CUSTOMER PRIVACY NOTICE

Cela srl with registered office in TURIN VIA TREVISO 36 – operational headquarters VIA ISEO 5-7-9 CASTEGNATO 25045 (BS), tax code and VAT number 10073480013 – e-mail info@cela.it, certified e-mail address cela@pec.it, as Data Controller, informs that the processing of personal data transmitted will be performed in compliance with the GDPR 679/2016 and with the national legislation as follows.

Purpose of processing
The processing of your personal data will take place for the purposes related to the correct execution of the contract and for the fulfilment of the tax and accounting obligations incumbent on it.

Legal basis for data processing
The processing of personal data will be carried out, alternatively, for the fulfilment/execution of contractual obligations and/or for the fulfilment of legal, fiscal and contractual obligations related to the same and/or on the basis of a legitimate interest of the Data Controller.

Place of processing and retention
The processing is performed at the registered office and operational headquarters both in paper-based and computer mode and consists of the collection, recording, organisation, retention, consultation, processing, selection, comparison, use, archiving, deletion and destruction. The retention will take place in the same places and will have the duration provided by law, and in any case for the times necessary for execution of the contract. The data retention period will be the one necessary to guarantee the Data Controller the correct fulfilment of the tax, accounting and legal obligations incumbent on it.

Data categories
Your contact details, bank details, personal data of shareholders, of the lawyers represented and of the employees that will be necessary for the exact execution of the contract will be processed.

In the event that the remote assistance service and/or the Industry 4.0 Ipercela remote management system is purchased, Cela srl communicates that in order to guarantee the execution of the service, information will be processed regarding the location of the vehicle as well as the ignition, use, position, inclination, telemetry and active alarms of the vehicle itself. No personal data relating to natural persons using the vehicle will be processed, not even indirectly, by Cela srl and no such data will be transmitted to the same. No responsibility can be attributed to Cela srl for the buyer’s failure to comply with the regulations relating to the processing of the personal data of its employees/collaborators for the use of this technology.

Categories of data subjects
In addition to employees of the Data Controller and to the judicial and police authorities, the categories of data subjects also include social security institutions and tax authorities. In addition, personal data may be transmitted to external data processors pursuant to art. 28 of the GDPR, whose list is available from the Data Controller.

Obligation to communicate data
The communication of personal data is a contractual obligation and is in any case a necessary requirement for conclusion of the contract. If the requested data are not promptly communicated, the Data Controller reserves the right not to execute the contract and/or to terminate the same.

Rights of the data subject
As a data subject, you may exercise the rights provided for by art. 7 of the Privacy Code and by arts. 12, 15 to 22 of the GDPR and you will therefore have the right to request at any time the updating and/or integration of personal data, as well as access to them and/or correction and/or deletion of the same or limitation of the Processing that concerns you or to object to their Processing, in addition to the right to request from the Data Controller your personal data in a format that is structured and readable by an automatic device, also in order to communicate such data to another Data Controller (so-called right of data portability). You may also revoke at any time the consent to the Processing given without prejudice to the lawfulness of the Processing based on the consent given before the revocation. As a data subject, you will have the right to lodge a complaint pursuant to arts. 77 et seq. of the GDPR with a supervisory authority which, for the Italian state, is identified as being the Guarantor for the protection of personal data (www.garanteprivacy.it). The forms, methods and time limits for the submission of a complaint are established and governed by the national legislation in force. The complaint is without prejudice to administrative and judicial actions, which for the Italian State can be proposed alternatively to the same Guarantor or to the competent Court.

Data Controller and Data Protection Officer
The Data Controller, whom you may contact to assert the rights referred to in art. 7 of the Privacy Code and in arts. 12, 15 to 22 of the GDPR, is the company CELA SRL with registered office in TURIN VIA TREVISO 36 – operational headquarters VIA ISEO 5-7-9 CASTEGNATO 25045 (BS), Tax Code and VAT no. 10073480013 – e-mail info@cela.it, certified e-mail address cela@pec.it. The Data Protection Officer of the Data Controller is the lawyer Ms. Maria Capitanio, e-mail m.capitanio@live.com – certified e-mail address maria.capitanio@brescia.pecavvocati.it.

CAREERS PRIVACY NOTICE

Information Notice on the Processing of Personal Data

In accordance with Article 13 of the European Regulation 2016/679 on the protection of personal data (“Regulation”) and applicable national regulations, Cela Srl (hereinafter the “Company”), as the data controller, informs you that the personal data provided by you with the submission of your CV, also through the link on the company website, will be processed in compliance with the current legislative and contractual provisions for the purposes and in the manner indicated below.

