INFORMATION ON THE PROCESSING OF PERSONAL DATA – E-MAIL MARKETING
Pursuant to art. 13 and 14 of EU Reg. 2016/679 (GDPR), Aetna Group S.p.A., as Data Controller, is informed you that the personal data referred to identified or identifiable natural persons, collected under the contractual relation with the Data Controller, will be processed in full compliance with the existing national and European legislation on the protection of personal data exclusively for the purposes functional and instrumental to fulfil legal or contractual obligations.
Purposes and legal basis: processing purposes and legal basis are:
(i) the performance of the contract with Aetna Group S.p.A. or of the steps prior to entering into the contract, pursuant to art. 6, lett. b), GDPR;
(ii) the compliance to legal obligations to which the controller is subject, pursuant to art. 6, lett. c), GDPR;
(iii) the defense of the rights of the Data Controller in judicial and extrajudicial proceedings, pursuant to art. 6, lett. f), GDPR (prevalent legitimate interest of the Data Controller);
(iv) marketing communications using the e-mail addresses provided for the purposes referred to in point (i), to promote products and services of the Group similar to those already purchased or subject to previous requests, pursuant to art. 6, lett. f), GDPR and art. 130, co. 4, of Legislative Decree 196/2003 (so-called "soft-spam"; legitimate interest of the Data Controller and legitimate expectation of the data subject), or pursuant to art. 6, lett. a), GDPR, when the data subject has given consent to such processing of data.
Soft-spam and legitimate interest: the commercial communications (point (iv) above) do not require the prior consent of the recipients, according to art. 6, lett. f), GDPR and art. 130, co. 4, of Legislative Decree 130/2003: data subjects are informed of the processing through this information and they are always granted the right to object, in a simple and free way, to such processing. Each communication sent by the Data Controller contains a reference to this information and instructions on how to request the interruption of the processing (by opt-out), contacting the Data Controller or directly selecting the specific link made available at the bottom of each communication.
The processing for marketing purposes is carried out within the limits of what is reasonably foreseeable, following purchases or signs of interest in our products and services, by the Group and in compliance with the compliance with the balancing test of our interest with respect to the protection and guarantees recognized to the interests and rights of the data subject.
Data provision: the provision of data requested by the Data Controller for the purposes indicated above is mandatory as it is essential for the execution of the contractual relationship. For marketing purposes based on legitimate interest, it is always possible to exercise the right to object and immediately stop further processing. For marketing purposes based on the consent of the data subjects, the provision of data and consent is always optional and always revocable
Processing methods: the data will be processed both in paper and computerized form, even partially automated, by insertion in Data Controller computer systems and databases. The data will be accessed only by subjects expressly authorized and specially trained by Data Controller, always within the limits of their respective competences and of what is necessary for the correct performance of the tasks entrusted to them.
Data processing takes place within the territory of the European Union, even in the case of intragroup data transfer. If the Data Controller has to carry out data processing on non-European territory, this will always take place in compliance with the provisions of articles 45 and following of the GDPR. All the necessary precautions will therefore be taken in order to guarantee complete protection of personal data by basing this transfer, depending on each case: a) on adequacy decisions of the recipient third countries expressed by the European Commission; b) on adequate guarantees expressed by the third party recipient pursuant to art. 46 GDPR; c) on the adoption of binding corporate rules, so-called Corporate binding rules.
Data Recipients: the data may be shared with the consultants and service providers of Data Controller, designated as data processors; the related list, with reference to the treatments that concern them, can be requested to Data Controller.
The data may also be communicated and shared with companies belonging to the same corporate group as the Data Controller, according to Cons. 48 GDPR and to art. 6, lett. f) GDPR, for the purposes indicated in points 1 and 2 above: to obtain the complete list of these companies, please contact Data Controller using the contact details indicated in point 8. of this Notice.
The data may also be communicated to subjects expressly authorized for this purpose by legal provisions (e.g. Competent authorities or control bodies)
Retention period: the data will be kept for the period of time necessary to achieve the purposes related to the execution of the contract and for legal obligations, in particular tax and fiscal, and for any defense, even in court, of Data Controller’s rights.
Data subject rights: as data subjects, the identified or identifiable natural persons to whom the processed data refer may request access to the data concerning him or her which are being processed, as well as their correction and erasure, if such erasure does not conflict with contractual obligations or of law concerning the retention of the data to which the Data Controller is required; have the right to request data portability in a readable format with the most common applications; have the right to lodge a complaint with the competent Supervisory Authority (in Italy, Garante per la protezione dei dati personali) in the event of unlawful processing or in case of delay or impediment by the Data Controller to exercise the rights. Furthermore, they may at any time oppose the processing and revoke the consent to the processing for marketing purposes, without prejudice to the lawfulness of the processing carried out before such revocation. Finally, they are always entitled to oppose the processing of data concerning them (right to object), even in the case of soft-spam, without prejudice to the overriding legitimate interest of the Data Controller.
Contact points: We remind you that at any time you may request more information about the data processed, the exercise of rights, as well as require an updated list of the subjects who are processing data, by contacting the Data Controller at the following contact points: