Privacy Policy

This Privacy Policy applies whenever you access the website and decide to use its services. It explains how information that identifies users is collected and managed by https://irisbio.com/.

PRIVACY POLICY PURSUANT TO ART. 13, REG. (EU) 2016/679

This policy covers only the websites related to www.irisbio.com; third-party websites accessed by the user through links are not covered by this policy.

DATA CONTROLLER

Data collected through this site will be processed, under the agreement pursuant to art. 26 of the REG. EU 2016/679, by joint controller A.S.T.R.A. BIO S.R.L. (tax code and VAT no. 01182120194), with registered office at S.P. 9 Km 3 + 135 – 26030, Casteldidone (CR), commerciale@irisbio.com.

They decide autonomously the purposes of the data processing, the measures and the procedures in order to grant the confidentiality, integrity and availability of such data.

PURPOSES OF DATA PROCESSING

The purposes of data processing are summarized as follows:

  • Registration on the website and use of the services;
  • To process purchases and execute purchase orders and any returns and claims through https://portaleordini.irisbio.com/it;
  • To manage and control the payments made following a purchase on the website;
  • To manage the requests of the data subject: technical requests, commercial requests, requests on the progress of orders and requests for information through the section “Contacts”;
  • To receive CVs;
  • To send newsletters;
  • To send communications for marketing purposes and for advertising and promotional activities, including the sending of sales materials related to marketed products (e.g. free samples), transmitted electronically (e-mail, SMS) and conventionally (paper mail, by phone).

LAWFULNESS OF PROCESSING AND MANDATORY OR OPTIONAL DATA

The provision of personal data can be mandatory or optional.

Where the provision of data is mandatory, failure to provide them makes it impossible to fulfil the requirements.

The legal basis (the so-called lawfulness condition) of the processing:

  • for the purposes identified in points 1) to 4) is the contract: failure to provide the data makes it impossible to fulfil the obligations deriving from the contractual relationship. For registration on the site and the creation of an account, the legal basis is the consent given by the user by entering data in the appropriate form and creating the account.
  • for the purpose indicated in point 4. The request for information via the ‘contact’ section is the consent of the user requesting information, manifested by entering data in the form of the relevant
  • for the purpose indicated in point 5. it is noted that the processing of Curricula Vitae spontaneously sent is legitimate insofar as it is expressly authorized by a rule of law (Article 111-bis of Legislative Decree no. 196 of 2003), which specifies that in this case the consent of the person to whom the personal data refer is not required.
  • for the purposes indicated in points 6. and 7. is the consent, in the absence of which it will not be possible to send newsletters or commercial communications. With reference, on the other hand, to the hypotheses in which the data subjects have provided their contact details as part of a previous business relationship with Astrabio, the latter may use their data to send communications about its products and services, similar to those already purchased, even without having acquired specific consent for this, unless they refuse such use (so-called ‘soft spam’ - art. 130, paragraph 4, Legislative Decree 196/2003; art. 6, paragraph 1, letter f) of EU Reg. 2016/679). In this hypothesis, in fact, the legal basis justifying the processing is the legitimate interest of the Data Controller (Recital (47) of EU Reg. 2016/679).

For completeness, it should be recalled that in some cases (not related to the ordinary management of the website) the Supervisory Authority may request information pursuant to Art. 157 of the Italian Legislative Decree no. 196/2003, to control and supervise the data processing. In this case, the reply is mandatory and failure to reply is punishable under administrative law.

PROCESSING ARRANGEMENTS AND DATA RETENTION

Personal data will be processed mainly by electronic means.

The data processing operations will be carried out with the aim of guaranteeing the logical, physical security and confidentiality of the personal data.

The data acquired will be retained only for the time needed to achieve the purposes for which they were collected, namely:

  • data of the registered user: until the user requests their cancellation. Please note that data processing will not be indefinite, as after 10 years of inactivity the account will be deactivated.
  • data collected to execute the purchasing order: for the time necessary to manage and monitor the order, and in any case no later than 10 years from the date of invoicing.
  • data for the payment (if any): 10 years from the date of payment.
  • data needed for the management of the data subject’s requests: for the time necessary to meet the request.
  • C.V. data: 24 months.
  • data collected for the purpose of sending newsletters and commercial communications: until consent is revoked by means of an unsubscription request. Please note that data processing will not be indefinite, as after 10 years of inactivity the profile will be deactivated.

