Language

Highstreet.io: your one stop solution for feed management

Boost your eCommerce with an advanced data feed management platform.

1174x733

INFORMATION ON THE PROCESSING OF PERSONAL DATA of Univerce S.r.l.

Pursuant to articles 13 of Regulation (EU) 2016/679

This information is provided in accordance with the European General Data Protection Regulation EU 2016/679 ("GDPR") and subsequent amendments and/or supplements as well as national legislation or regulations on the processing of personal data as applicable from time to time ("Privacy Legislation") to ensure that the processing of personal data is carried out in accordance with the rights and freedoms of persons with particular regard to the protection of personal data.

The term "personal data" means any information relating to a natural person who is identified or identifiable, even indirectly, by reference to any other information, including a personal identification number.

The term "processing" means any operation or set of operations, whether or not by automated means, applied to personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, comparison or interconnection, restriction, erasure or destruction.

The term "data subject" means the natural person to whom the personal data refer.

1. Data controller

Univerce S.r.l, registered office in Via Dell'Industria, 25 - Porto Sant'Elpidio 63821 and P.I. 01668090440, acts as the Data Controller ("Controller" or "Univerce") of the data for the purposes set out in paragraph 3 below and belongs to the Impresoft Group.

The list of companies belonging to the Impresoft Group can be found in the following section of the Impresoft S.p.A. website www.impresoftgroup.com/it/le-aziende-del-gruppo ("Group Companies"). The Data Controller can be reached at the following e-mail address: dpo@theuniverce.com

The Owner has appointed a Data Protection Officer, who can be contacted at the following address: dpo@impresoft.com.

2. Sources and Type of Data Processed

Data are collected directly from the customer/potential customer and may include, but are not limited to, the following:

  • first and last name;
  • contact information (e-mail address, phone number);
  • data related to professional life (role/duties within the company).

3. Purpose and legal basis of the processing carried out by the Controller

The Data Controller may process the personal data of the data subject for the following processing purposes:

  1. Purposes strictly related and instrumental to the establishment and management of a contract to which the data subject is a party pursuant to Article 6 paragraph 1 letter b) GDPR. The provision of personal data does not require consent, but is necessary to perfect, execute or continue the contractual relationship with the Owner.

  2. Responding to requests for information made by the data subject to the Data Controller. The provision of personal data does not require consent as the processing is necessary to execute pre-contractual measures taken at the request of the data subject pursuant to Article 6 paragraph 1 letter b) GDPR.

  3. Fulfilment of legal obligations, by regulations, by EU legislation, by provisions issued by authorities empowered to do so by law or by supervisory and control bodies pursuant to Art. 6 paragraph 1 lett. c) GDPR. The provision of personal data for the purposes referred to in this point is mandatory and its processing does not require consent.

  4. Purposes of business analysis in an anonymous form: to improve the business and its services (e.g. detection of the degree of customer satisfaction on the quality of services rendered and on the activity carried out by the Owner, the elaboration of studies and market research). The provision of personal data is not compulsory and its processing does not require consent due to the existence of legitimate interest of the Data Controller to carry out business analysis activities in accordance with Art. 6 par. 1 lett. f) GDPR.

  5. Marketing purposes for the promotion and sale of products and services similar to those already purchased by the data subject (so-called soft spam), through commercial communications transmitted by e-mail. The provision of data is not compulsory and their processing does not require consent due to the existence of legitimate interest of the Data Controller under Art. 6 par. 1 lett. f) GDPR to carry out marketing activities towards its customers.

  6. Own marketing purposes with recourse to automated contact tools (such as call without operator, e-mail) or through traditional contact tools (call with operator), directly or through third party companies, with reference to its products and services i) transmit and/or propose by telephone, informative, commercial, advertising and promotional material, including personalized/specific interest ii) transmit newsletters and invitations regarding events and initiatives. The provision of data is not compulsory and their processing requires consent, which may be given and revoked even for some of the above activities, by writing to the e-mail address below. If the data subject fails to provide personal data, the data subject will not be able to receive information on the products and/or services offered by the Data Controller, but there will be no consequences on the existing contractual relationship with the Data Controller.

  7. Communication of data to the Group Companies that, with reference to its own products and services and those of the Group Companies belonging to the ICT and consulting sector, may, with recourse to automated contact tools (such as call without operator, e-mail) or through traditional contact tools (call with operator), directly or through third party companies, i) transmit and/or propose by telephone, informative, commercial, advertising and promotional material, including personalized/specific interest ii) transmit newsletters and invitations regarding events and initiatives. The provision of data is not compulsory and their processing requires the consent of the person concerned, which may be revoked at any time without affecting the processing given before the revocation.

  8. Judicial defense: if necessary to ascertain, exercise or defend one's rights in court. The provision of personal data is compulsory and its processing does not require consent due to the existence of legitimate interest of the Data Controller in accordance with Art. 6 par. 1 lett. f) GDPR.

4. Place and manner of processing of personal data

In relation to the stated purposes, the processing of personal data is carried out using manual, computerized and telematic tools with logic strictly related to the purposes and, in any case, in such a way as to ensure the security and confidentiality of the data.

