Information notice pursuant to Article 13 of Regulation (EU) 2016/679 on the protection of personal data (GDPR) and request for consent for the processing of personal data collected from the Data Subject

 

Fanny Snc di Toschi & C., with registered office in Veggiano (PD), Via San Matteo 1/A, Tax Code and VAT No. 01830710289, in its capacity as Data Controller (hereinafter the “Data Controller”) as defined under current legislation, can be contacted at the following details:

Tel. +39 049 5082101
E-mail: info@fannyrelais.com

Herewith, and pursuant to Article 13 of Regulation (EU) 2016/679 (hereinafter the “Regulation”), we inform you that the Data Controller shall process the personal data you provide for the purposes and using the methods set out below.

Please note that this privacy notice applies exclusively to the website www.fannyrelais.com (the “Website”), and does not apply to other websites that may be accessed through external links. This information notice is provided to users interacting with the Website pursuant to Article 13 of the applicable legislation.

In accordance with Article 12 and subsequent provisions of the GDPR, we inform you that the personal data you provide will be recorded, processed, and stored in our paper and electronic archives, in compliance with the adequate technical and organizational measures set out in Article 32 of the GDPR. Data will be processed using tools and procedures designed to ensure their security and confidentiality.

 

1. Categories of Data

The Data Controller may request, even partially, the following data:

• E-mail address, title, first name, last name, telephone number, country of origin;

• Browsing data.

Should you provide personal data belonging to third parties (i.e., not relating to you directly), you will act as an independent data controller, assuming all legal obligations and responsibilities. In this regard, you agree to indemnify the Data Controller against any dispute or claim for damages arising from the processing of such data performed through your spontaneous communication in breach of applicable data protection laws. You also guarantee that such data is processed based on a suitable legal basis under Article 6 of the GDPR.

 

2. Purposes and Legal Basis of the Processing

Your personal data will be processed for the following purposes:

a) to establish, enter into, and perform a contract relating to the professional services and activities offered by the Data Controller, and to respond to any subsequent requests;
b) to respond to your requests for information regarding the Data Controller and its services;
c) fulfilment of tax or accounting obligations;
d) customer management (including the administration of clients, contracts, and invoices);
e) to establish or defend a legal claim before a judicial or administrative authority, or during arbitration or conciliation procedures;
f) to comply with legal obligations, regulations, EU legislation, or orders issued by public authorities.

The processing operations listed above are necessary to provide the requested services. Therefore, the Data Controller does not require your specific consent, as the legal basis lies in Article 6(1)(b) of the Regulation (“processing is necessary for the performance of a contract…”) and Article 6(1)(c) of the Regulation (“processing is necessary for compliance with a legal obligation…”).

 

3. Recipients or Categories of Recipients of Personal Data

Personal data may be disclosed, where strictly necessary, to the following categories:

1. Authorized personnel of the Data Controller, adequately trained and bound by confidentiality obligations;

2. Third parties providing services to the Data Controller, appointed as Data Processors under Article 28 GDPR, such as:

   • Companies or professional firms providing consulting, assistance, and accounting, administrative, legal, tax, or financial services.

Personal data may also be disclosed to judicial authorities when required by law.

Data subjects may request an updated list of recipients at any time by contacting the Data Controller.

No dissemination of personal data is foreseen.

 

4. Transfer of Data to Third Countries

Personal data will not be transferred to non-EU countries or international organizations.

 

5. Data Retention Period

Data will be retained for the period strictly necessary to fulfil the purposes under points a)–f) above, and in any case no longer than 10 years from the date of collection for legal compliance purposes or within the time limits set by statutory limitations.

 

6. Obligation to Provide Personal Data

Providing data for the purposes outlined in Section 2 a)–f) is required by law and/or necessary to enter into a contract. Failure to provide such data will make it impossible for the Data Controller to perform the requested services or pre-contractual measures.

 

7. Processing Methods

Personal data will be processed using both paper-based and electronic tools, ensuring security and confidentiality in accordance with Articles 12 et seq. of the GDPR. Data may be included in internal documentation and, if necessary, in legally required registers.

 

8. Rights of the Data Subject

You may exercise the following rights at any time:

a) Access your personal data and obtain information about the processing;
b) Rectification or erasure of data, or restriction of processing;
c) Object to processing for reasons related to your particular situation;
d) Data portability, receiving your data in a structured, commonly used, machine-readable format (.xml or similar);
e) Withdraw consent, where applicable, without affecting the lawfulness of processing prior to withdrawal;
f) Lodge a complaint with the competent Supervisory Authority (in Italy: Garante per la protezione dei dati personali, www.garanteprivacy.it).

Requests may be submitted to the Data Controller using the contact details in Section 1.

Requests will be handled without undue delay and in any case within one month, extendable by two more months in complex cases.

 

9. Communication in Case of Data Breach

If a personal data breach is likely to result in a high risk to your rights and freedoms, the Data Controller will notify you without undue delay, in compliance with internal procedures and Article 34 of the Regulation.