PERSONAL DATA PROCESSING DISCLOSURE

Transcription

1 PERSONAL DATA PROCESSING DISCLOSURE This legal text has been licensed to Landoor s.r.l. only for publication on this website. Any copy, change, update and sending of the text to subjects other than the users, or any replication on websites or apps, even if belonging to the licensee, Landoor, is not authorized by the licensor. 1: INTRODUCTION This disclosure should not be considered as a complete text in its own right; rather it supplements and completes the other texts in the Service and in particular the Browsing Terms and Conditions ( and the Disclosure on Personal Data Processing by means of the use of cookies ( assets/attachments/cookie%20policy.pdf). This disclosure will seek to explain to the user who processes the data pertaining to the data subject (hereinafter in this disclosure also referred to as the User ), how this is done, what data is involved and what are his/her rights and how they can be exercised. For specific clarification, if the user does not understand or does not consider the information included in the disclosure to be sufficient, please write to: info@landoor.com. 2: IMPORTANT INFORMATION ABOUT PERSONAL DATA What is meant by personal data? Names and surnames are personal data; more specifically, they are simple identifying data and above all this is not the only personal data on the user. There are also other items: and company. But this is not all: as personal data is information referring to a natural person, the very contents of the communications sent to Landoor or the contents of any attachments to an initial send by the user to Landoor, may include personal data, i.e. information, about the user or third parties. Writing, for example, in an initial communication that a translation is required within the scope of your own profession equates to providing Landoor in any case with personal data, or information. Personal data is all that relating to natural persons (and, therefore, in the case of the form included in this service: name, surname and only if it is the personal address used by the author and not that generally assigned to the company, such as, for example, info@stasafty.com). What does data processing actually mean? The legal definition of processing includes any operation or set of operations concerning the collection, recording, organization, keeping, interrogation, elaboration, modification, selection, retrieval, comparison, utilization, interconnection, blocking, communication, dissemination, erasure and destruction of data. In practical terms, therefore, everything that can be done with the user s data, is processing. Collecting or reading data, for example, or consulting it, therefore also constitutes processing. Why is it important for the user? Data tells us who the user is, what he/she does, likes and does not like. It pertains to the user him/herself and it is important to note, therefore, that as his/her property, he/she has the right to decide whether or not to allow third parties to process it and how this may be done. According to this data, he/she may be sent advertising that can clearly influence his/her consumptions and choices. This is therefore important. Why is it important for Landoor and its partners? It is important because it allows us to provide the service requested. Additionally, as already stressed, data is important because it reveals

2 who the user is and what they need. 3: WHO PROCESSES THE DATA? The Data Controller is the subject that makes the decisions as to how the data is processed and, therefore - amongst others - what precautions should be taken to protect it, where it should be stored (on servers or the cloud, etc.), what data should be requested of the user, what should be processed and to what end, which and to whom it should be transferred, how to manage relations with and the rights of users, who to choose as collaborator, supervisor or simple person in charge of the processing, what instructions to give to collaborators, etc. For this website, the Data Controller is: Landoor S.r.l., società Unipersonale, via Copernico 38, Milan VAT no. and tax code Economic and Administrative Index (REA) MI , capital paid-in, as per the last financial statements: Euro 10,000 (ten thousand). Tel.: info@landoor.com Certified landoor@legalmail.it In order to supply the service, Landoor also uses the collaboration of third parties, as appointed representatives or mostly as processing supervisors and, in particular: Palmabit Srl, with registered office in Montichiari (BS), at Via Oscar Romero 5, for the technical management of the website service Sinapto Srl, with registered office at Via Vincenzo Viviani 8, Milan: this is a service allocated in Italy for the management of the website hosting service (linked website: see the definition at the start of the Browsing Terms): to process requests sent generically to Landoor, but which require a specific competence of the linked website. By way of example, in order to submit an application to work as collaborator with Landoor, a link is used from this website to the linked website and this is then handled by it to ensure a reply. 3/a: TO WHOM IS THE DATA DISCLOSED (OR WHO CAN ACCESS IT)? Landoor discloses the personal data to the above subjects in different ways and for different purposes: Palmabit Srl: access is granted to the database for the management and technical maintenance of the service only Sinapto Srl: the service is used to host the website hosted at hosting-milano Please note that landoor.com does not send any user s data to the linked website; it merely forwards it on. The entry of data into the linked website will be regulated by its own logics and policies. In addition to these, the data may be disclosed to subjects collaborating in the fiscal (for example, company accountant), administrative or operative management of the services supplied to users. 4: WHERE DOES PROCESSING TAKE PLACE? Landoor srl processes the personal data at its offices in Milan and at the corresponding foreign offices (UK, Germany and France, see point 4 of the Terms and Conditions).

