Introduction

ROI Group S.r.l. considers the protection of its users’ privacy fundamental. It has therefore adopted all necessary measures to this end and constantly strives to process personal data with maximum attention and great respect. Indeed, in the processing of the personal data gathered, ROI Group S.r.l. adopts all suitable measures to guarantee the security and confidentiality of data, in compliance with the regulations in effect.

This privacy policy explain how ROI Group S.r.l. manages the personal data of clients subscribing and participating in courses and events, indicating the means and purposes of data gathering, the use of data and the processing of information, pursuant to articles 13 and 14 of EU Regulation 2016/679 (so-called GDPR).

Data Controller

The Data Controller for the processing of data is ROI Group S.r.l., located in Macerata (MC), 67 Via G. Carducci (hereafter “Controller”).

The legal basis for the provision of data

The Controller refuses all responsibility in the case that the data subject provides incorrect or inaccurate data or data pertaining to third parties without authorisation or explicit permission to provide consent for the processing of such data. The data subject assumes full responsibility in such cases.

Categories of data processed

The Controller processes the following personal data:

a. Personal data: personal details (name, surname, residential address, fiscal code/VAT number, date and place of birth, sex); contact details (telephone number, email address)

b. Professional data: profession, commercial sector, company name;

c. Invoicing and payment data: name, surname, company name, address, fiscal code/VAT number, payment method;

d. Images: photographic and audio-visual content created during the event that may include the data subject.

The purposes and legal basis of processing

The provision of the above-mentioned data serves the following purposes:

a. Execution of the contract relating to the course/event purchased, creation of personalised material, sending informative material regarding the relevant event, and invitations to exclusive additional activities during the course of the event;

b. Management of administrative/accounting requirements.

The provision of data for the above-mentioned purposes is mandatory as it is necessary for the correct execution of the contract (article 6, comma 1, letter b GDPR) and the fulfilment of legal obligations (article 6, comma 1, letter c GDPR).

Processing is also carried out for the following purposes:

c. Implementation and updating of customer lists;

d. creation of photographic and audio-visual content during the course/event, for informational and promotional purposes;

e. management of any disputes;

The provision of data for the above-mentioned processing operations is mandatory and based on the controller’s legitmate interest (article 6, comma 2, letter f GDPR) to implement a client archive (sub. c), to document courses/events held (sub. d), and for the legal and extra-judicial protection of its own rights (sub. e).

With regard to the purpose of sub. d, if the data subject does not wish to be recorded during the course/event, he/she must indicate this at least 30 days in advance, sending an email to the following email address: privacy@roigroup.it

Processing is carried out for the following purposes:

f. communication of data to partners of the Data Controller for the purposes of the data subject’s participation, subject to acceptance of the relevant invite, in initiatives organised during the event/course;

g. communication of personal and professional data to third-party companies and/or partners for marketing purposes, as well as the sending of promotional and commercial material.

The above-mentioned processing operations concern data that has already been compulsorily provided for the preceding purposes and are based on the data subject’s consent (article 6, comma 1, letter a GDPR)

The data subject has the right to withdraw consent at any time without prejudice to the lawfulness of processing operations carried out before the withdrawal of consent. For information regarding the means of exercising the right to withdrawal, see the section entitled “Exercising the rights of the data subject”.

Any refusal to provide consent or a withdrawal of consent will preclude the data subject from using the services described in sub. f and sub. g.

Data retention periods

Personal data is retained for the following periods.

– For the purposes described in sub. a, sub. b, sub. d and sub. e: the period necessary for the execution of the contract and for 10 successive years, unless otherwise stipulated by law;

– for the purpose described in sub. c: retention of the Client’s personal details and contact details for the entire duration of the Controller’s activities, unless the Client requests the deletion of the data;

– for the purpose described in sub. f: retention for the duration of the course/event;

– for the purpose described in sub. g: retention for 24 months.

Communication of data

Personal data can be communicated to external subjects who, where appropriate, have been nominated as data processors (article
28 GDPR), who process data on behalf of the Controller.

In particular, the data being processed can be communicated (including via automated means) to the following categories of recipient, if strictly necessary:

– technical experts and software houses assisting the Controller to develop, maintain and run its website;

– Professionals in the legal, commercial or fiscal fields;

– subjects assisting the controller in the organisation and management of courses/events;

– other course participants (exclusively for the purpose described in sub. f);

– sponsors and partners of the controller (for the purposes described in sub. a, sub. f and sub. g)

The processing of data takes place within the European Union.

No communication of personal data being processed is foreseen, with the exclusion of the data gathered for the purpose of sub. d, which can be integrated in publicity, promotional and informative content and published by any means.

Security measures

Personal data is subject to both paper-based and electronic processing. To this end, all procedures designed to protect the confidentiality, integrity and availability of information have been adopted, in line with existing regulations.

The rights of the data subject

Pursuant to articles 13-21 of the GDPR, in accordance with the provisions therein, the data subject can, at any time, exercise the following rights vis-à-vis the Controller:

– the right to withdraw consent to the processing of data (see the section entitled “The purposes and legal basis of processing”

– the right to access (the data subject has the right to
know whether his/her data is being processed as well as information regarding the data being processed, and to receive a copy of this data);

– the right to rectification (the data subject can request that this/her personal data is updated or corrected);

– the right to the erasure of data (so-called “right to be forgotten”) (the data subject can request the deletion of his/her personal data, in the cases and circumstances referred to in article 17 GDPR);

– the right to data portability (in the cases and circumstances referred to in article 20 GDPR, the data subject has the right to receive his/her personal data in a structured, commonly used and machine-readable format, and, if technically possible, the right to transmit this data to another controller without hindrance).

– the restriction of processing (the data subject can request that the processing of his/her data is restricted in the cases referred to in article 18 GDPR. In such eventualities, data may be processed by the Controller, as well as for retention, with the consent of the data subject or for the protection of his/her rights or the rights of others in a court of justice or for reasons of public interest).

– the right to object (if personal data is processed in the public interest or based on the legitimate interest of the Controller, the data subject has the right to object to processing on grounds relating to his or her particular situation. In the case of processing for direct marketing purposes, the objection may be exercised without any reason).

– the right to lodge a complaint with the Ombudsman (www.garanteprivacy.it).

Exercising the rights of the data subject

To exercise the rights indicated above, the data subject must send a written request to the Data Controller, using the contact details indicated below.

Contact details

For any requests and to exercise his/her rights, the data subject may contact the Data Controller using the following email address: privacy@roigroup.it.

Modifications to this privacy policy

The Data Controller reserves the right to make modifications to this privacy policy at any time, giving adequate notice to Users, who may withdraw their consent to the processing of personal data.

Last updated: 5 June 2019