PRIVACY NOTICE PURSUANT TO ART. 12 AND 13 OF EU REGULATION No. 679/2016 AND CONSENT TO THE PROCESSING OF PERSONAL DATA
EU Regulation no. 679/2016 (also referred to herein as the GDPR) establishes rules relating to the protection of natural persons with regard to the processing of personal data and on the free movement of such data. In order to protect the fundamental rights and freedoms of natural persons, the Regulation therefore imposes on data controllers the obligation to provide data subjects with the information referred to in articles 12, 13 and 14, and to specify the rights of data subjects provided for under articles 15 to 22 of the GDPR.
Information pursuant to art. 13 (1)
Controller and contacts
The Controller is Ordine dei Cavalieri del Tartufo e dei Vini di Alba, whose registered address is Via Castello no. 5 – 12060 Grinzane Cavour (CN) – Italy; taxpayer ID no.: 81011470044 - Tel: +39 0173 262159 - Mail: email@example.com
Ordine dei Cavalieri del Tartufo e dei Vini di Alba informs you that your personal data will be processed:
- pursuant to articles 12 and 13 of EU Regulation no. 679/2016 (General Data Protection Regulation, referred to hereinafter as the “GDPR”), by specifically authorized parties only for the purposes and by the methods which will be specified hereinbelow in relation to the operation of the www.cavalierideltartufo.it web portal.
Data Protection Officer contact details
The activities performed by the Controller for the purposes given in the privacy notice are not included among those envisaged in art. 37 of EU Reg. no. 679/2016.
Subject, purposes of the processing
The Controller informs you that the personal data you provide on requesting information will be processed only for the purposes of carrying out the service requested.
Your data, as described above, will be subject to processing in the ways and forms laid down in the GDPR to perform the website’s functions.
In particular, the personal data you supply to the Controller will be processed for the pursuit of the following purposes:
- to comply with specific requests you make to the Controller through the Website and its communication tools;
- to provide information relating to the services of the Controller further to requests for information you make by email, ask for info and other communication tools such as, for example, telephone or fax;
- other purposes which are additional to or connected to those listed above and fall within the sphere of the Website’s activities.
This information notice only applies in reference to the above-mentioned www.cavalierideltartufo.it web portal.
Legal basis of processing
Apart from what has been set out above in relation to browsing data, the processing of the above personal data communicated by you to the Controller has the following legal basis:
The nature of this legal basis is therefore merely optional and not mandatory, as its only consequence may be that the Controller is unable to deliver the above-mentioned services of direct communication or contractual/pre-contractual performance.
The processing is not based on art. 6 par. 1 (f).
Recipients and categories of recipients of the data collected and data transfer
In particular, in relation to the above-mentioned purposes the data could be disclosed to the following parties and/or categories of parties, or may be disclosed to organizations and/or persons performing services, either internally or externally, on behalf of the Data Controller. For greater clarity, these include without being limited to: parties – inside or outside the company - which provide computing and telematic services for the management of the IT system used by the Controller and telecommunications networks (including email and web portal and website management and hosting); parties which the Controller reserves the right to appoint as processors; tax authorities and other companies or public entities in compliance with regulatory obligations; authorities with jurisdiction and/or bodies supervising compliance with legal obligations; consulting firms and practices; law firms and practices for the protection of contractual rights; parties which perform operations checking, auditing and certifying the activities put in place by the Controller as external data processors pursuant to art. 28 of the GDPR, or independently as separate Controllers.
The data will not be disseminated, to be understood as meaning that no unspecified parties will in any way be made aware of or have available or be able to consult the data unless granted free and well-informed specific consent for each type of processing.
Information pursuant to art. 13, par. 2
Period of storage of the data
In accordance with the principles of lawfulness, limitation of the purposes and storage and minimization of data, pursuant to art. 5 of the GDPR the period for which your personal data will be stored will be no longer than is necessary for the achievement of the purposes for which the personal data are collected and processed.
Rights of data subjects
- Right of Access and Rectification
Pursuant to art. 15 of the GDPR, as data subject you have the right to obtain from the Controller confirmation of whether or not processing of personal data relating to you exists, and to obtain access to said data and to all the information referred to in art. 15, paragraph 1 (a) to (h) through the issuing of a copy of the data subject to processing in a structured, commonly used, machine-readable and interoperable format.
Pursuant to art. 16 of the GDPR, as data subject you have the right to obtain from the Controller the rectification and/or completion of the data subject to processing if they are not updated and/or are inaccurate and/or incomplete.
- Right to Erasure and Right of Restriction
Pursuant to art. 17 of the GDPR, as data subject you have the right to obtain from the Controller the erasure of personal data concerning you without undue delay only in the cases provided for under art. 17, paragraph 1 from (a) to (f), except in the event of art. 17 paragraph 3 specifically applying.
