Data Protection Statement

THE CONTROLLER

The Controller is SYNERGY FLAVOURS (ITALY) S.P.A. with a sole shareholder, and registered office located at Strada per i Laghetti No.3, Muggia (Trieste, Italy) (hereinafter also referred to as “SYNERGY” or “Controller”).

In order to exercise the rights recognised by REGULATION (EU) 2016/679 (hereinafter referred to as “GDPR” or the “Regulation”) or to ask for any clarification regarding the processing of your personal data, you can contact the Data Controller at the following contact details: telephone (+39 0402397911), e-mail [email protected]

SECURITY OF PROCESSING

The Controller has adopted technical and organisational measures to ensure a level of security appropriate to the risk and compliance with the legislation on the processing of personal data.

INFORMATION ON TYPES OF DATA PROCESSED

A) BROWSING DATA

As you browse the Website, a series of personal data is processed, such as your computer’s IP addresses or domain names, the referring and exit web pages, the URI/URL addresses of the requested resources, the date and time of the visit, information about your operating system and browser, as well as other technical data related to your browsing activity.

Purposes and legal basis for data processing (GDPR – Article 13 (1), point (c))

The processing of such data – in an automated and aggregated form – is carried out exclusively for purposes related to the management and administration of the Website, as well as for statistical purposes. The data may also be used to ascertain liability in the event of cybercrimes against the Website and/or any other unlawful acts.

The legal basis is the legitimate interest of the Controller (Article 6 (1), point (f) of the GDPR).

Scope of Communication (GDPR – Article 13 (1), points (e) and (f))

The data are processed solely by duly authorised, trained personnel, as well as by IT service providers who manage the Website and have been designated as Data Protection Officers (DPOs). This data are neither disclosed nor transferred outside the European Economic Area.

Data storage period (GDPR – Article 13 (2), point (a))

As a rule of thumb, unless there is a need for investigations following unlawful acts or breaches, data are not stored for more than 7 days.

Provision of personal data (GDPR – Article 13 (2), point 8 (e))

Data are not provided by the data subject but are automatically acquired by the Website’s IT systems.

B) CONTACT REQUESTS

Sending messages to the addresses on the Website and/or using the contact forms entails the acquisition and processing of the sender’s contact details by the Controller, which are necessary to respond, as well as any other personal data included in the message text.

 

Purposes and legal basis for data processing (GDPR – Article 13 (1), point (c))

Contact details are requested and processed in order to provide a reply and/or contact the Data Subject. The legal basis for data processing involves taking steps at the Data Subject’s request prior to entering into a contract (GDPR – Article 6 (1), point (b)).

Scope of Communication (GDPR – Article 13 (1), points (e) and (f))

Data are processed solely by duly authorised, trained personnel.

Data are neither disclosed nor transferred outside the European Economic Area.

Data storage period (GDPR – Article 13 (2), point (a))

As a rule of thumb, data are stored for as long as is deemed necessary in order to respond to the Data Subject. Generally speaking, data will be stored for a period determined by strict necessity, based on the different purposes for which it is processed. In any event, data will be retained stored in compliance with current personal data protection laws and to protect the rights of the Data Controller (e.g. pursuant to the statute of limitations under the Italian Civil Code).

Provision of personal data (GDPR – Article 13 (2), point (e))

Failure to provide data will make it impossible to fulfil your needs.

C) WORK WITH US

C.1) JOB VACANCIES

Purposes and legal basis for data processing (GDPR – Article 13 (1), point (c))

The personal data contained in the Curriculum Vitae and in the specific fields in the dedicated section are processed for the following purposes:

• to manage the Data Subject’s assessment procedure in relation to the selection process in which he/she has chosen to participate.
• to store the Data Subject’s CV in the appropriate database in order to assess it for future positions of potential interest.

Legal basis: Article 6 (1), point (b) of the GDPR; Article 9 (2), point (b) of the GDPR.

With regard to special category data, the Controller warrants that:

1. the processing will only be carried out if deemed necessary to fulfil or enforce specific obligations or to perform specific tasks provided for by European Union legislation, laws, regulations or collective agreements, including company agreements, in accordance with domestic law, in particular for the purpose of establishing the employment relationship;
2. in the event that the CVs submitted by candidates contain data that are not relevant to the purpose pursued, the Controller will refrain from using such information.

