Information notice under Regulation (EU) 2016/679 for online marketing
Under Regulation (EU) 2016/679 (“General Data Protection Regulation” or simply GDPR) and the national laws applicable to the protection of personal data, we wish to inform you that, in compliance with the provisions of the GDPR, your personal data has been collected and processed as follows.
Joint Controllers and related contact information.
On the basis of a joint controller agreement under art.26 of the GDPR the following parties are Joint Controllers:
- Zhermack S.p.A., with registered office in via Bovazecchino no. 100, Badia Polesine (Rovigo), Italy;
- Zhermack GmbH Deutschland, with registered office in Öhlmühle 10, D-49448 Marl, Germany.
The contact information (sole contact person) of the Joint Controllers is the Legal Specialist, domiciled at Zhermack Spa, who may be contacted at the following address: firstname.lastname@example.org.
Data Protection Officer
The Dentsply Sirona Group has appointed a Data Protection Officer (hereinafter “Group DPO”), to whom any questions or requests for information can be directed, provided that the required conditions are met, at the email address email@example.com or on the number +49 69 299 08 901.
Purposes and methods of processing for which the data is intended. Mandatory or optional nature of the provision of personal data; consequences of a possible refusal.
The personal data is freely provided by you on the website www.Zhermack.com.
The Joint Controllers collect and process personal data for the following purposes:
- (I) to provide a reply to any information, including pre-contractual information that may be requested, as well as to send the newsletter;
- (II) with the consent of the data subject, to send (also via newsletter) business and promotional information, direct sales information and market research (hereinafter defined as “marketing activities”) by the Joint Controllers, either jointly or separately. The processing of personal data for marketing purposes will be carried out using traditional tools (paper-based mail) and by means of distance communication, such as telephone, also without operator, email, MMS, text message, WhatsApp, app, etc.;
- (III) with the consent of the data subject, personal data, browsing and purchasing choices (“Profiling”) are processed using fully automated means, with electronic tools, including cookies, with the aim of improving the marketing activities of the Joint Controllers. The failure to consent to the processing of this personal data for profiling activities will make it impossible for marketing offers to be improved with the aim of tailoring them to the interests of the users.
The processing of the personal data for the purposes referred to in point I of the previous paragraph is carried out under art.6, para. 1, letter b) of the GDPR, and the provision of the personal data is essential for the services/information requested. Any refusal to provide the data will make it impossible to provide the requested information. Nevertheless, the data subject is under no obligation to provide the data and its processing does not require the consent of the data subjects.
The provision of the data for the purposes stated in points II and III is optional and the processing requires the consent of the data subject under art.6, para. 1, letter a) of the GDPR and art. 130, paragraph 1 of the Italian Privacy Code. The consent provided for the sending of business and promotional communications via automated tools is extended also to the traditional contact methods. The failure to consent to the processing of personal data for profiling activities (point III) will make it impossible to improve marketing offers with the aim of tailoring them to the interests of the data subjects (with regard to the subject of the activities carried out by the Joint Controllers, it is considered that profiling activities do not put the personal aspects relating to the data subjects at risk).
The data provided by data subjects is collected and processed by a lead nurturing platform and flows into the database managed by Zhermack and, in particular, on the CRM that has been set up as the sole Database of the Joint Controllers.
It is also to be noted that the software procedures that control the functioning of the website, in addition to enabling the profiling activities stated above to be carried out via cookies, may also acquire some personal data on browsing habits during the normal course of operation, the transmission of which is implicit in the use of Internet communication protocols, for the purpose of checking the correct functioning of the website and collecting information on its use.
Categories of recipients of the personal data.
Personal data will be processed by the authorised parties responsible for the management of the requested services (in particular marketing services and IT) and, possibly, marketing activities. The data may be communicated, if necessary due to the information requested, to the Companies of the Dentsply Sirona Group.
The data will also be processed by the Data Processors that, on behalf of the Joint Controllers, perform activities strictly functional to the management of the services referred to for the purposes described above.
The data may be communicated to companies of the Dentsply Sirona Group for the same purposes stated above.
Personal data may be communicated to third parties in order to comply with legal obligations, to respect orders issued by public authorities authorised to do so, or to enforce or defend a legal claim (see art.6, para. 1, letters c) and f)).
The list of these parties can be consulted through the Contact person stated above.
Communication of the data and its transfer outside the EU.
