With this information on the processing of personal data (hereinafter, the “Policy”), BMG Barberino S.r.l. (hereinafter, the “Company” or the “Data Controller”), in its capacity as data controller, wishes to inform its counterparties who rent one or more commercial spaces owned by the Company (hereinafter, the “Tenants”), about the methods and purposes of processing their personal data, in accordance with the European Regulation on the protection of personal data no. 679/2016 (hereinafter, “European Regulation”) and Legislative Decree no. 196/2003, as subsequently amended and supplemented by Legislative Decree 101/2018 (hereinafter, “Privacy Code”).
WHO ARE THE DATA CONTROLLER AND DATA PROCESSOR?
BMG Barberino S.r.l. with registered office in via A. Manzoni 38 – 20121 Milan (MI), VAT no. 05176070489, which can be contacted at the following e-mail address privacy@barberinooutlet.com, is, as the lessor of its commercial spaces, the data controller of the personal data of the Tenants, which takes place in the manner and for the purposes indicated in this Policy. The Data Controller has appointed a Data Protection Officer (“DPO”), who can be contacted at the e-mail address dpo@barberinooutlet.com.
The Data Controller has also appointed Promos S.r.l. – Tax Code/VAT number: 03123920179 – with registered office in Via San Zeno, 173 – 25124 Brescia (BS), which can be contacted at the e-mail address privacy@promosgroup.it, as the Data Processor, as the person responsible for the commercial management of the Outlet, as well as for relations with customers of the same. The Data Processor has also appointed a DPO, who can be reached at the e-mail address dpo@promosgroup.it or by writing to his office, as indicated above.
• TO WHOM DOES THE NOTICE APPLY?
This Policy applies to the Controller’s processing of personal data of: at. Tenants, if they are individuals or sole proprietorships; and b. legal representatives, partners, directors, attorneys, employees, collaborators and/or other subjects who act, in any capacity, in the name and on behalf of the Tenants (hereinafter jointly referred to as the “Data Subjects”).
• WHAT PERSONAL DATA IS PROCESSED?
The Data Controller collects the following types of personal data relating to the Tenants and/or the Data Subject (hereinafter jointly the “Data”) at the time of negotiations and signing of the lease agreement and subsequently in execution thereof:
a. Identifying and contact details of the Tenant, such as the company name, headquarters, address, any secondary offices, VAT number, and tax code of the Tenant, in case this is a natural person or a sole proprietorship;
b. Identifying and contact data of the Interested Parties, such as name, surname, role held, email address, and phone number;
c. Bank and payment details, including the SDI code for electronic invoicing and the IBAN; d. Information on the profession or work activity carried out, including the profession and role held in the company/entity to which the Data Subject belongs; and additional personal data relating to the Data Subject that may be collected by the Data Controller during the negotiation phase and/or conclusion and/or execution and/or termination of the lease agreement with the Data Controller.
In particular, the Data are collected:
• directly by the Data Subject, where the Lessee is a natural person;
• by the organization or entity to which the Data Subject belongs as a partner, employee or person in charge of the Lessee;
• from publicly accessible lists, registers and other sources (for example, in the event that the Data Controller collects the Data present on the Lessee’s Chamber of Commerce certificate); and/or • from databases of subjects that offer information on the commercial reliability of companies and entrepreneurs.
In the event that, for the execution of the contract, the Lessee provides the Data Controller with Data relating to other Data Subjects, the Lessee is required to inform said Data Subjects of the processing of their Data by the Company, providing them with a copy of this Policy. In any case, it is recommended not to provide Data that is not strictly necessary for the pursuit of the purposes referred to in this Policy and, in any case, within the limits of what is requested by the Data Controller.
• FOR WHAT PURPOSES ARE THE DATA PROCESSED?
The Data Controller processes the Data of the Data Subjects for:
a. to carry out negotiations and execute the lease agreement to which the Lessee is a party (hereinafter, the “Contractual Purposes”);
b. to comply with the obligations deriving from the applicable legislation, in particular in tax, tax and anti-money laundering matters, including the execution of mandatory communications to the competent administrations and authorities and supervisory bodies, as well as to comply with requests from the same (hereinafter, the “Legal Purposes”);
• verify the security and commercial and financial reliability of its contractual counterparts, including the Tenants, prevent fraud, ensure the soundness of management and the correct execution of commercial relations between the Owner and its Tenants;
• assert and defend its rights, including in the context of debt collection proceedings, against the Tenant or third parties in any dispute; and
• carry out activities functional to the sale of companies and business units, acquisitions, mergers, demergers or other transformations and for the execution of such transactions (the purposes referred to in letters c) to e) are jointly defined as the “Purposes of Legitimate Interest”).
• ON WHAT LEGAL BASIS IS THE DATA PROCESSED?
The processing of Data is necessary with reference to the Contractual Purposes and the Legal Purposes, in order to (i) negotiate, stipulate, execute and/or terminate the rental contract with the Tenant; and (ii) comply with applicable regulations, pursuant to Article 6, letters b) and c) of the European Regulation. Failure to provide Data for these purposes will make it impossible for the Data Controller to enter into the commercial lease agreement with the Tenant.
The processing of Data for the Purposes of Legitimate Interest is carried out pursuant to Article 6, letter f) of the European Regulation for the pursuit of the legitimate interest of the Data Controller, which is fairly balanced with the rights and freedoms of the Data Subjects, as the Data processing activity is limited to what is strictly necessary for the execution of the economic operations and other activities indicated above. Processing for the Purposes of Legitimate Interest is not mandatory and the Data Subject may object to such processing in the manner indicated in paragraph 10 of this Policy, but if the Data Subject objects to such processing, his/her Data may not be used for the Purposes of Legitimate Interest, unless the Company demonstrates the presence of overriding compelling legitimate reasons or the exercise or defence of a right pursuant to Article 21 of the European Regulation.
