In compliance with current Regulations (Article 13 of the General Regulation concerning the Protection of Personal Data, hereinafter “GDPR), users browsing the website www.livialopresti.it (hereinafter “website”) are informed as follows on the processing of their data.
Data-processing controller and contacts
The data-processing controller is Livia Lo Presti, Via Giuseppe Bovini 35 – 48123 Ravenna – VAT Code 02303370395. The data-processing controller can be contacted via the email address email@example.com.
WHAT ARE THE PROCESSED DATA?
The processed data are browsing data and data provided spontaneously by the user.
IT systems and software procedures adopted to ensure the running of this website acquire, during their normal exercise, certain personal data, the transmission of which is implicit in the use of Internet communication protocols.
This information is not gathered so as to be associated with identified subjects. Nevertheless, by their nature they might, through elaboration and association with data by third parties, allow the identification of users.
In this data category we may mention: IP addresses or the domain names of the computers adopted by users connecting to the website, URI (Uniform Resource Identifier) addresses of the requested resources, the method used to submit the request to the server, the file dimension obtained as a response, the numeric code indicating the server data response status (success, error, etc.) and other parameters related to the operative system and IT environment of the user.
Data provided spontaneously by the user
PURPOSES AND LEGAL BASIS OF THE PROCESSING
Browsing data: PURPOSES AND LEGAL BASIS
Browsing data are acquired to obtain statistical information on use of the website, for security purposes and to check the correct functioning of the website. Data may be used to verify liabilities in case of computer crimes damaging the website.
The legal basis of the processing of such data is legitimate interest and, in case of a request by the Authorities, legal obligations.
Data provided spontaneously by the user: PURPOSES AND LEGAL BASIS
Personal data given by the user spontaneously by contacting the controller are used only to answer their requests.
The legal basis for processing such data is therefore the execution of precontractual measures.
If necessary, data will be used where the controller has a legitimate interest in verifying the security and correct functioning of the adopted IT systems and enacting defensive measures or defending a right in a Court.
Gathered data are processed with IT tools and, only on a residual basis, on paper. Adequate security measures have been adopted in order to prevent the loss of data, illegal or incorrect use and non-authorized access.
Servers located within the European territory are used for data processing related to hosting services of the website.
The controller uses third-party services (GSuite) that entail an international transfer of data, taking place with the guarantee offered by the Adequacy Decision taken by the European Commission (Privacy Shield) and by standard contractual clauses.
Data directly provided by the data subjects are stored for the strictly limited period of time necessary to respond to the data subjects’ requests and then are subsequently cancelled, excepting cases where an assignment is being confirmed (in this case the data will be kept for the whole duration of the relationship and in compliance with legal obligations) and defensive needs (that might require further conservation).
Browsing data do not exist for more than seven days and are immediately erased after their aggregation, unless required for criminal investigations by the Judicial Authority.
WHAT HAPPENS IF DATA ARE NOT PROVIDED?
With the exception of browsing data which are necessary to perform IT and electronic transmissionc protocols, provision of data by users via the available modalities is free and optional. However, in the absence of this provision of data, the controller will not be able to answer the data subjects’ requests and data subjects will not be able to submit any request.
WHO IS ENTITLED TO KNOW THE DATA?
Data shall be made known to the empowered Authorities in case of specific requests which the controller has the legal obligation to answer. Data shall be also made known to companies and advisors consulted by the controller to receive the hosting service and the assistance and maintenance services of the adopted services, as well as to advisors handling legal disputes and legal assistance on occasion of disputes requiring their involvement.
It is specified that some of the indicated subjects are responsible for the processing and that communications to those acting as independent controllers are performed in compliance with legal obligations or as necessary to fulfil the obligations deriving from the contract or in the controller’s legitimate interest to maintain the security of the IT systems and perform defence activities via legal advisors.
The data subject may request from the controller the list of external subjects who perform activities as data processing controllers.
Such communication is however limited to data categories for which the transmission is necessary to perform the activities and purposes pursued.
The rights of data subjects
The Law acknowledges the right to ask the data controller for access to personal data, their rectification or cancellation, or the limitation to their processing or to oppose to their processing, in addition to the right to data portability.
The data subject may, at any time, assert his/her rights, with no formalities, by writing to the controller at the email address firstname.lastname@example.org.
Here follow the rights acknowledged by current legislation regarding the protection of personal data.
