Information on the processing of data is provided only for the Site and for processing carried out by the Company and does not extend to processing by third parties through other sites that may be consulted by Users via links. The Company does not accept any liability for such further processing. Users should refer to the individual Privacy Policies of third-party websites.
- Data Controller and place of data processing
The Data Controller is the Company COIMA Image S.r.l., with headquarters at Piazza Gae Aulenti No. 12, 20154 Milan, Italy.
- Data processing methods
The Company processes Users’ data while adopting all appropriate data security measures to prevent unauthorised access, unauthorised disclosure, modification or destruction of data. Data processing is carried out using manual and/or electronic tools, according to organisational methods and logics strictly related and limited to the indicated purposes.
- Purpose and legal basis of data processing
The Company, through the Site, may process Users’ data for the following purposes:
- Contacting the Company. Users may contact the Company to ask for information via the contact form provided on the Site. Personal data voluntarily provided by Users (e.g. first name, last name, email address, country and/or other information voluntarily provided by Users) will be processed by the Company in order to receive, correctly manage and respond to communications and/or requests received from Users. The legal basis of data processing is the performance of the service specifically requested by Users. Any refusal to provide personal data will make it impossible for the Company to manage and respond to communications or requests for information (Article 6(1)(b) of the GDPR).
- Receiving job applications through the “Work with us” section. The Company enables Users to send their application to work with COIMA Image through the “Work with us” section of the Site. Accordingly, the Company will receive and use any information provided by Users in their CVs exclusively for the selection and processing of such applications. Users are asked not to include sensitive data in their CV (e.g. data concerning their health, political opinions, sexual life, etc.), unless such data are strictly required by law for CV selection and assessment purposes (e.g. applicants belonging to protected categories). Applications may be sent by email to email@example.com by clicking on “Apply now” in the “Work with us” section of the Site.
Further information on the processing of data for this purpose will be provided by the Controller during initial contact with the applicant. The legal basis for data processing is the execution of a request from the Data Subject (Articles 6(1)(b) and 9(2)b) of the GDPR).
- Newsletter subscription. Users have the option of subscribing to our newsletter (by filling in the “Subscribe to our newsletter” section and providing their name and email address) in order to keep up to date with the Company’s activities and the world of architecture and sustainability. The legal basis for processing is the provision of the service expressly requested by Users (Article 6(1)(b) GDPR).
- Pursuit of the legitimate interests of the Company and/or third parties. Users’ data may be used to exercise the rights and legitimate interests of the Company or third parties, such as the handling of claims and litigation, debt collection, and the prevention of fraud and/or unlawful activities. In such cases, although the provision of Users’ personal data is not required, it is nonetheless necessary as the data are closely connected and instrumental to the pursuit of such legitimate interests, which do not override Users’ fundamental rights and freedoms (Article 6(1)(f) GDPR).
- Fulfilling applicable legal or other obligations. The Company may use personal data provided by Users or otherwise obtained during Users’ interaction with the Site for compliance with legislative and regulatory obligations, national and EU legislation, as well as obligations arising from orders issued by authorities that are legally authorised to do so, which represent the legal basis for data processing (Article 6(1)(c) GDPR).
- Categories of data processed
Through the Site, the Company receives and collects information on Users visiting its pages and using web services available on the Site. The Company obtains and processes the following information.
4.1 Data collected from browsing and cookies
When Users visit the Site, the Site collects certain data, such as pages viewed, links or buttons clicked by Users, date and time of access, Users’ IP address, browser and their operating system (known as “navigation data”). Some of these data, the transmission of which is implicit in the use of communication protocols, are collected in the course of the normal use of the Site, while other data (e.g. pages viewed) are collected only with Users’ explicit consent to the installation of certain cookies and/or other tracking tools. The Company uses these data to obtain statistical information on the use of the Site for purposes strictly related to its functioning and to the evaluation of the effectiveness of the services offered through the Site. Some navigation data may also be used to ascertain liability in the event of any computer crime committed against the Site.
