This document outlines the management methods used for processing the personal data of those using the services rendered by the company on the Customer’s behalf. This privacy statement is compliant with EU REGULATION 2016/679 ISSUED BY THE EUROPEAN PARLIAMENT AND COUNCIL of 27 April 2016 and adheres to the DPMS 44001:2016 code of conduct rev. 00 of the 25-05-2016 KHC.
THE DATA CONTROLLER
As a result of the client’s desire to benefit from one of the services offered by the company, data regarding identified or identifiable individuals may be processed. The “data controller” is the company called JANUS S.R.L. based in Rome (Italy), Largo di Porta San Pancrazio 1, post code 00153, in the person of its Legal Representative Mr Alberto de Benedictis.
The Data Controller has appointed as External Data Processor the Company named Soc. Area Comunicazione e informatica srl via Gian Domenico Romagnosi, 3 post code 00196 – Rome (Italy) VAT registration n. 06066831006, nominating it to carry out the services envisaged under the contract entered into with the Customer and summarised here below:
The processing required by the services rendered will take place on the aforementioned premises of the Data Processor and will be carried out only by the technical staff employed at the Offices in charge of processing. Should it prove necessary, the data ensuing from the services rendered may be processed by staff members of the company in charge of maintaining the technological side of the website, JANUS S.r.l. (external data processor pursuant to article 37 of EU regulation n. 679/2016 – GDPR), upon the premises of the company itself.
NATURE OF DATA PROCESSED
Data supplied voluntarily by the user. Transmitting, disclosing and/or optionally, explicitly and voluntarily sending emails to the addresses indicated leads to the subsequent acquisition of the sender’s address as well as of all user details required to answer the requests.
Categories of data subjects: natural persons, legal entities as well as public and private organisations.
Data-type category: common data, personal data.
OPTIONAL NATURE OF DATA PROVISION
The user is free to supply personal data as long as he/she has been informed by the personnel carrying out the collection that without his/her consent, providing the services requested will not be possible and users will not be able to obtain what they want.
Minimum security measures for the data: The operating system of the server on which the web application and database are housed is installed on cloud-based hardware infrastructure provided by Aruba, which is able to guarantee exceptional levels of data integrity, availability and confidentiality.
Retention period for the personal data: Your personal data will be processed for profiling purposes for 12 months only from the moment of collection. Furthermore, your personal data processed as described herein will in any case be deleted within 30 days from the time the last contractual relationship with the Data Controller is dissolved. In any case, should you wish to withdraw your consent or object to the processing, your personal data will be deleted within 30 days of your request.
The Recipient of the Processing is the company called JANUS S.R.L. based in Rome (Italy), Largo di Porta San Pancrazio 1, post code 00153, in the person of its Legal Representative Mr Alberto de Benedictis.
METHODS OF DATA HANDLING
The personal data is processed with automated procedures for the time strictly necessary to achieve the purposes for which the data was collected. Specific security methods are observed to prevent data loss, unlawful or incorrect usage and unauthorised access.
RIGHTS OF THE DATA SUBJECTS
• right of access – article 15 of the GDPR: the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed, and, should this be the case, access to the personal data, including a copy thereof;
• right to rectification – article 16 of the GDPR: the right to obtain without undue delay the rectification of inaccurate personal data concerning him or her as well as the right to have incomplete personal data supplemented with additional details;
• right to erasure (right to be forgotten) – article 17 of the GDPR: the right to obtain the erasure of personal data concerning him or her without undue delay;
• right to restriction of processing – article 18 of the GDPR: the right to obtain restriction of processing, whenever:
1 the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
2 the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead;
3 the data subject requires the personal data for the establishment, exercise or defence of legal claims;
4 the data subject has objected to processing pursuant to Article 21 of the GDPR, pending the verification whether the legitimate grounds of the controller override those of the data subject.
• right to data portability – article 20 of the GDPR: the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and the right to transmit this data to another controller without hindrance from the controller to which the personal data has been provided, whenever the processing is based on consent and carried out by automated means. Furthermore, the data subject is entitled to have the personal data transmitted directly from the Bank to another controller, whenever this is technically feasible;
• right to object – article 21 of the GDPR: the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her whenever said processing is necessary for the purposes of the legitimate interests pursued by the controller or the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; this includes any profiling based on these provisions. The controller shall no longer process the personal data unless the controller demonstrates legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. Furthermore, the data subject is entitled to object at any time to the processing of personal data concerning him or her for direct-marketing purposes, which includes profiling to the extent that it is related to such direct marketing.
The rights listed above may be exercised by making contact with the Controller through the individuals in charge as outlined previously. Exercising your rights as a data subject shall be free of charge, pursuant to article 12 of the GDPR. Nevertheless, in the event of manifestly unfounded or inadmissible cases, especially in the case of recurrent requests, the Controller may have to charge a reasonable amount to cover administrative expenses incurred to fulfil such requests, or may otherwise refuse to fulfil them.
• THE RIGHT OF WITHDRAWAL:
• The data subject has the right to withdraw his/her consent at any given time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
• THE RIGHT TO COMPLAIN:
• The data subject has the right to lodge a complaint with the Italian Data Protection Authority situated in Piazza di Montecitorio n. 121, 00186, Rome (Italy). Requests must ALSO be sent:
– by email to the following address: email@example.com
– by fax to the following number: (+39) 06 5882003