Privacy Policy


This informative notice is for Visitors and Users of Websites www.hesadns.com and www.hesacloud.com property of HESA S.p.A. (henceforth HESA) and not for websites consulted by the user through internal links.
Pursuant to Article 13 of Legislative Decree 30 June 2003, n.196 - Code of practice concerning the protection of personal data -  (henceforth the "Data Protection Act") and Art. 13 of EU Regulation 2016/679 ("General Data Protection Regulation" or "GDPR"), we wish to inform you that, by using the aforementioned websites, HESA, as Data Controller (henceforth "Holder") is necessarily aware of personal data relating to you.
For this reason, it is necessary for us to provide you with the following information in fulfillment of the obligation imposed by the aforementioned legislation.

1. WHO IS THE HOLDER OF YOUR PERSONAL DATA?
The data holder is HESA S.p.A., with registered office in Via Triboniano 25, 20156 Milano, Tax Code and VAT no. 09193370153.

2. WHAT IS THE LEGAL AND REGULATORY FRAMEWORK FOR THE PROCESSING OF YOUR DATA?
Your data will be processed for contractual obligations and based on your consent. 
In the processing of data that can directly or indirectly identify the User, HESA respects the principle of strict necessity. Therefore, the processing of User data is excluded when the purposes pursued in individual cases can be achieved through the use of anonymous data (such as, for example, in market research aimed at improving services) or by other means that allow us to identify the User only in case of necessity or at the request of the authorities and the police forces (such as, for example, data relating to your traffic data and permanence on the website or your IP address).
The User's data will be communicated to third parties only with the express consent of the User, except in cases where the communication is mandatory by law or is required for purposes established by law for the pursuit of which the User's consent is not required; in such cases, the data may be made available to third parties who will process it independently and solely for the aforementioned purposes (for example, in the event of a request made by the police or by the judiciary or other competent bodies or to fulfill obligations arising from the contract concluded with the User, as is the case with the communication to the bank in charge of payments for the products purchased). Any processing purpose other than the specific one for which the User has provided personal data will be specified in the informative notice and will be carried out by HESA only after acquiring the User’s express consent.
There are bases for processing for which the law provides for the exclusion of consent. For example, the processing of personal data may take place without obtaining the consent of the User when this is necessary to fulfill a legal obligation or when it is necessary to fulfill the obligations assumed contractually with respect to the same User. Furthermore, it is specified that HESA, pursuant to art. 130, paragraph 4 of the Data Protection Act, has the right to use the User's data, without the need to acquire data subject’s express consent, for direct sales activities of products similar to those the User has already purchased and for surveys, on condition that the User has not refused such use with reference to the e-mail address communicated to HESA.
It may occur that HESA finds itself processing personal data of third parties communicated directly by the User to HESA (where, for example, the User wishes to buy an HESA product and have it delivered to the address of residence or domicile of a third party). In such cases, HESA will ensure that the informative notice required by art. 13 of the Data Protection Act is delivered to the third party, in the moment the person’s data is recorded in HESA’s archive, however, the task of obtaining the consent of the person to whom the data refers, remains the sole responsibility of the User before communicating it to HESA, as well as informing the person of the content of this Privacy Policy, taking into account that the User is the sole person responsible for the communication of information and data relating to third parties without such persons having given consent and/or for the possible incorrect use of such data or use contrary to the law.

3. WHERE DO WE PROCESS YOUR DATA?
The processing operations connected to the web services of this Site take place at the aforementioned headquarters of HESA and are handled solely by technical staff responsible for or in charge of data processing, or by any persons responsible or in charge of occasional maintenance operations.

4. WILL YOUR DATA BE TRANSFERRED BEYOND THE BORDERS OF THE EUROPEAN UNION?
HESA currently processes your data without transferring it to countries other than those belonging to the European Union or that do not ensure adequate levels of personal data protection. The privacy standard allows the transfer of personal data beyond the borders of the European Union with the consent of the User, or where there is a legal justification and where an adequate level of data protection is guaranteed.
HESA undertakes to ensure that if the data is transferred beyond the borders of the European Union, it will be done in full compliance with the principles and requirements of local and European Union law, and that appropriate safety measures will be taken to protect personal data in those countries/territories.

