Pursuant to Art. 13 of EU Regulation 2016/679 (GDPR)

Privacy Policy for Purchase

Sacto S.r.l. (Tax Code/VAT no. 02499790968), with its registered office at Via Valcava 15, 20900 Monza (MB), as Data Controller pursuant to and for the purposes of EU Regulation 2016/679 (hereinafter also “GDPR” or “Regulation”), recognizes the importance of the fundamental right to the protection of natural persons with regard to the processing of personal data. Therefore, in accordance with the aforementioned Regulation, the processing of personal data of data subjects will be carried out and safeguarded according to the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, accountability and, in any case, in compliance with the provisions of the GDPR.

  1. DATA CONTROLLER

    The Data Controller, meaning the entity that determines the purposes and means of the processing of personal data, is Sacto S.r.l. (Tax Code/VAT no. 02499790968), represented by its legal representative pro tempore, with its registered office at Via Valcava 15, 20900 Monza (MB).

    The Data Controller can be contacted at the following e-mail address: sacto@sacto.it

  2. PURPOSES AND LEGAL BASIS OF THE PROCESSING

    The personal data collected through the website (personal details; contact information) will be processed, in accordance with the GDPR, for the following purposes:

    a) to purchase products through the website (including payment and delivery);

    b) to send commercial and promotional communications (by mail, e-mail, or other electronic means) regarding products, services, offers, promotions, and news related to Sacto S.r.l.

    The data collected through the website are processed to enable the purchase of the products available on the site, as well as to fulfil the legal obligations to which the Data Controller is subject (Art. 6.1.b GDPR and Art. 6.1.c GDPR).

    The data collected, with prior consent, may be used for sending commercial and promotional communications, including by means of automated systems through email or other similar electronic communication technologies (Art. 6.1.a GDPR). Consent may be withdrawn at any time without affecting the lawfulness of processing based on consent given prior to its withdrawal.

  3. RECIPIENTS OF PERSONAL DATA

    Personal data may be accessed exclusively by authorized individuals who have been duly instructed pursuant to Articles 29 GDPR and 2-quaterdecies of the Italian Personal Data Protection Code (such as employees and collaborators). The data may also be accessed by third parties appropriately designated as “Data Processors” pursuant to Article 28 GDPR and provided with the necessary legal safeguards.

    It is understood that the personal data of data subjects may be freely disclosed to third parties, such as law enforcement authorities, whenever permitted by law or required by an order or measure issued by a competent authority.

  4. PERSONAL DATA RETENTION PERIOD

    The personal data of data subjects will be retained for the time necessary to achieve the purposes indicated in point 2), as well as for the period during which the Data Controller is subject to retention obligations for administrative, tax, and/or accounting purposes, in compliance with civil and tax obligations, or for other purposes required by legal and mandatory provisions, whether national or EU.

    Specific security measures are observed to prevent the loss of personal data, unlawful or incorrect use, and unauthorized access, in accordance with the GDPR.

    Furthermore, in order to ensure that personal data are always accurate, up to date, complete, and relevant, you are invited to report any changes to the following e-mail address: sacto@sacto.it

  5. DATA SUBJECT RIGHTS

    At any time, where the legal conditions are met, data subjects may exercise the following rights granted under the GDPR by contacting the Data Controller at the e-mail address sacto@sacto.it:

    1. to request and obtain confirmation as to whether or not personal data concerning them are being processed;

    2. where processing is taking place, to request and obtain access to the personal data;

    3. to request and obtain, without undue delay, the rectification of inaccurate personal data concerning them, as well as the completion of incomplete personal data;

    4. to request and obtain, without undue delay, the erasure of personal data concerning them when one of the conditions set out in Article 17(1) GDPR applies, except as provided in Article 17(3) GDPR;

    5. to request and obtain, in the cases provided for in Article 18(1) GDPR, the restriction of the processing of their personal data;

    6. to object at any time to the processing of their personal data on grounds relating to their particular situation. Specifically, in the event of an objection, the personal data will no longer be processed unless there are compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subjects, or for the establishment, exercise, or defense of legal claims;

    7. to obtain the portability of the personal data concerning them, meaning the right to receive such data from the Data Controller in a structured, commonly used, and machine-readable format, and to request their transmission to another Data Controller without hindrance;

    8. where consent is required for the processing of personal data, to withdraw the consent previously given, limited to cases in which the processing is based on the data subjects’ consent for one or more specific purposes or involves the processing of special categories of data (for example, data revealing racial origin, political opinions, religious beliefs, health status, sexual life, etc.). Processing based on consent and carried out prior to its withdrawal remains unaffected and therefore retains its lawfulness.

    In any case, you are asked not to send or disclose so-called special categories of data through the website or by any other means. Under the GDPR, “special category data” refers to any data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data intended to uniquely identify a natural person, and data concerning an individual’s health, sex life, or sexual orientation.

    Furthermore, data subjects may lodge a complaint with the Supervisory Authority (the Italian Data Protection Authority) if they believe that their rights under the GDPR have been violated, following the procedures indicated on the Authority’s website, available at: www.garanteprivacy.it

  6. CONSEQUENCES OF FAILURE TO PROVIDE PERSONAL DATA

    The provision of personal data is mandatory for the purposes indicated in point 2), letter a), and failure to provide such data makes it impossible to conclude contracts and to deliver the requested services.

    The provision of personal data is optional for the purposes indicated in point 2), letter b), and failure to provide such data makes it impossible to send commercial communications.