PURSUANT TO ART. 13 OF REGULATION (EU) 2016/679 – GDPR
The European legislation on the protection of personal data, Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter also “GDPR”), imposes a series of obligations on those who carry out “processing” of personal data relating to other subjects (so-called “interested parties”).
In light of the above and pursuant to art. 13 GDPR, we therefore communicate the following information.
1. Identity and contact details of the Data Controller
The owner of the processing of personal data (Data Controller) is GARNET S.R.L., with administrative / operational headquarters in Via De Gasperi 31, 20863 Concorezzo (MB) – Italy, in the person of the legal representative Mr. Leopoldo Iurino. The contact details of the Data Controller are indicated below.
– E-mail address / PEC for any communications: email@example.com.
– Telephone number for any communications: +39 039/6886158.
2. Subjects authorized to process data (appointees)
Those authorized to process personal data, in compliance with European legislation on the processing of personal data, are the employees of Garnet Srl, as well as the employees of the same structure.
3. Purposes of the processing to which the personal data are destined
Data held by Garnet S.r.l., as the data controller, will be used for the following processing purposes:
- purposes related to the execution of the existing contract / agreement between the parties.
4. Legal basis of the processing
The personal data provided are processed for the aforementioned purpose, as well as on the basis of consent, and also for the purpose of complying with a contractual / pre-contractual, legal and regulatory requirement, as well as with provisions issued by legitimate authorities and by supervisory and control bodies.
The explicit legislative references, updated to their latest revision, which provide for the obligations on the basis of which the processing of the data could be carried out are available from, and can be consulted with, the data controller, and in any case are part of the current law of the Union and of the Member State to which the data controller is subject.
5. Processing methods
The processing of personal data takes place – according to the principles of correctness, lawfulness and transparency – and, in any case, in compliance with the provisions of art. 6 GDPR.
The processing will be carried out by means of the operations or set of operations indicated in art. 4, point 2 of the GDPR, that is, by means of the collection, recording, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination, making available, limitation, cancellation or destruction, selection, blocking of personal data.
The operations can be carried out with or without the use of electronic or automated means, in compliance with the rules of confidentiality and security provided by law, regulations, or by specific internal provisions.
The data has been collected and will be collected exclusively from the interested party. If, instead, the data were collected from third parties, Garnet S.r.l. will promptly transmit the information to the interested party, in accordance with the provisions of art. 14 GDPR.
The processing will be carried out by the data controller and / or by authorized persons in charge of processing, who will operate under the direct authority of the data controller and in accordance with the instructions given by the data controller.
The processing will be carried out using manual, computerized and telematic tools with logics strictly related to the same purposes and in any case in order to guarantee the security and confidentiality of the data.
The filing of the documentation is carried out both electronically and on paper.
Here is some essential information:
· The collection of personal data is limited to the minimum necessary for each specific purpose of the processing;
· The processing of personal data is limited to the purposes for which they were collected;
· The storage of personal data is limited to the minimum necessary for each specific purpose of the processing;
· No personal data is provided to third parties without consent;
· The sale or rental of personal data is not carried out.
· There are no automated decision-making processes involving your personal data.
6. Nature of data provision
In order to pursue the purpose of the aforementioned processing, you must authorize the processing of your personal data. In the event of refusal, or refusal to respond, the Data Controller will not be able to collect the information necessary for the purpose mentioned above.
7. Communication and / or dissemination of data
The personal data of a particular nature collected during the performance of the contract will not be disclosed to third parties except in the cases provided for by law. Personal data, on the other hand, may be communicated, in compliance with the GDPR, to the following categories of recipients:
· Professionals such as accountants, lawyers and tax consultants, whose intervention is deemed necessary;
· Social security institutions;
· Other bodies, authorities or public institutions;
· Credit institutions;
· Supplementary funds.
Personal data, in any case, will not be subject to disclosure (meaning by this the making known of personal data to undetermined subjects, in any form, including by making them available or open to consultation).
8. Transfer of personal data to a third country or to an international organization
The personal data collected may be transferred to EU countries and to third countries as long as this is necessary for the purposes of processing and in any case in compliance with the provisions of European legislation on the transfer of personal data to third countries or to international organizations (articles 44-47 and 49 of the GDPR).
9. Period of storage of personal data / criteria used to determine this period
We inform you that, in compliance with the principles of lawfulness, limitation of purposes and minimization of data, pursuant to art. 5 GDPR 2016/679, the period of storage of personal data does not exceed the time needed to achieve the purposes for which they are collected / processed and, in any case, complies with the times prescribed by law.
An annual check is envisaged on the processed data and on the possibility of deleting them if they are no longer necessary for the intended purposes.
10. Rights of the interested party
As an interested party, you can exercise your rights towards the data controller at any time by contacting the data controller using the following contact details: firstname.lastname@example.org – tel. +39 039/6886158.
In order to guarantee the correct exercise of the rights, the interested party must be identifiable in an unequivocal manner. The owner undertakes to provide feedback within 30 days and, if it is impossible to comply with these times, to justify any extension of the deadlines. The response will be free of charge except in the case of unfounded or excessive requests, for which a fee may be charged not exceeding the costs actually incurred for the research carried out in the specific case. The rights relating to personal data concerning deceased persons may be exercised by those who have an interest of their own, or who act to protect the interested party, or for family reasons worthy of protection.
The interested party can also lodge a complaint with the supervisory authority, as well as revoke the consent given.
In case of a violation of personal data suffered by the company (so-called Data Breach), in compliance with art. 33 of the GDPR, the holder will notify the competent control authority within 72 hours from the moment in which he became aware of the fact and will also communicate the event to the interested party, except for the cases of exclusion provided for by art. 34, par. 3 of the GDPR.
The interested party has the right to obtain confirmation of whether or not processing of personal data concerning him is being carried out and to obtain the access and information referred to in art. 15 of the GDPR.
Furthermore, the interested party has the right to obtain:
• updating, rectification, integration of data and limitation (articles 15 and 16 of the GDPR);
• cancellation (right to be forgotten, art. 17 of the GDPR), transformation into anonymous form or blocking of data processed in violation of the law (including those for which conservation is not necessary in relation to the purposes for which they were collected or subsequently processed);
• certification that the operations referred to in the above points have also been brought to the attention of those to whom the data have been communicated or disseminated, except in the case where such fulfillment proves impossible or involves the use of means manifestly disproportionate to the right protected by the company;
• the portability of data (direct transmission from one holder to another) and the copy of the data being processed (art. 20 of the GDPR).
The interested party has the right to object pursuant to art. 21 of the GDPR and the right not to be subjected to an automated decision-making process pursuant to art. 22 of the GDPR, and in particular has the right to object:
• to the processing of personal data concerning the interested party including profiling for legitimate reasons, even if pertinent to the purpose of collection;
• to the processing of personal data concerning the person concerned for the purposes of: sending advertising material, direct sales, carrying out market research, commercial communications;
• to the processing of data processed for scientific or historical research purposes or for statistical purposes except in the case of public interest in the processing.