REQUEST FOR THE EXERCISE OF DATA SUBJECTS’ RIGHTS
Privacy Policy information
This page describes how the site https://www.thema-med.com/ is managed with reference to the processing of personal data of users who consult it. This is the information provided pursuant to art. 13 of the 2016/679 European Regulation to those who interact with the company’s web services. The information identifies some minimum requirements for the collection of personal data online, and, in particular, the methods, times and nature of the information that the data controllers must provide to users when they connect to web pages, regardless of the purposes of the connection.
THE OWNER OF THE TREATMENT
The data controller is Thema Srl with registered office in via Saragat, 5 – 40026 Imola (BO), VAT number 02770361208, email info@thema-med.com.
PLACE OF DATA PROCESSING
The processing connected to the web services of this site takes place at the registered office and is handled only by technical staff of the office in charge of processing, or by persons occasionally appointed for maintenance operations. No data deriving from the web service is communicated or disseminated. The personal data provided by users who submit requests to send information material are used for the sole purpose of performing the service or provision requested.
TYPES OF DATA PROCESSED
− Navigation data: the computer systems and software procedures used to operate this website acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This is information that is not collected to be associated with identified interested parties, but which by their very nature could, through processing and association with data held by third parties, allow users to be identified. This category of data includes the IP addresses or domain names of the computers used by users who connect to the site, the URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response. These data are used only to obtain anonymous statistical information on the use of the site and to check its correct functioning and are deleted immediately after processing. The data could be used to ascertain responsibility in case of hypothetical computer crimes against the site: except for this possibility, the data on web contacts do not persist for more than seven days.
− Data provided voluntarily by the user: the optional, explicit and voluntary sending of electronic mail to the addresses indicated on this site entails the subsequent acquisition of the sender’s address, necessary to respond to requests, as well as any other personal data included in the message. Specific summary information will be progressively reported or displayed on the pages of the site set up for particular services on request.
USE OF COOKIES
With regard to the methods of use of cookies, please refer to the additional and specific “extended information” (Cookie Policy) published on this site and drawn up on the basis of the Provision of 8 May 2014 issued by the Italian Guarantor for the protection of personal data, as amended by Provision n. 231 of June 2021, which integrates and completes this document.
OPTIONAL SUPPLY OF DATA
Apart from what is specified for navigation data, the user is free to provide personal data or not. Failure to provide them may make it impossible to obtain what is requested.
METHODS OF PROCESSING
Personal data are processed with automated tools for the time strictly necessary to achieve the purposes for which they were collected. Specific security measures are observed to prevent data loss, illicit or incorrect use and unauthorized access.
TRANSFERS TO THIRD COUNTRIES
Personal data may be transferred to foreign countries of the European Union or non-EU and transmitted to private companies and institutional bodies for purposes related to the services requested and for the needs of territorial jurisdiction. The data is sent for cross-border processing, according to the principles of necessity, limited to the strictly necessary information. Data transfer takes place exclusively under the following conditions:
• Countries covered by adequacy decisions pursuant to art. 45 GDPR 679/16 EU;
• in the absence of adequacy decisions, the processing, with reference to Art. 46 GDPR 678/16 EU, takes place after agreement with the recipient of the data in compliance with binding clauses and corporate rules in accordance with article 47; standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93 (2);
• in the absence of adequate guarantees, the Data Controller, pursuant to art. 49 GDPR 679/16 EU, if the transfer is necessary to fulfill contractual and / or legal obligations, it communicates the data by preparing all the technical-organizational security measures such as, where possible, minimization, pseudonymisation of the data, verification of the reliability of the recipient.
RIGHTS OF INTERESTED PARTIES
The subjects to whom the personal data refer have at any time the right to request access to the data and their correction, the cancellation of the same, the limitation of processing, the right to oppose their processing, in addition to the right to the portability of the data; they also have the right to lodge a complaint with the supervisory authority. Requests should be addressed to the Data Controller. CONTACT DETAILS:
− a registered letter with return receipt to Thema Srl via Saragat, 5 – 40026 Imola (BO), VAT number 02770361208
− an e-mail to info@thema-med.com
− company website https://www.thema-med.com/
This constitutes the “Privacy Policy” of this site which will be subject to updates.
