Authorisation declaration for processing identifiable, sensitive and legal personal data pursuant to Legislative Decree no. 196/2003 and EU Regulation 2016/679
The User, herein after referred to as “Data subject” according to the meaning set forth by letter “i” of art. 4, Legislative Decree 196/03, meaning, “natural person, legal person, body or association to which the personal data refers”,
- the User/Data Subject is the subject who accesses website catellanismith.com (herein after also referred to as WEBSITE for brevity sake), by registering his/her Personal Data to use the functions allowed by the website, of legal age in full possession of his faculty;
- for the purposes of EU Regulation 2016/679, the term “Data subject” refers to any identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- for the purposes of EU Regulation 2016/679, “Personal Data” means any information relating to the Data Subject, “Genetic data“ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question, “Biometric data” means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data, and “Data concerning health” means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
- for the purposes of EU Regulation 2016/679 “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; “Cross-border processing“ means processing of personal data which takes place in the context of the activities of establishments (intended the management location chosen by the Controller and place where the main processing activities are executed by the Processor) in more than one EU Member State; or processing of personal data which takes place in the context of the activities of establishments in one single EU Member State, but which substantially affects data subjects in more than one Member State;
- for the purposes of EU Regulation 2016/679, “Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
- for the purposes of EU Regulation 2016/679, “Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
- for the purposes of EU Regulation 2016/679, “Controller” means the natural or legal person, public authority, agency or other body which, along or jointly with others, determines the purposes and means of the processing of personal data; “Processor” means a natural or legal person, public authority agency or other body which processes personal data on behalf of the controller, “Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not, “Third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
- for the purposes of EU Regulation 2016/679, “Supervisory authority” means a supervisory authority that monitors the proper application of EU Regulation 2016/679 in the Italian Republic, in particular the Data Protection Supervisor with office in Rome, Piazza di Monte Citorio no. 121 – certified email: email@example.com.
The identification details of the Controller are as follows:
CATELLANI & SMITH S.R.L. – email: firstname.lastname@example.org.
The Controller can be contacted at the following email address: email@example.com.
Any change of Processor shall be also notified upon renewal of this consent, by amending the name of the Processor thereto.
The Personal Data is processed lawfully, fairly and in a transparent manner, only for scopes related to the functions allowed by the WEBSITE.
The WEBSITE collects, records, organises, stores, modifies, selects, extracts, compares, uses, aligns, combines, discloses, deletes and blocks the personal data processed to attain the scopes of the WEBSITE, to render the online services offered by the WEBSITE and for administrative, management, organisational, tax and accounting activities of the Controller.
Personal Data is also collected for commercial purposes, in line with the scope for which the User/Data subject registered to the WEBSITE and anyhow, for related scopes and/or instrumental to the WEBSITE’s management activities, excluding therefore any other use and/or use in conflict with the interests of the User/Data subject, granted legal obligations that shall be fulfilled by the Controller or Processor.
The processed Personal Data shall be exclusively limited and pertinent to the WEBSITE’s functions for which the User/Data subject has registered.
The Personal Data shall be exact and, if needed, updated according to the User/Data subject’s indications upon registration.
The Personal Data shall be stored for the time required to execute the activities object of the permitted processing, and for maximum ten (10) years from the termination of the permitted processing. Nonetheless, the processing term can never exceed said period, unless the consent is renewed by the Data Subject.
Moreover, the Personal Data will be processed through suitable methods that ensure security and prevent loss or destruction, even partial (e.g. Firewall, incremental and differential system backups of daily character, storage of copies on icloud or online, antivirus systems, change of passwords for data access by persons appointed by the Controller, with suitable frequency).
To said scope, it is specified that the processing by the WEBSITE does not imply high risks for the rights and freedoms of natural persons; however, the processing does not concern racial or ethnic origins, political opinions, religious believes, trade union memberships, genetic or biometric data that may univocally identify a natural person, data concerning health, sex life or sexual orientation or criminal convictions; therefore, profiling and marketing activities will not be executed based on said data but exclusively according to the preferences related to the products purchased or viewed through the WEBSITE’s platform.
