GDPR

GENERAL INFORMATION ABOUT PERSONAL DATA PROCESSING

(Pursuant to art. 14 of the Regulation (EU) 2016/679 and to art. 7 and 13 of the Code for the protection of personal data).

Pursuant to art. 14 of the Regulation (EU) related to the protection of physical persons in terms of personal data processing, and to the free circulation of same which abrogates the directive 95/46/CE (General Regulation about data protection – below also named “Regulation”) and to art. 7 and 13 of The Code for the protection of personal data, NUMERO BLU SERVIZI S.P.A. – Legal and Administrative Residence in Via di Monte Carmelo, 5 – 00166 Rome, P.IVA (VAT)/C.F./R.I. RM 08898571008 – R.E.A. 1125501, Social Capital: 120.000 Euro, fully paid up, provides the following “Information regarding the processing of personal data not obtained by the person concerned”:

Controller of processing: NUMERO BLU SERVIZI S.P.A., Legal and Administrative Residence in Via di Monte Carmelo, 5 – 00166 Rome, P.IVA (VAT)/C.F./R.I. RM 08898571008 – R.E.A. 1125501, Social Capital: 120.000 Euro, is the Controller of the personal data of the persons concerned, for the supplying – on behalf of third parties – of contact center outsourcing services, back-office type services, and inbound and outbound call center services. The employees – who work under the direct authority of the Controller – have been appointed “Persons in charge of” and received to this end appointments and operating instructions. For the purpose of processing users personal data, Numero Blu Servizi S.PA will also use External and Internal Persons Responsible for the data Processing. Any information and request referred to the complete list of the Persons Responsible for the Processing and of the Persons in charge of the Processing can be forwarded contacting the assistance service by phone at 800120412, or writing to: privacy@numerobluservizi.it.

Responsible for Data Protection: pursuant to art. 37 of the Regulation, Numero Blu Servizi S.p.A appointed Mrs. Kathryn La Rocca, email kathryn.larocca@numeroblu.it, as Responsible for Data Protection.

Purpose of the Processing: The personal data of the persons concerned are treated, collected registered and filed in the IT archives of the Data Controller in order to deliver: i) outsourcing services on behalf of third parties, contact center services, back-office type services, inbound and outbound services, also for the purpose of carrying out activities of fees and debt collection as well as telemarketing activities for strategic sectors such as bank, pharmaceutical, energy & utility, public administration, home shopping, health, petroleum, no profit areas; and ii) market and statistical research, and direct marketing services.

Lawfulness of the Processing: The personal data of persons concerned are processed in a lawful and correct way, in order to pursue the Data Controller legitimate interest, ex art. 6, paragraph 1, lett. f) of the Regulation, in respect of the interests, rights and freedom of the person concerned.

Juridical Base of Processing: The Juridical Base of the data processing for those concerned is given by the legitimate interest of the Data Controller, pursuant to art. 6, paragraph 1, let. f) of the Regulation, to execute the service contracts commissioned by third parties, which include direct marketing activities, market & statistical researches, together with contact center, outbound, inbound and back-office services, always in respect of the fundamental interests, rights, and freedom of the person concerned.

Type of data processed: Numero Blu Servizi S.p.A can process the following data for the persons concerned:

– “Personal data”: that allow the direct or indirect identification of the person concerned, such as biographical data, ID numbers such as fiscal code, client code, etc.; residence /location data; contact data, such as telephone numbers, and/or emails, etc.;

Modality of Processing: personal data are mainly processed through IT and telematic systems. It is also possible that data are processed in paper format. In any case, the Data Controller adopts systems suitable to ensure the data maximum safety and confidentiality, in respect of the purposes pursued, and of the safety measures mentioned in the Attachment B of privacy code, of Guarantor prescriptions for personal data protection and of the art 32 of the Regulation (EU) 2016/679 which include strong authentication measures for the IT authentication of the persons in charge, and measures suitable to protect data from the risk of acquisition – even fortuitous – by subjects not legitimate to their treatment, specifically through the use of adequate encryption techniques. In terms of data transmission, all the network components are carefully configured, in order to avoid any not allowed access to information. Encryption systems are defined before the transposition of information storage systems. The access to data is allowed through information systems intended for the treatment of same through a log-system which records accesses and operations on data, saving the log files for a period regulated according to the purposes pursued.

Processing location: Personal data of persons concerned are processed in Italy at the main headquarter of the Data Controller, as well as in its secondary locations. Moreover, the processing can occur at the Italian location of the external persons Responsible for the processing, appointed for this purpose. The processing is managed exclusively by technical staff in charge of the processing itself or by possible persons in charge of occasional maintenance operations.

Recipients of data: Personal data might be communicated by the Data Controller exclusively to third parties customers for possible contact center, back-office, inbound and outbound services, for purpose of debt collection, direct marketing, market and statistical research; to companies connected and/or controlled by the Company, companies, consortia and/or other legal entities to which the Company participates as partner, that therefore may become aware of the data as Owners, Responsible or Appointed persons. Data won’t be spread apart from the specified recipients, except for public police and authorities, in case this is imposed by a legal obligation.

Data retention period: Personal data are processed within the limits of the professional services carried out, in outsourcing on behalf of third parties, by the Data Controller in accordance with the Purposes of Processing pursued, in respect of the relevance and non-excess principle; the data will be then deleted and/or anonymised through a “pseudonymization” process, as required by the Regulation.

Transfer of data abroad:

The Data Controller does not transfer personal data to a recipient in a third country or to international organizations.

