Data Protection Notice
pursuant to Article 13 of Regulation (EU) 2016/679
General Data Protection Regulation
By means of this information notice (“Notice”), the Data Controller, as defined below, wishes to inform You of the purposes and methods of the processing of Your personal data and of the rights that Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) grants You.
1. Who is the Data Controller
The Data Controller is Stiga S.p.A. (“Stiga” or the “Data Controller”), with registered office in 31033 Castelfranco Veneto (TV), Italy, via del Lavoro 6.
The Data Controller has appointed a data protection officer (“Data Protection Officer” or “DPO”), whom You may contact to exercise Your rights as listed in article 8 below, as well as to ask for any further information, at the following addresses: STIGA S.p.A, DPO office, via del Lavoro 6, 31033 Castelfranco Veneto, Italy; e-mail: firstname.lastname@example.org.
2. Which personal data we process
2.1 Specific requests
Pursuant to a specific request by You, and for the purposes set forth in article 3 of this Notice, the Data Controller processes the following personal data:
common data and contact details, such as the name, surname, address, phone number, e-mail address and other addresses.
2.3 Browsing data
The IT systems and programs used for the functioning of the Website collect some personal data whose transmission is implicit in the usage of the Internet communication protocols (e.g. IP addresses or domain names of computers used by users who connect to the Website, URI addresses - Uniform Resource Identifier - of the requested resources, time of the request, method used in submitting the request to the server, file size obtained in response, numerical code about the status of the response made by the server - favorable outcome, error, etc. - and other parameters related to the operating system and the user's IT environment). Although this information is not collected to be associated with identified data subjects, by its nature it could, through processing and association with data held by third parties, allow identification of data subjects.
These data are used for the sole purpose of obtaining anonymous statistical information on the use of the Website and to check its correct functioning and are deleted immediately after processing. The data could be used to ascertain responsibility in case of hypothetical IT crimes to the detriment of the Website: except for this eventuality, at present the data on web contacts do not persist for more than seven days.
In some cases, personal data are collected by Stiga with the use of different technologies, including that of "cookies". Cookies are made up of a series of data that a website sends to a "browser" (which could be Your browser). That information can then be stored on a computer (even Your computer) through a tag that identifies the computer but not the user.
2.5 Application(s) (App)
For Stiga’s application(s) management we process, according to the specific application used, the following data: name, surname, e-mail address, phone number, Company, job title, dealer code.
3. Purposes of processing and legal basis
3.1 Management of Your request
The processing is necessary to permit browsing on the Website and to reply to Your specific requests, including, but not limited to, sending You technical information on Stiga products, managing Your access to Stiga’s media database, etc.
The legal basis for the processing is therefore the execution of Your request, pursuant to Article 6, first paragraph, letter b), of the GDPR; therefore, Your consent is not necessary to allow the processing.
In case You provide us with Your specific consent, we may process Your personal data also for providing You with commercial information on products and services marketed by Stiga; as well as for making You part of statistical analysis, polls and market surveys with regard to products and services marketed by Stiga.
The legal basis for the processing activity is Your consent, pursuant to Article 6, first paragraph, letter a), of the GDPR.
Even if You grant us Your consent, You may request us to cease the processing for marketing purposes at any time, by sending an email to the following address: email@example.com [, or by clicking on the link contained in each e-mail You will receive].
3.3 Application(s) management
Your personal data will be processed for the purpose of enabling Your registration and access to the Data Controller’s application “Stiga Club” / “Stiga Shed” (“App”), pursuant to Your request.
The legal basis for the processing is therefore the performance of a contract, pursuant to Article 6, first paragraph, letter b), of the GDPR; therefore, Your consent is not necessary to allow the processing.
4. Nature of the personal data processing and consequences of a refusal
The processing of Your personal data is a mandatory requirement for (i) the management of Your request and (ii) enabling Your registration and access to the App, and therefore Your refusal to provide the personal data expressly indicated as mandatory, as the case may be, will result in the impossibility for the Data Controller to do so and to provide You with the App’s service.
If You refuse to grant us Your consent to process Your personal data also for marketing activities, we will not be able to provide You with special offers and/or information on new products and services; however, this will not impair the management of any different request from Your side.
5. Data Retention
The Data Controller will process your personal data, for the purposes indicated above, only for the time necessary for the management of Your request or , as well as for the fulfillment of any legal obligation provided by any applicable European and/or Member State’s laws and/or regulations. Your personal data will be subsequently retained by the Data Controller for a period equal to  year / equal to the applicable statute of limitation and then deleted.