Personal Data will be acquired and processed also for the scopes set forth by anti money-laundering laws, pursuant to EU Directive no. 2001/97 EC, Legislative Decree no. 56/2004 and subsequent changes and acknowledgement integrations and by implementation Ministerial Decrees, and you are aware of the possibility that said data may be disclosed to the Italian Exchange Office (UIC) to verify the punctual fulfilment of the afore-cited obligations.
Conferment of Personal Data is optional and not mandatory, unless specifically foreseen by law, however said action is required to register to the WEBSITE and the relative consent to Processing is a condition to be able to subscribe. Personal Data is conferred each time the Data subject accesses the WEBSITE to register and logs in to manage/use the services offered or connects his/her account on a third party’s site to his/her WEBSITE account, where permitted by the latter.
Should the Data Subject be authorised to use mobile apps linked to the WEBSITE, data concerning the location of the data subject is also conferred, stored and processed, including general information (e.g. IP address, postal code) and more specific information (e.g. GPS functions available on the mobile devices used to login the platform or related specific functions). If the Data Subject logs in the WEBSITE from a mobile device and does not wish the device to disclose information on his/her position, he/she can disable the GPS or other location tracking functions on the device, if this option is permitted by the latter.
The User/Data subject is aware of the Processing of “Log data“, which are automatically recorded by our servers or cloud servers, also hosted by Third parties, each time the User/Data subject logs in the WEBSITE or uses it, regardless of whether he/she is a registered user or logged in from his/her account; for example, this data are the IP address, login date and time, font of text character, hardware and software used to login, login and logout sites and URL, number of clicks, viewed pages and order of said pages, as well as the time spent on particular pages. Said data are also object of separate consent that the Data Subject releases to the Controller performing search engine activities on the web, the so called browser (e.g. Google) and can be used for analytics service and track the User/Data subject’s activities based on the interaction with the WEBSITE.
No users’ personal data is acquired by the WEBSITE through cookies. Cookies to transmit personal information are not used, neither persistent cookies of any type, or tracking systems of users. The use of session cookies (which are not stored permanently on the user’s computer and are deleted when closing the browser) is strictly limited to the transmission of session identifiers (consisting of random numbers generated by the server), which are necessary to allow the secure and efficient browsing the site. The session cookies used in this site also avoid resorting to other IT techniques that may prejudice the privacy of the users’ browsing activity and do not allow acquiring personal identifiers of the user. The cookies to integrate third party’s products and software functions (Google Maps, YouTube videos, integrations with social networks, online payments, etc) integrate functions developed by third parties on the site pages in order to share the site contents or use third party’s software services (e.g. software to generate maps and other software that offer additional services). The cookies are sent by third party’s domains and partner sites that offer their functions on the site pages. You can view the settings of your browser’s cookies in the website or the relative producer (e.g.: Apple Safari, Google Chrome, Microsoft Internet Explorer, Mozilla Firefox, Opera, etc.).
The WEBSITE may allow the collection of information on the Users‘ online activities by Third parties.
The Data subject grants consent to the transmission of Personal Data, also of sensitive and legal type, to Third parties (e.g. Lawyer, web Suppliers who manage and maintain the site and management programs used by the Controller’s organisation, Accountant for accounting and tax purposes related to the Controller’s business activity).
Should the data required for registration and browsing not be conferred, registration to the WEBSITE cannot be accepted and/or continued and the account will not be enabled or it will be deleted if the consents to renew the authorisation to Personal Data Processing are denied.
The WEBSITE may allow Third parties, previously authorised by the User/Data Subject, to collect information on the User’s online activities also for profiling the User’s purchases and for commercial purposes.
