addresses of websites from which access was made or exit taken, information on pages visited by users within the website, access time, time spent on individual pages, internal path analysis and other parameters relating to the operating system and computer environment of the user. This is therefore information that, by its very nature, allows, through processing and associations also with data held by third parties, the identification of users.

The website may also make use of cookies, both session cookies (which are not stored on the data subject’s computer and disappear when the browser is closed) and persistent cookies, for the transmission of personal information, or in any case systems for tracking data subjects.

6. Source of personal data

The personal data that the data controller processes are collected directly by the data controller itself from the Customer/data subject at the time of, and during, their browsing of the website (or using other social or web applications of the data controller), or, also through its own sales staff, on the occasion of, or subsequent to, the signing of the Contract, during the performance thereof, or from public sources.

As specified above, the data controller, as data processor appointed for this purpose, in order to fulfil the obligations arising from the Contract, may store and/or process data, in particular navigation data, potentially also sensitive, genetic and biometric or judicial, of third parties, of which the Customer/data subject has the capacity of data controller, acquired, with the prior consent of said third parties, at the time of, and during, their browsing of the website (or using other social or web applications attributable to the data controller).

7. Legitimate interests

The legitimate interests of the data controller or of third parties may constitute a valid legal basis for processing, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject. In general, such legitimate interests may exist when there is a relevant and appropriate relationship between the data controller and the data subject, for example when the data subject is a customer of the data controller. In particular, it constitutes a legitimate interest of the data controller to process personal data of the Customer/data subject: for fraud prevention purposes, for direct marketing purposes, to ensure the free circulation of the same data within the business Group to which the data controller may belong, or relating to traffic, in order to guarantee network and information security, namely the ability of a network or system to resist unforeseen events or unlawful acts that could compromise the availability, authenticity, integrity and confidentiality of data.

8. Circulation of personal data

8a. Communication of personal data – categories of recipients

In addition to being processed by employees and collaborators of the data controller in various capacities (who are authorised to process data by the data controller itself on the basis of adequate written operational instructions, in order to guarantee the confidentiality and security of the data), certain processing operations may also be carried out by third parties, to whom the data controller entrusts certain activities, or part thereof, functional to the purposes referred to in point (4a), thus both in performance of contractual and legal obligations, among which the following merit mention, by way of inevitably non-exhaustive example: commercial and/or technical partners; companies providing banking and financial services; companies providing document archiving services; debt collection companies; accounting audit and balance sheet certification companies; rating companies; parties that carry out professional assistance and consultancy activities on behalf of the data controller; companies that carry out customer care activities; factoring, credit securitisation or otherwise credit assignee companies; companies in the Group to which the data controller may belong; parties that provide commercial information; IT service companies.

The parties belonging to the aforementioned categories process the personal data themselves as independent data controllers, or as data processors, with reference to specific processing operations that fall within the contractual services that the parties themselves perform in favour of/in the interest of the data controller; the data controller provides data processors with adequate written operational instructions, with particular reference to the adoption of minimum security measures, in order to guarantee the confidentiality and security of the data.

Certain processing operations may be carried out by third parties, to whom the data controller entrusts certain activities, or part thereof, also functionally related to the purposes referred to in point (4b), among which the following merit mention, by way of inevitably non-exhaustive example: commercial and/or technical partners; companies that institutionally provide marketing services; advertising agencies; parties that provide assistance and consultancy activities with reference to competitions and prize operations. The parties belonging to the aforementioned categories process personal data as independent data controllers, or as data processors, with reference to specific processing operations that fall within the contractual services that the parties themselves perform in favour of/in the interest of the data controller; the data controller provides data processors with adequate written operational instructions, with particular reference to the adoption of minimum security measures, in order to guarantee the confidentiality and security of the data.

The list of data processors with whom the data controller maintains relationships, which is subject to periodic updating, is available upon written request sent to the registered office of the data controller.

Personal data may also be communicated, upon request, to the competent authorities, in fulfilment of obligations arising from mandatory legal provisions.

8b. Transfer of personal data to third countries

The personal data of the Customer/data subject may also be transferred abroad, both to countries within the European Union and to countries outside the European Union and, in the latter case, either on the basis of an adequacy decision, or within the framework of and with the appropriate guarantees provided for by the GDPR (thus, in particular, in the presence of standard contractual clauses for data protection approved by the European Commission), or, outside the cases referred to above, where one or more of the derogations provided for by the GDPR apply (in particular, on the basis of the explicit consent of the Customer/data subject, or for the performance of the Contract concluded by the Customer/data subject, or for the performance of a contract entered into between the data controller and another natural or legal person in favour of the Customer/data subject, specifically for the performance of activities entrusted to the latter by the data controller itself for the performance of the Contract concluded with the Customer/data subject).

