The company, Labybird S.r.l, located in Via Leonardo da Vinci, 16 - 10126 Torino, (hereinafter referred to as the "Company") hereby states that it is acting as the Data Processor pursuant to Articles 4, 7 and 24 of EU Regulation no. 2016/679 dated 27 April 2016 concerning the protection of individuals with regard to processing their personal data (hereafter the "Regulations") regarding aforesaid personal information collected on the website www.docsity.com (the "Site") with particular reference: (1) to processing relating to the registration procedures of users on the Site (hereinafter referred to with the terms "Data Subject" or "User", contextually used both in the singular and in the plural, which refers to adults, such as students, professors, tutors, professionals; individuals over sixteen years of age; minors of sixteen, and above, with parental authorisation); (2) processing related to the provision of web space, cloud and/or electronic platforms made available by the Data Processor - also through third parties - to allow the use of digital services and content on the basis of the provisions of the relevant General Terms and Conditions hereto.
Personal data processing means any operation or set of operations, carried out with or without the aid of automated processes and applied to personal data or sets of personal information, even if not registered in a database, such as the collection, recording, organisation, structuring, storage, processing, selection, blocking, adaptation or modification, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, elimination or destruction thereof.
The data shall be processed manually and/or with the support of IT or electronic means for the following purposes.
As required by the WP 260/2017 Guidelines on transparency, we firstly provide all details relating to the Data Processor every information to contact them quickly.
Via Leonardo da Vinci, 16 - 10126 Torino
VAT number and registration number in the Register of Companies of Turin no. 10816460017
Share capital €20,000.00
Certified Email: email@example.com
Moreover, as required by the Guidelines on the Personal Data Protection Officer (DPO) WP243/2016, the contact details of the Data Protection Officer (DPO) are also provided.
Via Leonardo da Vinci, 16 - 10126 Torino
DPO dedicated phone number: 011 6938436
DPO dedicated email: firstname.lastname@example.org
Registration to the Site is permitted only to adults, or to minors over the age of 16: pursuant to Article 8 of the Regulations, a minor, who is over 16, may express consent to the processing of personal data in relation to the offer of services provided by the Company on the Website.
Always based on the provisions of Article 8 of the Regulations, the processing of personal data of minors under the age of sixteen can be based on a valid consent given by the minor only on condition that he/she has been authorised by his/her parental guardians to provide such consent or provided that consent was given directly by the parental guardian themselves. Unauthorised registration of under 16 users is not allowed. Upon registering with the Site, the Data Subject confirms that he/she possesses the aforementioned age requirements.
A.1 Pre-contractual and contractual purposes of fulfilment of the contract stipulated with the Data Subject.
Firstly, the initial processing of personal data is required for the purpose of making it possible to stipulate a contract between the Data Subject him/herself and the Company. By "Contract" we mean the contract as a whole, and based on the case:
a) the stipulation of one or more contractual relationships with the Data Subject for the activation of a subscription to the services offered by the Company, for both free and paid services [e.g.: Basic Services, Premium Services (Standard Subscription), Marketplace Services, Services of Tutoring, All-Inclusive Subscriptions, as well as additional services provided on a time to time basis and/or made accessible by the Company through the Website];
b) the fulfilment of the contract of mandate for collection from the User to the Company whenever the Data Subjects stipulate on their own - and as an independent Data Processor - with other site users (through the Marketplace service and the Store function) contracts of sale and/or purchase of Digital Content (i.e. texts, documents and materials in general with educational and/or informative content in digital format) or of Tutoring Content (online lessons provided by teaching staff) that the Company collects payment thereof, and assigns payment to the Data Subject.
To allow the Company to fulfil these obligations under the Contract, the User's relevant personal information will be processed. Furthermore, prior to the conclusion of the Contract, the processing of the Data Subject's personal information may also pursue pre-contractual purposes, such as responding to specific requests from the same, providing technical and negotiation assistance for the registration process, or performing lawful and relevant checks - in compliance with the current ethical codes and good conduct on the processing of personal information - with regard to the veracity of the data provided (especially in the case of minors who require registration). By sheer way of example, and for greater transparency towards the Data Subject, the primary purposes of the processing connected with the fulfilment of the Contract (in each phase) may also be specifically aimed at: providing services as a whole defined by the General Terms and Conditions, maintenance and technical assistance, management of payments between users, management of payment collections by the Company of the sums due on the services rendered; management of any complaints and/or disputes, storage of personal information, use of personal data to make communications relating to the performance of the established contractual relationship, checks on the proper fulfilment of the obligations undertaken, contesting illegal or fraudulent behaviour.
