CLIENTS’ PERSONAL DATA PROCESSING POLICY

under Article 13, Regulation (EU) 2016/679 (“GDPR”)

 

LUISE ASSOCIATES SICILY SRL as the Data Controller would hereby like to inform you that, in accordance with Article 13, Regulation (EU) 2016/679 (“GDPR”), the personal data of the Person Concerned (if it is a natural person or a sole proprietorship), of its associates, employees or representatives (hereinafter referred to as “Data Subjects”) acquired for carrying out the negotiations concerning the existing contract (hereinafter the “Contract”) between the Data Controller and the counterpart of the Contract (hereinafter, the “Client”) and while running it and its connected activities, will be treated in compliance with this Policy on Personal Data Processing.

Personal Data shall be processed in full compliance with the principles of fairness, lawfulness and transparency and with the rights and secrecy of the Data Subjects.

 

DATA CONTROLLERS AND JOINT DATA CONTROLLERS

LUISE ASSOCIATES SICILY SRL is the company that shall process your personal data for the purposes stated in this Policy and shall therefore take on the role of Data Controller, according to the relative definition contained in Article 4, point 7 of the Regulation.

The Company is based in VIA F. CARACCIOLO, 13 – 80122 NAPOLI (hereinafter referred to as the “Data Controller”) and can be reached at the following e-mail address: [e-mail address not shown]

 

The Data Controller shall cooperate with the following companies, which, along with the Data Controller, represent the LUISE entrepreneurial group. They shall, therefore, act as Joint Data Controllers, which means “two or more societies that jointly determine the purposes and means of processing” as laid down in Article 26 of the Regulation (EU):

  • LUISE GROUP SRL based in VIA F. CARACCIOLO, 13 – 80122 NAPOLI
  • JOSEPH LUISE & SONS SRL based in VIA F. CARACCIOLO, 13 – 80122 NAPOLI
  • LUISE INTERNATIONAL SRL based in VIA F. CARACCIOLO, 13 – 80122 NAPOLI
  • OCEANO MARE GROUP SRL based in PIAZZA G. BOVIO, 22 – 80133 NAPOLI
  • LUISE ASSOCIATES SRL based in VIA F. CARACCIOLO, 13 – 80122 NAPOLI
  • LUISE ASSOCIATES ROME SRL based in VIA F. CARACCIOLO, 13 – 80122 NAPOLI
  • MARINE DI ISCHIA SRL based in VIA F. CARACCIOLO, 13 – 80122 NAPOLI
  • AEOLIAN YACHT SERVICES SRL based in VIA T.M. AMENDOLA – 98055 LIPARI (ME)
  • LUISE ASSOCIATES ADRIATIC SRL based in VIA F. CARACCIOLO, 13 – 80122 NAPOLI
  • LUISE ASSOCIATES PUGLIA SRL based in VIA F. CARACCIOLO, 13 – 80122 NAPOLI
  • LUISE ASSOCIATES & CO. RIVIERA SRL based in VIA DEL CASTILLO, 17 – 18038 SANREMO (IM)
  • SYTEX SRL based in VIA F. CARACCIOLO, 13 – 80122 NAPOLI
  • LUISE SERVICES COMMUNICATIONS SRL based in VIA F. CARACCIOLO, 13 – 80122 NAPOLI
  • T.I. (LUISE INTERNATIONAL SRL - PESTO SRL) based in VIA F. CARACCIOLO, 13 – 80122 NAPOLI
  • CAPRI YACHT SERVICES SRL based in VIA ROMA, 53 – 80073 CAPRI (NA)
  • PONZA YACHT SERVICES SRL based in VIA LUNGOMARE CABOTO, 77 – 04024 GAETA (LT)
  • PORTO ANTICO DI STABIA SRL based in VIA G. BONITO, 20 INT. PORTO – 80053 CASTELLAMMARE DI STABIA (NA)
  • ATI MEETING POINT DEL PORTO TURISTICO DI CAPRI based in VIA TITO MINNITI, 2 – 80073 ANACAPRI (NA)

 (hereinafter jointly with the “Data Controller”, the “Joint Data Controllers”).