3 The personal data, as regards Landoor, is allocated in a SINAPTO server in Milan. The third parties used by Landoor (Palmabit and Sinapto) process personal data at its offices in Europe (Italy). 5: WHAT DATA IS PROCESSED? According to the significant quality of data, we can identify: - Identifying data: name, surname, and company. - Content data: the information that can be assumed or read from the content of the communications sent by the user to Landoor.com. For example, if the text of the communication specifies profession, telephone or also subject of the service for which information is requested, information, i.e. personal data, is disclosed to Landoor. - Analytical statistical data: this is data made anonymous and aggregated. A sort of survey obtained from the joining of data as conferred above. They may have technical or statistical meaning and Landoor processes it to statistically establish the effectiveness of the website. 6: WHY IS IT PROCESSED? Landoor.com processes users data to communicate with them or to process requests they submit to the service. More specifically, it may also use third parties, and in particular linked websites or services, to help process requests (which may even be for information only, quotations, etc.). To this end, the following data is processed: name, surname, address, address, telephone number, VAT number and bank details. The data is also processed for marketing purposes pertaining to Landoor and, therefore, to convey information or commercial proposals relative to related services in any case coming under the showcase of services present on the Landoor.com website (please note that these related services in any case come under the Landoor group). 7: HOW IS THE DATA CONFERRED (BY THE USER)? All data is conferred by the user. Name, surname, , company and contents are, in fact, that written in the form to mail or sent to Landoor. The user must enter truthful data (as regards identifying data). In addition to the data conferred by the user when filling in the form or sending the to Landoor, there is also data that can be obtained from the system by analyzing the contents of the letter written or attached by the user. This is the data that the user actively confers, even if potentially without considering it, but if processed, it may take on different, greater value that he/ she believes insofar as it can be used to summarize, profile and classify him/her. To date, however, Landoor does not perform any form of profiling. If it should decide to start profiling, it will specifically disclose this, if necessary obtaining due consent. 8: WHAT DATA IS COMPULSORY AND WHAT IS OPTIONAL (AND WHAT ARE THE CONSEQUENCES OF REFUSAL TO PROVIDE THE DATA)? Only data relating to user identification, i.e. name and surname (needed to identify him/her) and contact data ( address, which may, however, be the company address, such as info@domainname.it), used to contact the user and process his/her requests, is compulsory. Failure to confer this data (i.e. name and surname and ) will make it impossible to use the service as it prevents identification of the sender and, accordingly, any reply. Data relating to the company is optional. Finally, there is physiological data: that defined above as contents data. In this regard, it is impossible to discriminate between compulsory and optional insofar as it is formed as the natural

4 consequence of the writing of the message contents. 9: HOW DOES PROCESSING TAKE PLACE? Data is collected and processed using electronic instruments. It is hosted on a server in the EU, with the application of https protocol security systems. It is protected by means of data encryption and other security measures that, to avoid being more easily overcome, are not listed in this document. Only persons duly authorized to do so and who have been assigned individual authentication credentials, can access and process the data. 10: FOR HOW LONG IS IT PROCESSED? Data is processed for as long as it is necessary for the purpose for which it was conferred; this is without prejudice to any legal storage obligations (for example ten-year storage of communications of a fiscal or commercial nature, see amongst others, Italian Presidential Decree 600/1973). In order to process the request submitted by by the user, the data will be processed until completion of the provision requested, save for the above obligation to store communications: for example, in the event of a request for quotation, data will be processed until the client has refused the quotation or - if accepted - until the service contracted pursuant to the precontractual quotation, has been completed. If required legally, such as, for example, for tax purposes or to enable the identification of the user in the event of crimes, it will be stored for the time required by the related laws. Finally, data that is processed on the basis of user consent will be processed for as long as said consent contains, in connection with a given processing (remember that consent can always be modified and revoked). It is important to know that Landoor.com can manage and control only data stored and processed under the scope of its own system; any data transferred or disclosed to third parties will be processed autonomously by the third parties to whom it is disclosed, in accordance with their privacy policies. In any case, if Landoor should cease processing the personal data of a user, it will notify the cessation to the subjects to whom the data is disclosed, but cannot guarantee the cessation of processing by the latter. 11: WHAT IS THE LEGAL BASIS FOR PROCESSING? Data is processed firstly in order to fulfill the user s requests (execution of the contract or request for service). To this end, name and surname and address will therefore be used and the contents of the communication will be read, in order to fulfill it or in any case reply to it. Secondly, the data is processed to fulfill legal obligations (e.g. regarding the storage of correspondence). Personal data may also be processed on the basis of any consent given by the user. In this case, data may only be processed for the time for which consent remains and only for the purpose for which consent was given. It should be stressed, as regards consent, that the user may choose to give (or not give) consent differently for each type of processing, and is not obliged to give or not give consent to all processing for which it is required; consent can always be revoked. For example, if the data is transferred to third companies for both marketing and profiling purposes, two separate consents are needed, which the user may freely choose to give or not to give,

