Pursuant to Articles 13 and 14 of EU Regulation 2016/679 (hereinafter referred to as the "Regulation"), also known as GDPR, Fabrick S.p.A. (hereinafter referred to as the "Controller") provides the following information regarding the characteristics of the processing it carries out.
The Data Controller of personal data is Fabrick S.p.A. headquartered in Biella (BI) - 13900, at Piazza Gaudenzio Sella, No. 1.
The Data Protection Officer (hereinafter "DPO" or "DPO - Data Protection Officer") can be contacted at the following addresses:
The processing concerns the personal data of the user of payment services (hereinafter, the "Data Subject") and is carried out within the framework of the service enabling authorization, processing, and settlement of payments, through any payment instrument, between the merchant where an online purchase is made (hereinafter, the "Merchant") and the Data Subject making the purchase, allowing the Merchant to accept and collect electronic payments (hereinafter, the "Service").
In particular, the Controller processes personal data belonging to the following categories:
The aforementioned data are provided personally by the Data Subject by completing specific forms, presented by the Controller or the Merchant, for the purpose of entering payment transaction data; where the forms are presented by the Merchant, the data are subsequently communicated to the Controller by the Merchant.
The processing of personal data is carried out, by the Controller and/or by third parties on behalf of the same, exclusively in the presence of one of the following legal bases and is limited to pursuing the related purposes:
With reference to the purposes indicated above, the provision of data is mandatory and the consent to processing by Data Subjects is not required; failure to provide one or more data will make it impossible to execute the Service.
Personal data may be known by the staff of the Controller authorized to process them in the course of their work duties or by subjects acting as data processors - specifically appointed pursuant to Article 28 of the Regulation - or independent data controllers. The various categories of recipients involved are as follows:
For technical support activities aimed at investigating and resolving abnormal situations, and testing applications, the Controller may allow access to the data, in a tracked manner, to the Sella Group company based in India. Personal data are not stored at the foreign company but are remotely accessed while remaining within the Company's information system. The transfer takes place on the basis of standard contractual clauses approved by the European Commission.
Furthermore, if the Merchant has joined the fraud prevention service, some data will be transferred outside the European Economic Area and, specifically, to Israel, to the company Riskified Ltd., for the purpose of analyzing the level of fraud risk. The transfer is permitted because the European Commission has recognized Israel as a third country that ensures an adequate level of protection for personal data.
Personal data are processed and stored for the period necessary to achieve the purpose of providing the Service, without prejudice to the retention periods provided by law and for the Controller's or third parties' own defensive purposes, until the expiry of the applicable statutory limitation period. In particular, in compliance with the provisions of the Bank of Italy for the retention and availability of documents, data, and information for the fight against money laundering and terrorism financing, where applicable, data relating to the execution of the Service (identification and contact data and data relating to payment transactions) are retained for ten years from the closure of the relationship with the Merchant. At the end of the retention period, personal data relating to Data Subjects will be stored in a form that does not allow their identification (for example: irreversible anonymization), unless their processing is necessary for one or more of the following purposes:
Data Subjects have the right to exercise specific rights regarding data protection, as listed below:
To exercise these rights and for any information regarding the processing of personal data, a request can be sent to the following addresses:
The Controller provides information on the action taken on the request without undue delay and no later than one month after receiving it.
If the exercise of the aforementioned rights could result in actual and concrete prejudice to the interests protected under anti-money laundering and counter-terrorism provisions, pursuant to Article 2-undecies of the Privacy Code, the scope of these rights and certain related obligations of the Controller may be limited. In such circumstances, the exercise of the same rights may be delayed, restricted, or excluded, to the extent and within the limits necessary and proportionate. If the conditions are met, you will receive a reasoned communication without delay.