Cookies information
PREMISE
This Cookie Policy has been drafted and customized specifically for the site https://www.thema-med.com/ owned by Thema Srl based in via Saragat, 5 – 40026 Imola (BO), VAT number 02770361208, email info@thema-med.com. This Policy was drawn up on the basis of the provision of the Guarantor for the protection of personal data no. 229 of 8 May 2014 “Identification of the simplified procedures for the information and the acquisition of consent for the use of cookies” and New provision no. 231 of 10 June 2021 “Guidelines for cookies and other tracking tools”. It integrates and updates other information already present on the site and / or previously issued by the company, in combination with which it provides all the elements required by art. 13 of EU Regulation 2016/679.
IMPORTANT NOTICE
All third parties are informed that the use of this information, or even only some parts of it, on other websites in reference to which it would certainly be irrelevant and / or incorrect and / or incongruent, may lead to the infliction of heavy sanctions by the Guarantor Authority for the protection of personal data.
WHAT ARE COOKIES
In practical and non-technical terms, the cookie can be considered a tracking system consisting of a small file, stored by the website in the user’s device while browsing, used with the aim of saving the preferences shown during navigation and to improve the performance of the website, optimizing the browsing experience. In technical terms, cookies are defined as text strings (generally formed by the combination of letters and numbers) that the websites (so-called first parties) visited by the user or different sites / web servers (so-called third parties) place and store, directly and / or indirectly, within a terminal device (PC, tablet, smartphone, etc.) that is available to the user. The servers for internet browsing or for device operation can store cookies and then retransmit them to the same sites that generated them, in view of a subsequent visit by the same user. Specifically, these tracking tools allow the Site to recognize a particular device or browser.
TYPES OF COOKIES AND RELATED PURPOSES
Cookies can be classified into:
• Technical cookies used for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary for the provider of an information society service explicitly requested by the contractor or by the user to provide this service, as required by art. 122 paragraph 1 of the Privacy Code. These types of cookies do not require the acquisition of consent by the user but must be indicated in the cookie policy.
• Profiling cookies used to link specific actions or behavioral patterns to specific, identified or identifiable subjects in order to allow the owner to modulate the provision of the service in a more personalized way and to send advertising messages in line with the preferences expressed by the user during the navigation.
• Analytics cookies installed on the user’s terminal by managers of the visited site or third-party sites. Third-party cookies, mainly having analysis purposes, mostly derive from the Google Analytics functions. You can get more information on Google Analytics by clicking on the following link: http://www.google.it/intl/it/analytics. In any case, cookies do not allow the data subject to be identified and are intended to refer to the single device or single application in order to avoid tracking the user’s browsing data. Analytics cookies can be treated in the same way as technical cookies, and therefore regardless of the user’s consent, under the following conditions:
- The use is limited to the production of aggregate statistics that can be used in relation to the site visited by the user;
- With reference to the so-called third-party analytics cookies, the fourth part of the IP address being tracked must be masked;
- With regard to the so-called third-party analytics cookies, the third party must be prevented from using the analytics cookies in combination with other processing or transmitting them to other third parties.
APPLICABLE LAW
For the use of cookies and other technical tracking tools, the data controller is subject to the sole obligation to provide specific information to the interested party. With regard to cookies and other tracking tools for purposes other than technical ones, their use is permitted only after obtaining the user’s informed consent, which must be expressed with an unequivocal act pursuant to Recital 32.
CONSENT ACQUISITION MECHANISM
The data controller guarantees the mechanism for acquiring consent through the presentation of a banner when the user first accesses the site.
The banner contains:
- Information on the site’s use of technical cookies with a link to the privacy policy and cookie policy.
- Button that allows consent to be accepted.
- Button that allows user to deny consent.
- Button that allows you to configure cookie settings/preferences. The latter leads to a further band where you can select and customise your ‘privacy settings’.
In the event that the user does not consent to the use of cookies and other tracking tools, and in the event that the user has chosen to give consent only for the use of certain cookies, the choice is recorded and no longer solicited, except in the following cases:
- when one or more conditions of the processing significantly change
- when it is impossible for the site operator to know whether a cookie has already been stored in the device
- when at least 6 months have elapsed since the previous presentation of the banner.
