Information Notice

pursuant to Article 13, Regulation (EU) 2016/679 (the “Regulation” or “GDPR”)

With this information notice, InfoCert S.p.A. would like to illustrate the purposes for which it collects and processes Your personal data, which categories of personal data are processed, what are Your rights according to the applicable data protection legislation and how they can be exercised.

1. THE DATA CONTROLLER

InfoCert S.p.A., with registered office in Piazza Sallustio n. 9, 00187 – Rome (RM), is the data controller of Your personal data (“InfoCert” or “Data Controller”).

You may contact the Data Controller via e-mail at infocert@legalmail.it, or via regular mail at InfoCert S.p.A., Piazza Sallustio n. 9, 00187 – Rome (RM).

2. THE DATA PROTECTION OFFICER
InfoCert has designated the Group-wide appointed Data Protection Officer (“DPO”) as its own DPO. You may contact the DPO via certified e-mail at tinexta@legalmail.it, or via regular mail at:

Responsabile della Protezione dei Dati Tinexta S.p.A.
Piazza Sallustio n. 9
00187 – Roma (RM).

3. PERSONAL DATA DEFINITION AND INFORMATION REGARDING THE PROCESSING ACTIVITIES

Under the GDPR, personal data is defined as: “any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (the “Data”).

InfoCert, in its capacity as accredited certification body, collects the identification and contact Data supplied by You in order to execute the contract related to the provision of the services requested by You, including the related ancillary services, where selected (“Services”).

For this purpose, in the context of the activities related to the establishment and subsequent management of the contractual relationship, InfoCert collects and processes the following categories of Data:

  1. personal and identification data (e.g., name, surname, tax code, VAT number);

  2. contact data, such as address of residence or domicile, e-mail address and telephone number;

  3. company/firm, relevant sector, job and job function;

  4. information required for payment and/or invoicing purposes;

  5. in general, any additional information necessary for the establishment and subsequent performance of the contract or for any activity that is necessary or functional to it, including those potentially collected in the context of credit controls and fraud prevention.

In addition, we inform You that the request for certain Services such as, for example, (i) digital certifications (including SSL certificates), time stamps and certain types of electronic signatures; and (ii) digital identity (SPID) implies the identification of the customer which takes place through the recognition methods provided for in the Operational Manual, as appropriate, applicable to the Service purchased by You and accessible on the website https://www.infocert.it/documentazione.

In this regard, we point out that if recognition occurs:

  a) by webcam, i.e. by means of a remote identification during an audio/video session recorded with an operator; or

  b) with automated methods involving the reading of the identity document by means of Your device and the completion of an automatic face recognition procedure via video-selfie, by using biometric recognition technologies that will automatically evaluate the compatibility index between the document and images based on liveness detection and face matching logics.

InfoCert will process not only the Data, but also voice registration data as well as images and videos referable to You (“Biometric Data”), which will be processed by InfoCert for the sole purpose of identifying You and allowing You to conclude the contract related to the specified Services You requested. With reference to the automated recognition methods referred to in point b), InfoCert also specifies that where the minimum level of compatibility between document and registration is not achieved, a subsequent phase of identity verification is envisaged by a back-office person in charge. It is understood that the processing of Biometric Data – where applicable, through the use of automated methods – will be possible only after expressing appropriate consent and limited to what is strictly necessary for Your identification.

It is understood that You can choose not to use the recognition methods referred to in letters a) and b) above, thus being able to access the Services for which prior recognition is necessary, through the alternative methods offered by InfoCert and governed by the Operational Manual applicable to the specific Service You requested (for more information, please visit the website www.infocert.it).

Notwithstanding the optional nature of the tools that involve the processing of Biometric Data for the purpose of Your identification, in general, the provision of Data is entirely voluntary; any refusal to provide the information referred to may, however, prevent InfoCert from following up on Your requests, undermining, as the case may be, the establishment or subsequent management of the contractual relationship with the consequent impossibility to offer the Services You requested.

4. DATA PROCESSING PURPOSES AND RELEVANT LEGAL GROUNDS

a) Establishment, management and execution of the contractual relationship

The Data Controller will process the Data for the execution of pre-contractual measures (e.g., in the event of a request for information prior to the conclusion of a possible agreement), the establishment and subsequent management of the contractual relationship of which You are a party and for all the activities ancillary thereto, among which, by way of example, the ordinary administrative management of the contract, the performance of the services referred to in the agreement, the issuing, management and payment of invoices and the response to the requests for technical assistance, also online (so-called trouble-ticketing), the registration and the retention of the Data in order to keep the evidence of Your intention to request the Service, the sending of communications with informative content regarding the imminent termination of the existing contract in order to avoid adverse consequences.