Univerce will process the personal data of the interested party exclusively with technical personnel in charge of such processing, with mainly automated and computerized methods, suitable to guarantee, in relation to the purposes for which the data are processed, security and confidentiality, as well as to prevent unauthorized access to the data. Univerce does not perform automated decision-making processes.

The processing of the collected data takes place at the premises of Univerce and the service providers identified by it and appointed, where necessary, as data processors pursuant to Article 28 of the GDPR.

The data collected and processed by the Data Controller is stored in the CRM common to the Group Companies that resides in HubSpot's server which has its servers in Europe ("HubSpot CRM").

5. Storage of personal data

The data subject's personal data will only be kept for as long as necessary to achieve the purposes for which they are collected, in accordance with the principle of minimization under Article 5.1.c) of the GDPR.

In particular, with regard to processing for marketing purposes, the data will be processed and stored until the data subject's consent is revoked. In any case, the data subject can always request the interruption of the processing or the deletion of his or her data, as provided below.

The Data Controller may retain some data even after the termination of the relationship depending on the time necessary for the management of specific contractual or legal obligations as well as for purposes of administrative, tax and/or contribution period of time imposed by laws and regulations in force, as well as for the time necessary to enforce any rights in court.

In any case, the data are processed not only in compliance with current regulations, but also according to the canons of confidentiality to which the Data Controller has always been inspired.

Retention times will vary depending on the type of data processed, but, in general, Univerce refers to these criteria to determine the retention period:

  • If there is a legal or contractual need to retain the data.
  • If the data is necessary to provide its services.

6. Categories of parties to whom the data may be communicated

The Data Controller may disclose personal data in fulfillment of legal obligations and to service providers who will act as autonomous Data Controllers or will be designated as Data Processors pursuant to Article 28 of the GDPR should they process data on behalf of the Data Controller and are essentially included in the following categories listed by way of example but not limited to:

  • entities that perform banking services, including entities involved in the management of payment systems;
  • persons, companies, associations or professional firms that provide services or activities of assistance and consultancy to the owners, with particular but not exclusive reference to issues in accounting, administrative, legal, tax and financial, commercial matters;
  • business, marketing, legal partners, suppliers of technical services and/or software platforms, system administrators, hosting providers, IT companies, communication agencies;
  • Individuals who carry out control, audit and certification tasks of the activities put in place.
  • Group Companies that provide services of an IT nature (e.g., make available the HubSpot CRM or provide support, maintenance, assistance and development of the HubSpot CRM itself);
  • all Group Companies, only in the event that the data subject has consented to the purposes referred to in point 7) of paragraph 3 above.

The updated list of names of the subjects to whom the personal data of data subjects may be communicated and/or transferred is available from Univerce by contacting us at: dpo@theuniverce.com.

7. Transfer of data outside the EU

The possible transfer of data to Third Countries outside the EU for the purposes indicated in paragraphs 3 and 4 above, may take place, in compliance with the modalities allowed by the law in force and in particular according to the provisions of the GDPR set out in: i) art. 44 - General principle for transfer; ii) art. 45 - Transfer on the basis of an adequacy decision; iii) art. 46 - Transfer subject to adequate safeguards; iv) art.49 - Exceptions in specific situations.

The data of the data subject is shared, if specific consent is given, with the to the Group Companies in the HubSpot CRM. Among the Group Companies is the Company Kipcast S.r.l which is based in Canada. The transfer of data to this Company is guaranteed by the European Commission's Adequacy Decision 2002/2/EC of December 20, 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data under the Canadian Personal Information Protection and Electronic Documents Act.

8. Rights of the data subject

Under Articles 15-22 of the GDPR, data subjects are granted specific rights. In particular, the data subject may obtain from the Data Controller: access, rectification, erasure, restriction of processing, withdrawal of consent as well as portability of data concerning him/her. The data subject also has the right to object to the processing for legitimate reasons and/or for commercial purposes.

The Data Controller undertakes to respond as soon as possible to the data subject after verifying his/her identity where necessary.

In the event that the right to object is exercised, the Data Controller reserves the right not to act on the request, and thus to continue the processing, in the event that there are compulsory legitimate reasons to proceed with the processing that prevail over the interests, rights and freedoms of the data subject.

As for marketing purposes, this is without prejudice to the possibility for the data subject who has given his or her consent

  • to request, at any time and free of charge, to receive communications exclusively through traditional means of contact such as operator calls;
  • to object, at any time and free of charge, to the processing of data for the aforementioned purposes. In this case, the right to object to the processing of data through automated modes of contact (such as e-mail and telephone calls without an operator), extends to traditional modes of contact (such as telephone calls through an operator);
  • to object, at any time and free of charge, to the processing of data for the above-mentioned purposes only in part, i.e. by expressing a choice about the contact mode.

The above rights may be exercised by sending a written communication to the following e-mail address: dpo@theuniverce.com.

The data subject is informed that, pursuant to Article 12 of the GDPR, if the data subject's requests are found to be manifestly unfounded or excessive, in particular due to their repetitive nature, the Data Controller may: a) charge a reasonable fee, taking into account the administrative costs incurred in providing the information or communications or taking the requested action or b) refuse to comply with the request.

The data subject also has the right to lodge a complaint before the Data Protection Authority.

Last updated: 06/03/2024