Scope of Communication (GDPR – Article 13 (1), points (e) and (f))

Personal data may only be accessed by people authorised to process it and by individuals who have been appointed as Data Protection Officers (DPOs) to process data on behalf of the Controller. These individuals are bound to secrecy and confidentiality also on the basis of specific internal regulations.

As a Carbery Group company, certain data may be disclosed to other companies within the group for administrative and human resources management purposes, always in accordance with the purposes indicated above, based on legitimate interest pursuant to Article 6 (1), point (f) of the GDPR and in accordance with Article 48 of the same Regulation.

The data will not be transferred to third countries outside the European Economic Area, unless adequate guarantees are provided.

Data storage period (GDPR – Article 13 (2), point (a))

Data are stored for 12 months.

Provision of personal data (GDPR – Article 13 (2), point (e))

Failure to provide the mandatory data will make it impossible to participate in the personnel selection process.

C.2) UNSOLICITED JOB APPLICATION

Purposes and legal basis for data processing (GDPR – Article 13 (1), point (c))

Data are processed for the following purposes:

• to allow the Data Subject to submit his/her CV to the Data Controller, even if there are no vacancies for the desired position at the time;
• to store the Data Subject’s CV in the appropriate database in order to assess it for future positions of potential interest.

Legal basis: Article 111-bis of Italian Legislative Decree No. 196/03 and Article 6 (1), point (b) of the GDPR (performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract).

Scope of Communication (GDPR – Article. 13 (1), points (e) and (f))

Personal data may only be accessed by people authorised to process it and by individuals who have been appointed as Data Protection Officers (DPOs) to process data on behalf of the Controller. These individuals are bound to secrecy and confidentiality also on the basis of specific internal regulations.

As a Carbery Group company, certain data may be disclosed to other companies within the group for administrative and human resources management purposes, always in accordance with the purposes indicated above, based on legitimate interest pursuant to Article 6 (1), point (f) of the GDPR and in accordance with Article 48 of the same Regulation.

The data will not be transferred to third countries outside the European Economic Area, unless adequate guarantees are provided.

Data storage period (GDPR – Article 13 (2), point (a))

Data are stored for 12 months.

Provision of personal data (GDPR – Article 13 (2) point (e))

Failure to provide mandatory data will make it impossible for the Data Subject to submit his/her unsolicited application.

 

RIGHT OF ACCESS BY THE DATA SUBJECT

Pursuant to Articles 15 et seq. of the GDPR, with regard to his/her own personal data, the Data Subject shall have the right:

• to obtain access from the Controller to his/her personal data together with a copy of said data, and to obtain information regarding the purposes of the processing, the envisaged period for which the personal data will be stored as well as the recipients or categories of recipient to whom the personal data have been or will be disclosed;
• to obtain from the Controller, without undue delay, rectification of inaccurate personal data referring to him/her. Taking into account the purposes of the processing, the Data Subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement;
• to obtain from the Controller, restriction of processing personal data referring to him/her, in the cases provided for in Article 18 of the GDPR, to  storage, or data processing operations  for which the Data Subject has given express consent or for the establishment, exercise or defence of legal claims, to protect public interests, or for the protection of the rights of another natural or legal person;
• to obtain their erasure without undue delay, in cases in which:
  • data are no longer necessary in relation to the purposes stated;
  • consent to data processing has been withdrawn;
  •  data have been unlawfully processed;
  • data erasure is necessary in order to comply with a legal obligation and in other cases provided for by Article 17 of the GDPR;
• to object, at any time, to processing of personal data concerning him or her, pursuant to Article 21 of the GDPR, in particular for direct marketing purposes. Where the Data Subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes;
• to receive the personal data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Controller (known as the Right to Data Portability);
• to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

The aforementioned rights may be exercised by contacting the Controller using the contact details provided.

THE RIGHT TO LODGE A COMPLAINT

Where a Data Subject considers that his or her rights under this Regulation are infringed, he/she has the right to lodge a complaint with the competent supervisory authority (Italian Data Protection Authority – www.gpdp.it).