Information on the processing of personal data
In compliance with the obligations set out in Articles 13 and 14 of European Privacy Regulation EU/2016/679 (GDPR), we hereby wish to inform you about the processing of personal data collected by us, freely provided by you and/or communicated to Oikos Paint Srl by other parties.
Types and purposes of processing, legal basis and retention periods
If you are a user or browse the website
While browsing and using the Company Website, certain information may be collected and processed exclusively for security purposes and to improve the service offered.
If you browse the company websites (oikos-group.it), the information collected mainly concerns interactions with the website, statistics on the pages visited by the user, date and time of access, and the technology used by the user. Information relating to the user's source page and destination page may also be collected.
Furthermore, certain information is collected automatically, in anonymous, aggregated and pseudonymized form, using cookies and similar technologies while browsing the website.
You can read more about our use of cookies in our “Cookie Policy”.
Processing 1
Purpose
Proper operation, management, maintenance, security and improvement of the website, the e-commerce platform and the IT infrastructure.
Legal basis
Processing is necessary for the pursuit of the Data Controller's legitimate interest in the security and maintenance of the IT and web infrastructure (Article 6(1)(f) GDPR).
Retention period
For the period strictly necessary to pursue the purpose.
Processing 2
Purpose
Processing of statistical data for market research purposes.
Legal basis
Processing is necessary for the pursuit of the Data Controller's legitimate interest, and the data are processed only as aggregated data and without reference to identified users for market research purposes (Article 6(1)(f) GDPR).
Retention period
As these are aggregated data, no retention limit is set.
If you decide to contact us or request information by filling in a form
If you decide to contact us by filling in the forms in the “Contacts” or “Contact us” section of the aforementioned websites, the information collected includes name and surname, residential or domicile address, email address, telephone number, profession, as well as the text freely entered by you.
Processing 1
Purpose
To process requests for information and contact, and to provide assistance and technical and commercial support services submitted by filling in the form in the “Contacts” section.
Legal basis
Processing is necessary for the performance of the service requested by the user or for the establishment and/or performance of the contractual relationship (Article 6(1)(b) GDPR).
Retention period
For the entire duration of the relationship and/or the service offered and, in any case, for a period not exceeding 10 years from its termination.
If you fill in the “Work with us” form
If you contact Oikos to submit an unsolicited application or in relation to available positions, the data processed and collected through the form include, by way of example and without limitation, name and surname, tax code, residential or domicile address, email address, telephone number, curriculum vitae, passport photo, as well as the text freely entered by you.
Processing 1
Purpose
Recruitment and selection of personnel for possible hiring through the completion of the form in the “Work with us” section or receipt of unsolicited applications.
Legal basis
Processing is necessary for the performance of the service requested by the user or for the establishment and/or performance of the contractual relationship (Article 6(1)(b) GDPR).
Retention period
5 years for candidates who have been interviewed but not hired; 24 months for candidates who have not been interviewed.
Processing 2
Purpose
To comply with any obligation provided for by laws, regulations or EU legislation.
Legal basis
Processing is necessary to comply with legal obligations to which the Data Controller is subject (Article 6(1)(c) GDPR).
Retention period
10 years from the termination of the relationship.
Processing 3
Purpose
For the resolution of any legal disputes that may arise during the relationship.
Legal basis
Processing is necessary for the pursuit of the Controller's legitimate interest in protecting itself against contractual breaches or other causes of damage (Article 6(1)(f) GDPR).
Retention period
10 years from the termination of the relationship.
If you are our “Distributor” or “Retailer” customer
If you are our distributor or retailer and a contract is in place, data may be collected and processed when establishing and managing the contractual relationship and may include name and surname, residential or domicile address, registered office, email address, telephone number, tax code and VAT number.
Processing 1
Purpose
For activities related to the establishment, management and continuation of commercial and/or contractual relationships.
Legal basis
Processing is necessary for the performance of the service requested by the user or for the establishment and/or performance of the contractual relationship (Article 6(1)(b) GDPR).
Retention period
For the entire duration of the relationship and/or the service offered and, in any case, for a period not exceeding 10 years from its termination.
Processing 2
Purpose
Communications concerning products and/or services similar to those already purchased or of commercial interest.
Legal basis
These are communications relating to similar services (soft spam) (Article 130, paragraph 4, Legislative Decree 196/2003).
Retention period
Until objection through the link included in each communication.
Processing 3
Purpose
Processing of statistical data on the quality of products or services.
