European Regulation 2016/679, hereinafter the “GDPR”
Think Water Srl, with offices at Via delle Pezze, 35 – 35013 Cittadella (PD), Italy, Tax Code and VAT no. 03985480288, as the Controller (in terms of processing personal data), hereinafter referred to as the “Controller”, informs you, pursuant to article 13 of Italian Legislative Decree 30.6.2003 no. 196 (hereinafter the “Privacy Code”) and article 13 of EU Regulation no. 2016/679 (hereinafter the “GDPR”) that your personal data will be processed for the purposes and by the methods that follow.

The subject of the processing The Controller processes personal data, identifying and non-sensitive data (specifically, first name, last name, VAT no., email address, telephone number – hereinafter referred to as the “personal data” or simply the “data””) that you provide when requesting information about the Controller’s products or services or when compiling a contact form at our web site.

Purposes Data will be processed for the purposes related to fulfilling the following obligations, regarding legal and contractual obligations and for other purposes:
· To fulfil obligations required by law in terms of tax and accounting;
· To manage clients and suppliers;
· To schedule activities;
· For historical client and supplier invoicing;
· For post-sales support;
· To manage disputes;
· For debt recovery activities;
· To manage quality;
· To measure the level of client satisfaction;
· To communicate new services and/or products that the Controller is offering.
The processing of functional data to fulfil these obligations is necessary to properly manage the relationship and providing this data is mandatory in order to achieve the purposes indicated above. Failure to provide this data, or providing inaccurate data, regarding the mandatory information, may make it impossible for the Controller to ensure the adequacy of the processing itself.

Methods of processing personal data Processing your personal data is done by those operational methods indicated in article 4 of the Privacy Code and article 4(2) of the GDPR, specifically:
· the collection, recording, organisation, storage, consultation, processing, alteration, selection, extraction, comparison, use, interconnection, block, communication, erasure and destruction of the data.
Your personal data is subject to both paper-based and electronic processing. The Controller will process your personal data for the time necessary to fulfil the purposes as mentioned above and, in any case, for no longer than 10 years from the termination of the relationship for Service Purposes and for no longer than 5 years from the date the data is collected for Marketing Purposes. Processing is carried out in compliance with those methods referred to in articles 6 and 32 of the GDPR and by the adoption of appropriate security measures. Personal data will be processed solely by those personnel expressly authorised by the Controller to do so and by external subjects duly appointed by the Controller. Third parties who carry out processing operations on behalf of the Controller are expressly appointed as external Processors for the relevant processing.

Access to data Data may be made accessible for the purposes referred to in the section, Purposes:
· to the Controller’s employees and collaborators, in their role as persons in charge of the processing and/or internal processors and/or system administrators;
· to the Controller’s partners or suppliers (for example, as part of the technical management of the services, to store personal data, etc.) or to third- party subjects (for example, service providers who manage and maintain the web site, suppliers, credit institutes, professional firms, etc.) to whom
activities are out-sourced by the Controller and who act as external processors.

Communicating to third parties Data will be communicated exclusively to those competent parties in order to fulfil the services necessary to properly manage the relationship, with the assurance that the data subject’s rights will be safeguarded:
· Consulting companies regarding accounting, administrative and tax matters;
· Companies providing IT services;
· Consultants and professionals, as well as in an associated form;
· Debt recovery companies;
· Banks and credit institutes;
· Other public and/or private entities to whom communicating data is mandatory or necessary in order to fulfil a legal obligation or is, in any case, functional to administrating the relationship.

Divulging data Your personal data will not be divulged in any way whatsoever.

Storage period for personal data Your data will be stored in our archives or with authorised Processors solely for the time needed for the processing purposes, subject to complying with the storage times.

Transferring data
Managing and storing personal data will be done on servers located within the European Union, controlled by the Controller and/or controlled by third-party companies assigned and duly appointed as Processors. Currently, the servers are located in Italy. Data will not be transferred outside of the European Union. In any case, it is understood that the Controller, whenever the same should consider it necessary, will have the right to move the location of the servers in Italy and/or in the European Union and/or to a non-EU country. In this case, the Controller hereby states that the transfer of data outside of the EU shall be carried out in compliance with the applicable laws, stipulating, if necessary, agreements to guarantee an adequate level of protection and/or adopting the standard contractual clauses as provided for by the European Commission.

Methods of processing personal data
Personal data will be processed with paper/electronic tools for the time strictly necessary to fulfil the purposes for which the data was collected. Specific security measures have been implemented to prevent any loss of data as well as unlawful use of and unauthorised access to data.

The data subject’s rights
As a data subject, you have those rights referred to in article 7 of the Privacy Code and article 15 of the GDPR and, specifically, you have the right:
· to obtain confirmation or otherwise of the personal data that concerns you even if the data has not yet been recorded, and to receive a copy of the data in an intelligible form;
· to obtain an indication of: · the origins of the personal data;
· the purposes for which and the methods by which processing is carried out;
· the logic applied in the event that processing is carried out with the use of electronic tools;
· the identifying details for the Controller, Processors and the designated representative pursuant to article 5(2) of the Privacy Code and article 3(1) of the GDPR; e) the subjects and the categories of subjects to whom your personal data may have been communicated or who may become aware of your personal data in their capacity as the designated representative in the country, or as a processor or as a person in charge of the processing;
· to have:
· the data updated, rectified or, where necessary, integrated;
· the data erased, transformed into an anonymous form or to block the data that has been processed in breach of the law, including that data whose storage is not needed in relation to the purposes for which the data was collected and subsequently processed;
· confirmation that the operations referred to in a) and b), above, have been brought to the attention, including by way of their contents, of whomever the data has been sent or divulged, except in the case in which fulfilling such a request proves impossible or involves an effort manifestly disproportionate to the protected right;
· to object to, in whole or in part:
· for legitimate reasons, the processing of the personal data that concerns you, even if pertinent to the reason for which the data was collected;
· the processing of the personal data that concerns you in order to send advertising material or to carry out direct sales or to perform market research or to send commercial communications, through the use of automated calling systems without the intervention of an operator, by email and/or through traditional marketing means by telephone and/or through the postal service. It should be noted that the data subject’s right to object, as described in b), above, for direct marketing purposes by automated means extends to traditional means and that, in any case, the option remains for the data subject to exercise his/her right to oppose processing even partially. Therefore, the data subject may decide to receive communications only through traditional means or only automated communication or neither type of communication.

Where applicable, the data subject also has those rights referred to in articles 16-21 of the GDPR (the right to rectification, the right to be forgotten, the right to restrict processing, the right to data portability, and the right to oppose processing), as well as the right to lodge a complaint with a Supervisory Body.

Exercising the data subject’s rights
A data subject may, at any time, exercise his/her rights:
by emailing: info@thinkwater.com
by faxing: 049 5971699
by sending a registered letter with return receipt to: Via delle Pezze, 35 – 35013 Cittadella (PD)

Contatta il supporto think:water