Privacy Policy

The Data Controller is: Kepa Srl , Via Angelo Maj 10 Bergamo 24121 BG , info@kepa.it

The processing consists, for example, of collection, recording, organisation, conservation, extraction, consultation, use, communication and deletion of personal data. It is carried out, for the aforementioned purposes, according to the principles (ex art. 5 of GDPR n. 2016/679) of lawfulness, correctness, transparency, data minimization and accuracy. The data is processed by telephone, paper, computer and telematic methods. The processing takes place using suitable tools, technical and organizational measures adequate to guarantee security, integrity and confidentiality, avoiding in particular the risk of loss, unauthorized access, illicit use, diffusion, in compliance with the provisions of the art. 32 of the GDPR n. 2016/679, by the subjects and in compliance with the provisions of the art. 29 of the GDPR n. 2016/679 and art. 2- quaterdecies of the Privacy Code.

The provision of data for mandatory purposes does not require explicit consent. Without this data, we will not be able to provide our services. The provision of data for other purposes is optional and requires your explicit consent. In case of lack of consent, you will not be able to receive e newsletters, information material or commercial communications regarding the services offered by the Owner or by third-party companies. However, you will still have access to our services.
We process your personal information only when there is a legal basis for such processing. The legal bases include:

• Your consent to the processing activities in question;
• The legal obligations that we are required to satisfy;
• The execution of rules dictated by laws or regulations, or by contracts, agreements or other legal instruments;
• Studies conducted by research institutions, preferably on anonymized personal information;
• The execution of a contract and related pre-contractual obligations, if you are a party to such contract;
• The exercise of our rights in court, administrative proceedings or arbitration;
• The defense or protection of your or a third party’s physical safety;
• Health protection, in the context of procedures implemented by entities or professionals in the healthcare sector;
• Our legitimate interests, provided that your fundamental rights and freedoms do not override those interests;
• Credit protection.

Your data may be made accessible for the purposes set out below:

• to the employees and collaborators of the Data Controller in their capacity as data processors and/or system administrators;
• to third-party companies or other subjects (for example: professional firms, consultants, software houses that provide management software, credit institutions, insurance companies, etc.) who carry out outsourced activities on behalf of the Data Controller, in their capacity as external data controllers .

Among the Personal Data collected by this Website, independently or through third parties, there are: Tracking Tools; Usage D ata; first name; e-mail; website;unique device identifiers for advertising (Google Advertiser ID or IDFA identifier, for example); number of Users; city; device information; session statistics; browserinformation; answers to questions; click; keypress events; motion sensor events; mouse movements; position relative to scrolling; touch events.

The Data Controller may communicate your data to the Public Administration, Supervisory Bodies and/or Judicial Authorities, as well as to all other subjects to whom communication is mandatory or necessary by law. Your information will not be disseminated.

All personal data provided will be processed in compliance with the principles of lawfulness, correctness, relevance and proportionality, exclusively with the necessary methods, including IT and telematics, to pursue the purposes described above. Personal data will be retained for a period of 6 years following the last contact with the interested party or until the interested party requests cancellation. In this case, the data related to the legitimate interest of the owner or necessary for the fulfillment of legal obligations may still be retained. It should be noted that the information systems used for the management of the information collected are configured, from the outset, so as to minimize the use of personal data.

In your capacity as an interested party, you have the rights referred to in the art. 15 ss and art. 77 of the GDPR, and precisely the rights of:

• Obtain confirmation from the data controller as to whether or not personal data concerning him or her are being processed and, in this case, to obtain access to the personal data and the following information: the purposes of the processing; the categories of personal data in question; the recipients or categories of recipients to whom the personal data have been or will be communicated, in particular if recipients are from third countries or international organisations; when possible, the expected retention period of personal data or, if this is not possible, the criteria used to determine this period; if the data are not collected from the interested party, all available information on their origin; the existence of an automated decision-making process, including profiling, and, at least in such cases, significant information on the logic used, as well as the importance and expected consequences of such processing for the interested party.
• Obtain from the data controller the rectification of inaccurate personal data concerning him without unjustified delay. Taking into account the purposes of the processing, the interested party has the right to obtain the integration of incomplete personal data, including by providing a supplementary declaration.
• Obtain from the data controller information relating to personal data concerning him without unjustified delay, if one of the following reasons exists: the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; the i nterested party withdraws the consent on which the processing is based in accordance with Article 6, paragraph 1, letter a), or Article 9, paragraph 2, letter a), and if there is no other legal basis for the processing; the interested party objects to the processing pursuant to Article 21, paragraph 1, and there is no overriding legitimate reason to proceed with the processing, or objects to the processing pursuant to Article 21, paragraph 2; the personal data have been processed unlawfully; the personal data must be erased for compliance with a legal obligation under Union or Member State law to which the controller is subject.
• Obtain from the data controller the limitation of processing when one of the following hypotheses occurs: the interested part y contests the accuracy of the personal data, for the period necessary for the data controller to verify the accuracy of such personal data; the processing is unlawful and the interested party opposes the deletion of the personal data and requests instead that their use be limited; although the data controller no lo nger needs them for the purposes of the processing, the personal data are necessary for the interested party to ascertain, exercise or defend a right in court ; the interested party has objected to the processing pursuant to Article 21, paragraph 1, pending verification of the possible prevalence of the legitimate reasons of the data controller with respect to those of the interested party.
• Receive the personal data concerning him/her provided to a data controller in a structured, commonly used and machine -readable format and transmit such data to another data controller without impediments by the data controller to whom he/she provided them if the processing is carried out by digital means. In exercising their rights regarding data portability, the interested party has the right to obtain the direct transmission of personal data from one data controller to another, if technically feasible.
• Object at any time, for reasons related to your particular situation, to the processing of personal data concerning you pursuant to Article 6, paragraph 1, letters e) or f), including profiling on the basis of these provisions. If personal data are processed for direct marketing purposes, the interested party has the right to object at any time to the processing of personal data concerning him or her carried out for such purposes, including profiling to the extent that it is connected to such marketing.
• Right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
• Right to lodge a complaint with a supervisory authority pursuant to art. 77.

You may exercise your rights at any time by contacting the Owner at the following email address: info@kepa.it

The updated list of external managers and data processors is kept at the registered office of the Data Controller

This information was drawn up on 22-02-2024 and may undergo changes over time also depending on legislative and regulatory additions or changes in the matter. The interested party is invited to consult this page often.