Valmet Tissue Converting S.p.A. - Complete privacy policy for actual and potential customers

The company Valmet Tissue Converting S.p.A., with its registered office in 55100 Lucca, Via Giovanni Diodati 50 (hereinafter also the "Data Controller"), as Data Controller will see to the confidentiality of your personal data and guarantee its necessary protection from any event that could put it at a risk of violation. The Data Controller applies policies and practices concerning the collection and use of personal data and the exercise of the rights recognised by the applicable legislation. The Data Controller is responsible for updating the policies and practices adopted for the protection of personal data whenever it becomes necessary and in any case whenever regulatory and organisational changes that may affect the processing of your personal data arise.

The Data Controller has appointed a Data Protection Officer (DPO) that you can contact if you have questions about the policies and practices adopted. The contact details of the Data Protection Officer are as follows: dpo.ti.luc@valmet.com 

The Data Controller collects and/or receives information about you, such as:

• name, surname
• e-mail
• phone number
• fax number
• address
• role in the company
• language
• images/videos

Your personal information will be processed for:

• pre-contractual activity
• the management of the contractual relationship in all its phases
• payment management, complaint handling
• registration, invoicing and bookkeeping
• prevent contractual fraud

Execution of pre-contractual and contractual activities

Fulfilment of legal obligations and depending on the contract and the relationship established, such as, among others, those arising from:

• Presidential Decree no. 633/1972 and subsequent amendments and integrations
• Presidential Decree no. 600/1972 and subsequent amendments and integrations
• Code of Ethics of the Data Controller Fulfilment of economic, financial and social reporting obligations

Your personal data is also collected from third parties such as, by way of example:

• Other data controllers (e.g. companies of the group)

The personal data that the Data Controller processes for this purpose are, among others:

• name, surname, e-mail, telephone number, fax number, address, role in the company, language, images

Communication to third parties, such as

• Companies of the group
• Tax advisers and accountants
• Couriers
• Credit institutions
• Lawyers
• Sales agents
• IT consultants
• Credit insurance companies
• External collaborators identified for this purpose
• Auditors

Execution of pre-contractual and contractual activities

Fulfilment of obligations depending on the contract

Fulfilment of legal obligations, such as, among others, depending on:

• Presidential Decree no. 633/1972 and subsequent amendments and integrations
• Presidential Decree no. 600/1972

Observance of transparency and economic and social reporting obligations

Your data will not be disclosed to third parties / recipients for their own independent purposes unless:

1. you give permission
2. the communication is necessary for the fulfilment of the obligations depending on the contract and the laws that govern it (e.g. for the defence of your rights, for reporting to the supervisory authorities, etc.).

The processing of your personal data is to offer additional services to the ones you requested, perhaps even better or more appropriate to your needs and, in order to send you promotional material. The processing of your data (such as name, surname, e-mail, telephone number, fax number, address) may take place for:

• e-mail;
• sms;
• telephone contact even without an operator;
• paper mail
• fax.

The processing in question may be carried out if:

1. you give your consent for the use of the data also with regard to the communication methods, both traditional and automated, with which the processing takes place;
2. the processing is carried out through a telephone operator contact, if you are not registered in the register of oppositions pursuant to Presidential Decree no. 178/ 2010;
3. you have not opposed to the processing and/or if, in case, you have not specifically and separately objected to the sending of communications by traditional methods and/or by automated tools

With your consent, your data such as name, surname, e-mail, telephone number, fax number, address may be processed for communication to partners, to the companies of the group and to the network of companies to which the Data Controller belongs for independent marketing purposes concerning products and services of the recipients.

• implementation of the detection and notification of personal data violation (data breach)

Execution of activities depending on the established relationship

Fulfilment of legal obligations (detection and notification of data breach events)

Legitimate interest

If you do not provide your personal data, the Data Controller will not be able to follow up the processing related to the pre-contractual negotiation, the management of the contract and the services connected to it or to the fulfilments arising therefrom.

The Data Controller intends to carry out the processing based on certain legitimate interests that do not affect your right to privacy, such as those that:

• to allow the prevention of computer incidents and the notification to the supervisory authority or the communication to users, if necessary, of the violation of personal data;
• to allow communication to third parties / recipients for activities related to those of contract management.

The processing of your personal data will not be carried out for such purposes; this will not have effects related to treatment of your data for the main purposes, nor for that for which you have already given your consent, if requested.

How
The data processing is performed through paper supports or IT procedures by specially authorized and trained internal subjects. Such internal subjects are allowed access to your personal data to the extent that it is necessary to carry out the processing activities that concern you. The data belonging to particular categories are treated separately from the others also by means of pseudonymisation or aggregation methods that do not allow you to be easily identified. The Data Controller periodically verifies the tools through which your data is processed and the security measures provided for which it provides for constant updating; verifies, also through the subjects authorized to the treatment, that personal data of which the processing is not necessary is not collected, processed, filed or stored; verifies that the data is stored with the guarantee of integrity and authenticity and their use for the purposes of the treatments actually performed. The Data Controller guarantees that the data, even after the verifications, are found to be excessive or irrelevant will not be used except for the possible retention, according to the law, of the deed or document that contains them.

