Privacy and Cookies
Last update, 21st February 2019
To whom it may concern,
we want to give you some information on how we manage people’s data in compliance with EU Regulation 2016/679 known as GDPR (and its predecessor PRIVACY law 196/2003), as well as the law 70/03 "Implementation of Directive 2000/31 / CE regarding certain legal aspects of services of the information company in the internal market, with specific reference to electronic commerce" but mainly to inform you that we really care about to your confidentiality and to the protection of the data you could decide to entrust us with.
In accordance with what is reiterated by the EU Regulation we will give you, in a clear and understandable way, the essential information. For each piece of information you can find one or more levels of clarification (after the initial pages and reachable by clicking the highlighted words), where we will give you further and more detailed information in case in which you want to deepen some aspects which could not be completely clear and understandable to you.
For any question, do not hesitate to contact the owner of the data management Fluentis s.r.l. with registered office in Via Mezzomonte, 24, 33077, Sacile (PN), VAT number: IT01720550936, Rea: PN-99105 through its representatives via:
- e-mail: Privacy@fluentis.com
- Tel.: +39 0434 1696346
also using the template provided by the National data protection authority: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1089924
Your personal and contact details (e-mail, phone, mobile phone, address) may have been collected from public domain sources (for example: telephone directories or public databases), from social networks (for example: Facebook, LinkedIn, Twitter, Instagram, etc.) or through the internet (for example: your Internet sites, third party websites authorized by you, public forums, etc.), in this case your data will be used only to request your explicit consent to the data processing explaining clearly, also verbally and / or by telephone, the method and purpose of such processing, and it will be immediately marked as "restricted to treatment" in the event of your refusal to processing; this is to avoid that we can contact you again in case of your denial.
Personal data collected through our site, or through sites linked to us, is used only to follow up on your requests. If you give us your explicit consent, they can be used for statistical, profiling purposes.
The data acquired, as described above, will be processed in accordance with the provisions of the regulation for the following reasons:
- Meeting legal obligations (i.e. accounting, invoicing, financial management);
- The execution of the services provided through the Website and the Cloud requested by you;
- Meeting your requests (e.g.: Estimates, offers, technical and commercial assistance);
- Fulfilling any contractual obligations arising from agreements with you or the organization you represent;
- Keeping a database of the questions, proposals, more frequent communications;
- For the technical management of navigation on our sites (see also section Cookies and other technologies);
- If you give us active and explicit consent to stay in contact with you (e.g.: newsletters, commercial offers, updates, etc.);
- And, possibly, to pursue legitimate interests of the owner or third parties (provided for in Article 6 of the regulation that we quote below) that will be, where possible and lawful, our care to indicate them before the treatment.
Regarding points a), b) and c) and the missed communication and treatment of the necessary data will prevent us from being able to respond to your requests, and this cannot be imputed to us and cannot be considered to authorize any request from your side for non-compliance or cause of damage. Personal data are subject to treatment both on paper and electronic and / or automated, through the use of websites hosted on the cloud managed by our company and located within the European Union. Your data will be processed only within our organization and only by specially trained, appointed and authorized personnel. They may be transferred to third parties only as a legal requirement (for example, Minister of Finance as a list of transactions done) to carry out operations required by law (e.g.: consultants and accounting studios for balance sheets and statements etc.) or to fulfill our obligations in their comparisons (e.g.: couriers for deliveries, postal services, banking institutions for the management of receipts and payments, etc.). They may also be transferred to our partners in the territory or to other companies linked to us only if this is necessary to meet your requests or to fulfill contractual obligations, these companies, who have with us a regular and legal contract as Managers of the processing, will treat them in full compliance with what is indicated in this statement and we will monitor their use and management, they will be destroyed by these companies immediately after the fulfillment of the purpose for which they were entrusted.
Business transfers: by continuing to develop our business, we may sell or purchase brands, subsidiaries or business units. We may share and / or transfer your personal information to a third party in connection with such transactions (including, without limitation, any reorganization, merger, sale, joint venture, assignment, transfer or other sale of all or part of the our business, our brands, affiliates, subsidiaries or other assets). Customer information is generally one of the transferred business assets, but remains subject to any pre-existing and applicable privacy information.
Your data will not be transferred to others, except as indicated above, without having requested to you an explicit and active consent or that you have explicitly requested it.
Under no circumstances your data will, unless collected outside the European Community, be transferred outside the countries of the European Community.
Your data will be kept for the strictly necessary period to fulfill the purpose for which it was collected, or for the period determined by law; in case of spontaneous assignment (e-mail request, applications, proposals, etc.) it will be kept for no more than 12 months from the date of the last communication; Personal data processed for the purposes of marketing will be retained until the revocation of the consent given by the interested party.
At any time, as established also by the EU regulation 2016/679, you can exercise your rights as explained by Article 15 of the regulation that we refer to below, and you can request, through the contacts indicated above, to know, modify, block, cancel or transfer your data processed by us.
The Data owner will provide the interested party with the requested information and any actions taken within a month of receiving the request. This deadline may be extended by two months if necessary, taking into account the complexity and the number of requests. The Data Controller will inform the interested party of such extension, and of the reasons for the delay, within one month from receipt of the request.