Categories of Data
When submitting the CV to present your profile for an open job position or to provide us with your CV for potential future job positions, the Company collects and processes data such as name, surname, date of birth, email address, phone contacts, address, academic background, previous work experiences, and any other data voluntarily included in the CV or accompanying cover letter.

Data Processing and Storage Methods
The data will be processed at the Company’s registered office and operational headquarters and stored on systems and in archives, including paper archives, managed by the Company. This will be done in accordance with the principles of fairness, loyalty, and transparency provided by the applicable data protection laws, solely for the purpose of evaluating your application for possible employment within the Company. If the CV contains data related to third parties (e.g., references for previous work experiences), you must ensure that you have obtained the consent of such individuals to be contacted by the Company for reference purposes. In such case, you authorize the Company to contact these third parties for references and verification of the information received. The data will be treated to protect your confidentiality and rights through the adoption of suitable technical and organizational measures to ensure a level of security appropriate to the risk (such as the ability to restore access to data in case of incidents, etc.). As part of the selection process, the Company may, in certain circumstances, conduct verification activities on the information provided (e.g., academic qualifications and previous employers).

The submission of the application and any related information is entirely voluntary and optional for website users.

Non-Provision of Data
If you decide to apply, you are free to provide the personal data that you consider most suitable for this purpose. However, in case of non-provision of personal data necessary for your identification (such as personal details or your education), the Company will be unable to evaluate your application, as these are essential data for the assessment of the application by the Company. Your consent is not required for the processing of personal data contained in the CV, as the processing is limited to what is strictly necessary to respond to your request and obtain preliminary information for the possible establishment of a contractual relationship, in accordance with Article 6.1 b) of Regulation EU 679/2016. The Company advises candidates not to include in their CV or otherwise communicate to the Company personal data revealing racial or ethnic origin, religious, philosophical, or other beliefs, political opinions, membership of parties, unions, associations, or organizations of a religious, philosophical, political, or union nature, as well as personal data revealing health or sexual life (so-called special categories of personal data).

Retention Period
Your personal data will be kept for a period not exceeding that necessary to evaluate your application for possible employment within the Company, considering the constantly evolving job market dynamics in which the Company operates and the type of skills and experiences sought. In any case, based on the legitimate interest of the Company in identifying the most suitable profile for the positions that may arise, CVs may be kept for a period of up to 3 years, after which they will be deleted, subject to further retention obligations under applicable law. It is understood that you may update your data at any time or request their deletion.

Authorized Data Processing Entities
For the aforementioned purposes, your data may be disclosed to: a) authorized and duly trained personnel of the Company, including Human Resources and Organization personnel and the contacts of the company functions to which the position for which your profile may be considered belongs; b) third parties, such as personnel selection agencies, for purposes strictly related to the management of the application as independent data controllers; c) third parties to whom the Company entrusts the execution of certain services within the scope of personnel search and selection activities and who have been appointed as data processors for this purpose. These entities act in accordance with the instructions of the Company, as data processors based on specific contractual agreements. The list of such entities is available upon request at the contact details provided below. Personal data will not be subject to disclosure.

Rights of the Data Subject
In relation to the described data processing, you may exercise the rights provided by the Regulation (Articles 15-21), including: a) receive confirmation of the existence of your personal data and access their content (right of access); b) update, modify, and/or correct your personal data (right of rectification); c) request their deletion or restriction of processing for data processed unlawfully, including those not necessary for storage in relation to the purposes for which the data was collected or otherwise processed (right to be forgotten and right to restriction); d) object to processing where provided by the Regulation (right to object); e) revoke consent, if given, without prejudice to the lawfulness of processing based on consent given before revocation; f) receive a copy of the data concerning you in electronic format and request that such data be transmitted to another data controller (right to data portability). To exercise these rights or for further information regarding this notice, you can contact the Data Protection Officer (DPO) by sending an email to privacy@cela.it or by regular mail to the Company’s registered office at the addresses indicated. You may also lodge a complaint with the supervisory authority in case of violation of the data protection regulations.

Data Controller
The data controller is Cela Srl, with registered office in Turin, Via Treviso 36, and operational headquarters in Castegnato (BS), Via Iseo 5-7-9, represented by the current Legal Representative. The Data Protection Officer is available at the address privacy@cela.it.

Cela Srl

PRIVACY NOTICE WHISTLEBLOWING

PURSUANT TO ART. 13 OF EU REGULATION 679/2016 AND LEGISLATIVE DECREE 196/2003 AND SUBSEQUENT AMENDMENTS.