Pursuant to Article 6 of the Regulations, the legal basis of the processing, in all cases and processing provided for under paragraph A, herein, is represented by the following: processing is necessary for the execution of the Contract (or the execution of pre-contractual measures adopted at the request of the Data Subject).
The categories of personal information processed are represented by common personal data.
A.2 Purposes of fulfilment of obligations under the law, rules or EU regulations. Purpose to assert or defend rights.
Secondly, personal data will also be processed to fulfil obligations established by law, regulation or EU legislation including for civil, administrative, accounting and tax purposes.
Finally, personal data may be processed to assert or defend (legal, arbitration, administrative, etc) rights of any kind in the competent courts, whether or not related to the Contract (e.g.: default) or the Site's other legal terms and conditions.
The legal basis of the processing, in these cases, is represented by the need to fulfil a legal obligation to which the Company is subject. Moreover, in the case of actions to assert or defend a right in court, the legal basis of the processing is represented by legitimate interest.
The categories of personal information processed are represented by common personal data.
A.3 Purpose to allow the User's registration on the Company's Website.
Access to and navigation of the Site where the Company offers its services related to the Contract and to the management of a protected area (the User's Dashboard) are free but the possibility of benefiting from the aforementioned services (including free services such as the creation of a personal Dashboard) is allowed only following the Data Subject's registration. The registration process consists of filling in an online form where the user is required to indicate certain personal data for the activation of authentication credentials (login + password) with which they will subsequently access all member's areas and services to registered users.
Therefore further primary purposes of the processing are represented by the need to allow the completion of the required procedures for prior online registration and the creation of an account and to allow the Site administrators to generate and subsequent technical and administrative management (including providing support and technical assistance upon request) of the account itself including Client IDs, activation codes, passwords and similar authentication credentials as created within the registration process. In these primary and main purposes of processing the Data Subject's personal information are also those to allow access to the Site's web pages and, where possible, enjoy online services and pre- and post-contractual assistance for the management of any consequent contractual, administrative, technical or legal profile. With reference to this last processing, the purpose is also to manage any type of request for assistance - technical, commercial and/or contractual - received by the Company concerned and to provide the relevant response.
Finally, among the primary purposes there is also some technical processing carried out through so-called "technical cookies". In these specific cases, technical processing is aimed solely at carrying out the transmission of a communication over an electronic communications network to the extent strictly necessary for the Company to provide the services explicitly requested by the contracted user.
The legal basis of the processing, in these cases, is represented by the need to implement the Contract of which the Data Subject is a party or the pre-contractual measures taken at the request of the same.
In all the cases illustrated above - and based on the applicable regulatory provisions of the Regulations and the current Italian legislative decree on the coordination of national legislation on personal data protection - the Company shall communicate personal data to the following external recipients. As required by the WP 260/2017 Guidelines on transparency, we provide the relevant indications on the recipients of data communication according to the obligations laid down therein (mandatory indication - where possible - of the subjects and entities that receive data communication, including external managers, co-processors, internal managers).