COOKIES USED – RETENTION TIMES – PURPOSE – TRANSFER OF DATA TO THIRD PARTIES
COOKIE NAME | PURPOSES | TYPE OF COOKIE | DURATION | SOURCE | USE |
caosLocalGa_gid | Technical | THIRD PARTIES | Persistent (6 mos) | daan.dev | Proximisation data collection Google |
caosLocalGa | Technical | THIRD PARTIES | Persistent (6 mos) | daan.dev | Proximisation data collection Google |
_gat_gtag_UA_159442970_1 | Analytics | THIRD PARTIES | Persistent (6 mos) | Collection of site usage statistics | |
_ga_328542626 | Analytics | THIRD PARTIES | Persistent (6 mos) | Collection of site usage statistics | |
__utma, __utmb, __utmc, __utmt, __utmz, _ga, _gat, _gid | Analytics | THIRD PARTIES | Persistent (6 mos) | Collection of site usage statistics | |
wp-wpml_current_language | Technical | THIRD PARTIES | Persistent (6 mos) | WordPress WPML | Multilingual WordPress session |
wordpress_sec_33c34e59393546f5737d9c90263722d5 | Technical | THIRD PARTIES | Persistent (6 mos) | WordPress | WordPress usage session |
BROWSER SETTINGS
We also inform you that the user can configure, freely and at any time, his privacy parameters in relation to the installation and use of cookies, directly through his navigation program (browser) following the relative instructions.
In particular, the user can set the so-called “private navigation”, thanks to which his navigation program interrupts the saving of the history of the sites visited, any passwords entered, cookies and other information on the pages visited.
We warn that in the event that the user decides to disable all cookies (including those of a technical nature), the quality and speed of the services offered by this website could drastically deteriorate and access to some sections of the site could be lost.
RIGHTS OF INTERESTED PARTIES
We inform you that, as an interested party in the processing, you may exercise the following rights:
Right of access pursuant to art. 15 of EU Reg. 2016/679: the interested party has the right to obtain confirmation as to whether or not personal data concerning them is being processed and, in this case, to obtain, among other things, access to their personal data and to information concerning the purposes of the processing, the categories of personal data in question, the recipients or categories of recipients to whom the personal data have been or will be communicated.
Right of rectification pursuant to art. 16 of the Regulation: − rectification of inaccurate personal data concerning you without undue delay − integration of your personal data, if incomplete.
Right to cancellation (“right to be forgotten”) pursuant to art. 17 of the Regulation: deletion of personal data concerning you without undue delay.
Right to limitation of treatment pursuant to art. 18 of the Regulation: limitation of processing in the following cases:
- the data subject disputes the accuracy of the personal data, for the period necessary for the data controller to verify the accuracy of such personal data;
- the processing is unlawful and the interested party opposes the cancellation of personal data and requests instead that its use be limited;
- although the data controller no longer needs it for processing purposes, personal data are necessary for the data subject to ascertain, exercise or defend a right in court;
- the interested party opposed the processing pursuant to article 21, paragraph 1, pending verification of the possible prevalence of the legitimate reasons of the data controller with respect to those of the interested party
Right to data portability pursuant to art. 20 of the Regulation: it is possible to receive in a structured format, commonly used and readable by an automatic device, the personal data concerning you and in our possession;
Right to transmit such data to another data controller without impediments by the data controller to whom it provided them in the cases referred to in Article 20 of the Regulation.
Right of opposition pursuant to art. 21 of the Regulation, for processing carried out pursuant to article 6, paragraph 1, letters e) or f): opposition, at any time, for reasons connected with your particular situation, to the processing of personal data concerning you, including profiling.
The aforementioned requests may be addressed to the Data Controller.
Requests can be sent via:
- a registered letter with return receipt to Thema Srl via Saragat, 5 – 40026 Imola (BO)
- email to info@thema-med.com
Furthermore, in the event that it is believed that the processing has been carried out in violation of the legislation on the protection of personal data, the right to lodge a complaint with the Guarantor Authority for the protection of personal data, Piazza Venezia, 11 – 00187 – Rome is recognized.
Contact Form Information
PREMISE
Pursuant to art. 13 of Regulation (EU) 2016/679, Thema Srl with registered office in via Saragat, 5 – 40026 Imola (BO), VAT number 02770361208, email info@thema-med.com, as Data Controller, informs users of the processing of personal data deriving from the compilation of the contact form.
DATA CONTROLLER
The data controller is Thema Srl with registered office in via Saragat, 5 – 40026 Imola (BO), VAT number 02770361208, email info@thema-med.com
INTERESTED
Users of internet services who are interested in contacting the data controller and who register through the contact form.
DATA PROCESSED
The data processed are those entered in the contact form, namely identification data such as name, surname and company, and contact data such as telephone and personal email. The data collected are only those strictly necessary for the requested fulfillment, in accordance with the principle of minimization enshrined in Art. 5 of the European Regulation.
