Privacy Policies

Data, information and any personal data published on this site may be freely used by those interested in the products of CPL CONCORDIA Soc. Coop.

Following are the main policies provided pursuant to GDPR 679/2016 – the European Regulation on the Protection of personal data.

General and common elements of the policies

Identity of the Data Controller

The Data Controller of any processing carried out is CPL CONCORDIA Soc. Coop., with registered and administrative office in Via A. Grandi 39 – 41033 CONCORDIA sulla Secchia (MO), represented by the General Manager pro tempore.
The Data Controller guarantees the security, confidentiality and protection of personal data at its disposal, at any stage of their processing.

Data protection officer
The Data Controller has appointed the Data protection officer pursuant to Art. 37, domiciled for the office at the company’s headquarters and can be reached by writing to the email address dpo@cpl.it.

Data transfer

The Data Controller will not transfer personal data to third countries or to international organisations for any reason.

Where cloud services are used, providers are selected from among those with servers in Europe. If it becomes necessary to transfer data outside the EU (e.g. in the case of a contract with a multinational company), CPL will check that the suppliers provide adequate guarantees, as required by Art. 46 of the GDPR 679/2016 and update the Privacy Policy.

Rights of the data subject

With regard to Art. 15 – right of access, 16 – right of rectification, 17 – right of erasure, 18 – right to restriction of processing, 20 – right to portability, 22 – right to oppose automated decision-making processes of the GDPR 679/16, the data subjects can exercise their rights by writing to the Data Controller CPL CONCORDIA Soc. Coop. at the address above or by email to dpo@cpl.it, specifying the subject of the request, the right being exercised and attaching a copy of an identity document that attests to the legitimacy of the request.
The Data Controller points out in particular that any data subject may exercise the right to object in the form and manner provided for in Art. 21 of the GDPR 679/2016.

Lodging a complaint

The data subject has the right to lodge a complaint with the supervisory authority in his or her country of residence. If you believe that the processing of your personal data has been carried out in breach of the legislation on the protection of personal data, you have the right to lodge a complaint with the Italian Data Protection Authority, Piazza Venezia, 11 – 00187 – Rome, using the forms available at the following link https://www.garanteprivacy.it/modulistica-e-servizi-online/reclamo.

Automated decision-making processes

The Data Controller does not perform any processing consisting of automated decision-making based on personal data.

Privacy Policy for customers, potential customers receiving information or business proposals, business partners or partners in temporary association of companies (ATI) and employees working for them

This Privacy Policy is provided to individuals acting in the name and on behalf of customers of “CPL CONCORDIA Soc. Coop.”, pursuant to articles 13 and 14 of the GDPR 679/2016 “European Regulation on the Protection of Personal Data”.

Source of the data

The personal data processed are those provided by data subjects for:

public sources, online contact tracing;
participation in events, seminars and conferences promoted by CPL;
consent of the data subject (explicit or by an unambiguous positive act, e.g. exchanging business cards);
pre-contractual phases, requests for information and estimates, including by telephone and email;
sending orders, concluding contracts and their extension;
performance of the contractual relationship and related activities;
provision of data and sales activities subsequent to the order;
compliance with current legislation (e.g. public procurement, occupational health and safety, data protection, taxation, etc.);
participation in tenders;
receiving communications via PEC certified email;
requests for information on previous sales activities;

or, alternatively, they may be contact details of potential customers obtained from parties other than the data subject.

Categories of processed data

The data processed may be:

personal identification data, professional profile data, banking data, economic data (financial losses, compensation), salary data (remuneration, salary), curricular data;
judicial data, self-certifications and declarations of convictions;
other certifications, copies of identity documents;
images and videos;
all data contained on the company servers being backed up;
log data, computer traffic, user ID, login credentials;
data of family members (related parties).

As regards processing carried out on the basis of the consent given by the data subject, it should be noted that such processing is the subject of a specific separate policy.

Withdrawal of consent

With regard to Art. 7 of the GDPR 679/2016, the data subject can withdraw any consent given at any time.

However, processing covered by this Privacy Policy that is based on a different legal basis is lawful and permitted even in the absence of consent, insofar as it is necessary for the performance of a contract to which the data subject is party or for the fulfilment of their requests or legal obligations.