to third party service providers to whom communication is necessary for the performance of the services covered by the Contract. As required by the WP 260/2017 Guidelines on transparency, where the Data Processor chooses to indicate the recipients of the data by categories, they must justify why they consider this approach correct and, in any case, the reference category must not be generic but specific, making reference to the activities carried out, the sector, industry, and the territorial location of the recipients identified by this category. In this perspective, and in this case the Company considers the approach for recipient categories of communication to be correct, given that the nominative indication of suppliers and sub-suppliers would be exorbitant. It is always possible for the Data Subject to make an informal request by email to email@example.com fora complete list of data recipients. The third party recipients of personal data are represented by the following categories: companies in the banking and credit sector that provide services for the management of financial transactions related to collections and payments; suppliers in the ICT services sector for installation, assistance and maintenance of IT and electronics for systems and services functionally connected and necessary for the performance of the services covered by the Contract; subjects that carry out archival activities for the documentation relating to the relationships with the Data Subject; subjects that provide services for the management of the Company's electronic platforms; subjects that carry out activities of control, revision and certification of the activities carried out by the Company; subjects that carry out debt-collection activities; companies that provide contractual assistance to customers (e.g. call centres); persons, companies or professional firms, which provide assistance, advice or collaboration to the Company in accounting, administrative, legal, tax and financial matters relating to the Contract; companies and institutional subjects operating in the field of fraud prevention; service providers aimed at verifying the accuracy and validity of personal and tax data;
to other internal personnel and persons authorised to the processing forming part of the Company's organisational chart, based on roles or functions and/or specific internal company procedures. Personal data will be made accessible only to those who need it due to their job or hierarchical position. These persons are appropriately identified as persons authorised to carry out processing pursuant to Articles 29 and 32 of the Regulations and are obliged to the legal commitment to confidentiality and are specifically instructed in order to avoid losses, destruction, unauthorised access or unauthorised processing of data.
Individual's personal data will not be disseminated elsewhere on the site, unless otherwise indicated on the User's personal Dashboard (that they manage autonomously as an independent Data Processor), where there are options or functions selected by the Data Subject (in this case it would establish on its own as the independent Data Processor on the scope of dissemination) that render such information visible to not identified or identifiable recipients.
In all the cases described above in Paragraphs A and B (for the hypothesis of communication to third parties) - and having regard to the legal bases pursuant to Article 6 of the Regulations - the Company is not obliged to acquire any specific consent to the Data Subject's processing. All the aforementioned processing pursues primary purposes for which the Regulations exclude the need to acquire specific consent, applying alternatively different legal-case law bases that legitimise and render the processing lawful without consent. In particular, these are the legal bases of the processing necessary to fulfil obligations arising from a contract of which the Data Subject is a party or to fulfil, before the conclusion of the contract, specific requests from the Data Subject; of the necessary processing to fulfil an obligation established by law, by a regulation or by EU legislation or - finally - of the necessary processing for the purpose of action or defence of a right in court or to pursue a legitimate interest of the Company.
Should the User not intend to provide such personal data requested and necessary on the basis of the foregoing, the consequence would be that of the impossibility to proceed with the execution of the Contract and its relative products and services proposed on a time to time basis. In such circumstance, browsing the Site as an unregistered user would still be possible.
The personal data collected will be processed - subject to the Data Subject's consent - also for the following secondary and homogeneous purposes of processing: to pursue purposes of commercial promotion, advertising communication, solicitation to purchase behaviour, market research, surveys (online or through forms), statistical elaborations (of an identifying nature), other marketing researches in a broad sense (including prize events, games and competitions) of products and/or services related to the Company (hereinafter, "Processing for Marketing Purposes"). For informative transparency's sake, and as requested by WP259 Guidelines on consent under the Rules issued by the Group of European Guarantors, as an exception to the rule of granularity of consent (as many consents as are the purposes and processing operations, should these be heterogeneous) it should be noted that these Guidelines authorise a single formula of consent "To cover various processing operations, where such processing operations pursue a series of unitary purposes"; moreover, according to Point 32 of the aforementioned Rules, a single consent can be applied "to all processing activities carried out for the same purpose or purposes". The objectives indicated herein are objectively attributable to the pursuit of a unitary purpose, due to the fact that the processing operations are different, being that of commercial promotion and marketing in the broad sense. Consequently, by conferring a unified consent to the Processing for Marketing Purposes the Data Subject specifically takes note of the homogeneous and different promotional, commercial and marketing purposes specified in detail (including the consequent management and administrative activities) and expressly authorises aforesaid processing and purposes, both where the means used for the Processing for Marketing Purposes via telephone with an operator or other non-electronic means, not electronic or not supported by automatic, electronic or electronic mechanisms and/or procedures where the means used are email, fax, text messages, automatic systems without an operator's or similar intervention, including electronic platforms and other electronic means) that - lastly - as a specific and further legal basis of Processing for Marketing Purposes pursuant to Article 6, Paragraph 1, Letter (a) of the Regulations.
