Back to Home

Privacy Policy

PRIVACY

pursuant to art. 13 and 14 EU Reg. 2016/679

Protection of individuals with regard to the processing of personal data KALPA S.r.l. (VAT number: 07690990960), with registered office in Via Carducci, n. 39 - 20099 Sesto San Giovanni (MI), in its capacity as Data Controller, pursuant to articles 13 and 14 of EU Regulation no. 2016/679 (hereinafter "GDPR") wishes, with this policy, to provide you with information about the processing of personal data concerning you. CONTACT DETAILS OF THE DATA CONTROLLER The Data Controller (hereinafter referred to as the "Data Controller") is Kalpa S.r.l. (VAT 07690990960), in the person of its pro-tempore legal representative, to whom you can contact to exercise the rights of the interested party at the following addresses: Tel. 02 8718 7579, E-mail info@kalpa.it, PEC kalpa.mail@pec.it. The subject designated by Kalpa S.r.l. pursuant to Article 2 quaterdecies of Legislative Decree No. 196/2003, as amended by Legislative Decree No. 101/2018 (hereinafter referred to as the "Designated Party") is Flavio Barna and can be contacted at the e-mail address info@kalpa.it In particular, you may contact the Data Controller, for all requests or information regarding the processing of your personal data, the exercise of your rights pursuant to articles 15 (Right of Access), 16 (Right to Rectification), 17 (Right to Erasure), 18 (Right to Restriction of Processing), 20 (Right to Data Portability), 21 (Right to object) and 22 (Automated decision-making relating to natural persons, including profiling) of the GDPR. 1 Definitions Agreement: "as a service" license agreement, granted by the Owner to the Licensee to use the Riseberg Platform in SaaS mode, of which this Privacy Policy is an integral and substantial part. Riseberg Platform: The integrated set of systems, modules and applications developed by the Licensor, aimed at the connectivity, monitoring and management of IoT devices. The platform includes software components based on Apache 2.0 or MIT licenses, programming interfaces (APIs), control dashboards, and data analysis tools. Device (or IoT Device): The physical equipment connected to the platform, equipped with sensors and communication modules, aimed at collecting and transmitting data (e.g. machinery, distributors, air conditioning systems, etc.). Each device can be monitored, managed and, if necessary, updated through the platform. 2 Object of the processing: The subject of the processing are: • personal identification data, contact data and tax data (e.g. name, surname, company name, address, telephone, e-mail, PEC, VAT, C.F., bank and payment details); • personal identification data and contract data of your customers / suppliers / employees / collaborators / users / partners who connect via your devices to our "Riseberg" Platform by virtue of the Contract. • data "communicated" by the Devices and applications (web and mobile) connected to our "Riseberg" Platform.

