Pursuant to Arts. 13-14 of EU Regulation no. 679/2016
The Erika Dursi Agricultural Company (hereinafter the “Data Controller”), pursuant to articles 13 and 14 of the EU Regulation n. 679/2016, makes the information regarding the processing of personal data in the provision of its service known with this communication.
It should be pointed out right away that the entire information must be read keeping in mind that the Data Controller provides a service exclusively aimed at the sale of graphic and digital projects, management packages, tangible assets and training courses.
The information is also based on the Recommendation n. 2/2001 that the European authorities for the protection of personal data, gathered in the Group established by the art. 29 of the directive n. 95/46/CE, adopted May 17, 2001 to identify some minimum requirements for the collection of personal data online and, in particular, the methods, timing and nature of the information that the data controllers must provide to users when they connect to web pages, regardless of the purpose of the connection, as following consultation of a site, data relating to identified or identifiable persons may be processed.
The information is provided only for the website of the Data Controller and not for other websites that may be consulted by the user via links.
Art. 1. Data Controller – Data Processing and Protection Manager
The Data Controller of your data is the Erika Dursi Agricultural Company, tel +39 328 9727566, email firstname.lastname@example.org
Any employees of the Data Controller (administrative, commercial staff), as data processors and processors, are all assigned specific data processing duties.
Art. 2. Place of processing of personal data
Personal data are processed on the premises of the Data Controller, as well as on computer support by means of the software made available by the different Partners and the devices made available to the subjects authorized to the treatment.
Art. 3. Type of data processed
The Data Controller processes only data provided voluntarily by the user, or data acquired from third parties with his explicit consent; data strictly necessary to fulfill any request, be it information or service provision. For the provision of the service and / or for the pre-contractual activities, the Data Controller processes the following categories of data:
- Common personal data
(any information relating to an individual, identified or identifiable, even indirectly, by reference to any other information, including a personal identification number) including: personal, bank / financial data, telephone and data transmission contacts.
- a) Navigation data.
The computer systems of the Website and the Blog collect some Personal Data whose transmission is implicit in the use of Internet communication protocols.
This information is not collected to be associated with you, but by its very nature could, through processing and association with data held by third parties, allow identification.
These data are used in order to obtain anonymous statistical information on the use of the Site and to check its correct functioning; to allow – given the architecture of the systems used – the correct provision of the various features you requested, for security reasons and to ascertain responsibility in the event of hypothetical computer crimes against the Site or third parties.
For example, each time the user accesses the pages on the website of the Data Controller, the user data will be transmitted through the internet browser and saved in protocol files, the so-called log files of the server.
The following data will be saved: date and time of access, name of the site visited, IP address, URL of the referrer (URL of origin through which you arrived on the websites of the Data Controller), the amount of data transmitted, information concerning the product and browser version used. Users’ IP addresses are deleted or made anonymous at the end of use. In the case of anonymisation, IP addresses will be modified in such a way that they cannot be attributed to a specific natural person except with an excessive effort in terms of time, costs and labor.
We analyze these logfile data sets anonymously in order to improve our offers, find and eliminate errors faster and to check the server’s capabilities. In support of this information on the data acquired by browsing the portal of the Data Controller, the interested party is invited to consult the Cookies section, to be considered an integral part of this information.
- b) Data provided voluntarily.
Through the Website you have the possibility to voluntarily provide Personal Data such as name, surname and e-mail address or bank details to make a payment. The Data Controller will process these data in compliance with the Applicable Law, assuming that they refer to you or to third parties who have expressly authorized you to provide them on the basis of an appropriate legal basis that legitimates the processing of the data in question.
With respect to these assumptions, you are acting as an independent Data Controller, assuming all legal obligations and responsibilities. In this respect, you grant the broadest indemnity with respect to any dispute, claim, request for compensation for damage arising from processing, etc. that may reach the Data Controller from third parties whose Personal Data have been processed through your use of the Site in violation of the Applicable Law.
- c) Data processed in interaction with social networks.
In addition to filling out the appropriate service request forms, you can submit this request, if you have a Facebook or Google profile, even by simply clicking on the “Register with Facebook” or “Register with Google” button. In this case, Facebook or Google will automatically send to the Data Controller some of your data, specified in the appropriate “pop-up” window that is displayed at the time of the request, and there will be no need to fill in other forms on your part.
