Last modified: 01/04/2018
LAWFULNESS FOUNDATIONS OF PROCESSING
The European regulation confirms that every processing must be well-founded in an adequate legal basis. The lawfulness foundations of processing are specified in article 6 of the Regulation and these coincide, broadly, with those currently foreseen by the Code (consent, compliance with contractual obligations, vital interests of the interested person or of a third party, legal obligations to which the owner is subject, public interest or the exercise of public authority, legitimate and prevailing interest of the owner or of a third party to whom the data are communicated).
As regards sensitive data (article 9 of the Regulation), the consent must be explicit; the same applies to the consent to decisions based on automated processing (profiling included – article 22).
Consent need not be "documented in writing", nor is the "written form" required, even if this is the correct way to establish that the consent is unequivocal and "explicit" (as regards sensitive data); moreover, the owner (article 7.1) must demonstrate that the person concerned has given consent to a specific processing.
Vital interest of a third party:
You can invoke this legal basis only if every other lawfulness condition has been applied.
Legitimate and prevailing interest of an owner or a third
The balancing between the legitimate interest of the owner or a third party and the rights and liberties of the person concerned is not up to the authority but to the owner. This is one of the main expressions of the accountability principle introduced by the new data protection package. The legitimate interest of the owner or of a third party has to prevail over the fundamental rights and liberties of the person concerned in order to constitute a valid lawfulness foundation.
The regulation explicitly clarifies that the legitimate interest of the owner doesn't constitute a suitable legal basis as regards the treatments conducted by public authorities in execution of the respective tasks.
The contents of the report are exhaustively listed in article 13, paragraph 1, and article 14, paragraph 1, of the regulation, and they are partly wider than those of the privacy code.
For the website www.extraflexmaterassi.it of the company Manifatture dell'Adriatico Srl, located in Nereto (TE) at Via Roma 103, the owner of the treatment is DE BERARDINIS DANIELE.
In particular, the owner must always specify what his legitimate interest is, if the latter constitutes the legal basis of processing, and whether he transfers personal data to third countries and, if so, through what countries. The regulation also foresees other information since these are "necessary to guarantee a correct and transparent treatment": in particular, the owner has to specify the data collection period or the parameter followed to establish the collection's period. If the treatment involves automated decision-making processes (profiling included), the report must specify that and it must also indicate the logic of those decision-making processes and the consequences foreseen for the data subject.
Time of the report:
In the case of personal data which aren't directly collected from the interested person (article 14 of the regulation), the report must be provided within a reasonable term which can't exceed one month from the data collection, or at the time of data communication (to a third party or to the interested person).
The way of the report:
The regulation specifies, in much more detail than the Privacy Code, the characteristics of the report, which must be concise, transparent, intelligible for the data subject and easily accessible; clear and simple language must be used, and the report must be given, in principle, in writing and preferably in electronic form.
The report (regulated by articles 13 and 14 of the regulation) must be given to the data subject before carrying out the data collection. In any case, the owner must specify his identity and that of any representative in the Italian territory, the purpose of the processing, the rights of the data subjects (the right to data portability included), whether a manager of the processing exists and what his identity is, and who the recipients of the data are.
RIGHTS OF DATA SUBJECTS
The time limit for the answer to the data subject is, for all the rights (right of access included), one month, extendable up to 3 months in cases of particular complexity; in any case, the owner must give feedback to the data subject within 1 month from the request, also in the case of denial.
The owner, who is the proprietor and the legal representative of the company Manifatture dell'Adriatico Srl, must evaluate the complexity of the feedback given to the data subject. The feedback must normally be in writing, also through electronic means which facilitate accessibility; it can be given orally only if the data subject himself requires it (article 12, paragraph 1; see also article 15, paragraph 3).
The answer given to the data subject must be intelligible, concise, transparent and easily accessible, and must use clear and simple language.
- Right of access (article 15):
The right of access foresees in any case the right to receive a copy of the personal data in question. Among the information, the owner mustn't give the way of treatment. On the contrary, he must indicate the period for which retention is required and, where this isn't possible, the criterion used to define this period, and the guarantees applied in case of transfer of data to third countries.
- Right to erasure (right to be forgotten, article 17):
The so-called right to be forgotten is like the right to erasure of personal data in a stronger form. The owners, in fact, must inform (if the personal data of the interested party: for example, publishing them on a web-site) other owners about the request for cancellation of personal data, "link, copies or reproduction included" (see also article 17, paragraph 2). The field of application is wider than the one referred to in article 7, subparagraph 3, letter b), of the Code, because the interested party has the right to ask for the cancellation of the data, for example, even after the withdrawal of consent for processing (see also article 17, paragraph 1).
