INFORMATION ON THE PROCESSING OF PERSONAL DATA – CUSTOMERS

Dear Customer,
Pursuant to and in compliance with Articles 13 and 14 of Regulation (EU) No. 679/2016, General Data Protection Regulation (hereinafter “GDPR”) and in accordance with the provisions of Legislative Decree No. 196/2003 as amended by Legislative Decree No. 101/2019 (hereinafter “Code”), we inform you of how we collect, communicate, and protect your personal data provided by you and acquired in connection with contracts and/or pre-contractual contacts. This data will be processed, including with the aid of electronic means, directly by Pentatech Srl (hereinafter “Company” or “Data Controller”) and/or through third parties, for the purposes set out below.
This policy applies to the personal data of individuals acting on behalf of suppliers (e.g., owners, directors, representatives, employees).

SECTION 1: OUR PRINCIPLES
The Company is committed to respecting your privacy. Privacy, security, and compliance with applicable data protection laws are important to us. Everything we do is designed to ensure the protection of you and the personal data you provide.

SECTION 2: DATA CONTROLLER
The data controller is Pentatech Srl, located at Via dell’Industria, 21, 48017 Conselice (RA). For any inquiries regarding the processing of your personal data, you can contact the Data Controller at the following email address: pentatech@pentatechsrl.it, or send a written request to Pentatech Srl, Via dell’Industria, 21, 48017 Conselice (RA).

SECTION 3: CATEGORIES OF PERSONAL DATA PROCESSED
The Data Controller may process the following categories of personal data:

  • Identification and personal data: name, surname; identification data of the person signing/approving (e.g., legal representative/attorney).
  • Professional contact information: company email, certified email (if used in connection with the relationship); company landline/mobile phone number; office address, delivery/service contact details.
  • Administrative, accounting, and contractual data: data required for orders, quotes, contracts, and financial terms; billing and payment details (e.g., IBAN and customer bank details, if attributable to a natural person in the case of sole proprietorships/professionals or when payment is made with instruments registered to a natural person); documents and communications relating to orders, tickets, support, and interventions.
  • Data relating to the provision of services and assistance: technical and operational information useful for installation/configuration/support (e.g., contact names, availability, intervention outcomes, operational notes); any technical logs/recordings strictly necessary for managing the service (e.g., access logs to assistance portals or ticketing systems, intervention tracking, IP addresses/technical identifiers when essential and proportionate).
  • Communication data: content of emails, certified emails, messages, and telephone/operational communications with contact persons (to the extent necessary to manage the relationship).
  • Data for commercial and marketing purposes: professional contact information and preferences/feedback on promotional communications (e.g., event registration, information requests, unsubscriptions).

The data can be:

  • provided directly by the interested party (e.g. contact person who writes or signs);
  • communicated by the Client who designates his/her operational/administrative contacts and referents;
  • collected during the relationship (e.g. technical information generated by the management of services, tickets, interventions and related activities).

SECTION 4: PURPOSE OF THE PROCESSING AND LEGAL BASES
The Data Controller processes the data for the following purposes:
Pre-contractual and contractual management, such as Management of requests, contacts, estimates, site inspections, and technical assessments; drafting, executing, and managing contracts and business relationships.
Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures/contract).
Order management, supply of goods/services, support and maintenance such as order fulfillment, deliveries, activations, and installations; ticket management, interventions, technical assistance, and customer care; and management of operational and technical communications.
Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures/contract).
Administrative, accounting and tax obligations such as Document issuance, invoicing, collections/payments; mandatory compliance with civil and tax regulations.
Legal basis: Art. 6(1)(c) GDPR (legal obligation).
Credit protection and litigation management as reminders, management of outstanding debts, debt collection; management of complaints, disputes, litigation, legal defense.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest of the Data Controller in protecting credit and its rights) and Art. 6(1)(b) GDPR when related to the execution of the relationship.
Archiving and maintaining relationship documentation such as contracts, orders, correspondence, and documents related to the relationship.
Legal basis: art. 6(1)(c) and/or 6(1)(f) GDPR (obligations and legitimate organizational-administrative interest).
Commercial and promotional communications (direct marketing) such as sending promotional communications relating to the Data Controller’s services/solutions, events, and commercial news.
Legal basis: Art. 6(1)(a) GDPR (consent), where required.
In a B2B context, the use of “professional” contacts may also be regulated by national legislation and will in any case be managed with an opt -out and minimization logic, guaranteeing the possibility of opposition/unsubscription.
Providing the data required for contractual purposes and legal obligations is necessary.
Failure to provide this information may make it impossible to:

  • manage the request/quote;
  • correctly execute the contract and/or provide the requested services;
  • fulfill administrative and accounting obligations.

Providing data for marketing purposes is optional; failure to consent does not affect the contractual relationship.

SECTION 5: METHODS OF PROCESSING
Data processing is carried out using paper and digital tools, using methods strictly related to the purposes indicated above and in compliance with the principles of lawfulness, fairness, transparency, data minimization, and data storage limitation.
The Data Controller adopts appropriate technical and organizational measures to protect data from unauthorized access, loss, alteration, and improper disclosure.