Pursuant to the General Provision of the Privacy Guarantor dated 15 May 2013, entitled "Consent to the processing of personal data for purposes of direct marketing through traditional and automated contact tools", this is applicable in accordance with the criterion of compatibility with the Regulation, which specifically draws the Data Subject's attention to the fact that:
consent given for the sending of commercial and promotional communications through the use of electronic mail, fax, text messages, automatic systems without an operator's or similar intervention, including electronic platforms and other electronic means implies the receipt of such communications, not only through these automated methods of contact, but also through traditional methods such as ordinary mail or phone calls;
the right to oppose the processing of personal data for purposes of "direct marketing" through the aforementioned automated methods of contact, will in any case extend to the traditional ones and, even in this case, the possibility of exercising such law in part, as required by Article 21 of the Regulations, both with respect to determined means and processing;
the possibility remains for the Data Subject who does not give consent in the terms indicated above, to express any wish to receive communications for the aforementioned marketing purposes exclusively through traditional methods of contact, where provided for: this will be freely exercised by simply sending an email to firstname.lastname@example.org
For the purposes of the principle of compliance with the privacy obligations for the Data Processor, and in compliance with the principles of simplification of the same obligations pursuant to the General Provision of the Guarantor for privacy dated 15 May 2013 entitled "Consent to the processing of personal data for purposes of "direct marketing" through traditional and automated contact tools", the Company informs the Data Subject that the specific consent formula available on the basis of the procedure to gather consents from time to time envisaged will be unitary and comprehensive and will refer to all possible means of marketing, without prejudice to the possibility for the Data Subject to express a different will as to the use of certain means and not others for the receipt, with the consent, of marketing communications by simply sending an email to email@example.com Furthermore, similarly for the purposes of the principle of compliance with the privacy obligations for the Data Processor in compliance with the principles of simplification of the same obligations, the Company informs the Data Subject, also pursuant to the Regulations and Guide WP259 on consent pursuant to the Rules issued by the Group of European Guarantors, that a specific consent formula will be unitary and comprehensive and will also refer to all the different and possible marketing purposes expressed herein (i.e. without multiplying the formulas of consent for each distinct marketing purpose pursued by the Data Processor), without prejudice to the possibility for the Data Subject to notify a different intention regarding giving, refusing or withdrawing consent for individual marketing purposes by simply sending an email to firstname.lastname@example.org
To proceed with the Processing for Marketing Purposes it is mandatory for each Data Processor to obtain an informed, free, unambiguous, specific, separate, express, documented, preventive and completely optional consent from the Data Subject.
Consequently, should the Data Subject decide to provide the specific consent as requested above, they shall be informed in advance and aware that the purposes of the processing are pursued exclusively for a specific commercial, advertising, promotional and marketing nature, with the consequence that the Data Subject does not intend to submit their data to Processing for Marketing Purposes, they shall be free and there will be no consequences for the current Contract (even in the event of a subsequent revocation of the consent given, without prejudice to the processing of the data up to that moment legitimately carried out pursuant to Article 21 of the Regulations). With a view to absolute transparency, the Company summarises the purposes of the processing in greater detail:
to send advertising and informative material (e.g. Newsletters), promotional or otherwise commercial information;
to carry out direct sales or placement of the Company's products or services;
to send commercial information or make interactive commercial communications also pursuant to Legislative Decree 206/2005 through electronic communications networks and services;
to elaborate studies, research, market statistics, sample research, conduct surveys even those involving identification of the Data Subject;
to organise and/or promote prize events (games, competitions and prize operations) pursuant to Presidential Decree 430/2001;
to send unsolicited commercial communications pursuant to Article 9 of Legislative Decree no. 70 dated 9 April 2003.
Therefore, by granting the entirely optional consent, the Data Subject specifically acknowledges and authorises such treatments and/or processing that pursue the homogeneous other purposes than those set forth herein.
