The company Cimbali Group S.p.A., with registered office in Binasco (MI), at Via Manzoni 17, tax code and VAT no. 09052100154 (hereinafter the ‘Company’) undertakes to protect the personal data of users (hereinafter the ‘User’ or ‘Users’) of the website http://mumacacademy.com/ (hereinafter the ‘Site’) and, in its capacity as Data Controller, pursuant to Article 13 of Regulation (EU) 679/2016 (the General Data Protection Regulation, hereinafter the ‘GDPR’), is required to provide the User with some information on the processing of personal data. This Privacy Notice does not apply to any other websites owned by third parties that may be accessed through links on this Site. Please read the privacy notices of any such third-party websites for information on how they process personal data.
DATA THAT MAY BE PROCESSED
The following types of User data (hereinafter also referred to jointly as ‘personal data’) may be processed through the Site.
A) Browsing data and cookies
The computer systems and software procedures provided for Site functioning acquire, during their normal operation, some personal data, transmission of which is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified individuals, but by its nature, through processing and association with data held by third parties, could allow Users to be identified. This category of data includes the IP addresses of computers used by Users who connect to the Site, the URI (Uniform Resource Identifier) notation addresses of the resources requested, the request time, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the operating system used. This data is used only to gather anonymous statistical information about use of the Site and to check the correct functioning of the Site. Such data is deleted immediately after processing. The data may be used to ascertain responsibility in the event of any computer crimes against the Site.
B) Personal data provided voluntarily by the User
The Company processes some personal data that may be provided voluntarily by Users through the relevant forms:
- For newsletter sign-up (e-mail address);
- For Site registration (e-mail address, name, surname, telephone number, invoicing details);
- To sign up to MUMAC ACADEMY courses (including contact details, invoicing details and – with the User’s consent – details of any allergies or dietary restrictions, as samples of food products may be provided during courses);
- To sign up to news & events (name, surname, e-mail address, telephone number, occupation/company/interests);
- To produce videos and photographs during events (image and/or voice recordings).
Either personal data that may be sent to the Company via e-mail or in another form using the contact details given on the Site.
PURPOSES OF DATA PROCESSING
A) Execution of a contract or pre-contractual measures related to User requests and the management of training courses and events.
The Company may process the User’s personal data to perform a contract or pre-contractual measures, to manage or respond to requests for information made through the Site, including with the aim of allowing Users to sign up to MUMAC ACADEMY courses and/or training sessions.
Processing requirement: fulfilment of a contractual obligation or performance of pre-contractual measures. The provision of personal data is compulsory; in the absence of such data, the Company will not be able to respond to the User’s request or perform the contract or contractual measures to be performed at the User’s request. The provision of data relating to the User’s health (such as details of any allergies) is optional and based on the User’s consent. Failure to provide this particular category of data or withdrawal of consent may mean that the Company is not be able to go ahead with the User’s request to sign up to a course or courses.
B) Producing video footage and photographs during events.
The Company may process data relating to your image/voice through photographic and/or audiovisual recording devices in order to prepare audio/photo/video material for the purposes of promoting the event and the activities and services provided by the Company and any subsequent publication of audio/photo/video material on the site mumacacademy.com and/or on the Company’s social media pages (Facebook®, Instagram®, Twitter®, LinkedIn®, YouTube®).
Processing requirement: the User’s consent, which may be withdrawn at any time using the contact details given above. Failure to give consent does not entail any consequences for the User.
C) Sending marketing communications.
The Company may process the User’s contact details for marketing purposes with the aim of providing information on promotional initiatives relating to training courses and/or events through automated communication methods (e.g. e-mail). The newsletter service is managed by a third-party company appointed by the Company that is the data controller.
Processing requirement: the User’s consent, which may be withdrawn at any time using the contact details given above. Failure to give consent does not entail any consequence other than rendering it impossible for the User to receive promotional communications.
D) Purposes connected with obligations under the law, regulations or by EC legislation, by provisions/requests of authorities empowered to do so by law and/or by supervisory and control bodies.
The Company may process the User’s personal data in order to fulfil its obligations.
