>_Data Protection

Protection of Personal Data – Code Blue Italy srl

A. General Notes

Code Blue Italy srl and its affiliated companies (hereinafter referred to as "Codeblue") take the protection of the user's personal data very seriously and comply with the relevant regulations. Personal data is processed only to the extent necessary for the respective purpose. Our employees are obliged to maintain confidentiality and comply with legal provisions on data protection.

Below we clarify what information we collect, how it is used, and how to exercise your rights. The data protection notice can be viewed and printed at any time from the "Data Protection" tab in the footer of each page.

This data protection notice applies to the Codeblue website, our social media presence, email communication, and mobile apps for smartphones and other devices.

For clarifications, contact the data controller listed below, follow the provided links, and/or view other information on third-party pages. Our contact details can also be found in the Legal Notice section.

1. Data Controller

The data controller is Code Blue Italy Srl

Via Stresa 6

20125 Milan (MI)

Contact details of our data protection officer: Code Blue Italy Srl

Via Stresa 6

20125 Milan (MI)

[dpo@codeblueitaly.it](mailto:dpo@codeblueitaly.it)

+39 0291518

2. Personal Data

Personal data includes all information related to an identified or identifiable natural person (e.g., their name, address, or phone number).

Special categories of personal data are a particularly protected subset of personal data and are described in Article 9 of the General Data Protection Regulation (GDPR). These include, in particular, health data and biometric data.

Essentially, the personal data we collect is provided directly by the user. Unless the user provides otherwise, we process the personal data communicated by the user electronically and the information we collect in written or electronic form when they visit our web pages or during telephone conversations with our employees. This is done solely for the purpose of providing and administering our services and based on contact forms completed by the user or other correspondence.

3. Third-Party Access to User's Personal Data

The processing of personal data is carried out by us and, unless explicitly excluded, by service providers commissioned by us. In the latter two cases, we ensure that group companies or service providers comply with the relevant data protection regulations and the obligations arising from this notice.

Disclosure of personal data without the user's consent occurs only to state authorities authorized to receive information, where we are obliged to do so by law or by a court decision (Art. 6 para. 1 lit. c) GDPR).

Furthermore, disclosure pursuant to Art. 6 para. 1 lit. f) GDPR may take place if necessary for the assertion, exercise, or defense of rights and if there is no reason to assume that the user has a prevailing legitimate interest in the non-disclosure of their data.

If this is legally permitted and necessary pursuant to Art. 6 para. 1 sentence 1 lit. b) GDPR, disclosure of the user's data to third parties also takes place.

4. Recipients of User's Personal Data

Within the scope of legal powers, the user's personal data may be disclosed in particular to the following categories of recipients:

  • Web analytics service providers
  • IT service providers who process data as part of service provision (e.g., for IT maintenance activities, hosting service providers)
  • Service providers for file and data destruction, printing services
  • Marketing and sales service providers
  • Newsletter and logistics service providers
  • Suppliers, e.g., of materials and services
  • Cooperation partners
  • Payment service providers
  • Credit agencies and debt collection companies
  • Dealers
  • Auditors, accountants, consulting firms, insurance companies
  • Other Dussmann companies, if necessary in connection with an offer, a tender, or for the initiation, realization, or execution of a business relationship
  • Courts, authorities, legal advisors, or arbitration courts, if necessary to ensure compliance with applicable law or to assert, exercise, or defend rights

Internal group recipients are partly located in third countries (non-EU). Within the group, for data protection contracts based on EU standard protection clauses, Dussmann ensures that the user's personal data is adequately protected even at the recipient's location.

The legal basis for the transmission of data within the group is Art. 6 para. 1 lit. f) GDPR. The exchange of data within the group for internal administrative purposes constitutes a legitimate interest (Recital 48 GDPR).

Before transmitting user information to third parties, we take appropriate measures and ensure that recipients are obliged to comply with applicable data protection laws and maintain the confidentiality of personal data. Where necessary, data transmission takes place within the framework of a data processing agreement to ensure that data is processed only for the intended purpose and that adequate security measures are guaranteed.