The relevant processing will take place on the legal basis referred to in Article 6, paragraph 1, letter b), GDPR, being the processing necessary to the performance of a contract of which You are a party or to the execution of the pre-contractual measures adopted in response to Your request.

In case You opt for the identification method through webcam or automated methods, InfoCert will also process the Biometric Data. In this case, the processing will be carried out under the specific consent of the data subject pursuant to Article 6, paragraph 1, letter a), and 9, paragraph 2, letter a), GDPR, given at the time of the identification and/or request for the Services.

In addition, the identification process with automated methods implies an automated decision-making process pursuant to Article 22, GDPR. Consequently, before proceeding with the recognition through such automated method, You will be asked to express consent, being it the condition of lawfulness under the combined provisions of Articles 6, paragraph 1, letter a) and 22, paragraph 2, letter c), Regulation.

b) Compliance with legal obligations

The Data Controller will process the Data for the fulfilment of legal and regulatory obligations, both national and European, possibly imposed on it (including, where applicable, those provided for under anti-money laundering legislation) for the establishment and management of the contractual relationship. By way of example, the Data will be collected in digital mode – and stored in encrypted mode – in electronic files, in compliance with (i) D. L.vo 82/2005 (“Codice dell’Amministrazione Digitale” or “CAD”); and (ii) Regulation (EU) 2014/910 (“Electronic IDentification Authentication and Signature Regulation” or “EIDAS Regulation”).

If necessary, the processing will be based on the legal basis referred to under Article 6, paragraph 1, letter c), GDPR.

c) Defense of legal rights

The Data Controller may process the Data to assert and defend its rights (including in judicial proceedings).

If necessary, the processing will be based on the legal basis referred to in Article 6, paragraph 1, letter f), GDPR.

d) Performance of statistical analysis

InfoCert may process certain information when performing statistical, business and market analysis as well as analysis related to the quality of services.

In this context, information is normally stored and processed in an anonymous and aggregate form; therefore, it does not involve the processing of Data, understood as information directly or indirectly related to You.

Should the relevant analysis involve the processing of Data, appropriate measures to ensure the security of Data will be implemented (such as, for example, the pseudonymization); in this case, the processing will be based on the legal basis of the legitimate interest of the Data Controller referred to in Article 6, paragraph 1, letter f), GDPR.

e) Customer satisfaction and direct marketing

The Data Controller may process the Personal Data in order to send communications via e-mail with the purpose of understanding Your opinion on the Services purchased by You, functional to the improvement of the services offered by InfoCert and, in general, of the customer experience.

InfoCert may also process the Data in order to send You via e-mail (i) commercial and promotional communications related to products and/or services of InfoCert or of other companies belonging to the Tinexta Group, which are similar or analogous to those You already purchased or ordered, and/or (ii) invitations to participate in initiatives, promotional campaigns or events, workshops, courses, seminars and round tables organized by InfoCert or other group companies of the Tinexta Group.

In this regard, we would like to inform You that in order to send You offers regarding products and services that may be of interest to You and invite You to take part in initiatives that may be of interest to You, the Data Controller may take into consideration Your preferences, as they result from Your prior purchases or orders and, in general, from the characteristics of Your contractual relationship with InfoCert. This, however, will not have any consequences on Your rights and freedoms as a data subject, as You will still be able to have access to all products/services offered by the Data Controller or other group companies of the Tinexta Group; moreover, there are not and will not be any restrictions based on the preferences of the data subjects.

The potential processing will be based on the legal basis set forth in Article 6, paragraph 1, letter f), GDPR, namely the legitimate interest of the Data Controller. In this regard, we specify that, with reference to the processing at stake, You may object to the sending of further direct marketing and customer satisfaction communications, free of charge and at any time by the means provided for under the following paragraph 8.

The activities referred to in this paragraph shall not apply to those persons, natural persons, who purchase InfoCert’s products or services for the mere instrumental purpose of interacting with InfoCert’s customers, legal persons.

f) Marketing of non-similar products, indirect marketing, and Social Media Marketing

Should You have given Your consent, the Data Controller may process the aforementioned Data in order to send You commercial and/or promotional communications relating to all InfoCert’s, other Group companies’ and/or third parties’ products or services, as well as to invite You to participate in events, exhibitions, seminars, etc., organized by third party partners (“Indirect Marketing”).

In this context, the Data Controller may also process – in joint ownership with each of the social media platforms and/or each of the technology service providers listed here but not limited to: Meta Platforms Ireland Ltd., Linkedin Inc., Google Ads, Microsoft Advertising Bing, Spotify – some Data (in particular, the email) for the promotion – (a) through the pages of the social media platform or the technology service provider, or (b) within advertising spaces on other websites – of offers/commercial communications and/or promotions relating to all the products or services of the Data Controller and/or other Group companies, as well as events, exhibitions, seminars, etc., organized by the Data Controller or by the latter (“Social Media Marketing”).

