Dear Customer,
please carefully read the following information, provided in accordance with the provisions of EU Regulation 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data, as well as on the free circulation of such data and which repeals Directive 95/46/EC (GDPR).

Definitions

“Personal data”: Any information concerning an identified or identifiable natural person (Article 4, paragraph 1, point 1 of EU Regulation 2016/679);
“Data Controller”: natural or legal person, public authority, service or other body that, individually or along with others, determines the purposes and means of processing personal data (Article 4, paragraph 1, point 7 of EU Regulation 2016/679); “Data Processor”: natural or legal person, public authority, service or other body that processes personal data on behalf of the data controller (Article 4, paragraph 1, point 8 of EU Regulation 2016/679);
“Recipient”: natural or legal person, public authority, service or other body that receives notification of personal data (Article 4, paragraph 1, point 9 of EU Regulation 2016/679).

Principles applicable to the processing of personal data

Pursuant to and for the purposes of Article 5 of the aforementioned Regulation, the personal data provided by the Data Subject is:

(a) processed in a lawful, fair and transparent manner;

b) collected for specific, explicit and legitimate purposes;

(c) adequate, relevant and limited to that which is strictly necessary with regard to the purposes for which it is processed;

(d) accurate and, if necessary, updated;

e) kept in such a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed;

f) processed in such a way as to ensure adequate security.

Data of the Data Controller

Type of personal data processed

The personal data provided by the data subject is the following:
Identification (name and surname, place and date of birth, municipality and place of residence, tax code, shipping address);

• Contact details (telephone number, e-mail address, pec certified e-mail address)
• Banking details (payment terms: cheque and/or bank transfer).
• Purpose of processing – Legal basis

1) Management of activities related to the conclusion and execution of the contract.

Legal basis: the processing is necessary for the execution of a contract of which the data subject is a party or for the execution of pre-contractual measures adopted at the request of the interested party (Article 6, paragraph 1, letter b), GDPR);

2) Fulfilment of administrative, accounting and tax obligations. Legal basis: the processing is necessary to fulfil a legal obligation of which the data controller is subject (Article 6, paragraph 1, letter c), GDPR).

3) Management of activities relating to the assessment and/or exercise and/or defence of a right of the data controller. Legal basis: the processing is necessary for the pursuit of the legitimate interest of the data controller or third parties which is substantiated by the protection of an infringed right. (Article 6, paragraph 1, letter f), GDPR)

Data processors appointed and instructed pursuant to and for the purposes of Article 28 of EU Regulation 2016/679

The personal data provided by the data subject may be processed, on behalf of the Data Controller, for exclusive technical, functional and organisational reasons, strictly related to the purposes set out above, by the following persons designated as data processors pursuant to and for the effects

of Article 28 of EU Regulation 2016/679:

• Accountant appointed by the data controller for the management of activities

  relating to external bookkeeping;

• Providers of installation, assistance and maintenance services for IT and

  electronic systems;

• Hosting provider in charge of providing the hosting services.

The Data Subject may ask the Data Controller for the constantly updated list of data processors.

Recipients and/or categories of recipients of personal data

The personal data provided by the data subject may be disclosed to the following natural or legal persons and public authorities who may be qualified, on a case-by-case basis, also as independent data controllers:

• Credit institutions authorised for commercial transactions;
• Transport companies appointed for the shipment and delivery of the products purchased

  by the data subject;

Public bodies and/or Authorities and/or Judicial Authorities for inspection and/or

checking and/or supervision activities or for the fulfilment of legal obligations.

Data storage period

The personal data provided by the Data Subject for the conclusion and execution of the contract is kept by the Data Controller in a form that allows the identification of the Data Subject for a period of time not exceeding the achievement of the purposes for which it is processed; always and in any case for a period of time not exceeding 10 years from the termination of the legal effects of the contract (art. 2220 of the Italian Civil Code Storage of accounting records; art. 2946 of the Italian Civil Code Ordinary prescription). After these terms, the data is either destroyed or anonymised.

Nature of provision and refusal

The provision of the data needed for the conclusion and execution of the contract is necessary; the refusal to provide the data and/or the complete opposition to its processing, makes it impossible to carry out any legal relationship between the Parties.

Location and method of processing

The processing of the personal data provided takes place at the registered office of the Data Controller, on paper, computer and electronic support and it is also carried out by subjects authorised to process it, who are constantly instructed on current Community and national legislation on the safeguarding and protection of personal data (Article 29 GDPR). Specific security measures are implemented to prevent the loss of data, illicit or incorrect use and unauthorized access. GDPR). Specifiche misure di sicurezza organizzative, fisiche e tecniche sono osservate per prevenire la perdita dei dati, usi illeciti o non corretti e accessi non autorizzati.

Rights of data subjects – complaint to the supervisory authority

Pursuant to and for the purposes of Articles 13, paragraph 2, and 15 to 21 of EU Regulation 2016/679, you may exercise the following rights:

1. Right to obtain access to the personal data provided and information relating to it (art. 15 GDPR);
2. Right to rectification of inaccurate data or the integration of incomplete data (art. 16 GDPR);
3. Right to deletion of personal data concerning you (upon the occurrence of one of the conditions indicated in art. 17, paragraph 1, EU Regulation 2016/679 and in

   compliance with the exceptions provided for in paragraph 3 of the same article);

4. Right to limit the processing of personal data provided (in the event of one

   of the hypotheses indicated in Article 18, paragraph 1, GDPR);

5. Right to data portability or the right to receive personal data concerning you in a structured and

   machine-readable format (the so-called right to personal data

   portability pursuant to art. 20 GDPR);

6. Right to lodge a complaint with the Garantor for the protection of personal data,

   following the procedures and indications published on the www.garanteprivacy.it website (art.77

   GDPR);

7. Right to bring actions before the competent jurisdictional authorities (art.79

   GDPR).

The Data Subject has the right to object to the processing of personal data provided in the event of special situations concerning him/her (Article 21 of the GDPR).
The Data Subject also has the right to revoke, at any time, any consent given for specific purposes (Article 7 of the GDPR).

How to exercise your rights

You can exercise your rights at any time by sending:

• A registered letter with receipt notification to QUALITYBED S.R.L., registered office;
• E-mail and/or PEC certified e-mail notification to the addresses indicated above.

Automated decision-making processes

For the pursuit of the purposes of the processing described above, no decision is made based solely on automated processing which produces legal effects that concern the data subject or that significantly affect you in a similar manner.

Transfer to a third country

The Data Controller does not transfer personal data to third countries or international organisations. However, the Data Controller reserves the right to use cloud services; in which case, the service providers will be selected from among those who provide adequate guarantees, as provided for in Article 46 of EU Regulation 2016/679.