Privacy Notice pursuant to Article 13 of EU Regulation 2016/679 GDPR for Telco Services Contract and Activation – SMS Business
MEXEDIA SPA SOCIETA’ BENEFIT
1. Data Controller: Mexedia S.p.A., located at Via di Affogalasino 105, contact information: +39 06 94502581
Purpose of the Notice: This document provides information on the processing of personal data related to telecommunications or telematics communication services, governed by a specific service contract referred to for further details. In this notice, our organization specifies the processing for which it is the data controller. Please note that for processes and activities whose processing purposes can be attributed to the data subject, our organization acts as the data processor, as appropriately regulated during the service contract subscription phase.
For processing carried out on other platforms: Specific information and, if necessary, consents will be provided before specific treatments related to access to platforms, apps, and websites.
2. Purpose of Processing, Data, Provision, Legal Basis, Retention Period, Transfers outside the European Economic Area (EEA)
A- Conclusion and execution of the contract and technical and administrative accounting activities directly related thereto, including legal obligations for identifying the owner of telecommunications or telematics services.
More Details: Customer’s personal data will be processed for the management of the contractual relationship, enabling the technical management of services, compliance with legal obligations affecting service activation, and administrative and accounting activities such as:
✓ Contract conclusion, user or service holder identification through standard channels.
✓ Legal obligations in civil and tax law (invoice and accounting documentation retention, civil and tax obligations).
✓ Data to enable technical interconnection with networks and ensure communication service and any contract-based or customer-requested services, as well as data for billing and administrative and technical-organizational management of provided services.
✓ Data related to invoicing, including payment management, including bank domiciliation requests or credit card payments, and payment verification.
✓ Receipt and handling of requests from data subjects or complaints.
If you do not provide your data, it will not be possible to conclude the contract and provide the service.
What data we process:
✓ Type of product or service purchased, personal data (name, surname, age, tax code, gender, place and date of birth), residence or domicile address, contact details (phone, email address), copy of ID document and tax code, service holder’s phone number or data related to the contracting party’s representative.
✓ Technical data generated to enable the provision of the purchased communication service. Please note that only external data (technical data for service management) are processed, with no access to content.
✓ Banking and/or payment data to enable payments, including bank domiciliation or credit card charges, and to verify proper payment and contractual compliance.
✓ The above data may also be used in case of attempted fraud to prevent or counteract it, in accordance with the principle of strictly necessary data minimization for the specific case, for the data controller’s legal defense or for any legal disputes until their conclusion.
Legal Basis:
✓ Subscription and activation of services and customer request management: contractual obligation (Art. 6, letter b GDPR).
✓ Identification of the service holder is linked to legal obligations (Art. 6, letter c GDPR).
✓ Technical traffic data related to service provision for interconnections and technical management: contractual obligation (Art. 6, letter b GDPR) and legal obligation (Art. 6, letter c GDPR) for retention.
✓ Intervening in cases of fraudulent use: legitimate interest of the data controller (Art. 6, letter f GDPR). Data may be processed according to the principle of minimization (using only data strictly necessary for the specific case) for the data controller’s legal defense or any legal disputes until their conclusion.
Timeframes:
✓ Data for contract activation and management, as well as directly related legal obligations, are retained for the duration of the relationship and for an additional 10 years and 6 months, unless legal disputes and proven protection needs may require longer processing in specific cases.
✓ Traffic data is processed for administrative purposes for only 6 months, unless there are legal disputes. Additional retention is based on specific legal requirements.
✓ It should be noted that data may be processed according to the principle of minimization (using only data strictly necessary for the specific case) for the data controller’s legal defense or any legal disputes until their conclusion.
B- Compliance with legal obligations regarding data retention for judicial purposes.
More details: Processing is strictly related to the obligation to retain telephone and telematic traffic data for judicial purposes as required by current legislation and the management of requests imposed by law. If you do not provide your data, it will not be possible to conclude the contract and provide the service.
What data we process:
✓ Data generated to enable the provision of telematic or telephone communication service in addition to the service holder, as previously indicated.
✓ Please note that only external data are processed with no access to content. It should be understood that in the exercise of their functions, authorities may, depending on the case, have access to all information stored by the data controller.
Legal Basis:
The processing of such data is related to legal obligations of the data controller (Art. 6, letter c GDPR).
Timeframes
✓ Data related to telephone and telematic traffic is retained based on legal obligations. The ordinary reference for retention is Article 132 of the Privacy Code, which requires telecommunications traffic data to be retained by the provider for 24 months and telematics traffic data for 12 months from the date of communication. Data related to unanswered calls is retained for 30 days.
- ✓ Currently, in derogation from the above terms, data must be retained for up to 72 months due to legal requirements, but they are only available for certain types of offenses. Article 132 of the Privacy Code provides differentiated access to this data depending on the type of offenses for which access is requested. In case of changes in regulations, retention will necessarily be modified in compliance with legal requirements.