- Right to restriction of processing (article 18):
It concerns a different and wider right than the block of the treatment referred to in article 7, subparagraph 3, letter a), of the Code: in particular, it is exercisable not only in case of violation of the conditions of lawfulness of processing (as an alternative to the cancellation of the data), but also if the interested party asks for the correction of the data (while waiting for the correction by the owner) or objects to their processing under article 21 of the regulation (while waiting for the evaluation by the owner). Every other processing of data, conservation excluded, is forbidden unless certain circumstances apply (interested party's consent, establishment of rights in court, protection of the rights of a natural or legal person, relevant public interest).
OWNER, MANAGERS AND THE REPRESENTATIVE OF THE PROCESSING
The regulation governs the co-ownership of processing (article 26) and requires the owners to define their respective areas of responsibility and tasks, with particular regard to the exercise of the interested party's rights, who can address any one of the owners working together. It also fixes in more detail (than article 29 of the Code) the characteristics of the act with which the owner designates a manager of processing and gives him specific tasks: it must be a contract, and it has to regulate the subjects in paragraph 3 of article 28 with the aim of demonstrating that the manager gives "sufficient guarantee", such as, in particular, the nature, the duration and the purpose of the processing or of the assigned processing, the categories of data being processed, the technical and organisational measures which allow compliance with the instructions given by the owner and, in general, with the provisions contained in the regulation.
THE APPROACH BASED ON RISK AND OWNERS AND MANAGERS' MEASURES OF
The regulation strongly emphasises the accountability of owners and managers, that is to say, the adoption of proactive behaviours which demonstrate that measures assuring the application of the regulation have been adopted.
Many of those activities are fundamental and are connected to the second criterion found in the regulation for the management of owners' obligations, that is to say the risk related to the processing. This is the risk of negative impacts on the freedoms and rights of interested parties. Those impacts must be analysed through an evaluation process (see also articles 35 and 36), taking into account the known and defined risks and the technical and organisational measures that the owner has to adopt to mitigate the risks. On the outcome of this evaluation the owner will be able to decide independently whether to start the processing (by adopting suitable measures to sufficiently mitigate the risk) or to consult the competent supervisory authority in order to obtain indications about how to handle the residual risk; the authority won't have the task of authorizing the processing, but of indicating the additional measures to implement, and it will be able to adopt, where necessary, all the remedial measures pursuant to article 58: from a warning to the owner to the limitation or the prohibition of the processing.
Therefore, the intervention of the supervisory authority will be mainly "ex post", that is to say it will follow the determinations taken by the owner; this explains the abolition, from 25 May 2018, of some institutes foreseen by the 1995 directive and by the Italian code, such as the prior notification of the processing to the supervisory authority and the so-called prior check (see also article 17 of the Code), which are replaced by the obligation for the owner to keep a processing register and to carry out impact assessments in complete independence. Moreover, supervisory authorities, and in particular the "European data protection committee", will have a fundamental role in guaranteeing consistency of approach and providing analytical and interpretative aids.
- Security Measures:
Security measures must "ensure a level of security that is appropriate to the risk" of processing (article 32, paragraph 1); in this regard, the list in paragraph 1 of article 32 is open and isn't exhaustive. Attention is drawn to the possibility of using adherence to specific codes of conduct or to certification schemes in order to certify the adequacy of the security measures.
- Notification of personal data violation:
From 25 May 2018 all the owners, not only the providers of electronic communication services available to the general public, will be able to notify personal data violations to the supervisory authority, in 72 hours and "without unjustified delay", but only if they believe that the violation brings risks for the rights and freedoms of the interested subject. Therefore, the notification of the violation to the authority isn't obligatory, being subordinate to the evaluation of the risk for the interested subject. If the risk is high, the interested subject must be informed of the violation "without unjustified delay"; the exceptions are the circumstances indicated in paragraph 3 of article 34, which coincide only partially with those currently mentioned in article 32-bis of the Code.
All the owners of processing must in any case document the violations of personal data they have suffered, even if these aren't notified to the supervisory authority and aren't communicated to the interested subjects, as well as their circumstances and consequences and the measures taken (see also article 33, paragraph 5); this obligation isn't different from the one currently foreseen by article 32-bis, subparagraph 7, of the Code. Therefore, the owners of processing must adopt the necessary measures to document any potential violation, because they have to provide this documentation, upon request, to the Guarantor in case of findings.
- Data Protection Officer:
The designation of a "data protection officer" reflects the approach that is proper to the regulation (see also article 39), being intended to facilitate the implementation of the regulation by the owner/manager. Among the tasks of a DPO there are "staff training and awareness" and the supervision of the development of the impact assessment according to article 35. Its designation is obligatory in few cases (see also article 37) and the regulation defines the subjective and objective characteristics of that figure (independence, authority, management skills: see also articles 38 and 39), which the Article 29 Working Party considered appropriate to clarify through recent guidelines, available also on the Guarantor's website.