5. HOW IS YOUR DATA PROCESSED AND FOR HOW LONG?
Personal data is processed with automated tools for the time strictly necessary to achieve the purposes for which it was collected. Your data will be conserved by the Company for the period strictly necessary to ensure the correct provision of the services purchased, save the need for conservation for a longer period in compliance with applicable law, including accounting law.
  • the data acquired for the purposes of registration to the HESA CLOUD SERVICES portal is regulated by a specific detailed informative notice on the registration form. It will be processed in relation to the services offered by HESA through its portal, exclusively for the purposes that fall within the institutional tasks of the company or for the obligations required by law or regulations. As part of these purposes, data processing also relates to data regarding subscriptions/registrations to the portal required for the management of relations with HESA, as well as to enable effective institutional communication and to comply with any legal, regulatory or contractual obligations;
  • the data processed for the purposes of marketing and profiling (always, of course, provided that your express consent has been given), will be stored in accordance with the applicable legislation and in any case until the revocation of your consent to the processing of your personal data; 
  • the data processed following your eventual purchase of products, will be used exclusively for the sending of emails in accordance with the provisions of art. 130, paragraph 4, of the Data Protection Act. 
In all cases, you will have the right to revoke your consent to the processing of your data for marketing and profiling purposes at any time: in each commercial communication there is a section that will allow you to easily revoke your consent.
At the time of the revocation of consent, even if expressed before the expiry of the retention period of data collected for the aforementioned purposes, the same will be automatically deleted or permanently anonymised and our Company may ask you to renew consent to its processing. 
The data transmitted to any service providers will be processed by them for the time strictly necessary for the execution of the tasks entrusted to them.  Specific security measures will be observed at all times to prevent data loss, illicit or incorrect use and unauthorized access.

6. WHAT ARE YOUR RIGHTS? 
In your capacity as the interested party, you can exercise, using the methods indicated in the paragraph "13 EXERCISE OF THE RIGHTS OF THE INTERESTED PARTY", the rights referred to in art. 7 of the Data Protection Act and art. 15 of the Regulations and in particular: 
  1. obtain confirmation of the existence or not of personal data concerning you, even if not yet registered, and its communication in an intelligible form;
  2. obtain the indication: a) of the origin of personal data; b) of the purposes and methods of processing; c) of the logic applied in the event of processing carried out with the aid of electronic instruments; d) of the identification details of the Holder, the managers and the designated representative pursuant to art. 5, paragraph 2 of the Data Protection Act and art. 3, paragraph 1, GDPR; e) the subjects or categories of subjects to whom the personal data may be communicated or who may become aware of it in their capacity as designated representative in the territory of the State, managers or agents;
  3. obtain: a) updating, rectification or, when interested, integration of data; b) the cancellation, transformation into anonymous form or blocking of data processed unlawfully, including data whose retention is unnecessary for the purposes for which it was collected or subsequently processed; c) the attestation that the operations referred to in points a) and b) have been brought to the attention, also as regards content, of those to whom the data has been communicated or disseminated, except in the case where such fulfillment reveals itself to be impossible or involves a use of means manifestly disproportionate to the protected right;
  4. to object, in whole or in part: a) for legitimate reasons, to the processing of personal data concerning you, even if pertinent to the purpose of the collection; b) to the processing of personal data concerning you for the purpose of sending advertising or direct sales material or for carrying out market research or commercial communication, through the use of automated call systems without the intervention of an operator by e-mail and/or through traditional marketing methods by telephone and/or paper mail. It should be noted that the right of opposition of the interested party, set out above in point b), for direct marketing purposes through automated methods extends also to traditional methods and that, however,  the possibility remains for the interested party to exercise the right to object even if only partially. Therefore, the interested party can choose to receive only communications via traditional methods or automated communications or neither of the two types of communication.
Where applicable, it is also possible to exercise the rights referred to in Articles 16 to 21 of the GDPR (Right of rectification, right to be forgotten, right of limitation of treatment, right to data portability, right of opposition), as well as the right of complaint to the Guarantor Authority.

7. WHAT DATA DO WE PROCESS?
7.1. Navigation data
The computer systems and software procedures used to operate these websites acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols.
This is information that is not collected to be associated with identified interested parties, but which by its very nature could, through processing and association with data held by third parties, allow Users to be identified. This category of data includes IP addresses or domain names of the computers utilized by Users connecting to the Site, the addresses in the Uniform Resource Identifier (URI) notation of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (success, error, etc.) and other parameters relating to the operating system and the User's computer environment. This data is used for the sole purpose of obtaining anonymous statistical information regarding the use of the Site and to check its correct functioning and is deleted immediately after processing.
The data may be used to ascertain responsibility in case of hypothetical computer crimes against the Site.