• HOW IS THE DATA PROCESSED?
The Data is processed both with the aid of IT or automated tools, and on paper, adopting suitable security measures to guarantee the protection and confidentiality of the Data. In particular, the Data Controller adopts appropriate organizational and technical measures to protect the Data in its possession against loss, theft, as well as unauthorized use, disclosure or modification of the Data.
• TO WHOM IS THE DATA COMMUNICATED?
For the purposes referred to in paragraph 4, the following categories of subjects may have access to the Data: a. personnel of the Data Controller or of the subjects indicated below, as persons in charge of processing, within the scope of their respective duties;
b. suppliers of instrumental or support services to those carried out by the Account Holder, including legal, administrative and tax advisors, banking institutions for the management of payments deriving from the execution of the rental contract with the Tenant, suppliers of technological services;
c. subcontractors and/or subcontractors engaged in activities related to the execution of the lease agreement in place between the Owner and the Lessee;
d. public bodies and/or judicial and/or control authorities whose right of access to the Data is provided for by applicable legislation; and e. other transferees of a company or business unit, companies resulting from possible mergers, demergers or other transformations of the Data Controller. These subjects act, as the case may be, as independent data controllers or data processors. The complete and updated list of subjects who process the Data as data processors is available upon request to the Data Controller, by sending a communication to the addresses indicated below in paragraph 10. In any case, the Data will not be disseminated.
8. IS THE DATA TRANSFERRED ABROAD?
The Data is not transferred to countries located outside the European Economic Area. In the event that it becomes necessary to transfer the Data outside the European Economic Area to a third country or an international organization that does not guarantee an adequate level of protection as provided for by the European Commission, the Company will adopt an appropriate mechanism for the transfer and the guarantees required for the purposes of the transfer itself, pursuant to articles 44 et seq. of the European Regulation.
• HOW LONG IS THE DATA STORED?
The Data are stored by the Data Controller for the period of time strictly necessary to pursue the purposes for which such Data were collected. In particular, with reference to:
a. Contractual Purposes, the Data are stored for a period equal to the duration of the lease agreement (including any renewals) with the Lessee and for 10 years following the termination, termination or withdrawal of the same, except in cases where retention for a subsequent period is required for any disputes, requests from the competent authorities or pursuant to applicable legislation;
b. Legal Purposes, the Data are stored for the duration prescribed for each type of Data by law;
c. Purposes of Legitimate Interest, the Data are stored for a period equal to the duration of the lease agreement (including any renewals) with the Renter and for the following 10 years, in the event thatthe Data are necessary to protect and enforce the rights of the Data Controller against the Renter, the Data Subject and/or third parties in the event of any legal disputes.
In the event that the processing is aimed at carrying out activities functional to the sale of business and business units, acquisitions, mergers, demergers or other transformations, the retention terms listed above will apply with respect to the main processing that takes place. At the end of the retention period, the Data will be deleted or anonymized.
WHAT ARE THE RIGHTS OF THE DATA SUBJECTS?
Without prejudice to the Data Subject’s right not to provide his/her Data, the Data Subject, at any time and free of charge, may:
a. obtain confirmation of the existence or otherwise of Data concerning him/her;
b. to know the origin of the Data, the purposes of the processing and its methods, as well as the logic applied to the processing carried out by electronic means;
c. request the updating, correction or – if interested – the integration of the Data concerning him/her;
d. obtain the cancellation, transformation into anonymous form or blocking of any Data processed in violation of the law, as well as to object, for legitimate reasons, to the processing;
e. withdraw one’s consent, where previously given;
f. ask the Data Controller to limit the processing of Data concerning him/her in the event that (i) the Data Subject contests the accuracy of the Data, for the period necessary for the Data Controller to verify the accuracy of such Data; (ii) the processing is unlawful and the Data Subject opposes the erasure of the Data and instead requests that its use be limited; (iii) although the Data Controller no longer needs them for the purposes of processing, the Data are necessary for the Data Subject to ascertain, exercise or defend a right in or out of court; (iv) the Data Subject has objected to the processing pursuant to Article 21, paragraph 1, of the European Regulation pending verification of whether the legitimate reasons of the Data Controller prevail over those of the Data Subject;
g. object at any time to the processing of your Data for Purposes of Legitimate Interest; and h. obtain the portability of the Data concerning him/her. The Data Subject will also have the right to lodge a complaint with the Data Protection Authority at the contacts available on the www.garanteprivacy.it website, where the conditions are met.
In the event of the death of the Data Subject, pursuant to Article 2-terdecies of the Privacy Code, the aforementioned rights relating to his/her Data may be exercised by those who have an interest of their own, or act to protect the Data Subject in their capacity as his/her representative, or for family reasons worthy of protection.
The Data Subject may expressly prohibit the exercise of some of the rights listed above by his successors in title by sending a written declaration to the Data Controller in the manner indicated below.
This declaration may be revoked or amended later in the same manner. In the event of doubts or concerns regarding this Policy or in the event of exercising the rights provided for therein, the Data Subject may contact the Company by writing to the e-mail address privacy@barberinooutlet.com.
CHANGES AND UPDATES TO THE POLICY
This Policy is effective as of the effective date set forth below. However, the Data Controller may make changes and/or additions to this Policy, also as a consequence of any subsequent amendments and/or additions to the regulations.
In any case, changes will be notified in advance and the Tenant and Data Subjects will be able to view the text of the Policy constantly updated on the website https://www.barberinooutlet.com/en/privacy-information/
19/07/2024