EU REGULATION 2016/679 - GDPR

Tullio Cosentino, registered in the Catania Company Register, CF CSNTLL59C23C351X and VAT no. 05457270873, trading in the sector of jewelry, silverware, goldsmithing, watchmaking and costume jewelry, ATECO code 464800, with registered office in Via Spiaggia 383, 95016 Mascali (CT) - contacts: Tel 349 1366278, email sales@gioiasi.com - as Data Controller, i.e. the person who determines the purposes and means of the processing of personal data, informs you, pursuant to Article 13 of the EU Privacy Regulation 2016/679 (hereinafter GDPR), that the data will be processed in accordance with the methods and purposes of this Information.

DEFINITIONS

  • data controller: the natural or legal person, public authority, service or other body which, individually or together with others, determines the purposes and means of the processing of personal data;
  • data processor: the natural or legal person, public authority, service or other body that processes personal data on behalf of the data controller;
  • recipient: the natural or legal person, public authority, service or other body that receives communication of personal data, whether it is a third party or not;
  • third party: the natural or legal person, public authority, service or other body other than the data subject, the data controller, the data processor and the persons authorized to process personal data under the direct authority of the data controller or the data processor;
  • profiling: any form of automated processing of personal data consisting in the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning professional performance, economic situation, health, personal preferences, interests, reliability, behavior, location or travel of said natural person.

1. Object of the Treatment

    By processing of personal data we mean any operation or set of operations, carried out with or without the aid of automated processes and applied to personal data or sets of personal data, even if not registered in a data bank, such as collection, registration, organization, structuring, storage, processing, selection, blocking, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, limitation, cancellation or destruction.

    By personal data we mean: identifying data such as name, surname, identification number, location data, telephone, an online identifier, e-mail, bank and payment references or one or more characteristic elements of your physical, physiological, genetic, psychological, economic, cultural or social identity, communicated by the customer on the occasion of the conclusion of contracts with Tullio Cosentino, with explicit consent pursuant to Article 9 of the GDPR relating to the processing of sensitive data, if necessary and provided for by law.

    The consent of the interested party must be understood as any manifestation of the will of the interested party, expressed in a free, specific and unequivocal manner, with which he agrees, by unequivocal declaration or positive action, to the personal data concerning him being processed (GDPR).

2. Data processing pursuant to Article 6 of the GDPR: legal basis, purpose of the processing, consequences of refusal, communication and data accessibility.

The legal basis of the processing can be understood as the source / origin / justification of the processing in a law, in the fulfillment of a contract and in the satisfaction of a request from the interested party. Your personal data are processed pursuant to Article 6 of the GDPR for the following service purposes:

  • conclude contracts for the Controller's services;
  • fulfill the pre-contractual, contractual and tax obligations deriving from existing relationships with you;
  • fulfill the obligations established by law, by a regulation, by community legislation or by an order of the Authority (such as in the field of anti-money laundering);
  • exercise the rights of the owner, for example the right to defense in court.

The provision of data for the aforementioned purposes is mandatory. Refusal to provide data may prevent the fulfillment of the legal obligation, also exposing the interested party to penalties provided for by the legal system; refusal to provide data may preclude the execution of the contractual obligation and expose the interested party to any liability for breach of contract; refusal to provide data may result in the data subject not receiving the requested service.

The customer's data may be made accessible for the aforementioned purposes to third-party companies or other subjects that carry out outsourced activities on behalf of the Data Controller, in their capacity as external data processors.

The Data Controller may communicate customer data for the aforementioned purposes to those subjects to whom communication is required by law for the accomplishment of the aforementioned purposes. These subjects will process the data in their capacity as independent data controllers. Customer data will not be disclosed.

3. Data processing pursuant to Article 7 of the GDPR for marketing, promotional and advertising purposes.

The customer's personal data are processed pursuant to Article 7 GDPR, subject to their specific consent, for the following marketing, promotional and advertising purposes:

  • send by e-mail, post and/or text message and/or telephone contacts, newsletters, commercial communications and/or advertising material on products or services offered by the Data Controller and survey of the degree of satisfaction with the quality of services;
  • send commercial and/or promotional communications from third parties - business partners via e-mail, post and/or SMS and/or telephone contacts.

The provision of data for the above purposes is optional. The customer can therefore decide not to provide any data or to subsequently deny the possibility of processing data already provided: in this case, he will not be able to receive newsletters, commercial communications and advertising material relating to the Services offered by the Data Controller. However, he will continue to be entitled to the Services referred to in art. 2.

4. Processing methods - Methods of manifestation of the data processing consent - site

The processing of the customer's personal data is carried out by means of the operations indicated in art. 4 n. 2) GDPR and more precisely: collection, registration, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of data.