In case you have given explicit, conscious and active consent for the processing of your data, you may revoke this consent at any time through the contacts listed above, without of course that this may affect the treatments required by law (for example, the conservation of documents and of the accounting records) or the treatments already taken against your consent.
If you believe that your rights have been violated, and that we have not given feedback to your requests to that effect, you can always file a complaint to the privacy authority through the forms prepared and present at the following link: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4535524
This statement does NOT apply when we process personal data on behalf of another Data Owner (for example, data from our customers who use our ERP software both locally and in the cloud). In this case, we act as Data Processor and these treatments are regulated by a specific contract with the Data Owner.
We take the security of personal information very seriously. To protect the personal information provided by the interested party from unauthorized access, destruction, loss or accidental and / or illicit alteration, we use adequate and constantly updated technical and organizational security measures.
Violation of data security
We have implemented strict security controls, intrusion detection software and alert procedures in the event of a potential or actual intrusion into our information systems. We have set up a data breach notification policy and an incident response team that will immediately react and implement a remediation plan in response to any unauthorized access to our computer systems or databases. If a data security breach occurs with any impact on the user's personal information, a notification will be sent as soon as possible once the violation has been determined.
Our website, for a better functioning and to guarantee services provided by third parties, uses technical cookies.
Technical cookies are those used for the sole purpose of transmitting a communication over an electronic communication network, or to the extent strictly necessary to the provider of an information society service explicitly requested by the subscriber or user to provide such service. They are not used for further purposes, and are installed with normal navigation on our pages. They can be divided into navigation or session cookies, which guarantee the normal navigation and use of the website (allowing to make a purchase or authenticate to access restricted areas); functional cookies, which allow the user to browse according to a series of selected criteria (for example, language, products selected for purchasing, etc.) in order to improve the service provided. For the installation of these cookies, the user’s consent is not required, while there is the obligation to give this information pursuant to art. 13 of EU Regulation 679/16 on the protection of personal data.
During the navigation on a site, the user can also receive cookies from different sites or web servers on his terminal (so-called "third-party" cookies); this happens because on the visited website there may be elements such as, for example, images, maps, sounds, specific links to web pages of other domains that reside on servers other than the one on which the requested page is located. Fluentis S.r.l. uses third-party cookies, in particular cookies issued by Google Analytics services (used by Google to collect and then provide information, in aggregate form, on the number of users and how they visit the site). The information generated by the cookie about the use of the website is communicated to Google Inc. (for information on use and any disabling see www.google.com/analytics/learn/privacy.html)
Third-party cookies from Facebook, Twitter and YouTube that are not present on the website's servers can also be used on the website, therefore they are not sent by it to the user's terminal. These cookies are activated if the user clicks on the FB, TW or YT icon, or enters the respective social sites, or uses related services in the API. For any information and for disabling their saving on the user's terminal, please refer to www.facebook.com/help/cookies twitter.com/privacy support.google.com/youtube
Because of the particular invasiveness that such devices may have in the private sphere of users, we asked for their prior consent to use them, with a special form on the home page of our site.
Texts, images and any other multimedia content on this site is owned by the OWNER or licensed to the OWNER.
All the distinctive signs used within the site belong to the OWNER or their respective owners or licensees, who have granted the OWNER the right to use, limited to their publication on the site.
No part of the site (including text, images and any other multimedia content) may be reproduced or transmitted without the written authorization of the OWNER, except for personal non-transferable use. Use for any unauthorized purpose is expressly prohibited by law.
We, unless otherwise required by law, cannot be held responsible in any way for damages of any nature directly or indirectly caused by access to its website, by the inability or impossibility to access it, by reliance on the information contained therein or from their use. We reserve the right to modify its contents at any time and without notice. We assume no responsibility for services offered by third parties with whom our Sites have activated a link, and for any other content, information or anything else contrary to the laws of the Italian and European State present in it. Furthermore, the indication of links does not imply any kind of approval or sharing of responsibility in relation to the completeness and correctness of the information contained in the indicated sites.
We report for your information the Article 6 of the GDPR Regulation that explains the legitimate reasons for the treatment of data, Article 7 governing consent and Articles 15 to 22 that govern the exercise of its rights.Article 6
Lawfulness of processing
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.
3. The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:
- Union law; or
- Member State law to which the controller is subject.
The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.
4. Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:
- any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
- the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;
- the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;
- the possible consequences of the intended further processing for data subjects;
- the existence of appropriate safeguards, which may include encryption or pseudonymisation.
Conditions for consent
1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
We report for your information the articles of the GDPR governing access to your rights.Article 15
Right of access by the data subject
1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.Article 16
Right to rectification
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.Article 17
Right to erasure (‘right to be forgotten’)
1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
- the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
- the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise or defence of legal claims.
Right to restriction of processing
1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
2. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
3. A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.Article 19
Notification obligation regarding rectification or erasure of personal data or restriction of processing
The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.Article 20
Right to data portability
1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
- the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
- the processing is carried out by automated means.
2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.Article 21
Right to object
1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6 (1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
6. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.Article 22
Automated individual decision-making, including profiling
1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
2. Paragraph 1 shall not apply if the decision:
- is necessary for entering into, or performance of, a contract between the data subject and a data controller;
- is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
- is based on the data subject's explicit consent.
3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.