5 differently. The service records the time and date of the consents and any revocation of such. 12: HOW WILL THE SERVICE DISTURB THE USER? The user sending a communication by means of the website to Landoor.com: may receive or other communications from Landoor: these will be operative s or in any case replies to communications sent by the User. These s are essential to the correct management of the service (and may, if used, come from linked websites). He/she may receive s or other commercial communications from Landoor offering services promoted by Landoor and related to it: he/she can request to no longer receive such and Landoor will be required to satisfy the user s request (this is called soft spam ). The screen may display commercial communications processed on the basis of the information processed and obtained from the fingerprinting service (using cookies or similar instruments: please refer to the cookies disclosure) whilst using the service or other services. 13: WHAT RIGHTS DO USERS HAVE? Users have a series of rights. First and foremost, the user has the right to be informed of: categories of data that is processed (see points 2 and 5); source of the data, i.e. the method of data conferral within the service (see point 7); purpose of data processing, i.e. why the data is processed (see point 6); method of data processing (see point 9); details of the controller and any data supervisors (see point 3); subjects to whom the data is disclosed (see point 3/a); length of time for which data is stored and processed (see point 10); the right to make a complaint to the Italian Data Protection Authority, via the following link: existence of whether or not Landoor or third parties adopt a profiling process; legal basis for processing (see point 11); right to revoke consent; interests pursued by the controller by means of processing (e.g. promotion of services connected with Landoor.com). In addition to the rights to simply obtain information, there are also operative rights. Specifically: The data subject has the right to know if his/her data is processed by the controller. He/she has the right to know what data is processed, why, for how long, if it is disclosed to third parties and where said addressees are. The data subject also has the right to have a copy of the data he/she has supplied to us. If data has been processed using automated methods and on the basis of his/her consent or a contract, he/she may ask - if technically possible - that the data is sent to the data subject him/ herself or to any new controller (see the right to portability), as long as this operation does not harm the rights (and data) of other persons. In this case, a request may also be made to erase data (except where the law requires the Controller to store it). If personal data is inexact or incomplete, the data subject may ask that it be rectified or completed, providing instructions in this sense. If the Controller needs to verify the exactness of the data

6 disputed by the data, he/she may, in turn, obtain a restriction of data processing to which he/she objects (the right to restriction means that the data is usually stored and not processed at all, except by specific consent of the data subject or in order to exercise a right in a place of law). If the personal data is no longer necessary for the purposes for which it was collected or otherwise processed, the data subject can request that it be erased. If, however, the data is needed by the data subject to exercise a right in a court of law, he/she can request a restriction to such. If there is no consent, or if consent has been revoked (and there are no other reasons making data processing legitimate), the data subject may ask for it to be erased. If the data regards children under the age of sixteen, if processed under the scope of information society services and consent has not been given or processing authorized by subjects acting as legal guardians, the data subject has the right to have the data erased. If processing is unlawful because data is processed without consent, legitimate interest by the Controller, contract for the fulfillment of which processing is necessary, there is a legal obligation to processing by the Controller, the data subject may ask that the data be erased or the processing restricted. Data is processed on the basis of a legitimate interest of the Controller in the absence of interests or rights or fundamental freedoms of the data subject considered to be prevalent or to fulfill a task of public interest by the Controller. If the data subject objects to said processing, the right to object may be exercised or one or more of the following actions requested: - erasure; - restriction (whilst awaiting verification as to whether or not any prevalent legitimate interests of the controller exist). If data is processed for direct marketing purposes (i.e. to promote Controller services), the data subject may object to said processing. In this case, the personal data is no longer processed to this end and, if processed only to this end, is erased. If, on the basis of the consent of the data subject or in order to fulfill a contract, data is processed according to an automated decision-making process (such as, for example, profiling), the data subject has the right to request and obtain human intervention in said decision-making process or to in any case express an opinion. For a detailed explanation of the rights, see below: Right to access: The user has the right to obtain confirmation from the data controller of whether or not processing is being carried out on personal data regarding him/her, the purpose (i.e. the aims) of the processing of his/her personal data, what personal data is processed (and, as mentioned, to what end), to whom the data may be disclosed or transferred (and where), storage time and data processing, any existence of a profiling process (i.e. data analysis with related assessment of conduct, tastes, location, etc. of the data subject). If the data has been collected by a subject other than the controller, the right to access also includes the faculty to ask from whom the Controller received the data. Finally, the data subject has the right to ask for a copy of his/her data: if this cannot be directly