Personal data are subjected to both paper and electronic and / or automated processing, with the support of IT or telematic means. Personal data is collected on the website www.gioiasi.com ("Site") with particular reference to the user registration area.

For maximum transparency, and so that the user concerned can give informed consent, we specify that registration on the Site is required only of users who register because they intend to consent to the processing of their personal data for the purposes of the Services referred to in art. 2, the Marketing Purposes referred to in art. 3, or both. If the user does not intend to give consent to the processing for the service purposes referred to in art. 2 and for the marketing purposes referred to in art. 3, he must not (nor will he be able to) register, but can still browse and view the contents of the Site as an unregistered user. The registration process consists in completing an online form that asks for certain personal data in order to activate authentication credentials (login + password), with which the interested party will access all the functions reserved for registered users to manage the receipt of communications for the purposes indicated in articles 2 and 3 of this information. With a view to absolute transparency, the Company informs the data subject that the data will be collected and subsequently processed on the basis of a specific, free, revocable, verifiable and unambiguous consent, given by means of the consent form attached to this information.

The user can give their consent, authorizing the processing of their data for the purposes referred to in Articles 2, 3, 5 and 6 of this information, by means of the appropriate consent form attached to it.

5. Profiling - Automated decision-making process - Processing of personal data for marketing and service profiling purposes - Consent for Profiling TREATMENT

It is possible that, for marketing and service improvement purposes, the Company will process the so-called profiling data referred to in art. 4, paragraph 1, n. (4) of the EU Regulation / Guidelines on automated decision-making and profiling with respect to the rules set out in the European Regulation 2016/679 - GDPR: "any form of automated processing of personal data consisting in the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects relating to the professional performance, economic situation, health, personal preferences, interests, reliability, behavior, location or travel of that natural person". It is also possible that an automated decision-making process will take place, in which decisions are made solely through technological means (i.e. without human involvement); it can be based on data provided directly by the interested party (e.g. via forms or a questionnaire), on data obtained from tracking programs (e.g. individual geolocation provided by an app) or on data deriving from previously created profiles. Pursuant to Article 22 paragraph 2 of the EU Privacy Regulation, by way of derogation from the general prohibition of a fully automated decision-making process, this process, including profiling, is allowed when the decision is necessary for the conclusion or execution of a contract between the data subject and the data controller; when the decision is authorized by the law of the Union or of the Member State to which the data controller is subject; or when the decision is based on the explicit consent of the interested party.
The profiling in question can be carried out essentially through: a) processing, in an automated manner, the personal data of authenticated users in relation to the use of the service for forwarding and receiving e-mail messages; b) cross-referencing personal data collected in relation to the supply and use of several different functions among those made available to the user. The Company informs you that the profiling activity may concern "individual" personal data or "aggregate" personal data deriving from detailed individual personal data. To carry out profiling of personal data it is mandatory to acquire a specific, express, documented, prior and completely optional consent, separate from the consent to processing for the service purposes referred to in art. 2 and from the consent to processing for the Marketing purposes referred to in Article 3 of this information. This is the consent to the processing of data for Marketing Profiling Purposes and/or for Service Profiling purposes, also through the use of Cookies. If the interested party does not intend to give consent to the Processing for Profiling Purposes, there will be no profiling by the Company and no communication to third parties, and the data collected will be processed only and exclusively by the Company, where the user has provided the relevant Consent.

6. Use of profiling cookies, aimed at creating user profiles and sending advertising messages based on the preferences expressed by them.

This site www.gioiasi.com ("Site") DOES NOT use profiling cookies for the purposes of services referred to in art. 2 and for marketing purposes pursuant to art. 3 of this information.

7. Storage

Personal data will be stored in compliance with the principle of proportionality until the purposes of the processing have been pursued, and in any case for no more than 7 years from the termination of the relationship for the Service Purposes referred to in Article 2 and no more than 2 years from the collection of data for the Marketing purposes referred to in art. 3, or until the interested party revokes the specific consent, if earlier. The same applies to data subject to Profiling. Specific security measures are observed to prevent data loss, illicit or incorrect use and unauthorized access.

8. Rights of the interested party

As an interested party, the customer can exercise the rights provided and contemplated by the EU Privacy Regulation and more precisely: Right of rectification, right to be forgotten, right to limitation of treatment, right to data portability, right to object, as well as the right of complaint to the Guarantor Authority.

In particular:

Right of Revocation

Pursuant to Article 7 point 3 of the EU GDPR Regulation, the interested party can revoke his consent at any time, and has the right to do so with the same simplicity with which he granted it. Revocation does not affect the lawfulness of the processing based on consent before revocation.

