Policy pursuant to Art. 13 of the Personal Data Protection EU Regulation 2016/679 (GDPR)  
- Shop-online customers (e-shop) -     


Pursuant to Art. 13 of EU Regulation 2016/679 (henceforth GDPR), the Istituto Poligrafico e Zecca dello Stato S.p.A. (also Poligrafico) - with registered office in Via Salaria 691, 00138 Rome - in its capacity as Data Controller, in the person of its pro tempore legal representative, hereby informs you that your personal data will be processed by Poligrafico itself by means of manual processing or electronic or otherwise automated, computerised or telematic instruments, with logic strictly related to the purposes listed below and, in any case, in such a way as to guarantee the security and confidentiality of the data.   


1.  Sources of personal data   

The personal data subject to processing are collected directly from the person concerned and are processed in compliance with the law and the confidentiality obligations that inspire Poligrafico's activity.   


2.  Purpose and legal basis of the processing  

The purpose of the processing of your personal data and its legal basis are set out below:  

concluding contracts concerning Poligrafico's services or products or fulfilling pre-contractual and contractual obligations - performance of a contract to which the data subject is party or performance of pre-contractual measures taken at the data subject's request (Art. 6, para. 1(d) of the GDPR). 
fulfilment of legal, regulatory and tax obligations arising from existing relations with you or from an order of the Authority - fulfilment of legal obligations (Art. 6, para. 1(c) of the GDPR). 
responding to requests from registered users/customers - performance of a contract to which the data subject is party or performance of pre-contractual measures taken at the request of the data subject (Art. 6, para. 1(d) of the GDPR).  
archiving - fulfilment of legal obligations (Art. 6, para. 1(c) of the GDPR).   
protection of the Poligrafico's rights arising from the contract - Poligrafico's legitimate interest (Art. 6, para. 1(f) of the GDPR);   
sending advertising material, commercial communications for the direct sale of Poligrafico's products, questionnaires/requests relating to the performance of market research both through automated contact tools (e-mail, SMS, push notifications, WhatsApp and social networks channels) and through telephone calls with operator (so-called marketing) - specific and distinct consent (Art. 6, para. 1(a) of the GDPR);   
profiling the user/customer by analysing the data deriving from the completion of Poligrafico's forms/fiches or derivable from the type of his/her purchases or his/her purchasing behaviour only and exclusively subject to his/her free, optional, specific and explicit consent, which may be revoked at any time, also in order to identify and define his/her tastes, preferences, habits, needs and consumption choices and to customise dedicated offers and promotions (so-called "profiling") (specific and explicit consent (Art. 6, para. 1(a) of the GDPR).  After you have given your consent, you are in any case entitled to object, at any time and without charge, to the processing of your data for this purpose. 
We also inform you that if you are already a customer, we may send you commercial communications (exclusively by e-mail) relating to Poligrafico products similar to those you have already purchased, unless you object, within the limits provided for by Art. 130, paragraph 4 of the Privacy Code (so-called soft-spam). It should be noted, in this regard, that the data subject has the right to object at any time to the processing of his or her personal data for the purposes of direct marketing and profiling in the manner indicated in the above-mentioned notices or through the means indicated in paragraph no. 8 of this Policy.   


3.  Nature of provision and consequences of refusal  

The provision of personal data not subject to consent, for the purposes and in the manner set out in this Policy, is mandatory for the fulfilment of legal and/or contractual/pre-contractual obligations.  

Therefore, any refusal to provide the compulsory data will result in the objective impossibility of pursuing the processing purposes set out in paragraph 2, letters a), b) and c) of this Policy.  

The provision of data subject to your specific consent - possibly given on the Poligrafico e-shop portal - is, on the other hand, optional.   


4.  Categories of recipients of personal data  

Personal data will be processed by persons specifically authorised to do so by the Data Controller, pursuant to the GDPR and Art. 2-quaterdecies of Legislative Decree no. 196/2003 (so-called Privacy Code) as amended and, moreover, may be communicated to third parties, for the purposes set out in point 2 of this Policy, belonging to the following categories:   

external companies that Poligrafico may use for technical and organisational reasons in managing relations with customers, who provide:  
cloud-based software for managing customer-facing services;  
computer services and/or web platforms used by the Poligrafico;  
printing, enveloping, transport and shipping services;  
cloud services for verifying personal data entered during registration by users (omocodia management and address auto-completion/normalisation functionality);  
SaaS peak traffic management services on the site; 
law firms; 
professional firms/companies/consultants providing accounting, tax and fiscal services, as well as auditing services; 
maintenance company for Poligrafico's IT equipment; 
professionals and consultants for the purpose of protecting the Poligrafico's rights arising from the contract; 
companies carrying out auditing and certification of financial statements; 
supervisory bodies.  
All subjects belonging to the categories to which the data may be communicated within the limits of the law and the contract will use them as 'Data Processors' under Art. 28 of the GDPR - specially appointed and instructed by Poligrafico as Data Controller - or autonomous 'Data Controllers'.  