- ✓ It should be noted that data may be processed according to the principle of minimization (using only data strictly necessary for the specific case) for the data controller’s legal defense or any legal disputes until their conclusion.
C – Management of data subject rights.
More Details: ✓ The purpose is related to receiving, analyzing, and managing requests to exercise data subject rights, including interaction with the data subject and providing appropriate responses and clarifications.
What data we process:
Depending on the type of request, we process all necessary data to ensure the correct exercise of data subject rights.
Legal Basis: Ensuring the exercise of rights is a specific legal obligation (Art. 6, letter c GDPR).
Timeframes:
✓ Data are processed for the time necessary to manage requests and to verify the same. The usual retention period is 5 years.
✓ It should be noted that data may be processed according to the principle of minimization (using only data strictly necessary for the specific case) for the data controller’s legal defense or any legal disputes until their conclusion.
D – Commercial communications regarding all products and activities of the data controller.
More details
- ✓ With the consent of the data subject, we may conduct commercial actions regarding all products and services provided by our organization. The data subject can choose the preferred contact method (SMS, email, calls with an operator, automated calls, or all methods).
- ✓ The data subject can object at any time, either through automated procedures managed with links provided in each communication, using systems made available by the data controller (apps, dedicated customer website area), or by contacting our organization. Opposition is simple and free and can apply to all communication methods or only to specific ones.
- ✓ Concerning phone contacts, in addition to the data subject’s right to object, the provisions of the regulations establishing and regulating the public opposition register will be guaranteed, even in case of service contract termination.
- ✓ If you do not provide your data, the indicated communications cannot be sent, without any other consequences.
What data we process:
✓ Name, surname, email, and/or phone number.
✓ The data subject can choose the preferred contact method: email, SMS, calls with or without an operator, all methods.
Legal Basis: Consent of the data subject (Art. 6, letter a GDPR).
Timeframes:
- ✓ Data are processed until the data subject objects, which can apply to all or only specific contact methods, as chosen by the data subject. Subsequently, data are processed only for the management of data subject rights (see explicitly stated purpose).
- ✓ It should be noted that data may be processed according to the principle of minimization (using only data strictly necessary for the specific case) for the data controller’s legal defense or any legal disputes until their conclusion.
3. Third-Party Communications
Data will not be disclosed. They will be processed by providers of technological, professional, IT, and consulting services who, as a rule, operate as data processors. It is understood that data will be processed in compliance with the principle of minimization, handling only data strictly necessary for the specific activity and, where possible, anonymized data.
In particular, categories of entities may include:
- Entities providing services for data acquisition and processing necessary for the use of services, user identification, handling of user requests, and more generally, activities related to the processing carried out by the data controller, and for the provision of contractually provided services.
- Customer support entities.
- Entities engaged in archiving and data entry.
- Entities providing services for the management of the data controller’s information system, including archiving and information security in accordance with regulations.
- Other electronic communications operators, for the management of interconnection and roaming relationships, and more generally, to ensure the correct provision of telephone and telematic connection services based on the provided service.
- Entities engaged in the transmission, packaging, transport, and distribution of communications to customers.
- Credit assignee companies or debt recovery entities, banks for domiciliation purposes.
- Entities performing control, review, and certification of activities carried out by the data controller.
- Entities performing technical and organizational tasks on behalf of the data controller.
- Sales agents, studies, and companies within the scope of assistance and consultancy relationships.
Data may also be communicated to independent third-party data controllers, particularly with reference to public authorities, if legal conditions are met and in the exercise of their functions.
4. Transfers outside the European Economic Area (EEA)
Data is processed within the European Union. If transfer is necessary, GDPR safeguards, such as standard contractual clauses promoted by the EU Commission for regulating transfers outside the European Economic Area, will be used, along with any supplementary measures as indicated by the EDPB.
- Data Subject Rights – Articles 15, 16, 17, 18, 19, 20, 21, and 77 of the GDPR
We inform you of the right to know the recipients of possible communications, to access personal data, to rectify and erase them (including, where applicable, the right to be forgotten), to restrict processing, to data portability, and to object to the processing of personal data concerning you. We also inform you that, if the legal basis is consent, you have the right to revoke it at any time, without affecting the lawfulness of processing based on consent before revocation (Art. 7, paragraph 3 GDPR). Pursuant to Article 77 of the Regulation, you have the right to lodge a complaint with a supervisory authority, particularly in the Member State where you habitually reside, work, or where the alleged violation occurred, which in Italy corresponds to the Italian Data Protection Authority, whose details can be found at www.garanteprivacy.it, or to contact the judicial authority. The exercise of these rights will be evaluated and guaranteed promptly where possible because, in certain cases, such as access to telephone or telematic traffic data, requests must be balanced against other legal requirements that may limit their exercise.
- Data Protection Officer Contact: dpo@mexedia.com
This notice was prepared on July 4, 2023.