Dear Customer,

for MAINO INDUSTRIES S.N.C. the protection of your personal data is a principle that goes beyond legal obligations. For this reason we have reviewed our information on the Protection of Personal Data and have strengthened our management system to ensure that your data is processed securely and prevent it from being disclosed to unauthorized parties.

MAINO INDUSTRIES S.N.C. it will never sell your data to third parties.

The commercial offers we offer to our customers are designed to meet their needs and offer the best and most convenient service. In our Privacy Notice we indicate what your rights are and how you can exercise them, what data we collect and for what purposes. You can read the information below. If at the moment we do not have your consent to send you communications relating to personalized offers and latest news and you should be interested, please write to us and we will update your personal information form.

We remind you that, at any time you can request any modification and / or partial and / or total cancellation, change your preferences and consents. With this update we meet the need to protect the private sphere, increasingly felt by European citizens, and we adhere to the new EU Regulation 2016/679 (GDPR) on the protection of personal data.

GDPR for MAINO INDUSTRIES S.N.C. edited by Alfredo Maino.

GDRP: GDPR regulation; what is it, when it comes into force and what changes it entails.

1. What is GDPR?
2. Overview of personal data, data processing and the subjects involved.
3. Main duties required by the GDPR.
4. Specific aspects within the IT platform – on-line store.
5. Content embedded by other websites.

1. What is the GDPR: The GDPR (General Data Protection Regulation) is the New General Regulation on Data Protection (EU Regulation 2016/679). It was issued by the EU. It should have entered into force on 24/05/2016, however the effective date of application has been postponed to 25/05/2018. Describes all the necessary requirements for the implementation of a data protection management system and serves to demonstrate that it has adequately protected the data processed. Unlike the past (the Italian legislation, such as the Law “Privacy Law” D.Lgs. 196/2003 or ISO 27001/2013 provide a checklist of clear obligations), the GDPR does not indicate how to protect information, but asks to be able to demonstrate that they have adequately protected them.

2. Overview of personal data, data processing and the subjects involved: What are personal data? Personal information is the information that identifies or identifies a physical person and that can provide details on its characteristics, its habits, its style of life, his personal relationships, his state of health, his economic situation, etc. .. The following are included in the personal data: • identification data: those that allow direct identification, such as personal data (for example: name and surname); • sensitive data: those that can reveal racial and ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious, philosophical, political or trade union nature , the state of health and sexual life; judicial data: those that can reveal the existence of certain judicial measures subject to registration in the judicial register (for example, the final penal convictions, the conditional release, the prohibition or obligation to stay, the alternative measures to detention) or the quality of defendant or suspect. The subjects involved Owner – Manager – Interested – Person in charge • Interested: is the natural person to whom the personal data refer. So, if a treatment concerns, for example, the address, the tax code, etc. by Pippo Bianchi, this person is the “interested”; • Holder: is the natural person, the company, the public or private body, the association, etc., which are responsible for decisions on the purposes and methods of treatment, as well as on the tools used; • Responsible: is the natural person, the company, the public or private body, the association or the body to which the owner entrusts, even outside of its organizational structure, specific and defined tasks of management and control of the treatment of data. The designation of the manager is optional. • Distributor: is the natural person who, on behalf of the owner, processes or uses the personal data on the basis of the instructions received from the holder and / or the person in charge.

3. Main duties required by the GDPR: The data controller must: ● Define which data are acquired and how, the purposes for which they are collected and the retention period (Privacy Notice); ● Analyzing the risks to which it is subjected through a specific risk matrix; ● Draw up the security plan with all the procedures for dealing with risks ● Facilitate customers in exercising their rights under the regulation; ● implement the following security measures: ● pseudonymisation and / or the possible encryption of personal data; – measures that have the capacity to ensure confidentiality on a permanent basis; – the integrity, availability and resilience of treatment systems and services; – measures that have the ability to promptly restore the availability and access of personal data in the event of a physical or technical accident; – a procedure for testing, verifying and regularly assessing the effectiveness of technical and organizational measures in order to guarantee the security of the treatment; ● keep a record of the processing activities, including the name and contact details of the data controller, the owner’s representative and the owner’s manager; the purposes of the processing; description of the categories of data subjects and categories of personal data, categories of recipients of data, transfer of data to third countries or international organizations, deadlines for data deletion, a description of technical and organizational security measures. ● check if there are any conditions to appoint a Data Protection Officer (DPO). In accordance with the Regulation (Article 37), the appointment of the DPO is mandatory: (a) if the treatment is carried out by a public authority or a public body, with the exception of the judicial authorities in the exercise of jurisdictional functions; or (b) if the principal activities of the owner or manager consist of treatments that require regular and systematic monitoring of large-scale stakeholders; or (c) if the principal activities of the owner or manager consist of the large-scale processing of particular categories of data or personal data relating to criminal convictions and offenses. ● appoint all the subjects involved in data processing: external data processing manager (if present, eg accountant, labor consultant ..); to appoint the employees, if any, with a specific confidentiality agreement (for example, employees or collaborators), to appoint the DPO if required; ● Train the data processors.

4. Specific aspects within the IT platform – on-line shop: MAINO INDUSTRIES S.N.C. is the data controller of the data acquired through the website (eg data provided by customers when creating the account for the purchase). ● MAINO INDUSTRIES S.N.C. is nominated by customers (data controllers) as the external data controller that is uploaded on hosting, server, cloud …. In this case, the activities that MAINO INDUSTRIES S.N.C. or its employees perform are well defined internal part of the appointment agreement (containing all the specifications to be followed, including the security measures adopted).

5. Content incorporated from other websites: Only if present, some articles on the MAINO website may include content with external links (for example videos, images, articles, etc.). Any content embedded in other websites behave in exactly the same way that the visitor visited the other website. These websites (such as Gravatar, but also Google, Amazon, Youtube, etc. with their respective privacy reference pages etc.) may collect visitor data , use cookies, integrate additional third-party tracking, and monitor interaction with such embedded content, including tracking the interaction with embedded content whether you are a visitor or a user with an account or not to that website.

Thank you! Questions? Write to