Privacy Policy
AREA39 Srl – Privacy Policy
ON THE MATTER OF PROTECTION OF PERSONAL DATA IN ACCORDANCE WITH ART.12 et seq. EU REGULATION 679/2016
Area39 Srl is attentive to the aspects of personal data protection and respects the principles of privacy and dignity of individuals.
According to the new EU Regulation 679/2016 and in observance of the principle of accountability any processing of personal data must be lawful and fair. It must be transparent to individuals how personal data concerning them is collected, accessed, or otherwise processed, as well as the extent to which the same data is or will be processed.
The principle of transparency requires that information and communications related to the processing of such data be easily accessible and understandable and that simple and clear language be used.
This principle relates, in particular, to informing data subjects about the identity of the data controller and the purposes of the processing and further information (see Articles 13 and 14 of EU Regulation 679/2016) to ensure fair and transparent processing with regard to the natural persons concerned and their rights to obtain confirmation and communication of a processing of personal data concerning them (on this point see Recital 39, EU Regulation 679/2016).
Please review carefully the following statement.
Area39 Srl in its capacity as the Data Controller, in the person of the pro-tempore legal representative, pursuant to and for the purposes of EU Regulation 2016/679, hereby informs the interested party that the personal data assumed concerning him/her, acquired by the Data Controller or which will be subsequently requested and/or communicated by third parties, are necessary and will be used for the purposes indicated below.
PURPOSE AND LAWFULNESS OF THE PROCESSING
Pursuant to EU Regulation 679/2016, personal data:
– Are processed lawfully, fairly and transparently towards the data subject (Art. 5);
– The same are collected for specified, explicit and legitimate purposes, and subsequently processed in a manner that is not incompatible with those purposes (Art. 5);
The purposes for which the data are collected are as follows:
Pursuit of purposes instrumental to the information activities requested by you in the field of wine and newspaper in general.
Survey of the degree of satisfaction of the interested party on the quality of services rendered by the writer, including statistical analysis;
Data may be processed for the purpose of sending service communications, handling requests for clarification, reports and handling of complaints in relation to the contractual relationship established, as well as for its fulfillment.
The personal data provided by you for the sending of our Area39 Srl newsletters may be used for marketing purposes (i.e., merely by way of example, for the promotion of events, the sending of advertising campaigns, promotions and offers), on services offered by us and similar to those used by you, both by automated means, but also through traditional means. It is our legitimate interest to be able to provide you with such information.
MODALITIES OF PROCESSING AND OBLIGATION OF CONFIDENTIALITY
The processing of data is carried out through computer tools and/or paper media, by individuals committed to confidentiality, with logic related to the purposes and in any case in such a way as to ensure the security and confidentiality of the data. The data collected will not be disclosed and disseminated to third parties in accordance with the law.
COMMUNICATION TO THIRD PARTIES
Your personal data may be disclosed to third parties known to us only and exclusively for the above purposes and, especially, to the following categories of parties:
– External companies that perform services on our behalf;
– Entities and public administrations for legal fulfillments;
– Professionals who may be of support in legal fulfillments.
These subjects will process personal data as External Managers.
STORAGE TIMES
Pursuant to Article 5 of EU Regulation 679/2016, “Principles applicable to the processing of personal data,” personal data shall be stored in a form that permits the identification of data subjects for a period of time not exceeding the achievement of the purposes for which they are processed.
The personal data of the data subjects may also be kept for longer periods in compliance with the fulfillments related to the applicable legal regulations (by way of example in the field of accounting) and, in any case, by applying any technical-organizational measures suitable to activate mechanisms for anonymization of the data.
RIGHTS OF THE DATA SUBJECT
Pursuant to in current legislation, the data subject may assert his or her rights towards the Data Controller as expressed in EU Regulation 679/2016, namely:
RIGHT OF ACCESS
Art. 15
The data subject shall have the right to obtain from the data controller confirmation as to whether or not personal data concerning him or her are being processed and, if so, to obtain access to the personal data and the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, particularly if recipients in third countries or international organizations;
(d) when possible, the expected period of retention of personal data or, if this is not possible, the criteria used to determine this period;
(e) the existence of the data subject’s right to request from the controller the rectification or erasure of personal data or the restriction of the processing of personal data concerning him or her or to object to their processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the data are not collected from the data subject, all available information about their origin;
(h) the existence of an automated decision-making process, including profiling as referred to in Article 22(1) and (4), and, at least in such cases, meaningful information about the logic used, as well as the importance and the envisaged consequences of such processing for the data subject.