Pursuant to art. 18 paragraph 1 (a) to (d), of the GDPR, as data subject you have the right to request and obtain from the Controller the restriction of the processing of your personal data, or that said data not be subject to further processing or alteration. The Controller guarantees that the restriction of processing is implemented using appropriate technical means ensuring its inaccessibility and inalterability.
- Right to Data Portability
Pursuant to art. 20 of the GDPR, as data subject you have the right to receive from the Controller the personal data concerning you which has been processed using automated means in a structured, commonly used and machine-readable format, and also have the right to transmit those data to another controller, or to obtain direct transmission of said data by the Controller, where technically feasible, to another specifically identified data controller.
- Right to Object
Pursuant to art. 21 of the GDPR, as data subject you have the right to object at any time to the processing of personal data concerning you on grounds relating to your particular situation in the event of the processing of your data being necessary (1) for the performance of a task carried out for reasons of public interest and/or in relation to the exercising of official authority vested in the Controller; (2) for the pursuance of a legitimate interest of the Controller or a third party; (3) for profiling activities if carried out by the Controller on the basis of the preceding points. You also have the right to object to the processing of your personal data on grounds relating to your particular situation if they are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89 (1) of the GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
- Methods of exercising the above rights
You may exercise your above rights by emailing a request to firstname.lastname@example.org or writing by registered mail with return receipt requested to the address given above.
The Controller will confirm receipt of your request and provide you with information relating to the action taken with reference to the exercising of your rights provided for under articles 15 to 22 of the GDPR within 1 (one) month of the receipt of your request. If necessary, and taking into consideration the complexity and number of requests, the Controller may extend this deadline by 2 (two) months, subject to justification being sent within 1 (one) month of the receipt of your request.
The Controller will disclose any rectifications, erasures, limitations and objections to all the recipients identified by art. 4, paragraph 1 (9) of the GDPR to whom the data have been transmitted, unless it proves to be impossible and/or involves disproportionate effort.
In the event of the Controller failing to comply with your request within 1 (one) month of its receipt, you will be informed by the Controller of the reasons for this failure to comply and of your right to lodge a complaint with the supervisory authority (Data Protection Authority), as specified pursuant to art. 13, paragraph 2 (d) and regulated by article 77 and subsequent articles of the GDPR.
- Right to Withdraw
Pursuant to art. 6 par. 1 (a) you have given your consent to the processing of your data for the purposes specified above and therefore the nature of your express consent is merely optional and not mandatory with no consequences other than the impossibility for the Controller to properly perform the above direct communication services. In any case, the consent you may have given may be withdrawn by you at any time, interrupting corporate services and activities with immediate effect. Such withdrawal will not compromise the lawfulness of the processing based on the consent given prior to the withdrawal.
- Right to Complain
Pursuant to art. 77 of the GDPR, as data subject you have the right to lodge a complaint with a supervisory authority in accordance with the methods indicated in said article.
- Consequences of failure to disclose your data
The communication of your data is not a legal obligation. But as specified above, it is based on the condition of lawfulness of the processing, or your express, freely given, specific, informed and unambiguous consent or, if necessary, the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract.
The nature of both these legal bases is therefore merely optional and not mandatory, with no consequences other than the impossibility for the Controller to properly perform the above direct communication services or carry out its contractual/pre-contractual performance. In any case, the consent you may have given may, as said, be withdrawn by you at any time, interrupting corporate services and activities with immediate effect.
- Automated decision-making and profiling
The Controller informs you that no automated decision-making processes - in other words processes aimed at taking decisions based only on technological means on the basis of predetermined criteria (without human involvement) - are used for the purposes of processing your personal data, and no profiling will be performed in order to use your personal data to analyze or predict aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements etc.
The processing of the personal data you disclose is performed by means of the operations indicated in art. 4 (2) of the GDPR, and to be precise: collection, recording, organisation, storage, consultation, processing, alteration, selection, retrieval, alignment, use, combination, disclosure, erasure or destruction of the data.
The personal data you disclose are subjected to automated processing for the time which is strictly necessary in order to achieve the purposes for which they have been collected using technical and organizational methods employed to prevent the loss, illegal or improper use and unauthorized access to the data, and therefore such as to guarantee a level of security appropriate to the risk pursuant to art. 32 of the GDPR by suitably authorized parties in compliance with the provisions of art. 29 of the GDPR, or employees and/or associates of the Controller in their capacity as authorized parties and/or system administrators who may perform consultation, use, processing, alignment and any other appropriate operation in compliance with the provisions of law necessary to guarantee, among other things, the confidentiality and security of the data as well as the accuracy, updating and relevance of the data in accordance with the declared purposes and methods.
In particular, unless specified otherwise herein the personal data you disclose will be subject to processing only at the registered offices of the Data Controller and will not therefore be disseminated, and pursuant to art. 13, paragraph 1 (e) they may only be processed by authorized parties and/or external data processors (in the person of single professionals and/or professional associations), including explicitly the hosting company and/or technical personnel assigned to the management and/or maintenance of the Website, but only and exclusively for the purposes expressly and specifically indicated above.