Art. 4. Purpose of processing
The Data Controller informs that it will process personal data to the extent strictly necessary to fulfill the following purposes:
- a) purposes related to the execution of a contract of which you are a party or to the execution of pre-contractual measures adopted at your request;
- b) purposes related to the fulfillment of a legal obligation to which the Data Controller is subject;
- c) purposes necessary to ascertain, exercise or defend a right in judicial proceedings or whenever the judicial authorities exercise their jurisdictional functions;
- d) allow navigation of the Site and provision of the services of the Data Controller;
- e) find specific requests addressed to the Data Controller;
- f) fulfill any obligations required by applicable laws, regulations or EU legislation, or meet requests from the authorities;
- g) carry out direct marketing via e-mail for services similar to those you have subscribed to, unless you expressly refuse to receive such communications, which you may express during registration or on subsequent occasions;
- h) carry out marketing / newsletter activities such as: developing studies, research, market statistics; send information and promotional material concerning the activities, services and products of the Data Controller and their business Partners (without there being any communication of personal data owned by the Data Controller to the aforementioned Partners); send you surveys to improve the service (“customer satisfaction”). These communications may be sent by e-mail or text message, via paper mail and / or use of the telephone with operator and / or through the official pages of the Data Controller on social networks; it is specified that the Data Controller collects a single consent for the marketing purposes described herein, pursuant to the General Provision of the Guarantor for the Protection of Personal Data “Guidelines on promotional activity and contrast to spam”, of 4 July 2013 ; if, in any case, you wish to oppose the processing of your data for the purposes of marketing performed with the means indicated herein, you may at any time do so by contacting the Data Controller at the addresses indicated in the “Contacts” section of this statement, without prejudice to the lawfulness of the processing based on the consent given before the revocation;
- l) for statistical or research purposes, without it being possible to trace your identity.
The user at any time has the right to revoke his authorization for the use of personal data for these purposes, even only partially or for specific communication methods. This operation does not include additional costs and it will only be necessary to send a communication to the known contacts of the Data Controller.
Art. 5. Processing methods
The information systems and computer programs are configured to minimize the use of personal data and identification data, so as to exclude the processing when the purposes can be pursued by means of anonymous data or the use of appropriate methods that allow identification of the interested party only in case of need.
To access the service offered by the Data Controller, the data subject will initially provide only common personal data that will be processed by administrative staff.
Indeed, the Data Controller takes all possible security initiatives and measures to prevent the appointees from processing data that is not necessary for the purpose of completing the related purpose.
Your personal data will be recorded, processed, managed and archived with the aid of electronic computer tools and only in paper format.
In any case, the chosen method will not affect the security and confidentiality of the data that remains guaranteed.
Personal data is managed with automated tools for the time strictly necessary to achieve the purposes of the processing. Specific security measures are observed to prevent the loss of data, illicit or incorrect use and unauthorized access.
In this sense there is a widespread distribution of responsibilities and the possible activities on the data are defined through regulations and operating instructions to the appointees. The Data Controller has undertaken to guarantee training and updating courses on privacy issues, on potential dangers and on responsibilities related to data processing. In addition, all operators who access the computerized systems are identifiable, bound by professional secrecy and / or office and in any case authorized for processing.
In cases where special laws provide for the processing of data in anonymous form (protection of victims of acts of sexual violence and pedophilia, seropositivity, use of drugs, psychotropic substances and alcohol, voluntary interruption of pregnancy, anonymity, services offered by family counseling, responsible procreation choices, etc.) the data are obscured at the time of their creation in accordance with the provisions of the law in force and are not subject to processing.
The Owner does not perform profiling on the processed data.
Art. 6. Security measures
The processing of personal data is guaranteed by the application of suitable and preventive security measures that allow to minimize the risks of destruction or loss, even accidental, of the data, unauthorized access or treatment that is not permitted or does not comply with the purpose of collection.
Organizational choices and operating procedures regarding security in the processing of personal data are also defined by the processing of sensitive personal data by electronic means.
The security system for personal data identifies the organizational choices and operating procedures concerning security in the processing of personal data, in particular with regard to:
- the list of personal data processing;
- access to authorized personnel based on the purpose of the processing;
- the analysis of the risks incumbent on the data;
- the measures to be taken to ensure the integrity and availability of data;
- the description of the criteria and methods for restoring data availability following destruction or damage;
- the provision of training interventions for the persons in charge of processing, to make them aware of the risks incumbent on the data, of the measures available to prevent harmful events, of the profiles of the regulation on the protection of the most relevant personal data in relation to the relative activities, of the responsibilities that derive and how to update on the minimum measures adopted by the Data Controller;
- the description of the criteria to be adopted to guarantee the adoption of the minimum security measures in the event of processing of personal data entrusted outside the structure of the Data Controller or transferred abroad;
- for the personal data suitable to reveal the state of health and the sexual life, the identification of the criteria to adopt for the encryption or for the separation of such data from the other personal data of the interested one.
