POLICY STATEMENT
REGARDING THE PROTECTION OF PERSONAL INFORMATION PURSUANT TO ART. 12 and ff. REGULATION (EU) 679/2016
Pursuant to new Regulation 679/2016, in deference to the principle of accountability any handling of personal information should be lawful, correct and transparent. These principles imply that the person concerned should be informed of the existence and the purpose of the said information and of the rights s/he may exercise.
From this perspective the Data Controller shall supply the person concerned with the information necessary in order to ensure the correct use in deference to the principle of accountability.
We hereby request that you read the following policy statement from this viewpoint.
Stazione Leopolda S.r.l. with head office in Via Faenza, 113 – Florence, in its capacity as the Data Controller, in the person of the pro-tempore legal representative, pursuant to and as an effect of Regulation (EU) 2016/679, informs the person concerned herewith that the personal information collected acquired by the Data Controller or that may subsequently be requested and/or passed on by third parties, is necessary and shall be used for the purposes indicated below.
The personal information shall, generally speaking, consist of personal data or company names or e-mail addresses or telephone numbers.
PURPOSES OF DATA HANDLING
The personal information collected shall be used in order to inform you about our events, fairs, exhibitions and our initiatives in general.
The personal information handled does not require your consent. In fact the handling of your personal information is necessary for the pursuit of the legitimate interest of Stazione Leopolda S.r.l. to inform you about our initiatives.
You shall, in any case, be free to request your cancellation from our mailing list at any time by writing to: privacy@stazione-leopolda.com
METHOD OF HANDLING AND CONFIDENTIALITY OBLIGATION
The personal information shall be handled using IT tools and/or paper mediums by subjects who are committed to discretion, applying a reasoning that is connected to the purposes stated and in any case in order to guarantee the safety and confidentiality of the information.
The personal information collected shall not be circulated or distributed to third parties in accordance with the law.
PASSING ON OF INFORMATION TO THIRD PARTIES
Your personal information shall only and exclusively be passed on to third parties known to us for the purposes stated above and, in particular, to the following subject categories:
- External companies and Professionals carrying out services on our behalf (in the capacity of duly nominated external Managers);
- Institutions and Public Administration bodies for the fulfillment of any necessary legal requirements.
STORAGE TIMES
The personal information of the persons concerned shall be stored for the amount of time necessary for executing the existing relationship between the parties and fulfilling the relevant obligations, confirming the retention of the same in accordance with current law, and it shall be deleted upon the expiry of the same.
RIGHTS OF THE PERSON CONCERNED
Pursuant to current regulations the person concerned may exercise his/her rights vis-à-vis the Data Controller, as expressed by Regulation 679/2016, i.e.:
- Right of access (art. 15);
- Right of correction (art. 16);
- Right of deletion (art. 17);
- Right to restrict handling (art. 18);
- Right to data portability (art. 20);
- Right to oppose handling (art. 21);
- Right to withdraw consent;
- Right to lodge a complaint with the controlling Authority.
The individual rights of the person concerned are detailed below.
RIGHT OF ACCESS - art. 15
The person concerned shall have the right to obtain from the Data Controller confirmation of whether or not his/her personal information is being handled and if it is, to obtain access to the personal data and the following information:
- a) the purposes of the data handling;
- b) the categories of personal information in question;
- c) the recipients or categories of recipients to whom the personal information has been or will be passed on, in particular where the recipients are in third countries or are international organizations;
- d) the expected period of retention of the personal information where possible or, where this is not possible, the criteria used to determine this period;
- e) the existence of the right of person concerned to request that the Data Controller corrects or deletes the personal information or restricts the handling of the personal information concerning the same or to oppose the handling of the same;
- f) the right lodge a complaint with a controlling Authority;
- g) in the event that the data has not been collected from the person concerned, all the information available about its origins;
- h) the existence of an automated decisional process, including the profiling as per article 22, paragraphs 1 and 4 and, in such cases at least, significant information regarding the reasoning used, as well as the importance and consequences envisaged of the said handling for the person concerned.
In the event that the personal information has been transferred to a third party country or an international organization, the person concerned shall have the right to be informed of the existence of adequate guarantees related to the transfer pursuant to article 46.
The Data Controller shall provide a copy of the personal information being handled. In the case that additional copies are requested by the person concerned, the Data Controller may charge a reasonable contribution to the expenses based on the administrative costs. If the person concerned presents the request using electronic methods and unless otherwise indicated by the person concerned, the information shall be provided in a commonly used electronic format.
The right to obtain a copy shall not prejudice the rights and freedoms of others.
RIGHT OF CORRECTION - art. 16
The person concerned shall have the right to obtain the correction by the Data Controller of inaccurate personal information concerning the same without any unjustified delay. Taking into account the purposes of the data handling, the person concerned shall have the right to obtain the integration of incomplete personal information, also providing a supplementary statement.
RIGHT OF DELETION - art. 17
- The person concerned shall have the right to obtain from the Data Controller the deletion of the personal information concerning the same without any unjustified delay and the Data Controller shall be obliged to delete the personal information without any unjustified delay, in the presence of one of the following grounds:
- a) the personal information is no longer necessary for the purposes for which it was collected or otherwise handled;
- b) the person concerned withdraws the consent on which the handling is based in compliance with article 6, paragraph 1, letter a), or article 9, paragraph 2, letter a), and where no other legal basis exists for handling the same;
- c) the person concerned opposes the handling pursuant to article 21, paragraph 1, and no prevailing legitimate reason exists for proceeding to handle the data, or if the same opposes the handling pursuant to article 21, paragraph 2;
- d) the personal information has been handled illicitly;
- e) the personal information has to be deleted in order to comply with a legal obligation required by the law of the Union or the Member State to which the Data Controller is subject;
- f) the personal information was collected in relation to the offering of services by the information company as per article 8, paragraph 1.
