Privacy policy

Provided pursuant to Articles 13, 14 and 26 of the European General Data Protection Regulation 2016/679 ("GDPR")

1. Who processes your data?

Data controller
GS1 Italy, with registered office in Via P. Paleocapa n. 7, 20121 Milan (Italy), Fiscal Code 80140330152, represents in Italy GS1 which is the international body that administers and coordinates the correct implementation of the "GS1" system for the coding of products in the consumer goods sector, as well as the "ECR" system relating to the strategic and operational interfacing between industry and distribution and between these entities and the end consumers.

In carrying out its activities, GS1 Italy collects and processes your personal data as Data Controller, and, in this capacity, ensures the application of appropriate organisational and technical measures for the protection of personal data in compliance with the provisions of the applicable laws and regulations.

With reference to certain processing operations, as specified below, GS1 Italy may process personal data as joint controller with GS1 Italy Servizi S.r.l., a sole shareholder company wholly owned by GS1 Italy, with registered office in Via P. Paleocapa n. 7, 20121 Milan (Italy), Fiscal Code 06166030962 (hereinafter referred to as "Joint Data Controller" and, jointly with GS1 Italy, referred to as "Joint Data Controllers"), with whom goals and objectives are shared, aimed in particular at offering companies techniques, operational solutions, standards and tools to optimise the efficiency of processes related to the production and distribution system. GS1 Italy Servizi S.r.l. is in fact statutorily in charge of the provision, especially in the interests of GS1 Italy member companies, of services aimed at facilitating the implementation of rules, standards and specifications drawn up by GS1 Italy itself. 

In the light of the reasons of synergy and sharing of resources, the Joint Data Controllers may process personal data pursuant to and for the purposes of Article 26 of the GDPR, in order to develop commercial and marketing strategies through initiatives, also for promotional purposes, aimed at developing and/or consolidating relations with their member companies, customers and, in general, with users and to improve the knowledge of their respective services and products.

With reference to some processing operations of personal data which are directly collected - in the associative phase of the companies to GS1 - by A.D.M. - Associazione Distribuzione Moderna, with registered office in Via Paleocapa n. 7, 20121 Milan (Italy), Fiscal Code 97364340154 and/or by I.B.C. - Associazione Industrie Beni di Consumo, with registered office in Via Gabrio Serbelloni n. 5, 20122 Milan (Italy), Fiscal Code 97364440152, GS1 Italy may also process this personal data as joint controller with A.D.M. and I.B.C. (as well as with GS1 Italy Servizi S.r.l.) pursuant to and for the purposes of Article 26 of the GDPR, for proven reasons of synergy and sharing of resources for: a) the preparatory activities to the establishment of the contractual/associative relationship and for the subsequent execution and management of such relationship and those instrumental and functional activities to its performance, b) for the fulfilment of any other obligation arising from the contract, as well as c) for the purpose of being able to develop shared commercial and marketing strategies, through the performance of activities and initiatives, also for promotional purposes, aimed at developing and/or consolidating relations with its member companies, customers and, in general, actual and potential users and at improving the knowledge and dissemination of its respective services and products, also in the perspective of the completeness of the service and of the expansion of the range of services offered to end users.
 

2.    Who collects personal data and which personal data are collected?

GS1 Italy collects and processes personal data such as, by way of example but not limited to, company name, first name, last name, fiscal code/VAT number, email address, professional landline and/or mobile phone number, company name where you work and covered role, IP address used in the possible navigation of the websites managed by and referable to the Data Controller or to the Joint Data Controller, as well as data related to the commercial and/or professional activity of said company and its contact details (PEC address, legal office address) and bank details (for the payment of the membership fee and/or other fees, where applicable). Images, photos and/or videos of you may also be collected during events or conferences. With respect to the processing of such data, you may receive a supplement to this Privacy Policy and a specific waiver and request for the collection and processing of personal data.

In addition to the provisions of the Data Controller's Cookie Policy, the following data may also be collected and processed through: a) the websites managed by and referable to the Data Controller or to the Joint Data Controller, b) the use of the relevant functionalities, c) the filling in of electronic forms and the use of services provided therein: 

• browsing data: this data includes, by way of example, the data that the server automatically records each time the website is visited, such as the IP addresses of the computers used by the users who connect to the website, the URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user's operating system and IT environment. This category of data also includes the "Social Buttons" that exclusively allow the connection and display of the Data Controller and Joint Data Controller social network profiles (created on social networks such as, for example, Facebook, Instagram, YouTube). These "buttons" exclusively allow users who are browsing the website to reach with a "click" the social networks referable to the Data Controller or to Joint Data Controller. The interactions that take place within the social networks are in any case subject to the rules and privacy settings of the respective social networks;
• personal data voluntarily provided by users/visitors: this is data that is provided by users by filling in electronic forms in order to send information or contact requests or, where applicable, for the purpose of creating an account on the websites and/or for requesting, ordering and using the services made available therein. This category includes, by way of example, name and surname, company e-mail address and phone number, company name and covered role, further data and information that may be contained in messages sent to the addresses indicated on the websites or by filling in any electronic forms published therein.

