Privacy Policy


Subject: Information for the processing, communication and dissemination of data, in application of the European Data Protection Regulation -Reg. 679/2016 (GDPR)


Pursuant to Articles 13 and 14 of EU Regulation 2016/679 (GDPR), laying down provisions for the protection of natural persons with regard to the processing of personal data, the Data Controller is required to provide data subjects with certain information regarding the use of their personal data.

In particular, the undersigned GAMMA PLAST SAS in the performance of its activities/functions needs to process information and personal data referring to individuals operating on behalf of its organisation, acting in the role of Data Controller under the GDPR.

The information and personal data provided by you, or acquired as part of the contractual relationship with the undersigned, are processed in compliance with applicable laws and confidentiality obligations that have always inspired the activity of GAMMA PLAST SAS, as well as in compliance with fundamental rights and freedoms, the dignity of the data subject, respect for personal identity and the right to protection of personal data, with particular reference (ref. Art. 5 – Principles applicable to the processing of personal data) to the principles of lawfulness, correctness and transparency, purpose limitation, data minimisation, accuracy, GAMMA PLAST SAS. storage limitation, integrity and confidentiality

The data controller is: GAMMA PLAST SAS


The processing of data, is aimed at the pre-contractual and contractual management of activities carried out on behalf of the customer by GAMMA PLAST SAS. In particular, we highlight the following purposes

a) Commercial and pre-contractual management, relating to all activities preceding the stipulation of the contract;

b) Administrative and accounting management;

c) Management of design, supply, delivery and assistance services for the solutions and products

supplied as per contract and/or order;

d) Post-sales commercial and promotional management, with regard to solutions, new products

organisation of events, in line with the proposed services and solutions.

The processing will be carried out with the prevalent aid of electronic instruments, and may concern data and information on computerised or paper supports, by specially authorised persons.

In general, for the aforementioned purposes, depending on the case, the data will be stored at our company, at the customer’s IT infrastructure, at our datacentres, or at external datacentres that are our suppliers, and will be communicated exclusively to the competent subjects, internal or external to the organisation, as described below, for the performance of the services necessary for the proper management of the contractual relationship and the underlying services, with a guarantee of protection of the rights of the data subject.


The processing of personal data by the Data Controller is legitimised by the following conditions (art.6 of the GDPR):

CF and PIVA: 01487120121

Viale Rimembranze, 18

21052 Busto Arsizio (VA) +39.0331.679.272

Page 1 / 3

The data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes.
The processing is necessary for the performance of a contract to which the data subject is party and for the possible execution of pre-contractual or post-contractual measures taken at the data subject’s request.
Processing is necessary to comply with a legal obligation to which the Data Controller is subject (in particular for administrative and accounting purposes).
The processing is justified by a legitimate interest of the Data Controller, such as the sending of commercial and/or promotional communications relating to products and services similar to those covered by the contractual relationship


The personal data collected by GAMMA PLAST SAS may also be communicated, within the limits and in the forms strictly pertinent to the above-mentioned purposes, to the following subjects or categories of subjects:

Subjects to whom the communication is required by law, regulation or national and EU legislation as well as for the performance of contractual or pre-contractual obligations.
Credit Institutions, Insurance Companies and other entities for the performance of contractual or pre-contractual obligations (disbursement of payments, stipulation of compulsory insurance policies, etc.);
External firms and professionals specialised in consultancy for the management of accounting and tax aspects for the fulfilment of legal obligations (e.g. accountants, auditing firms, etc.);
Companies that carry out any transport and shipping activities for the subject goods in relation to the customer’s contact details.
Cloud service providers for data centre management


The Data Controller does not transfer personal data to third countries or international organisations.

However, it reserves the possibility of using cloud services; in which case, the service providers will be selected from among those who provide adequate guarantees, as provided for in Article 46 GDPR 679/16.


The provision of data must be considered obligatory with regard to the processing that the organisation must carry out in order to fulfil its obligations towards the interested party based on the relationship (or contract) in place, as well as legal obligations, rules, regulations – see paragraph purposes, a) b) and c) – Failure to provide such data may make it impossible for GAMMA PLAST SAS to continue the relationship in place.