The WEBSITE collects and processes data also for its own commercial purpose and Third party’s, including for example User profiling (e.g. Google Analytic, Google Font, CRM Customer Relationship Management), analysis of purchase preferences, comparison of prices and offers, comparison of products, marketing and commercial promotion activities, and to customise the WEBSITE’s offer according to the User/Data subject’s tastes and needs.
Should processing of personal data of any nature be authorised, including sensitive, legal, genetic, biometric data or data concerning health, these can be disclosed to Italian Public subjects and competent Italian Judicial Authorities within the limits and for the scopes related to the authorised Processing, for their institutional scopes and, therefore, for the scopes of the subjects appointed to acknowledge and/or process them.
The Controller does not transfer the data referring to the Data Subject abroad or to third countries.
The Data subject is entitled to exercise the rights set forth by art. 7 (“Right to access personal data and other rights”), Legislative Decree no. 196, which content the Data Subject declares to know, acknowledging the full text indicated in note 5 at the bottom of this authorisation.
The User/Data Subject is entitled to exercise the following rights pursuant to EU Regulation 2016/679, by sending a request to the Controller:
– right to access (art. 15 of the afore-cited EU Regulation) data to verify whether certain information is being processed and processing scopes, category of processed data, recipients of potential communications of processed data, storage period of the processed data, potential existence of an automated decision-making process, including profiling as set forth by art. 22, par. 1 and 4 of EU Regulation 2016/679;
– right to rectification, including integration of incomplete data (art. 16 of the afore-cited EU Regulation);
– right to erasure (art. 17 of the afore-cited EU Regulation) data with no delays, upon request of the Data subject and compulsorily, if:
- they are no longer required for the Processing scopes;
- consent to Processing has been revoked;
- the Data Subject objects to the Processing pursuant to art. 21 of the EU Regulation;
- data have been unlawfully processed;
- the erasure obligation is set forth by Italian or EU laws.
The erasure obligation is not applicable in case the right of freedom of expression and information is exercised to fulfil a legal obligation that imposes processing for reasons of public interest or national security that request processing, for justice purposes that justify processing.
– right to restriction of processing (art. 18 of the afore-cited EU Regulation) if the accuracy of the personal data is contested by the Data subject, for a period enabling the controller to verify the accuracy of the personal data, the processing is unlawful and the data subject opposes to erasure of the personal data, the Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data subject for the establishment, exercise or defence of legal claims, and when the Data subject has objected to processing pending the verification whether the legitimate grounds of the Controller override those of the Data subject.
– Controller’s obligation to notify (art. 19 of the afore-cited EU Regulation) potential Recipients of personal data, of any erasures, rectifications and restrictions to processing.
– right to data portability (art. 20 of the afore-cited EU Regulation), the Data subject shall have the right to receive the personal data concerning him or her, in a structured, commonly used, durable and machine-readable format from automated devices, also in multiple copies, via email at the address specifically indicated by the User/Data subject, free of charge, and have the right to transmit those data to another Controller without hindrance from the Controller to which the personal data have been provided, when processing is carried out by automated means like in this case;
– right to object to the processing of his/her Personal Data (art. 21 of the afore-cited EU Regulation), unless the Controller demonstrates compelling legitimate grounds for the processing;
– right not to be subject to a decision based on automated processing, including profiling, unless said decision-making method is necessary for entering into, or performance of, a contract between Data subject and a Data Controller, is authorised by Union or Member State law, or is based on the Data subject’s explicit consent (art. 22 of the afore-cited EU Regulation).
The Controller declares that there are no specific risks related to the processing of the Data Subject’s Personal Data, to have evaluated any filing and processing duty and risk, to have accurately selected the best security measures to ensure privacy and non-disclosure of the Data Subject’s Personal Data.
The Controller reserves the right to use any suitable security method including encryption, pseudonymisation, coding of processed personal data.