Art. 7 Treatment recipients
The subjects that will treat your personal data are:
– subjects in charge within the structure of the Data Controller, necessary for the provision of the services offered;
– subjects that typically act as controllers, ie:
- i) persons, companies or professional offices that provide assistance and advice to the Data Controller in accounting, administrative, legal, tax and financial matters;
- ii) subjects delegated to carry out technical maintenance activities;
- iii) credit institutions, insurance companies and brokers;
- iv) parent companies, subsidiaries and affiliates of the Data Controller, limited to the pursuit of administrative and accounting purposes related to the performance of organizational, administrative, financial and accounting activities;
– persons authorized by the Data Controller to process Personal Data that are committed to confidentiality or have an adequate legal obligation of confidentiality; (eg employees and collaborators of the Data Controller);
– subjects, entities or authorities to which it is mandatory to communicate your personal data pursuant to legal provisions or orders of the authorities;
– courts in the performance of their duties when required by Applicable Law.
The display of personal data takes place only by the authorized parties according to precise procedures, relating to the content of the contract signed by the interested party to the processing and in compliance with the purposes already described.
The designation is carried out by means of an “appointment deed” included in the agreements, conventions or contracts that provide for the assignment of the processing of personal data outside the Company.
7.1 Internal Data Processors
The Data Controller, in consideration of the complexity and multiplicity of the institutional functions of the Company, designates as Data Processors:
- each manager in charge of an operational unit of the company, for the paper databases and for the electronic databases of the single structures;
- the Manager in charge of the IT Service for centrally managed electronic databases;
- all external subjects that, in any way, use the Data Controller data bank on behalf of and in the interest of the Data Controller for purposes related to the exercise of its business functions (Article 9).
The designation of internal managers is linked to the assignment of the structure assignment and is considered accepted by signing the contract.
The Data Controller must inform each Data Processor, as identified by the Regulation, of the responsibilities entrusted to him in relation to the provisions of current regulations.
Each manager must guarantee:
– the timely and complete compliance with the Company’s duties provided for by the Code, including the safety profile;
– compliance with the provisions of this Regulation as well as the specific instructions given by the Owner;
– interaction with the Guarantor in case of request for information or other assessments;
– the adoption of appropriate measures to guarantee, in the organization of services and services, respect for the rights, fundamental freedoms and dignity of the persons concerned, as well as professional secrecy, without prejudice to the provisions of current legislation and the company security system regarding the methods of processing sensitive data and minimum security measures.
The Data Processing Manager, in relation to the implementation of security measures, has the following tasks:
- draw up and update the list of types of treatments carried out (census – art. 16);
- request the IT Service Manager to assign to each person in charge of processing a personal and non-reusable personal identification code for access to data;
- keep the passwords for access to data by the Distributors;
- check with the IT Service Manager the effectiveness of the protection and antivirus programs as well as define the access measures to the premises and the security measures against the risk of intrusion;
- to ensure that all security measures regarding the Company’s data are applied within the Company itself and outside, if they are accessed by third parties such as Data Processors;
- inform the Data Controller in the event that risks are detected.
- All those who, in any way, manage the personal data of third parties individually and separately from the individual structure, assume the quality of independent “Data Controllers” individually.
7.2 External Data Processors
All external parties that carry out processing operations on the Company’s databases, on behalf of and in the interests of the same, for purposes connected with the exercise of corporate functions, are appointed as “external Managers” of the processing.
The external managers have the obligation:
- to process the data lawfully, fairly and in full compliance with current privacy legislation;
- to comply with the security measures provided for by the Privacy Code and to take all measures that are suitable to prevent and / or avoid the communication or dissemination of data, the risk of destruction or loss, even accidental, of unauthorized access or treatment unauthorized or not in accordance with the purposes of collection;
- to appoint the persons in charge of processing within them;
- to guarantee that the processed data are made known only to the personnel in charge of the processing;
- to process the personal data, also of a sensitive and health nature, of the Patients exclusively for the purposes envisaged by the contract or by the agreement;
- to comply with the instructions given by the Data Controller;
- to specify the places where data processing takes place.
In the event of failure to comply with the aforementioned provisions, the external data processors must be considered independent “Data Controllers” of the processing and therefore subject to the respective obligations and therefore respond directly and exclusively for any violations of the law.
7.3 Data Processors
Each employee in charge of a specific service and required to carry out technical processing operations is to be considered, for all purposes, “Appointed” pursuant to art. 30 of the Privacy Code.