DATA DISSEMINATION

In addition to the data (personal and contact details) that may be shared with third parties, should you consent to this, your personal data may also be disclosed to:

  • those subjects who/which are able to access these data in compliance with legal provisions.
  • our contractors and employees, within the scope of their respective responsibilities and under specific instructions to process your data.
  • third parties, properly selected, experienced, capable and reliable, who/which offer appropriate guarantees regarding the application of the provisions on data protection, including the data security requirements. These subjects are appointed as “Data Processor” and will carry out their activity under the instructions and the authorizations given by the joint Controllers. Among these, by way of example (the list is not exhaustive):
    • companies for the management of the website
    • marketing companies
    • agents

NATURE OF DATA PROCESSING

Web browsing data

The information systems and software procedures that operate this website record, as a standard operation, some personal data whose transmission is implicit in the use of Internet protocols. This information is not collected to be associated with individual users but, by its very nature, it could allow users to be identified through processing and combination with third-party data. IP addresses fall under this category, as do the domain names of the computers used by users who access the website, along with further parameters related to the operating system and the technical environment of the user.

Personal Data

  • STAGE AND PURPOSE OF PROCESSING FOR REGISTRATION ON THE WEBSITE AND FOR THE MANAGEMENT AND EXECUTION OF PURCHASE ORDERS
    PERSONAL DATA
    • common personal data: name, surname, fiscal code/VAT nr
    • e-mail address
    • delivery address
    • invoicing data (if any)

  • STAGE AND PURPOSE OF PROCESSING FOR ENQUIRIES VIA THE ‘CONTACT’ SECTION
    PERSONAL DATA
    • Common personal data
    • Data of residence/ home data
    • Contact details
    • Any personal data in the message

  • STAGE AND PURPOSE OF PROCESSING: ACCOUNT MANAGEMENT
    PERSONAL DATA
    • User (e-mail address)
    • Password

  • STAGE AND PURPOSE OF PROCESSING: SUBSCRIBING TO NEWSLETTERS AND SENDING COMMERCIAL COMMUNICATIONS BY E-MAIL
    PERSONAL DATA
    • E-mail address

The optional or voluntary sending of e-mail to the addresses identified on this website implies the recording of the e-mail address of the sender, which is necessary to reply to the requests.

SECURITY MEASURES

A.S.T.R.A. BIO adopts specific security measures to minimize the risks of loss of and damage to data (even when due to accidents), and the risk of unauthorised access or of processing that is undue, non-compliant, or unrelated to the purposes identified above.

Cookies

The use of cookies is part of the Operator's privacy policy and complies with the new Guidelines on the use of cookies and other tracking tools issued on 10.06.2021 and entered into force on 9.01.2022. Please see Cookie Privacy.

Rights pursuant to arts. 15, 16, 17, 18, 20, 21 and 22 of REG. (EU) 2016/679

We would like to remind you that, in addition to the right to lodge a complaint with a supervisory authority, EU REG. 2016/679 grants you the rights listed below, which you can assert by addressing a specific request to the Data Controller.

Art. 15 - Right of access

The Data Subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the information about the processing.

Art. 16 - Right to rectification

The Data Subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Considering the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Art. 17 - Right to erasure (‘right to be forgotten’)

The Data Subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.

Art. 18 - Right to restriction of processing

The Data Subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

  • the accuracy of the personal data is contested by the Data Subject, for a period enabling the controller to verify the accuracy of the personal data.
  • the processing is unlawful, and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead.
  • the Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defense of legal claims.
  • the Data Subject has objected to processing pursuant to Article 21 paragraph 1 pending the verification whether the legitimate grounds of the controller override those of the Data Subject.

Art. 20 - Right to data portability

The Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.

In exercising his or her right to data portability pursuant to paragraph 1, the Data Subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

Art. 21 – Right to object

The Data Subject shall have the right to object, on grounds relating to his or her situation, at any time to processing of personal data concerning him or her which is based on point e) or f) of Article 6, including profiling based on those provisions.

Art. 22 - Automated individual decision-making, including profiling

The Data Subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

Withdrawal of the consent

The data subject also has the right to withdraw consent to the processing of his or her personal data. Once this has been done, the personal data will be removed from the archives as soon as possible.

Should you need further information about the processing of your personal data, or wish to exercise your rights, please write to: commerciale@irisbio.com. We inform you that, before proceeding with providing and/or modifying any information, it may be necessary to verify your identity and to answer some questions. A reply will be provided as soon as possible, within 30 days of the request. In addition to the e-mail address reported above, you can also submit your queries, pursuant to art. 26 of the REG. EU 2016/679, by writing to:
A.S.T.R.A. BIO S.r.l.
S.P. 9 Km 3 + 135 - 26030 Casteldidone (CR)
ITALIA