The processing of identification, sensitive and legal personal data will take place within the limits set forth by law in accordance to art. 25, Legislative Decree no. 196/03, which content the Data Subject declares to know, acknowledging the text indicated in note 6 at the bottom of this authorisation, and EU Regulation 2016/679; for the abovementioned scopes, in addition to processing, data may also be subject to notification and/or disclosure in technical terms, as further specified in letters “a”, “l” and “m” of par. 1, art. 4, Legislative Decree no. 196/03, which the Data Subject acknowledges to be set out in note 7 at the bottom of this authorisation, and EU Regulation 2016/679.
The WEBSITE’s Controller and owner may be involved in merger, incorporation, purchase, division transactions and in this case, may transfer their corporate assets including the personal data of the Data Subject, who acknowledges and accepts the foregoing; in this case, the Data Subject will be informed of his/her personal data that are transferred or anyhow object of different privacy policies and/or authorisations.
The Data subject agrees to keep his/her personal data up-to-date and to the scope, will notify any change or update to the Controller.
Pursuant to the above, the User/ Data subject spontaneously declares to authorise the processing of his/her personal data, in conformity to the foregoing and as set forth by Legislative Decree no. 196/03 and EU Regulation 2016/679.
Pursuant to the above, the User/ Data subject spontaneously declares to authorise the processing of his/her personal data for commercial scopes, including profiling, marketing and transmission of commercial and promotional communications, in conformity to the foregoing and as set forth by Legislative Decree no. 196/03 and EU Regulation 2016/679.
- ART.26 par. 4 letter “c” – GUARANTEES FOR SENSITIVE DATA: “(…) 4. Sensitive data may be object of processing also without consent, prior authorisation by the Italian Data Protection Supervisor: c) when processing is required to execute defensive investigations as set forth by Law no. 397 of 7th December 2000 or – anyhow- assert or defend a right in trial, provided that data are processed exclusively for said scopes and for the time strictly required to attain them. If the data may reveal details on the state of health or sex life, the right must be equal to that boasted by the Data Subject or be a human right or other inviolable and fundamental right or right to freedom (…)”.
- ART.13 – INFORMATION: “1. The Data subject or person of whom personal data is collected, are previously informed orally or in writing about:: a) the processing scopes and methods to which data are destined; b) compulsory or optional nature of the data conferment; c) consequences of a potential refusal; d) subjects or categories of subjects to whom the personal data may be disclosed or who may come to acquire knowledge thereof in the capacity of processors or persons appointed by controllers, and scopes of disclosure of said data; e) the rights set forth by art. 7; f) the personal details of the data controller and, if appointed, the representative on the State territory pursuant to art. 5 and the data processor. If several data processors have been designated by the data controller, at least one of them shall be referred to, and the communication networks or the mechanisms for easily accessing the updated list of the data processors shall be specified. If a data processor has been designated to provide responses to data subjects in case the rights set forth by art. 7 are exercised, such data processor shall be referred to. 2. The information set forth by par. 1 shall also contain the items referred to in specific provisions of this Code and may fail to include certain items if the latter are already known to the entity providing the data or their knowledge may concretely impair supervisory or control activities carried out by public bodies for purposes related to defence or State security, or else for the prevention, suppression or detection of offences. 3. The Italian Data Protection Supervisor can identify, with its own provision, simplified modalities for the information given in particular by the telephone services for public assistance and information. 4. Whenever the personal data are not collected from the Data subject, the information as per par. 1, also including the categories of processed data, shall be provided to the Data subject at the time of recording such data or, if their communication is foreseen, no later than when the data are first communicated. 5. The provision set forth by par. 4 is not applicable when: a) the data are processed in compliance with an obligation imposed by law, a regulation or EU legislation; b) the data is processed to carry out defensive investigations as set forth by Law no. 397 of 7th December 2000, or otherwise, to enforce or defend a legal claim, provided that the data are processed exclusively for said purposes and for no longer that is necessary therefore; c) the provision of information to the Data subject involves an effort that is declared by the Data Protection Supervisor to be manifestly disproportionate compared to the right to be protected – in which case the Data Protection Supervisor shall lay down suitable measures – of if it proves impossible in the opinion of the Data Protection Supervisor”.