 

Joint Data Controllers have entered into a Joint Ownership Agreement under Article 26 of the Regulation (EU), whereby they committed to:

  • jointly determining some purposes and methods of processing data collected for the purposes stated in this Policy;
  • jointly determining, in a clear and transparent manner, the procedures to allow the Data Subjects to promptly receive a response in case they want to exercise their rights as provided for by Articles 15, 16, 17, 18 and 21 of the Regulation (EU), and in the case of data portability pursuant to Article 20 of the Regulation (EU) as more accurately described further on in this Policy;
  • jointly defining this Policy in the parts of common interests, pointing out all the information laid down by the Regulation (EU).

 

The Joint Ownership Agreement duly reflects the respective roles and the relationships of the Joint Controllers with the Data Subjects. The essential content of the Agreement shall be made available to interested Data Subjects upon written request, to be sent to the Data Controller or any of the Joint Data Controllers at the addresses indicated in this Policy. Irrespective of the terms of the Agreement, the Data Subjects can exercise their rights under Regulation (EU) in respect of and against each of the Data Controllers.

 

Joint Data Protectors have proceeded to make the appointments as Data Processor, where necessary, in accordance with the legislative framework currently in force. The full list of the Data Protectors is available upon written request, to be sent either to the Data Controller or to any of the Joint Controllers at the addresses indicated in this Policy.

 

In order to facilitate the relationships between the Data Processor and/or the Joint Data Processors, Luise Group has established a Privacy Office which, among other tasks, is entitled to act as a contact point for Data Subjects.

Data Subjects can freely contact the Privacy Office for all matters concerning their Personal Data and/or if they wish to exercise their rights as laid down by this Policy. They can send an e-mail to [e-mail address not shown] or a written request to the Data Processor or any of the Joint Data Processors at the corresponding addresses previously mentioned.

 

PERSONAL DATA COLLECTION

Data Protector gathers and manages the following Personal Data of the Data Subjects (hereinafter, jointly, the “Data”):

  • personal details (e.g. name, surname, date of birth, fiscal code and suchlike);
  • contact information (addresses, phone numbers, e-mail addresses and suchlike);
  • accounting information (fiscal data, financials, bank details and suchlike).

Data undergoing processing are directly provided by Data Subjects.

 

PURPOSES OF DATA PROCESSING

Personal data of Data Subjects are processed for the following purposes (Contractual and Legal):

  • to enable the performance of the contract with the Client and the fulfilment of contractual and pre-contractual obligations resulting from the relationship to which the Client is a party;
  • to provide customer care services;
  • for the administrative management of the Client, including registry, orders, contracts, and invoice management activities as well as the relative keeping of the accounting records;
  • for debt management and litigation management aimed at protecting the Data Protector’s rights with respect to the Client and third parties;
  • to fulfil any legal and statutory obligation.

 

NATURE OF DATA PROVISION AND LEGAL BASIS

Data undergoing processing are directly provided by the Client; Data provision and processing are mandatory for:

  • Contractual purposes, as they are necessary to the performance of the contract with the Client;
  • Legal purposes, as they are required by community laws, regulations and legislation.

If the Client does not want its data to be processed for the aforementioned purposes, it shall not be possible for the Data Controller to conclude a contractual relationship with the Client.

 

DATA PROCESSING METHODS AND DATA RETENTION

Data are processed for the pursuit of the purposes stated in this Policy in either paper, computerised or telematic form. They are integrated into the corporate databases (e.g. customer list, administrative databases, etc.) through retention, registration, organisation, structuring, conservation, consultation, utilisation, elaboration and comparison operations.

 

Furthermore, Data shall be:

  • processed fairly and lawfully;
  • collected and recorded for specific, explicit and legitimate purposes and in such a way as to ensure confidentiality and security;
  • relevant, complete and not exceeding the purposes of Data collection and processing;
  • retained for a period that shall not exceed the necessary time required by the purposes of collection and processing.

 

Data shall be processed by the Data Controller and/or by the Joint Controllers for the period of time necessary to fulfil the purposes for which they were collected in the first place, in compliance with the abovementioned paragraph “Purposes of Data Processing”. In all cases, the following Data retention periods are applied to the Data Processing for the purposes stated below:

 

  • Data collected for Contractual Purposes shall be stored for the duration of the contract and for 10 years after the expiry of the contract for defence purposes and/or to assert a right of the Data Controller both in and out of court, in case of any dispute related to the performance of the contract;
  • Data collected for Legal Purposes shall be stored for a period of time that equals the duration prescribed by the Law for each type of data.

