Complete privacy policy for customers

Valmet Tissue Converting S.p.A.

Who are we and what do we do with your personal data?

The company Valmet Tissue Converting S.p.A., with its registered office in 55100 Lucca, Via Giovanni Diodati 50 (hereinafter also the "Data Controller"), as Data Controller will see to the confidentiality of your personal data and guarantee its necessary protection from any event that could put it at risk of violation. The Data Controller applies policies and practices concerning the collection and use of personal data and the exercise of the rights recognized by the applicable legislation. The Data Controller is responsible for updating the policies and practices adopted for the protection of personal data whenever it becomes necessary and in any case whenever regulatory and organizational changes arise that may affect the processing of your personal data.

The Data Controller has appointed a Data Protection Officer (DPO) that you can contact if you have questions about the policies and practices adopted. The contact details of the Data Protection Officer are as follows: dpo.ti.luc@valmet.com 

How does the Data Controller collect and process your data?

The Data Controller collects and/or receives information about you, such as:

  • name, surname
  • e-mail
  • phone number
  • fax number
  • address
  • role in the company
  • language

Your personal information will be processed for:


1) the management of the pre-contractual negotiation, of the contractual relationship and the fulfilment of any other obligations including regulatory obligations, arising therefrom

Purpose

  • pre-contractual activity
  • the management of the contractual relationship in all its phases
  • payment management, complaint handling
  • registration, invoicing and bookkeeping
  • prevent contractual fraud

Legal basis

Execution of pre-contractual and contractual activities

Fulfilment of legal obligations and depending on the contract and the relationship established, such as, among others, those arising from:

  • Presidential Decree no. 633/1972 and subsequent amendments and integrations
  • Presidential Decree no. 600/1972 and subsequent amendments and integrations
  • Code of Conduct of the Data Controller

Fulfilment of economic, financial and social reporting obligations


Your personal data is also collected from third parties such as, by way of example:

  • Other data controllers (e.g. companies of the group)

The personal data that the Data Controller processes for this purpose are, among others:

  • name, surname, e-mail, telephone number, fax number, address, role in the company, language


2) for the communication to third parties and recipients

Purpose

Communication to third parties, such as

  • Companies of the group
  • Tax advisers and accountants
  • Couriers
  • Credit institutions
  • Lawyers
  • Sales agents
  • IT consultants
  • Credit insurance companies
  • External collaborators identified for this purpose
  • Auditors

Legal basis

Execution of pre-contractual and contractual activities

Fulfilment of obligations depending on the contract

Fulfilment of legal obligations, such as, among others, depending on:

  • Presidential Decree no. 633/1972 and subsequent amendments and integrations
  • Presidential Decree no. 600/1972

Observance of transparency and economic and social reporting obligations


Your data will not be disclosed to third parties / recipients for their own independent purposes unless:

  1. you give permission
  2. the communication is necessary for the fulfilment of the obligations depending on the contract and the laws that govern it (e.g. for the defence of your rights, for reporting to the supervisory authorities, etc.).


3) for direct marketing activities concerning the services of the Data Controller

The processing of your personal data takes place in order to offer you products that are additional to those you have purchased, or even improved or more suitable to your needs, and to send you advertising material. The processing of your data (such as first name, last name, e-mail) may take place by e-mail.

This processing may be carried out on the basis of a legitimate interest of the Data Controller (so-called soft spam). However, this is without prejudice to your right to object at any time to processing based on legitimate interest for reasons related to your particular situation by writing to the Data Controller at privacy.ti.luc@valmet.com


4) for the communication of data to the companies of the group to which the Data Controller belongs for marketing activities on an autonomous basis

The communication of your data (first name, last name, e-mail address, role in the company) is carried out for marketing activities proper to the companies of the group to which the Data Controller belongs. The processing in question may be carried out on the basis of a legitimate interest of the Data Controller. However, this is without prejudice to your right to object at any time to processing based on legitimate interest for reasons related to your particular situation by writing to the Controller at privacy.ti.luc@valmet.com


5) for information security purposes

Purpose

Implementation of the detection and notification of personal data violation (data breach)

Legal basis

Execution of activities depending on the established relationship

Fulfilment of legal obligations (detection and notification of data breach events)

Legitimate interest


What happens if you do not give your consent to the processing of personal data?

If you do not provide your personal data, the Data Controller will not be able to follow up the processing related to the pre-contractual negotiation, the management of the contract and the services connected to it or to the fulfilments arising therefrom. The Data Controller intends to carry out the processing based on certain legitimate interests that do not affect your right to privacy, such as those intended:

  • to allow the prevention of computer incidents and the notification to the supervisory authority or the communication to users, if necessary, of the violation of personal data;
  • to allow communication to third parties / recipients for activities related to those of contract management.


How and for how long is your data stored?


How 

The data processing is performed through paper supports or IT procedures by specially authorized and trained internal subjects. Such internal subjects are allowed access to your personal data to the extent that it is necessary to carry out the processing activities that concern you. The data belonging to particular categories are treated separately from the others also by means of pseudonymisation or aggregation methods that do not allow you to be easily identified.

The Data Controller periodically verifies the tools through which your data is processed and the security measures in place, which it keeps constantly updated; verifies, also through the subjects authorized to carry out the processing, that personal data whose processing is not necessary is not collected, processed, filed or stored; and verifies that the data is stored with the guarantee of integrity and authenticity and is used for the purposes of the processing actually performed. The Data Controller guarantees that data which, even after the verifications, are found to be excessive or irrelevant will not be used, except for the possible retention, according to the law, of the deed or document that contains them.