The data provided will be processed by the owner in order to contact the user as requested by the data controller.
PURPOSE OF THE PROCESSING
The personal data entered in the registration form, sent by choice of the user and voluntarily will be used to respond to the requests submitted by the user or in order to fulfill the contact requested by the form itself. The computer systems of this process provide for the use of e-mail configured in a manner that guarantees the confidentiality and integrity of the information.
NATURE OF THE PROVISION AND LEGAL BASIS OF THE PROCESSING
The provision of data is mandatory in order to fulfil the user’s request. The legal basis of the processing is found in art. 6 lett. b) of the EU Reg. 679/2016: the execution of pre-contractual measures adopted at the request of the interested party.
METHODS OF PROCESSING
The data processing is carried out through IT procedures or in any case telematic means and paper supports by subjects, internal or external, specifically appointed and authorized to do so and committed to confidentiality. The data are processed and stored with suitable tools to guarantee their security, integrity and confidentiality through the adoption of adequate security measures as required by law.
RETENTION TIMES
The data will be kept for 2 years from the transmission of the contact request.
COMMUNICATION, DISSEMINATION, TRANSFER
The data collected will not be disclosed, sold or exchanged with third parties without the express consent of the interested party, except for any communications to authorized third parties – committed to confidentiality or in the case appointed as data processors pursuant to art. 28 of Regulation (EU) 2016/679. The complete and updated list of data processors is available, upon request, through the methods indicated in this information. The data may be communicated to the competent authorities, according to the terms of the law.
Personal data may be transferred to foreign countries of the European Union or non-EU and transmitted to private companies and institutional bodies for purposes related to the services requested and for the needs of territorial jurisdiction. The data is sent for cross-border processing, according to the principles of necessity, limited to the strictly necessary information. Data transfer takes place exclusively under the following conditions:
- Countries covered by adequacy decisions pursuant to art. 45 GDPR 679/16 EU;
- in the absence of adequacy decisions, the processing, with reference to Art. 46 GDPR 678/16 EU, takes place after agreement with the recipient of the data in compliance with binding clauses and corporate rules in accordance with article 47; standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93 (2);
- in the absence of adequate guarantees, the Data Controller, pursuant to art. 49 GDPR 679/16 EU, if the transfer is necessary to fulfill contractual and / or legal obligations, it communicates the data by preparing all the technical-organizational security measures such as, where possible, minimization, pseudonymisation of the data, verification of the reliability of the recipient.
RIGHTS OF INTERESTED PARTIES
At any time, the interested parties have the right to access their personal data, to request its correction, updating and relative cancellation. It is also possible to oppose the processing and request its limitation.
The aforementioned requests may be addressed to Thema Srl based in via Saragat, 5 – 40026 Imola (BO), VAT number 02770361208, email info@thema-med.com. Furthermore, in the event that it is believed that the processing has been carried out in violation of the legislation on the protection of personal data, the right to lodge a complaint with the Guarantor Authority for the protection of personal data, Piazza Venezia, 11 – 00187 – Rome is recognized.
Information Newsletter subscription form
PREMISE
Pursuant to Article 13 of Regulation (EU) 2016/679, Thema S.r.l. with headquarters in via Saragat, 5 – 40026 Imola (BO), P. Iva 02770361208, email info@thema-med.com
DATA CONTROLLER
The data controller is Thema S.r.l. with headquarters in via Saragat, 5 – 40026 Imola (BO), P. Iva 02770361208, email info@thema-med.com
INTERESTED PARTIES
Users of Internet services interested in subscribing to the newsletter.
DATA PROCESSED
The data processed are personal identification data such as first name, last name and contact data such as institutional email address necessary to send regulatory updates.
PURPOSE OF PROCESSING
The purpose of the processing is to receive regulatory updates regarding products and services offered by the data controller.
NATURE OF PROVISION AND LEGAL BASIS FOR PROCESSING
The provision of data is optional. Any refusal to provide the data does not entail any negative consequences, but results in the inability of the data controller to process requests to send the newsletter. The legal basis of the processing is found in the legitimate interest of the data controller, pursuant to Art. 6 letter f) of Reg. Eu. 679/2016.
MODALITIES OF THE PROCESSING
The processing of data is carried out through computer procedures or telematic means and paper media by persons, internal or external, specially appointed, authorized and committed to confidentiality. The data are processed and stored with appropriate tools to ensure their security, integrity and confidentiality through the adoption of appropriate measures as required by law.