Conferment is not compulsory for all other purposes and, even if conferred, may be revoked at any time by the party concerned. In the event of failure to provide consent, the consequences shall be assessed on a case-by-case basis, taking into account the specific case. For type d) purposes, communications will always be accompanied by a data processing notice and the right to withdraw from communications of a commercial or promotional nature will always be given.


Data are retained only for the period necessary for the purposes for which they are processed or within the terms provided for by national and EU laws, rules and regulations with which the organisation must comply (e.g. accounting and tax regulations, etc.). A periodical check is to be carried out annually on the data processed and on the possibility of their deletion if they are no longer necessary for the intended purposes.


The Data Controller undertakes to provide the person concerned with feedback on any requests he or she may have in relation to the data processing carried out, within 30 days and, should it be impossible to comply with such timeframes, to justify any extension of the timeframe. The response will be free of charge, except in cases of unfounded or excessive requests, for which a fee may be charged not exceeding the costs actually incurred for the research carried out.

In particular, we would like to remind you of the rights of the interested party to access, rectify or cancel data, and those to limit or oppose processing, as set out in the tables below.


Page 2 / 3

Access (Art. 15)


– Confirmation of the data subject’s data processing by the Controller.

– Access to the data subject’s personal data processed by the Controller.

– Information on purposes, categories of data processed, recipients of any communications

(especially if in third countries), expected retention period and origin of data collected

taken from third parties.

– Information on the existence of the right to rectification or erasure of data and limitation or

opposition to their processing and to lodge a complaint with the Garante.

– The possible existence of automated decision making or profiling, information on the logic used and the consequences of such processing.

Rectification (Art. 16)

– Rectification by the Data Controller, without undue delay, of inaccurate personal data concerning the data subject and
– integration of incomplete personal data.

Cancellation (Art. 17)


In cases of:

– data no longer necessary for the purposes for which they were collected;

– withdrawal of consent, if there is no other legal basis for the processing;

– objection to processing, if there is no overriding legitimate reason;

– unlawful processing;

– legal obligation;

– and finally, in cases related to the consent of minors, in relation to the provision of information society services.


Limitation (Art. 18)


Transitional regime of abstention from processing in cases of:

– contestation of accuracy,

– opposition to deletion in the event of unlawful processing,

– data no longer needed by the Controller but necessary for the data subject to exercise a right,

– opposition to processing.

Pending the conclusion of the investigations, the Data Controller is obliged to retain the data and only carries out any further processing under certain conditions.


Portability (Art. 20)


For processing based on consent or on a contract, the data subject has the right to receive from the Controller his personal data in ‘commonly used’ electronic format in order to transmit it to another Controller (also directly from Controller to Controller). Portable’ personal data are those which the data subject has provided to the Controller directly and explicitly, but also those collected during the provision of the service, such as, for example, traffic or navigation data (for network service providers).


Opposition (Art. 21)


Opposition to the processing of one’s own personal data based on the lawfulness of the exercise of public interest or the legitimate interest of the Controller, including direct marketing or possible profiling.
The Controller shall refrain from processing, except for legitimate reasons overriding the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of a right in court.

The Data Controller is obliged in any case to stop processing for direct marketing purposes if the data subject objects to his data being used for that purpose.

Other rights granted to data subjects are those in the table below.
Complaint Right to lodge a complaint with a Supervisory Authority (Privacy Guarantor), if the data subject (art. 77) considers that the processing concerning him/her violates the Regulation.

For processing operations legitimated by consent, the data subject has the right to revoke it at any time without prejudice to the lawfulness based on the consent given before revocation.

Yours sincerely

Compensation (Art. 82)


The right to obtain from the Controller and/or the Data Processor full and effective compensation for any damage suffered, whether tangible or intangible (financial loss, identity theft, discrimination, etc.), if caused by the processing of the data subject’s personal data in breach of the Regulation and the Controller and/or the Data Processor are unable to prove that the damaging event is not their fault.