Policy on the processing of personal data

With this policy pursuant to Article 13 of EU Regulation no. 2016/679 on the protection of personal data (hereinafter the “GDPR” or “Regulation”), Th.Kohl S.r.l (hereinafter “Th.Kohl” or the “Data Controller “) describes how the personal data of users (hereinafter “data subjects”) who access and visit the website are processed www.thkohl.it and guarantees that their personal data shall be processed in compliance with the principles of lawfulness, correctness and transparency in accordance with the provisions of the GDPR and in accordance with the following information.

The policy is valid only for the aforementioned website and not for other links/websites that may be present on the website, such as, for example, Facebook, Twitter, LinkedIn, YouTube pages, for which users are asked to read the respective policy provided by the data controllers.

1. Data controller
The data controller is Th.Kohl S.r.l with headquarters at Viale dell’Industria, 37 37030, Badia Calavena (VR) – email: info@thkohl.it

2. Types of data processed

• Browsing data: During normal operation, the computer systems and software procedures used to operate the website acquire certain personal data, the transmission of which is implicit in the use of Internet communication protocols. This information is not gathered in order to be associated with identified data subjects but, by its very nature, could, through processing and association with data held by third parties, enable users to be identified. This category of data includes IP addresses or the domain names of the computers used by users connecting to the website, the URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user’s operating system and computer environment. This data is used for the sole purpose of obtaining anonymous statistical information on the use of the Website and to check its correct functioning, to identify anomalies and/or abuses and is deleted immediately after processing. The data could be used to ascertain liability in the event of alleged computer crimes against the website or third parties: except for this possibility, at present, the data on web contacts do not persist for more than seven days;
• data provided voluntarily by the user by filling in the “Information Request” form (name, surname, address, city, email address and telephone number);
• email address and any other personal data contained in email messages and/or their attachments, sent to the addresses specified on the Website in order to carry out the processing activities necessary to respond to the user’s requests.

3. Purpose and legal basis of processing
Th.Kohl shall use your data exclusively for the purpose of:

• executing a specific request made by the user or providing the requested service (“Service”) by filling in the “Information Request” form;
• responding to a specific user request sent to the email addresses and contact details specified on the Website;
  sending the Newsletter and updates on industry insights and news;
• carrying out customer satisfaction (“Customer Satisfaction”) surveys relating to the quality of the Company’s goods and services in accordance with a legitimate interest of the Company;
• sending commercial communications and advertising regarding the Company’s products and services or carrying out market research (“Marketing”);
• carrying out profiling activities to analyse your behaviour, habits and propensity to consume in order to improve the products and services provided by the Company and to meet your expectations;
• improving the user experience on the company’s websites.

The processing of data for marketing and profiling purposes (and possibly for the transfer of data to third parties) shall be carried out subject to your consent, as provided for in Article 6 paragraph 1 section a) of the GDPR.

The provision of data is optional. However, refusal to provide data shall make it impossible to receive the newsletter service.

We shall not use your personal data for purposes other than those described in this policy, unless we inform you in advance and, where necessary, obtain your consent.

4. Data processing methods
Personal data relating to employees shall be processed by means of archives and paper media or with the aid of computer and electronic media, whilst respecting their confidentiality.

5. Data retention time
In accordance with the principles set out in the GDPR, your personal data shall be retained from the time of their receipt/update until you withdraw your consent.

6. Communication and dissemination of data
Parties that may become aware of your personal data, within the limits strictly necessary to fulfil the aforementioned purposes, are as follows:

• persons authorised to process personal data by Th.Kohl;
• the suppliers of the applications used to send the newsletters;
• associated companies of Th.Kohl S.r.l.

If the user connects to the site through an active Google account, Google LCC may obtain additional information about the user that cannot be controlled by the Data Controller.

Under no circumstances shall your personal data be disclosed, disseminated, assigned or otherwise transferred to third parties for unlawful purposes nor, in any case, without providing data subjects with appropriate information and obtaining their consent where required by law.

Personal data shall not be transferred abroad to non-EU countries or international organisations that do not guarantee an adequate level of protection, recognised under Article 45 of the GDPR, based on an adequacy decision made by the EU Commission.

In the event that it becomes necessary for the provision of services, the transfer of personal data to non-EU countries or International Organisations, for which the Commission has not adopted any adequacy decision pursuant to Article 45 of the GDPR, shall only take place if there are adequate safeguards provided for by the recipient country or Organisation, pursuant to Article 46 of the GDPR and provided that the data subjects have enforceable rights and effective remedies. In the absence of an adequacy decision by the Commission, pursuant to Article 45 of the GDPR, or adequate safeguards, pursuant to Article 46 of the GDPR, including binding corporate rules, cross-border transfers shall only take place if one of the conditions set out in Article 49 of the GDPR is met.

7. Rights of the data subject
Data subjects are entitled to the rights, in the cases and within the limits provided for by the Regulation, as set out in Articles 15 to 22. By way of example, each data subject may:

• request confirmation of the existence or otherwise of their personal data (Article 15 paragraph 1);
• obtain information regarding the purposes of the processing, the categories of personal data, the recipients or categories of recipients to whom the personal data have been or shall be disclosed and, where possible, the retention period (Article 15 paragraph 1 section a, c);
• obtain the rectification and erasure of data (Articles 16 and 17);
• obtain the limitation of processing (Article 18);
• obtain, from the data controller, information on the recipients to whom the personal data have been transmitted and any rectification, erasure or limitation of processing (Article 19);
• obtain the portability of data, i.e., receive them from a data controller, in a structured, commonly used and machine-readable format and transmit them to another data controller without hindrance (Article 20);
• object to automated decision-making concerning individuals, including profiling (Articles 21 and 22);
• where processing is based on consent, the right to withdraw said consent at any time (Article 7 paragraph 3);
• where a personal data breach is likely to present a high risk to the rights and freedoms of individuals, the data controller shall notify the data subject of the breach without undue delay (Article 34);

In order to ensure that the aforementioned rights are exercised by the Data Subject and not by unauthorised third parties, the Data Controller may request the Data Subject to provide any further information necessary for this purpose.

8. Exercising the rights of the data subject
The rights referred to above may be exercised by making a request to the Data Controller, either directly or via an authorised person, verbally or by sending an email to the following address: privacy@thkohl.it The request is made freely and without formality by the data subject, who has the right to receive an appropriate response within a reasonable period of time, depending on the circumstances of the case.

In order to exercise their rights, data subjects may make use of non-profit bodies, organisations or associations, the statutory objectives of which are in the public interest and which are active in the field of the protection of the rights and freedoms of data subjects as regards the protection of personal data, granting, for this purpose, an appropriate mandate. Data subjects may also be assisted by a trusted person.

To find out about your rights, file a complaint and be kept up-to-date on the legislation on the protection of persons as regards the processing of personal data, you can contact the Italian Data Protection Authority by visiting the website http://www.garanteprivacy.it/.