STORAGE TIMES
The data will be kept in a form that allows identification of the data subject for two years after enrollment, it being understood that upon revocation using the opt-out technique, the Data Controller will proceed to delete the data subject’s data.
COMMUNICATION, DISSEMINATION, TRANSFER
The data collected will not be disseminated, sold or exchanged with third parties without the express consent of the data subject, except for any communication to authorized third parties – committed to confidentiality or in the case appointed as data controllers ex art. 28 of Regulation (EU) 2016/679. The complete and updated list of data processors can be found, upon request, through the modalities indicated in this information notice. The data may be communicated to the competent authorities, according to the terms of the law.
There are no plans to transfer the data outside the European Union.
RIGHTS OF DATA SUBJECTS
At any time, data subjects have the right to access their personal data, to ask for its rectification, updating and relative deletion. It is also possible to object to the processing and request its limitation.
The aforementioned requests can be addressed to Thema S.r.l. with headquarters in via Saragat, 5 – 40026 Imola (BO), P. Iva 02770361208, email info@thema-med.com
In addition, in the event that you believe that the processing has been carried out in violation of the legislation on the protection of personal data, you have the right to lodge a complaint with the Guarantor Authority for the Protection of Personal Data, Piazza Venezia, 11 – 00187 – Rome.
Mail information for the site
The content of the e-mails is to be considered confidential. Therefore, the information contained in them or in any attachments is reserved exclusively for the recipients. Persons or subjects other than the recipients themselves, also pursuant to art. 616 of the Criminal Code, are not authorized to read, copy, modify or disseminate the message to third parties. Anyone who receives our communication by mistake must not use it or make it known to anyone, but must delete it from their inbox and notify the sender. The authenticity of the sender and the contents are not guaranteed, except for digitally signed documents.
All the e-mail boxes of the domain “[…]@thema-med.com” are company mailboxes and, as such, are used for communications in the workplace. Therefore, for needs connected with the operational activity, any message can be read by the entire office to which the sender belongs. At any time, the interested parties have the right to access their personal data, to request its correction, updating and relative cancellation. It is also possible to oppose the processing and request its limitation.
Furthermore, in the event that it is believed that the processing has been carried out in violation of the legislation on the protection of personal data, the right to lodge a complaint with the Guarantor Authority for the protection of personal data, Piazza Venezia, 11 – 00187 – Rome is recognized.
Information Work with us
PREMISE
Thema Srl based in via Saragat, 5 – 40026 Imola (BO), VAT number 02770361208, email info@thema-med.com, as Data Controller of personal data pursuant to art. 4 and 13 of EU Regulation 2016/679 informs you that it will process your personal data manually and / or with the support of computerized means exclusively to evaluate your application for the purpose of a possible future establishment of an employment relationship with the Society. We invite you to indicate in your CV only information that is relevant to the position for which you intend to apply, and which is not strictly personal and private in nature.
TYPE OF DATA
The data processed are identification data such as name and surname, contact details such as personal emails and any other information present in the attached Curriculum vitae. These include information relating to:
1. educational qualifications, professional experience, skills, abilities and competences essential to fill the role you have chosen or for any position that we will propose to you;
2. the owner may also process particular data ex. Art. 9 of EU Regulation 679/2016 relating to his person for the purposes strictly necessary for the recruitment if it is essential for the procedure itself.
PURPOSE OF THE PROCESSING
Your data will be processed in order to carry out personnel selection activities. The processing is necessary to respond to your application or to offer you, at a later time, a new proposal if your profile is deemed appropriate to our needs.
LEGAL BASIS OF THE PROCESSING
The legal basis for the processing of data is represented by the fulfillment of pre-contractual obligations as identified by art. 6 lett. b) of the EU Regulation, as well as by the legitimate interest of the data controller.
DATA RECIPIENTS
The data may be disclosed to employees and collaborators of the Data Controller who will be able to process your data in compliance with the instructions given by the Data Controller.
Your personal data may be processed by third parties who collaborate with the Data Controller for the same purposes. These subjects may, depending on the case, operate as independent data controllers or specifically appointed data processors.
DATA TRANSFER
Personal data are not transferred to countries outside the European Union or outside the EU.
DATA RETENTION
The personal data you provide will be kept for the time strictly necessary to pursue the purposes highlighted and in any case for a period not exceeding 24 months: at the expiry of this term, your data will be deleted.
