Registration to the newsletter service, reserved to users aged 14 and over, requires the provisions of some personal data.
As required by the current legislation concerning personal data protection (art. 13 General Data Protection Regulation, hereafter also GDPR), Schalcon S.p.a. (hereafter also indicated as “Data Controller” or “Company”) provides the users who wish to register to the newsletter service with some information relating to the processing of the data acquired.
Registration to the newsletter is reserved to the users who have an e-mail address and are aged 14 or above. The newsletter contains communications of a promotional and commercial nature
ABOUT THE DATA CONTROLLER AND HOW TO CONTACT IT
The Data Controller is Schalcon S.p.A., with registered office in Viale Enrico Ortolani, 195 - 00125 Rome, VAT reg. no. 01137561005. Use the e-mail address firstname.lastname@example.org to contact the Company
WHICH DATA IS PROCESSED?
The processed data is the data provided by the user by filling in the specific form for the registration to the newsletter service and the IP address.
WHAT ARE THE PURPOSES AND LEGAL BASES OF THE PROCESSING?
The personal data provided by the user through the specific form is used to allow the data subject to register to the newsletter and periodically receive the promotional and commercial communications sent via e-mail to the e-mail address specified.
The legal base for the processing of such data is the consent, since the data subject registers to a service that implies the sending of promotional e-mails. The consent can be revoked at any time.
Should it be deemed necessary, the data may also then be used for the legitimate interest of the data controller to carry out defensive activities or to assert or defend a right in court.
HOW IS THE DATA MANAGED?
The data is processed through the platform and the IT tools offered by the “MailChimp” service of the US company The Rocket Science Group, LLC, 675 Ponce De Leon Ave NE, Suite 5000, Atlanta, Georgia 30308; therefore, in case of subscribing to the newsletter service, the data of the data subject may be transmitted and known by this US company providing the service, which adheres to the adequacy decision of the European Commission called “Privacy Shield”, with this guaranteeing the respect of the personal data that is the subject of the processing, and acting as data processor for this service. The specifications relating to this service are available at the following links http://mailchimp.com/legal/terms/ and http://mailchimp.com/legal/privacy/.
The data is stored until the data subject objects to the sending and wishes to cease to receive the newsletter, and in any case not beyond two years from registering the personal data.
This is without prejudice to any defensive requirements, based on which the data may be stored beyond the terms specified.
WHO MAY KNOW THE DATA?
The data will be processed by the personnel of the Data Controller authorised for the processing.
The data may be known by the consultants or the companies that provide IT provision and support services for the activities carried out on the behalf of the data controller and by consultants for litigation management purposes and for legal assistance in case of disputes that need its involvement.
As already mentioned, the data may also be known by the provider of the MailChimp service, used to manage the newsletter service.
It is hereby specified that some of the subjects stated above work as data processors and that the communication to those who work as independent data controllers is made to fulfil some legal obligations or because it is needed to comply with the obligations deriving from the contractual relationship or in the legitimate interest of the data controller, consisting in maintaining the security of the IT systems and performing the defensive activities through legal consultants.
The data subject may request from the Data Controller the list of the external subjects that perform their activity as data processors.
In any case the communication is limited only to those data categories whose transmission is necessary in order to carry out the activities and achieve the purposes pursued.
WHAT HAPPENS IF THE DATA IS NOT PROVIDED?
The provision of data is optional. However, in its absence it will not be possible to register to the newsletter service and receive the e-mails sent periodically.
WHAT ARE THE DATA SUBJECTS’ RIGHTS?
The law grants the data subjects the right to ask the data controller to access the personal data and to adjust or erase it or to restrict the processing that concerns them or to object to its processing, in addition to the right to data portability.
The data subject may assert his/her rights at any time, without formalities, by contacting the data controller at the e-mail address email@example.com
Reported below in detail are the rights recognised by the current legislation concerning personal data protection.