1. Where personal data are transferred to a third country or international organization, the data subject has the right to be informed of the existence of appropriate safeguards under Article 46 relating to the transfer.
2. The data controller shall provide a copy of the personal data being processed. In case of additional copies requested by the data subject, the data controller may charge a reasonable fee based on administrative costs. If the data subject makes the request by electronic means, and unless otherwise specified by the data subject, the information shall be provided in a commonly used electronic format.
The right to obtain a copy shall not infringe upon the rights and freedoms of others
RIGHT OF RECTIFICATION
Art. 16
The data subject has the right to obtain from the data controller the rectification of inaccurate personal data concerning him/her without undue delay. Taking into account the purposes of the processing, the data subject has the right to obtain the integration of incomplete personal data, including by providing a supplementary declaration.
RIGHT TO CANCELLATION
Article 17
1. The data subject shall have the right to obtain from the data controller the erasure of personal data concerning him or her without undue delay, and the data controller shall be obliged to erase the personal data without undue delay, if any of the following grounds exist:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws the consent on which the processing is based in accordance with Article 6(1)(a) or Article 9(2)(a) and if there is no other legal basis for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) and there is no overriding legitimate ground for processing, or objects to the processing pursuant to Article 21(2);
(d) personal data have been processed unlawfully;
(e) the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the data controller is subject;
(f) personal data have been collected in connection with the provision of information society services referred to in Article 8(1).
2. Where a data controller has made personal data public and is obliged under paragraph 1 to erase it, taking into account available technology and the costs of implementation it shall take reasonable measures, including technical measures, to inform data controllers who are processing personal data of the data subject’s request to erase any link, copy or reproduction of his or her personal data.
3. Paragraphs 1 and 2 shall not apply to the extent that the processing is necessary:
(a) for the exercise of the right to freedom of expression and information;
(b) for the performance of a legal obligation requiring processing laid down in Union or Member State law to which the data controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;
(c) for reasons of public interest in the field of public health in accordance with Article 9(2)(h) and (i) and Article 9(3);
(d) for archiving purposes in the public interest, for scientific or historical research or for statistical purposes in accordance with Article 89(1), insofar as the right referred to in paragraph 1 is likely to render impossible or seriously jeopardize the attainment of the objectives of such processing;
(e) for the establishment, exercise or defense of legal claims.
RIGHT TO LIMITATION OF PROCESSING
Art. 18
1. The data subject shall have the right to obtain from the data controller the restriction of processing when any of the following occurs:
(a) the data subject disputes the accuracy of personal data, for the period necessary for the controller to verify the accuracy of such personal data;
(b) the processing is unlawful and the data subject objects to the erasure of the personal data and instead requests that their use be restricted;
(c) although the data controller no longer needs the data for the purposes of the processing, the personal data are necessary for the data subject to establish, exercise or defend a legal claim;
(d) the data subject has objected to the processing pursuant to Article 21(1), pending verification as to whether the legitimate grounds of the data controller override those of the data subject.
2. Where processing is restricted pursuant to paragraph 1, such personal data shall be processed, except for storage, only with the consent of the data subject or for the establishment, exercise or defense of a legal claim or for the protection of the rights of another natural or legal person or for reasons of substantial public interest of the Union or a Member State.
3. A data subject who has obtained a restriction of processing pursuant to paragraph 1 shall be informed by the data controller before such restriction is lifted.
RIGHT TO DATA PORTABILITY
Art. 20
1. The data subject shall have the right to receive in a structured, commonly used and machine-readable format the personal data concerning him/her that he/she has provided to a data controller and shall have the right to transmit those data to another data controller without hindrance by the data controller to whom he/she has provided them where:
(a) the processing is based on consent within the meaning of Article 6(1)(a) or Article 9(2)(a) or on a contract within the meaning of Article 6(1)(b);
(b) the processing is carried out by automated means.