RIGHTS OF THE INTERESTED PARTY
Pursuant to articles 13, paragraph 2, and from 15 to 21 of the Regulations, we inform you that with regard to the processing of your personal data, you may exercise the following rights:
1. Right to obtain access to personal data and the following information:
• confirmation as to whether or not personal data is being processed;
• the purposes of the processing;
• the categories of personal data;
• the recipients or categories of recipients to whom the personal data have been or will be disclosed;
• if the data are not collected from the interested party, all the information available on their origin;
• the existence of an automated decision-making process, including profiling;
• a copy of the personal data being processed.
2. Right of rectification and integration of personal data;
3. Right to delete data (“right to be forgotten”) if one of the following reasons exists:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the interested party revokes the consent to the processing of data and there is no other legal basis for the processing;
- the interested party opposes the processing and there is no legitimate overriding reason to proceed with the processing;
- the personal data have been unlawfully processed;
- personal data must be deleted to fulfill a legal obligation under the law of the Union or of the Member State to which the data controller is subject.
The data controller, if he has made personal data public and is obliged to delete them, must inform the other owners who process the personal data of the request to delete any link, copy or reproduction of his data.
4. Right to limitation of processing in the event that:
- the interested party contests the accuracy of the personal data, for the period necessary for the data controller to verify the accuracy of such personal data;
- the processing is unlawful and the interested party opposes the cancellation of personal data and requests instead that its use be limited;
- although the data controller no longer needs them for processing purposes, the personal data are necessary for the data subject to ascertain, exercise or defend a right in court;
- the interested party opposed the processing, pending verification of the possible prevalence of the legitimate reasons of the data controller with respect to those of the interested party.
5. Right to lodge a complaint with the Guarantor for the protection of personal data, following the procedures and indications published on the official website of the Authority www.garanteprivacy.it.
6. Right to data portability of the interested party or the right to receive in a structured format, commonly used and readable by an automatic device, the personal data concerning him provided to a data controller and possibly transmit them to another data controller, if the processing is based on consent or on a contract and is carried out by automated means. Where technically possible, the interested party has the right to obtain the direct transmission of data from one data controller to another.
7. Right to object at any time to the processing of personal data, including profiling, in particular in the event that:
- the processing takes place on the basis of the legitimate interest of the owner, after explaining the reasons for the opposition;
- personal data are processed for direct marketing purposes.
8. Right not to be subjected to a decision based solely on automated processing, including profiling, except in cases where the decision: is necessary for the conclusion or execution of a contract between the data subject and a data controller, is authorized by the law of the Union or of the Member State to which the data controller is subject or is based on the explicit consent of the data subject.
The exercise of the rights is not subject to any formal constraint and is free.
HOW TO EXERCISE THE RIGHTS
The interested party may exercise the rights at any time by sending:
• a registered letter with return receipt to Thema Srl via Saragat, 5 – 40026 Imola (BO)
• email to info@thema-med.com
Requests for the Exercise of Data Subjects’ Rights
FOREWORD
PURPOSE
The purpose of this procedure is to define the tasks, responsibilities and operating procedures to be adopted when a request is submitted to the Data Controller by data subjects to exercise their rights in relation to the processing of personal data, carried out by or on behalf of Thema S.r.l.
The procedure applies:
- to all employees of Thema S.r.l., regardless of whether they are employees or collaborators;
- to requests relating to all categories of data, regardless of whether common or special;
- to requests from any interested party, regardless of their category (such as employees/collaborators, subjects of video surveillance footage, users/visitors of the website).
REGULATORY REFERENCES
- Legislative Decree No. 196/2003 and subsequent amendments and supplements (Privacy Code);
- Regulation (EU) 2016/679 (GDPR).