In the event of transfers of data to countries outside the European Union, the Customer/data subject may, upon written request sent to the registered office of the data controller, be informed of the appropriate guarantees, or the derogations, that legitimise the cross-border processing. It is understood that, in the event of transfer of data to countries outside the European Union, for any request concerning the data, including the exercise of the rights recognised by the GDPR to the Customer/data subject, the latter may always validly contact the data controller.

9. Criteria for determining the retention period of personal data

For the purposes referred to in point (4a) above, the retention period of personal data provided by the Customer/data subject, and the consequent potential processing thereof, coincides with the limitation period of the rights/duties (legal, fiscal, etc.) arising from the Contract: generally 10 years, therefore, unless interruption events occur that could, in effect, extend said period.

For the purposes referred to in point (4b) above, the retention period of data provided by the Customer/data subject, and the consequent potential processing thereof, ends with the withdrawal of the consent previously given by the Customer/data subject themselves or, in the absence thereof, in any case after one year from the cessation of any relationship between the data controller and the Customer/data subject.

10. Rights of the Customer/data subject

The data controller recognises – and facilitates the exercise by the Customer/data subject of – all the rights provided for by the GDPR, in particular:

  • the right to request access to their personal data and to obtain a copy thereof (art. 15 GDPR);
  • the right to rectification (art. 16 GDPR) and to erasure of data (art. 17 GDPR);
  • the right to restriction of processing (art. 18 GDPR);
  • the right to data portability (art. 20 GDPR, where the conditions are met);
  • the right to object to processing (arts. 21 and 22 GDPR), in particular to processing for marketing purposes or that results in automated decision-making, including profiling, that produces legal effects concerning them, where the conditions are met.

Where processing is based on consent, the data controller also recognises the right of the Customer/data subject to withdraw said consent at any time, without prejudice to the lawfulness of processing based on the consent given before its withdrawal. To do so, the Customer/data subject may unsubscribe at any time on the website (or on other social or web applications of the data controller) or by using the appropriate link at the bottom of each commercial communication received, or by contacting the data controller at the contact details set out above.

The data controller also informs the Customer/data subject of the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali), as the supervisory authority operating in Italy, and to seek judicial remedy, both against a decision of the Data Protection Authority and against the data controller itself and/or a data processor.

11. Security of systems and personal data

Taking into account the state of the art and the costs of implementation, as well as the nature, scope, context and purposes of processing, as well as the risk, in terms of likelihood and severity, for the rights and freedoms of natural persons, the data controller adopts technical and organisational measures deemed appropriate to ensure a level of security appropriate to the risk, in particular ensuring, on a permanent basis, the confidentiality, integrity, availability and resilience of processing systems and services (also through the encryption of personal data, where necessary) and the ability to restore the availability of data in a timely manner in the event of a physical or technical incident, and adopting internal procedures aimed at regularly testing, verifying and evaluating the effectiveness of the technical and organisational measures employed.

In assessing the appropriate level of security, account is taken of the risks presented by the processing that derive, in particular, from the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

The data controller endeavours to ensure that any person acting under its authority and having access to personal data does not process such data unless instructed to do so by the data controller itself.

That said, the Customer/data subject acknowledges and accepts that no security system guarantees, with certainty, absolute protection; therefore, the data controller is not liable for acts or facts of third parties who, abusively, despite the adequate precautions adopted, access the systems without the due authorisations.

12. Automated decision-making processes, including profiling

The data controller may carry out automated processing, including profiling, in relation to the purposes referred to in point (4b) above, to optimise the navigability of the website (or the usability of other social or web applications of the data controller) and to improve the shopping experience, subject to what is specified above with regard to the rights of objection and withdrawal of consent by the Customer/data subject.

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning, for example, that natural person’s personal preferences, interests or location, also for the purpose of creating profiles, or homogeneous groups of subjects by characteristics, interests or behaviour.

The data controller does not carry out any automated processing that produces legal effects concerning the Customer/data subject or that similarly significantly affects their person, unless this is necessary for the conclusion or performance of the Contract, is authorised by law or is based on the explicit consent of the Customer/data subject, in any case always recognising the latter’s right to obtain human intervention, to express their opinion and to contest the decision.