2. When exercising his or her rights in relation to data portability pursuant to paragraph 1, the data subject shall have the right to obtain the direct transmission of personal data from one controller to another, where technically feasible.
3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. This right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
4. The right referred to in paragraph 1 shall not affect the rights and freedoms of others.
RIGHT TO OBJECT TO PROCESSING
Article 21
1. The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her pursuant to points (e) or (f) of Article 6(1), including profiling on the basis of those provisions. The controller shall refrain from further processing the personal data unless he can demonstrate compelling legitimate grounds for processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her carried out for such purposes, including profiling insofar as it is related to such direct marketing.
3. Where the data subject objects to the processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
4. The right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information at the latest at the time of the first communication with the data subject.
5. In the context of the use of information society services and without prejudice to Directive 2002/58/EC, the data subject may exercise his/her right to object by automated means using specific techniques.
6. Where personal data are processed for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1), the data subject shall have the right, on grounds relating to his or her particular situation, to object to the processing of personal data relating to him or her, except where the processing is necessary for the performance of a task carried out in the public interest.
In addition to the aforementioned rights, the data subject has the right to withdraw consent upon appropriate request, as well as to lodge a complaint with the supervisory authority if required by law.
OWNER AND PRIVACY NOTICES
The Data Controller is Area39 Srl, with registered and operational office in Via Sarpi, 90 – 35138 Padova, and secondary office: loc. Querceta – 53024 Montalcino (Siena)
For any communication pursuant to the above-mentioned articles of EU Regulation 679/2016, the Data Controller provides the email address info@area39.org.
PROCEDURE
RIGHTS OF THE DATA SUBJECT
PURSUANT TO ARTICLES 15 TO 23 OF REGULATION 679/2016
The EU Data Protection Regulation 679/2016 provides among its cornerstones for the protection of the rights of the data subject in the processing of personal data.
These rights give the data subject control over the types of data used, the manner in which the data is processed and gives him or her the possibility to restrict such use, to object as well as to delete personal data in certain circumstances.
Corollary to these rights is the right to complain and to judicial protection in the event of infringements in connection with unauthorized or unlawful processing.
The purpose of this procedure is first to identify these rights, as well as to establish the timeframe in which they are to be acknowledged and how they can be exercised. Lastly, this document identifies the person responsible for responding to petitioners.
The purpose of this procedure is to facilitate the data subject within the meaning of Article 12(2) in exercising his or her rights.
RIGHTS OF THE DATA SUBJECT
Article 15
Right of access of the data subject
1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data relating to him are being processed and, if so, to obtain access to the personal data and to the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipients to whom the personal data have been or will be communicated, in particular if they are recipients in third countries or international organizations;
(d) where possible, the proposed period of retention of the personal data or, if this is not possible, the criteria used to determine that period;
(e) the existence of the right of the data subject to request from the controller the rectification or erasure of personal data concerning him/her or to object to the processing of personal data concerning him/her;
(f ) the right to lodge a complaint with a supervisory authority;
(g) where the data are not collected from the data subject, all available information on their origin;
(h) the existence of an automated decision-making process, including profiling as referred to in Article 22(1) and (4), and, at least in such cases, meaningful information on the logic used, as well as the importance and the envisaged consequences of such processing for the data subject.
2. Where personal data are transferred to a third country or an international organisation, the data subject shall have the right to be informed of the existence of appropriate safeguards in accordance with Article 46 relating to the transfer.
3. The controller shall provide a copy of the personal data undergoing processing.
In case of further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. If the data subject makes the request by electronic means, and unless otherwise specified by the data subject, the information shall be provided in a commonly used electronic format.
4. The right to obtain a copy referred to in paragraph 3 shall not infringe the rights and freedoms of others.
Rectification and cancellation
Article 16
Right of rectification
The data subject shall have the right to obtain from the controller the rectification of inaccurate personal data concerning him/her without undue delay. Having regard to the purposes of the processing, the data subject shall have the right to obtain the integration of incomplete personal data, including by providing a supplementary declaration.