ACRONYMS AND DEFINITIONS USED
GDPR | EU Regulation 2016/679 (General Data Protection Regulation). |
Code D.lgs. 196/2003 | Personal Data Protection Code as amended by Legislative Decree 101/2018. |
Authority | Data Protection Authority. |
Data controller | Thema S.r.l. |
Data processor | External party processing personal data on behalf of the Controller (Art. 28 of the GDPR). |
Contact person | Internal person appointed to handle requests for the exercise of personal data protection rights. |
Personal data | Any information relating to an identified or identifiable natural person (data subject); an identifiable person is a natural person who can be identified, directly or indirectly, by reference in particular to an identifier such as a name, an identification number, location data, an online identifier or to one or more features of his or her physical, physiological, genetic, mental, economic, cultural or social identity. |
Processing | Any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
Interested party | The identified or identifiable natural person to whom the personal data refer. |
RIGHTS OF THE INTERESTED PARTIES
Pursuant to Articles 15 et seq. of the GDPR, data subjects may exercise the following rights with regard to their personal data held by Thema S.r.l:
Art. 15 – Right of access by the data subject
Recitals 63, 64 |
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed to enable it to verify the legitimacy of the treatment. The data subject has the right to request access to the following information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; the right to lodge a complaint with a supervisory authority; where the personal data are not collected from the data subject, any available information as to their source; the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. The right of access allows the controller to provide a copy of the personal data undergoing processing.
The data controller must take all reasonable steps to verify the identity of the data subject requesting access. |
Art. 16 – Right to rectification
Recital 65 |
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. The data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement. |
Art. 17 – Right to erasure (‘right to be forgotten’)
Recitals 15, 16, 17, 18, 19, 20, 21 |
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; b) the data subject withdraws consent on which the processing is based; c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing, or objects to the processing of their data for direct marketing purposes, including profiling insofar as it is related to such direct marketing; d) the personal data have been unlawfully processed; e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; f) the personal data have been collected in relation to the offer of information society services to minors.
Para. 3 of Art. 17 lists the limitations to the exercise of the right, which are based on the legal basis underlying the processing and thus legitimise both data retention and further processing. The Data Controller may therefore reject the request for erasure if the processing is necessary: – for exercising the right of freedom of expression and information; – for compliance with a legal obligation, for reasons of public interest or in the exercise of public authority; – for reasons of public interest in the area of public health; – for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; – for the establishment, exercise or defence of legal claims. |
Art. 18 – Right to restriction of processing
Recital 67 |
The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
a) The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject. Para. 2 provides that, in certain cases, notwithstanding the restriction of processing, personal data may exceptionally be processed in cases of: the data subject’s consent or for the establishment, assertion of rights in court; protection of the rights of another person; relevant public interest. Recital 67 sets out some practical ways to implement the right to limitation: – temporarily moving the selected data to another processing system (so as not to make them available for normal treatment activities); – making the selected personal data unavailable to users (where the processing is configured as follows); – or temporarily removing published data from a website; – in automated filing systems, the restriction of processing should in principle be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed (if the interested party does not request its deletion). |
Art. 20 – Right to data portability
Recitals 57, 68 |
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
a) the processing is based on consent; b) the processing is carried out by automated means. This right does not apply with regard to non-automated processing (paper files or registers). However, this right must not infringe the rights and freedoms of others. |
Art. 21 – Right to object
Recitals 69, 70 |
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her if the processing is necessary for:
– the performance of a task carried out in the public interest or in connection with the exercise of official authority vested in the data controller; – the pursuit of the legitimate interest of the data controller, provided that the fundamental rights and freedoms of the data subject are not overridden; – scientific or historical research or statistical purposes. The burden of proving that the legal ground on which the processing is based overrides the interests or fundamental rights and freedoms of the data subject therefore lies with the data controller. Recital 70 specifies that where personal data are processed for direct marketing purposes, the data subject should have the right, at any time and free of charge, to object to such processing, with regard to both initial and further processing, including profiling insofar as it is related to such direct marketing. This right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information. |
Art. 22 – Automated individual decision-making, including profiling
Recitals 71, 72 |
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. This right does not apply when the automated decision:
– is necessary for entering into, or performance of, a contract between the data subject and a data controller; – is authorised by Union or Member State law to which the controller is subject; – is based on the data subject’s explicit consent. These decisions are explicitly excluded for special data covered by Art. 9 EU Reg. 679/2016, unless: – the data subject has given his or her explicit consent to the processing of such personal data for one or more specific purposes; – processing is necessary for reasons of substantial public interest on the basis of Union or Member State law, which must be proportionate to the aim pursued, respect the essence of the right to data protection and provide for appropriate and specific measures to protect the fundamental rights and interests of the data subject. |
ROLES AND RESPONSIBILITIES
The procedure applies to all employees and collaborators of Thema S.r.l. as well as to the Processors appointed pursuant to Article 28 of the GDPR. Compliance with this procedure is mandatory and the solicitation and active involvement of the persons referred to is required. Consequently, they are required to provide the Data Controller with the utmost cooperation in complying with the provisions of the current legislation on the protection of personal data.