The processing in joint ownership with each social media platform or technology service provider will be limited to the technical operations and processing activities strictly necessary for the publication of the promotional message and, if the case be, the production by the social platform or the technology service provider of statistical reports related to the progress of the campaign.

For any further processing activity carried out by the social media platform or by the technology service provider as an independent data controller, please refer to the information pursuant to Article 13 or 14, GDPR, provided by the social media or by the technology service provider involved, to which any request to exercise the rights recognized by the GDPR relating to the data processing carried out by it in autonomous ownership may be addressed. InfoCert is not responsible and shall not be liable in any way for any data processing carried out by the social media platform or by the technology service provider that is additional to the Social Media Marketing activities described herein and/or concerns personal data other than those processed under the joint controllership agreement.

The processing of Your Data in the context of Indirect Marketing or Social Media Marketing activities will be possible only if You have given Your consent, being it the relevant legal ground. In this regard, we inform You that You have the right to withdraw the consent previously given, free of charge and at any time, through the link available at the bottom of all Indirect Marketing communications that You may have received or by contacting the Data Controller with the modalities provided for under paragraph 8 below.

The activities referred to in this paragraph shall not apply to those persons, natural persons, who purchase InfoCert’s products or services for the mere instrumental purpose of interacting with InfoCert’s customers, legal persons.

g) Communication of Data to third parties for their own marketing purposes

Provided that Your previous consent is given, the Data Controller may disclose Your Data to other Group companies or to third parties operating, for example, in the following fields: cybersecurity services, call centers, digital & social marketing, market surveys, loyalty programs and prize competitions, which will use them for their own marketing purposes and for their own commercial activities as independent data controllers. For more information on the processing carried out by them, please refer to the information pursuant to Article 14, GDPR, which will be provided to You by each independent data controller.

The processing of Data for this purpose by InfoCert will only be possible if You have given Your consent, being it the applicable legal ground pursuant to Article 6, paragraph 1, letter a), GDPR. In this regard, we inform You that You have the right to withdraw, free of charge and at any time, the consent You might have previously given as to the communication of Your Data by contacting the Data Controller as provided for under paragraph 8 below.

The activities referred to in this paragraph shall not apply to those persons, natural persons, who purchase InfoCert’s products or services for the mere instrumental purpose of interacting with InfoCert’s customers, legal persons.

h) Performance of corporate transactions

InfoCert may process the Data in the context of activities functional to transfers of companies and business units, acquisitions, mergers, demergers or other transformations and for the execution of such operations.

Any possible processing activity will be based on the legal basis set forth in Article 6, paragraph 1, letter f), GDPR, namely the legitimate interest of the Data Controller to carry out such activities as an expression of its freedom of economic initiative.

i) Fulfillment of legal obligations

The Data Controller may carry out the processing of Your Data if necessary in relation to the fulfillment of the legal obligations.

If necessary, the processing will be based on the legal basis set forth in Article 6, paragraph 1, letter c), GDPR.

5. COMMUNICATION OF DATA TO THIRD PARTIES LOCATED IN THE EUROPEAN ECONOMIC AREA

InfoCert may disclose Your Data to third parties which provide the Data Controller with services necessary, functional, or anyhow connected to the relevant purposes set forth above.

In particular, the Data may be communicated to subjects (e.g., companies, associations, entities, professionals) that support InfoCert in the activities necessary to the marketing, distribution and promotion of its products or services, including, for example, technology service providers, marketing and/or communication agencies, external consultants, who will carry out the processing activities as data processors. The up-to-date list of processors is kept by InfoCert and is available upon prior request.

The Data Controller may also disclose the Data to third parties to which said disclosure is provided for as a legal obligation, to public authorities, to other legal entities established in the European Economic Area, to credit or electronic money institutions with whom InfoCert collaborates as well as security certificate providers. These subjects will process Data as independent data controllers.

As part of the Social Media Marketing activities, some Data will be processed – provided that Your prior consent is given – by providers of social media platforms or technology services, each of them acting as InfoCert’s joint controller. More information on the relationships between the joint controllers is available upon request.

The Data – and in particular the Biometric Data that may be collected through the optional identification procedures referred to under Article 3, paragraph 4, letters a) and b) above – will not be made available to the public.

6. TRANSFER OF DATA OUTSIDE THE EUROPEAN ECONOMIC AREA

The Data are stored on servers located in the European Union.

Without prejudice to this, for the purposes stated above, the Data may be transferred to recipients located in countries outside the European Economic Area, which provide InfoCert with services connected to its processing activities.

Such transfer, where applicable, will only take place in compliance with the conditions set forth under GDPR and will be governed, depending on the recipients, by the use of standard contractual clauses adopted by the European Commission or, alternatively, on the basis of an adequacy decision of the Commission and/or any other instrument permitted by the applicable legislation.