Article 17
Right to erasure (‘right to be forgotten’)
1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him/her without undue delay and the controller shall be obliged to erase the personal data without undue delay, if any of the following grounds applies
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws the consent on which the processing is based in accordance with point (a) of Article 6(1) or point (a) of Article 9(2) and if there is no other legal basis for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) and there is no overriding legitimate ground for the processing, or objects to the processing pursuant to Article 21(2);
(d) the personal data have been unlawfully processed;
(e) the personal data must be erased in order to comply with a legal obligation laid down by Union or Member State law to which the controller is subject;
(f ) the personal data were collected in connection with the offering of information society services as referred to in Article 8(1).
2. Where the controller has made personal data public and is obliged under paragraph 1 to erase them, the controller shall, taking into account available technology and the costs of implementation, take reasonable steps, including technical measures, to inform the controllers who are processing the personal data of the data subject’s request to erase any link, copy or reproduction of his or her personal data.
3. Paragraphs 1 and 2 shall not apply to the extent that the processing is necessary
(a) for the exercise of the right to freedom of expression and information;
(b) for compliance with a legal obligation to which the processing is subject under Union or Member State law or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(c) for reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) and Article 9(3);
(d) for archiving in the public interest, scientific or historical research or statistical purposes in accordance with Article 89(1), in so far as the right referred to in paragraph 1 is likely to render impossible or seriously jeopardize the attainment of the objectives of such processing;
(e) for the establishment, exercise or defense of legal claims.
Article 18
Right of restriction of processing
1. The data subject shall have the right to obtain from the controller the restriction of processing when one of the following cases occurs:
(a) the data subject contests the accuracy of the personal data, for the period necessary for the controller to verify the accuracy of those personal data;
(b) the processing is unlawful and the data subject objects to the erasure of the personal data and requests instead that their use be restricted;
(c) although the controller no longer needs them for the purposes of the processing, the
personal data are necessary to the data subject for the establishment, exercise or defense of legal claims;
(d) the data subject has objected to the processing pursuant to Article 21(1), pending verification as to whether the legitimate reasons of the controller prevail over those of the data subject.
2. Where processing is restricted pursuant to paragraph 1, such personal data shall, except for storage, only be processed with the consent of the data subject or for the establishment, exercise or defense of legal claims or the protection of the rights of another natural or legal person or for reasons of substantial public interest of the Union or a Member State.
3. A data subject who has obtained a restriction of processing pursuant to paragraph 1 shall be informed by the controller before that restriction is lifted.
Article 19
Obligation to notify in case of rectification or erasure of personal data
or restriction of processing
The controller shall notify each recipient to whom the personal data have been transmitted of any rectification or erasure or restriction of processing carried out pursuant to Article 16, Article 17(1) and Article 18, unless this proves impossible or involves a disproportionate effort. The controller shall inform the data subject of such recipients if the data subject so requests.
Article 20
Right to data portability
1. The data subject shall have the right to receive, in a structured, commonly used and machine-readable format, personal data concerning him/her that he/she has provided to a data controller and shall have the right to transmit those data to another data controller without hindrance from the data controller to whom he/she has provided them where:
(a) the processing is based on consent within the meaning of Article 6(1)(a) or Article 9(2)(a) or on a contract within the meaning of Article 6(1)(b);
(b) the processing is carried out by automated means.
2. When exercising his/her rights with regard to data portability pursuant to paragraph 1, the data subject shall have the right to obtain the direct transmission of personal data from one controller to another, if technically feasible.
3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. This right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
4. The right referred to in paragraph 1 shall not affect the rights and freedoms of others.
Right to object and automated decision-making concerning natural persons
Article 21
Right to object
1. The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her pursuant to points (e) or (f ) of Article 6(1), including profiling on the basis of those provisions.
The controller shall refrain from further processing the personal data unless he demonstrates the existence of compelling legitimate grounds for processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.
2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him/her carried out for such purposes, including profiling insofar as it is related to such direct marketing.
3. Where the data subject objects to the processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
4. The right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information at the latest at the time of the first communication with the data subject.
5. In the context of the use of information society services and without prejudice to Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using specific techniques.
6. Where personal data are processed for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1), the data subject shall have the right, on grounds relating to his or her particular situation, to object to the processing of personal data relating to him or her, except where the processing is necessary for the performance of a task carried out in the public interest.
