Last update: 03/19/2021

Dear user,
to access and use the services offered by this application called SMARTECH APP (hereinafter referred to as the “APP”), our Company needs to process some of your personal data for the purposes specified below. In this regard, pursuant to art. 13 of Regulation (EU) 2016/679 (hereinafter referred to as “GDPR”), we wish to provide you with appropriate information regarding your personal data processing.

1 Data controller

1.1 The personal data controller is Immergas S.p.A. based in Brescello – Via Cisa Ligure, 95 – 42041 Reggio Emilia, Italy (hereinafter referred to as “Immergas”), which you can get in touch with to exercise your rights by e-mail at privacy@immergas.com, or by ordinary mail at the data controller’s address.

2 Categories of personal data processed

2.1 Processing will only concern personal data which is strictly relevant and effective for pursuing the purposes referred to in point 3 below. In particular, the following categories of personal data may be processed:
2.1.1 identification data, such as name, surname, address or telephone number;
2.1.2 electronic identification data such as user name (account), password or e-mail address
2.1.3 connection data, i.e. information about smartphones, or more generally the devices used to access the APP. This information may include, but is not limited to, the operating system of the device, or details about the Internet service provider, mobile network, IP address, etc.
2.1.4 system operation data, i.e. data concerning the operating parameters of the central heating / cooling system.
2.1.5 location data, namely data used to identify the geographical position of a mobile device.

3 Purpose of processing

3.1 The Controller may process the personal data of any user accessing the APP referred to in point 3 above, exclusively for the purpose of making the following features available to them:
3.1.1 Independent and remote adjustment of their systems;
3.1.2 Go-ahead to an authorised Technical Support Centre to remotely adjust their systems. This service is enabled only upon specific authorisation by the user, who can revoke it at any time by accessing the appropriate APP permission section.
3.1.3 Display through the APP of the system’s operation status and/or anomalies.
3.1.4 Use of the “Away” service, i.e. the ability to automatically adjust and set the thermal comfort of the system based on the proximity/vicinity of the user to their own system. The service is enabled only upon specific user authorisation by choosing the “Activate” option when using the Away feature for the first time. The user can at any time activate or deactivate the location services by accessing the appropriate permission section for locating their mobile device.

4 Geolocation

The Away service referred to in the previous point needs to acquire data about the geographical position of the user’s mobile device (smartphone). It should be noted that the APP does not store any historical data on the user’s position, preventing both a continuous view of his/her position and any reconstruction of the relevant paths. The APP exclusively records – at periodic intervals of time – the proximity/vicinity status of the user to the system.

5 Legal basis of processing

5.1 Personal data are processed only with the user’s approval.

6 Type of data provision and consequences of a refusal to provide personal data

6.1 The provision of personal data is optional, i.e. the user is not required to provide any of the personal data referred to in point 2 above. However, failure to provide personal data by the user may make it impossible for the user to use – fully or in part – the functions of the APP.

7 Processing methods

7.1 Personal data processing may concern all the operations referred to under art. 4, paragraph 2 of the GDPR. In any case, the principles applicable to data processing, as set forth in art. 5 of the GDPR, will be complied with. Data will be processed both manually and through IT tools. Data will be stored in hard copies and electronic archives.
7.2 Processing will be carried out directly by the Controller’s organisation, as better specified in point 9 below, or through third parties, service providers for the Controller, appointed as Data Processors for this purpose, in accordance with the provisions of art. 28 of the GDPR.
7.3 In any case, data will be processed with logic strictly related to the purposes under point 3 above and with methods that guarantee security and confidentiality, by taking suitable measures to prevent alteration, erasure, destruction, unauthorised access or any processing that is not allowed or does not comply with the collection purposes.

8 Profiling

8.1 The user’s personal data are not processed through an automated decision-making process, including profiling, whereby profiling refers to any form of automated processing of the personal data aimed at analysing or foreseeing certain personal aspects including, by way of example, personal preferences, interests or behaviour of the Website users.

9 Data access scope

9.1 The subjects expressly authorised by the Controller may have access to personal data within the Controller’s organisational structure as well as within the limits and according to the procedures set out for the respective assignments, and exclusively in order to pursue the purposes referred to in point 3 above.

10 Recipients of the personal data

10.1 The processing of personal data may be entrusted by the Controller to external companies which carry out, on the Controller’s behalf, specific activities related to the purposes referred to under point 3 and, as a result of their experience, expertise and reliability, guarantee full compliance with the current provisions on data processing, protection and safety, and which will, in this case, be appointed as Data Processors pursuant to the provisions of art. 28 of the GDPR.
10.2 Personal data may also be disclosed to external public or private subjects, operating as independent data controllers, whereby they are entitled to request the data.

11 Transfer of personal data outside the European Union

11.1 Personal data will not be transferred by the Controller to third countries or international organisations outside the European Union unless the safeguard mechanisms provided for in CHAPTER V, articles 44 and following, of the GDPR have been adopted and are in force.

12 Personal data retention period

12.1 Personal data will be stored until the purposes referred to in point 3 have been fulfilled. Once the aforementioned purposes have been fulfilled, the Controller will delete the personal data.

13 Rights of the data subject

With regard to his/her personal data, the user, as the data subject, may exercise the rights provided for by the GDPR set out below. The exercise of rights is free of charge pursuant to art. 12 of the GDPR. However, in the event of clearly unfounded or excessive requests, also due to their repetitiveness, the Controller may charge a reasonable fee due to the administrative costs incurred to manage the request, or deny fulfilling it.
art. 7 Right to withdraw consent. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
art. 15 Right of access. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data. When requested by the data subject, the controller shall provide a copy of the personal data undergoing processing.
art. 16 Right to rectification. The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her and the right to have incomplete personal data completed.
art. 17 Right to erasure (so-called “right to be forgotten”). The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay and within the limits as provided for by art. 17 of the GDPR.
art. 18 Right to restriction of processing. The data subject shall have the right to obtain from the controller restriction of processing in the cases envisaged by art. 18 of the GDPR.
art. 19 Notification obligation regarding rectification or erasure of personal data or restriction of processing. The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.
art. 20 Right to data portability. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract and the processing is carried out by automated means.
art. 22 Automated individual decision-making, including profiling. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
art. 77 Right to lodge a complaint with a supervisory authority. The data subject shall have the right to lodge a complaint with a supervisory authority, in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes the GDPR provisions.