- Legal basis for the processing
- Data collection and purpose
This website, like all websites, uses log files where information is gathered automatically during users' visits. The information gathered may be the following:
- internet protocol address (IP);
- type of browser and the parameters of the device used to log on the website;
- internet service provider's name;
- date and time of visiting;
- web page of the visitor;
- possibly the number of clicks.
This information is processed automatically and gathered in aggregated form in order to verify the correct functioning of the web site, and for security reasons. For security reasons (antispam filters, firewall, virus protection), data collected automatically may also include personal data such as the IP address, which may be used, in accordance with the law in force, in order to block attempts to damage the site. These data are never used for identification or user profiling, but only to protect the website and its users (this information will be processed on the basis of the legitimate interests of the owner).
Data received will be used only for the provision of the service required and only for the time needed to provide the service.
The website users provide the information knowingly and voluntarily, exempting this website from any responsibility for any possible violation of the laws. The users must verify that they have permission to enter third parties' personal data or content protected by national and international laws.
Data collected by the website during its functioning are used only for the purposes mentioned above and are stored for the time strictly necessary to carry out the activities specified. In any case, data which are recognised by the site will never be given to third parties, for any reason, unless it is self-defence from the judicial authority and as otherwise required by law.
- Place of processing
Data collected by the website are processed at the seat of the processing owner and at the web hosting datacenter. The web hosting provider, which is responsible for data processing and processes data on behalf of the owner, is in the European Economic Area and acts in accordance with European laws.
Session cookies are essential to distinguish among logged-in users and are useful to prevent a requested function from being provided to the wrong user, as well as for security purposes, to avoid cyber attacks on the site. Session cookies don't contain personal data and last only for the session in progress, that is, until the browser is closed. For those cookies consent isn't required. Functionality cookies used by the site are strictly necessary for the use of the site; in particular, they are linked to a request for functionality from the user (such as login), for which consent isn't required.
Technical session cookie
The use of session cookies is strictly limited to the transmission of session identifiers (random numbers generated by the server) which are necessary to allow the safe and efficient exploration of the site.
Session cookies, used in this site, avoid the use of other computer techniques which are potentially injurious to the privacy of the user's web surfing and don't allow the acquisition of personal data which identify the user. Those cookies are processed with technology modalities.
Other technical cookies
The website www.extraflexmaterassi.it uses some technical cookies that are inserted to record consent to the use of analytics cookies and profiling cookies. The user is free to erase the cookie from his computer.
There are other cookies which are essential for the proper functioning of the website. These cookies provide services required by users and make it possible to surf the website at its best performance. These cookies cannot be disabled because they are necessary for the proper functioning of the site.
This website uses the following types of cookies:
- Technical cookies (Necessary)
- Analytics cookies (Statistics)
- Marketing cookies (Marketing)
Technical cookies (Necessary)
Technical cookies help make a website usable by enabling basic functions such as page navigation and access to the protected areas of the site. The website cannot function properly without these cookies.
Analytics cookies (Statistics)
Analytics cookies help website owners understand how visitors interact with sites by collecting and transmitting information in anonymous form.
This website uses the Google Analytics service of the company Google, Inc. (hereinafter "Google") to generate statistics on the use of the web portal. The place of data processing is the USA.
Google Analytics uses the user's information in anonymous form (anonymous IP). Although they are listed in this category, Google Analytics cookies are considered technical cookies owing to the anonymity of the users.
To consult the privacy policy of the company Google relating to the Google Analytics service, please access the following link
Marketing cookies (Marketing)
Marketing cookies are used to track visitors across websites. The intent is to display ads that are relevant and engaging for the individual user and therefore of greater value to publishers and third-party advertisers.
This website uses the Youtube service of the company Google, Inc. (hereinafter "Google") to display videos. The place of data processing is the USA.
To consult the privacy policy of the company Google relating to the Youtube service, please access the following link
This website uses the Google Maps service of the company Google, Inc. (hereinafter "Google") to display interactive maps. The place of data processing is the USA.
How to disable cookies
The majority of browsers make it possible to refuse or accept cookies. The user can manage his preferences about cookies through the functions contained in common browsers, which make it possible to erase or remove cookies (all or some of them) or to change the browser settings in order to block the sending of cookies or to limit it to specific websites. Therefore you can deny the use of cookies by following the disabling procedure provided by your browser.
Information which is not contained in this policy
Further information about personal data processing can be requested at any moment from the owner of processing using the contact information.
Our website is intended for a general audience and it doesn't offer services addressed to children. If we find out that a minor gave us personal data without parental or guardian authorization, we'll erase this information immediately.
Defence in court
The user's personal data can be used for the owner's defence in court, or in the stages leading to the possible start of legal proceedings, against abuses by the user in the use of the same or of the connected services.
After a subpoena, a court order or another legal proceeding; in order to establish or exercise the rights granted by law; in order to defend us from a possible legal action against us or for another purpose.
The user declares to be aware that the owner may be asked to reveal data upon request of public authorities.