4.2 Data provided voluntarily by Users
The Company limits the collection of personal data provided voluntarily by Users to what is necessary for the purposes set out in paragraph 3 above, and to provide the services that are expressly requested. In addition, the Company may collect and process additional personal data, if such data are voluntarily provided by Users in relation to services offered by the Site, for example in the event that Users contact the Company to report inefficiencies or malfunctions, or to exercise their rights regarding the processing of personal data, etc. Such data will be processed by the Company solely for purposes strictly related to Users’ requests. Any failure to provide data may result in it being impossible for Users to receive the requested service.
- Disclosure of data to third parties and transfer of data to non-EU countries
- duly instructed personnel of the Data Controller (in particular, employees and contract staff in the HR, IT and administration departments may have access to data if they need to process the same in order to perform their duties);
- companies, contract staff, consultants or freelancers that the Company engages to perform technical or organisational tasks (e.g. IT and web service providers, procurement services etc.) and with whom the Company collaborates in order to provide and operate its own services, or for certain communication activities;
- persons, companies or professional firms that provide support and consultancy to the Company, particularly (but not exclusively) in accounting, administrative, legal, tax and financial matters;
- persons/entities entitled by law or by order of a public authority to access such data.
The persons/entities belonging to the categories indicated above will use the data as independent data controllers pursuant to law or as data processors duly appointed by the Company. Such persons/entities may be based in EU and non-EU countries. Where such persons/entities are based in non-EU countries, the Company declares that it has adopted the measures provided for in the Regulation to legitimise the transfer of personal data thereto.
A list of entities to which the data are or may be disclosed, and the privacy measures adopted to legitimise transfers of such data outside the EU, may be requested from the Company by using the contact details indicated in the “Rights of Users and Contact Details” section.
- Data storage
Data are processed for the time necessary to perform the activities indicated in paragraph 3 above, and are erased when the purposes for which they were collected and processed no longer apply.
In particular, the Company will respond to requests received by email and will retain evidence of such requests for a maximum period of 2 months following receipt of the request (after which the data will be erased), without further processing the personal data provided, except where the data must be kept for longer periods to duly fulfil Users’ requests.
If a User has applied unsuccessfully for a position of employment at the Company, the Company will erase such User’s personal data within and no later than 5 years from the date on which the data were provided. The length of the storage period will depend on the seniority of the role (the storage period – between 18 months and five years – is directly proportional to the seniority of the candidate). Personal data used to send newsletters will be kept until the User asks to be removed from the Company’s mailing list.
- User rights and contact details
Users may exercise the rights provided for by law and, where applicable, the rights established in Article 15 et seq. of the Regulation. In particular, Users have the right to:
- obtain confirmation as to whether or not their personal data are being processed and, if this is the case, to request information on data processing from the Data Controller (e.g. purpose, categories of data processed, recipients or categories of recipients of data, storage period, etc.);
- request the rectification of inaccurate or incomplete data;
- request that the Controller delete the data (e.g. if the personal data are no longer necessary for the purposes for which they were collected, or if the consent on which data processing is based is withdrawn, etc.);
- request the restriction of processing (e.g. if the User challenges the accuracy of data; if data processing is unlawful and the User objects to the deletion of the personal data; if the data are necessary for the exercise or defence of a right of the User in court, even if the data controller no longer requires them; when the User exercises the right to object to data processing, for the time necessary to verify whether legitimate reasons exist);
- receive personal data concerning him/her in a commonly used and machine-readable format (e.g. PDF) and send the data to another controller, or obtain their direct transmission from one data controller to another, if technically feasible (so-called ‘data portability’).
Users have the right to object to the processing of their personal data, in whole or in part, for legitimate reasons.
These rights may be exercised directly by sending a communication to the following email address: firstname.lastname@example.org.
Finally, if Users consider that data have been processed in violation of legislation on the protection of personal data, they have the right to lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it).
If the changes are particularly significant and/or notably affect Users’ rights, the Company may also communicate them to Users in a different manner (e.g. by email).