Withdrawal of consent at any time shall not affect the lawfulness of processing based on the consent given before the withdrawal.

Refusal to provide data

Customers cannot refuse to provide the Data Controller with the personal data necessary to comply with the laws that regulate commercial activities and taxes.
The provision of further personal data may be necessary to improve the quality and efficiency of commercial activities.
Therefore, refusal to provide the data required by law or to execute the contract will prevent the execution of orders, while failure to provide further data may compromise in whole or in part the execution of other requests and the quality and efficiency of the commercial activity itself.

Data recipients

To the extent strictly necessary, they may also be disclosed to parties that for the purposes of processing orders or other requests or services related to the commercial activity or the contractual relationship with the Data Controller must provide goods and/or perform services on behalf of the Data Controller. Finally, they may be communicated to the competent bodies in the event of fulfilment of obligations connected with the regulations in force, as well as to the parties entitled to access them by virtue of provisions of the law, regulations and Community legislation.

Privacy Policy for suppliers, potential suppliers, subcontractors or auxiliaries and workers employed by them

This Privacy Policy is provided to individuals acting in the name and on behalf of suppliers of “CPL CONCORDIA Soc. Coop.”, pursuant to articles 13 and 14 of the GDPR 679/2016 “European Regulation on the Protection of Personal Data”.

Source of the data

The personal data processed are those provided by the data subject or their employer for:

public sources, online contact tracing;
pre-qualification and/or qualification activities through a platform dedicated to the Supplier Qualification System;
participation in events, seminars and conferences promoted by CPL;
consent of the data subject (explicit or by an unambiguous positive act, e.g. exchanging business cards);
pre-contractual phases, requests for information and estimates, including by telephone and email;
sending orders, concluding contracts and their extension;
performance of the contractual relationship and related activities;
provision of data and sales activities subsequent to the order;
compliance with current legislation (e.g. public procurement, occupational health and safety, data protection, taxation, etc.);
participation in tenders;
receiving communications via PEC certified email;
requests for information on previous sales activities.

Categories of processed data

The data processed may be:

personal details, contact data, professional profile data, qualifications, licences, copy of ID document, other certifications, training certificates (e.g. health and safety), curricular data;
bank data, economic data (financial losses, compensation), salary data (compensation, salary, level, contract date);
health data (fitness for work, accidents, medical certificates, etc.);
judicial data, self-certifications and declarations of criminal convictions and offences;
image on badge, other images and videos;
geographical location data;
all data contained on the company servers being backed up;
any data on PCs, telematic traffic data and user ID, login credentials, log data, telematic traffic, user ID.

Data Processors

For the activity of pre-qualification and/or qualification of the Supplier, through the platform dedicated to the Supplier Qualification System, the Company Net4market – CSAmed s.r.l. has been appointed as Data Processor.
Subsequently, in the pre-contractual phase, the Supplier’s data are managed through a dedicated platform and the Company Zucchetti Spa has been appointed as Data Processor.

As regards processing carried out on the basis of the consent given by the data subject, it should be noted that such processing is the subject of a specific separate policy.

Withdrawal of consent

With regard to Art. 7 of the GDPR 679/2016, the data subject can withdraw any consent given at any time.
However, processing covered by this Privacy Policy that is based on a different legal basis is lawful and permitted even in the absence of consent, insofar as it is necessary for the performance of a contract to which the data subject is party or for the fulfilment of their requests or legal obligations.
Withdrawal of consent at any time shall not affect the lawfulness of processing based on the consent given before the withdrawal.

Refusal to provide data

Suppliers cannot refuse to provide the Data Controller with the personal data necessary to comply with the laws that regulate commercial activities and taxes.
The provision of further personal data may be necessary to improve the quality and efficiency of commercial activities.
Therefore, refusal to provide the data required by law or to execute the contract will prevent the execution of orders, while failure to provide further data may compromise in whole or in part the execution of other requests and the quality and efficiency of the commercial activity itself.

