Privacy Policy

relating to the data collected by the company Buono e Onesto S.r.l. through the website www.buonoeonesto.it
in compliance with articles 13 and 14 of EU Regulation 679/2016 and with Legislative Decree 101/2018, which amends and supplements Legislative Decree 196/2003

Dear User,

we wish to inform you that the European Regulation 679 of 27 April 2016 on the processing of personal data provides for the protection of individuals with regard to the processing of personal data.

Pursuant to articles 13 and 14 of the aforementioned Regulation and of the national legislation in force on the matter, we provide you with the following information related to the processing of the data you provide through the use of the website www.buonoeonesto.it and the forms contained therein:

1. Who is the controller of your data?

Buono e Onesto S.r.l. (VAT number: 04197610167), with registered office in via Caravaggio n. 45, 24047, Treviglio – BG – (hereinafter also referred to as “Buono e Onesto” or the “Data Controller”), acts as controller for the processing of the personal data of the User and of any co-obligated parties (jointly defined as the “Data Subject”) collected through the use of the website www.buonoeonesto.it, as referred to in paragraph 2 below, and can be contacted at the e-mail address commerciale@buonoeonesto.it.

2. Which of your data are processed?

Buono e Onesto processes the following personal data provided by the Data Subject:
  • URL, IP address, metadata, browser and cookies (in accordance with our cookie policy which can be consulted by clicking here);
  • name, e-mail address and content of the message sent to us by filling in the form in the “contact us” section of the website or by alternative means (e.g. direct e-mail).
The data listed above will hereinafter be jointly referred to as “data”.

3. For what purposes are your data processed?

The data will be processed by Buono e Onesto as Data Controller for:

  (a) allowing the user to browse the website and for the possible conclusion of contracts for products and services by the Data Controller;
  (b) fulfilling the pre-contractual, contractual and fiscal obligations deriving from existing relationships with the Data Subject;
  (c) fulfilling the obligations established by law, by a regulation, by community legislation or by an order of the Authority (such as, for example, in the field of anti-money laundering);
  (d) exercising the rights of the Data Controller, such as, for example, the right to defense in court.

The purposes referred to in points (a) to (d) are jointly defined as “Contractual Purposes”.

  (e) carrying out activities functional to any securitisations, assignments of credit and issue of securities, transfers of business and business unit, acquisitions, mergers, divisions or other transformations and for the execution of such operations;
  (f) carrying out checks aimed at preventing any fraud.

The purposes referred to in points (e) and (f) are jointly defined as “Legitimate Interest Purposes”.

  (g) promoting products and services by the Data Controller, also by sending advertising materials, commercial communications, carrying out market research and direct sales activities, both through traditional communication tools, such as mail on paper, and through remote communication tools, such as email, chat, telephone, SMS, video call, automatic call, instant message, chatbot, intelligent interactive automated communication systems, banners, social networks, search engines, notification systems and other remote communication tools.

The purpose referred to in point (g) is called “Marketing Purpose”.

4. On what basis are your data processed?

Data processing:

  • is mandatory for Contractual Purposes as necessary to use the website and to allow the possible execution of the contract between the Data Controller and the Data Subject, the supply of the products and services and of any information about them, in the cases referred to in letters (a) to (c) of the previous paragraph 3 and the fulfillment of legal obligations in the case referred to in letter (d) of the previous paragraph 3. The provision of the data is mandatory: if the Data Subject does not provide such data, the Data Controller will not be able to proceed with the stipulation of any contract and with the supply of the products and services. In the case of persons under the age of 16, parental consent or that of the person who is responsible for the Data Subject will also be required for the Contractual Purposes;
  • for the Legitimate Interest Purposes referred to in paragraph 3, letter (e), is carried out in pursuit of the legitimate interest of the Data Controller and its counterparties in carrying out the economic operations indicated therein pursuant to Article 6, letter f), of EU Regulation 2016/679, adequately balanced with the interests of the Data Subject, as the processing is carried out within the limits strictly necessary for the execution of these operations. The processing for the Legitimate Interest Purposes referred to in paragraph 3, letter (f), instead serves the pursuit of a legitimate interest of the Data Controller, adequately balanced with the interests of the Data Subject in light of the restrictions imposed on such processing and of the specific circumstances in which the processing takes place (see paragraph 3). The processing for the Legitimate Interest Purposes is not mandatory and the Data Subject may object to this processing as described in paragraph 8 below; if the Data Subject objects to this processing, his data cannot be used for the Legitimate Interest Purposes, unless the Data Controller proves the presence of compelling legitimate reasons that prevail, or the data are needed for exercising or defending a right pursuant to article 21 of the GDPR;
  • finally, for the Marketing Purpose better specified in letter (g) of the previous paragraph 3, is subject to the consent of the Data Subject. The processing of data for the Marketing Purpose is optional and, without consent, the Data Subject will not receive any commercial communication, will not participate in market research and will not receive customized communications and services. Failure to consent to the provision of the data for the Marketing Purpose does not in any way prejudice the contractual relationships established between the Data Subject and the Data Controller and the provision of the related services. At any time, the Data Subject may revoke any consent previously given by sending a written request to the Data Controller by e-mail communication to the address indicated in paragraph 1 of this policy.

5. How is your data processed?

The processing of the data provided by the Data Subject is carried out by means of the operations indicated in art. 4 no. 2) GDPR and precisely: collection, registration, organization, storage, consultation, processing, modification, extraction, use, communication by any available form, cancellation and destruction of data.

The data can be processed with manual or IT tools, suitable to guarantee its security, confidentiality and to avoid unauthorized access.

