EU REGULATION 2016/679 – GDPR (HEREINAFTER "THE REGULATION"): LEGAL BASES FOR LAWFUL PROCESSING

The Regulation confirms that every processing operation must rest on an appropriate legal basis; the grounds for lawfulness are listed in Article 6 of the Regulation and coincide, in substance, with those provided for by the current legislation (consent, performance of contractual obligations, vital interests of the data subject or of third parties, legal obligations to which the controller is subject, public interest or exercise of official authority, overriding legitimate interest of the controller or of third parties to whom the data are communicated).

For the special categories of data (Article 9 of the Regulation) consent MUST be "explicit"; the same applies to consent to decisions based solely on automated processing, including profiling (Article 22).

Overriding legitimate interest of the controller or of a third party:

Balancing the legitimate interest of the controller or of the third party against the rights and freedoms of the data subject is not a task for the supervisory authority but for the controller itself; it is one of the main expressions of the principle of "accountability" introduced by the new data protection package.

For it to constitute a valid legal basis, the legitimate interest of the controller or of the third party must override the fundamental rights and freedoms of the data subject.

The Regulation expressly clarifies that the legitimate interest of the controller is not a suitable legal basis for processing carried out by public authorities in the performance of their tasks.

PRIVACY NOTICE (INFORMATION TO DATA SUBJECTS)

Contents of the notice:

The contents of the notice are exhaustively listed in Articles 13(1)-(2) and 14(1)-(2) of the Regulation.

The User's personal data are used by www.detic.it, the website of the company Giovanni Gaudiano srl, whose legal representative is Mr. John Gaudiano. The data controller is Giovanni Gaudiano, who processes the data in compliance with the personal data protection principles established by the GDPR, Regulation 2016/679.

Timing of the notice:

Where personal data have not been obtained from the data subject (Article 14 of the Regulation), the notice must be provided within a reasonable period that cannot exceed one month from collection, or at the latest at the time of the first communication of the data (to third parties or to the data subject).

Method of providing the notice:

The notice is provided in electronic form. It is provided to the data subject before the data are collected (as specifically governed by Articles 13 and 14 of the Regulation).

RIGHTS OF DATA SUBJECTS

The deadline for responding to the data subject, for all rights (including the right of access), is one month, which can be extended by a further two months in particularly complex cases (three months in total); in any event the controller must reply to the data subject within one month of the request, even when the request is refused (Article 12(3) and (4)).

It is for the controller to assess the complexity of the response to the data subject. As a rule, the reply must be given in writing, including by electronic means that favour its accessibility; it may be given orally provided that the identity of the data subject is proven by other means (Article 12(1); see also Article 15(3)). The reply must be not only "intelligible" but also concise, transparent and easily accessible, and use clear and plain language.

Right of access (Article 15):

The right of access always includes the right to obtain a copy of the personal data undergoing processing (Article 15(3)).

The information that the controller must provide does not include the "modalities" of processing. The data retention period is limited to the time necessary for performance of the contractual relationship and for compliance with legal obligations.

Right to erasure (right to be forgotten, Article 17):

The so-called right to be forgotten takes the form of a strengthened right to erasure of one's personal data. Where a controller has made the personal data public, for example by publishing them on a website, it is required to take reasonable steps to inform other controllers processing those data that the data subject has requested erasure, including of any link to, copy of or replication of the data (see Article 17(2)).

The right to erasure under the Regulation has a wider scope than that provided by Article 7(3)(b) of the Privacy Code, since the data subject may request erasure of their data, for example, also after withdrawing consent to the processing (see Article 17(1)).

Right to restriction of processing (Article 18):

This is a different and broader right than the "blocking" of processing under Article 7(3)(a) of the Privacy Code: it can be exercised both where the conditions of lawfulness of the processing have been breached (as an alternative to erasure of the data) and where the data subject has requested rectification of the data, pending verification of their accuracy by the controller; it also applies where the data subject has objected to the processing under Article 21 of the Regulation, pending verification of whether the controller's legitimate grounds override those of the data subject.

Apart from storage, any other processing of data whose restriction has been requested is prohibited unless specific circumstances apply (consent of the data subject, establishment, exercise or defence of legal claims, protection of the rights of another natural or legal person, important public interest).

CONTROLLER, JOINT CONTROLLER, PROCESSOR, PERSONS AUTHORISED TO PROCESS

The Regulation governs joint controllership (Article 26) and requires joint controllers to define, in a specific arrangement, their respective responsibilities and tasks, in particular as regards the exercise of data subjects' rights; data subjects may in any case exercise their rights against any one of the joint controllers.

RISK-BASED APPROACH AND ACCOUNTABILITY MEASURES OF CONTROLLER AND PROCESSOR

The Regulation places strong emphasis on the "responsibility" (accountability, in the English sense) of controllers and processors, i.e. the adoption of proactive conduct that demonstrates the concrete implementation of measures aimed at ensuring compliance with the Regulation.

The security measures adopted ensure a level of security appropriate to the risk of the processing (Article 32). In particular, Giovanni Gaudiano srl implements the following technical, physical and organisational measures to protect the User's personal data from accidental or unauthorised destruction, accidental loss or alteration, unauthorised use, modification, disclosure or access, and from all other forms of unlawful processing.

Availability

The Service uses the features of the server environment to ensure high availability: full redundancy, load balancing, automatic scaling and continuous data backup.

No personal data are stored permanently outside the server platforms of detic.it.

Integrity

To ensure integrity, all data transfers are encrypted in transit, following best practices for protecting the confidentiality and integrity of data.

Confidentiality

All personnel authorised to process data are bound by a confidentiality obligation.

Transparency

The Data Controller will keep the User informed of changes to its privacy and data security processes, practices and policies. At any time, the User may request information on where and how their data are stored, used and protected.

Isolation

Access to personal data is limited to individually authorised personnel. The Security and Privacy Officer grants permissions and keeps a record of the permissions granted.

Personal Data Breach Notification

If the User's data are compromised, Giovanni Gaudiano srl will inform the User and the supervisory authority by email within 72 hours of becoming aware of the breach (Articles 33 and 34 of the Regulation), stating the extent of the breach, the data involved, any impact on the Service, the measures taken to secure the data and the measures taken to limit any adverse effects on the personal data.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of the Service.

DATA COLLECTED AND PURPOSE

Like all websites, this site uses log files in which information collected automatically during users' visits is kept. The information collected may include:

internet protocol (IP) address;
type of browser and parameters of the device used to connect to the site;
name of the internet service provider (ISP);
date and time of visit;
web page of origin of the visitor (referral) and exit;
possibly the number of clicks.
The above information is processed automatically and collected exclusively in aggregated form in order to verify the correct functioning of the site and for security reasons. For security purposes (spam filters, firewalls, virus detection), the automatically recorded data may also include personal data such as the IP address, which may be used, in compliance with applicable law, to block attempts to damage the site or to harm other users, and in any case harmful or criminal activities. These data are never used to identify or profile the User, but only to protect the site and its users (this information is processed on the basis of the controller's legitimate interest).
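As an added illustration (not the site's own policy or code), the following Python script shows how log entries of the kind listed above can be kept in aggregated form for functioning statistics, while the raw IP address is used only for the security purpose of spotting clients that probe the site. The log lines and addresses are constructed from documentation ranges; the masking prefixes (/24 for IPv4, /48 for IPv6), the 4xx threshold and the combined log field layout are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the Apache/nginx "combined" log format;
# addresses are from documentation ranges, not real visitors.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0200] "GET /index.html HTTP/1.1" 200 2326 "https://example.org/" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0200] "GET /style.css HTTP/1.1" 200 120 "https://www.detic.it/index.html" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:56:01 +0200] "GET /wp-login.php HTTP/1.1" 404 0 "-" "curl/8.0"
198.51.100.23 - - [10/Oct/2023:13:56:02 +0200] "GET /admin HTTP/1.1" 404 0 "-" "curl/8.0"
198.51.100.23 - - [10/Oct/2023:13:56:03 +0200] "GET /.env HTTP/1.1" 404 0 "-" "curl/8.0"
198.51.100.23 - - [10/Oct/2023:13:56:04 +0200] "GET /phpmyadmin HTTP/1.1" 404 0 "-" "curl/8.0"
2001:db8:1234:5678::9 - - [10/Oct/2023:13:57:10 +0200] "POST /contact HTTP/1.1" 302 0 "https://www.detic.it/contact" "Mozilla/5.0"
"""

# Field layout of the combined format: client IP, identity, user, timestamp,
# request line, status, size, referrer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def truncate_ip(ip_text):
    """Pseudonymise an address for statistics: keep the /24 of an IPv4 address
    and the /48 of an IPv6 address (assumed prefixes), dropping the host part."""
    ip = ipaddress.ip_address(ip_text)
    prefix = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def aggregate(log_text):
    """Functioning statistics: request counts per (path, status) and visits per
    truncated network. No raw address leaves this function."""
    per_page = Counter()
    per_network = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        per_page[(rec["path"], rec["status"])] += 1
        per_network[truncate_ip(rec["ip"])] += 1
    return per_page, per_network


def suspicious_clients(log_text, threshold=3):
    """Security use of the raw IP: clients that produced at least `threshold`
    4xx responses, a common signature of path probing. Only these addresses
    are retained unmasked, for blocking."""
    errors = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and 400 <= rec["status"] < 500:
            errors[rec["ip"]] += 1
    return {ip: n for ip, n in errors.items() if n >= threshold}


if __name__ == "__main__":
    pages, networks = aggregate(SAMPLE_LOG)
    print("requests per page/status:", dict(pages))
    print("visits per network:", dict(networks))
    print("clients to consider blocking:", suspicious_clients(SAMPLE_LOG))
```

The split into two functions is the point: the statistics path never sees a full address, so what is kept is aggregated as the notice states, while the security path keeps the raw address only for clients that cross the probing threshold and can be discarded once the block is in place.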

If the site allows comments to be posted, or where the User requests specific services, the site automatically detects and records certain identification data of the User, including the email address. These data are provided voluntarily by the User when requesting the service. By posting a comment or other information, the User expressly accepts this privacy notice and, in particular, agrees that the content posted may also be freely disclosed to third parties.

The data received are used exclusively to provide the requested service and only for the time necessary to provide it.

Information that users choose to make public through the services and tools made available on the site is provided knowingly and voluntarily by the User, who releases this site from any liability for breaches of the law. It is the User's responsibility to verify that they have permission to enter personal data of third parties or content protected by national and international law.

The data collected by the site during its operation are used exclusively for the purposes indicated above and kept for the time strictly necessary to carry out the stated activities. The data collected by the site are never provided to third parties, for any reason, except in response to a legitimate request by a judicial authority and only in the cases provided for by law.

Place of processing

The data collected by the site are processed at the registered office of the Data Controller and at the data centre of the web hosting provider, which acts as processor on behalf of the controller; the data centre is located in the European Economic Area and operates in accordance with European standards.