Data recipients

The personal data processed by the Data Controller will not be disseminated, i.e. they will not be disclosed to unidentified parties in any form, including making them available or publishing them for viewing. However, they may be communicated to workers employed by the Data Controller and to certain authorised external parties who collaborate with them and/or who are identified as Data Processors.
In particular, on the basis of the roles and tasks performed, the processing of personal data will be carried out by persons expressly instructed and authorised to carry out specific processing operations.
To the extent strictly necessary, they may also be disclosed to parties that for the purposes of processing orders or other requests or services related to the commercial activity or the contractual relationship with the Data Controller must provide goods and/or perform services on behalf of the Data Controller. Finally, they may be communicated to the competent bodies in the event of fulfilment of obligations connected with the regulations in force, as well as to the parties entitled to access them by virtue of provisions of the law, regulations and Community legislation.

Privacy Policy for Visitors

This Privacy Policy is provided pursuant to Art. 13 of the GDPR 679/16 – “European Regulation on the Protection of Personal Data”, to visitors and in general to all persons temporarily present at the headquarters of CPL CONCORDIA Soc. Coop. in via Grandi 39 – Concordia sulla Secchia, for visits, deliveries, maintenance work and any other occasional or previously agreed event.

Source of the data

The personal data processed are those provided by data subjects who enter the offices for:

visits or work in the offices;
interviews or work sessions in the offices;
delivery or collection of goods, parcels, correspondence.

Images of people and means of transport collected through the video surveillance system are also processed, see the ad hoc Privacy Policy.

Categories of processed data

The data processed may be data related to personal identification, professional profile and entry card images, other images and videos.

As regards processing carried out on the basis of the consent given by the data subject, it should be noted that such processing is the subject of a specific separate policy.

Data recipients

The personal data processed by the Data Controller will not be disseminated, i.e. they will not be disclosed to unidentified parties in any form, including making them available or publishing them for viewing. However, they may be communicated to workers employed by the Data Controller and to certain authorised external parties who collaborate with them and/or who are identified as Data Processors.
In particular, on the basis of the roles and tasks performed, the processing of personal data will be carried out by persons expressly instructed and authorised to carry out specific processing operations.
They may also be communicated, to the competent bodies in the event of fulfilment of obligations connected with the regulations in force, as well as to the parties entitled to access them by virtue of provisions of the law, regulations and Community legislation such as, for example:

law enforcement authorities;
medical specialists in case of accident or illness.

Withdrawal of consent

With regard to Art. 7 of the GDPR 679/2016, the data subject can withdraw any consent given at any time.
However, processing covered by this Privacy Policy that is based on a different legal basis is lawful and permitted even in the absence of consent, insofar as it is necessary for the performance of a contract to which the data subject is party or for the fulfilment of their requests or legal obligations or the pursuit of a legitimate interest of the Data Controller.
Withdrawal of consent at any time shall not affect the lawfulness of processing based on the consent given before the withdrawal.

Refusal to provide data

Visitors may not refuse to provide the Data Controller with the personal data required to access the site. Therefore, refusal to provide the data will prevent access.

Privacy Policy for Recipients of e-mail messages

This Privacy Policy is provided pursuant to articles 13 and 14 of the GDPR 679/16 – “European Data Protection Regulation”, to all recipients of written communications from a party acting on behalf of CPL CONCORDIA Soc. Coop. at via Grandi 39 – Concordia sulla Secchia.

The contents of e-mails are to be considered confidential. Therefore, the information contained therein, or included in any attachments, is reserved exclusively for the addressees.
The authenticity of the sender and the content are not guaranteed.

Data source and legal basis

The personal data processed are those provided by the data subjects or by other recipients of messages originating from the data subjects and forwarded, or reciprocally transmitted during the exchange of correspondence.
CPL’s databases include contacts and email addresses of companies and entities, including contact persons in legal entities:
i) with whom there have been previous communications by email or other means of communication for pre-contractual or contractual reasons;
ii) or who have voluntarily provided their email address during direct contacts, giving their consent;
iii) or contacts that – based on the recipient’s role – were appropriate within their organisation and that led CPL to believe that the communication sent could respond to a common and legitimate interest.
This is always without prejudice to the possibility for the recipient to exercise their right to object to the processing with the consequent immediate and free interruption of the processing. In general, all contacts and addresses are used by CPL in accordance with the desire and willingness of data subjects to receive communications from the company via email.