 

SCOPE OF DATA COMMUNICATION AND DISSEMINATION

Data might be shared by the Data Controller, for the purposes referred to by the previous paragraph and within the strictly necessary limits required to carry out each type of processing, with one or more specific subjects belonging to the following categories:

  • as persons in Charge of the Processing - Data Controller’s employees and/or collaborators belonging to - but not limited to - the sale offices, technical support, administration office, etc., as part of their duties and/or possible contractual obligation regarding the commercial relationships with the Client;
  • as Data Processors to carry out all the activities related to the performance of the contracts with the Client - legal counsel or law firms, administrative or accounting firm, Data Controller’s suppliers (as, for instance, electronic tools suppliers, external professional collaborators, etc.);
  • as Independent Data Controllers - bank and insurance offices managing receipts and payments as well as commercial information societies for credit protection, public authorities for the fulfilment of normative obligations; law enforcement and judicial authorities to deal with the pertaining requests;
  • as Joint Data Controllers - societies belonging to Luise Group, entitled to supervise the activities related to the performance of existing contractual relations, to data processing and management as well as payment and credit management.


Under no circumstances shall the Data Controller disseminate the Data.

 

TERRITORIAL SCOPE OF DATA PROCESSING

Data shall be processed by the Data Controller and/or the Joint Controllers solely within the EU borders.

If, for technical and/or operational reasons, it is deemed necessary to consult subjects located outside the European Union, such subjects shall henceforth be nominated Data Processors for the purposes of and in accordance with Article 28 of Regulation (EU).

Data transfer to the abovementioned subjects, limited to specific processing purposes, shall be regulated in accordance with the provisions of Chapter V of the Regulation (EU). All necessary precautions shall be taken to ensure comprehensive Data protection.

The transfer shall therefore be based on:

  • decisions made by the European Commission on the adequacy of third recipient countries, as provided for in Article of Regulation (EU);
  • appropriate safeguards expressed by the third recipient subject as provided for in Article 46 of Regulation (EU);
  • binding corporate rules in accordance with Article 47 of Regulation (EU).


If Personal Data have been processed outside the European Union, the Data Subject is entitled to ask the Data Controller or any of the Joint Controllers for further details by requesting evidence of the specific safeguards adopted.

 

RIGHTS OF THE DATA SUBJECT

Throughout the period in which the Data are owned by the Data Controller and/or the Joint Controllers, Data Subjects are allowed to obtain - at any time and free of charge, just by contacting the Data Controller or any of the Joint Controllers - the list of the Data Processors and the details of the subject categories to whom the Data have been or will be disclosed.

 

Data Subjects can also exercise the following rights:

  • Right of access – to obtain confirmation as to whether or not their personal data are being processed, and where that is the case, to access the personal data and all information related to the Processing; to obtain information about the Data source, processing, purposes and modalities as well as the logic applied to such processing which is carried out through electronic tools;
  • Right to rectification – to ask for the update, rectification or, where desired, the integration of Data;
  • Right to erasure – to obtain the erasure, the transformation in anonymous form or the blocking of Data processed unlawfully as well as to oppose the processing for legitimate reasons;
  • Right to withdraw the given consent – to withdraw, at any time, the consent to the Data Processing without prejudice to the lawfulness of the treatment based on the consent given before the revocation.

 

In addition to the abovementioned rights, at any time and within the limits of the Regulation (EU), Data Subjects have the right to:

  • ask for restriction in Data Processing if: they contest the accuracy of the Data, for the period of time required to verify such correctness; the processing is unlawful and the Data Subjects oppose the erasure of the Data and request the restriction of their use instead; the controller no longer needs the Data for the purposes of the processing but they are required by the Data Subjects for the establishment, exercise or defence of legal claims; Data Subjects have objected to processing pursuant to Article 21, paragraph 1, pending the verification whether the legitimate grounds of the Controller override those of the Data Subjects;
  • object to processing of personal Data at any time;
  • ask for the erasure of Data concerning them without undue delay;
  • obtain the portability of Data concerning them;
  • lodge a complaint with the European Data Protection Supervisor, should the conditions apply.

 

AMENDMENTS AND UPDATES

This Privacy Policy is valid from: “Update April 2019”.

Joint Data Controllers will be able to amend and/or supplement parts of this Policy, also as a result of potential future legal amendments and/or additions to Regulation (EU).

Any amendment shall be notified in advance and shall be made available through the communication channels of the Joint Data Controllers’ companies, that is to say, on their websites.