The Distributor, in carrying out the operations strictly connected to the fulfillment of his functions, must strictly follow the instructions given by the Owner and the Manager, committing himself to adopt all the security measures provided for by these Regulations as well as any other measure that is suitable to prevent and / or avoid communication or dissemination of data, the risk, even accidental, of destruction or loss, unauthorized access or unauthorized processing or processing that does not comply with the purposes of the collection.
The Distributor collaborates with the Owner and the Responsible reporting any risk situations in the processing of data and providing any information necessary for the performance of the control functions.
In particular, the Distributor must ensure that, during the treatment, the data is:
– treated lawfully and fairly;
– collected and recorded for specific, explicit and legitimate purposes, and used in other processing operations in terms compatible with these purposes;
– exact and, if necessary, updated, relevant, complete, not excessive and, if sensitive data, indispensable with respect to the purposes for which they are collected or subsequently processed;
– kept in a form that allows the identification of the interested party for a period of time not exceeding that necessary for the purposes for which they were collected or subsequently processed.
The Distributor is required to maintain complete confidentiality on the data of which he has become aware during the performance of his activity, committing himself to communicate the data exclusively to the subjects indicated by the Owner and the Responsible, only in the cases provided for by the law and / or in the business activity.
The appointment of the Distributor is carried out by means of the employee’s preposition, with an assumption order or service order, to the single service unit for which the scope of treatment allowed by means of data entry forms is identified.
The Persons in charge must receive suitable and analytical instructions, also for homogeneous groups of functions, regarding the activities on the data entrusted (insertion, updating, cancellation, etc.) and the obligations to which they are required.
Art. 8 Nature of data provision and consent
Consent to the processing of personal data is as voluntary as it is indispensable for the purpose of providing the requested service, i.e. the main purpose of data processing (including related administrative activities), since the non-consent would prevent you from taking advantage of the service.
Here are some special cases of acquiring consent to the processing of data based on special laws or specific categories of reports:
- a) minors
The consent to the processing of data of a child under the age of 16 must be signed by at least one parent exercising parental authority.
- b) Persons Subjected to Custody Citation
The guardian submits the consent form for data processing on behalf of the protected user, making it out in the name of the user and completing it with the guardian's own personal details and signature; the guardian attaches to this form the documentation issued by the Judicial Authority or, alternatively, a self-declaration of guardianship authority.
- c) Person Who Cannot Sign
The user who cannot sign the consent form for illiteracy, for temporary or permanent physical impediment, without legal representative, can express his consent verbally or with other ways (gestures), of which the operator acknowledges (perhaps with the help of a family member, who knows how to express the patient) with the aid of audiovisual recording tools that will be stored and used exclusively in the event of disputes.
8.1 Marketing purposes
If the customer gives explicit consent, the contact details provided may be used by the Data Controller for the promotion of products or services similar to those that the customer has purchased or accepted, for sending advertising material exclusively for the aforementioned services or for carrying out commercial communications.
By granting consent to the Treatment for Marketing Purposes, pursuant to art. 6, paragraph 1, letter a) of the Regulations, the interested party specifically acknowledges the promotional, commercial and marketing purposes in a broad sense of the treatment and expressly authorizes said processing whether the means used for the Treatment for Marketing Purposes are the telephone with operator or other non-electronic means, not telematic or not supported by automatic, electronic or telematic mechanisms and / or procedures which, where the means used for the Treatment for Marketing Purposes are electronic mail, fax, sms, mms, automatic systems without operator intervention and the like, including electronic platforms and other electronic means.
Pursuant to the General Provision of the Privacy Guarantor of May 15, 2013 entitled “Consent to the processing of personal data for the purposes of ‘direct marketing’ through traditional and automated contact tools”, the attention of the interested parties is specifically pointed to the fact that:
- the consent eventually given for the sending of commercial and promotional communications through computer or telematic methods will imply the receipt of such communications, not only through said automated contact methods, but also through traditional methods, such as paper mail or calls by operator;
- the collection of consent from time to time will be unitary and overall and will refer to all the possible means of marketing processing. To proceed to the Treatment for Marketing Purposes it is mandatory to acquire a specific, separate, express, documented, preventive and completely optional consent.
- it is without prejudice to the possibility of revoking the consent to the processing of personal data free of charge for the purposes of “direct marketing”, even partially with respect to certain means or treatments;
- the aforementioned revocation may be exercised by writing to email@example.com and that the opposition to such treatment will not produce any consequences on the provision of the services.