Legal basis
Processing is necessary for the pursuit of the Data Controller's legitimate interest, and the data are processed only as aggregated data and without reference to identified users for market research purposes (Article 6(1)(f) GDPR).
Retention period
As these are aggregated data, no retention limit is set.
Processing 4
Purpose
To comply with any obligation provided for by laws, regulations or EU legislation.
Legal basis
Processing is necessary to comply with legal obligations to which the Data Controller is subject (Article 6(1)(c) GDPR).
Retention period
10 years from the termination of the relationship.
Processing 5
Purpose
For the resolution of any legal disputes that may arise during the relationship.
Legal basis
Processing is necessary for the pursuit of the Controller's legitimate interest in protecting itself against contractual breaches or other causes of damage (Article 6(1)(f) GDPR).
Retention period
10 years from the termination of the relationship.
If you are an applicator, decorator, construction company, architect or architectural firm
If you are one of the subjects listed above and, even if no contract is in place, you interact with Oikos to request information, consultancy or to be updated on our initiatives and activities, data may be collected and processed at trade fairs or events, through the completion of digital forms or at your explicit request, and may include name and surname, registered office, email address and telephone number.
Processing 1
Purpose
To process requests for information and contact, and to provide assistance and technical and commercial support services.
Legal basis
Processing is necessary for the performance of the service requested by the data subject (Article 6(1)(b) GDPR).
Retention period
For the entire duration of the relationship and/or the service provided and, in any case, for a period not exceeding 10 years from its termination.
Processing 2
Purpose
Sending periodic newsletters and communications of commercial and/or technical interest.
Legal basis
Sending periodic newsletters and communications of commercial and/or technical interest requires consent (Article 6(1)(a) GDPR).
Retention period
Until objection through the link included in each communication.
Processing 3
Purpose
Processing of statistical data for market research purposes.
Legal basis
Processing is necessary for the pursuit of the Data Controller's legitimate interest, and the data are processed only as aggregated data and without reference to identified users for market research purposes (Article 6(1)(f) GDPR).
Retention period
As these are aggregated data, no retention limit is set.
Processing 4
Purpose
To comply with any obligation provided for by laws, regulations or EU legislation.
Legal basis
Processing is necessary to comply with legal obligations to which the Data Controller is subject (Article 6(1)(c) GDPR).
Retention period
10 years from the termination of the relationship.
Processing 5
Purpose
For the resolution of any legal disputes that may arise.
Legal basis
Processing is necessary for the pursuit of the Controller's legitimate interest in protecting itself against contractual breaches or other causes of damage (Article 6(1)(f) GDPR).
Retention period
10 years from the termination of the relationship.
If you are our supplier
If you are our supplier, data will be collected and processed when establishing and managing the contractual relationship and may also concern your employees. Specifically, the data collected will relate to company name, name and surname, registered office, email address, telephone number, tax code and VAT number.
Processing 1
Purpose
For activities related to the establishment, management and continuation of commercial and/or contractual relationships.
Legal basis
Processing is necessary for the performance of the service requested by the user or for the establishment and/or performance of the contractual relationship (Article 6(1)(b) GDPR).
Retention period
For the entire duration of the relationship and/or the service offered and, in any case, for a period not exceeding 10 years from its termination.
Processing 2
Purpose
Processing of statistical data on the quality of services.
Legal basis
Processing is necessary for the pursuit of the Data Controller's legitimate interest, and the data are processed only as aggregated data and without reference to identified users for market research purposes (Article 6(1)(f) GDPR).
Retention period
As these are aggregated data, no retention limit is set.
Processing 3
Purpose
To comply with any obligation provided for by laws, regulations or EU legislation.
Legal basis
Processing is necessary to comply with legal obligations to which the Data Controller is subject (Article 6(1)(c) GDPR).
Retention period
10 years from the termination of the relationship.
Processing 4
Purpose
For the resolution of any legal disputes that may arise during the relationship.
Legal basis
Processing is necessary for the pursuit of the Controller's legitimate interest in protecting itself against contractual breaches or other causes of damage (Article 6(1)(f) GDPR).
Retention period
10 years from the termination of the relationship.
If you participate in webinars
If you participate in a webinar, processing will take place mainly or exclusively by electronic means with regard to images and online identification of participants, in compliance with the security protocols established by the Controller through the external Processor.
The platforms used to provide the service require the participant to enter an email address and a nickname.
The email address is communicated during registration to the platform provider and consists of the first-level identifying data needed to access the connection. The nickname is freely chosen by the participant and is shared in the screen area identifying the participant during the conference in the so-called virtual room. When registering for the webinar, the Controller will request consent to process the data provided for marketing activities.