In any case, even if the data party has given consent to authorise the Company to pursue all the purposes of the Processing for Marketing Purposes, they are free at any time to revoke the same by simply sending an email to email@example.com or using the privacy settings management function in the restricted area on the Site: e.g. by changing the settings on the personal dashboard), following receipt of a request for opt-out, the Company will promptly proceed to the removal and deletion of data from the databases used for the Processing for Marketing Purposes. The mere receipt of a cancellation request will automatically be validated as a confirmation of cancellation.
We inform you specifically and separately, as required by Article 21 of the Regulations, that the Data Subject has the right to oppose the processing of their personal data for such purposes at any time and that if the User opposes the processing for direct marketing purposes, personal data will no longer be able to be processed for these ends.
The Company will use this information for aggregate statistical purposes to provide a better service to its users. The user can unsubscribe from the newsletter at any time, through the appropriate link sent in each newsletter. Specific consent to processing, pursuant to Article 21 of the Regulations, is always revocable and at any time you can oppose the processing for marketing purposes.
Personal data subject-matter of Processing for Marketing Purposes shall not be disseminated.
We draw particular attention to the fact that the provision of personal data to the Company and the provision both of consent to the Processing for Marketing Purposes relating to the purposes and with the methods illustrated herein, are absolutely optional and facultative (and in any case revocable without formalities even following the service) and failure to provide data thereto shall not result in consequences other than the impossibility for the Company to proceed with the marketing data processing herein.
In the event of refusal of the marketing consent, there shall be no interference and/or consequence on the negotiated, contractual or other relations referred to in the Contract and whose processing of personal data falls within the primary purposes of the processing referred to in Paragraphs A and B of this Privacy Disclosure Paper.
Exclusively with reference to the use of the email indicated by the Data Subject at the time of conclusion of the Contract, it will be possible for the Company to send (without the need to acquire additional specific consent) information and advertising material provided that it relates exclusively to similar products and/or services to those covered by the Contract. It remains in this particular hypothesis the right of the Data Subject to oppose the treatment at any time (by notifying an opt-out via email to firstname.lastname@example.org) upon receipt thereof. In any case, the Data Subject, on the occasion of sending any email communication made by the Companies for the purposes set forth herein, will be duly informed of the possibility to oppose the processing at any time, in an easy and free manner. Such opposition will not produce any consequence on the Contract.
In the other cases of use of the Data Subject's email to send dissimilar informative and advertising materials to the products and/or services covered of the already stipulated Contract, requires a specific and separate consent.
It is possible that for the purposes of marketing and improvement of services, the Company processes so-called "profiling" data.
For such processing, and for the purpose of complete information, reference is made to the definition in Article 4, Paragraph 1, no. (4) of the EU Regulation: "profiling": any form of automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to an individual, in particular for analysing or providing for aspects concerning professional performance, financial situation, health, personal preferences, interests, reliability, behaviour, location or movement of that individual".
The profiling activity may concern "individual" or "aggregated" personal data resulting from detailed individual personal data. To clarify what "profiling" consists of, we can refer to the following parameters as an example:
data is structured and coordinated on the basis of predefined parameters identified from time to time, depending on the company needs (regardless of marketing, contractual, administrative, etc. purposes);
initial data, considered individually, may include personal information of a variegated type, including contractual data and information relating to the transactions made, or to the downloaded Digital Content or Tutoring; or to revenues earned in the Marketplace Services, etc., but it is only following profiling (i.e. structuring according to pre-established parameters) that it is possible to derive further indications referring to each Data Subject, further indications (i.e. the "profile") that they would not derive from the mere informational aptitude of individually or separately considered data.
In other words, profiling in the narrow sense can achieve the availability of an information asset that goes well beyond the information considered individually and relating to each Data Subject; in addition, profiling in the strict sense provides an added value given by the multiple correlations that can be established between the individual data collected, in order to obtain further useful information.
As to the obligations for the companies to provide - pursuant to Article 13, Paragraph 2, Letter f) of the Regulations - information on the logic of the profiling processing and the importance and consequences of such processing, the following is further clarified. Basic elements of profiling processing shall be:
1) the predetermination of parameters for structuring the singularly contemplated data;
2) comparison, cross-referencing and the relationship between this data and the comparative analysis carried out on the basis of predefined parameters, also by means of automated processes (i.e. the cataloguing of individual data in clusters);
3) obtaining a profile through the foregoing activities and allowing the identification of the interested PdV and the additional analytical indications with respect to the individual data and making it possible to generate the mapping/segmentation into homogeneous behavioural groups (dynamic creation of behavioural profiles).
