This policy describes, pursuant to and for the purposes of Article 13 of EU Regulation 679/2016 (General Data Protection Regulation, hereinafter "GDPR"), the ways in which the Data Controller processes personal data collected or provided by the Data Subject both while surfing this Website, and in execution of current business relationships (for example, pre-contractual or contractual measures). This document supplements any information on the processing of personal data provided to our Customers in the various occasions of interaction.

The processing of personal data is based on the principles of lawfulness, transparency, fairness and protection of the privacy and rights of the data subject, always in accordance with national (Legislative Decree 196/2003, as amended by Legislative Decree 101/2018) and European (GDPR) regulation currently in force.

Data Controller

The Data Controller is ARMAL S.p.A., legally established in Via Fiorentina 109, 50052 Certaldo (FI) - Italy, telephone number: +390571665305, e-mail: [email protected]

The Joint Data Controller, pursuant to Art. 26 GDPR, is YLDA Group S.p.A., legally established in Via Fiorentina, 109, 50052 Certaldo (FI) - Italy, e-mail: [email protected]

Data Protection Officer (DPO)

The Data Protection Officer can be contacted at the e-mail address [email protected]

Origin and type of data collected

• navigation data: the computer systems and software procedures used to operate the Website may acquire, during their normal operation, some data whose transmission is implicit in the use of Internet communication protocols. This category of data could include IP addresses or domain names of the devices used, URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given to the server (successful, error, etc..) and other parameters regarding the operating system and computer environment of the User.
• personal data collected during the establishment of pre-contractual and contractual relationships: for example, identification and contact data (name, surname, e-mail, telephone, address, vat/c.f.), purchase data, payment data (bank data relating to transfers and other methods of payment), billing data.
• personal data transmitted to the e-mail addresses indicated on the Site: the e-mail address, as well as all other personal data included in the message.
• contact data (e-mail) collected in the “Keep in touch” section of the Website.

Purposes of processing and legal bases

Data is processed for the following purposes: 

• to process and manage the User's requests and answer questions formulated via e-mail addresses available on the Site. The legal basis is the legitimate interest of the Data Controller (Article 6, letter f), GDPR) to be efficient and satisfy any type of request submitted, to provide information on the services offered, including by sending communications relating to products or services similar to those already used - unless opposed (so-called Soft spam).
• to execute pre-contractual and contractual relationships: issue of quotes and orders, conclusion of contracts and commercial agreements, management of support and maintenance services, management of financial and administrative practices. The legal basis is the execution of contractual and pre-contractual measures taken at the request of the Customer (Article 6, letter b), GDPR) and the fulfilment of legal obligations (Article 6, letter c), GDPR). 
• for marketing and commercial promotion purposes, in order to send, via e-mail, sms, telephone, or other digital communication tools, news about products, services, events and promotions. The legal basis is the express consent given by the User (Article 6, letter a), GDPR).
• to comply with legal obligations to which the Data Controller is subject. The legal basis is the fulfilment of legal obligations (Article 6(c) GDPR).  

Provision of personal data

The mandatory or optional nature of the provision of data is specified from time to time - regarding the individual information requested - also by affixing a special symbol (*) to the mandatory information. Any refusal to communicate the data marked as mandatory makes it impossible for the Controller to perform the contract or provide the services available. The provision of further data is, instead, optional.

Modality and place of processing

The processing of personal data is carried out by the Controller mainly with electronic and telematic methods, supported by specifically authorized internal staff. Adequate security measures are taken in order to minimize the risk of destruction or loss - even accidental - of data, unauthorized access or processing not allowed or not in accordance with the purposes of collection. Data are processed at the Data Controller's offices and in any other place where the parties involved in the processing are located, as well as at the hosting servers. For further information, please contact the Data Controller.

Data retention period

The data are processed for the time necessary to perform the service requested by the User or in general until the purposes for which they were collected. Some data will be kept for longer periods due to fiscal-administrative-accounting obligations (e.g. 10 years ex art. 2220 c.c.). About marketing purposes, the retention period is 24 months from the date of the consent, except for the User's right to request revocation at any time. Subsequently, personal data will be automatically deleted or permanently anonymized.

Disclosure of personal data

The User's personal data will not be disseminated to unspecified subjects. However, they may be disclosed, in addition to the Companies of YLDA Group S.p.A., to professionals, collaborators, natural and legal persons who perform services in outsourcing on behalf of the Controller. These subjects will be able to process the data as Data Controllers, Joint Data Controllers and Data Processors duly appointed pursuant to art. 28 GDPR, in full compliance with the above-mentioned regulations in force; they will only be provided with the information necessary to carry out their relative functions. The complete and updated list of data processors is available upon request. The data may also be communicated or made available to people who have the right to access the data under the provisions of the law, regulation or European legislation, within the limits and for the purposes provided by these rules, as well as banks, credit institutions, finance companies, debt collection, insurance agencies.

Personal data transfer

Any transfer of personal data to countries outside the EU that may be necessary to implement the contract in place with the User or to ensure the services offered (for example, for suppliers based in third countries) is performed in accordance with Articles. 44 et seq. of the GDPR, providing appropriate tools that ensure adequate guarantees of data protection.

Links to other sites, platforms, and social networks

This information is provided only for the armal.biz Site and not for other websites and social platforms that can be visited by the User through links. For further information on the data processing carried out by these external entities, please refer to their respective privacy policies.

• Facebook: https://www.facebook.com/about/privacy
• Twitter: https://twitter.com/en/privacy
• Google: https://policies.google.com/privacy?hl=en-GB

Rights of the data subject

At any time, pursuant to Articles 15 et seq. of the GDPR, the User may exercise the following rights:

• to access to personal data: right to obtain confirmation of the existence or not of personal data concerning him/her.
• to obtain the rectification or cancellation of the data or the limitation of the processing.
• to obtain information about the origin of personal data, the purposes and methods of processing, the categories of data, the recipients, or categories of recipients to whom the personal data have been or will be communicated and, when possible, the retention period, as well as information about the identity of the controller, processor, any appointed representatives, or parties to which data may be communicated.
• to object - for legitimate reasons - the processing of all or part of the personal data.
• portability of data.
• to withdraw consent, at any time, without prejudice to the lawfulness of the processing based on the consent given before the revocation.
• to lodge a complaint with the Supervisory Authority.

The exercise of rights, except for letter g), may be made by sending a request to the following e-mail address [email protected]

In case of suspected violation of the legislation on the protection of personal data, you can contact the Data Protection Officer (DPO) by sending an e-mail to the following address [email protected]

Changes and updates

The Data Controller may make changes or additions to this policy also as a consequence of any subsequent changes or additions to the law. Changes and updates to the Privacy Policy will be applicable as soon as they are published on the Website. We therefore invite the User to regularly access this section to check the publication of the most recent and updated Privacy Policy.