Privacy Policy

Information on the Processing of the Personal Data pursuant to art. 13 of the 2016/679 EU Regulation

1. General Information

1.1. This document sets out the methods by which Flame'l uses the personal data provided by users («Users») of the website www.theflamel.com (hereinafter also the «Site»). Other websites that can be reached through links on the Site are excluded. To find out more about the ways in which these other sites process personal data, it is recommended to consult the privacy policies of the visited third party sites.

1.2. Personal data provided by Users will be processed in accordance with the provisions of EU Regulation 2016/679 on the protection of personal data (General Regulation on Data Protection - «GDPR»), Legislative Decree 30 June 2003 Nº 196 (Code regarding the protection of personal data) as last amended by Legislative Decree 10 August 2018, Nº 101, as well as any other applicable law regarding privacy and personal data protection.

1.3. The following information is made pursuant to and for the purposes of Article 13 of the GDPR.

2. Holder and Place of Treatment

2.1. The owner of the personal data is Flamel s.r.l., a company incorporated under Italian law with registered office in Milan, via Dante, 4, 20122, Tax Code / VAT Number and Nº of registration with the Milan Companies Register Nº 09525660966, Nº REA MI — 2096030, share capital of €10,000.00 I.V. (hereinafter also referred to as «Holder»).

2.2. For the purposes of this statement, the processing of Personal Data means any operation or set of operations, performed with the aid of automated processes and applied to Personal Data, such as collection, registration, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, diffusion or any other form of making available, comparison or interconnection, limitation, cancellation or destruction.

2.3. The User's Personal Data, as defined below, will be processed within the European Union and stored on servers located in the European Union.

3. Types of Data processed

3.1. The Data Controller will process the personal data communicated by you («Personal Data») in compliance with the principles of necessity, transparency, lawfulness, correctness and proportionality of the processing of personal data.

3.2. In particular, the following Personal Data are processed:

3.2.1. Area data: at the time of account creation, the User will be required to provide certain Personal Data, in particular name and surname, username, password, home address, e-mail address, mobile number; this data is necessary to successfully complete the account creation. Any refusal to provide this data will make it impossible to create an account and access the services related to the reserved area. To access and visit the Site, no personal data is required, nor does any processing take place.

3.2.2. Personal Data in relation to an order: if the User places an order without having created a personal account, at the time of ordering he must provide his Personal Data, including name and surname, e-mail address, mobile number, address of delivery and possibly the billing address (if different). These data are necessary in order to be able to complete the shipment of the order successfully.

3.2.3. Payment Information: credit card details, PayPal account details or other payment information provided by you to receive the products or services (shipping) requested by you.

3.2.4. Contact details: if the User intends to ask questions to the Owner via email, the email address and the content of the message sent will be processed. The processing of these Personal Data is necessary to provide feedback to the communication received. The provision of further data must be considered absolutely optional.

3.2.5. Navigation data: the computer systems and the software procedures used to consult the Site acquire, for the duration of the connection only, identification data that are not stored permanently or collected. These data, by their very nature, could however allow Users to be identified through processing and association with data held by third parties.

These data are: the IP addresses or the names of the computers used by the Users to connect, the URI (Uniform Resource Identifier) addresses of the requested resources, the time, the method used to submit the request to the server, the size of the file obtained in response, the numeric code indicating the status of the response given by the server and other parameters. These data could be used to ascertain responsibility in case of any computer crimes against the Data Controller, its assignees or third parties. We ask you to read our Cookie Policy for the processing of such data.

3.3. We inform you that Personal Data will be processed manually and/or with the support of IT or telematic means.

3.4. The Data Controller will not process special categories of Personal Data within the meaning of Article 9 of the GDPR (understood as personal data revealing the racial or ethnic origin, political opinions, religious or philosophical beliefs, or union membership of Users, as well as genetic data, biometric data suitable to uniquely identify a natural person, data related to the health or sexual life or sexual orientation of Users), or Personal Data pursuant to Article 10 of the GDPR (i.e. data relating to criminal convictions and crimes or related security measures). Users are advised not to transmit the above information to the Data Controller.

4. Purpose and Legal Basis of Treatment

4.1. The Data Controller will process the User's Personal Data for the achievement of specific purposes and only in the presence of a specific legal basis provided for by the applicable law on privacy and protection of personal data. Specifically, the Data Controller will process Personal Data only when one or more of the following legal bases applies:

— the processing is necessary for the execution of a contract to which the User is a party or for the execution of pre-contractual measures taken at the request of the User;
— the Holder is bound by a legal obligation to process Personal Data.

