INTRODUCTION

This General Privacy Policy for Customers refers exclusively to the processing of personal data managed by Legur Srl, as Data Controller, for the purpose of executing contracts with customers and providing related support and training services, as well as for business development and marketing purposes.

With reference to any processing of personal data carried out by Legur Srl on behalf of the customer acting as Data Controller, in its role as Data Processor, in the management of software applications supplied to customers or storage and/or cloud services, please refer to the agreements between the Data Controller and the Data Processor signed by the parties.

GENERAL CUSTOMER PRIVACY NOTICE PURSUANT TO ARTICLES 13 AND 14 OF REGULATION (EU) 2016/679 (“GDPR”)

1. Data Controller and Data Processors
The Data Controller is Legur S.R.L., with registered office in Via Orzinuovi 73, 25125 Brescia, Italy, Tax Code and VAT No. 04034610982. Legur Srl has appointed a Data Protection Officer (DPO) who can be contacted for any request at the following email address: dpo@legur.it.
The updated list of Data Processors is kept at the registered office of the Data Controller.

2. Subject of Processing – Categories of Personal Data Processed
The Data Controller processes personal data of your staff members, consisting of common identification and business contact data (such as name, surname, address, phone number, email), communicated by you during the negotiation and/or conclusion of contracts as Customers for the Controller’s services or during the contractual relationship. The Customer receiving this notice undertakes to provide it to its staff members whose data are processed by the Data Controller.

The Data Controller may also process personal data of your staff members, consisting of common identification and business contact data, acquired from third-party Data Controllers (e.g., trade fair organizations) who have obtained lawful consent for transfer for commercial contact purposes.

3. Purposes and Legal Bases of Processing

3.1 Contractual and Pre-contractual Purposes
Legal bases:

• 3.1.1 processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures taken at the data subject’s request
• 3.1.2 processing is necessary for compliance with legal obligations provided by law, regulations, EU legislation, or orders from Authorities
• 3.1.3 processing is necessary to pursue the legitimate interest of the Controller in legal defense

3.2 Business Development and Marketing Purposes: to send you (by email) commercial or marketing communications relating to the Controller’s products or services.
Legal bases:

• 3.2.1 based on the Controller’s legitimate interest (so-called “soft spam”) if you have already purchased our products or used our services, limited to similar products/services, unless you object
• 3.2.2 based on your explicit and specific consent given to us or to third parties from whom the data were acquired

4. Processing Methods and Data Retention
Your personal data may be processed through the operations indicated in Art. 4(2) GDPR: collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, erasure, and destruction. Data may be processed in both paper and electronic form.

The Controller will process personal data for the time necessary to fulfill contractual purposes and in any case no longer than 10 years after termination of the contractual relationship. For marketing purposes, data will be processed only as long as necessary or as required by law. Upon withdrawal of consent or request to be removed from our commercial mailing list, data will be promptly deactivated in marketing databases. Data contained in previous communications will be retained for no longer than 24 months, unless anonymized.

5. Access to Data
Your data may be made accessible for the purposes referred to in Art. 3:

• to employees and collaborators of the Controller as authorized personnel and/or system administrators
• to third-party companies or other entities (e.g., professional firms, consultants, insurance companies, banks) performing activities on behalf of the Controller, acting as independent Controllers or appointed Data Processors

6. Communication of Data
Pursuant to Art. 6(b) and (c) GDPR, the Controller may communicate your data, without the need for consent, to judicial authorities and to entities to whom communication is required by law for contractual purposes. These entities will process the data as independent Data Controllers.
Your data will not be subject to public disclosure.

7. Data Transfers
Personal data may be transferred, for the purposes of this notice and for archiving and storage needs, both within EU countries and to non-EU countries. In any case, the Controller ensures that extra-EU transfers will comply with applicable legal provisions.

8. Nature of Data Provision
Providing data for contractual purposes (Art. 3.1) is mandatory. Failure to provide such data will make it impossible to perform the contract.
Providing data for marketing purposes (Art. 3.2) is optional; refusal will prevent you from receiving commercial communications and advertising materials.

9. Data Subject Rights
By contacting privacy@legur.it, each data subject may exercise the rights set out in Art. 15 GDPR:

• obtain confirmation of the existence of personal data and access to such data
• obtain information on the origin of the data, purposes and methods of processing, applied logic, details of the Controller/Processors, and categories of recipients
• obtain updating, rectification, integration, erasure, anonymization, or blocking of unlawfully processed data
• object to processing for legitimate reasons or for marketing purposes, through automated or traditional means
• exercise the rights under Arts. 16–21 GDPR (rectification, erasure, restriction, portability, objection) and lodge a complaint with the Supervisory Authority
• request compensation for damage pursuant to Art. 82 GDPR, where applicable

Ref. GUL_INFO05 dated 16/02/2021