Last update: December 2022.
Welcome to our website cmcsolutions.com (the “Website”).
This privacy notice (“Notice”) applies to the processing of your personal data carried by C.M.C. S.p.A. (hereinafter, “C.M.C.” or “Data Controller”) through the Website, in compliance with the Regulation (EU) 2016/679 (“GDPR”), with the Italian Legislative Decree 196/2003 as further amended, with the relevant measures and guidelines of the national and European data protection authorities, as well as the applicable national and European laws and regulations (collectively, the “Applicable Law”).
Some services offered by the Data Controller may be subject to specific notices; if so, it will be our care to provide you, from time to time, with all the relevant information.
1. Contact details of the Data Controller
The data controller is C.M.C. S.p.A., with registered office at via Carlo Marx, 13/C, 06012, Città di Castello (PG), Italy, tax code and VAT number 02969060546.
For any request relating to your personal data processing, you can contact us by sending a letter by mail to our registered office or an e-mail to privacy@cmcsolutions.com.
2. Categories of processed data, purpose of processing and legal basis
We will process your personal data, both by manual and automated means, for the purposes and according to the legal basis described below.
| Purposes | Legal basis | Categories of data processed |
|---|---|---|
| (i) To allow you to use the Website and use the contents made available on the Website. | Performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (art. 6(1)(b) GDPR). | Details of the web browser used and of the IP address and any further data related to browsing. |
| (ii) To evaluate your CV in the event of a job application. | Performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (art. 6(1)(b) GDPR). |
Identification and contact data and the content of the documentation that you want to share with us. |
| (iii) To send you informative and commercial communications, newsletters and/or market research on the Data Controller's products and/or on the Data Controller's commercial partners’ products, such as promotions, through automated tools (e.g., e-mail) and through non-automated tools (e.g., paper mail) without sharing your data with third parties. The above-mentioned communications will be sent you via e-mail, unless you have also provided other contact details, as well as consented to the receipt of such communications. | Consent of the data subject (art. 6(1)(a) GDPR). | The identification and contact data you provide us with (i.e. name, surname, e-mail address and any other contact details, if any). |
| (iv) To process and reply to any requests you made through the contact channels indicated on the Website (e.g., customer service or providing you with the material or clarifications you requested, book one of our training). | Performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (art. 6(1)(b) GDPR). | The personal data collected through the Website (e.g., details on the web browser used and the IP address), as well as your contact details and the information you provided and/or the information necessary for the management of your requests (e.g., name and surname, subject of the request, email address, company name, country). |
| (v) To fulfil legal obligations and respond to requests made by competent authorities. | Compliance with a legal obligation to which we are subject (art. 6(1)(c) GDPR). | Any information which may be required to provide in order to comply with the applicable law or to follow up on requests made by any competent public authorities. |
| (vi) To protect our rights and those of our employees and collaborators, in and out of court. | Pursuing our legitimate interest or a third-party’s one (art. 6(1)(f) GDPR). | Any information needed to ensure that this purpose is pursued. |
| (vii) To carry out extraordinary transactions concerning the Data Controller (including mergers, acquisitions, transfers, corporate reorganizations, corporate restructurings), to the extent strictly necessary to serve this purpose and on the basis of the legitimate interest of the Data Controller subject to an appropriate balance with the fundamental rights and freedoms of the data subject. | Pursuing our legitimate interest or a third-party’s one (art. 6(1)(f) GDPR). | Only the information needed to pursue this purpose. |
To find out how we process your data through the use of cookies, you can consult our Cookie Policy.
3. Nature of provision
The personal data collected for the purposes under no. (i), (ii), (iv) and (v) of section 2 above will be processed as they are necessary to perform a contract to which you are a party and/or pre-contractual measures taken upon your request, as well as to fulfill a legal obligation to which the Data Controller is subject. The provision of such data is optional, but if you do not provide us the requested data we will not be able to allow you to use the Website and its features, examine your CV, or respond to your requests.