4.2. The following table lists the purposes for which the User's Personal Data are processed by the Data Controller and the legal basis on which the processing is based.

Purpose of the processing, followed by its legal basis:

— Allowing the shipment of an order, management of a purchase order and related administrative activities. Legal basis: execution of a contract.
— Allowing the creation of an account by the User and use of services related to the reserved area. Legal basis: execution of pre-contractual measures at the request of the interested party.
— Responding to a communication or a User question. Legal basis: execution of pre-contractual measures at the request of the User.
— Allowing the use of all the features of the Site correctly. Legal basis: execution of a contract.
— Fulfilment of legal obligations, regulations or provisions of the Community legislation. Legal basis: obligation of law.
— Sending commercial communications and direct marketing, carried out using «traditional» methods or through «automated» contact systems. Legal basis: consent of the User.
— Analysis of the propensity to use the products and services offered by the Owner, the definition of individual and group profiles, the proposition of individual offers. Legal basis: consent of the User.

4.3. The provision of Personal Data is necessary in all cases where processing is carried out on the basis of a legal obligation, or to execute a contract to which the User is a party, or for the execution of pre-contractual measures taken at the request of the User. In such cases, a refusal could make it impossible for the Owner to proceed with the purpose for which the Personal Data are collected.

4.4. The provision of Personal Data by the User is voluntary for the further purposes indicated in the table. Failure to provide consent in relation to these latter purposes will have no consequences on the conclusion of the contract. The mandatory or optional nature of the provision will be specified at the time of collection.

5. Recipients of Personal Data

5.1. Your Personal Data may be made accessible for the purposes mentioned above:

— to the employees and collaborators of the Data Controller, agents acting as data processors;
— to Third Parties, such as companies in charge of delivering the products, duly authorized, for the sole purpose of following up the request / order of the User to use the service of purchase/sale of products through the Site.

5.2. Appropriate security measures are observed to prevent data loss, illicit or incorrect use and unauthorized access.

6. Period of Retention of Personal Data

6.1. The Personal Data processed for the purposes set out above will be retained in accordance with the principles of proportionality and necessity, and in any case for the whole period necessary to achieve the purposes for which they were collected or according to the applicable law.

6.2. The User's Personal Data will normally be kept for as long as the User does not withdraw his consent.

7. User Rights

7.1. In compliance with articles 15—22 of the GDPR, the Users have the right to access their Personal Data at any time, and in particular to obtain confirmation of the existence or not of Personal Data concerning them and their communication in an intelligible form in such a way as to allow portability to another holder, to know the origin of the Personal Data, the purposes and methods of the processing; to obtain an indication of the identification details of the owner, the managers and the subjects or categories of subjects to whom the Personal Data may be communicated.

7.2. Users also have the right to verify the accuracy of Personal Data or request its integration or updating or correction. Users also have the right to request cancellation, limitation, transformation into anonymous form or blocking of personal data processed in violation of the law, as well as to object, in whole or in part, for legitimate reasons to their processing.

7.3. The User has the right to object at any time to the processing of his Personal Data carried out for direct marketing purposes. The right to object to such processing performed through automated contact means also extends to the processing of Personal Data through traditional means of contact, unless the User wishes to object only in part. If the User objects to the processing for direct marketing purposes, the User's Personal Data will no longer be processed for these purposes.

7.4. Without prejudice to any other administrative or judicial appeal, a User who considers that the processing concerning him violates the law on the protection of personal data has the right to lodge a complaint with a supervisory authority, in particular in the Member State in which he normally resides or works, or in the place where the alleged violation occurred.

7.5. Should the User intend to refer to the Guarantor for the protection of personal data, he can do so at the following address: Piazza di Monte Citorio n. 121, 00186, Rome; Fax: (+39) 06 69677 3785, Telephone switchboard: (+39) 06 696771, E-mail: garante@gpdp.it.

8. Minors

8.1. We do not knowingly deal with data relating to minors. If the User provides Personal Data or otherwise performs transactions with us, he automatically declares that he is eighteen years of age and has full power to execute these transactions and to be legally bound by them.

8.2. Should the Data Controller be informed or become aware of the fact that a minor has provided us with his Personal Data on the Website or otherwise, we will immediately delete such Personal Data.

9. Changes to this Notice

9.1. This Notice may from time to time be subject to changes in order to implement changes in national and/or Community legislation or for adaptation to technological innovations or for other reasons.

9.2. Any new versions will be published on the Website.

10. Contacts and Complaints

10.1. For any questions or information related to this Personal Data Protection Notice, as well as for the exercise of rights and for the revocation of consent, the User may send a communication to the email address: privacy@theflamel.com

Date of last update: 10/12/2018