- Where the Data Controller has made personal information public and is obliged to delete the same pursuant to paragraph 1, taking into account the technology available and the costs of implementation, it shall adopt reasonable – including technical – measures to inform the Data Controllers handling the personal information of the request of the person concerned to delete any links, copies or reproductions of the said personal information.
- Paragraphs 1 and 2 shall not apply in the event that the data handling is necessary:
- a) in order to exercise the right to freedom of expression and information;
- b) to fulfill a legal obligation that requires the handling envisaged by the law of the Union or of the Member State to which the Data Controller is subject or for the execution of a duty carried out in the public interest or the exercising of public powers of which the Data Controller is invested;
- c) for reasons of public interest in the state health sector in compliance with article 9, paragraph 2, letters h) and i), and article 9, paragraph 3;
- d) for the purposes of filing in the public interest, for scientific or historic research or for statistical purposes in compliance with article 89, paragraph 1, to the extent which the right cited in paragraph 1 risks making the attainment of the objectives of such handling impossible or seriously prejudiced; or
- e) for verifying, exercising or defending a right in a judicial venue.
RIGHT TO RESTRICT HANDLING - art. 18
- The person concerned shall have the right to obtain from the Data Controller the restriction of the handling should one of the following possible situations occur:
- a) the person concerned contests the accuracy of the personal information, for the period necessary for the Data Controller to verify the accuracy of the said personal information;
- b) the handling is illicit and the person concerned opposes the deletion of the personal information and instead requests that its use be restricted;
- c) although the Data Controller no longer has any need for the same for handling purposes, the personal information is necessary to the person concerned for verifying, exercising or defending a right in a judicial venue;
- d) the person concerned is opposed to the handling pursuant to article 21, paragraph 1, whilst awaiting the verification of the possible prevalence of the legitimate grounds of the Data Controller with respect to those of the person concerned.
- Where the handling is restricted in accordance with paragraph 1, such personal information shall only be handled, with the exception of the purposes of data retention, with the consent of the person concerned or for verifying, exercising or defending a right in a judicial venue or in order to protect the rights of another natural or legal person or for significant reasons of public interest of the Union or of a Member State.
- The person concerned who has obtained the restriction of data handling in accordance with paragraph 1 shall be informed by the Data Controller before the said restriction is revoked.
RIGHT TO DATA PORTABILITY - art. 20
- The person concerned shall have the right to receive the personal information concerning the same supplied to a Data Controller in a commonly used structured format which is legible from an automatic device and shall have the right to transmit this information to another Data Controller without any impediment by the Data Controller providing the same where:
- a) the handling is based on consent pursuant to article 6, paragraph 1, letter a), or article 9, paragraph 2, letter a), or on a contract pursuant to article 6, paragraph 1, letter b); and
- b) the handling is carried out using automated equipment.
- In exercising his/her rights concerning data portability in accordance with paragraph 1, the person concerned shall have the right to obtain the direct transmission of the personal information from one Data Controller to another, if technically feasible.
- The exercising of the right cited in paragraph 1 of this article shall not compromise article 17. This right shall not be applicable in the case of handling that is necessary for executing a duty of public interest or connected with the exercising of the public powers of which the Data Controller is invested.
- The right cited in paragraph 1 shall not prejudice the rights and freedoms of others.
RIGHT TO OPPOSE HANDLING - art. 21
- The person concerned shall have the right to oppose, at any time, for reasons connected with his/her particular situation, the handling of the personal information regarding the same pursuant to article 6, paragraph 1, letters e) or f), including profiling based on these provisions. The Data Controller shall abstain from further handling of the personal information unless the same demonstrates the existence of legitimate binding grounds for proceeding with the handling that prevail over the interests, rights and freedoms of the person concerned or for verifying, exercising or defending a right in a judicial venue.
- In the event that the personal information is handled for the purposes of direct marketing, the person concerned shall have the right to oppose at any time the handling of the personal information regarding the same carried out for such purposes, including profiling, to the extent to which it is connected with the said direct marketing.
- In the event that the person concerned opposes the handling for the purposes of direct marketing, the personal information shall no longer be the object of handling for such purposes.
- The right cited in paragraphs 1 and 2 shall be explicitly brought to the attention of the person concerned and shall be presented clearly and separately from any other information upon the first communication with the person concerned at the latest.
- Within the context of the utilization of services of the information company and with the exception of directive 2002/58/EC, the person concerned may exercise his/her right of opposition with automated equipment that uses specific technology.
- In the event that the personal information is handled for the purposes of scientific or historic research or for statistical purposes in accordance with article 89, paragraph 1, the person concerned shall have the right to oppose the handling of the personal information regarding the same for reasons connected with his/her particular situation unless the handling is necessary for the execution of a duty of public interest.
In addition to the rights cited above, the person concerned shall have the right to lodge a complaint with the controlling authority according to the law.
DATA CONTROLLER AND PRIVACY COMMUNICATIONS
The Data Controller is Stazione Leopolda S.r.l., with head office in Florence, Via Faenza, 113.
The Data Controller shall make the following address available for all communications regarding the above articles of Regulation (EU) 2016/679: privacy@stazione-leopolda.com
Florence, 25 May 2018