INFORMATION ON THE PROCESSING OF PERSONAL DATA (Ex Art. 12 and 13 of EU Regulation 2016/679 of the European Parliament and of the Council) Dear Sirs, The Company Gefond S.r.l. with registered office in Via Triboniano, 103 - 20156 Milan VAT No. 11194610157, as the Data Controller, informs you that the EU Regulation 2016/679 of the European Parliament and of the Council ("General Data Protection Regulation"), lays down rules on the protection of natural persons with regard to the processing of personal data, as well as rules on the free movement of such data. The Regulation protects the fundamental rights and freedoms of natural persons, in particular the right to protection of personal data. The data controller (natural or legal person who determines the purposes and means of the processing of personal data) shall take appropriate measures to provide the data subject with all information relating to the processing. In accordance with the legislation indicated, such processing will be based on the principles of fairness, lawfulness and transparency and the protection of your confidentiality and your rights. Pursuant to Articles 12 and 13 of EU Regulation 2016/679, in the event that data relating to the data subject is collected from the data subject, the Data Controller shall provide the data subject with the following information at the time the personal data is obtained:
- 1. Object of Treatment
The Data Controller processes personal data, identification data concerning a natural person (interested party) such as name, surname, identification number, company name, address, telephone, e-mail, bank and payment references etc........ communicated by you when concluding contracts for the services of the Data Controller.
- 2. Data Controller and Representative of the Data Controller
The Data Controller is: Gefond S.r.l. c/o Gefond S.r.l. with registered office in Via Triboniano, 103 - 20156 Milan P.IVA 11194610157, Tel +39 02 3340154 / Fax +39 02 33401961, firstname.lastname@example.org The Data Controller's representative (where applicable) is : GEFOND SRL The updated list of Data Processors (where applicable) and of the persons in charge of the processing is kept at the registered office of the Data Controller.
- 3. Data Protection Officer (if applicable)
The Data Protection Officer is: GEFOND SRL
- 4. Purpose of data processing
The data you provide will be processed without your express consent for the following purposes: 2A)performance of a contract 3A) performance of pre-contractual measures 4A) legal obligation to which the data controller is subject 7A) pursuit of the legitimate interest of the data controller or of third parties. The processing of the data is lawful because: 2C) processing is necessary for the performance of a contract to which the data subject is party or for the performance of measures pre-contractual arrangements adopted at its request, 3C) processing is necessary for compliance with a legal obligation to which the data controller is subject; 4C) processing is necessary in order to protect the vital interests of the data subject or of another natural person; 6C) processing is necessary for the purposes of pursuing the legitimate interests of the data controller or of a third party, provided that the interests or the fundamental rights and freedoms of the data subject requiring the protection of personal data do not prevail, in particular where the data subject is a minor). Pursuant to Section 13(3), the Data Controller undertakes not to use the personal data acquired for processing purposes other than those for which they were collected, without having provided further information to the data subject regarding such other purpose and any further relevant information as referred to in Section 2, or without having requested additional consent (where mandatory).
- 5. Legitimate interests of the data controller (where applicable only if the conditions of lawfulness of the processing referred to in point 3 are of type 6C)
The processing of data is based on the following legitimate interests: possible right of defence in court.
- 6. Methods of data processing
The processing of personal data shall be carried out by means of the operations indicated in Article 4, paragraph 2), namely: collection, recording, organisation, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, restriction, deletion or destruction; The processing of data shall be carried out by means of instruments and procedures suitable to guarantee their security and confidentiality. Personal data will be processed in the following ways: ■ paper-based manual ■ computerised manual (without automated decision-making) ■ other: Video recording
- 7. Dissemination of data
Without the need for your express consent (ex art. 6 letters b) and c)), the Data Controller may communicate your data for the above-mentioned purposes to Supervisory Bodies, Judicial Authorities, insurance companies, as well as to those subjects to whom communication is compulsory by law for the fulfilment of the above-mentioned purposes. These subjects will process the data in their capacity as autonomous data controllers. ■ the data may be/will be communicated to the following categories of recipients: external processors who take part in the business process solely to fulfil specific legal obligations and in compliance with contractual obligations, public and private entities with tax, social security, welfare and insurance purposes
- 8. Dissemination of data to a third country or international organisation
■ Data personal will not be transferred to a Third Country or to an International organization.