As for the management for the App, the Data Controller will process your personal data only for the time You will remain registered to the App.
As for the marketing activities, your data will be processed until 10 years from our receipt of Your consent, notwithstanding that you will be able to immediately interrupt the processing as specified in preceding article 3.
6. Methods by which your personal data will be processed
Your personal data will be processed, pursuant to the provisions of the GDPR, by means of paper, computerized and telematic tools, for the purposes indicated above and with adequate methods to guarantee their security and confidentiality in accordance with Article 32 of the GDPR.
7. To which subjects your personal data may be communicated and who may get to know them
For the purposes described in paragraph 3 above, Your personal data will be disclosed to other companies of the Stiga group, employees, external consultants and, in general, Stiga group personnel, who will act as persons authorized to process personal data, specifically appointed as internal delegates.
In addition, Your personal data will be processed by the following third parties:
service providers for the management of the IT system;
service providers for technical assistance;
logistic companies, carriers, forwarders;
other service providers that assist Stiga in the provision/management of the App;
other service providers.
The above subjects shall act, in some cases, as autonomous data controllers, in other cases as data processors specifically appointed by the Data Controller pursuant to Article 28 of the GDPR. You may request a list of our data processors at the contact details indicated at article 1 above.
Your personal data will not be disclosed to the public.
8. Your rights as data subject
With regard to the processing described in this Notice, You may exercise any of the rights described in this section in accordance with Articles 15 through 21 of the GDPR. In particular:
Managing Your Information - Right of access
Article 15 of the GDPR: right to obtain from the data controller confirmation as to whether or not Your personal data are being processed, and, where that is the case, access to the personal data and the following information (also by receiving a copy of the same):
the purposes of the processing;
categories of personal data concerned;
the recipients or categories of recipient to whom the personal data have been or will be disclosed;
the envisaged period for which the personal data will be stored or the criteria used to determine such period;
the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
the right to lodge a complaint with the supervisory authority;
the source of the personal data, if not collected directly;
the existence of automated decision-making, including profiling;
Rectification of Inaccurate or Incomplete Information - Right of rectification
Article 16 of the GDPR: the right to obtain, without undue delay, the rectification of inaccurate personal data or the integration of the same;
Erasure - Right to erasure
Article 17 of the GDPR: the right to obtain from the controller the erasure of Your personal data without undue delay, if:
the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
You withdraw Your consent, and there is no other legal basis for the processing;
You object to the processing of Your personal data on legitimate grounds;
the personal data have been unlawfully processed;
the personal data have to be erased for compliance with a legal obligation;
the personal data have been collected in relation to the offer of information society services referred to in Article 8, first paragraph, of the GDPR;
If You no longer want us to use Your information, You can request that we erase Your personal information. Please note that if You request the erasure of Your personal data, we may retain and use Your personal data to the extent necessary to comply with our legal obligations or for the performance of a duty carried out in the public interest or in the exercise of official authority vested in the Data Controller, or for the establishment, exercise or defense of legal claims. For example, we may keep some of your information for tax, legal reporting and auditing obligations.
Restriction of processing - Right to restriction on processing
Article 18 of the GDPR: right to obtain from the controller restriction of processing if:
the accuracy of the personal data is contested by You, for a period enabling the controller to verify the accuracy of the personal data;
the processing is unlawful and You oppose the erasure of the personal data and request the restriction of their use instead;
the controller no longer needs the personal data for the purposes of the processing, but they are required by You for the establishment, exercise or defense of legal claims;
You have objected to processing pursuant to Article 21, first paragraph, of the GDPR pending the verification whether the legitimate grounds of the controller override Yours.
Data Access and Portability - Right of portability
Article 20 of the GDPR: the right to receive, in a structured format, commonly used and readable by an automatic device the personal data concerning Yourself provided to the Data Controller and the right to transmit the same to another data controller without impediment, if the processing is based on consent and is made with automated means. Furthermore, the right to obtain that Your personal data are transmitted directly from the Data Controller to another data controller, if this is technically feasible;
file a complaint to the competent data protection authority by sending a notice to the Italian Data Protection Supervisory Authority at Piazza di Monte Citorio n. 121 - 00186 Roma, e-mail: firstname.lastname@example.org or to the Data Protection Supervisory Authority of your habitual residence, place of work or place of the alleged infringement.
The above rights may be exercised by contacting the Data Controller and the DPO at the contact details indicated in previous article 1. Please note that we may ask You to verify Your identity before taking further action on Your request.