Categories of processed data

The data processed may be any data contained in the mail.

Data storage

As regards attachments contained in email messages received by the respective offices, the retention periods are those laid down for each type of data in relation to the purposes for which it will be processed.
For emails, the retention times are those foreseen for backups following data retention policies that do not exceed 6 months.

Data recipients

Persons or subjects other than the addressees and the persons who cooperate with them for the proper fulfilment of the purposes strictly connected with the communication received, also pursuant to Art. 616 of the Italian Criminal Code, are not authorised to read, copy, modify and/or disseminate the message to third parties.

It is prohibited for anyone who receives a communication from CPL in error to use it and bring it to the attention of third parties, while anyone who receives such a communication is obliged to delete it from their mailbox and notify the sender.

We inform you that all email addresses of the domain “…@cpl.it” are company emails, and as such are used for work-related communications. Therefore, for operational needs any outgoing or incoming message could be read by parties other than the sender and/or the recipient.

In particular, on the basis of the roles and tasks performed, the processing of personal data will be carried out by persons expressly instructed and authorised to carry out specific processing operations.

To the extent strictly necessary, they may also be disclosed to parties that for the purposes of processing orders or other requests or services related to the commercial activity or the contractual relationship with the Data Controller must supply goods and/or perform services on behalf of the Data Controller in connection with the communication. Finally, they may be communicated to the competent bodies in the event of fulfilment of obligations connected with the regulations in force, as well as to the parties entitled to access them by virtue of provisions of the law, regulations and Community legislation.

Withdrawal of consent

With regard to Art. 7 of the GDPR 679/2016, the data subject can withdraw any consent given at any time.
However, processing covered by this Privacy Policy, which are based on the legal basis referred to in letter b) of Art. 6 par. 1 of the GDPR, is lawful and permitted even in the absence of consent, insofar as it is necessary for the performance of a contract to which the data subject is party or for the fulfilment of their requests or legal obligations.
Withdrawal of consent at any time shall not affect the lawfulness of processing based on the consent given before the withdrawal.

Refusal to provide data

Natural contact persons of companies and legal entities, identified by their own organisation, for the management of documents related to the execution of a contract or for the fulfilment of legal obligations, cannot refuse to provide the Data Controller with the personal (contact) data necessary to proceed with these activities.
Therefore, refusal to provide the data required by law or to execute the contract will prevent the execution of orders, while failure to provide further data may compromise in whole or in part the execution of other requests and the quality and efficiency of the commercial activity itself.

Privacy Policy on video surveillance

This Privacy Policy is provided pursuant to Art. 13 of the GDPR 679/16 – “European Regulation on the Protection of Personal Data”, to visitors and in general to all persons temporarily present at the headquarters of CPL CONCORDIA Soc. Coop. in via Grandi 39 – Concordia sulla Secchia, for visits, deliveries, maintenance work and any other occasional or previously agreed event, as they enter the perimeter subject to video surveillance systems.

Source of the data

Video surveillance systems.

Categories of processed data

Images and videos of people and vehicles collected through the video surveillance system.

Purposes of the processing

The above personal data are processed for the purposes of occupational safety and protection of company assets (including crime prevention).

The data are processed in accordance with the provisions of the various trade union agreements signed between the company and the territorially competent trade unions, and in full compliance with the principles of lawfulness, necessity, proportionality, in accordance with the purposes and provisions established by Art. 4 of Italian Law No. 300/70, the Resolution of 8 April 2010 of the Italian Data Protection Authority on video surveillance and Guidelines 3/2019 of the EDPB (European Data Protection Board) on the processing of personal data through video devices.

Legal basis of the processing

Visitors’ personal data are lawfully processed to pursue the legitimate interest of the Data Controller.

Data recipients

The personal data processed by the Data Controller are not disseminated, i.e. they are not disclosed to unidentified parties in any form, including making them available or publishing them for viewing. However, they may be communicated to workers employed by the Data Controller and to certain authorised external parties who collaborate with them and/or who are identified as Data Processors.

They may also be communicated, to the extent strictly necessary, to the competent authorities in the case of fulfilments connected with current regulations, as well as to the parties entitled to access them by virtue of legal provisions, regulations and Community legislation such as, for example, law enforcement authorities.