Where
The data is stored in paper, computerized and software archives located within the European economic area. Your personal data may also be stored in the following non-EU countries - with full assurance of the guarantees provided by European legislation. For more details on the guarantees adopted by the Data Controller, please refer to the paragraph "Non-EU data transfer" of this information.

For how long
The personal data processed are kept for the time necessary to carry out the activities related to the management of the contract that you have stipulated with the Data Controller and for the fulfilments, including those required by law. arising therefrom.

In particular:

• identifying data
• accounting data
• data relating to professional and commercial activity

Duration of the contractual relationship Without prejudice to:

• termination of the contract (for any reason)
• the purposes that continue beyond the conclusion of the contract (e.g. bookkeeping, art. 2220 of the Italian Civil Code)
• the prescription terms: from five to ten years from the definition of the relationship and in any case from the moment in which the rights that depend on it can be exercised (articles 2935, 2946 and 2947 of the Italian Civil Code)
• for particular defensive needs the data strictly related to the contract may be kept for up to 40 years.

Except in the event of litigation if it involves an extension of the aforementioned terms, for the time necessary to pursue the related purpose

Once all the purposes that legitimize the retention of your personal data are exhausted, the Data Controller will take care of deleting them or making them anonymous.

The personal data processed by the Data Controller related to direct marketing are kept for 24 months unless you revoke the consent you have given and/or object to the processing

However, you have the right to object at any time to the treatment based on legitimate interest for any reason related to your particular situation.

The Data Controller may transfer your personal data abroad (non-EU countries) and in particular:

USA, South Africa, Russia, Turkey, Singapore, South Korea (Agents) - ex art. 49 lett.b) “the transfer is necessary for the performance of a contract between the Data subject and the Data Controller or the implementation of pre-contractual measures taken at the data subject’s request.”

Israel (Agents) - The European Commission adequacy decision on the adequate level of data protection by the State of Israel.

China, Brazil USA (Sister Companies) - Standard contractual clauses aimed at ensuring adequate safeguards, including data subjects' rights with regard to the transfer of personal data outside the EU.

Japan (Sister Company) – Adequacy decision EU-Japan.

USA (Information Society and IT Support), existence of adequacy decision, Commission Implementing Decision (EU) 2016/1250 of 12 July 2016, pursuant to Directive 95/46 / EC of the European Parliament and of the Council, on the adequacy of the protection offered by the EU-US privacy shield regime [notified under number C (2016) 4176].

In substance, you, at any time and free of charge and without special charges and formalities for your request, can:

• obtain confirmation of the processing carried out by the Data Controller;
• access your personal data and know the origin (when the data are not obtained from you directly), the purposes and the purposes of the processing, the data of the subjects to whom they are communicated, the period of retention of your data or the criteria useful for determining it;
• revoke the consent at any time, if this constitutes the basis of the processing. Withdrawal of consent in any case does not affect the lawfulness of the processing based on the consent given prior to the revocation;
• update or correct your personal data so that they are always accurate and accurate;
• delete your personal data from the data banks and / or archives including backups of the Data Controller in the case, among others, where they are no longer necessary for the purposes of the processing or if it is assumed to be illicit, and always if they exist the conditions required by law; and in any case if the treatment is not justified by another equally legitimate reason;
• limit the processing of your personal data in certain circumstances, for example where you have disputed its accuracy, for the period necessary for the Data Controller to verify its accuracy. You must be informed, in due time, even when the suspension period has been completed or the reason for the limitation of the processing has ceased, and therefore the limitation itself revoked;
• obtain your personal data, if received or processed by the Data Controller with your consent and / or if their processing is based on a contract and with automated tools, in electronic format also for the purpose of transmitting them to another data controller.

The Data Controller must proceed in this way without delay and, in any case, at the latest within one month of receiving your request. The deadline can be extended by two months, if necessary, taking into account the complexity and the number of requests received. In such cases the Data Controller, within a month of receiving your request, must inform you and inform you of the reasons for the extension.

For any further information and in any case to send your request, contact the Data Controller at privacy.ti.luc@valmet.com

For reasons related to your particular situation, you can oppose the processing of your personal data at any time when this takes place for legitimate prevailing reason or if it concerns the processing of personal data whose disclosure is subject to your consent, sending your request to the Data Controller at the address privacy.ti.luc@valmet.com

You have the right to the deletion of your personal data if there is no legitimate prevailing reason with respect to the one that gave rise to your request, and in case in the event that you are opposed to the processing of data.

Without prejudice to any other administrative or judicial action, you can file a complaint with the competent control authority or that which carries out its tasks and exercises its powers in Italy where you have your habitual residence or work or if different in the State Member where the violation of Regulation (EU) 2016/679 occurred.

Any update of this privacy policy will be communicated to you promptly and by appropriate means and the same will be communicated to you if the Data Controller proceeds to process your data for purposes other than those referred to in this statement before proceeding and in time to give your consent if necessary.