STAGES OF THE PROCEDURE
SUBMISSION AND RECEIPT OF REQUEST
Requests to exercise rights may be received directly by the Data Controller or may be intercepted by third parties who, acting as Data Processors, are in direct contact with data subjects.
Requests may be exercised by using the appropriate form “Model for the exercise of personal data protection rights” published in the appropriate section of the institutional website, to be forwarded by email to the address indicated. A copy of the applicant’s identity document must be attached to the request, under penalty of inadmissibility (unless the request is digitally signed by the applicant). The request is always subject to registration, in order to give it the date of receipt useful for calculating deadlines.
The Internal Contact Person takes charge of the request and involves, as soon as possible, the Head of the organisational structure holding the data subject to processing or the Data Processor having competence in relation to the subject of the request.
From a subjective point of view, requests must refer to information relating to “natural persons” held by Thema S.r.l. In fact, the data subject exercising a right must be identified, for the purposes of the most correct investigation of requests.
EVALUATION OF THE REQUEST
The Data Controller shall carry out the assessment of the request submitted by the data subject, with a view to verifying the merits of the request and taking the necessary actions to process the request. Should the assessment of the request reveal reasonable doubts as to the identity of the natural person making the request, the Data Controller shall without delay inform the data subject, who shall provide proof of his/her identity.
RETRIEVAL OF DATA AND PERFORMANCE OF OPERATIONS REQUESTED BY THE DATA SUBJECT
If the request is deemed well-founded, the Data Controller shall identify the organisational structure involved and ensure the necessary involvement of the Designated Subjects and/or Data Processors who hold the data covered by the request. Once the existence of the data contained in the request has been verified, the operations required under Articles 15 to 22 of the GDPR will be carried out (e.g. rectification, integration, deletion). In the event that legal or regulatory provisions do not permit compliance with the request, the appropriate reasons will be provided and the data subject will be informed accordingly.
FEEDBACK TO THE DATA SUBJECT
Pursuant to Article 12(3) of the GDPR, the controller shall provide information on action taken on a request to the data subject without undue delay and in any event within one month of receipt of the request even if the answer is negative. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. The answer must be formulated in a concise, transparent, intelligible form and drafted in simple and clear language. The mode of response must take into account the channel indicated by the person concerned in the request. In the event of a request to exercise the right to data portability under Article 20 of the GDPR, this must be done by attaching the data in electronic format according to the standard explained in the ‘Guidelines on the right to data portability’ – adopted by the Article 29 Working Party and available at www.garanteprivacy.it/regolamentoue/portabilita.
Pursuant to Article 12(2) of the GDPR, in the case of data processing carried out for a purpose that does not require, or no longer requires, the identification of the data subject, the Data Controller may not refuse to comply with the data subject’s request, for the purpose of exercising his or her rights, unless the Data Controller proves that he or she is unable to identify the data subject. In the latter case, the rights may only be exercised when the data subject provides further information enabling him/her to be identified.
COSTS FOR MANAGING REQUESTS
Operations concerning the handling of requests to exercise rights recognised by the GDPR shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request, as provided for in Article 12(5) of the GDPR.
The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
ARCHIVING OF DOCUMENTATION
Documentation relating to requests by data subjects to exercise their rights is kept by the data controller.
NOTIFICATION REGARDING RECTIFICATION OR ERASURE OF PERSONAL DATA OR RESTRICTION OF PROCESSING
The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
The communication to such persons shall be made by the Data Controller, within a period of one month from the time of the rectification and/or erasure operation carried out on the data or restriction of processing. The Controller must record these operations in the Register of requests to exercise the rights of data subjects. If the data subject has so requested, the Controller shall provide evidence of the entities to which the personal data concerning him/her have been transmitted.
REGISTER OF REQUESTS TO EXERCISE DATA SUBJECTS’ RIGHTS
The Data Controller documents requests for the exercise of data subject rights by preparing an up-to-date internal Register. The Register of Requests for the Exercise of Data Subjects’ Rights (see 02P_PR-14.1-00 Registro Richieste Diritti Interessati) shall contain the following information:
- sequential number;
- date of receipt of the request;
- assigned protocol number;
- name of the applicant;
- name of the interested party (if different from the applicant);
- description of the request;
- organisational structures or databases involved;
- action taken with regard to the request;
- references of acknowledgement note to data subject (date and protocol);
- notes and comments.