3.    On what legal bases and for what purposes are personal data processed?

Personal data is processed for the following purposes:

(i)    a) for the activities preparatory to the establishment of the contractual/associative relationship with GS1 Italy and/or GS1 Italy Servizi S.r.l. (as well as with A.D.M. or I.B.C.), b) for the subsequent execution and management of such relationship and for the activities related and functional to its performance, c) for the fulfilment of any other obligation arising from the contract, d) for the management of the websites referable to the Data Controller or the Joint Data Controller and of the services rendered through them, as well as e) to follow up on the request to receive information (Article 6, letter (b), GDPR);
(ii)    for the fulfilment of legal obligations (Article 6 (c), GDPR). The processing of the data may be necessary or required by the fulfilment of obligations arising from the law or from national and/or EU legislation in force and applicable to the Data Controller, as well as from provisions issued by competent authorities and bodies;
(iii)    to pursue a legitimate interest of the Data Controller (Article 6 (f) GDPR). In the context of relationships with data subjects there is a legitimate interest of Data Controller to process personal data: a) for the legal defence of a right or interest before any competent authority or body, expressly including for debt recovery purposes, b) to proceed - also as a result of a partly automated, but not intrusive, "profiling" activity, which is proportionate and does not entail any negative or significant consequences for the data subject because it is carried out for statistical purposes and does not mainly concern personal data - to make a direct offer of products or services similar to those which were previously purchased, limited to the e-mail address provided in the context of the contractual relationship and unless the data subject objects to such processing (so-called soft spamming).

The processing of personal data may also take place, by virtue of a legitimate interest of the Data Controller or the Joint Data Controller, for the purpose of carrying out the following promotional activities: 

a.    for the sending of invitations and the subsequent management of your possible interest events, meetings, working groups for confrontation and cooperation purposes (such as, by way of example, the participation in the "ECR Italy" working area), seminars, round tables, conventions and meetings (also aimed at training), organised and managed by the Data Controller and/or the Joint Data Controller or by third parties, autonomously or in collaboration with third parties from time to time identified in the invitations (brochures and/or presentations) that shall be transmitted or delivered to collect your possible participation (hereinafter referred to as "Event"/"Events");
b.    for the invitation to participate in surveys of various kinds, the creation and sending of newsletters, publications, studies, survey results, market analyses or analyses of specific industrial or commercial sectors, as well as any other kind of informative material, of your possible interest, prepared, edited and/or published by the Data Controller and/or the Joint Data Controller, independently or in collaboration with third parties (hereinafter referred to as "Publications");
c.    to manage relations and interactions with the referents or "contact persons" of member companies, actual and potential clients and any other subjects with whom GS1 Italy and/or GS1 Italy Servizi S.r.l. have established associative or contractual/commercial relations, in order to better understand their needs and expectations, improve and develop new services. In order to achieve these purposes, personal data of the "contact persons", including yours, will be storage and retained in special databases owned by and/or available to the Joint Data Controllers.

The above initiatives may be managed and implemented by email or by telephone. 
With regard to said matters, we remind you that you may, at any time, object to the commercial communications received by e-mail and unsubscribe from marketing by clicking on the appropriate link in the e-mails received or by sending a communication in the manner set out in the paragraph below "What are the rights under the GDPR?" as well as withdraw any consent given, easily, freely and free of charge by sending a communication in the manner set out in the paragraph below "What are the rights under the GDPR?"

4.    What happens in case of failure to provide personal data? 

The provision of personal data is not mandatory, but it is necessary to enable the management of the contractual relationship and the fulfilment of any legal obligations, with the consequence that failure to provide, partial or incorrect provision of the data will make impossible, as applicable, to fulfil the contractual relationship and to execute the related services and/or to implement and process specific requests made by the data subject. Failure to provide the data may affect the possibility of interacting with the Data Controller for associative or contractual purposes.

5.    Who can access to personal data?

Personal data you provide may be made accessible to:

•    employees, outside staff and consultants of the Data Controller and the Joint Data Controller, as persons authorised to process data pursuant to Article 29 of the GDPR;
•    legal or supervisory authorities, general government and other authorities, public bodies and organisations (domestic and foreign) in fulfilment of regulatory obligations, which will process them as autonomous data controllers;
•    professionals and consultants, appointed by the Data Controller and/or by the Joint Data Controller to carry out activities related to the management of the organisation and/or the management of professional assignments or the possible defence in court, including, by way of example, auditing and financial statement certification companies, quality surveying and certification companies, banking institutions for the management of payments supervisory and control bodies, accounting and tax consultants, legal consultants, credit recovery and consulting companies, IT assistance and data processing companies (e.g. web hosting, data entry, management and maintenance of IT infrastructures and services, etc.), postal service and mailing companies; all in their capacity, as applicable, as authorised persons, data processors or autonomous data controllers;
•    a) GS1 AISBL (with registered office in Avenue Louise 326, b.10, 1050 Brussels, Belgium), an entity governed by Belgian law which is the world's leading organisation in the definition of standards for the supply chain and is represented in Italy by GS1 Italy, as autonomous data controller, as well as b) to the network of national GS1 Member Organisations (as better identified on the following website https://www.gs1.org/contact/overview/alphabetical) for the publication and sharing of data in the global registries (GS1 Registry Platform) where the data is stored and retained. These organisations are all subject to the same privacy compliance obligations;
•    any partners or contractual party connected or related to the Events or Publications as well as partners in projects referable to GS1 Italy and/or GS1 Italy Servizi S.r.l. or participants in initiatives managed and coordinated by them (e.g. the Solution Partner Program or similar) as well as to third parties carrying out outsourcing activities in the interest of the Data Controller and/or the Joint Data Controller, for the performance of activities and services functional to the organisation and/or management of the Event or the sending of the Publications; all in their capacity as data processors.

With reference to the purposes described above, certain personal data may be made accessible through the GS1 Registry Platform as part of the related services rendered by the Data Controller and/or the Joint Data Controller.

Any international transfer of data to countries outside the European Union and/or the European Economic Area ("EEA") will only take place in compliance with the limits and conditions set forth in the GDPR and, therefore, only to countries that guarantee an adequate level of protection of personal data, where such adequacy is established by a decision of the European Commission or guaranteed on the basis of contractual instruments and specific clauses that ensure the implementation of technical and organisational security measures suitable for the protection of personal data. In any event, data will not be disclosed or disseminated, except where they are required and in accordance with the law, to law enforcement, legal authorities, information and security bodies or other public entities and for purposes of defence or State security or for the prevention, detection or prosecution of criminal offences.

6.    How personal data are processed?

Personal data is processed through electronic and paper-based means and tools made available to persons acting under the authority of the Data Controller and, as applicable, of the Joint Data Controller who are authorised and trained for this purpose. The paper and electronic archives are protected by adequate security measures to counter the risk of violation.
In particular, personal data is also processed through the GS1 Registry Platform, which allows GS1 organisations to access to such data.

7.    How long personal data are retained?

Personal data processed by the Data Controller is retained for the time necessary to carry out the activities connected to the management of the associative or contractual relationship and for the related legal obligations and, for the period following its termination, for the fulfilment of any obligations necessary for the proper performance of the contractual or business relationship. Personal data processed on the basis of consent is retained until the consent is revoked.

For processing based on the legitimate interest of the Data Controller (or the Joint Controller), personal data will be retained as long as this legitimate interest exists and, in any case, as long as there is an active relationship with the data subject, without prejudice to the data subject right to at any time object to such processing.
When the purposes justifying the retention of personal data have been fulfilled, such data will be deleted.

8.    What are the rights under the GDPR?

In accordance with the provisions of GDPR, you has the right to:

•    access to personal data, i.e. to obtain confirmation of the existence of the processing of your personal data and to obtain specific information on the processing, such as, the purposes, the categories of data being processed and the existence of the other rights set out below;
•    obtain the correction of personal data, i.e. obtaining the rectification/integration of your personal data;
•    obtain the cancellation of personal data, i.e. obtaining the deletion of your data if (i) such data is no longer necessary for the purposes for which it was collected, (ii) you object to the processing of your personal data and there is no other overriding reasons for the processing, (iii) the personal data must be deleted due to legal obligation. This right does not apply if the processing is necessary for the fulfilment of a legal obligation or for the judicial ascertainment or exercise of a right;
•    obtain the restriction of processing of personal data, i.e. obtaining the restriction of the processing of your personal data, which means that data processing will be suspended for a certain period of time;
•    obtain the portability of personal data, i.e. the right to receive personal data in a structured, commonly used and machine-readable format and to transmit them to another data controller in the case of automatic processing based on consent or the performance of contractual obligations;
•    oppose to processing of personal data, i.e. objecting to the processing based on legitimate interest, unless the Data Controller or the Joint Data Controller demonstrate the existence of legitimate grounds for processing which prevail on the rights of the data subject;
•    lodge a complaint to the competent supervisory authority (http://www.garanteprivacy.it/) in the cases provided for in Article 77 of the GDPR.

The above-mentioned rights, together with any request for clarification regarding the assessment of the existence of legitimate interest or the profiling activity, may be exercised by making a request to the Data Controller by writing to the above addresses or by sending an email to privacy@gs1it.org. A reply will be reasonably provided within five working days.

The updated version of this Privacy Policy can be found on the web page: https://interno1.gs1it.org/en/privacy/. 
Any amendments or updates will be brought to the user's attention by publication on the mentioned web page of the site and will be applicable and binding from that moment on.

[Last update: 28/02/2023]