Our Privacy Policy
WHO IS THE DATA CONTROLLER?
Personal data provided when interacting with COGES S.P.A. (Tax Code and VAT no.: IT00527790240), both through the company websites and as part of a contractual or pre-contractual relationship with the company, will be processed by it in the capacity of Data Controller.
WHAT ARE THE BASIC PERSONAL DATA PROTECTION REGULATIONS APPLICABLE IN ITALY?
In the private sector, the basic regulations that apply are the following:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of personal data (GDPR).
- Privacy Code (Italian Legislative Decree no. 101 of 10 August 2018).
FOR WHAT PURPOSE AND ON WHAT LEGAL BASIS DO WE PROCESS THE PERSONAL DATA?
In the context of its commercial relationships, COGES processes the personal data for the purposes and on the legal bases described below:
- Management of general information requests about the company, as well as our products and services. Legal basis: express consent of the data subject in relation to the sending of the request (Art. 6(1)(a) of the GDPR).
- Formalisation and performance of commercial contracts (sale, distribution, maintenance services, software licences, etc.): the professional contact details of the persons involved in formalising and performing the contracts – whether sole traders or persons acting as representatives or managers of legal persons to which they provide their services – are processed by COGES based upon the lawfulness of the existence of a legitimate interest (Art. 6(1)(f) of the GDPR).
- Compliance with legal obligations in tax, accounting and administrative matters deriving from the contractual relationship established with the data subject. Legal basis: compliance with a legal obligation (Art. 6(1)(c) of the GDPR).
- Analysis of IoT logs from devices manufactured by COGES and connected to retail stores owned by natural persons (sole traders). It should be noted that these are essentially aggregate data and that COGES does not, under any circumstances, process personal data relating to end users/consumers. Legal basis: performance of the contract (Art. 6(1)(b) of the GDPR).
- Management of the reporting service in application of the COGES criminal compliance programme. Legal basis: compliance with legal obligations (Art. 6(1)(c) and (f) of the GDPR).
- Sending of commercial communications by COGES to customers by any means, including electronic communications, concerning products and/or services similar to those previously purchased. Legal basis: existence of a legitimate interest (Art. 6(1)(f) of the GDPR).
- Subject to explicit consent from the data subject, sending of commercial information, by any means, including electronically, by other companies of the Azkoyen Group and, if appropriate, third parties that have entered into a commercial collaboration agreement with COGES. Legal basis: Consent of the data subject (Art. 6(1)(a) of the GDPR).
- If explicit consent is given, interaction with the social networks on which COGES has a user profile (LinkedIn, Facebook and X). Legal basis: Consent of the data subject provided using “social media buttons or plug-ins” (Art. 6(1)(a) of the GDPR).
- If consent is given to the use of analytical and/or marketing cookies, information will be collected about the browsing experience on our website in order to measure its activity and, if appropriate, to send personalised advertising to the data subject. Legal basis: Consent of the data subject (Art. 6(1)(a) of the GDPR).
- As part of relationships with job candidates, COGES may process personal data contained in CVs received directly or via recruitment platforms or contact emails. The purpose of this type of processing is to manage personnel recruitment and candidate lists. Legal basis: to take steps at the request of the data subject prior to entering into a contract (Art. 6(1)(b) of the GDPR) and consent given by the data subject linked to the submission of his/her CV (Art. 6(1)(a) of the GDPR). Furthermore, based upon the existence of a legitimate interest (Art. 6(1)(f) of the GDPR), COGES may perform due diligence checks to ascertain the accuracy of any educational qualifications, certificates and other information relevant to employment included in the CVs provided.
TO WHOM WILL THE PERSONAL DATA BE DISCLOSED?
The personal data may be sent to third-party providers of additional services instructed by COGES who may access the personal information, such as providers of IT services (providers of technical/IT maintenance services, cyber security, hosting services), environmental management companies, consulting firms, administration agencies, recruitment companies, advertising and marketing companies and other providers of additional services who act in the capacity of data processors in line with instructions provided by COGES. Furthermore, the data may be transferred to companies of the Azkoyen Group for the sole purpose of satisfying requests or for administrative management purposes.