7.2. Data provided voluntarily by the User
Following optional, explicit and voluntary consent expressed beforehand by the party interested in the use of this integrated service on this Site or in the addresses indicated on this Site, HESA will collect and store the data received, including the e-mail address, for the time necessary to respond to requests, for the purpose of exchanging information or contacts.
Specific summary information will be progressively reported or displayed on the pages of the Site prepared for particular services on request or for particular categories of data.

7.3. Cookies
For information regarding cookies, please refer to the specific Cookie Policy.

8. DOES HESA PROCESS DATA RELATING TO MINORS? 
As a general rule, we do not intentionally collect personal data regarding minors. If we discover that we have inadvertently collected personal data from such individuals, we will act to eliminate such data as soon as possible, except where the applicable law requires us to conserve it.

9. OPTIONALITY OF DATA SUPPLY
Besides that specified for navigation, the User is free to provide the personal data contained in the request forms or indicated in contacts  to request, for example, the sending of informative material or other communications. Failure to provide such data may make it impossible to obtain what has been requested. For completeness of information, it should be remembered that in some cases (not subject to the ordinary management of this Site) the Authority may request information pursuant to Article 157 of Legislative Decree n. 196/2003, for the purpose of monitoring the processing of personal data. In such cases response is mandatory under penalty of administrative sanction.
The Site offers certain services to be used for which the User is required to provide additional data, qualifiable as personal data. For example, the registration to the Site, access to reserved areas and the purchase of HESA products and services, are all activities that involve the conferment by the User of personal data that will allow HESA to uniquely identify the Users such as, by way of example, name, surname, date of birth, address of residence and/or domicile, telephone number, e-mail address, credit card details. It is expressly understood that the submission of such personal data is optional, but becomes mandatory in order to allow the User to access certain services of the Site. The refusal to supply such data, therefore, does not imply any consequences for the User, but in the absence of the relevant submission of data HESA will be unable to provide the User with certain services.
In order to promote and improve its products, services and content, HESA reserves the right to aggregate personal data and non-personal data. In this case, non-personal data will be processed as personal data until it is aggregated to the latter.

10. REDIRECT THROUGH SOCIAL PLUGIN
During navigation it is possible to use the direct marketing social media plugins. Social media plugins are special tools that allow you to incorporate the features of the social network directly within the Site (e.g. the "Like" function on Facebook). When you visit a page on the Site and interact with a plugin (e.g. by clicking on the "Like" button) or you decide to leave a comment, the corresponding information is transmitted from the browser directly to the social network platform (in this case Facebook) and stored by it. All the social plug-ins on the site are marked by the respective logo owned by the social network platform. For information on the purposes, type and methods of collection, processing, use and storage of personal data by the social network platform, as well as for the methods in which to exercise their rights, please consult the privacy policy of the related social network.

11. LINK TO THIRD PARTY SITES
From our Sites it may be possible to connect through appropriate links to other third-party websites.
HESA does not control or perform monitoring operations on these websites or on their contents. Our Sites provide links to these websites solely to help Users search and browse and to facilitate hypertext links on the Internet to other websites. The activation of such links does not entail any form of recommendation or signalling by HESA to access and browse such websites, nor any guarantee regarding their contents, services or goods supplied and sold to Users. We therefore decline any responsibility regarding the contents of these Sites and the rules adopted by them, including with regard to the protection of personal data and the related processing during browsing (navigation) within the Sites in question.