In addition, the data covered by this Policy are processed by Poligrafico's internal Data Processors appointed pursuant to current legislation, whose constantly updated list is available on Poligrafico's institutional website www.ipzs.it, in the Privacy section.  

Your personal data will not be disseminated.     


5. Transfers outside the EU 

The data referred to in this Policy will be processed within the European Economic Area (EEA). However, the use of certain instruments by Poligrafico may entail, albeit on a residual basis, a transfer of the same to entities established in countries that do not belong to the European Union (EU) or the EEA. This transfer, in any case, is carried out in compliance with Chapter V of the GDPR.    


6.  Personal data retention period  

Your personal data are stored for the entire period of validity of the user account registered on the Poligrafico e-shop platform. In the event of deactivation of the user, the data are in any case retained until the statute of limitations of the rights arising from the contractual relationship has expired, but no longer than 10 years from the end of the contractual relationship. Thereafter, all documents relating to the business relationship are retained for archiving purposes within the limits of the statute of limitations of enforceable rights.  

As far as marketing purposes are concerned, your data will be processed for a period of 24 months after the collection of your consent, subject to your right of revocation at any time. On the other hand, with reference to the profiling purposes, your data will be processed for a period of 12 months from the collection of your consent, subject to your right of revocation.  

Thereafter, the data will be automatically deleted or permanently anonymised in a non-reversible manner. 


7.  Automated decision-making  

For the pursuit of the processing purposes described above, no decision is taken based solely on automated processing that produces legal effects concerning the data subject or affects him/her in a similarly significant way.  


8.  Rights of the data subject  

The data subject may exercise - within the limits of the law - the following rights vis-√†-vis Poligrafico:  

the right to obtain confirmation from the data controller as to whether or not personal data relating to you are being processed and, if so, to obtain access to the personal data and information provided for in Art. 15 of the GDPR and, in particular, those relating to the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipients to whom the personal data have been or will be disclosed, the storage period, etc;   
where inaccurate, the right to obtain the rectification of personal data concerning you, as well as the integration of such data where they are considered incomplete, always in relation to the purposes of the processing (Art. 16 of the GDPR.  
the right to erasure of data ('right to be forgotten'), where one of the cases referred to in Art. 17 of the GDPR is met;   
the right to restriction of processing, in the cases provided for in Art. 18 of the GDPR;  
the right to data portability pursuant to Art. 20 of the GDPR;  
the right to object to processing pursuant to Art. 21 of the GDPR;  
the right to withdraw consent at any time without prejudice to the lawfulness of the processing by consent given before the withdrawal, only for the purposes for which consent is the legal basis (Art. 7 of the GDPR).   
These rights may be exercised by sending a request to the Data Protection Officer (DPO) at the following address: Via Salaria, 691 - 00138 Rome, or by e-mail to the following e-mail addresses: privacy@ipzs.it or rpd@pec.ipzs.it.   

Moreover, the person concerned may revoke consent at any time by accessing the Reserved Area of the account on the Poligrafico e-shop portal. Withdrawal of consent does not affect the lawfulness of processing based on the consent previously given. 

Finally, please note that the exercise of the above rights may be restricted, delayed or excluded - pursuant to Art. 2-undecies of Legislative Decree 196/2003 as amended, if it may result in actual and concrete prejudice to the conduct of defensive investigations, to the exercise of a right in court, and to the confidentiality of the identity of the employee who reports the offence of which he/she has become aware by reason of his office (so-called whistleblowing).  

Please note, pursuant to Art. 13, para. 2(d) of the GDPR, that the data subject has the right to lodge a complaint with the Garante (Italian Data Protection Authority) or another supervisory authority in accordance with Article 77 GDPR.  


9. Amendments to this Policy 

This Policy notice is subject to change. We therefore recommend that you regularly check the Privacy section of www.shop.ipzs.it.     


Last updated: 28-05-2024