7 downloaded from his/her personal account, the copy will be supplied in computerized format unless the data subject should request a different format (see Art. 15 of the GDPR). Right to rectification: The data subject has the right to obtain the rectification, or correction, if his/her personal data should be inexact (if in doubt as to the correctness, see also that said on the right to restriction: in this case, in fact, data will be stored, not processed for the purposes for which it is normally processed, until the controller has verified whether or not it is exact). If the data is incomplete and completion is necessary or appropriate for the purposes for which it is processed, the data subject may obtain its supplementation, to this end also supplying a supplementary declaration. Right to obtain erasure of data: the data subject has the right to obtain the erasure of data in the following cases: his/her data is no longer necessary for the purpose for which it was collected or in any case processed; data was processed on t he basis of consent that the data subject has revoked (as long as, in justification of the processing, other legal reasons do not remain, such as the execution of a contract, fulfillment of a legal obligation binding on the controller); the data subject has objected to processing (see objection): if he/she objects in the case of direct marketing, the data - if used only to this end - must be erased (and in any case can no longer be processed for direct marketing purposes), whilst in other cases (if, that is, data is processed for other legitimate interests of the Controller as indicated in the disclosure or for the Controller to carry out a task of public interest), it is only erased if there is no overriding reason (see objection) requiring its storage. For the time necessary to establish whether or not there are any overriding reasons, processing may be restricted; data has been processed unlawfully, and therefore without the controller being entitled to do so (as an alternative to erasure, the data subject may request restriction, as indicated below); data must be erased where there is a legal obligation to do so; data regarding children under the age of 16, collected under the scope of the supply of (online) information society services and consent or authorization has not been given by the parents, to the processing. Erasure will not be assured, however, in the following cases: if data is processed under the scope of a legitimate exercise of the freedom of expression or information (in the controller s opinion, without prejudice to the right of the data subject to contact the Authority or court as indicated above); if the processing of the data is necessary in order to fulfill a legal obligation binding on the Controller or to fulfill a task performed by the Controller in the public interests; if data is processed for reasons of public order or public health; if data is archived for public interests, scientific or historic research, as long as made anonymous if possible or at least pseudonymized (i.e. processed in a manner that it is not possible to identify the data subject, except by means of additional information with respect to that immediately available) and if the minimum data necessary to this end is used; if data processing is necessary in order to exercise or protect a right in a court of law (criminal). Right to restriction: is the right to mark the data and restrict its use to storage only. In this case, therefore, the Controller does not erase it, but only stores it without performing any other

