Privacy Policy

Poly Menu Privacy Policy

For the avoidance of doubt, we clarify the following terms as defined by the GDPR

Processing: any operation involving the collection, recording, organization, storage, consultation, treatment, modification, selection, extraction, comparison, use, interconnection, blocking, communication, dissemination, erasure, and destruction of data, even without the use of electronic tools.

Personal Information: any information relating to a natural person, including an identifiable personal identification number, in particular to an individual who is identified or identifiable in particular by reference to other information.

Personal Information is categorized as follows

General Data: For example, first name, last name, address, etc.
Special Data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership; health-related data; data concerning sex life or sexual orientation; genetic data; biometric data (such as fingerprints or facial images).
Criminal data: personal information relating to criminal convictions, offenses, and security measures.
Data that may threaten the freedom and dignity of individuals, for example, profiling based on decisions that, when processed on a large scale, have legal effects or affect them in a similar way; Special Data (Article 9) or Criminal Data (Article 10).

1. purposes of processing
The Data Controller processes your first name, surname, company name, address, telephone number, e-mail, bank and payment information that you provide in connection with your existing relationship with the Data Controller. This primarily relates to the "Poly Menu" service.

2. purposes of processing
Your personal data is processed for the conclusion and execution of the existing relationship with the data controller. The data may be processed in the following cases

Without your explicit consent (Art. 6 para. b, e GDPR; Art. 24 para. a, b, c Privacy Act):
To execute a contract relating to the Administrator's services;
to fulfill prior contractual, contractual and tax obligations arising from our existing relationship with you;
to fulfill an obligation under a statute, regulation, EU law or order of a competent authority (e.g. anti-money laundering);
To exercise the rights of the data controller, such as the right of defense in court;

With your explicit consent (Article 7 GDPR; Articles 23 and 130 of the Personal Data Protection Act):
To send you newsletters, commercial communications and/or advertising materials by e-mail, postal and/or SMS and/or telephone contact to survey your satisfaction with the quality of the Administrator and its services;
to send commercial and/or promotional communications from third parties (e.g. business partners, insurance companies, other companies in the Group) by email, postal and/or SMS and/or telephone contact.

3. how we process
The processing of your Personal Data is carried out by the operations set out in Article 4(2) of the GDPR (and, where applicable, Article 4 of the Data Protection Act): Collection, recording, organization, storage, consultation, processing, rectification, selection, extraction, comparison, use, interconnection, blocking, communication, erasure and destruction. Your personal data applies to paper and electronic and/or automated processing.

The Data Controller will process your Personal Data for as long as necessary to fulfill the above purposes, in no case exceeding 10 years after the end of the relationship, and no longer than 2 years after data collection for marketing purposes.

4. data access and communication
Your data may be accessed for the following purposes

Data Controller's employees and collaborators, appointed persons and/or system administrators;
third-party companies or other entities performing outsourced activities on behalf of the Data Controller (e.g. credit institutions, professional firms, consultants, insurance companies, etc.); external data processors (those identified in "All. A", as updated periodically).

Without your explicit consent (Article 6 (b) and (c) GDPR; Article 24 (a, b, d) Privacy Act), the Data Controller may communicate your data to supervisory authorities (e.g. IVASS), judicial authorities, insurance companies, and to fulfill legal obligations for the purposes set forth in Article 2 (A). They will process the data in their capacity as autonomous data controllers.

5. nature of data provision and consequences of refusal to respond
The provision of data for the purposes set out in point A of Article 2 is mandatory, otherwise the services set out in Article 2 cannot be guaranteed.

On the other hand, the provision of data for the purposes of Section 2.B is optional. You may choose not to provide data or to later object to the possibility of processing the data already provided. In this case, you will not receive newsletters, commercial communications and advertising materials.

6. Duration
Your personal data will be collected for the purposes set out in Section 1 and will be kept for different periods of time depending on the relevant purposes. If you require additional information, you may request any information and inspect the records at the Company's headquarters.

7. Data Subject Rights
As a data subject, you have the rights provided by Articles 13 and 15-22 of the GDPR (and, where applicable, Article 7 of the Personal Data Protection Act).

8. legal basis for processing
Processing is only lawful if at least one of the following conditions applies

The data subject has consented to the processing of his or her personal data for a specific purpose;
the processing is necessary for the performance of a contract to which the data subject is a party or for taking pre-contractual steps at the request of the data subject; and
the processing is necessary for compliance with a legal obligation to which the data controller is subject;
the processing is necessary to protect the vital interests of the data subject or another natural person;
the processing is necessary for the performance of a task of public interest or for the exercise of a public authority vested in the data controller;
the processing is necessary for the pursuit of the legitimate interests of the Data Controller or a third party. However, this does not apply if the interests or fundamental rights and freedoms of the Data Subject, which require the protection of their personal data, are overridden, in particular if the Data Subject is a child.

9. How to exercise your rights
You can exercise your rights at any time by

Sending a letter by registered mail with acknowledgment of receipt to the holder;
Sending an e-mail to info@poly.menu