This notice is intended to explain to you, as the Data Subject, the ways in which your personal data will be processed in accordance with the provisions of the legislation on the protection of personal data (EU Regulation 679/2016, GDPR, and Privacy Code 196/2003), specifically concerning your rights and the means of protecting them, related to the report (so-called “whistleblowing”) you will make through the reporting channel established by the Data Controller pursuant to Legislative Decree 24/2023.

Data Controller:
The Data Controller for the data covered by this notice is Cela S.r.l., with registered office in Turin, Via Treviso 36, and operational headquarters in Via Iseo no. 5-7-9, Castegnato (BS) VAT number Euro 1.593.140,88 fully paid up, represented by its Legal Representative.

Legal basis for processing:
Personal data is collected and processed for purposes strictly related to the management of reports of unlawful conduct, concerning activities and/or behaviors diverging from the procedures implemented by the company. These particularly encompass violations of national or European Union regulations that undermine the public interest or the integrity of the Data Controller, which the reporting individuals become aware of in a public or private working context. Furthermore, it encompasses violations of professional conduct standards and/or ethical principles referred to by current legislation, both internal and external, and/or illicit or fraudulent behaviors attributable to employees, members of social bodies, or third parties (clients, suppliers, consultants, collaborators).

Therefore, the legal basis for the processing is the need to comply with a legal obligation to which the Data Controller is subject, specifically referring to the provisions contained in Legislative Decree 8 June 2001, no. 231 (“Discipline of the administrative liability of legal entities, companies, and associations, even without legal personality, pursuant to Article 11 of Law 29 September 2000, no. 300”) and Legislative Decree 10 March 2023, no. 24 (“Implementation of EU Directive 2019/1937 of the European Parliament and of the Council of 23 October 2019, on the protection of persons who report breaches of Union law and containing provisions on the protection of persons reporting breaches of national legislative provisions”).

Purpose of processing:
The personal information provided through the report to the competent Office will be processed to ensure:

1) management of the report and whistleblowing procedure;
2) any activities aimed at verifying the validity of the reported fact;
3) adoption of measures consequent to the report;
4) any requests for integration of information to the reporting individual (the so-called whistleblower);
5) protection in court of a right of the Data Controller;
6) response to a request from the Judicial Authority or an Authority assimilated thereto.

Confidentiality and protection of the reporter:
The Data Controller guarantees the confidentiality of the identity of the reporting person, the person involved, and any person mentioned in the report, as well as the content of the report and related documentation. Therefore, except in cases where the criminal liability of the reporting person is established, even by a first-instance judgment, for the offenses of defamation or libel or for the same crimes committed through the report to the judicial or accounting authority, or their civil liability, for the same reasons, in cases of willful misconduct or gross negligence, and subject to other exceptions provided by law (e.g., obligation to report to the judicial authority), the identity of the reporter will be protected from the receipt of the report onward, in accordance with the current provisions of Privacy Regulations. Therefore, subject to the aforementioned exceptions, the Data Controller has determined, pursuant to Article 12, paragraph 2 of Legislative Decree 24/2023, that their identity and any other information from which it can be directly or indirectly inferred cannot be disclosed to subjects other than those competent to receive or follow up on the reports. Your explicit consent will be obtained also in cases where it is necessary to disclose your identity pursuant to Article 12, paragraphs 5 and 6 of Legislative Decree 24/2023, or when it is necessary to decrypt your data in order to enable the defense of the accused in a disciplinary procedure based solely on the report and in which the knowledge of the reporting individual is essential for the defense or for the defense of the person involved.
All those who receive and/or are involved in the management of reports are obliged to protect the confidentiality of such information.

Categories of processed data:
The personal data processed by the Data Controller, in compliance with the whistleblowing procedure, may include common personal data, such as:
– identifying data of the reporting individual (e.g., name, surname, email address, any other contact details provided by the reporting person);
– personal data contained in the reports sent (e.g., personal data – identifying and professional – and any other personal information relating to the reported subject and/or any third parties involved in the report).

The communication of the reporting individual’s identifying personal data (name and surname) and their email address is mandatory in the so-called “named reporting.”

The communication of identifying personal data is not required or mandatory in the so-called “anonymous reporting,” and in this case, in addition to protecting the content of the transmission, the anonymity of transactions between the reporter and the Whistleblowing reporting channel is guaranteed, making it impossible for the recipient and all subjects involved in any way in the management of the transmission to trace the sender.