The data collected for the purpose under no. (iii) of section 2 above will be processed only with your freely given, specific, informed and unambiguous consent. The provision of your personal data for this purpose is not necessary to use of the Website and its features, however failure to provide them will not allow you to receive communications on the commercial initiatives of C.M.C. on its own products and/or those of its commercial partners. Your consent, if provided, may be withdrawn at any time, without prejudice to the lawfulness of the processing based on the consent before withdrawal. Your consent may be withdrawn by clicking on the link "unsubscribe" at the bottom of each communication or by sending an email to the address indicated in this Notice. Any refusal of consent, or its subsequent withdrawal, will only result in the inability to receive commercial communications from C.M.C., while it will not prevent you from continuing to use the Website and its features.
The personal data collected for the purposes under no. (vi) and (vii) of section 2 above will be processed on the basis of the legitimate interest of C.M.C. or third parties. The right to object can be exercised by contacting the Data Controller at the contact details indicated in this Notice. Any exercise of the right to object could affect your ability to continue using the Website or its features. For more information on the legitimate interests pursued and on the related balancing judgments carried out by the Data Controller, it is possible to send a communication to the contact details indicated in this Notice.
4. Storage of data
Your personal data will be kept for a period of time not exceeding the period of time strictly necessary to pursue the purposes for which they are collected, as well as for any longer period necessary to fulfill legal obligations and/or for judicial protection purposes, and in any case no longer than the ordinary period of limitations. At the end of the storage period, your personal data will be deleted or made anonymous.
In particular, your personal data, processed for the purposes under section 2 above, are stored in compliance with the terms and criteria specified below:
- Purposes (i), (v), (vi) and (vii): the personal data collected for these purposes will be kept for the time strictly necessary to serve these purposes, unless it is necessary to keep them longer in order to fulfill a legal obligation, an order from an Authority or defend our rights.
- Purpose (ii): the personal data collected further to the receipt of a CV will be kept up to 12 months after the end of the recruitment process.
- Purpose (iii): your personal data will be processed to send commercial communications, newsletters and/or market research until you decide to withdraw the consent given; in any event after 24 months from your last interaction with our services your data will in any case be deleted or made anonymous.
- Purpose (iv): the data collected to follow up on your requests will be kept until your request is met, unless it is necessary to keep them longer in order to fulfill a legal obligation, an order from an Authority or defend our rights.
More detailed information regarding the retention periods is available upon request, by contacting the Data Controller at the contact details indicated in this Notice.
More detailed information regarding the retention periods is available upon request, by contacting the Data Controller at the contact details indicated in this Notice.
5. Transfer of data outside the European Economic Area
Insofar as it is necessary for the pursuit of the purposes mentioned under section 2 above, your personal data may be transferred outside the European Economic Area ("EEA").
Whenever your personal data are transferred outside the EEA and, in particular, to countries that do not benefit from an adequacy decision of the European Commission, we will adopt one of the safeguards set out in the Applicable Law, for example by signing the standard contractual clauses adopted by the European Commission, keeping them updated, and we will take any further appropriate technical, organizational and/or contractual measure to ensure a level of protection of your personal data that is adequate and, in any case, essentially equivalent to the one guaranteed within the EEA.
The list of countries outside the EEA to which we can transfer your personal data is available upon request, by contacting us at the contact details indicated in this Notice.
6. Persons or categories of persons to which the personal data may be communicated or which may know your personal data
For the purposes under section 2 of this Notice, the data you provide may be processed by the following categories of persons:
a. authorized C.M.C. personnel, who received specific instructions for the processing operations described in this Notice;
b. third parties which carry out activities connected or instrumental to the activity of C.M.C. (such as, for example, suppliers responsible for the maintenance and development of the IT systems, C.M.C.’s service providers concerning IT and telematic services, archiving, couriers and/or other administrative, accounting or legal services);
c. third parties which carry out activities related to or instrumental to the activity of the Data Controller (such as, for example, professionals, legal and / or tax consultants, companies involved in possible mergers, spin-offs or other extraordinary transactions, business organizations to which the Company adheres).
d. independent authorities, law enforcement entities or judicial and administrative authorities for their institutional purposes to the extent permitted by law, as well as for the assessment and prosecution of crimes, the prevention and protection from threats to public security, to allow C.M.C. to ascertain, exercise or defend a right in court, as well as for other reasons related to the protection of the rights and freedoms of others.
These persons will act, as the case may be, as independent data controllers or data processors, in the latter case by virtue of a specific written agreement concerning the processing of personal data and following the instructions given by the Data Controller. The list of recipients of your data is available upon request, by writing to C.M.C. at the contact details indicated in this Notice.