SECTION 6: COMMUNICATION OF DATA
Without prejudice to communications made in compliance with legal and contractual obligations, all data collected and processed may be disclosed to employees and/or collaborators of the Company, appointed as authorized persons or data controllers, and communicated to other persons or general categories of persons other than the Data Controller, such as:

  • IT companies for the management, maintenance, and updating of the systems and software used by the Data Controller;
  • IT vendors and companies that manage/maintain systems, software, infrastructure, and digital services (e.g., hosting, cloud, ticketing, email, backup) when necessary;
  • Consultants, professionals, law firms, arbitrators, insurance companies, experts, brokers for judicial and extrajudicial activities, insurance in the event of claims and for organizational, administrative, financial and accounting management;
  • Banks and entities that support collections/payments and financial services connected to the relationship;
  • Public Safety Authorities and Judicial Authorities for the management of investigations by the Investigating Bodies in the event of accidents.

External parties who process data on behalf of the Data Controller are appointed, where required, as Data Processors pursuant to Art. 28 GDPR.

SECTION 7: TRANSFER OF DATA ABROAD
If, for technical/organizational reasons (e.g., cloud services or IT providers), data is transferred to countries outside the European Economic Area, the transfer will be carried out in compliance with Chapter V of the GDPR (Articles 44 et seq.), adopting adequate safeguards, such as:

  • European Commission adequacy decisions, where available;
  • Standard Contractual Clauses (SCCs) and supplementary measures, where necessary.

Further information on the guarantees adopted can be requested by contacting the Data Controller.

SECTION 8: DATA RETENTION PERIODS
The data is retained for the time strictly necessary for the purposes and, in any case, according to criteria consistent with obligations and protection of rights.
In particular:

  • For administrative, accounting, and tax purposes and for contractual documentation: 10 years pursuant to art. 2220 of the Italian Civil Code, without prejudice to any disputes or credit protection needs that may justify further retention for the time strictly necessary;
  • For marketing purposes: until objected to/withdrawn and in any case subject to periodic review; in any case, the data will be retained for a period no longer than 24 months from the last significant interaction (e.g., request, commercial contact, purchase/order, event participation), except where required by law or for legal defense purposes.

SECTION 9: EXISTENCE OF AUTOMATED DECISION-MAKING , INCLUDING PROFILING
The Data Controller does not use automated decision-making processes, including profiling, that produce legal effects or significantly affect the data subject in a similar way (Article 22 GDPR).

SECTION 10: RIGHTS OF DATA SUBJECTS
The interested party may at any time exercise the rights provided for by the GDPR listed below, which are recognized by the legislation on personal data protection, against Pentatech srl by sending a specific written request to the Company according to one of the methods indicated in SECTION 2.
You may revoke any consent you may have expressed in this Policy at any time using the same methods.
Right of access
You may obtain confirmation from Pentatech as to whether or not your Personal Data is being processed and, if so, access to your personal data and the information required by Art. 15 of the Law. This information includes, for example, the purposes pursued by the Data Controller, the categories of data involved, the recipients to whom the data may be disclosed, the applicable retention period, and the existence of any automated decision-making processes.
Right to rectification
You may obtain from Pentatech, without delay, the rectification of your Personal Data that is inaccurate, as well as, taking into account the purposes of the processing, the integration of the same, if incomplete, by providing a supplementary statement.
Right to erasure
You may request the Data Controller to delete your Personal Data if one of the reasons set forth in Article 17 of the Law applies, including, but not limited to: if the Personal Data is no longer necessary for the purposes for which it was collected or otherwise processed, or if the consent on which the processing of your Personal Data is based has been withdrawn by you and there is no other legal basis for the processing. It is understood that the withdrawal of consent will not affect the lawfulness of the processing carried out up to that point. We inform you that Pentatech will not be able to delete your Personal Data if its processing is necessary, for example, to comply with a legal obligation, for reasons of public interest, or for the establishment, exercise, or defense of legal claims.
Right to restriction of processing
You may obtain restriction of the processing of your Personal Data if one of the circumstances set forth in Article 18 of the Law applies, including, for example: if you dispute the accuracy of your Personal Data being processed or if your Personal Data is necessary for the establishment, exercise, or defense of legal claims.
Right to object
You may object at any time to the processing of your Personal Data if the processing is carried out for the performance of a task carried out in the public interest or for the pursuit of a legitimate interest of the Data Controller (including profiling), pursuant to Article 21 of the Law. Should you decide to exercise the right to object described herein, Pentatech will refrain from further processing your personal data, unless there are compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims.
Right to lodge a complaint with the Italian Data Protection Authority
Without prejudice to your right to appeal to any other administrative or judicial body, if you believe that the processing of your Personal Data by the Data Controller violates the Law and/or applicable regulations, you may lodge a complaint with the competent Data Protection Authority.