PRIVACY POLICY OF Cooder S.r.l.
pursuant to Article 13 of Regulation (EU) 2016/679
This privacy policy is provided in compliance with the European General Data Protection Regulation (EU) 2016/679 ("GDPR") and subsequent amendments and/or additions, as well as any applicable national legislation or regulations concerning the processing of personal data from time to time ("Privacy Regulations") to ensure that personal data is processed with respect for the rights and freedoms of individuals, particularly with regard to the protection of personal data.
The term "personal data" refers to any information relating to an identified or identifiable natural person, even indirectly, by reference to any other information, including a personal identification number.
The term "processing" refers to any operation or set of operations performed on personal data or sets of personal data, with or without the aid of automated processes, such as the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or any other form of making available, alignment or combination, restriction, erasure, or destruction.
The term "data subject" refers to the natural person to whom the personal data relates.
1. Data Controller
Cooder S.r.l., with registered office at Via dell'Industria 25, Porto Sant'Elpidio FM, Tax Code and VAT number 01668090440, acts as the Data Controller ("Controller" or "Cooder") for the purposes set forth in paragraph 3 below and is part of the Impresoft Group.The list of companies belonging to the Impresoft Group is available at the following section of the Impresoft S.p.A. website: www.impresoftgroup.com/it/le-aziende-del-gruppo ("Group Companies").The Controller can be contacted at the following email address: [email protected].
The Controller has appointed a Data Protection Officer (DPO), who can be contacted at the following email address: [email protected].
2. Sources and Types of Data Processed
The data processed by the Controller and collected directly from Cooder's website may include personal information and contact details (name, surname, email, phone number, address, role, company name, CV, and information relating to professional life in the case of applications, and any other information voluntarily provided by the data subject).
3. Purposes and Legal Basis of the Processing Carried Out by the Controller
The Controller may process the personal data of the data subject for the following purposes:
1. Purposes strictly related and instrumental to the establishment and management of a contract to which the data subject is a party, pursuant to Article 6(1)(b) GDPR. The provision of personal data does not require consent but is necessary to finalize, execute, or continue the contractual relationship with the Controller.
2. Management of relationships with the data subject arising from their requests to access additional content (whitepapers, gated content) offered on the Controller's website. The provision of personal data is not mandatory, but refusal to provide it may prevent the data subject from obtaining the requested services/products/content, or from receiving the features, information, and informational material requested from the Controller. The provision of personal data does not require consent as the processing is necessary to execute a free contract of which the data subject is a party, as per Article 6(1)(b) GDPR.
3. Through profiling cookies, if accepted by the user through the appropriate cookie banner, profiling activities are carried out, consisting of analyzing the interests and preferences of users regarding the type of content downloaded from the site to engage in targeted marketing activities. The provision of data is not mandatory, and processing requires the data subject’s consent. Such data will be viewed and processed by other Group Companies only with the consent referred to in point 9) below.
4. Responding to information requests made by the data subject to the Controller. To fulfill these requests, the Controller may rely on other partners and Group Companies whose product is the subject of the data subject’s request for information. The provision of personal data does not require consent, as processing is necessary to execute pre-contractual measures adopted at the request of the data subject, as per Article 6(1)(b) GDPR.
5. Compliance with legal obligations, regulations, EU legislation, or orders issued by authorities empowered by law or by supervisory and control bodies, pursuant to Article 6(1)(c) GDPR. The provision of personal data for the purposes of this point is mandatory, and the related processing does not require consent.
6. Business analysis purposes in anonymous form: to improve business activities and services (e.g., measuring customer satisfaction regarding the quality of services provided by the Controller and conducting studies and market research). The provision of personal data is not mandatory, and the related processing does not require consent due to the legitimate interest of the Controller in carrying out business analysis activities, pursuant to Article 6(1)(f) GDPR.
7. Marketing purposes for the promotion and sale of products and services similar to those already purchased by the data subject (so-called soft spam), through commercial communications sent via email. The provision of data is not mandatory, and the related processing does not require consent due to the legitimate interest of the Controller, pursuant to Article 6(1)(f) GDPR, to carry out marketing activities toward its customers.