Information concerning the reported facts may be processed, depending on the contents of the report, including any references to data concerning third parties that may be involved in the reported facts and mentioned by the reporting individual or acquired during subsequent investigative activities.

Refusal to provide personal data:
Any refusal to provide common identifying and contact data (name, surname, and email address) of the reporting individual in the so-called “named report” will result in the inability of the Data Controller to follow up on the submitted report. The provision of the reporting individual’s personal data is optional in the “anonymous report.”

Methods of personal data processing:
The Data Controller collects and/or receives the reporting individual’s personal data through their input via the reporting channel established by the Data Controller and accessible from the company’s website. The data will be processed both electronically and on paper and will be managed by the personnel of the Data Controller specifically appointed and trained. Your data may also be processed by subjects authorized by law to access it and by Data Processing Managers specifically appointed pursuant to Article 28 GDPR by the Data Controller, and the list of these is kept by the Data Controller. Please note that if personal data clearly not relevant to the report are accidentally acquired during the handling of the reports, they will be promptly deleted.

Data retention:
Data related to the reports and related documentation will be retained for no longer than five years from the date of communication of the final outcome of the reporting procedure at the operational headquarters and the registered office of the Data Controller and/or at the appointed Data Processor. In the event of disputes concerning the circumstances reported, the data may be kept for a longer period, coinciding with the duration of the dispute itself, in addition to the prescription and/or expiration period.

Transfer of data outside the EU:
Data will be processed within the European Union, where the Data Controller or Processors have their headquarters or servers. Data will not be transferred outside the European Union.

Data Subject Rights:
At any time, the Data Subject may exercise the rights under Articles 15 and following of EU Regulation 679/2016, GDPR, as listed below. For obvious reasons of protecting the reporter’s confidentiality, reporting subjects are encouraged to exercise their rights, particularly those concerning rectification or deletion of their personal data, using the same platform indicated in the whistleblowing procedure for reporting and by sending a request through the platform in this regard.

Right of access (Art. 15 GDPR): Right of the Data Subject to obtain from the Data Controller confirmation as to whether or not personal data concerning them are being processed and, if so, to access such data;
Right to lodge a complaint with a supervisory authority (Art. 15 1. f) GDPR): The Data Subject has the right to lodge a complaint under Articles 77 and following GDPR with a supervisory authority, which for the Italian state is identified as the Garante per la protezione dei dati personali (www.garanteprivacy.it). The forms, methods, and terms for submitting the complaint are provided and regulated by current national legislation. The complaint does not affect administrative and judicial actions, which for the Italian state can be alternatively proposed to the same Garante or to the competent Court;

Right to rectification (Art. 16 GDPR): Right of the Data Subject to obtain from the Data Controller the rectification of inaccurate personal data concerning them without undue delay. If the provided data is incomplete, it can be supplemented by the Data Subject through a supplementary statement;
Right to erasure (right to be forgotten) (Art. 17 GDPR): The Data Subject has the right to obtain from the Data Controller the erasure of personal data concerning them without undue delay. In this case, the Data Controller shall have the obligation to erase such data without undue delay;

Right to restriction of processing (Art. 18 GDPR):
Right of the Data Subject to obtain restriction of processing in certain situations: the Data Subject disputes the accuracy of personal data; the processing is unlawful, and the Data Subject opposes the erasure of the data, instead requesting restriction; the personal data are required for the establishment, exercise, or defense of a legal claim; the Data Subject has objected to processing, pending the verification of the legitimate grounds of the Data Controller overriding those of the Data Subject;

Right to data portability (Art. 20 GDPR): The Data Subject has the right to receive the personal data concerning them, which they have provided to the Data Controller, and the right to transmit such data to another controller without hindrance from the Data Controller in cases where: a) the processing is based on consent pursuant to Article 6, paragraph 1, letter a), or Article 9, paragraph 2, letter a), or on a contract pursuant to Article 6, paragraph 1, letter b); b) the processing is carried out by automated means;

Right to object (Art. 21 GDPR):
Right of the Data Subject to object to the processing of their personal data.

Contact details:
To contact the Data Controller, you can call the following phone number: 0039 030 988 4084, or email: info@cela.it, or certified mail to the registered office in Turin, Via Treviso 36 and/or the operational headquarters in Via Iseo no. 5-7-9, Castegnato (BS).
To contact the Data Protection Officer (DPO), you can call the following phone number: 0039 3404728795 or email: privacy@cela.it.

The Data Controller
Cela s.r.l.
I declare that I have received the information pursuant to Article 13 of GDPR 679/2016 and have understood it in its entirety.