The processing described herein shall be referred to below as the whole "Profiling processing".
The Company could proceed to the following *Profiling*processing, as in the case of detection of:
number and type of purchase of subscriptions to the Company's services carried out in a predetermined timeframe;
number and type of expenses carried out in a predetermined timeframe;
number and type of new contracts on the Marketplace stipulated in a predetermined timeframe;
number and type of assistance requests submitted over a predetermined timeframe;
number and type of contestations received and/or sent within a predetermined timeframe.
To proceed to a Profiling Processing it is mandatory to acquire a specific, separate (also from the marketing consent referred to in paragraph C), expressed, documented, preventive and entirely optional consent.
Consequently, should the Data Subject opt to give specific consent, they shall be informed in advance and aware that the purposes of the processing pursued are of a specific commercial, advertising, promotional and marketing nature based on a Profiling Processing. With a view to absolute transparency, the Company therefore informs that the data collected on the basis of a specific provision of consent may be the subject of a Profiling Processing for the same purposes referred to in Paragraph C herein.
We draw particular attention to the fact that the provision of personal data to the Company and the provision of consent to the Processing for Marketing Purposes for the purposes and with the methods illustrated herein, are absolutely optional (and in any case revocable without formalities even following the service) and failure to provide data thereto shall not result in consequences other than the impossibility for the Company to proceed with the processing of marketing data herein.
In the event of refusal of consent to the Profiling processing there shall be no interference and/or consequence on the contractual relationships referred to under the Contract.
Profiling Data shall not be disseminated.
Pursuant to Article 13, Paragraph 1, Letter (f) of the Regulations, we hereby inform you that certain personal information of the Data Subject may be transferred to a country outside the European Union. Specifically, this refers to the United States of America and Brazil where some companies providing services related to the management of the Contract and the Site are located.
This transfer will take place pursuant to Article 46 (Transfer subject to adequate guarantees), Paragraph 2, Letter c) of the Regulations, i.e. through the adoption of a Contract for the transfer of personal data to third countries that incorporates the standard data protection clauses adopted by the EU Commission.
At the headquarters of each of the Companies as indicated above, the Transfer of personal data is available, which may be requested for an extract from the Data Subject, as required by Article 13 of the Regulations.
The data will be kept for the periods specified in the relevant legislation, which are specified below pursuant to Article 13, Paragraph 2, Letter (a) of the Regulations: ten years from the termination of the contractual relationship for documents and related data of a civil, accounting and tax nature as required by the ongoing legislation.
With reference instead to the personal data subject-matter of Processing for Marketing Purposes or Processing for Profiling Purposes, these shall be retained in accordance with the principle of proportionality and minimisation for the duration of the Contract or - if the Contract continues to be in force, until the revocation of specific consent by the Data Subject to the ancillary and secondary processing and profiling (including communication to third parties for the same purposes), and therefore the retention times in this case are related to the choice of the User to proceed with the revocation.
Pursuant to Articles 13, Paragraph 2, Letters (b) and (d), from 15 to 22 of the Regulations, the Data Subject is hereby informed that they:
a) have the right to ask the Company for access to personal data, rectification or cancellation of the same or limitation of the processing that concern them or to oppose their processing, in the cases provided thereto;
b) have the right to propose - in Italy - a complaint to the Guarantor for the protection of personal data, as competent authority, following the procedures and indications published on the official website of the Authority on www.garanteprivacy.it;
c) alternatively, they have the right to lodge a complaint with another European privacy authority located in the place of habitual residence or domicile in Europe of those who dispute a violation of their rights, following the procedures and indications thereto;
d) any corrections or cancellations or limitations on processing carried out at the request of the Data Subject - unless this proves impossible or involves a disproportionate effort - shall be communicated by the Company to each of the recipients to whom the personal data have been transmitted. The Company may communicate the recipients to the Data Subject upon request from the same.