5. Information on Data Transfer to the USA

Our website also contains tools from companies based in the USA. When these tools are active, the user's personal data may be transferred to the respective company's servers located in the USA. It is noted that the USA is not a safe third country in terms of data protection guaranteed in the EU. US companies are obliged to provide personal data to security authorities without the possibility for the user to take legal action. Therefore, it cannot be excluded that US authorities (e.g., intelligence services) process, evaluate, and permanently store the user's data located on US servers. We have no influence on these processing activities.

6. Data Retention Period

If no explicit retention period is specified at the time of collection (e.g., within the framework of a consent declaration) or within this data protection notice, personal data is deleted when it is no longer necessary to fulfill the purpose for which it was stored, unless legal retention obligations (e.g., tax or commercial obligations) prevent deletion.

If we store the user's data solely for the purpose of fulfilling retention obligations, it is generally blocked so that it can only be accessed if necessary concerning the purpose of the retention obligation.

If the user wishes to delete the data or revoke consent to its processing, the data is deleted as soon as possible, provided there is no retention obligation.

7. Security

We take all necessary technical and organizational security measures to protect the user's personal data from loss and misuse at all times. The user's personal data is stored in a secure operating environment that is not accessible to the public. SSL or TLS encryption is used on all websites. The user's data is encrypted directly during transmission. For security reasons, we do not provide further information here.

8. User Rights

Revocation of Consent

Once consent to the processing of personal data has been given, the user can revoke it at any time with future effect. The legality of the processing carried out based on the consent remains unaffected until the revocation. In case of revocation, we will promptly delete the affected data if further processing cannot be based on a legal basis for processing without consent. The user can send their revocation to [dpo@codeblueitaly.it](mailto:dpo@codeblueitaly.it) or, alternatively, by letter to Code Blue Italy srl, via Stresa 6, 20125 Milan (MI).

Other Rights

The user has the right to request confirmation from the respective data controller within Code Blue Italy Srl whether their personal data is being processed; if this is the case, they have the right to access such personal data and the information listed in detail in Art. 15 GDPR.

The user has the right to request the immediate correction of incorrect personal data or the completion of incomplete personal data (Art. 16 GDPR).

The user has the right to request the immediate deletion of their personal data if one of the reasons listed in detail in Art. 17 GDPR applies, e.g., if such data is no longer necessary for the purposes pursued (right to erasure).

The user has the right to request the restriction of processing if one of the conditions listed in Art. 18 GDPR applies, e.g., in case of objection to processing.

The user has the right to receive their data provided to us in a structured, commonly used, and machine-readable format or to request the respective data controller to transmit such data to another data controller (right to data portability, Art. 20 GDPR), if technically possible.

If we transfer the user's personal data to a country outside the EU that does not offer adequate protection, we generally conclude a contract that ensures adequate protection of personal data. Additionally, we use standard data protection clauses available at the following URL: ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en

The user has the right to object at any time to the processing of their personal data for reasons arising from their specific situation. The respective data controller will refrain from processing the user's personal data unless they can demonstrate compelling legitimate grounds for processing that override the user's interests, rights, and freedoms or if the processing serves to assert, exercise, or defend a legal claim (Art. 21 GDPR).

The user can object at any time to the use of their personal data for direct marketing purposes without further consideration. In this case, we will no longer use the user's personal data for direct marketing purposes.

Without prejudice to any other administrative or judicial remedy, the user has the right to lodge a complaint with a supervisory authority if they believe that the processing of their personal data violates the GDPR (Art. 77 GDPR). The user can assert this right with a supervisory authority, particularly in the member state where they habitually reside, work, or where the alleged violation occurred.

An overview of other national and international data protection authorities can be found here.