The participant may choose whether or not to deactivate their camera. If they decide to keep the camera active, images of the person shown on video will also be visible to the other participants and may be recorded by the Controller. The same applies to audio resulting from the activated microphone function.
The email identifier and the data requested during registration are conditions for participation. Likewise, it is mandatory to create a nickname, chosen by the data subject, to be associated with the email address. The choice of whether to keep the camera active and to speak during the session is left to the participant.
Processing 1
Purpose
- Provision of on-site courses and related participant registration;
- Preparation of attendance certificates.
Legal basis
Processing is necessary for the performance of the service requested by the user/customer or for the establishment and/or performance of the contractual relationship (Article 6(1)(b) GDPR).
Retention period
Personal data relating to the data subject's webinar registration will be retained for a period of 10 years.
Processing 2
Purpose
Configuration and proper provision of the webinar training service, proper functioning of the platforms used, including identity verification and IT security of the session.
Legal basis
Processing is necessary for the pursuit of the Data Controller's legitimate interest and for the security of the communications for which it is responsible (Article 6(1)(f) GDPR).
Retention period
Data relating to use of the platform, nicknames, chats and session data, as necessary to provide the service, will be retained by the external Processor until the user stops using the platform or until the user and/or the platform administrator deletes the personal data.
Processing 3
Purpose
Recording of images and/or videos of the course, conference or event carried out during webinar meetings for documentary, training or communication purposes.
Legal basis
With regard to the acquisition of images and any audio, the data subject's consent (Article 6(1)(a) GDPR), including implied consent where, in the case of a webinar meeting, after being informed of the start of recording, they do not deactivate the camera and decide to actively participate in the conference. With regard to the use of the nickname (which may coincide with name and surname), the Controller's legitimate interest in not being technically deprived of the possibility of recording the conference in order to avoid capturing participants' nicknames (Article 6(1)(f) GDPR).
Retention period
- 6 years from recording for documentary and training purposes;
- 3 years from recording for communication purposes.
Processing 4
Purpose
- Carrying out direct marketing activities;
- sending periodic newsletters and communications of commercial interest.
Legal basis
Consent is required (Article 6(1)(a) GDPR).
Retention period
Considering the type of product marketed, 5 years from receipt of consent until objection through the link included in each newsletter.
Processing 5
Purpose
Use of the email address registered for webinar courses to send newsletters relating to training courses similar to those already attended.
Legal basis
These are communications relating to similar services (soft spam) (Article 130, paragraph 4, Legislative Decree 196/2003).
Retention period
Until objection through the link included in each newsletter.
Processing 6
Purpose
Processing of statistical data for market research purposes.
Legal basis
Processing is necessary for the pursuit of the Data Controller's legitimate interest, and the data are processed only as aggregated data and without reference to identified users for market research purposes (Article 6(1)(f) GDPR).
Retention period
As these are aggregated data, no retention limit is set.
Processing 7
Purpose
To comply with any obligation provided for by laws, regulations or EU legislation.
Legal basis
Processing is necessary to comply with legal obligations to which the Data Controller is subject (Article 6(1)(c) GDPR).
Retention period
10 years from the termination of the relationship.
Processing 8
Purpose
For the resolution of any legal disputes that may arise during the relationship.
Legal basis
Processing is necessary for the pursuit of the Controller's legitimate interest in protecting itself against contractual breaches or other causes of damage (Article 6(1)(f) GDPR).
Retention period
10 years from the termination of the relationship.
If you participate in training courses at Oikos premises
If you decide to participate in on-site training courses organized by Oikos at one of its premises, during registration you will be asked to provide common personal data such as, by way of example and without limitation, personal details, contact details, type of work performed, name of the reference Oikos retailer, as well as the possibility of video-photographic documentation of the training meetings.
Processing 1
Purpose
- Provision of on-site courses and related participant registration;
- Preparation of attendance certificates.
Legal basis
Processing is necessary for the performance of the service requested by the user/customer or for the establishment and/or performance of the contractual relationship (Article 6(1)(b) GDPR).
Retention period
Personal data relating to course registration will be retained for a period of 10 years from registration.
Processing 2
Purpose
Recording of images and/or videos of the course for documentary, training or communication purposes.
Legal basis
With regard to the acquisition of images and any audio, the data subject's consent (Article 6(1)(a) GDPR), including implied consent where, after being informed at the beginning of the course, they still decide to actively participate in the conference or course.