Data storage

Video recorded images are retained for a maximum period of 7 (seven) days after capture. For particularly important events that may lead to a specific investigative request by the judicial authority or the judicial police, the term of retention of the images is established by the authority itself, or is extended until the request is fulfilled and the investigation concluded.

Refusal to provide data

The provision of personal data, insofar as it cannot be avoided in order to access the workplaces of CPL CONCORDIA Soc. Coop., is necessary for the pursuit of the legitimate interests of the Data Controller and is mandatory for the data subject. Therefore, refusal to provide the data will prevent access.

In addition, the data subject is required to comply with company procedures, regulations and practices.

Policy on the processing of personal data in the context of checks carried out for the prevention of COVID-19

This Privacy Policy is provided pursuant to Art. 13 of the GDPR 679/16 – “European Regulation on the Protection of Personal Data”, to visitors and in general to all persons (not employees) temporarily present at the headquarters of CPL CONCORDIA Soc. Coop. for visits, deliveries, maintenance work and for any other occasional or previously agreed event:

i) who complete the declaration required during the COVID-19 emergency and have their temperature taken, to ensure compliance with CPL safety protocols, as well as those

ii) who, being employed in the private sector, are required to possess and show a COVID-19 Green Pass to access workplaces where work is carried out.

Background:

Art. 3 of Italian Decree-Law No. 127 of 21/09/2021, published in the Official Journal No. 226 of 21/09/2021, stipulates that anyone working in the private sector is required to possess and show a COVID-19 Green Pass to access workplaces where work is carried out. CPL CONCORDIA Soc. Coop. has therefore adopted the “Company Protocol – COVID-19 phase 4 rev.0” and carries out the above-mentioned checks in accordance with the procedures contained therein.

If the data subject refuses to produce the aforementioned Green Pass, or if it is found to be invalid, they will not be allowed access to the workplace and persons found to be without a Green Pass will be removed.

Source of the data

The personal data processed are provided by the data subjects through the completion of the above declaration during visits or works, interviews or work sessions, delivery or collection of goods, packages, correspondence at the premises; by showing a green pass, as well as having their temperature taken.

Processed data

a green pass verified by the “VerificaC19” App (downloaded onto a mobile device or other suitable equipment provided by the Cooperative and set to “basic” verification) which will only show a graphic sign on the device (green light), without recording or storing any data. As of 28/02/2022, the medical certificate for vaccination exemption (issued on the basis of Circular 0035309-04/08/2021 of the Italian Ministry of Health) can only be verified digitally, in the same way as a green pass;
identification details (in particular name, surname and date of birth) of the data subject;
body temperature, without recording or storing it, except in the case of a temperature of more than 37.5°C, as it is necessary to demonstrate the reason for refusing access.

Purposes of the processing

The aforementioned personal data are processed during the COVID-19 emergency phase, for the prevention of infection, as well as to fulfil a legal obligation introduced by Italian Decree-Law No. 127/2021.

Legal basis of the processing

The personal data of visitors are lawfully processed to fulfil a legal obligation to which the Data Controller is subject (Art. 6 letter c) under Italian Decree-Law No. 127/2021.

Data recipients

They may also be communicated, to the competent bodies in the event of fulfilment of obligations connected with the regulations in force, as well as to the parties entitled to access them by virtue of provisions of the law, regulations and Community legislation such as, for example, law enforcement authorities and/or health personnel.

Data storage

The Data Controller keeps and processes personal data for the time necessary to fulfil the purposes specified. In particular, data released by declaration will be deleted two months after the end of the COVID-19 emergency phase.

Green Pass data are not retained but will be verified throughout the period of validity of the above-mentioned Decree-Law.

Withdrawal of consent

With regard to Art. 7 of the GDPR 679/16, the data subject can withdraw any consent given at any time. However, it should be noted that the processing of data provided by declaration is lawful and permitted even in the absence of consent.

Refusal to provide data

The data subject can refuse to give the Data Controller his or her personal data because the provision of data is optional. However, the refusal to provide data will make it impossible to enter the offices of CPL CONCORDIA Soc. Coop.

DPO details

Tel.: 0535.616.111
E-mail: dpo@cpl.it