8. Own marketing purposes: using automated contact tools (such as calls without an operator, emails) or traditional contact tools (operator-assisted calls), directly or through third-party companies, to i) transmit or propose by telephone, information material, commercial, advertising, and promotional content, also personalized/of specific interest based on the information obtained from the activity referred to in point 3 above ii) send newsletters and invitations to events and initiatives. The provision of data is not mandatory, and processing requires consent, which can be given and revoked for some of the activities mentioned above by writing to the email address below. If the data subject does not provide personal data, they will not be able to receive information on the products and/or services offered by the Controller, but there will be no consequences regarding the data subject’s ability to browse the site or their existing contractual relationship with the Controller.
9. Communication of data to Group Companies, which, with reference to their own products and services and those of other Group Companies operating in the ICT and consulting sectors, may use automated contact tools (such as calls without an operator, emails) or traditional contact tools (operator-assisted calls), directly or through third-party companies, to i) transmit or propose by telephone, information material, commercial, advertising, and promotional content, also personalized/of specific interest based on the information obtained from the activity referred to in point 3 above ii) send newsletters and invitations to events and initiatives. The provision of data is not mandatory, and processing requires the data subject’s consent, which can be revoked at any time without prejudice to the processing carried out before the revocation.
10. Website management (statistical analysis). The provision of personal data is not mandatory, and the related processing does not require consent due to the legitimate interest of the Controller, pursuant to Article 6(1)(f) GDPR, in managing its website.
11. Personnel selection and recruitment activities. The provision of personal data is not mandatory, but refusal to provide it may prevent the Controller from evaluating the data subject's professional profile for the purpose of establishing a working relationship. The related processing does not require the data subject’s consent for the execution of pre-contractual measures adopted at the request of the data subject, pursuant to Article 6(1)(b) GDPR.
12. Communication of candidate data to Group Companies for their personnel search and selection purposes. The related processing requires the data subject’s consent, which can be revoked at any time without prejudice to the processing carried out before the revocation.
13. Judicial defense: if necessary to ascertain, exercise, or defend one's rights in judicial proceedings. The provision of personal data is mandatory, and the related processing does not require consent due to the legitimate interest of the Controller, pursuant to Article 6(1)(f) GDPR.
14. Sending marketing newsletters to the email address provided by the data subject in the appropriate section of the site. The provision of data is optional, and processing requires the data subject’s consent, which is necessary to receive the newsletter service from the Controller.
4. Location and Method of Processing Personal Data
In relation to the purposes mentioned above, the processing of personal data is carried out using manual, computerized, and telematic tools, with logic strictly related to the purposes themselves and, in any case, in a way that ensures the security and confidentiality of the data. Cooder will process the personal data of the data subject exclusively with technical personnel assigned to such processing, using predominantly automated and computerized methods, suitable for ensuring, in relation to the purposes for which the data are processed, the security and confidentiality of the data, as well as preventing unauthorized access to them. Cooder does not carry out automated decision-making processes.The processing of the collected data takes place at Cooder's offices and the offices of service providers identified and appointed, if necessary, as data processors pursuant to Article 28 of the GDPR.The data collected and processed on the website are stored in the CRM shared by the Group Companies, which resides on HubSpot's server located in Europe ("HubSpot CRM").
5. Retention of Personal Data
The personal data of the data subject will be retained only for the time necessary to achieve the purposes for which they are collected, in compliance with the principle of data minimization pursuant to Article 5.1.c) of the GDPR.In particular, regarding processing for marketing purposes, the data will be processed and retained until the consent is revoked by the data subject. In any case, the data subject may always request the interruption of the processing or the deletion of their data, as provided below.The Controller may retain certain data even after the end of the relationship, depending on the time necessary to manage specific contractual or legal obligations, as well as for administrative, fiscal, and/or contributory purposes, for the period of time required by current laws and regulations, as well as for the time necessary to assert any rights in court.In any case, the data will be processed not only in compliance with current legislation but also according to the principles of confidentiality to which the Controller has always adhered.The retention times will vary depending on the type of data processed, but in general, Cooder refers to the following criteria to determine the retention period:
If there is a legal or contractual need to retain the data.