Retention period
- 6 years from recording for documentary and training purposes;
- 3 years from recording for communication purposes.
Processing 3
Purpose
- Carrying out direct marketing activities;
- sending periodic newsletters and communications of commercial interest.
Legal basis
Consent is required (Article 6(1)(a) GDPR).
Retention period
Considering the type of product marketed, 5 years from receipt of consent until objection through the link included in each newsletter.
Processing 4
Purpose
Use of the email address provided during registration to send newsletters relating to training courses similar to those already attended.
Legal basis
These are communications relating to similar services (soft spam) (Article 130, paragraph 4, Legislative Decree 196/2003).
Retention period
Until objection through the link included in each newsletter.
Processing 5
Purpose
Processing of statistical data on the quality of products or services.
Legal basis
Processing is necessary for the pursuit of the Data Controller's legitimate interest, and the data are processed only as aggregated data and without reference to identified users for market research purposes (Article 6(1)(f) GDPR).
Retention period
As these are aggregated data, no retention limit is set.
Processing 6
Purpose
To comply with any obligation provided for by laws, regulations or EU legislation.
Legal basis
Processing is necessary to comply with legal obligations to which the Data Controller is subject (Article 6(1)(c) GDPR).
Retention period
10 years from the termination of the relationship.
Processing 7
Purpose
For the resolution of any legal disputes that may arise during the relationship.
Legal basis
Processing is necessary for the pursuit of the Controller's legitimate interest in protecting itself against contractual breaches or other causes of damage (Article 6(1)(f) GDPR).
Retention period
10 years from the termination of the relationship.
If you want to know how we use your images
During the provision of services and/or the organization of events or competitions, the Data Controller may carry out video recordings, including voice, and/or photographic recordings, for communication and promotional purposes, including through social networks, or for sharing the projects you submit on the Oikos community.
If, during such recordings, your image is also captured in a way that makes you wholly or partially recognizable, it falls within common personal data.
Before starting such processing, the Controller will provide notice thereof and, if you do not wish to be recorded in any way, you must inform the Controller.
- During public events or events held in public, images will be processed without the need for explicit consent.
- During courses or events, if the recordings do not make recognition possible, they will be processed without the need for explicit consent.
- During courses or events, if the recordings make the data subject recognizable but consent has been expressed and can be inferred from the context, verbal consent will be considered valid.
- For images or videos in which the data subject is the main subject, specific consent will be requested.
In any case, the Controller states that images will not be used in contexts that may prejudice the personal dignity, decorum and safety of the persons portrayed.
Posing and use of images are to be considered services provided free of charge.
Methods of data processing
The processing of personal data is carried out mainly with the support of IT systems, including automated systems, and may consist of the following operations: collection, recording, organization and storage, consultation, use, processing, modification, selection, extraction, comparison, interconnection, transmission, communication, dissemination, erasure, destruction, blocking and restriction.
When carrying out processing operations, all technical, IT, organizational and procedural security measures will always be adopted, so as to ensure the minimum level of data protection required by law.
Who we disclose your data to
The subjects or categories of subjects who may become aware of the personal data or to whom such data may be communicated are the following:
Processors, for example: Oikos product retailers, IT companies and software houses, consultants and consulting firms, freelancers, self-employed workers, agents and representative agencies, transport and logistics companies.
Personal data may also be disseminated, but only in aggregated and anonymous form and for statistical purposes.
For further details, please contact the Data Controller.
Retention and transfer of personal data abroad
Personal data are managed and stored in the cloud and on servers located within the European Union and the European Economic Area, owned by and/or available to the Controller and/or third-party companies duly appointed as processors.
Some services offered by the Controller may use external providers, duly appointed as processors, whose storage takes place outside the EU. In such cases, the Controller will verify compliance on the basis of an adequacy decision or that the transfer is subject to appropriate safeguards.
Rights that may be exercised
In accordance with the GDPR, you may exercise the rights set out therein and, in particular:
You may always request, at any time, from the Data Controller or the Data Protection Officer, a copy of your personal data, information regarding the location where your personal data are processed and an updated list containing the identification details of all Processors and System Administrators authorized to process your data.
At any time, you may freely withdraw the consent given, without any charge and without prejudice to the lawfulness of processing carried out up to that moment, and exercise the following rights of the data subject against the Data Controller as provided for by European Privacy Regulation EU/2016/679: access, rectification, erasure, restriction, objection, portability and complaint to the Data Protection Authority.
Identity and contact details of the Data Controller
Contact details of the Data Protection Officer (DPO)