The exercise of rights is not subject to any form of constraint and is free of charge. Only in the event of a request for further copies of information requested by the Data Subject, will the Company be able to charge a reasonable fee based on administrative costs. Should the Data Subject make the request by electronic means, and unless otherwise requested by the Data Subject, the information shall be provided in a commonly used electronic form. The specific address of the Company to transmit claims for the exercise of rights as recognised by the Regulations is as follows: email@example.com No other formalities are required. Responses shall be given in accordance with the provisions of Article 12, Paragraph 3 of the Regulations ("The Data Processor provides the Data Subject with regard to the action taken on a request pursuant to Articles 15 to 22 without undue delay and, in any case, no later than one month after receipt of the request. Such period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Data Processor shall inform the Data Subject of any such extension within one month of receipt of the request, in conjunction with the reasons for the delay. Where the Data Subject makes the request by means of electronic form, such information shall be provided by electronic means where possible, unless otherwise requested by the Data Subject")
Based on the provisions of the Guidelines on transparency WP 260/2017 issued by the Group of EU Guarantors, in indicating the rights of the Data Subject, the Data Processor must specify a summary of each right in question and must provide separate indications on the right to portability.
The Company informs the Data Subject about the specific right to portability. Article 20 of the General Data Protection Regulation introduces the new right to data portability. This right allows the Data Subject to receive the personal data provided to the Company in a structured format, commonly usable and readable by an automatic device, and - under certain conditions - to transmit them to another Data Processor without impediments.
Only personal information that (a) pertains to the Data Subject and (b) has been provided by the Data Subject to the Company; (c) is processed electronically in connection with the stipulation of a contract.
Data portability includes the right of the Data Subject to receive a subset of their personal data processed by the Company and to keep them for further use or for personal purposes. This storing can take place on a personal support or on a private cloud, without necessarily involving the transmission of information to another Data Processor. Portability is a sort of integration and strengthening of the different right of access to personal data, also provided for by Article 15 of the Regulations.
In the event the Data Subject requests for the portability together with the direct transmission of their data to another data controller, please note that this right is subject to the condition of technical feasibility: Article 20, Paragraph 2 of the Regulations provides that data may be transmitted directly from one owner to another at the request of the Data Subject, and where this is technically possible. The technical feasibility of transmission from one Data Processor to another must be assessed on a case-by-case basis. Point 68 of the Regulations clarifies the limits of what is "technically feasible", specifying that "it should not imply the obligation for Data Processors to adopt or maintain technically compatible processing systems". Therefore, direct transmission of data from the Company to another processor may occur if it is possible to establish communication between the two processors' systems (transferor and receiver) securely, and if the receiving system is technically able to receive the incoming data. If technical impediments preclude direct transmission, the Company will provide detailed information and explanation to the Data Subject.With regard to the compatibility of formats to ensure portability, the Company shall comply with the provisions of Paragraph 1021, Letter (b) of Law 205/2017 ("presence of adequate infrastructures for the compatibility of the formats where data is made available to the Data Subjects") if in force following 25 May 2018 and in any case within the limits of what has been clarified by the Guidelines on data portability WP242 issued by the Group of European Guarantors ("The expectation is that the owner transmits personal data in a compatible format, but this does not impose any obligation on the other Data Processors to support this format").
We inform you that according to the Guidelines on data portability WP242, Data Processors who comply with a request for portability have no specific obligation to verify the quality of the data before transmitting them. Furthermore, portability does not impose any obligation on the Company to retain data for a period longer than necessary or further than specified. Above all, it does not impose any further obligation to retain personal data for the sole purpose of fulfilling a potential request for portability.
Exercising the right to data portability (or any other right under the Regulations) does not affect any other rights. The Data Subject can continue to benefit from the service offered by the companies even after a portability operation has been completed. Portability does not result in automatic deletion of data stored in the Company's systems nor does it affect the retention period originally envisaged for the transmitted data. The Data Subject can exercise these rights as long as the Company is carrying out processing.
