Privacy Policy
(pursuant to Art. 13 of EU Regulation 2016/679 – “GDPR”)
1. Data Controller and Contact Details
The Data Controller is MECBO s.r.l., a single-member company, with registered office at Via Umbria 8/12 – 40024 – Castel San Pietro Terme (BO), Tax Code 00418580379 – VAT No. 00508751203, e-mail: info@mecbo.it, PEC: mecbosrl@legalmail.it (hereinafter also the “Controller”).
For any request regarding the protection of personal data or for the exercise of the rights indicated in point 9, you may contact the Controller using the contact details above.
2. Types of Data Processed
In the context of relationships with customers (current and potential), the Controller processes in particular the following categories of personal data:
– Identification and contact data: first name, last name, any title/role, contact details (telephone, e-mail), professional address;
– Company and tax data: company name/business name, registered office, VAT number/tax code, identification codes, tax and accounting information;
– Banking and payment data: IBAN, bank or payment details necessary for the management of collections and payments;
– Data relating to contractual relationships: information on contracts, orders, quotations, correspondence, history of relationships and transactions;
– Data of internal contacts of the customer/supplier: identification and contact details of the customer’s/supplier’s representatives, employees or collaborators.
The Controller neither requests nor intends to process special categories of personal data pursuant to Art. 9 GDPR (e.g. health data, religious or political beliefs, etc.) or data relating to criminal convictions and offences (Art. 10 GDPR) within the scope of relationships with customers and suppliers.
3. Purposes of Processing and Legal Bases
The personal data indicated above are processed for the following purposes and on the basis of the specified legal grounds:
a. Establishment and performance of the contractual or pre-contractual relationship
– Management of requests for quotations or information, preparation of estimates, order management, performance of supplies and services, after-sales assistance.
– Legal basis: performance of pre-contractual measures and of the contract to which the data subject is a party (Art. 6(1)(b) GDPR).
b. Compliance with legal obligations
– Accounting, tax, civil law and anti-money laundering obligations, where applicable; obligations arising from European Union law, national laws or regulations, or from orders or lawful requests of authorities.
– Legal basis: compliance with legal obligations to which the Controller is subject (Art. 6(1)(c) GDPR).
c. Internal administrative and organizational management
– Planning and management control, maintenance of customer and supplier records, organization of internal activities, management of schedules and contacts.
– Legal basis: the Controller’s legitimate interest in proper organizational and administrative management of its business (Art. 6(1)(f) GDPR).
d. Protection of the Controller’s rights
– Prevention and management of disputes, debt collection, exercise or defense of rights in judicial or extrajudicial proceedings, management of complaints or claims.
– Legal basis: the Controller’s legitimate interest in protecting its rights (Art. 6(1)(f) GDPR).
e. Sending communications strictly related to the ongoing relationship
– Service communications relating to deadlines, contractual updates, changes in operating conditions, as well as possible informational communications on products or services similar to those already purchased/provided, addressed to existing customers (“soft spam” within the limits permitted).
– Legal basis: performance of the contract (Art. 6(1)(b) GDPR) for communications strictly necessary for managing the relationship; the Controller’s legitimate interest in maintaining business relationships with its customers (Art. 6(1)(f) GDPR), within the limits permitted by electronic communications regulations.
The provision of data for the purposes referred to in points a. and b. is necessary: failure to provide such data makes it impossible to establish or continue the contractual relationship and to comply with the related legal obligations.
For purposes based on legitimate interest (points c., d. and e.), the data subject may object at any time, within the limits indicated in point 9.
4. Methods of Processing
Data processing is carried out:
– using manual and IT tools;
– in compliance with the principles of lawfulness, fairness, transparency, minimization and security provided for by the GDPR;
– with logic strictly related to the purposes indicated and, in any case, in such a way as to ensure the confidentiality and integrity of the data.
The Controller adopts appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
The processing does not involve any automated decision-making process producing legal effects concerning the data subject or significantly affecting him/her, pursuant to Art. 22 GDPR, nor profiling activities carried out on customer and supplier data.
