PRIVACY POLICY

on the processing of personal data

Arts. 12 et seq of Regulation (EU) 2016/679 (GDPR)

 

FOREWORD

In compliance with the provisions of EU Regulation 2016/679 (hereafter GDPR) we hereby provide information regarding the processing of personal data provided by the data subject, relating to the relationships with the Data Controller (as defined hereafter).

The information is provided pursuant to art. 13 GDPR. 

 

 

1. IDENTITY AND CONTACT DETAILS

 

The Data Controller is Pay My Table, with registered office in Zac des Barbanniers, 5 Promenade de la Bonnette, 92230 Gennevilliers, France and the contact data are: email: zpmt.privacy@zucchetti.com, tel: +33(0)186860101.

 

 

 

2. PURPOSE OF PROCESSING, LEGAL BASIS AND DATA STORAGE PERIOD

 

Purpose	Types of data that can be processed:	Legal basis	Storage period*
a)   Pre-contractual/contractual To provide information on products and services marketed, if requested by the data subject; execution of existing contractual relationships.	Personal data and contact details; data necessary for the execution of the contractual relationship.	Performance of a contract to which you are a party or pre-contractual measure taken at the request of the data subject; Fulfilment of legal obligations.   Art. 6, paragraph 1 letters b) and c) GDPR.	According to law
b)  Direct Marketing Sending advertising material, newsletters, promotional and commercial communications by automated means of contact (email and instant messaging) and traditional means (telephone calls with operator and regular mail), relating to products and/or events and/or training courses in relation to, as well as for conducting market studies, statistical analysis and customer satisfaction surveys.	Personal data and contact details.	Consent (required with contract or specific request); (optional and can be withdrawn at any time). Art. 6, paragraph 1 letter a) GDPR.	Until withdrawal of consent for such a purpose and / or five years after giving consent.
c)   Marketing to existing customers sending communications relating to contracted products/services and/or products/services similar to those already agreed (newsletters, webinars, events, training activities).	Personal data and contact details; data relating to the company you belong to and your position there.	Legitimate interest Art. 6, paragraph 1 letter f) GDPR.	Until consent is withdrawn.
d)   Indirect marketing Disclosure of data to business partners/third parties so that they can send marketing communications to you.	Personal data and contact details.	Consent (required with contract or specific request); (optional and can be withdrawn at any time). Art. 6, paragraph 1 letter a) GDPR.	Until withdrawal of consent for such a purpose and/or five years after the last interaction with the Data Controller.
e)   Content collection and publication: generation of case histories and publication on social network sites, in newspapers, magazines and on websites of images, videos, reviews, ratings and other content that the data subject may freely decide to share with the Data Controller, as well as on any other means of communication used (as provided for each time your consent is requested)	Personal data; images, sounds, company you belong to, professional role and experience, nickname, social network profile	Consent (optional and can be withdrawn at any time). Art. 6, paragraph 1 letter a) GDPR.	Until withdrawal of consent for such a purpose and/or five years after the last interaction with the Data Controller.
f)    If necessary, to ascertain, exercise or defend the rights of the Data Controller in judicial proceedings	Personal data and contact details; data necessary for the execution of the contractual relationship.	Legitimate interest (judicial protection). Art. 6, paragraph 1 letter f) GDPR.	For the time necessary to exercise rights in court.
g)   Registration on Internet Portals	Personal data and contact details, data relating to the company you belong to and your position there.	Express consent.	Five years from last interaction.
h)   Purpose of support with purchased products and services	Master data, contact data, personal data depending on the product/service contracted	Execution of a contract to which you are a party (to resolve anomalies and malfunctions); Legitimate interest (for analysis aimed at improving service).	Five years from last interaction.

 

*After deletion, data may be retained for an additional period of up to one year, depending on backup storage policies.

 

 

 

3. OBLIGATORY NATURE OF PROVISION OF DATA

 

The data subject must provide necessary data for carrying out the contractual relationship to the Data Controller, as well as the data necessary to fulfil the obligations provided for by laws, regulations, community standards, and by provisions of Authorities legitimated by law and by supervisory and control bodies (referred to in purposes a) and f) above).