Furthermore, the Data Controller informs the data subject that the data may also be disclosed to third party trading partners. The consent to the Treatment for Marketing Purposes – where provided by the interested party – does not also cover the different and further marketing treatment represented by the communication to third parties of the data for the same purposes. To proceed with such communication to the outside it is mandatory to acquire from the interested party a further, separate, additional, documented, expressed and completely optional consent, in compliance with the General Provision of the Guarantor of 4 July 2013 bearing the guidelines to combat spam.
Pursuant to the General Provision of the Guarantor of 4 July 2013, containing the guidelines to combat spam, the third party recipients of the communications of the personal data of the interested parties for the subsequent Treatment for Marketing Purposes can be identified with reference to the following subjects and the following categories commodities or economics:
- a) Third parties belonging to the product sectors of publishing, sports companies, suppliers of goods and electronic communication services, Internet service providers, communication agencies, companies that provide insurance and financial services, companies in the food and restaurant industry, clothing, ICT hardware and software, banks and credit institutions, travel agencies, companies that offer services in the tourism sector, companies that offer services and goods for the person, companies that supply goods and services in the energy and gas sector.
The provision of personal data to the Data Controller and the provision of both consent to the Treatment for Marketing Purposes and the distinct consent to the communication to third parties for the Treatment for Marketing Purposes for the purposes and with the methods illustrated above are absolutely optional and always revocable.
Since some of the processing purposes pursued are of a specific commercial, advertising, promotional and marketing nature in a broad sense and that the modules on the Site pursue such purposes by default, if the interested party does not intend to consent to the Treatment for Purpose of Marketing the consequence will be the impossibility to use the services of the Data Controller. Failure to provide the Treatment for Marketing Purposes will result in interference and / or consequences on other possible contractual, contractual or other relationships with the user.
Art. 9 Data transfer abroad
Your personal data may also be transferred to other countries belonging to the European Union, exclusively to allow the employees of the Data Controller to carry out their work in execution of the contract.
Your personal data may also be transferred to the United States (a country not belonging to the European Union) exclusively to allow the employees of the Data Controller to carry out their work in execution of the contract. For this reason, no sensitive data will be transferred abroad. The transfer of personal data to the United States is guaranteed above all by the “adequacy decision” of the European Commission on the Privacy regulation of that country.
Art. 10 Rights of the interested party
As a subject interested in the processing of personal data, you may at any time avail yourself of the faculties and rights provided by art. 13, paragraph 2, letters a) b) c) d) e) of the EU Regulation 679/2016.
In particular it is up to you:
- The right to obtain confirmation of the existence or not of personal data concerning you;
- The right of access, that is to have communication of the data concerning it upon simple request;
- The right of opposition which provides for the possibility of objecting to the processing of personal data for legitimate reasons.
- The right of rectification, i.e. modification and updating of data;
- The right to be forgotten, that is, to see the data concerning you deleted. In order to implement the right to oblivion, the following distinction must be made:
– if the processing of the data presupposes an express consent, the only revocation of the latter will be sufficient to obtain the cancellation, to be considered automatic, of the data;
– if the processing of the data presupposes a consent for conclusive facts, the cancellation can be implemented, upon request, only if the personal data are no longer necessary with respect to the purposes for which they were collected or processed.
- The right to limit the processing which minimizes the use of the data processing to what is necessary for the purposes of the same. However, this right is provided only in the following mandatory cases:
– where the interested party contests the accuracy of personal data and for the time strictly necessary to verify its accuracy;
– where, in the presence of unlawful processing, the data subject opposes the deletion of data;
– where, if the Data Controller no longer needs to keep the data, the interested party has an interest in their storage for the purposes of exercising or defending a right in court;
– in case of opposition to the treatment, but only for the time necessary to establish the pre-eminence between the interest of the Data Controller and the right of the data subject.
The limitation can be revoked at any time and before the revocation is effective the Owner will inform the interested party.
- The right to the portability of data provided by the data subject which allows the data subject to receive the personal data concerning him / her in a commonly used format.
- The right to withdraw consent to the processing of data for the primary purposes of processing at any time. However, revocation of the consent could make it impossible to provide the service and in any case does not affect the lawfulness of the processing based on the consent given before the revocation;
- The right to withdraw consent to the processing of data for secondary marketing and newsletter processing purposes at any time. Withdrawal of consent does not make it impossible not to use the services of the Data Controller. In any case, such revocation does not affect the lawfulness of the processing based on the consent given before the revocation;
- The right to complain about the violation of the law to the Privacy Authority, without prejudice to any other legal action.
Requests should be sent by e-mail to the address: firstname.lastname@example.org
Art. 11 Data retention period
The data retention period is set by the Data Controller within 10 years of the last legally relevant treatment or from the acquisition of consent to the processing itself.
For any further clarification, the interested party can connect to http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1812198