The possible transfer of data outside the EU, to countries that do not offer an adequate level of data protection, will take place in accordance with an infra-group agreement for the transfer of the data among the Companies of the Dentsply Sirona Group, which provides for the adoption of standard contractual clauses approved by the European Commission for the transfer of data from one data controller to another data controller and the adoption of those for transfers from the data controller to the data processor. To obtain a copy of this possible data or the place where the data has been made available, please write to the Contact person stated above.
In general, data is stored for the period of time strictly necessary for the purposes for which it has been collected. In particular:
- for any information requested, the time limit necessary for the documentation of the activities carried out in order to provide a response, namely 18 months;
- for the processing of data for marketing purposes and for profiling purposes, the storage time limit is 24 months from the collection of the data or from the last activity of the data subject.
Without prejudice to the right of the data subject to request the erasure of his/her data and/or the making anonymous of his/her data at any time, upon the expiry of the storage time limit stated above the Joint Controllers may request the data subject via email to expressly agree to the storage of the data (and possibly updating it) for a further two years. If specific consent is not given for the storage of data, it will be erased or made anonymous.
Complaints to the competent Supervisory Authority or Judicial Authority.
In order to exercise his/her rights, the data subject is entitled to lodge a complaint with the competent supervisory authority (in Italy the Data Protection Authority [Garante per la protezione dei dati personali], Piazza di Monte Citorio, 121, 00186, Rome; in Germany: Die Landesbeauftragte für den Datenschutz Niedersachsen, Prinzenstraße 5, 30159 Hannover) or to lodge a complaint to the competent judicial authority.
The rights of the data subject under articles 15-22 of the GDPR.
The data subject is entitled to withdraw his/her consent to the processing of his/her personal data at any time, without affecting the lawfulness of the processing based on consent before the withdrawal. The GDPR grants the right to access, rectify or erase the personal data, and to obtain the restriction of its processing or the objection to its processing and its portability. The right of access to the data can be exercised at reasonable intervals, in order to have correct and constant information on the processing and to verify the lawfulness thereof. The right to erase the data applies to the personal data processed in breach of the law or in the other cases laid down in art.17 of the GDPR. The restriction of the processing can be obtained from the Joint Controllers for the period necessary to check the personal data whose accuracy is contested, or when the processing is unlawful and restriction is preferred to the erasure of the data, or if there is the need to have this data at disposal for the establishment, exercise or defence of a legal claim, even if the Joint Controllers no longer require it for the processing purposes, or for the period necessary to check the possible prevalence of the legitimate grounds of the Joint Controllers over those of the data subject and for which they object to the processing. In the case of restriction, the personal data is processed only with the consent of the data subject or for the establishment, exercise or defence of a legal claim or to protect the rights of another natural or legal person or for reasons of a substantial public interest of the European Union or a member State. In any case the data subject will be informed by the Joint Controllers before the latter withdraw the aforesaid restriction.
For reasons connected to his/her situation, the data subject is entitled to object to the processing of the data necessary for the performance of a task carried out in the public interest or connected to the exercise of official authority vested in the Joint Controllers, or for the pursuit of the legitimate interest of the Joint Controllers. The Joint Controllers will refrain from further processing this data, unless they provide evidence of imperative legitimate reasons that prevail over those of the data subject. The data subject may object to the processing of his/her personal data at any time when it is processed for direct marketing purposes, including profiling. The right of the data subject to object to the processing of his/her personal data for marketing purposes using automated contact methods is extended to traditional methods, without prejudice to the possibility of the data subject to exercise this right in full or in part, i.e. objecting only, for example, to the sending of promotional communications via automated means. The data subject is entitled to the portability of the data (the possibility of receiving the data provided and possibly of sending it to another Data Controller) in the cases permitted by the GDPR (art.20); the data subject is entitled not to be the subject of a decision based exclusively on automated processing, including profiling. As an exception, this type of processing is possible if authorised by the laws of the Union or the member State to which the Joint Controllers are subject, or if permitted by the data subject or if necessary for contractual purposes. In the latter two cases, the data subject is entitled to obtain human intervention from the Joint Controllers, to express his/her opinion and to challenge the decision.
Data subjects may access the essential contents of the Joint Controller Agreement, in accordance with the provisions of art.26, paragraph 2, of the GDPR.
In order to exercise these rights, please contact the Contact Person stated above.