Your data may also be collected by third parties when you accept third party cookies. Please consult our Cookie Policy for further information.
Your personal data will not be disseminated.
7. Your rights
To the extent that they are applicable to the processing described in this Notice, you can exercise the rights under articles 15 et seq. of the GDPR:
a) Right of access (art. 15 of the GDPR): the right to obtain from the Data Controller confirmation as to whether or not personal data concerning you are being processed and if so, to obtain access to the personal data and the following information: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular if recipients in third countries or international organizations; (iv) when possible, the envisaged retention period of the personal data or, if not possible, the criteria used to determine this period; (v) the right to lodge a complaint with a supervisory authority; (vi) if personal data are not collected from you, all available information on their origin; (vii) the existence of automated decision-making, including profiling, as well as meaningful information on the logic used and the expected consequences of such processing;
b) Right of rectification (art. 16 of the GDPR): the right to obtain the rectification of inaccurate personal data concerning you without undue delay as well as, taking into account the purposes of the processing, the right to obtain the integration of incomplete personal data, including by providing a supplementary statement. Also, for this purpose, we remind you that you wish to notify the Data Controller, using the contact details indicated in this Notice, of any change and/or update of the personal data processed always in accordance with this Notice;
c) Right of erasure (so-called right to be forgotten, art. 17 of the GDPR): the right to obtain the deletion of personal data concerning you where one of the following grounds applies: (i) the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed; (ii) the personal data is being processed unlawfully; (iii) you have withdrawn the consent under which the Data Controller had the right to process your personal data and there is no other legal basis for the Data Controller to process it; (iv) you have objected to the processing activity and there is no overriding legitimate grounds for the data processing; (v) the personal data must be erased to fulfill a legal obligation. However, C.M.C. has the right to disregard the exercise of the rights of erasure in the event that this is necessary for the compliance with a legal obligation or for the establishment, exercise or defence of legal claims;
d) Right to restriction of processing (art. 18 of the GDPR): the right to obtain from the Data Controller the restriction of processing when one of the following applies: (i) if you have contested the accuracy of personal data concerning you, for the period necessary for the Data Controller to verify the accuracy of such personal data; (ii) in case of unlawful processing of your personal data, if you object to its erasure; (iii) the Data Controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims; (iv) for the period necessary for the verification as to whether the legitimate reasons of the Data Controller prevail over your request to object to the processing;
e) Right to data portability (art. 20 of the GDPR): the right to receive in a structured, commonly used and machine-readable format your personal data provided to the Data Controller and processed by the Data Controller based on your consent or a contract with you, as well as the right to transmit such personal data to another data controller without hindrance;
f) Right to object (art. 21 of the GDPR): the right to object at any time, for reasons related to your particular situation, to the processing of personal data carried out on the basis of the legitimate interest of the Data Controller. This is without prejudice to the possibility for the Data Controller to continue the processing by demonstrating the existence of compelling legitimate reasons that override the interests, rights and freedoms of the data subject;
g) Right to withdraw consent (art. 7 of the GDPR): the right to withdraw, at any time, a consent that may have been given. Such withdrawal shall not affect the lawfulness of the processing based on the consent given prior to the withdrawal.
Furthermore, if you believe that your personal data processing breaches the principles set forth by the Applicable Law, you can lodge a complaint with the judicial authority or the data protection authority in the Member State of your habitual residence, place of work or place of the alleged infringement. The competent data protection in authority in Italy is the Italian Data Protection Authority (i.e. il Garante per la protezione dei dati personali – the “Authority”). More information on how to lodge complaints is available on the website of the Authority, at http://www.garanteprivacy.it.
The above listed rights may be exercised at any time by sending a letter by mail to our registered office, or by e-mail to privacy@cmcsolutions.com.
8. Changes and updates to the Notice
The evolution of our services may lead to changes to the features of your personal data processing described so far. As a consequence, this Notice may undergo changes and additions over time, which may also be necessary to comply the applicable laws and regulations. We therefore invite you to periodically check this page to make sure that nothing has changed: where possible, we will try to timely inform you about the changes made and their consequences.
In any case the updated version of the Notice will be published on this page, indicating the date of its last update.