- 9. Nature of the provision of data and consequences of refusal to respond
The data controller is obliged to inform the data subject whether the provision of personal data is a legal or contractual obligation or a prerequisite for the conclusion of a contract, and whether the data subject is obliged to provide the personal data as well as the possible consequences of failure to do so; The provision of data is: ■ obligatory (Point 4, letters A) Where the provision of data for the purposes indicated is obligatory, the reason for the obligation is due to performance of a contract or pre-contractual measures. Where the provision of data for the purposes indicated is mandatory, any refusal to provide such data ■ could result in the contract not being executed, ■ could lead to partial performance of the contract, ■ failure to continue the relationship, ■ failure to provide services.
- 10. Data Retention
The Controller shall process personal data for the time strictly necessary to fulfil the above purposes and in any case for no longer than 10 years after termination of the relationship for the Service Purposes. ■ The personal data processed will be kept until: 10 years after termination of the contract.
- 11. Security measures
The Owner, in accordance with art. 32 of EU Regulation 2016/679, has adopted physical, technical and organizational data protection measures in order to ensure an adequate level of security against the risk of destruction, loss, misuse or alteration of an accidental or illegal nature.
- 12. Rights of the interested party
At any time the person concerned may exercise his/her rights towards the data controller. Article 13 letter b) of EU Regulation 2016/679, states that when personal data are obtained, the data controller provides the data subject with the following rights necessary to ensure the correct and transparent processing of personal data:
- - access to data (Art. 15)
- - rectification of data processing (art. 16)
- - deletion of data (Art. 17)
- - limitation of data processing (Art. 18)
- - of opposition to the processing of data (Art. 21)
- - data portability (Art. 20).
In addition to the rights set out in Article 13, the EU Regulation provides that the person concerned may exercise further rights:
- - revocation of consent (Art. 7)
- - lodge a complaint with a supervisory authority (Art. 77).
Attached are the articles dealing specifically with the individual rights of the interested party.
- 13. Right to withdraw consent (Art. 7)
Article 7 paragraph 3, states that the data subject has the right to withdraw his or her consent at any time in the following cases - where the processing is based on the consent given to the processing of his or her data for one or more specific purposes (Article 6(1)(a)), - where the processing relates to special categories of personal data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or sex life or sexual orientation) and is based on consent to the processing of one's own data for one or more specific purposes (Article 9(2)(a)). Withdrawal of consent shall not affect the lawfulness of the processing based on the consent given before the withdrawal. Before giving consent, the data subject shall be informed thereof. Consent shall be withdrawn as easily as it is given.
- 14. Right to complain to a supervisory authority (Art. 77)
Article 77 states that if the data subject considers that processing concerning him or her is in breach of this Regulation, he or she has the right to lodge a complaint with a supervisory authority, namely in the Member State in which he or she normally resides or works or in the place where the alleged breach occurred. This is without prejudice to any other administrative or judicial remedy. The controller shall inform the data subject of the possibility of lodging a complaint with a supervisory authority and of seeking judicial remedy. The supervisory authority to which the complaint is lodged shall inform the complainant of the status or outcome of the complaint, including the possibility of a judicial remedy pursuant to Article 78. The data subject shall also have the right to an effective judicial remedy if the supervisory authority does not deal with a complaint or does not inform the data subject within three months of the status or outcome of the complaint lodged. This is without prejudice to any other administrative or judicial remedy.
- 15. Procedures for the exercise of the rights of the data subject
The interested party may at any time exercise the rights by sending the Data Controller and/or the Data Processor (if appointed): - a registered letter A.R to the address: c/o Gefond S.r.l. with registered office in via Montefeltro, 6 - 20156 Milan VAT no. 11194610157, - an e-mail to: email@example.com The Data Controller GEFOND SRL Milan Li 31.07.2019 _________________________________________ Signature (in full and legible)