Processing requirement: fulfilment of a legal obligation. The provision of personal data for such purpose is compulsory since, in the absence of such data, the Company is unable to fulfil certain legal obligations.
E) Defence of rights in judicial, administrative or out-of-court proceedings, and in disputes arising in connection with the services/activities offered.
The Company may process personal data to defend its own rights or to act or even make claims against the User or third parties.
Processing requirement: the Company’s legitimate interest in defending its own rights. In this case, new and specific provision of data is not required, since the Company shall pursue this further purpose, where necessary, by processing the data collected for the above purposes, which are deemed compatible with this purpose (because of the context in which such data was collected, the nature of the data and the adequate guarantees for the processing thereof, as well as the link between the above purposes and this further purpose).
HOW AND WHERE WE KEEP PERSONAL DATA SECURE
The Company uses appropriate security measures in order to guarantee the protection, safety, integrity and accessibility of the User’s personal data.
All personal data is stored on our protected computer devices (or paper copies suitably archived) or on those of our suppliers. Such data may be accessed and used based on our standards and our security policy (or equivalent standards for our suppliers). The servers are located within the European Economic Area (EEA). Any transfer of the personal data subject to processing outside of the EEA must comply with the rights and guarantees set out in the regulations in force. Where personal data subject to processing is not transferred out of the EEA on the basis of a suitability decision by the European Commission, further suitable guarantees will be adopted, such as model contractual clauses.
HOW LONG WE STORE PERSONAL DATA FOR
We store your personal data only for the time required to perform the purposes for which such data was collected or for any other connected legitimate purpose. If personal data is collected for two different purposes, we will therefore store such data until the purpose with the longest retention period comes to an end, but we will no longer process that data for the purposes for which the retention period has expired.
Any of your personal data that is no longer required or for which no legal basis exists for it to be stored will be irreversibly anonymised (and may therefore be kept) or securely destroyed.
Browsing data will not be retained by the portal unless it is necessary for a criminal investigation by the judicial authorities; it will instead be retained by Google for a maximum of 50 months.
Data processed to fulfil any contractual obligation may be kept for the entire duration of the contract and in any case no longer than 10 years thereafter, in line with the statute of limitations.
Data processing for marketing purposes may be stored for 24 months from the data on which we obtained your most recent consent for such purpose.
Data (including images taken during events) processed for promotional and communication purposes may be stored for 24 months after such data was obtained.
Where the processing of data is required for judicial purposes, such data will be kept for as long as any claims may be pursued by law.
WHO CAN ACCESS PERSONAL DATA
Duly authorised Company employees may have access to User’s personal data, as may any external suppliers (including consultants), appointed, where required, as data processors.
Should you wish to ask to see the list of data processors and other subjects with whom we communicate data, you may contact the Company using the details given in the Contact us section.
DATA PROTECTION RIGHTS
Each User has the right to obtain from the Company, subject to the existence of the legal prerequisite underlying their request:
- Access to personal data relating to them, as well as rectification thereof;
- The erasure of personal data;
- The rectification of personal data relating to Users held by the Company;
- The restriction of processing of personal data relating to Users;
- A copy of personal data provided by Users to the Company, in a structured, commonly used format that can be read by an automated device (portability) and the transfer of such personal data to another data processor.
Furthermore, users have the right to object in whole or in part to the use of personal data processed by the Company, if the conditions laid down in personal data protection legislation are met, for example if personal data is processed for direct marketing purposes.
Should the User exercise any of the aforementioned rights, it is the Company’s responsibility to check that they are entitled to exercise such a right and this will be acknowledged, as a rule, within one month.
Should the User believe that the processing of their personal data is in breach of the provisions of the applicable legislation on personal data protection, they have the right to make a claim before the Italian Data Protection Authority, using the details available on the website www.garanteprivacy.it, or to take appropriate legal action.
The Company’s contact details for claims and to exercise rights relating to personal data processing are as follows: Certified e-mail firstname.lastname@example.org; telephone number +39 02900491.
For requests relating to training courses provided by us and/or further information relating to our services, please write to the following e-mail address email@example.com
Last updated in June 2020