Customer Information to fulfill pre-contractual, contractual and tax obligations

SUDSTAR DI GUTIERREZ RUTH CLAUDIA, with registered office in Via Brandimarte Alfeo n. 23, 60025, Loreto (AN) (hereinafter, “Owner”), as Data Controller, informs you pursuant to art. 13 EU Regulation n. 2016/679 (hereinafter, “GDPR”), that your data will be processed in the manner and for the following purposes:
1. Object of the processing
The Data Controller processes the personal data (for example name, surname, company name, address, telephone, e-mail, bank and payment details, accounting and tax data, sports suitability, etc.) communicated by you when entering into contracts for the Data Controller’s services.
2. Purpose of processing
Your personal data are processed:
A) Without your express consent (art. 6 letter b), e) GDPR), for the following Service Purposes:
– conclude contracts for the Data Controller’s services, aimed at carrying out the assigned task, which the customer will request;
– fulfill the pre-contractual, contractual and tax obligations arising from existing relationships with you;
– fulfill the obligations established by law, by a regulation, by community legislation or by an order of the Authority (such as, for example, in the field of anti-money laundering);
– exercise the rights of the Data Controller, for example the right of defense in court;
– for any processing activity necessary for carrying out the assigned task (including communication with Banks and Credit Institutions requested directly via email or telephone message by the Data Subject).
B) Only with your specific and separate consent (art. 130 Privacy Code and art. 7 GDPR), for the following Marketing Purposes:
– send you via email or whatsapp, informational, advertising or promotional material and/or newsletters regarding the services offered by the Data Controller.
We inform you that, if you are already our customer, we may send you commercial communications relating to the Data Controller’s services similar to those you have already used, unless you disagree (art. 130 c. 4 Privacy Code).
3. Processing methods
The processing of your personal data is carried out by means of the operations indicated in art. 4 n. 2) GDPR and specifically: collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of data.
Communications may take place in traditional ways (e.g. post and/or telephone), automated and similar (e.g. fax, e-mail, text message, app, etc.).
Specifically:
– the collection of personal data is limited to what is necessary for each specific purpose of the processing;
– the processing of personal data is limited to the purposes for which they were collected;
– the storage of personal data is limited to each specific purpose of the processing.
The Data Controller will process the personal data for the time necessary to fulfill the purposes set out above and in any case for no longer than 10 years from the termination of the relationship for the Service Purposes.
4. Access to data
Your data may be made accessible for the purposes referred to in art. 2.A):
– to collaborators and employees of the Data Controller in Italy, in their capacity as Data Processors and/or Internal Data Processors and/or System Administrators;
– to third-party companies or other entities (for example, credit institutions, professional firms, consultants, etc.) that carry out outsourcing activities on behalf of the Data Controller, in their capacity as External Data Processors;
Your data may be made accessible for the purposes referred to in art. 2.B):
– to collaborators and employees of the Data Controller in Italy, in their capacity as Persons in Charge and/or Internal Data Processors and/or System Administrators.
5. Communication of data
Without the need for express consent (pursuant to art. 6 letters b) and c) GDPR), the Data Controller may communicate your data for the purposes referred to in art. 2. to Supervisory Bodies (such as IVASS), Judicial Authorities, to insurance companies for the provision of insurance services, as well as to those entities to whom communication is mandatory by law for the fulfillment of the aforementioned purposes. These entities will process the data in their capacity as independent data controllers. Your data will not be disclosed.
6. Data transfer
Personal data is stored on servers located in the registered office, within the European Union. In any case, it is understood that the Data Controller, if necessary, will have the right to move the servers even outside the EU. In this case, the Data Controller hereby ensures that the transfer of data outside the EU will take place in accordance with the applicable legal provisions, subject to the stipulation of the standard contractual clauses provided by the European Commission.
7. Nature of the provision of data and delivery

uences of refusal to respond
The provision of data for the purposes referred to in art. 2.A) is mandatory. In their absence, we will not be able to guarantee you the Services referred to in art. 2.A).
The provision of data for the purposes referred to in art. 2.B) is optional. You can therefore decide not to provide any data or to subsequently deny the possibility of processing data already provided: in this case, you will not be able to receive information, advertising or promotional material and/or newsletters regarding the Services offered by the Data Controller. However, you will continue to be entitled to the Services referred to in art. 2.A).
8. Rights of the interested party
In your capacity as an interested party, you have the rights referred to in art. 15 GDPR and specifically the rights to:
i. obtain confirmation of the existence or otherwise of personal data concerning you, even if not yet recorded, and their communication in an intelligible form;

Information on the Processing of Personal Data
ii. obtain the indication: a) of the origin of the personal data; b) of the purposes and methods of processing; c) of the logic applied in case of processing carried out with the aid of electronic instruments; d) of the identification details of the Data Controller, the Managers and the Representative designated pursuant to art. 5, paragraph 2 of the Privacy Code and art. 3, paragraph 1, GDPR; e) of the subjects or categories of subjects to whom the personal data may be communicated or who may become aware of them in their capacity as Representative designated in the territory of the State, Managers or Persons in Charge; iii. obtain: a) the updating, rectification or, when interested, integration of the data; b) the cancellation, transformation into anonymous form or blocking of data processed in violation of the law, including data whose retention is not necessary in relation to the purposes for which the data were collected or subsequently processed; c) certification that the operations referred to in letters a) and b) have been brought to the attention, including their content, of those to whom the data have been communicated or disclosed, except where such fulfillment is impossible or involves the use of means that are manifestly disproportionate to the right being protected;
iv. object, in whole or in part, for legitimate reasons, to the processing of personal data concerning you, even if pertinent to the purpose of the collection.
Where applicable, you also have the rights referred to in Articles 16-22 of the GDPR (Right to rectification, right to be forgotten, right to limit processing, right to data portability, right to object), as well as the right to lodge a complaint with the Guarantor Authority.
To ensure the correct exercise of the rights, the interested party must make himself unequivocally identifiable. The organization undertakes to provide feedback within 30 days and, in the event of impossibility to respect these deadlines, to justify any extension of the terms provided. The response will be free of charge except in cases of unfoundedness (for example, there is no data regarding the interested party making the request) or excessive requests (for example, repetitive over time) for which a fee may be charged that does not exceed the costs actually incurred for the research carried out in the specific case. The rights relating to personal data concerning deceased persons may be exercised by those who have a personal interest or act to protect the interested party or for family reasons deserving of protection. The interested party may also lodge a complaint with the Supervisory Authority.

In the event of a violation of personal data suffered by SUDSTAR DI GUTIERREZ RUTH CLAUDIA, the Data Controller will notify the violation to the competent supervisory authority within 72 hours of the event and will also communicate the event to the interested party, except in cases of exclusion provided for by the legislation.
9. Methods of exercising rights
You may exercise your rights at any time by sending:
– a registered letter with return receipt to SUDSTAR DI GUTIERREZ RUTH CLAUDIA, with registered office in Via Brandimarte Alfeo n. 23, 60025, Loreto (AN);
– an e-mail to the address: sudstar@sudstar.eu.
10. Owner, Manager and Persons in Charge
The Data Controller is SUDSTAR DI GUTIERREZ RUTH CLAUDIA, with registered office in Via Brandimarte Alfeo n. 23, 60025, Loreto (AN).
The updated list of Managers and Persons in Charge of processing is kept at the registered office of the Data Controller.