12. PURPOSES AND METHODS OF DATA PROCESSING
12.1. Data collected from the Internet
Following consultation of this Site, data relating to identified or identifiable persons may be processed.
The conferment of data is optional, however, the same could in some cases be indispensable for the performance of specific activities and therefore, failure to provide it would create an impediment for HESA regarding the provision of services and information. Failure to provide all data except that which is not attributable to legal, tax and contractual obligations will be assessed by the writer from time to time and will determine the consequent decisions, related to the importance for the writer of the data requested and not conferred. In particular, for the purposes defined in point "12.2. Data provided voluntarily by the User and collected for the execution of services", the User will be required to express, in accordance with Article 23 of the Data Protection Act, the free and informed consent to the processing of data, through the specific signing of appropriate documentation drawn up for envisaged processing operations where processing is likely to be envisaged.
Personal data may be communicated by the Holder exclusively for the attainment of the specific purposes indicated in this informative notice, to subjects, internal and external, to the Holder’s organisation, who will process your data in accordance with the instructions received from the Company in the role as managers, persons in charge, system administrator or in total autonomy, as distinct data Holders.
The internal subjects are the appointed managers or persons in charge of the aforementioned processing.
External subjects are external collaborators such as: managers or processors, postal and shipping services, banking institutions, law firms, accounting and tax consultancy firms, IT systems management services, IT systems maintenance services, as well as all the subjects to whom the faculty of access to the data and/or the obligation of communication is recognized by virtue of regulatory provisions or judicial authorities.
No data is communicated or disseminated unless expressly specified in the informative notes drawn up for the specific processing for which you will be requested to express explicit and separate consent to the interested party. Likewise, if the acquisition of sensitive data is necessary, you will be requested to provide explicit and separate consent to the interested party.
The technical data on access to the Site, as well as that collected from any e-mails sent by you, will not, in any case, be disclosed to third parties, nor will it be disseminated.

12.2. Data provided voluntarily by the User and collected for the execution of the services
The collection and processing of the User’s personal data will be in compliance with the general principles of necessity, correctness, relevance and non-excess and in particular the processing of data will be implemented for: 
  1. registration to the personal area or adhesion to the services offered by HESA through the Sites; 
  2. response to questions and provision of information requested by the User; 
  3. management of User requests, of a technical and commercial nature, relating to the progress of orders and also of a general nature;
  4. execution of activities, related to or necessary for the supply of HESA's services, including the communication of data to third-party companies which, by way of example, the implementation of activities related to or necessary for the supply of HESA's services or the management of payments on the Site;
  5. necessary and indispensable processing of an operational, administrational, accounting and/or any other nature. In particular, some data will be used for registrations and communications required by law;
  6. detection of the degree of satisfaction and preferences of the User; 
  7. consent for User access, following the registration and creation of the User profile on the HESA CLOUD SERVICES portal, to the reserved area for the provision of services, products and any other kind of request and the subsequent and autonomous management of the User’s own profile via the control panel;
  8. management of payments, including anti-fraud control in the case of payment by credit card;
  9. sending, after obtaining consent, of advertising material, information and commercial information, as well as the transfer to third parties of the data processed for commercial purposes also for sale or possible sale purposes, or for all commercial and/or statistical purposes lawful according to current legislation. The consent given for sending commercial and promotional communications pursuant to art. 130, paragraphs 1 and 2, of the Code (so-called "Direct Marketing") implies consent to the receipt of communications not only via automated methods, but also through traditional methods (paper mail and telephone calls via operator). In these circumstances, the User is also given the right to express his consent to the receipt of the aforementioned communications exclusively through traditional methods of contact;
  10. User profiling, after obtaining consent, in order to allow HESA to process the User's consumer choices, habits and propensities and, consequently, to send to the User specific offers related to HESA products and services; 
  11. subscription to the "NEWSLETTER" service to which the User has the right to register for during the registration process in the reserved area. If the personal data provided by the User is provided when registering to the aforementioned service, the same will be used for the sole purpose of sending the newsletter and will not be disclosed to third parties. For further details, it is possible to consult the dedicated informative notice.

13. EXERCISE OF THE RIGHTS OF THE INTERESTED PARTY
The interested party at any time can exercise towards the data Holder the rights provided for in art. 7 of the applicable Code and by articles 15 to 22 of the Regulations, by contacting HESA S.p.A., with registered office in Via Triboniano 25, 20156 Milano, Tax Code and VAT no. 09193370153 by e-mail: privacy@hesa.com.


14. UPDATE OF THIS POLICY
This Privacy Policy regulates the processing of personal data released by the User when browsing the Site and may be amended or simply updated, in whole or in part, also in consideration of changes in the laws or regulations governing the protection of personal data. Changes and updates to this Privacy Policy will be made known to Users as soon as they are adopted and will be binding as soon as they are published on the Site. 
HESA therefore invites Users to access this page regularly in order to verify the publication of the most recent and updated version of the Privacy Policy. For this purpose, the document provides the date of updating.


 Last updated 04 July 2018