Where
The data is stored in paper, computerized and software archives located within the European economic area. Your personal data may also be stored in the following non-EU countries - with full assurance of the guarantees provided by European legislation. For more details on the guarantees adopted by the Data Controller, please refer to the paragraph "Non-EU data transfer" of this information.  

For how long
The personal data processed are kept for the time necessary to carry out the activities related to the management of the contract that you have stipulated with the Data Controller and for the fulfilments, including those required by law, arising therefrom.

In particular:

  • identifying data
  • accounting data
  • data relating to professional and commercial activity

 

Duration of the contractual relationship

Without prejudice to:

  • termination of the contract (for any reason)
  • the purposes that continue beyond the conclusion of the contract (e.g. bookkeeping, art. 2220 of the Italian Civil Code)
  • the prescription terms: from five to ten years from the definition of the relationship and in any case from the moment in which the rights that depend on it can be exercised (articles 2935, 2946 and 2947 of the Italian Civil Code)
  • for particular defensive needs the data strictly related to the contract may be kept for up to 40 years.

Except in the event of litigation if it involves an extension of the aforementioned terms, for the time necessary to pursue the related purpose

Once all the purposes that legitimize the retention of your personal data are exhausted, the Data Controller will take care of deleting them or making them anonymous.

The personal data processed by the Data Controller related to direct marketing are kept for 24 months unless you revoke the consent you have given and/or object to the processing. However, you have the right to object at any time to the processing based on legitimate interest for any reason related to your particular situation.


Non-EU data transfer

The Data Controller may transfer your personal data abroad (non-EU countries) and in particular:

Turkey, Mexico (Agents and intermediaries) - ex art. 49 lett.b) “the transfer is necessary for the performance of a contract between the Data subject and the Data Controller or the implementation of pre-contractual measures taken at the data subject’s request.”

Israel, South Korea (Agents) - The European Commission adequacy decision on the adequate level of data protection by the State of Israel and South Korea.

China, Brazil, USA (Sister Companies) - Standard contractual clauses aimed at ensuring adequate safeguards, including data subjects' rights with regard to the transfer of personal data outside the EU.

Japan (Sister Company) – Adequacy decision EU-Japan.

The transfer may also take place to consultants, single dealer ex art. 49 lett. c) "the transfer is necessary for the conclusion or performance of a contract concluded between the data controller and another natural or legal person in favor of the data subject."

For the data subject's personal data processed by suppliers and/or subcontractors based in non-EU countries, the Data Controller puts in place all appropriate safeguards, provided by regulation, to protect the data.


What are your rights?

In substance, you, at any time and free of charge and without special charges and formalities for your request, can:

  • obtain confirmation of the processing carried out by the Data Controller;
  • access your personal data and know the origin (when the data are not obtained from you directly), the purposes of the processing, the data of the subjects to whom they are communicated, the period of retention of your data or the criteria useful for determining it;
  • revoke the consent at any time, if this constitutes the basis of the processing. Withdrawal of consent in any case does not affect the lawfulness of the processing based on the consent given prior to the revocation;
  • update or correct your personal data so that they are always accurate;
  • delete your personal data from the data banks and / or archives, including backups, of the Data Controller in the case, among others, where they are no longer necessary for the purposes of the processing or if the processing is assumed to be illicit, and always provided that the conditions required by law exist; and in any case if the processing is not justified by another equally legitimate reason;
  • limit the processing of your personal data in certain circumstances, for example where you have disputed its accuracy, for the period necessary for the Data Controller to verify its accuracy. You must be informed, in due time, even when the suspension period has been completed or the reason for the limitation of the processing has ceased, and therefore the limitation itself revoked;
  • obtain your personal data, if received or processed by the Data Controller with your consent and / or if their processing is based on a contract and with automated tools, in electronic format also for the purpose of transmitting them to another data controller.

The Data Controller must proceed in this way without delay and, in any case, at the latest within one month of receiving your request. The deadline can be extended by two months, if necessary, taking into account the complexity and the number of requests received. In such cases the Data Controller, within a month of receiving your request, must inform you of the extension and of the reasons for it.

For any further information and in any case to send your request, contact the Data Controller at privacy.ti.luc@valmet.com


How and when can you oppose the processing of your personal data?

For reasons related to your particular situation, you can oppose the processing of your personal data at any time when this takes place for legitimate prevailing reason or if it concerns the processing of personal data whose disclosure is subject to your consent, sending your request to the Data Controller at the address privacy.ti.luc@valmet.com

You have the right to the deletion of your personal data if there is no legitimate prevailing reason with respect to the one that gave rise to your request, and in the event that you are opposed to the processing of data.

Who can you lodge a complaint with?

Without prejudice to any other administrative or judicial action, you can file a complaint with the competent control authority or that which carries out its tasks and exercises its powers in Italy where you have your habitual residence or work or, if different, in the Member State where the violation of Regulation (EU) 2016/679 occurred.

Any update of this privacy policy will be communicated to you promptly and by appropriate means, and the same will be communicated to you if the Data Controller proceeds to process your data for purposes other than those referred to in this statement, before proceeding and in time to give your consent if necessary.