5. Recipients of Personal Data
Personal data may, within the limits of the purposes indicated above, be made accessible or communicated to, or otherwise processed by:
– authorized personnel of the Controller (employees and collaborators), duly instructed;
– entities acting as data processors pursuant to Art. 28 GDPR, including, by way of example: accounting, tax or legal consultants; companies providing IT and management services (hosting, software maintenance, system management, cloud service providers, e-mail providers); banks and financial intermediaries, debt collection companies, insurance companies;
– independent third-party controllers (e.g. public authorities, bodies or entities to whom data disclosure is mandatory by law or by authority orders).
The updated list of data processors is available upon request, using the Controller’s contact details.
6. Transfer of Data to Third Countries
As a rule, personal data are processed within the European Economic Area (EEA).
Some IT services used by the Controller may involve the transfer of data to countries outside the EEA (e.g. in the case of cloud services). In such cases, the Controller ensures that the transfer takes place in compliance with Arts. 44 et seq. GDPR, on the basis of an adequacy decision of the European Commission or, failing that, on the basis of appropriate safeguards (such as standard contractual clauses approved by the European Commission), possibly supplemented by additional security measures.
7. Data Retention Period
Personal data are retained for the time strictly necessary to achieve the purposes for which they were collected, in compliance with the principles of storage limitation and minimization, and in particular:
– contractual, accounting and tax data: retained for the entire duration of the contractual relationship and, thereafter, for a period of 10 years from the termination of the relationship or from the last accounting entry, unless longer periods are required by applicable law;
– data relating to dispute management and debt protection: retained for the time strictly necessary to manage disputes and until the decision becomes final or the dispute is settled, as well as for the period necessary to enforce the decision and in compliance with applicable limitation periods;
– contact data of customer/supplier representatives: retained for the duration of the relationship with the customer/supplier they represent or for whom they work and, in any case, no longer than necessary for the stated purposes, subject to updates or replacement of representatives.
After the retention period has elapsed, the data will be deleted, anonymized or retained only where necessary to comply with further legal obligations or authority orders.
8. Nature of Data Provision
The provision of personal data identified as necessary:
– is mandatory to comply with legal obligations to which the Controller is subject;
– is necessary for the conclusion and performance of the contract or to satisfy pre-contractual requests.
Failure to provide such data makes it impossible to establish or continue the contractual relationship with the Controller.
The provision of any additional data not strictly necessary for the contractual relationship or legal obligations may be optional: in this case, failure to provide such data may limit certain aspects of the relationship but will not prevent its conclusion as such, unless otherwise indicated.
9. Rights of the Data Subject
The data subject, in relation to the processing described in this notice, may exercise at any time the rights recognized by Arts. 15–22 GDPR, and in particular:
– right of access: to obtain confirmation as to whether or not personal data concerning him/her are being processed and to receive information on the processing, as well as a copy of the data;
– right to rectification: to obtain the correction of inaccurate data or the completion of incomplete data;
– right to erasure (“right to be forgotten”): to obtain the erasure of data in the cases provided for by Art. 17 GDPR;
– right to restriction of processing: to obtain restriction of processing in the cases provided for by Art. 18 GDPR;
– right to data portability: to receive in a structured, commonly used and machine-readable format the personal data concerning him/her, processed on the basis of the contract, and to transmit them to another controller, where technically feasible (Art. 20 GDPR);
– right to object: to object at any time to the processing of personal data based on the Controller’s legitimate interest, for reasons related to his/her particular situation (Art. 21 GDPR). In such cases, the Controller shall refrain from further processing the data unless it demonstrates the existence of compelling legitimate grounds or the necessity of the processing for the establishment, exercise or defense of a legal claim.
To exercise these rights, the data subject may contact the Controller using the contact details indicated in point 1.
The data subject also has the right to lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it) or with the supervisory authority of the EU country in which he/she usually resides, works or where the alleged infringement occurred.
10. Updates
This privacy notice may be amended or updated in the event of regulatory or organizational changes affecting the processing of personal data. The updated version will be made available at the Controller’s registered office.