- Right of access: i.e. the right to obtain confirmation from the data controller whether or his/her personal data are being processed. If yes, he/she shall have access to those personal data as well as the following information: a) processing purposes; b) categories of personal data in question; c) the recipients or categories of recipients to whom the personal data have been or will be communicated, in particular if recipients of third countries or international organizations; (d) the retention period of personal data or, if this is not possible, the criteria used to determine such period; e) the existence of the right of the interested party to ask the data controller to correct or delete personal data or limit the processing of personal data or to be against their treatment; f) the right to file a complaint with a supervisory authority; g) all information regarding the origin of the data, if these are not collected from the interested party, h) the existence of an automated decision-making process, including profiling and, at least in such cases, significant information on the used logic as well as the importance and expected consequences for the interested party for the processing. Whenever personal data are transferred to a third country or an international organization, the interested party has the right to be informed of the existence of adequate guarantees relating to the transfer.
- Right of rectification: i.e. the right to ask the data controller to rectify incomplete or incorrect personal data without unnecessary delay. Considering the purposes of the processing, the interested party has the right ask his/her personal data to be integrated, also by providing an additional declaration.
- Right to cancellation: i.e. the right to ask the data controller to delete one’s personal data without unnecessary delay, if: a) personal data are no longer necessary with respect to the purposes for which they were collected or otherwise processed; b) the interested party revokes the consent on which the processing of his/her data is based on, and if there is no other legal basis for the processing; c) the interested party is against the processing because it is needed for the execution of a task of public interest or connected to the exercise of public authority for which the holder is appointed, or for the pursuit of legitimate interest and there is no legitimate reason to proceed the processing, or he/she is against processing for direct marketing purposes; d) personal data have been processed unlawfully; e) personal data must be deleted to fulfil a legal obligation under the EU or Member State law to which the data controller is subject to; f) personal data have been collected in relation to an offer by information society services of minors. However, the request for cancellation cannot be accepted if the processing is necessary: a) for the exercise of the right to freedom of expression and information; b) for the fulfilment of a legal obligation requiring processing under the EU or a Member State law to which the data controller is subject to or for the performance of a task carried out in the public interest or in the exercise of official authority; c) for reasons of public interest in the public health sector; d) for archiving purposes in the public interest, for scientific or historical research or for statistical purposes, insofar as the cancellation risks make it impossible or seriously prejudice the achievement of the objectives of such treatment; or e) for the assessment, exercise or defence of a right in court.
- Right of limitation, i.e. the right to be guaranteed that data are processed, except for retention, only with the consent of the interested party or for the assessment, exercise or defence of a right in court or to protect the rights of another personal or legal person, or for reasons of significant public interest of the EU or a Member State, if: a) the interested party questions the accuracy of personal data for the period needed by the data controller to verify the accuracy of such personal data; b) the processing is illegal and the interested party is against the cancellation of his/her personal data and asks that they are used in a limited way instead; c) although the data controller no longer needs the data for processing purposes, the interested party needs them, in order to verify, exercise or defend a right in court; d) the interested party has opposed the processing carried out because it is necessary for the execution of a task of public interest or connected to the exercise of public authority the owner was appointed with, or for the pursuit of the legitimate interests of the data controller or third parties, waiting for verification of a possible prevalence of legitimate reasons of the data controller as opposed to those of the interested party.
- Right to portability, i.e. the right to receive personal data (given to the holder) in a structured, commonly used and readable way from automatic devices, and the right to transfer such data to another holder without impediments by the holder they were given, as well as the right to obtain direct transfer of his/her personal data from one holder to another, if technically feasible, should the processing be based on consent or on a contract and the processing is done by automated means. This right does not affect the right to cancellation.
- Right of opposition, i.e. the right of the interested party to oppose at any time, for reasons connected to his/her particular situation, the processing of personal data, since it is necessary for the performance of a task of public interest or related to the exercise of public authority for which the holder was appointed with, or for the pursuit of the legitimate interest of the data controller or third parties. If personal data are processed for direct marketing purposes, the interested party has the right to oppose the processing of personal data at any time, including profiling in so far as it is related to such direct marketing.
The data subject is informed that, in case in case he/she believes that the processing of his/her personal data is violating what stated on the GDPR, he/she has the right to lodge a complaint with the Privacy Authority as per Art. 77 of the Regulation, or to bring the issue before the appropriate judicial offices (Art. 79 of the Regulation).