Rights of Persons Concerned:

Transparent Communication: Pursuant to art. 7 of personal data protection Code and to art. 15 -22 and 34 of the Regulation, contacting the Data Controller of NUMERO BLU SERVIZI S.p.A. (ph. 800120412) or writing to privacy@numerobluservizi.it, the Persons concerned can receive all the necessary information relevant to the processing in a concise, transparent, intelligible and easily accessible way, with a clear and simple language, particularly in case of information intended specifically for minors. Information is provided in writing or through other means, even – if applicable – electronically. If requested by the person concerned, information can be provided orally, if the identity of the person is proven through other means. The Data Controller cannot refuse to satisfy the person concerned request in order to exercise his/her rights, unless the Controller proves that it is not possible to identify the person concerned.

The Data Controller provides to the person concerned the information relative to the action taken about a request, without unjustified delay and in any case at the latest within one (1) month after having received the request itself.

Except for what prescribed by art. 12, paragraph 5 of the Regulation, information is given free of charge.

Without prejudice to the Data Controller of requiring any documents attesting to the identity of the person requesting the information pursuant to art. 7 of the Privacy Code and art 12-22 and 34 of the Regulation, in case there are reasonable doubts about the identity of the physical person who presents the requests, pursuant to the above mentioned applicable regulatory requirements.

Right of access: The person concerned expressly takes note that he/she has the right to obtain the indication:

  • of the origin and category of their personal data;

  • of processing purposes and modalities;

  • of the logic applied in case of processing through electronic tools;

  • of the identification details of the Controller, of the people in charge and of the designated representative;

  • of the subjects or of the categories of subjects to whom the personal data have been or will be communicated, particularly if recipients of third countries or international organizations , or who can get to know them as representative designated in the territory of the State, of persons in charge of or appointees;

  • of the foreseen personal data retention period, or – if it’s not possible – the criteria used to determine that period;

  • the data update, correction or – in case of interest – integration;

  • the personal data deletion or the restriction of the processing of the relevant personal data, or the opposition to their processing;

  • the transformation into an anonymous form or the block of data processed in violation of the law, included those for which the retention is not necessary for the purposes for which data have been collected or subsequently processed;

  • of knowing all the information available about the data origin;

  • the existence of an automated decision-making process, including profiling, meaningful information about the logic, and the importance and the foreseen consequences of such processing for the person concerned.

The Data Controller provides a copy of the personal data subjected to processing. In case of additional copies possibly requested by the person concerned, the Data Controller may charge a reasonable expense contribution based on the administrative costs. If the person concerned presents the request through electronic means – and unless otherwise indicated by the person concerned – information is provided in electronic format in common use.

The Person concerned always has the right of making a complaint to Guarantor for the protection of personal data.

In case the personal data are transferred to a third country or to an international organization, the person concerned has the right of being informed of the existence of adequate guarantees, pursuant to the EU Regulation 2016/679.

Right to data correction: The Person concerned has the right of obtaining by the Data Controller the correction of incorrect personal data without unjustified delay, as well as the integration for incomplete personal data.

Right to data cancellation: The Person concerned has the right of obtaining by the Data Controller his/her personal data cancellation without unjustified delay, and the Data Controller is obliged to cancel without unjustified delay the personal data – if the conditions foreseen by the Regulation, by the Privacy Code and by the Privacy Guarantor measures subsist.

Right to Data Processing Restriction: The Person concerned has the right of obtaining by the Data Controller the restriction of data processing when one of the following hypothesis occurs: a) the person concerned contests the exactness of his/her personal data, for the time necessary to the Data Controller to verify the exactness of those data; b) the data processing is illicit and the person concerned opposes to the cancellation of his/her personal data and asks – instead – that its use is restricted; c) although the Data Controller does not need them for processing purposes, personal data are necessary to the person concerned for the ascertainment, the exercise or the defense of a right in court; d) the person concerned opposed to the data processing pursuant to art. 21, paragraph 1 of the Regulation, awaiting the verification about the possible prevalence of Data Controller legitimate reasons vs. those of the person concerned.

Right to data portability: The Person concerned has the right to receive in a structured format – of common use and readable from an automatic tool – the personal data that concern him/her and has the right to transmit those data to another Data Controller without any impediments by the Data Controller to whom the data have been provided.

Right to opposition: The Person concerned has the right to oppose at any time – for reasons depending on his/her particular situation – to his/her personal data processing, included their profiling. The Data Controller refrains from further processing the personal data unless it can be demonstrated the existence of cogent legitimate reasons for proceeding to their processing that prevail on interests, rights and freedoms of the person concerned, or for the ascertainment, the exercise or the defense of a right in court. If personal data are processed for direct marketing purposes, the person concerned has the right to oppose at any time the processing of his/her personal data carried out for this purpose, including the profiling in so far as it is connected to such direct marketing, i.e. any data processing aimed to send advertising material or direct sale or for carrying out market researches or commercial communication.

Safety

The Data Controller ensures the safety of Users personal data, in compliance with art 31 and following of the Privacy Code and of the Attachment B of same, and art. 32 of the Regulation.

Principles of relevance and non-excess of processing.

The personal data of the person concerned will be treated according to the principle of relevance and non-excess in relation to the objectives pursued. Personal data will be stored for the strictly necessary time to the objectives pursued with the processing of same.

Persona data source

The Controller can process in its archives the personal data of the persons concerned provided by third parties customers of outsourcing contact center services, back-office services, inbound and outbound services, as well as direct marketing, market and statistical research services; moreover these data may derive from publicly available sources.

Ban on Profiling

Personal data of persons concerned are neither subject of profiling nor processing through an automated decision-making process.

Right to Complaint

The Person concerned expressly takes note that the data processing carried out by the Processing Controller is subjected to the control of the Guarantor for the protection of personal data, to whom it is possible to address any complaint about the data collection, management and processing in accordance with the Regulation, with the personal data protection Code and with the regulatory provisions of the Guarantor itself.

Click here to get the file for the exercise of the rights.