Right of access and right of rectification

Article 15 of the EU Privacy Regulation establishes that the data subject has the right to request and obtain from the data controller access to personal data concerning him.

In particular, the interested party has the right to know:

  1. the purposes of the processing;
  2. the categories of personal data processed;
  3. the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular if they are recipients of third countries or international organizations;
  4. when possible, the retention period of the personal data provided or, if not possible, the criteria used to determine this period;
  5. the existence of the right of the interested party to ask the data controller to rectify or delete personal data or limit the processing of personal data concerning him or to oppose their treatment;
  6. the right to lodge a complaint with a supervisory authority;
  7. if the data are not collected from the data subject, all available information on their origin;
  8. the existence of an automated decision-making process, including profiling, and significant information on the logic used, as well as the importance and expected consequences of such processing for the data subject.

If personal data are transferred to a third country, the interested party has the right to be informed of the existence of adequate guarantees with respect to the protection provided in the third country.

In addition, the data controller provides digital access to the data subject to a copy of the personal data being processed and, in the event of a request for paper copies, the data controller may charge a reasonable fee for administrative costs.

As regards the right of rectification (Article 16 of the EU Regulation), the interested party has the right to obtain from the data controller, without undue delay, the correction of inaccurate data concerning him and, therefore, the integration of incomplete personal data.

Right to be forgotten

The right of cancellation (right to be forgotten) of the data subject's personal data, specifying the changes introduced by the EU privacy regulation on the subject.

Article 17 of the EU Regulation provides for the right of the interested party to obtain the cancellation of their personal data without undue delay, even after the withdrawal of consent to the processing.

Right to limitation of treatment

With the new EU Privacy Regulation, Article 18, the interested party has the right to obtain from the owner a limitation of the processing of their data when disputing the accuracy of personal data; when the processing is unlawful and if the interested party has opposed the processing, pursuant to Article 21, paragraph 1, of the Regulation, pending verification of the possible prevalence of the legitimate reasons of the data controller or of the rights of the interested party.

Furthermore, the right of limitation can be invoked in the event that the data controller no longer needs to keep the data for the purposes of the processing, but these may be necessary for the data subject to ascertain, exercise or defend a right in court. Therefore, if the processing is limited, the personal data of the data subject are processed, excluding storage, only with his consent. The limitation can be revoked and, in this case, the data controller must inform the data subject.

On the subject in question, a noteworthy recommendation emerges in the guidelines of the Privacy Guarantor, namely: "the right to limitation requires that personal data be 'marked' pending further determinations; therefore, it is advisable that the owners provide in their information systems (electronic or not) suitable measures for this purpose".

Right to data portability

This right, contemplated by Article 20 of the EU Privacy Regulation, allows the interested party to receive the personal data concerning him provided to a data controller in a structured format, commonly used and readable by an automatic device, so that he can transmit them to another data controller (such as, for example, a different service provider) without impediments on the part of the owner to whom he provided them. Exercising the right to portability must not affect the rights and freedoms of others. Personal data relating to the data subject are portable, therefore anonymous data is excluded. To be portable, the data must be processed through automated tools. Archives and paper records are therefore excluded.

Furthermore, only data processed with the consent of the interested party on the basis of a contract stipulated with the interested party are portable. The data must have been provided knowingly and actively by the interested party (such as, for example, the registration data entered by filling out an online form, i.e. username, age, email address, etc.).

Right to object to data processing

The interested party also enjoys the right to object.

Article 21 of the new Regulation governs this right, which by definition allows the interested party to object at any time, for reasons related to his particular situation, to the processing of personal data concerning him. Nothing has changed with respect to Directive 46/95/EC.

Paragraph 2 of the aforementioned article states that: "in the event that personal data are processed for direct marketing purposes, the interested party has the right to object at any time to the processing of personal data concerning him/her carried out for these purposes, including profiling to the extent that it is connected to this direct marketing purpose".

If personal data are processed for scientific or historical research purposes, the interested party has the right to object to the processing of personal data concerning him, except if the processing is necessary for the performance of a task of public interest (Article 21(6)).

Right to lodge a complaint with the Guarantor Authority

The interested party has the right to lodge a complaint with the Guarantor Authority as governed by Regulation 2016/679, in Chapter VIII ("Means of appeal, ...") - Articles 77 to 82.

9. How to exercise rights

You can exercise your rights at any time by sending:

  • a registered letter with return receipt (a.r.) to Tullio Cosentino - Via Spiaggia, 383 95016 Mascali (CT)
  • an e-mail to the address info@gioiasi.com

10. Owner, manager and appointees

The Data Controller is Tullio Cosentino.

The updated list of data processors and persons in charge of processing is kept at the registered office of the Data Controller.