- ART.4 – DEFINITIONS: (…) b) < personal data >, any information relating to a natural person, legal person, body or association, which can be identified or are identifiable, also indirectly, by reference to any other information, including a personal identification number ; c) < identification data>, personal data that allow identifying the data subject directly; d) < sensitive data >, personal data revealing racial or ethic origin, religious or philosophical beliefs or other beliefs, political opinions, membership to parties, unions, associations or organisations of religious, philosophical, political or union character, and data that reveal the state of health and sex life ; e) < judicial data >, personal data revealing measures of the type set forth by art. 3, par. 1, letters from a) to o) and from r) to u) of Presidential Decree no. 313 of 14/11/2002, concerning criminal records, records of administrative sanctions resulting from offences and related charges, or the condition of accused person or person under investigation pursuant to art. 60 and 61 of the Criminal Code“.
- ART.4 – DEFINITIONS: (…) f) <Controller >, the natural, legal person, public administration and any other body, association or organism which decides – also with another controller – about the processing scopes and methods of personal data and tools used, including the security profile ; g) < processor >, the natural, legal person, public administration and any other body, association or organism appointed by the controller for personal data processing; h) <persons appointed by the Controller>, natural persons authorised by the controller or processor, to process data”.
- ART. 7 – RIGHT TO ACCESS PERSONAL DATA AND OTHER RIGHTS: 1. The Data subject has the right to obtain confirmation of the existence or his/her personal data even if not registered yet and their disclosure in intelligible form. 2. The Data subject has the right to obtain indication: a) of the origin of personal data, b) processing scopes and methods; c) logic applied in case of processing executed with electronic tools; d) identification details of the controller, processors and appointed representative pursuant to art. 5 par. 2; e) subjects or categories of subjects to whom the personal data may be disclosed or who may come to acquire knowledge thereof in the capacity of representative appointed in the State Territory, processors or controllers. 3. The Data subject has the right to obtain: a) data updating, rectification or integration, as required; b) erasure, transformation in anonymous form or block of data processed in breach of laws, including those data which are not required to be stored in relation to the scopes for which they were collected or subsequently processed; c) confirmation that the operations set forth by letters from „a” to “b” were disclosed, also in terms of content, to those subjects to whom data was disclosed or diffused, unless said fulfilment involves an effort that is impossible or manifestly disproportionate compared to the right to be protected. 4. The Data Subject has the right to fully or partially object: a) to the processing of his/her personal data for legitimate reasons, even if pertinent to the collection scope; b) to the processing of his/her personal data for the transmission of advertising or direct sale material or for market researches or business communications“.
- ART.25 – PROHIBITIONS TO DISCLOSE AND DIFFUSE: “1. Disclosure and diffusion are prohibited, in addition to the prohibition set forth by the Data Protection Supervisor and Judicial Authority: a) with regards to personal data for which erasure was ordered, or the time set forth by art. 11, par. 1, letter “e”, has been prescribed; b) for scopes other than those indicated in the processing notice, if required. 2. Without prejudice to communication or diffusion of data, pursuant to law, requested by the police, judicial authority, training and security bodies and other public subjects in conformity to art. 58, par. 2, for purposes related to defence or State security, or else for the prevention, suppression or detection of offences”.
- ART.4 – DEFINITIONS: (…) a) < processing > any operation or series of operations, also carried out without electronic tools, concerning the collection, recording, organisation, storage, consultation, elaboration, modification, selection, extraction, comparison, use, combination, block, disclosure, diffusion, erasure and destruction of data, even if not registered in a database (…); l) < disclosure > disclosure of personal data to one or more determined subjects other than the Data Subject, by the representative appointed by the Controller in the State territory, processor or persons appointed in any form, also by making them available or by consultation ; m) < diffusion > disclosure of personal data to undetermined subjects, in any form, also by making them available or by consultation”.