B. Data Processing When Visiting Our Web Pages

1. Categories of Data, Purposes, and Legal Bases of Data Processing

When the user visits our web pages and/or concludes a contract with us via a web page, we process their personal data. The processing may concern the following data:

  • Surname, first name
  • Address
  • Company name or designation
  • Email address
  • Phone/fax number
  • Date and time of the request
  • Content of the request (specific page)
  • Access status / HTTP status code
  • Amount of data transmitted
  • Website from which the request originates
  • Browser type and version
  • Language and version of the browser software
  • IP address and internet access provider
  • Operating system
  • For mobile devices, possibly the manufacturer/type designation
  • Goods/service
  • Bank and credit card data
  • Health/care data
  • Message/data in the text field

We process this data for the management of the web pages (Art. 6 para. 1 lit. b) and f) GDPR), for the fulfillment and execution of contracts (Art. 6 para. 1 lit. b) GDPR), and for our own advertising purposes (if the user provides consent pursuant to Art. 6 para. 1 lit. a) GDPR or based on our legitimate interests pursuant to Art. 6 para. 1 lit. f) GDPR). Additionally, we use this data to fulfill our legal obligations to regional and federal authorities (e.g., tax office) (Art. 6 para. 1 lit. c) GDPR). For contract conclusion, clear identification of the user requires at least their surname, first name, and address. Without this data, we cannot fulfill the respective contracts. If the user wishes to voluntarily provide us with other data, we will process it based on Art. 6 para. 1 lit. f) GDPR.

2. Log Files

When visiting some of our pages, we generally temporarily save the connection data (so-called server log files) automatically transmitted to us by the user's browser to ensure system security and stability, perfect website structuring, and other administrative purposes. These are:

  • Browser type and version
  • Operating system used
  • Referrer URL
  • Host name of the accessing computer
  • Time of the server request
  • IP address

Processing is based on Art. 6 para. 1 lit. f) GDPR. In addition to system security and stability, our legitimate interests are the evaluation of usage data of our website, the pursuit of rights, crime investigations, and the maintenance of our IT systems.

3. Contact Forms

If the user uses a contact form on our websites, the data entered by them (e.g., gender, name, company, address, email, phone, message) will be processed to enable us to respond accordingly, forward the message to the right partners within Dussmann, and allow the user to be contacted by them.

The legal basis for processing is Art. 6 para. 1 lit. f) GDPR and, if the user's request aims at concluding a contract, the legal basis for processing the necessary data is Art. 6 para. 1 lit. b) GDPR. Our legitimate interest is to respond to the user's request.

4. Request via Email, Phone, or Fax

If the user contacts us via email, phone, or fax, the data entered by them (e.g., name, email address, phone number, request) will be processed for the purpose of processing their request.

Data processing is carried out pursuant to Art. 6 para. 1 lit. b) GDPR if the user's request aims at concluding or fulfilling a contract. In all other cases, processing is based on our legitimate interest in effectively processing the request addressed to us (Art. 6 para. 1 lit. f) GDPR) or the user's consent (Art. 6 para. 1 lit. f) GDPR), if required.

We will delete the data sent by the user through contact requests if the purpose of data storage ceases to exist (e.g., after processing the user's request) or if the user asks us to delete it or revokes their consent to storage. Mandatory legal provisions, particularly regarding retention periods, remain unaffected.

5. Newsletter

If the user orders a newsletter offered by us, we only need a valid email address from them. Additional data is optional. After registration, our system sends the user an email containing an activation link with which the user can confirm the newsletter subscription. This ensures that the user is indeed the owner of the provided email address and agrees to receive the newsletter. Inclusion in the recipient list and sending of newsletters only takes place after the user has confirmed the activation link in the registration email for receiving newsletters (so-called double opt-in procedure). Upon newsletter registration, the user's IP address, as well as the date and time of registration, are saved. This processing takes place based on Art. 6 para. 1 lit. a) GDPR. The user can revoke their consent at any time with future effect by contacting the addresses provided in the data protection notice or via the unsubscribe link found in each newsletter.