6. To whom is your data communicated?

The data may be communicated for Contractual Purposes to subjects who perform services connected and functional to the management of the present or future contractual relationship and, in particular, to the following categories of subjects located within the European Union:

  • suppliers of assistance, fiscal and legal advice services, including debt collection companies;
  • IT or archiving service providers, such as, among others, the company that issues and manages the digital signature certificate if the digital signature is used by the Data Subject to sign the contract.

The data may be disclosed for the Legitimate Interest Purposes referred to in paragraph 3, letters (e) and (f), to suppliers of assistance services, technical, fiscal and legal advice, assignees of credits in the context of securitization of credit or assignment of credit for purposes strictly connected and instrumental to the management of the relationship with the transferred Data Subject, as well as to a securities issue, assignees of company or business branch, potential buyers of Buono e Onesto S.r.l. and companies resulting from possible mergers, divisions or other transformations of Buono e Onesto S.r.l., also in the context of the activities functional to these operations, and to competent authorities.

Finally, the data may be communicated for the Marketing Purpose to service providers such as external data processors and, with the prior consent of the Data Subject, to the third parties referred to in paragraph 3, letter (g).

The above-mentioned subjects may act, as appropriate, as external data processors or independent data controllers. The updated list of the companies to which the Data Subject’s data will be communicated may be requested at any time from the Data Controller, by means of a specific request to be sent to the address referred to in paragraph 1 of this policy. Data will not be subject to further disclosure.

7. Are your data transferred abroad?

The data provided by the Data Subject may be freely transferred outside the national territory to countries located in the European Union. The Data Subject has the right to obtain a copy of the data held abroad and to obtain information about the place where such data is stored by sending a written request to the Data Controller by e-mail communication to the address indicated in paragraph 1 of this policy.

8. What are your rights in relation to the processing of your data?

The Data Subject, pursuant to and for the purposes of articles 15 – 22 of EU Regulation 679/2016, has the right to:

  • obtain confirmation from the Data Controller whether or not the data processing is in progress;
  • obtain access to data and information relating to the data processing;
  • obtain from the Data Controller the correction of inaccurate data without undue delay;
  • obtain the integration of incomplete data, also by providing an additional declaration;
  • obtain from the Data Controller the cancellation of data without undue delay;
  • obtain from the Data Controller the limitation of the processing:
      1. for the period necessary for the Data Controller to verify the accuracy of such data, when the Data Subject disputes its accuracy;
      2. when the processing is unlawful and the Data Subject opposes the deletion of the data, requesting instead a limited use of the data;
      3. when the data are necessary to the Data Subject for the assessment, exercise or defense of a right in court, although the Data Controller no longer needs them for processing purposes;
      4. when the Data Subject has objected to the processing pursuant to Article 21, paragraph 1 of EU Regulation 679/2016, for the entire period necessary to verify the possible prevalence of the legitimate reasons of the Data Controller with respect to those of the Data Subject;
  • receive the data provided to the Data Controller in a structured, commonly used and machine-readable format;
  • transmit this data to another Data Controller without hindrance by the Data Controller to whom this data was provided;
  • obtain the direct transmission of the data from one Data Controller to another, if technically feasible;
  • object at any time, for reasons connected with a particular situation, to the processing of personal data pursuant to article 6, paragraph 1, letters e) or f), including profiling;
  • not be subjected to a decision based solely on automated processing, including profiling, which produces legal effects or which significantly affects the Data Subject in a similar way;
  • lodge a complaint directly with the Guarantor Authority if there is a violation of the data protection legislation by the Data Controller.

Requests for the exercise of the aforementioned rights can be forwarded to the Data Controller by sending a written request by e-mail communication to the address indicated in paragraph 1 of this policy.

The right of complaint, however, can be freely exercised by the Data Subject by preparing an act to be sent to the Guarantor Authority in one of the following ways: registered letter with return receipt addressed to the “Guarantor for the protection of personal data, Piazza Venezia n. 11, 00187, Rome” or certified email to protocollo@pec.gpdp.

9. Who are the external managers of the processing of your data?

The Data Controller, to pursue the Marketing Purpose set out in paragraph 3) of this policy, makes use of the company “MediArteProgetti di Daniela Ricotti” (VAT number: 01875740183; CF: RCT DNL 68P48 G 388 R) with registered office in Via Luisa Battistotti Sassi 28, 20133, Milan – MI – which acts as external manager for the processing of the Data Subject’s data.

The complete list of external processors is available by sending a written request to the Data Controller by e-mail communication to the address indicated in paragraph 1 of this policy.

10. How long will your data be kept?

The data processed by the Data Controller:

  • for Contractual Purposes referred to in letters (a) to (d) and for the Legitimate Interest Purposes referred to in paragraph 3, letter (e) will be kept for a period aimed at following up the contact by the user or equal to the duration of any contract relating to products and / or services (including any renewals) and for the 10 years following the end, termination or withdrawal of it, except in cases where the conservation for a subsequent period is required for any disputes, requests from the competent authorities or pursuant to applicable legislation;
  • for Legitimate Interest Purposes referred to in paragraph 3, letter (f) will be kept for the duration strictly necessary to guarantee the reliability of the checks therein indicated;
  • for the Marketing Purpose referred to in paragraph 3, letter (g) will be kept for a period equal to the duration of any contract relating to products and / or services (including any renewals) and for the 24 months following the end of it for any reason.

11. Modifications and Updates

This policy is valid from the date indicated below. The Data Controller may also make changes and / or additions to this policy, also as a consequence of any subsequent regulatory changes and / or additions in force on the matter. If substantial, the changes will be notified in advance, and the Data Subject may view the constantly updated text of this policy on the website www.buonoeonesto.it or make an explicit request to the Data Controller by writing to the e-mail address indicated in paragraph 1 of this policy.

Last update

04.27.2020