INFORMATION NOTICE ON THE PROCESSING OF PERSONAL DATA

Sign up and use of MyMapei profile

pursuant to art. 13 of EU Regulation 2016/679 (GDPR)

titolare-trattamento

CONTROLLER

Who decides the purposes and means of the processing?

Mapei S.p.A. is the data controller, which means that it is the subject who determines the purposes and means of the

processing*

personal data**

. Below you can find the contact details of Mapei S.p.A.:

Address: Via Cafiero, 22 20158 – Milan Italy
Telephone and Fax: +39 02 376 731 e +39 02 37 67 32 14
E-mail: privacy@mapei.it

In the present information notice, Mapei S.p.A. is also referred to as the 'Company' or 'Controller'.

*Processing means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, storage, organisation, consultation, use, erasure of data.

**Personal data means any information relating to an identified or identifiable natural person. By way of example, a name, an identification number, location data, one or more factors specific to the physical, economic, cultural or social identity of that natural person

dati-trattati

PROCESSED DATA

What kind of data do we collect?

We collect various personal data, to fulfill the processing purposes listed in the following paragraph. We process only

common personal data*

, including:

identification, contact and authentication data,i.e., user’s first and last name, e-mail (username) and password for sign up and login;
data spontaneously provided by the user while using the services as tax code and professional register number;
navigation data within the website, using tracking tools such as technical cookies, analytics, profiling cookies; for further information on cookies, please refer to the cookie policy.

*Personal data can be classified into two types: common data and special categories of personal data (also known as "sensitive data"). Special categories of data include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data intended to uniquely identify a natural person, data concerning a person's health, sex life or sexual orientation. Common data are, by exclusion, all other data, e.g. name and surname, contact details, postal address, bank details, etc.

finalita

PURPOSES

For what purpose do we process users’ data?

The processing of user’s data is carried out for different

purposes*

creation of a MyMapei account;
marketing: sending of advertising and promotional material, both through automated and traditional means, related to services and products offered by the Company, invitation to events, market research, statistical analysis. Depending on the user's preferences, this activity may also include sending a periodical Newsletter by e-mail and/or sending Realtà Mapei or Realtà Mapei International magazine by traditional mail, to the postal address provided by the user. You can find out more about the magazines and their contents at this link;
profiled marketing / profiling: analysis of the user's preferences, habits, behaviour, interests deduced from the data provided by the user and his/her interaction with the site, in combination with the data collected via cookies, to send personalised commercial communications and/or to carry out targeted promotional actions;
registration for online and/or in-person courses organized by the Company. In order to obtain professional training credits, the professional order/registry number and the tax code will be requested;
fulfilment of legal obligations provided for by applicable national and supranational regulations;
ascertainment, exercise or defence of the Controller's rights in court and/or out-of-court procedures.

*Personal data may only be collected for specified, explicit and legitimate purposes, and subsequently processed in a manner compatible with those purposes.

base-giuridica

LEGAL BASIS

What condition makes the processing lawful?

The processing must be founded on an adequate

legal basis*

to be lawful:
1. and 4.

performance of a contract**

to which the data subject is a party, or execution of pre-contractual measures taken at his/her request, pursuant to art. 6, par. 1, lett. b) GDPR. The user will be able to save in the MyMapei profile the professional order/registration number and the tax code: this processing will be based on consent;
2. and 3. consent of the data subject, pursuant to art. 6, par. 1, lett. a) GDPR;
5. compliance to a legal obligation to which the Controller is subject, pursuant to art. 6, par. 1, lett. c) GDPR;
6. legitimate interest of the Controller or of a third party, pursuant to art. 6, par. 1, lett. f) GDPR.

*Processing may only be carried out if certain conditions, alternative to each other and known as legal bases, are in place. In the processing of common data, the controller may rely on the following legal bases:

consent of the data subject;
performance of a contract to which the data subject is party or of pre-contractual measures taken at the request of the data subject;
fulfillment of a legal obligation;
safeguard of the the vital interests of the data subject or of another natural person;
necessity for the performance of a task carried out in the public interest;
legitimate interest of the data controller.

**When the regulation refers to the performance of a contract or to pre-contractual measures, the scope is meant to include also activities that apparently might not appear to be contracts: e.g. registering on a site, sending an enquiry via a contact form, registering for a training course.

conservazione

RETENTION

How long do we retain personal data?