The data stored by us for receiving the newsletter is saved until the user unsubscribes from the newsletter and is then deleted, except for personal data necessary as proof of eligibility to send the newsletter. These are saved from the beginning not for sending the newsletter but to prove eligibility. The legal basis for saving (including continued saving) such data is Art. 6 para. 1 lit. f) GDPR. Our legitimate interest is to prove eligibility to send the newsletter.

6. Assignment via Online Portal

In case of a request or assignment via an online portal managed by us, the data necessary for preparing an offer, processing, and handling are requested through mandatory fields: for example, the user's full name, email address, address (delivery and billing), information for contract fulfillment, bank and credit card data. This data is recorded in a customer account.

We process the data entered by the user for preparing an offer, order, booking, fulfillment, handling of the contractual relationship, and complaints, requests, and billing. Where necessary, the data required for the respective activity is forwarded to the respective support staff or an external service company.

Personal data is deleted after the purpose is fulfilled or, if still necessary for fulfillment, handling, and billing of the contractual relationship or actions such as complaints, requests, billing, or for fulfilling legal obligations, it is blocked and reused only for these purposes.

The legal basis for the above-described data processing is Art. 6 para. 1 lit. b) GDPR and, for handling complaints, also Art. 6 para. 1 lit. c) GDPR.

7. News/Job Alerts

With our news or job alerts, the user is automatically informed as soon as new contributions or new jobs are available in the business areas or companies they have chosen and corresponding to their filter criteria. We only need a valid email address from them. Upon registration for the news/job alert, the user's IP address, as well as the date and time of registration and the user's filter criteria, are saved. The page on which the registration takes place is also saved for the news alert. The data will only be used for sending notifications. This processing takes place based on Art. 6 para. 1 lit. a) GDPR. The user can revoke their consent at any time with future effect by contacting the addresses provided in the data protection notice or via the unsubscribe link found in each news/job alert.

The data stored by us for receiving news/job alerts is saved until the user unsubscribes from them and is then deleted. The data stored by us to prove eligibility to send news/job alerts remains unaffected. The legal basis for saving (including continued saving) such data is Art. 6 para. 1 lit. f) GDPR. Our legitimate interest is to prove eligibility to send news/job alerts.

8. Cookies, Tracking Pixels, and Similar Technologies

Our web pages partly use cookies. "Cookies" are small text files that allow specific user-related information to be stored on the user's terminal device (PC, laptop, tablet, smartphone, etc.) when they visit one of our websites (hereinafter collectively referred to as "cookies"). Cookies help us determine the frequency of use and the number of users of our web pages and structure our offers for the user more comfortably and efficiently. On our websites, we use "session cookies" (deleted again after the end of the browser session) and "permanent cookies" (which remain on the user's terminal device even after the end of the browser session).

Third-party cookies may also be stored on the user's terminal device when they visit our website (third-party cookies). They allow us or the user to use certain services of the third-party company (e.g., cookies for processing payment services).

Cookies have various functions. Some cookies are technically necessary, as certain website functions would not work without them. Other cookies serve to evaluate user behavior or display advertising.

The storage duration depends on the respective cookie and is further specified below. Some cookies are deleted after less than an hour, while others may remain stored on a computer for several years. The user can also influence the storage duration. The user can manually delete all cookies stored on their browser at any time (see also "Right to Object" below). Additionally, cookies based on consent are deleted at the latest after the revocation of consent, which does not affect the legality of previous storage.

Cookies necessary for executing the electronic communication process (necessary cookies) or for providing certain functions desired by the user (e.g., for the shopping cart function) or for optimizing the website (e.g., cookies for measuring web audience) are stored based on Art. 6 para. 1 lit. f) GDPR, unless another legal basis is indicated. As website operators, we have a legitimate interest in storing cookies for the optimized and error-free provision of our services. If consent is requested for storing cookies, the storage of the relevant cookies takes place solely based on the user's consent (Art. 6 para. 1 lit. a) GDPR). The user's consent is revocable at any time.