Information pursuant to Article 13 of EU Regulation 2016/679 (GDPR)
LAS A&S Srl (hereinafter ‘LAS A&S’) protects the confidentiality of personal data and guarantees the necessary protection against any event that could put it at risk of violation.
As required by EU Regulation 2016/679 (‘GDPR’), and in particular by Article 13, the information required by law regarding the processing of personal data is provided below to the user (‘Data Subject’).
Personal data will be processed in accordance with the principles of fairness, lawfulness and transparency, both in paper and electronic form. The availability, management, access, storage and usability of the data is guaranteed by the adoption of technical and organisational measures deemed appropriate by the Data Controller to ensure adequate levels of security in accordance with Articles 25 and 32 of EU Regulation 2016/679.
With reference to the personal data that will be processed, the Data Controller provides visitors to its website, in their capacity as Data Subjects, with the following information:
1. General information about the Data Controller and contact details
LAS A&S s.r.l, represented by its legal representative Lorenzo Massimino, with registered office in Segrate, Via A. Modigliani, 45 – contactable at the e-mail address info@las-aes.it
2. Category and content of data
The processing concerns personal data provided by the data subject to the Data Controller, with particular reference to:
- personal and biographical data, residential address or domicile, tax code, contact details (telephone, e-mail address, certified e-mail address, fax);
- tax data, biographical data, tax code or VAT number, relating to accounting, payments and invoices;
- company size and organization.
3. Purpose of processing
Data will be processed for the following purposes:
- to fulfil the obligation to execute the contract and for purposes strictly connected, related and instrumental to it;
- for legal obligations, such as, for example, the issuance and storage of invoices relating to sales and purchases, management of relations with banks and insurance companies. Management of the cash book and, in general, assets, insurance and monthly financial statements. Management of the timing of payments to suppliers and collections from customers. Transmission of accounting documents to specialists in the field, such as accountants;
- with the express consent of the data subject, for marketing purposes related to the promotion of the data controller’s activities. For this purpose, only personal data will be processed, with the explicit exclusion of special categories of data;
- contact via newsletter and telephone for market information, company information, satisfaction questionnaires;
- photographs and videos of the activity carried out.
4. Duration of processing
Processing will last for the following periods of time:
- for as long as necessary to provide the services requested by the Data Subject;
- limited to personal data and for tax purposes only, for ten (10) years following the issue of the invoice or payment document;
- for the exercise of the right of defence, for a maximum period of ten (10) years following the provision of services, a period equal to that provided for by law for the expiry of the ordinary action;
- limited to personal data and for marketing purposes only, for a period of two (2) years;
- limited to personal data and for profiling purposes, for one (1) year following the acquisition of consent from the data subject.
5. Provision of data and consent to processing. Conditions of lawfulness
The provision of personal data, contact details and any other details of the data subject are necessary for the performance of the services requested and for the legal obligations arising therefrom. The processing operations are indicated in point 3. Any refusal will make it impossible to provide the service or services requested.
Consent to the processing of data for marketing and profiling purposes is, however, optional.
6. Communication to third parties and categories of recipients
The data may be processed by internal and external data processors or by persons authorised to process the data by the Data Controller. The complete and updated list of data processors and authorised persons is available at the Data Controller’s registered office. By way of example, but not limited to, the data may be communicated for the performance of activities related to the established relationship and to comply with certain legal obligations to:
| Categories of recipients | Purposes |
| External professionals/consultants and consulting firms | Accounting and contractual obligations. |
| Banking institutions | Payments related to the contractual service. |
| Third-party suppliers | Provision of services |
| Financial administration, public bodies, judicial authorities, supervisory and control authorities | Compliance with legal obligations, defence of rights, lists and registers kept by public authorities or similar bodies on the basis of specific legislation, in relation to the contractual service. |
The Data Controller may transfer personal data to countries outside the EU. The transfer of your personal data to third parties in non-EU countries that do not ensure adequate levels of protection will only be carried out with your express consent or after concluding specific agreements with such parties, containing appropriate safeguards and guarantees for the protection of your personal data (‘standard contractual clauses’), or if the transfer is necessary for the conclusion and execution of a contract between you and the Data Controller or for the management of your requests.
If the data subject has given consent to the processing of their personal data for marketing purposes, these may be communicated to data processors and persons authorised to process data, who are responsible for managing marketing services such as, for example, sending newsletters, informative text messages, telemarketing, etc., including through services provided by external companies.
In no other case will the data subject’s data be communicated or disclosed to third parties.
7. Rights of the data subject
The data subject may exercise their rights under the GDPR at any time. These rights are:
- the right to receive confirmation of the existence of the Data and access its content (rights of access);
- the right to update, modify and/or correct the Data (right of rectification);
- the right to request the erasure of Data processed in violation of the law, including those that do not need to be retained for the purposes for which the Data were collected or otherwise processed (right to erasure or to be forgotten);
- the right to restrict the processing of Data processed in violation of the law, including those that do not need to be retained for the purposes for which the Data were collected or otherwise processed (right to restriction);
- the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her, including profiling based on those provisions (right to object);
- the right to receive a copy in electronic format of the Data concerning him/her as the Data Subject, when such Data has been provided in the context of the contract, and to request that such Data be transmitted to another data controller (right to data portability).
The data subject may exercise their rights by submitting an informal request to the Data Controller, who will respond within thirty (30) days of receipt. This period may be extended by a further sixty (60) days if the fulfilment of the request is particularly burdensome for the Data Controller. If the data subject wishes to receive a written reply, they must explicitly indicate this in the request.
The data subject may not obtain non-definitive data or data undergoing processing relating to them, nor may they obtain a correction of evaluative data. Furthermore, the right of access may be exercised only in relation to processing operations that are ongoing and not those that have already been completed.
Data subjects are informed that, if they do not receive a response within the specified time frame or are not satisfied with the response, or if they believe that their rights have been violated, they may lodge a complaint with the Data Protection Authority in accordance with the procedures indicated on the Authority’s website, accessible at: http://www.gpdp.it. The exercise of the rights of the data subject is free of charge, unless the Data Controller has to bear excessive costs.