Data that are not essential for the performance of the contractual relationship are qualified and considered supplementary and their provision by the data subject, if requested, is optional and subject to consent. Consent provided may be withdrawn by the data subject at any time by sending an email to the address: zpmt.privacy@zucchetti.com. Such withdrawal shall in no way affect the lawfulness of processing based on the consents given prior to withdrawal of consent.

 

 

 

4. PROCESSING METHODS

 

Personal data will be recorded, processed and stored in the Data Controller’s archive, paper and electronic, in compliance with the appropriate technical and organizational measures referred to in Art. 32 of the GDPR. The processing of the data subject personal data may consist of any operation or set of operations described in Art. 4, paragraph 1, point 2 of the GDPR.

Personal data will be processed using suitable tools and procedures that guarantee security and confidentiality. Such processing may be carried out directly and/or via delegated third parties, both manually using hard-copy support and electronically using IT equipment and other instruments. In order to manage properly the relationship and fulfilment of legal obligations, personal data may be entered in the internal documentation of the Data Controller and, if necessary, in the documents and registers required by law.

Your data may be processed by the employees of the company departments of the Data Controller assigned to the pursuit of the above-mentioned purposes. These employees have been expressly authorized to process the data and have received adequate operating instructions pursuant to and for the purposes of Art. 29 GDPR.

 

 

 

5. CATEGORIES OF RECIPIENTS OF PERSONAL DATA

 

The data may be communicated and processed by external parties operating as autonomous data controllers under Articles 4 and 24 GDPR such as, for example, authorities and supervisory and control bodies and in general public or private subjects entitled to request the data and / or subjects operating as data processors under Art. 28 GDPR), such as consulting firms and / or professional firms, and / or legal and tax professionals and insurance companies.

The data may also be disclosed to the Data Controller’s business partners for the performance of services related to the execution of the contract or for carrying out commercial actions by the same, subject to your express consent.

 

 

 

6. DATA TRANSFER TO COUNTRIES OUTSIDE THE EU

 

The data provided by the data subject will be processed in European Union countries and/or in Switzerland. In the event that the personal data of the data subject isn’t processed in an EU country and/or in Switzerland, the rights attributed to the latter by the Community legislation will be guaranteed and the data subject will be promptly notified.

 

 

 

7. RIGHTS OF THE DATA SUBJECT

 

Pursuant to Articles 15 et seq of the GDPR, the data subject may exercise the following rights:

1. access: to obtain confirmation of whether or not the personal data of the data subject are being processed and the right to access them; requests that are manifestly unfounded, excessive or repetitive cannot be answered;
2. rectification: to correct/obtain the correction of personal data if incorrect or outdated and to complete data if incomplete;
3. erasure/to be forgotten: in some cases, to obtain the erasure of the personal data provided; this is not an absolute right, as the Data Controller may have legitimate or legal reasons to store them;
4. limitation: the data will be stored, but cannot be processed further, in the cases foreseen by the regulation;
5. portability: to move, copy or transfer data from the Data Controller’s databases to third parties. This applies only to data provided by the data subject for the performance of a contract or for which express consent has been given and the processing is carried out by automated means;
6. objection to direct marketing;
7. withdraw of the consent at any time if processing is based on consent. 

 

It should also be noted that - before processing the requests - the Data Controller may ascertain the identity of the data subject, in order to evaluate the legitimacy of the same.

 

To exercise such rights, the data subject may contact the Data Controller at zpmt.privacy@zucchetti.com or call +33(0)186860101 or write to the Pay My Table, privacy office, in Zac des Barbanniers, 5 Promenade de la Bonnette, 92230 Gennevilliers.

The Data Controller will respond within 30 days of receiving the data subject formal request.

If the abovementioned rights concerning data subject personal data are infringed, the latest may complain to the competent authority.

 

 

 

 

THE DATA CONTROLLER