We retain user’s data for a period that depends on the specific purpose of the processing:
1. and 4. contractual duration and, after its termination, for the ordinary limitation period of 10 years;
2. until revocation of the data subject’s consent (marketing registry) and for a maximum period of 24 months (information related to campaigns sent to the user);
3. until revocation od the data subject’s consent (profiling registry) and for a maximum period of 12 months (information connected to the user's behaviour, preferences and interests);
5. for the time required by the applicable legislation;
6. for the entire duration of judicial or extrajudicial

litigation*

*Until the time limit for appeals is exhausted

necessarieta

NECESSITY

Is the provision of personal data necessary?

For some of the processing purposes listed above, it is necessary for the user to provide their data, without which we will not be able to provide our services; for others, the provision of data is optional. In particular, the provision of data marked with an asterisk (*) in the MyMapei registration form is mandatory for the purposes of creating the account itself; in the context of registration for training courses, the provision of the professional order number and the tax code is optional, but without them it will not be possible to obtain any professional training credits. Consent to marketing and profiling is

optional and revocable at any time*

, in the appropriate section of your MyMapei profile, or by contacting the Controller at the following e-mail address privacy@mapei.it.

*Consent to the processing of personal data, in order to be compliant, must be free, specific, informed, unequivocal and expressed through a positive action by the data subject. The interested party has the right to revoke his/her/their consent at any time: by accessing the appropriate section of your MyMapei profile you can choose to revoke your consent to marketing or select only the types of content that you are interested in (among generic marketing, newsletters and Realtà Mapei and/or Realtà Mapei International magazine).

soggetti-terzi

THIRD PARTIES

To whom could we communicate personal data?

The user’s data may be communicated to subjects acting as controllers such as, by way of example, authorities and supervisory and control bodies, persons, companies, associations or professional firms providing assistance and consulting services, and in general by public and private subjects entitled to request the data. The user’s data may be processed, on behalf of the Data Controller, by subjects appointed as

Processors*

, who are given appropriate operating instructions.
These subjects are essentially included, by way of example, in the following categories:
a) companies that provide e-mail and hard-copy sending services;
b) companies that provide website and information system maintenance services;
c) companies that provide management and maintenance services for the Controller's database;
d) companies that provide marketing automation platform management services.
For a complete list of the Processors, please send a request to privacy@mapei.it.

*The Data Processor is the subject who processes data on behalf of the Controller. For example, when Mapei enters into a contract with a supplier, if the latter is required to process personal data belonging to Mapei in order to perform its services, it must also sign the Data Processing Agreement, undertaking to process personal data in compliance with the instructions received

autorizzati

AUTHORISED

Who is authorised to process the data?

Personal data may be processed by the employees of the Company functions deputed to the pursuit of the aforementioned purposes, who have been expressly authorised to process the data and who have received adequate operating instructions pursuant to art. 29 of the GDPR and 2 quaterdecies of Legislative Decree 196/2003, as amended and adapted by Legislative Decree 101/2018.

extra-ue

EXTRA EU

Could data be transferred to countries outside the EU?

There will be no transfer of data outside the European Economic Area (EEA)*

as regards the processing related to the creation and use of the services available in the MyMapei profile. As an exception, if the data subject requests to receive the magazine Realtà Mapei or Realtà Mapei International in countries outside the EEA, personal data will also be processed outside the EEA, in order to allow the magazine to be sent by post.

*The transfer of personal data to countries outside the European Economic Area may result in a reduction of the level of data protection, due to the less strict legal provisions in force in those countries. For this reason, the transfer can only take place under certain conditions, outlined in the GDPR.

diritti

RIGHTS

What are the data subject's rights?

By contacting the Company by e-mail at privacy@mapei.it users may request access to the data concerning them, their rectification, integration or deletion, the restriction of processing in the cases provided for by Article 18 GDPR as well as opposition to processing in cases of legitimate interest of the data controller.
Data subjects also have the right, in the event that the processing is based on consent or contract and is carried out by automated means, to receive the data in a structured, commonly used and machine-readable format, as well as, if technically feasible, to transmit them to another data controller without hindrance.
Data subjects have the right to withdraw their consent at any time, as well as to object – for reasons related to their particular situation – to processing carried out in pursuit of the legitimate interests of the data controller. Data subjects may withdraw and manage their consents via the channels indicated, or by contacting the Controller by e-mail at privacy@mapei.it. Such withdrawal shall not affect the lawfulness of the processing based on the consent given before the withdrawal.
Finally, data subjects have the

right to lodge a complaint with the competent supervisory authority*

*The Italian Supervisory Authority is the Garante per la Protezione dei Dati Personali. The data subject may contact the Authority of the Member State in which he/she/they reside, in which he/she/they work or in which the alleged infringement occurred to lodge a complaint.

Keep in touch

Subscribe to our newsletter to get Mapei news