If the data are necessary to provide its services.
6. Categories of Subjects to Whom Data May Be Communicated
The Controller may disclose the personal data of the data subject to third parties in compliance with legal obligations and to service providers who will act as independent controllers or will be appointed as processors pursuant to Article 28 of the GDPR, where they process data on behalf of the Controller. These are essentially included in the following categories, by way of example and not exhaustively:
entities that perform banking services, including those involved in payment systems;
persons, companies, associations, or professional firms that provide services or assistance and consultancy to the Controllers, particularly but not limited to, accounting, administrative, legal, tax, financial, and commercial matters;
commercial, marketing, legal partners, technical service providers and/or software platforms, system administrators, hosting providers, IT companies, communication agencies;
entities that carry out control, auditing, and certification of the activities carried out;
Group Companies that provide IT services (e.g., they make the HubSpot CRM available or provide support, maintenance, assistance, and development activities for the HubSpot CRM itself);
all Group Companies, only if the data subject has given their consent for the purposes of points 9) and/or point 12) of paragraph 3 above;
all Group Companies, only if necessary to fulfill a request made by the data subject as indicated in point 4) of paragraph 3 above.
An updated list of the names of the entities to whom the personal data of the data subjects may be communicated and/or transferred is available at Cooder by contacting us at: [email protected].
7. Transfer of Data Outside the EU
The possible transfer of data to third countries outside the EU for the purposes indicated in paragraphs 3 and 4 above may occur, in compliance with the methods permitted by current law and in particular based on the provisions of the GDPR: i) Article 44 - General principle for the transfer; ii) Article 45 - Transfer based on an adequacy decision; iii) Article 46 - Transfer subject to appropriate safeguards; iv) Article 49 - Derogations for specific situations.The data of the data subject are shared, with specific consent, with the Group Companies in the HubSpot CRM. Among the Group Companies is Kipcast Corp., located in Canada. The transfer of data to this company is guaranteed by the European Commission’s Adequacy Decision 2002/2/EC of 20 December 2001, pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by Canadian law on the protection of personal information and electronic documents.
8. Data Subject's Rights
Under Articles 15-22 of the GDPR, data subjects are granted specific rights. In particular, the data subject may obtain from the Controller: access, rectification, deletion, restriction of processing, revocation of consent, as well as the portability of their data. The data subject also has the right to object to the processing for legitimate reasons and/or for commercial purposes.The Controller is committed to responding to the data subject as soon as possible after verifying their identity where necessary.In the event that the right to object is exercised, the Controller reserves the right not to comply with the request, and therefore to continue the processing if there are compelling legitimate reasons for doing so that override the interests, rights, and freedoms of the data subject.As for marketing purposes, the data subject who has given their consent:
may request, at any time and free of charge, to receive communications exclusively through traditional contact methods such as operator-assisted calls;
may object, at any time and free of charge, to the processing of their data for the above purposes. In this case, the right to object to the processing of data through automated contact methods (such as emails and calls without an operator) extends to traditional contact methods (such as operator-assisted calls);
may object, at any time and free of charge, to the processing of data for the above purposes only in part, expressing a choice regarding the contact methods.
The rights referred to above may be exercised by sending a written communication to the Data Controller at the following email address: [email protected].The data subject is informed that, pursuant to Article 12 of the GDPR, if the data subject's requests are manifestly unfounded or excessive, particularly due to their repetitive nature, the Controller may: a) charge a reasonable fee based on the administrative costs incurred to provide the information or communication or to take the action requested; or b) refuse to comply with the request.The data subject also has the right to file a complaint with the Data Protection Authority.
9. Links to Other Websites
The site may contain links to other websites. However, once the data subject has used these links and leaves this site, Cooder will have no control over the other websites. Cooder will not be in any way responsible for the protection and confidentiality of the information provided while visiting such other sites. It is recommended to carefully read the privacy policy applicable to the site in question.
10. Changes to This Privacy Policy
Cooder reserves the right to make changes to this privacy policy at any time, notifying the data subjects on this page. If the data subject does not accept the changes made to this privacy policy, they are required to cease using this site and may request that Cooder delete their personal data.
Last updated: 29/02/2024