Our products and services may be purchased through our distribution network. As a result, the personal data will be transferred to the official distributor closest to the customer’s premises/workplace and, if appropriate, to transportation companies or couriers assigned to deliver products.
Subject to explicit consent from the data subject, the data may be transferred for commercial purposes to other companies of the Azkoyen Group and to companies that have entered into a commercial collaboration agreement with COGES.
Where legally applicable, the data may also be transferred to public administration bodies, auditors, notaries, legal experts, lawyers, attorneys, courts and law enforcement agencies in the exercise of their functions.
FOR HOW LONG WILL WE STORE THE PERSONAL DATA?
The personal data will be stored only for the time taken to fulfil the purpose for which they were collected. When they are no longer necessary, they will be erased. However, they may be blocked and remain accessible only to judges, courts, public prosecutors or public administrations – particularly to authorities in charge of personal data protection – for compliance with their responsibilities deriving from the processing and only until the applicable limitation periods have expired.
Personal data obtained via the contact form will be stored only for the time it takes to respond to the information request.
Personal data obtained via the job application form will be stored for the entire duration of that process and for a maximum period of 2 years after their entry in the list of candidates. Thereafter, they will be blocked/erased, except in the case of candidates who are subsequently recruited; the CVs of these candidates will be entered in the personnel register and the data protection policy relating to the workplace will then apply.
Personal data obtained via the reporting service will be stored in the respective system for a maximum period of three months, after which they will be erased or made anonymous, notwithstanding that if an investigation is launched, the data may be processed in the information system of the bodies in charge of control and compliance functions.
Personal data concerning commercial transactions with customers and suppliers who act as autonomous entrepreneurs, as well as the data of legal and sales representatives of customers and suppliers, will be stored for the entire duration of the contractual relationship and for six years after its termination, with the possibility of this term being extended for as long as the set limitation periods of the rights remain in force.
Personal data of a professional nature that have been included in databases for commercial purposes will be stored until the data subject objects, until we have been informed that the data are no longer up to date, or until the databases are purged.
WHAT SECURITY MEASURES DO WE APPLY FOR THE PROTECTION OF PERSONAL DATA?
The personal data provided will be processed using physical, logical and organisational security measures appropriate to prevent their loss, improper use, alteration and unauthorised access, taking account of the state of the art of the technology, the nature of the data and the risk analysis performed.
Furthermore, COGES performs its business activity in accordance with a management model based upon continuous improvement, in conformity with the ISO 27001 standard.
WILL THE PERSONAL DATA BE TRANSFERRED INTERNATIONALLY?
COGES has two business data processing centres situated in Navarra (Spain). International transfers of data, namely transfers from the EU to territories or international organisations located outside of the European Economic Area, may only take place in certain cases.
If this occurs, COGES will always ensure that one of the following conditions is in place: (i) there is an adequacy decision certifying an adequate level of protection; (ii) standard contractual clauses have been formalised in conformity with Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries; or (iii) neither of the two previous conditions is in place but one of the exceptions envisaged by Art. 49 of the GDPR applies. In this regard, it is worth clarifying that some COGES services involve the hosting of personal data in the Microsoft Azure cloud, which adheres to the Data Privacy Framework, guaranteeing the validity of the transfer between the United States and the European Union.
IN WHAT WAY CAN THE DATA SUBJECT EXERCISE HIS/HER RIGHTS IN RELATION TO THE PERSONAL DATA AND CONTACT OUR DATA PROTECTION OFFICER?
To withdraw consent provided, as well as to exercise the rights of access, rectification, erasure, objection, restriction, portability and not to be subject to automated individual decisions, a written request can be sent to:
COGES S.P.A. Via G. Leopardi, n. 23, 36030 Caldogno
responsabilesicurezza@coges.eu
If considered appropriate, the data subject may contact our Data Protection Officer (DPO) using the same email address as indicated above, as well as lodge the respective complaint for the protection of rights with the Data Protection Supervisory Authority.
MANDATORY OR OPTIONAL NATURE OF PROVISION OF THE REQUESTED DATA
The mandatory data to be provided on each form are marked by an asterisk (*). Any refusal to provide those data will prevent communication with the data subject and, if appropriate, will make it impossible to provide the requested information and/or services.