Requests for the Exercise of Data Subjects’ Rights
The purpose of this procedure is to define the tasks, responsibilities and operating procedures to be adopted when a request is submitted to the Data Controller by data subjects to exercise their rights in relation to the processing of personal data, carried out by or on behalf of Thema S.r.l.
The procedure applies:
- to all staff of Thema S.r.l., whether employees or collaborators;
- to requests relating to all categories of data, whether common or special;
- to requests from any data subject, regardless of their category (such as employees/collaborators, persons recorded by video surveillance, users/visitors of the website).
REFERENCE LEGISLATION
- Legislative Decree No. 196/2003 and subsequent amendments and supplements (Privacy Code);
- Regulation (EU) 2016/679 (GDPR).
ACRONYMS AND DEFINITIONS USED
| Term | Definition |
|---|---|
| GDPR | EU Regulation 2016/679 (General Data Protection Regulation). |
| Privacy Code (Legislative Decree 196/2003) | Personal Data Protection Code, as amended by Legislative Decree 101/2018. |
| Authority | Data Protection Authority. |
| Data controller | Thema S.r.l. |
| Data processor | External party processing personal data on behalf of the Controller (Art. 28 of the GDPR). |
| Contact person | Internal person appointed to handle requests for the exercise of personal data protection rights. |
| Personal data | Any information relating to an identified or identifiable natural person (data subject); an identifiable person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more features of his or her physical, physiological, genetic, mental, economic, cultural or social identity. |
| Processing | Any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
| Data subject | The identified or identifiable natural person to whom the personal data refer. |
RIGHTS OF DATA SUBJECTS
Pursuant to Articles 15 et seq. of the GDPR, data subjects may exercise the following rights with regard to their personal data held by Thema S.r.l.:
Art. 15 – Right of access by the data subject (Recitals 63, 64)
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, so that he or she can verify the lawfulness of the processing. Where that is the case, the data subject has the right to access the following information:
– the purposes of the processing;
– the categories of personal data concerned;
– the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
– where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period;
– the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject, or to object to such processing;
– the right to lodge a complaint with a supervisory authority;
– where the personal data are not collected from the data subject, any available information as to their source;
– the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
The right of access also entails the provision by the controller of a copy of the personal data undergoing processing.
The data controller must take all reasonable steps to verify the identity of the data subject requesting access.
Art. 16 – Right to rectification
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. The data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Art. 17 – Right to erasure (‘right to be forgotten’)
Recitals
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) the data subject withdraws the consent on which the processing is based;
c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing of his or her data for direct marketing purposes, including profiling insofar as it is related to such direct marketing;
d) the personal data have been unlawfully processed;
e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
f) the personal data have been collected in relation to the offer of information society services to minors.
Para. 3 of Art. 17 lists the limitations on the exercise of this right; they depend on the legal basis underlying the processing and legitimise both the retention of the data and their further processing.
The Data Controller may therefore reject a request for erasure where the processing is necessary:
– for exercising the right of freedom of expression and information;
– for compliance with a legal obligation, for reasons of public interest or in the exercise of official authority;
– for reasons of public interest in the area of public health;
– for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in so far as erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing;
– for the establishment, exercise or defence of legal claims.
Art. 18 – Right to restriction of processing
The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
d) the data subject has objected to processing pursuant to Article 21(1), pending the verification whether the legitimate grounds of the controller override those of the data subject.
Para. 2 provides that, notwithstanding the restriction, personal data may exceptionally still be processed with the data subject’s consent, for the establishment, exercise or defence of legal claims, for the protection of the rights of another person, or for reasons of relevant public interest.
Recital 67 sets out some practical ways of implementing the right to restriction:
– temporarily moving the selected data to another processing system (so that they are not available for normal processing activities);
– making the selected personal data unavailable to users (where the processing system so allows);
– temporarily removing published data from a website;
– in automated filing systems, ensuring restriction by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed (unless the data subject requests their erasure).
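The Recital 67 measures listed above can be enforced in software rather than by instruction alone. The following Python example is added here and is not part of the Thema S.r.l. procedure; the class and purpose names and the sample records are constructed assumptions. It moves a restricted record into a separate store so that normal processing can neither see nor change it, lets only the purposes still permitted under Art. 18(2) read it, and logs every decision so the outcome can be transcribed into the Register.

```python
"""Added example, not part of the Thema S.r.l. procedure: an in-memory
record store that applies the Recital 67 measures in code. Restricted
records are moved to a separate store, hidden from normal processing,
and refused changes; only the Art. 18(2) purposes may still read them.
Class names, purpose labels and the sample records are constructed."""
from copy import deepcopy
from enum import Enum


class Purpose(Enum):
    """Reason for accessing a record (constructed labels)."""
    NORMAL = "normal processing"               # blocked while restricted
    STORAGE = "storage"                        # always allowed, Art. 18(2)
    CONSENT = "data subject's consent"
    LEGAL_CLAIMS = "establishment, exercise or defence of legal claims"
    THIRD_PARTY_RIGHTS = "protection of the rights of another person"
    PUBLIC_INTEREST = "reasons of important public interest"


# Art. 18(2): processing of restricted data remains possible only for these.
PERMITTED_WHILE_RESTRICTED = {
    Purpose.STORAGE, Purpose.CONSENT, Purpose.LEGAL_CLAIMS,
    Purpose.THIRD_PARTY_RIGHTS, Purpose.PUBLIC_INTEREST,
}


class ProcessingRestricted(Exception):
    """Raised when a restricted record is used for a non-permitted purpose."""


class RecordStore:
    def __init__(self):
        self._active = {}      # records available to normal processing
        self._restricted = {}  # the separate "processing system" of Recital 67
        self.audit = []        # (event, subject_id, detail), kept for the Register

    def add(self, subject_id, data):
        self._active[subject_id] = deepcopy(data)
        self.audit.append(("add", subject_id, ""))

    def restrict(self, subject_id, ground):
        """Art. 18(1): move the record out of the normal processing path."""
        record = self._active.pop(subject_id)
        self._restricted[subject_id] = {"data": record, "ground": ground}
        self.audit.append(("restrict", subject_id, ground))

    def lift(self, subject_id, reason):
        """Art. 18(3): the data subject is informed before a restriction is lifted."""
        entry = self._restricted.pop(subject_id)
        self._active[subject_id] = entry["data"]
        self.audit.append(("lift", subject_id, reason))

    def is_restricted(self, subject_id):
        return subject_id in self._restricted

    def read(self, subject_id, purpose):
        """Return a copy of the record, or refuse if restricted for this purpose."""
        if subject_id in self._active:
            return deepcopy(self._active[subject_id])
        entry = self._restricted[subject_id]
        if purpose not in PERMITTED_WHILE_RESTRICTED:
            self.audit.append(("denied", subject_id, purpose.value))
            raise ProcessingRestricted(f"{subject_id}: {entry['ground']}")
        self.audit.append(("read", subject_id, purpose.value))
        return deepcopy(entry["data"])

    def update(self, subject_id, changes):
        """Recital 67: restricted data cannot be changed until the restriction is lifted."""
        if subject_id in self._restricted:
            self.audit.append(("denied-update", subject_id, ",".join(changes)))
            raise ProcessingRestricted(f"{subject_id}: record is restricted")
        self._active[subject_id].update(changes)
        self.audit.append(("update", subject_id, ",".join(changes)))

    def normal_view(self):
        """What a batch job or export sees: restricted subjects are simply absent."""
        return {k: deepcopy(v) for k, v in self._active.items()}


def demo():
    """Walk through a contested-accuracy restriction and return what was observed."""
    store = RecordStore()
    store.add("subj-001", {"name": "Sample Person", "email": "sample@example.invalid"})
    store.add("subj-002", {"name": "Other Person", "email": "other@example.invalid"})
    store.restrict("subj-001", "accuracy contested, Art. 18(1)(a)")
    visible = sorted(store.normal_view())
    try:
        store.read("subj-001", Purpose.NORMAL)
        normal_blocked = False
    except ProcessingRestricted:
        normal_blocked = True
    legal_copy = store.read("subj-001", Purpose.LEGAL_CLAIMS)
    try:
        store.update("subj-001", {"email": "new@example.invalid"})
        update_blocked = False
    except ProcessingRestricted:
        update_blocked = True
    store.lift("subj-001", "accuracy verified; data subject informed")
    store.update("subj-001", {"email": "corrected@example.invalid"})
    return {
        "visible_while_restricted": visible,
        "normal_read_blocked": normal_blocked,
        "legal_claims_read_name": legal_copy["name"],
        "update_blocked": update_blocked,
        "email_after_lift": store.read("subj-001", Purpose.NORMAL)["email"],
    }
```

The separation into two dictionaries is the point: a report or export that iterates over `normal_view()` cannot accidentally include a restricted subject, and the rectification requested under Art. 16 is applied only after the restriction has been lifted and the data subject informed. The `audit` list gives the entries the Register needs for the "action taken" column.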
Art. 20 – Right to data portability (Recitals 57, 68)
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
a) the processing is based on consent;
b) the processing is carried out by automated means.
This right does not apply to non-automated processing (paper files or registers), and it must not infringe the rights and freedoms of others.
Art. 21 – Right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her if the processing is necessary for:
– the performance of a task carried out in the public interest or in connection with the exercise of official authority vested in the data controller;
– the pursuit of the legitimate interest of the data controller, provided that the fundamental rights and freedoms of the data subject are not overridden;
– scientific or historical research or statistical purposes.
The burden of proving that the legal ground on which the processing is based overrides the interests or fundamental rights and freedoms of the data subject therefore lies with the data controller.
Recital 70 specifies that where personal data are processed for direct marketing purposes, the data subject should have the right, at any time and free of charge, to object to such processing, with regard to both initial and further processing, including profiling insofar as it is related to such direct marketing. This right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.
Art. 22 – Automated individual decision-making, including profiling
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. This right does not apply where the automated decision:
– is necessary for entering into, or performance of, a contract between the data subject and a data controller;
– is authorised by Union or Member State law to which the controller is subject;
– is based on the data subject’s explicit consent.
Such decisions are explicitly excluded for the special categories of data covered by Art. 9 of the GDPR (EU Reg. 2016/679), unless:
– the data subject has given his or her explicit consent to the processing of such personal data for one or more specific purposes;
– the processing is necessary for reasons of substantial public interest on the basis of Union or Member State law, which must be proportionate to the aim pursued, respect the essence of the right to data protection and provide for appropriate and specific measures to protect the fundamental rights and interests of the data subject.
ROLES AND RESPONSIBILITIES
The procedure applies to all employees and collaborators of Thema S.r.l. as well as to the Processors appointed pursuant to Article 28 of the GDPR. Compliance with this procedure is mandatory and requires the active involvement of the persons referred to above; consequently, they are required to give the Data Controller their fullest cooperation in complying with the current legislation on the protection of personal data.
STAGES OF THE PROCEDURE
SUBMISSION AND RECEIPT OF REQUEST
Requests to exercise rights may be received directly by the Data Controller or may be intercepted by third parties who, acting as Data Processors, are in direct contact with data subjects.
Requests may be submitted using the form “Model for the exercise of personal data protection rights” published in the relevant section of the institutional website, to be forwarded by email to the address indicated there. A copy of the applicant’s identity document must be attached to the request, on pain of inadmissibility (unless the request is digitally signed by the applicant). Every request is registered on receipt, so that the date of receipt used to calculate the deadlines is recorded.
The Internal Contact Person takes charge of the request and involves, as soon as possible, the Head of the organisational structure holding the data concerned or the Data Processor competent for the subject of the request.
As regards the person submitting them, requests must concern information relating to natural persons held by Thema S.r.l.; the data subject exercising a right must therefore be identified, so that the request can be properly investigated.
EVALUATION OF THE REQUEST
The Data Controller shall carry out the assessment of the request submitted by the data subject, with a view to verifying the merits of the request and taking the necessary actions to process the request. Should the assessment of the request reveal reasonable doubts as to the identity of the natural person making the request, the Data Controller shall without delay inform the data subject, who shall provide proof of his/her identity.
RETRIEVAL OF DATA AND PERFORMANCE OF OPERATIONS REQUESTED BY THE DATA SUBJECT
If the request is deemed well-founded, the Data Controller shall identify the organisational structure involved and ensure the necessary involvement of the Designated Subjects and/or Data Processors who hold the data covered by the request. Once the existence of the data contained in the request has been verified, the operations required under Articles 15 to 22 of the GDPR will be carried out (e.g. rectification, integration, deletion). In the event that legal or regulatory provisions do not permit compliance with the request, the appropriate reasons will be provided and the data subject will be informed accordingly.
FEEDBACK TO THE DATA SUBJECT
Pursuant to Article 12(3) of the GDPR, the controller shall provide information on the action taken on a request to the data subject without undue delay and in any event within one month of receipt of the request, even if the answer is negative. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests; the controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. If the controller does not take action on the request, it shall inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
The answer must be concise, transparent and intelligible, and drafted in simple and clear language. The mode of response must take into account the channel indicated by the data subject in the request. In the case of a request to exercise the right to data portability under Article 20 of the GDPR, the reply must attach the data in electronic format according to the standard explained in the ‘Guidelines on the right to data portability’ adopted by the Article 29 Working Party and available at www.garanteprivacy.it/regolamentoue/portabilita.
Pursuant to Article 12(2) of the GDPR, where data are processed for a purpose that does not require, or no longer requires, the identification of the data subject, the Data Controller may not refuse to act on the data subject’s request to exercise his or her rights, unless the Data Controller demonstrates that it is unable to identify the data subject. In that case, the rights may only be exercised once the data subject provides further information enabling him/her to be identified.
COSTS FOR MANAGING REQUESTS
Operations concerning the handling of requests to exercise the rights recognised by the GDPR shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request, as provided for in Article 12(5) of the GDPR.
The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
ARCHIVING OF DOCUMENTATION
Documentation relating to requests by data subjects to exercise their rights is kept by the data controller.
NOTIFICATION REGARDING RECTIFICATION OR ERASURE OF PERSONAL DATA OR RESTRICTION OF PROCESSING
The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
The communication to such recipients shall be made by the Data Controller within one month of the rectification, erasure or restriction operation carried out on the data. The Controller must record these operations in the Register of requests to exercise the rights of data subjects. If the data subject has so requested, the Controller shall inform him/her of the recipients to whom the personal data concerning him/her have been transmitted.
REGISTER OF REQUESTS TO EXERCISE DATA SUBJECTS’ RIGHTS
The Data Controller documents requests for the exercise of data subject rights by keeping an up-to-date internal Register. The Register of Requests for the Exercise of Data Subjects’ Rights (see 02P_PR-14.1-00 Registro Richieste Diritti Interessati) shall contain the following information:
- sequential number;
- date of receipt of the request;
- assigned protocol number;
- name of the applicant;
- name of the interested party (if different from the applicant);
- description of the request;
- organisational structures or databases involved;
- action taken with regard to the request;
- references of acknowledgement note to data subject (date and protocol);
- notes and comments.
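The Register fields above, together with the Article 12(3) deadlines from the feedback stage, can be kept as a small data structure that computes the due dates itself instead of leaving them to be worked out by hand. The following Python example is added here and is not part of the Thema S.r.l. procedure; the end-of-month rule used to add "one month" to a date, the protocol number format and the sample entries are constructed assumptions that the procedure does not specify.

```python
"""Added example, not part of the Thema S.r.l. procedure: a minimal Register
of requests with the Art. 12(3) deadlines derived from the date of receipt.
Field names follow the register above. The end-of-month rule used for
"one month", the protocol format and the sample entries are constructed
assumptions, not something the procedure specifies."""
import calendar
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


def add_months(day, months):
    """Same calendar day `months` later, clamped to the last day of that month
    (constructed rule: 31 January + 1 month -> 28 or 29 February)."""
    index = day.month - 1 + months
    year, month = day.year + index // 12, index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(day.day, last_day))


@dataclass
class RightsRequest:
    progressive_no: int
    received_on: date                   # registration date that starts the clock
    protocol_no: str
    applicant: str
    description: str
    data_subject: Optional[str] = None  # only if different from the applicant
    structures_involved: List[str] = field(default_factory=list)
    action_taken: str = ""
    reply_reference: str = ""           # date and protocol of the reply note
    notes: str = ""
    extended: bool = False
    closed_on: Optional[date] = None

    @property
    def extension_notice_due(self):
        """Any extension must be notified within one month of receipt."""
        return add_months(self.received_on, 1)

    @property
    def response_due(self):
        """One month from receipt, or three months if extended (1 + 2)."""
        return add_months(self.received_on, 3 if self.extended else 1)

    def extend(self, today, reason):
        """Record a two-month extension; refused once the notice deadline has passed."""
        if today > self.extension_notice_due:
            raise ValueError("extension must be notified within one month of receipt")
        self.extended = True
        self.notes += f"extension notified on {today.isoformat()}: {reason}; "

    def close(self, today, action, reply_reference):
        self.closed_on = today
        self.action_taken = action
        self.reply_reference = reply_reference

    def is_overdue(self, today):
        return self.closed_on is None and today > self.response_due


class RightsRegister:
    def __init__(self):
        self._entries = []

    def record(self, received_on, applicant, description, data_subject=None):
        """Register a request; the sequential number and protocol are assigned here."""
        number = len(self._entries) + 1
        entry = RightsRequest(
            progressive_no=number,
            received_on=received_on,
            protocol_no=f"DSR-{received_on.year}-{number:04d}",  # constructed format
            applicant=applicant,
            description=description,
            data_subject=data_subject,
        )
        self._entries.append(entry)
        return entry

    def overdue(self, today):
        return [e for e in self._entries if e.is_overdue(today)]

    def due_within(self, today, days):
        """Open entries whose response deadline falls in the next `days` days."""
        return [e for e in self._entries
                if e.closed_on is None and 0 <= (e.response_due - today).days <= days]


def demo():
    """Constructed walk-through: one access request and one extended erasure request."""
    reg = RightsRegister()
    access = reg.record(date(2024, 1, 31), "A. Sample", "Art. 15 access request")
    erasure = reg.record(date(2024, 1, 15), "B. Sample", "Art. 17 erasure request",
                         data_subject="C. Sample")
    erasure.extend(date(2024, 2, 10), "data held by two processors")
    return {"access_due": access.response_due, "erasure_due": erasure.response_due,
            "overdue_on_1_march": [e.progressive_no for e in reg.overdue(date(2024, 3, 1))]}
```

Two details are worth noting. A request received on 31 January cannot be due on "31 February", so the example clamps to the last day of the month and marks that choice as its own assumption; whichever rule the Controller adopts should be applied consistently. The extension is refused in code once the one-month notice window has passed, which mirrors the requirement that the data subject be told about the extension, and its reasons, within one month of receipt.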