The Company undertakes to fulfil requests for portability within 30 days of receipt thereof, reserving, pursuant to Article 12, Paragraph 3 of the Regulations, the right to fulfil the request within three months in cases of greater complexity. The portability request must be addressed to the following email address: firstname.lastname@example.org
The Regulations confer a series of rights to the Data Subject that according to the Guidelines on Transparency WP 260 it is mandatory to summarise their main contents within the disclosure paper. These rights are summarised below:
Right of access (to personal data only): the right to obtain confirmation from the Data Processor that personal data is being processed concerning the Data Subject and, in this case, to obtain access to personal data and to be informed about the purposes of the processing; on the categories of personal data in question; on the recipients or categories of recipients to whom the personal data have been or will be communicated, in particular if recipients are in other countries or belong to international organisations; whenever possible, on the retention period of the personal data provided or, if this is not possible, on the criteria used to determine such period; if the data has not been collected from the Data Subject, the right to receive every information available on its origin; the right to receive information on the existence of an automated decision-making process, including profiling and significant information on the logic employed, as well as the importance and expected consequences of such processing for the Data Subject.
Right of rectification and integration: The Data Subject has the right to obtain the correction of any inaccurate personal data without undue delay from the Data Processor. Taking into account the purposes of the processing, the Data Subject has the right to obtain the integration of incomplete personal data, also by providing an additional declaration. The Data Processor shall inform each of the recipients to whom the personal data have been transmitted of any corrections, unless this proves impossible or involves a disproportionate effort. The Data Processor shall inform the Data Subject about those recipients upon request of the latter.
Right to cancel: the Data Subject has the right to obtain from the Data Processor the cancellation of their personal data without unjustified delay (and where the specific reasons pursuant to Article 17, Paragraph 3 of the Regulations do not exist, on the contrary they relieve the Data Processor from the obligation of cancellation) if personal data is no longer necessary with respect to the purposes for which they were collected or otherwise processed; or if the Data Subject revokes the consent and there is no other legal basis for the processing; or if the Data Subject opposes the processing for marketing or profiling purposes, also by revoking its consent; if the personal data has been processed unlawfully or concerns information collected from minors, in violation of Article 8 of the Regulations. The Data Processor communicates to each of the recipients to whom the personal data has been transmitted, any cancellations, unless this proves impossible or involves a disproportionate effort. The Data Processor shall inform the Data Subject about those recipients upon request of the latter.
Right to limitation of processing: the Data Subject has the right to obtain the limitation of the processing from the Data Processor (i.e., according to the definition of "processing limitation" provided by Article 4 of the Regulations: "the marking of personal data stored with the objective to limit processing in the future") when one of the following hypotheses occurs: the Data Subject disputes the accuracy of personal data for the period necessary for the Data Processor to verify the accuracy of such personal data; the processing is illegal and the interested party opposes the cancellation of personal data and asks instead that its use is limited; although the Data Processor no longer needs it for processing purposes, personal data is necessary for the Data Subject to ascertain, exercise or defend a right in court; the interested party opposed marketing processing, pending verification of the possible prevalence of the legitimate reasons of the Data Processor with respect to those of the Data Subject. If processing is limited, such personal data shall be processed, except for storage, only with the Data Subject's consent or for the assessment, exercise or defence of a right in court or to protect the rights of another natural or legal person or for reasons of significant public interest the party who has obtained the limitation of processing is informed by the Data Processor before such limitation is revoked. The Data Processor shall inform each of the recipients to whom the personal data have been transmitted of any limitations, unless this proves impossible or involves a disproportionate effort. The Data Processor shall inform the Data Subject about those recipients upon request of the latter.
The right to oppose: the Data Subject has the right at any time to oppose, for reasons related to their particular situation, to the processing of their personal data concerning carried out by the Data Processor or for the performance of a task of public interest or connected to the exercise of public powers vested in the Data Processor or carried out for the pursuit of the legitimate interests of the Data Processor including by third parties (including profiling). Furthermore, if personal data is processed for direct marketing or commercial profiling purposes, they have the right at any time to oppose the processing of personal data for such purposes.
Right not to be subjected to automated decisions, including profiling: the Data Subject has the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning the same or which significantly affects their person, except in cases where the automated decision is necessary for the conclusion or execution of a contract between the Data Subject and a Data Processor; is required by law, in compliance with measures and precautions; or is based on the explicit consent of the person concerned.
For any purpose, the link to the Articles from 15 to 23 of the Rules on the rights of the Data Subject.