You may obtain more information as to where the Data has been, if the case be, transferred by contacting InfoCert at the addresses provided above.

7. DATA RETENTION PERIODS

InfoCert will process Your Data for the time strictly necessary to fulfil the purposes mentioned and described above. In particular:

  • for the purposes of managing the contractual relationship (e.g., performance of the contract, management of and response to requests for technical assistance, sending of informative communications regarding the impending expiry of the contract), defense of rights, activities connected to the performance of corporate transactions and fulfillment of legal obligations, the Data will be processed for the entire duration of the contractual relationship and will be stored for an additional period of 10 years from the date of termination of the contractual relationship, exclusively for the purposes related to the compliance with legal obligations, to the defense of the Data Controller’s rights or to the need to respond to the requests of the competent authorities;

INFOCERT S.P.A. | COMPANY SUBJECT TO THE MANAGEMENT AND COORDINATION OF TINEXTA S.P.A.
REGISTERED OFFICE | PIAZZA SALLUSTIO, 9 00187 ROME (ITALY) | T +39 06 836691 | F +39 06 83669634 | W INFOCERT.IT – INFOCERT.DIGITAL | E INFO@INFOCERT.IT
P.IVA/C.F. 07945211006 | REA NR. 1064345 | AUTHORISED SHARE CAPITAL EUROS 22.117.536,00 – SHARE CAPITAL SUBSCRIBED AND PAID-UP EUROS 20.080.928,00

  • for the identification via Web Identification or through automated methods, the Data and the Biometric Data will be processed for the time strictly necessary to ensure You the possibility to access the Services as well as for the purpose of protecting InfoCert’s rights in court, that is until the expiration of the period prescribed by the CAD and eIDAS Regulation. It is understood that at the end of the retention period, Data including Biometric Data will be immediately and automatically deleted, without prejudice to any legal provisions that provide specific rules in this regard;

  • for the purpose of performing statistical, business and market analysis, as well as the analysis on the quality of services, the Data will be processed for the time necessary to carry out analytical activities, it being understood that such activities will normally be performed on the basis of anonymous and/or aggregate information;

  • with specific reference to: (a) sending of customer satisfaction communications, the Data will be processed for a maximum period of 12 months from the purchase or order made by You, without prejudice to Your right to object to the processing; (b) activities of direct and indirect marketing as well as social media marketing, the Data will be stored for the duration of Your contractual relationship with InfoCert and for a maximum period of 24 months from its termination for any reason whatsoever or, if later, from Your last expression of interest as to the products and services of the Data Controller, unless – as applicable – You decide to exercise the right to object to the processing or to withdraw the relevant consent.

8. DATA SUBJECT’S RIGHTS

During the period in which InfoCert stores or processes Your Data, You, as data subject, may at any time exercise the following rights:

  • Right of access – You have the right to obtain confirmation as to whether or not Your Data is being processed, and, where that is the case, the right to access the Data and to receive any information regarding said processing;

  • Right of rectification – You have the right to obtain the rectification of Your Data, should it be inaccurate or incomplete;

  • Right to erasure – under certain conditions, You have the right to obtain the deletion of Your data in our archives if it is not relevant to the continuation of the contractual relationship nor necessary to fulfill a legal obligation to which InfoCert is subject nor for the judicial establishment, exercise or defense of a legal right;

  • Right to restriction of processing – under certain conditions, You have the right to obtain the restriction of the processing of Your Data;

  • Right of portability – under certain conditions, You have the right to obtain the transfer to another data controller of Your Data that we hold;

  • Right to object – You have the right to object, at any time on grounds relating to Your particular situation, to the processing of Your Data which is based on the legal basis of legitimate interest, the exercise of a public interest task, or the exercise of public authority, including profiling, unless InfoCert has legitimate grounds to continue the processing that override the interests, rights and freedoms of the data subject or for the judicial establishment, exercise or defense of legal claims;

  • Right to withdraw the consent – You have the right to withdraw the consent previously given to the processing of Your Data at any time, provided that the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal;

  • Right to lodge a complaint before the supervisory authority – if InfoCert refuses to follow up to Your requests, it will provide the reasons for such denial. Should You wish to lodge a complaint regarding the manner in which Your Data is processed, or regarding the handling of a request You made, You have the right to lodge a complaint directly before the Supervisory Authority.

The above-mentioned rights may be exercised towards InfoCert by sending an email to the following e-mail address: richieste.privacy@legalmail.it.

The exercise of Your rights as data subjects is free of charge in accordance and within the limits of Article 12, GDPR.

9. FINAL PROVISIONS

InfoCert reserves the right to modify and/or update this information notice also on the basis of the applicable legislative and regulatory evolutions of data protection, as well as on the basis of possible decisions of the competent Authorities.