Article 22
Automated decision-making concerning natural persons, including profiling
1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or significantly affects him or her in a similar way.
2. Paragraph 1 shall not apply where the decision:
(a) is necessary for the conclusion or performance of a contract between the data subject and a data controller, which also lays down appropriate measures to protect the rights, freedoms and legitimate interests of the data subject;
(b) is authorized by Union law or by the law of the Member State to which the controller is subject;
(c) is based on the explicit consent of the data subject.
3. In the cases referred to in points (a) and (c) of paragraph 2, the controller shall implement appropriate measures appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, at least the right to obtain human intervention by the controller, to express his or her views and to contest the decision.
4. Decisions referred to in paragraph 2 shall not be based on the special categories of personal data referred to in Article 9(1), unless Article 9(2)(a) or (g) applies and appropriate measures are in place to protect the rights, freedoms and legitimate interests of the data subject.
Restrictions
Article 23
Limitations (C73)
1. The law of the Union or the law of the Member State to which the controller or processor is subject may, by means of legislative measures, restrict the scope of the obligations and rights provided for in Articles 12 to 22 and 34 and in Article 5, in so far as the provisions contained therein correspond to the rights and obligations provided for in Articles 12 to 22, where such a restriction respects the essence of fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
(a) national security;
(b) defense;
(c) public security;
(d) the prevention, investigation, detection and prosecution of criminal offenses or the execution of criminal penalties, including the safeguarding against and prevention of threats to public security;
(e) other important general public interest objectives of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary interests, budgetary and taxation matters, public health and social security;
(f ) safeguarding the independence of the judiciary and judicial proceedings;
(g) activities aimed at preventing, investigating, detecting and prosecuting breaches of ethics of the regulated professions;
(h) a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in the cases referred to in (a) to (e) and (g);
(i) the protection of the data subject or of the rights and freedoms of others;
(j) the enforcement of civil actions.
2. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions concerning at least, where appropriate:
(a) the purposes of the processing or the categories of processing;
(b) the categories of personal data;
(c) the scope of the limitations introduced;
(d) the safeguards to prevent misuse or unlawful access or transfer;
(e) the precise identification of the controller or categories of controllers;
(f ) the applicable storage periods and safeguards having regard to the nature, scope and purposes of the processing or categories of processing;
(g) the risks for the rights and freedoms of data subjects;
(h) the right of data subjects to be informed of the restriction, unless this would compromise the purpose of the processing.
Judicial protection
Regulation 679/2016 provides in its Chapter VIII for remedies to protect the data subject.
In particular Articles 77 (Right to lodge a complaint with the Supervisory Authority), Article 78 (Right to an effective judicial remedy against the Supervisory Authority) and Article 70 (Right to an effective judicial remedy against the controller or processor).
MODALITIES FOR EXERCISING RIGHTS AND REPLYING
The rights of the data subject may be exercised by email, pec, registered letter with return receipt.
The data controller, directly or through one of its appointees, shall provide the data subject with the information relating to the request submitted by the data subject without undue delay and, in any event, within 30 days of receipt of the request.
This period may be extended by a further 60 days if necessary, taking into account the complexity and number of requests. The data controller shall inform the data subject of this extension and of the reasons for the delay, within 30 days of receipt of the request. If the data subject submits the request by electronic means, the information shall be provided, where possible, by electronic means, unless otherwise specified by the data subject.
If the data controller does not comply with the data subject’s request, the data controller shall inform the data subject without delay, and at the latest within 30 days of receipt of the request, of the reasons for non-compliance and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
The information provided by the data subject and any communication and action taken are free of charge.
If the data subject’s requests are manifestly unfounded or excessive, in particular because of their repetitive nature, the controller may:
(a) charge a reasonable fee taking into account the administrative costs incurred in providing the information or communication or taking the requested action;
(b) refuse to comply with the request. The controller shall bear the burden of proving that the request is manifestly unfounded or excessive. Where the controller has reasonable doubts as to the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request further information necessary to confirm the identity of the data subject.
The Data Controller
Area39 Srl, with registered and operational office in Via Sarpi, 90 – 35138 Padua, and secondary office: loc. Querceta – 53024 Montalcino (Siena)