Such data may be collected and processed by us because they have been provided to us by you directly (art. 13 GDPR) or through persons appointed by you/authorized by you (art. 14 GDPR). 3 Purposes of processing and legal bases Pursuant to art. 6 of EU Reg. 2016/679, the data you provide to us directly (art. 13 GDPR) or indirectly (art. 14 GDPR), will be processed: • to perform the Contract; • to fulfil pre-contractual, contractual, accounting and tax obligations arising from the contractual relationship; • to comply with the obligations provided for by law, by a regulation, by EU legislation or by an order of the Authority; • exercising the rights of the Data Controller (e.g. the right of defence in court). In addition, subject to consent, contact data may also be processed for marketing purposes, such as: commercial communications, newsletters and/or advertising material on our products/services and/or to detect the degree of satisfaction with the quality of products/services and/or future events or news of an informative nature. Finally, the data may be subject to any anonymous processing for the performance of statistical activities aimed at carrying out institutional activities and/or improving our products/services. Pursuant to art. 13 par. 3 and art. 14, par. 4 of EU Regulation 679/2016, if the Data Controller intends to further process personal data for a purpose other than that for which they were collected, before such further processing shall provide the data subject with information on this different purpose and any further relevant information. 4 Methods of data processing Data collection is limited to the minimum necessary for each specific purpose of the processing. Data processing is limited to the purposes for which they were collected and their storage is limited to the minimum necessary for each specific processing purpose. Personal data processing operations may be carried out with the support of paper, computer or telematic means (including portable devices). The data processing is carried out by the Data Controller through the Person in Charge and/or the Data Controller's duly trained and authorised personnel. The data will not be subject to any automated decision-making, i.e. aimed at making decisions based solely on technological means based on predetermined criteria (i.e. without human involvement). No personal data is provided to commercial third parties and no sales or transfer of personal data are made. Periodic checks are provided on the data processed and on the possibility of being able to delete them if they are no longer necessary for the intended purposes. 5 Provision of data The provision of data is an indispensable condition for the fulfilment of the obligations assumed on the basis of the existing contractual relationship, as well as legal obligations, rules and regulations. Consent is not mandatory for all other purposes and, even if given, can be revoked at any time by the data subject. 6 Refusal to provide data Any refusal or omission by the data subject to provide data, in whole or in part, where it is indispensable for the fulfilment of the obligations assumed with the contract, will make it impossible to continue the existing contractual relationship. 7 Communication of data The data collected may be communicated to the competent authorities, upon their legitimate request. The data collected may also be communicated to the following subjects: a) collaborators and employees of the Data Controller who have been previously instructed and authorised; b) auxiliaries or external consultants, such as but not limited to: legal consultants, accountants, labor consultants; freelancers, for the purposes of advocacy or consultancy; insurance companies, social security funds, public administrations; third parties who collaborate with us for the purpose of providing the requested product/service; subjects who deal with our communication campaigns. They will be appointed by us as data processors pursuant to art. 28 of the GDPR, whenever their services are necessary for the performance of the professional assignment. Our Company undertakes to request the guarantee of maximum confidentiality from the aforementioned third parties and to ensure that the data are processed exclusively for the purposes mentioned above. 8 Disclosure of personal data The data collected will not be passed on by us to third parties or disseminated. This is without prejudice to the communication or dissemination of data, in accordance with the law, if requested by the police, judicial authorities, or other public bodies, for the purposes of defence or security of the State or the prevention, detection or suppression of crimes. 9 Transfer of personal data abroad The processed data will not be transferred outside the European Economic Area and will be stored on servers located within the European Union. In any case, it is understood that the Data Controller, if necessary, will have the right to use servers also located outside the EU. In this case, it is now ensured that the transfer of data outside the EU will take place in accordance with the applicable legal provisions, subject to the stipulation of the standard contractual clauses provided for by the European Commission. 10 Retention of personal data All data provided will be stored at our registered office in the epigraph indicated in compliance with all current regulations. Always in compliance with all security regulations and requirements, the data provided may also be stored by us in "clouds" mode. In order to ensure correct and transparent processing, the data are stored for a period of time not exceeding that necessary for the purposes for which they were collected or subsequently processed in accordance with the provisions of legal obligations. In this regard, it should be noted that the data provided will be stored for the duration of the contract and, subsequently, for a maximum of ten years from the completion of the service in accordance with legal obligations for tax or other purposes. The data provided/used for marketing purposes will be stored for a maximum of 24 months from collection, while those for profiling purposes will be kept for a maximum of 12 months from collection. 11 Consent to data processing Pursuant to art. 7 of the GDPR, by signing at the bottom of this form, consent is expressed to the processing of data also for marketing / profiling purposes indicated in point 3.2. Consent to the processing of data for this specific purpose is merely optional and has no repercussions for the existing contractual relationship. 12 Rights of Data Subjects

We inform you that, pursuant to articles 15, 16, 17, 18, 20 and 21 of the GDPR, you have the right to: a) obtain from the data controller confirmation as to whether or not personal data concerning you is being processed and to obtain access to your data and a copy of them (so-called "data processing"). right of access); b) obtain from the data controller the rectification of inaccurate personal data concerning you or their integration (so-called "Summary Analysis"). right to rectification); c) obtain from the data controller the erasure of your personal data if they are no longer necessary in relation to the purposes for which they were collected or processed or if you withdraw your consent on which the processing is based. In some cases, your request for the deletion of personal data will not be accepted, for example if the processing of your personal data is necessary for the fulfilment of a legal obligation provided for by the European Union or Italian law or risks making it impossible or seriously jeopardising the achievement of the purposes of the processing (so-called "Processing Rights"). right to be forgotten); d) obtain from the data controller the limitation of your personal data if: (i) you contest the accuracy of the same, (ii) you believe that the processing is unlawful, (iii) the personal data are necessary for you to ascertain, exercise or defend a right in court, (iv) You have objected to the processing pursuant to art. 21, paragraph 1 of the GDPR and the assessment of the balance between your interests involved and those of the data controllers (so-called "S.p.A.") is pending. right to restriction); e) object to the processing of your personal data for reasons related to your particular situation in the event that the processing is based on the legitimate interest of the data controller, unless the latter demonstrate the existence of compelling legitimate reasons for proceeding with the processing that prevail over your interests, rights and freedoms or for the establishment, exercise or defence of a right in court (so-called "Intellectual Property Rights").right to object); f) receive in a structured, commonly used and machine-readable format the personal data concerning you that you have provided to the data controller, as well as the right to transmit such data to another data controller without hindrance from the data controller to whom you initially provided them (so-called "data controller"). data portability); g) lodge a complaint with the Guarantor for the protection of personal data, following the procedures and indications published on the official website of the Authority on www.garanteprivacy.it. The Data Controller undertakes to provide feedback within 30 days from the date of receipt of the request and, if unable to comply with these times, to justify any extension. The feedback will be free of charge except in cases of unfounded (e.g. there are no data concerning the applicant concerned) or excessive requests (e.g. repetitive over time) for which a fee may be charged not exceeding the costs actually incurred for the research carried out in the specific case.