The right of access, i.e. the right to obtain from the data controller the confirmation that personal data that concerns him/her is being processed and in this case, to obtain access to the personal data and the following information: a) the purposes of the processing; b) the data categories in question; c) the recipients or the categories of recipients to which the personal data was or will be communicated, in particular if these are recipients from third party countries or international organisations; d) when possible, the set period of retention of the personal data or, if it is not possible, the criteria adopted to determine this period; and) the existence of the right of the data subject to ask the data controller to rectify or erase the personal data or to restrict the processing of the personal data that concerns him/her or to object to its processing; f) the right to put forward a complaint to a supervisory authority; g) if the data is not collected at the data subject’s, all the information available on its origin; h) the existence of an automated decision-making process, including profiling and, at least in these cases, significant information on the logic used, as well as the importance and the consequences that such processing has for the data subject. Should the personal data be transferred to a third country or to an international organisation, the data subject then has the right to be informed about the existence of appropriate safeguards relating to the transfer.
The right to rectification, i.e. the right to obtain from the data controller the rectification of the incorrect personal data that concerns him/her without undue delay. Considering the purposes of the processing, the data subject has the right to obtain the integration of incomplete personal data, also by providing a supplementary declaration
The right to erasure, i.e. the right to obtain from the data controller the erasure of the personal data that concerns him/her without undue delay if: a) the personal data is no longer necessary to achieve the purposes for which it was collected or otherwise processed; b) the data subject revokes the consent on which the processing is based and if there is no other legal principle for the processing; c) the data subject objects to the processing carried out as this is necessary for the execution of a task of public interest or connected to the exercise of public powers granted to the data controller or to pursue the legitimate interest and there is no legitimate prevailing reason to proceed with the processing, or objects to the processing for direct marketing purposes; d) the personal data was processed unlawfully; e) the personal data must be erased to fulfil a legal obligation under the law of the European Union or of the Member State to which the Data Controller is subject; f) the personal data was collected in relation to the supply of services of the information company to minors. However the erasure request may not be accepted if the processing is necessary: a) to exercise the right to freedom of expression and information; b) to fulfil a legal obligation that requires the processing required by the law of the European Union or of the Member State to which the Data Controller is subject or for the execution of a task performed in the public interest or in the exercise of public powers granted to the data controller; c) for reasons of public interest in the public healthcare sector; d) for archiving purposes in the public interest, in the interest of scientific or historic research or for statistical reasons, to the extent that the deletion may risks making impossible or seriously jeopardising the achievement of the objectives for such processing; or e) to ascertain, exercise or defend a right in court.
The right to restriction, i.e. the right to obtain that the data be processed, except that for retention purposes, only with the consent of the data subject to ascertain, exercise or defend a right in court or to protect the rights of another natural or legal person or for reasons of relevant public interest in the Union or another Member State if: a) the data subject challenges the accuracy of the personal data, for the period needed by the data controller to verify the accuracy of such personal data; b) the data processing is unlawful and the data subject objects to the erasure of the personal data and instead asks that its use be restricted; c) even though the data controller no longer needs it for processing purposes, the personal data is necessary for the data subject to verify, exercise or defend a right in court; d) the data subject objected to the processing carried out because it is necessary for the execution of a task of public interest or connected to the exercise of public powers granted to the data controller or to pursue the legitimate interest of the data controller or of third parties, while awaiting the check concerning the possible prevalence of the legitimate reasons of the data controller over those of the data subject.
The right to data portability, i.e. the right to receive in a structured, commonly used format that can be read by an automatic device, the personal data concerning him/her, provided to the data controller, with the right to forward such data to another data controller with no barrier by the data controller it was provided to, as well as the right to obtain the direct transmission of the personal data from one data controller to the other, if technically feasible, should the processing be based on the consent or on a contract and the processing is performed with automated means. This right is without prejudice to the right to erasure.
The right to object, i.e. the right of the data subject to object at any time, for reasons connected to his/her particular situation, to the processing of the personal data that concerns him/her, performed because it is necessary in order to execute a task of public interest or connected to the exercise of public powers granted to the data controller or to pursue the legitimate interest of the data controller or of third parties. Should the personal data be processed for direct marketing purposes, the data subject has the right to object at any time to the processing of the personal data that concerns him/her carried out for these purposes, including profiling to the extent that it is connected to this direct marketing
The data subject is then informed that, in the event he/she deems the processing of his/her personal data to be taking place in breach of GDPR provisions, he/she has the right to lodge a complaint before a supervisory authority, as provided for by art. 77 of the Regulation or to bring the issue before the competent courts (art. 79 of the Regulation).