Privacy Policy

Collaborators and Local Managers

INFORMATION REGARDING THE PROCESSING OF PERSONAL DATA OF INDEPENDENT AND COORDINATED COLLABORATORS, INCLUDING LOCAL MANAGERS, PURSUANT TO ART.13 OF EU REGULATION 2016/679 (GDPR)

With this information, pursuant to the provisions of art. 13 of EU Regulation no. 2016/679 (also called “GDPR”), we wish to inform you regarding the processing of your personal data acquired and processed for contractual and accounting purposes.

1. DATA CONTROLLER

The data controller is Estay s.r.l. with registered office in P.za Deffenu n. 9, 09125 – Cagliari (CA), in the person of its legal representative pro tempore. For any need relating to personal data, the Data Controller may be contacted via ordinary or registered mail delivered to the registered office indicated above, or via e-mail to the address amministrazione@estay.it, or via PEC at estaysrl@pec.net.

The Personal Data Protection Officer (RPD or DPO) is Mr. Giovanni Molinari, who can be contacted via e-mail at dpo@estay.it.

2. CATEGORIES OF PERSONAL DATA SUBJECT TO THE PROCESSING

The Data Controller processes the following categories of personal data relating to the interested party, provided or acquired during the negotiation, stipulation and/or execution of the contractual relationship:

  • Personal identification data: name, surname, tax code;
  • Qualification, professional and possibly academic career, as well as any data reported on thethe course of life of the interested party;
  • Contact and delivery data: e-mail address, telephone number, domicile or different delivery address;
  • Insurance data;
  • Any data relating to the consideration;
  • Bank details, for the payment of the commission;

3. PURPOSE OF THE PROCESSING AND LEGAL BASIS

Personal data is processed for the following purposes:

  1. Stipulation and execution of the contract and any pre-contractual measures at the request of the interested party;
  2. Commission processing and payment;
  3. Possible completion of procedures involving the interested party's insurance company;
  4. Fulfillment of legal, contractual (including collective agreements), administrative, fiscal and insurance obligations connected to the contract, including keeping accounting records;
  5. Maintaining necessary correspondence and communications.

The legal basis of the processing indicated above is the stipulation and execution of the contract or any pre-contractual measures requested by the interested party.

The legal basis of processing relating to obligations expressly provided for by law is the fulfillment of a legal obligation.

The provision of data for the purposes indicated above is instrumental, necessary and mandatory for the purposes of fulfilling legal and contractual obligations and also for the administrative, fiscal and accounting management of the contractual relationship, and therefore any failure to provide such data entails the objective impossibility of establishing, continuing or executing the relationship, or of correctly carrying out all the obligations connected to the relationship.

4. TREATMENT METHODS

The processing of personal data will take place in full compliance with the principles of confidentiality, correctness, necessity, relevance, lawfulness and transparency provided for by the GDPR. The processing and storage of personal data will be carried out using both paper and electronic tools, in compliance with current regulatory provisions. Suitable security measures will be observed to prevent the loss of personal data, illicit or incorrect use of the same or unauthorized access. The data will be processed exclusively by personnel authorized by the data controller who will be given specific instructions on the methods and purposes of the processing.

5. DATA CONSERVATION PERIOD AND CRITERIA

The duration of the processing will correspond to that of the contractual relationship. The data will be kept until the execution of the contract is completed and in any case up to and no later than the maximum term of 10 years from the end of the contractual relationship, as required by law for the purposes of preserving the accounting and non-accounting documentation for the financial year. of the commercial business activity and in compliance with the ordinary limitation period (art. 2220 and art. 2946 c.c.). This is without prejudice to extensions of the aforementioned deadlines due to the management of any disputes, as well as any derogation possibly provided for by Italian or Euro-Community regulations.

6. DATA COMMUNICATION

In addition to any communications required by law or by administrative or judicial authorities, all data collected and processed may be communicated to the following subjects, where necessary appointed external managers of the processing delegated to them, correct appointment and instructions provided in writing pursuant to art. 28, par. 3, GDPR:

  • Employment consultants, accountants and business consultants; companies that provide maintenance or assistance on platforms and applications and/or consultants, also in associated form, for the processing of commissions; specialists in information systems and company electronic devices, as well as their possible collaborators; business and management software providers, as well as providers of communication services such as email.

6.1. Data transfers to third countries

The Data Controller does not foresee transfers of personal data outside the European Economic Area. However, the data processed through the software and service providers listed below may transit through servers located outside the EEA.

Below are the links to which this Data Controller refers for consultation of the measures adopted by suppliers to adapt the protection of personal data to the standards required by the GDPR.

- Microsoft Corporation, with reference to servers located in the United States of America:

https://privacy.microsoft.com/it-it/privacystatement; https://privacy.microsoft.com/it-IT/; https://www.microsoft.com/it-it/trust-center/privacy?rtc=1; https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWRql1?culture=it-it&country=IT

(see attachment:Compliance with EU transfer requirements for personal data in the Microsoft Cloud).

- Google Ireland Limited, with reference to the email serviceGmail, equipped with servers located all over the world:

https://policies.google.com/privacy#inforetaining; https://policies.google.com/privacy/frameworks.

In this regard, it is noted that both Microsoft Corporation and Google Ireland Limited adhere to the FrameworkData Privacy Framework developed by the United States of America and the European Commission and declared adequate by the latter on 10 July 2023.

 

7. RIGHTS OF THE INTERESTED PARTY

At any time the interested party can exercise, pursuant to the articles. 15 et seq. of the GDPR 2016/679, the right to:

  • Access (art. 15 EU Regulation no. 2016/679);
  • Correction (art. 16 EU Regulation no. 2016/679);
  • Cancellation (art. 17 EU Regulation no. 2016/679);
  • Limitation (art. 18 EU Regulation no. 2016/679);
  • Portability (art. 20 EU Regulation no. 2016/679);
  • Opposition to processing (art. 21 EU Regulation no. 2016/679);
  • Revocation of consent to processing, if based on this legal basis, without prejudice to the lawfulness of the processing based on the consent acquired before the revocation (art. 7, par. 3 EU Regulation no. 2016/679);
  • Submit a complaint to the Guarantor Authority for the Protection of Personal Data and/or appeal to the competent Judicial Authority (articles 77 and 78 of EU Regulation no. 2016/679).

7.1 Details on the right to access data

The interested party has the right to obtain confirmation from the Data Controller as to whether or not personal data concerning them is being processed. Furthermore, where such processing is underway, the interested party has the right to obtain access to their personal data and the following information: purpose of the processing(s); categories of personal data processed; recipients or categories of recipients to whom the personal data have been or will be communicated; data retention period or criteria for determining this period; existence of the interested party's right to request rectification or deletion of personal data, or limitation of the processing of personal data concerning him/her; right to object to processing (where the right to object is provided for); right to portability.

The Data Controller is required to respond within one month from the date of receipt of the request, a period which can be extended up to three months in the case of particular complexity of the request.

7.2 Details on the right to complain

The interested party has the right to lodge a complaint with the Supervisory Authority. For further information on the right to lodge a complaint, please consult the institutional website of the Privacy Guarantor: www.garanteprivacy.it.

 

To exercise his rights and for any need relating to the processing that concerns him, the interested party can contact the Data Controller and the DPO by contacting them at the addresses indicated in par. 1.