8 processing. The controller keeps it separately from the rest only if so requested by the data subject: it may, in fact, be that he/she has an interest in the data, albeit only stored for the purposes of the restriction, remaining in the original place. The right to restriction exists in the following hypotheses: if the data subject challenges the exactness of data, for the period necessary to verify the exactness of said data (see that said in terms of the right to rectification); if processing is unlawful and the data subject does not request that the data be erased, but merely that processing be restricted (in order to very probably later exercise his/her rights); if processing is no longer necessary for the purpose for which the data has been collected or processed, but the data is needed by th data subject for the ascertainment, exercise or protection of a right in a court of law (in this case, therefore, although no longer needing to be processed, it is stored insofar as it is necessary in a legal setting to the data subject); if processing has been objected to (not in the case of objection to data processing for direct marketing) and the controller needs to check if there are any overriding reasons that make the processing necessary (see right to erasure, point 3, and to object). The data subject is informed by the controller if the restriction is revoked. The information will take into account revocation time and the data processing that will be carried out after said revocation. Right to portability: is the right to obtain a copy of the data supplied by the data subject (in any way) to the controller, if processed using automated means and if processed on the basis of consent given by the data subject or in fulfillment of the contract to which the data subject is party. The copy must be legible by an automatic device and the file must be in a common format. The data subject shall also have the right to ask that said copy is sent to another Controller, as long as this is technically feasible. The right to portability cannot harm other person s rights and freedoms: if, therefore, the personal data of the data subject cannot technically be split form the data of other persons, the right to portability cannot be exercised. Right to object: if the personal data is processed in order to fulfill a task of public interest assigned to the Controller or for a legitimate interest of such, the data subject may object to such, i.e. may declare that the data must not be processed to this end. If the right to object is exercised, the controller shall abstain from any further processing of the data (take note: from any further processing, it need not necessarily erase such, insofar as to this end, a specific request is needed by the data subject): if, however, the Controller can show that there are urgent, legitimate reasons by which to pursue processing and if it can show that said reasons prevail over the interests, rights and freedoms of the data subject, then it will continue the processing (without prejudice to the faculty of the data subject to contact the Authority, court or to ask, in the meantime, that processing be limited). Despite opposition, processing may be continued in any case for the ascertainment, exercise or protection of a right in a court of law. In any case, if data is processed for a lawful interest of the controller, which consists of the execution of direct marketing activities, if the data subject objects, the data can no longer be processed to this end. Right not to be subjected to automated decisions: The data subject has the right not to be subjected to automated decisions (such as, merely by way of example, profiling), which have legal

9 effects in his/her regard or which affect his/her life. This right does not exist when the decision based purely on automated means is authorized by a specific law or if the data subject has consented to such or if it is necessary to the execution of a contract stipulated between the data subject and the Controller. In any case, if the decision is authorized by the consent given by the data subject or necessary to the execution of the contract, the data subject has the right to obtain human intervention to revise the decision, express an opinion to this end and in any case object to the decision. 14: HOW THEY CAN BE EXERCISED Procedure: the data subject can exercise his/her rights by sending a specific request to this end to the following address: info@landoor.com. The Controller must respond within thirty days. If the Controller is unable to reply to the request within these terms, it may defer said compliance for up to two months must shall, in any case - within the original terms of thirty days - notify the data subject both of the extension to the terms and the reasons for such. The Controller may, if it has reason to do so, follow up on the user s request. In this case, it must provide a grounded reason within a month of the request. In any case, the user may contact the Authority or court. If the controller has any doubt as to the identity of the person making the request or exercising any of the rights, it may request more information to confirm the identity of the party making the request. The Controller must reply using the same channel used by the user for the request, unless the user him/herself asks that a reply be given through a different channel. The requests and replies are free of charge, unless evidently unfounded or repetitive. In this latter case, the Controller may debit out-of-pocket expenses incurred for the reply (and, therefore, the payroll costs, costs of materials, etc.). 15: WHAT RIGHTS AND DUTIES DO USERS HAVE? As, as specified on several occasions, sending a communication contains (or in any case may contain) personal information about the user or third parties, both in the body of the text and in any attachments and as, as a rule, the first communication sent through landoor.com is not that in which the appointment is made in detail (which will then be carried out by one of the linked services), the user is asked to adopt care and prudence in including data and information in such communications, particularly if the information refers to third parties. The user is also obliged to provide truthful data. 16: DATA BREACH If any of the following events should occur: access, removal, loss, erasure, disclosure or unauthorized change (i.e. data breach), without prejudice to the urgent technical measures to be implemented to block the event (as far as possible) and reduce the relevant damaging effects, Landoor undertakes to: - restore the service efficiently as quickly as possible, recovering the data available from the last useful back-up performed; - inform the users, directly if circumstances allow or generically (by means of a notice on the home page of the Service or by communication sent to all users, including those whose data may not actually be affected by the events) of the type of event, when it took place, the measures adopted (without going into detail, so as to avoid facilitating any new attacks), in order to reduce the

10 damages and avoid any similar new events, as well as the measures and aspects the user must, on his/her part, implement to reduce the probability of new events and limit the consequences of those which have already occurred. The original version of the above text of the DISCLOSURE is held at the server of the company Sinapto S.r.l. Text valid starting 5/1/2018.