Last update date: 07/12/2018
PRIVACY INFORMATION PURSUANT TO ART. 13 OF EU REGULATION 2016/679
Definitions
“Personal data” (as per art. 4 number 1 of the EU Regulation 2016/679): any information relating to an identified or identifiable individual («person concerned»); an identifiable person is an individual that can be identified, directly or indirectly, by particular reference to an identifier such as name, identification number, information relating to location, on-line identification data or to one or more characteristic elements of their physical, physiological, genetic, mental, financial, cultural or social identity.
“Processing”, (as per art. 4 number 2 of the EU Regulation 2016/679) means any operation or set of operations, which is performed with or without the aid of automated processes and performed upon personal data or a set of personal data, such as the collection, registration, organisation, structuring, storage, modification or adaptation, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Who is the Data Controller? And how can I contact him?
The Data Controller:
CALZAVARA S.p.A. with sole shareholder
Registered office:
Piazza Camillo Finocchiaro Aprile, 3 int. B27
00181 Roma (RM)
Ph. +39 06 700 9315
Email: info@calzavara.it
Local Unit:
Via Corecian, 60
33031 Basiliano (UD)
Ph. +39 0432 84831
Email: info@calzavara.it
1.1 Purposes in accordance with the expression of consent (Art. 6 paragraph 1 (a) of GDPR)
The Personal data may also be processed for certain purposes (for example use of company communication systems for private purposes) for which the person concerned has granted his/her consent.
a. In response to requests or questions made in order to receive information also about our services and our Company;
b. Grant access to the PDF files (datasheets and catalogues);
c. The carrying out of advertising and marketing activities, in the broadest sense of the term (for example, the sending of newsletters and information materials, brochure requests, organisation of events, etc.), via telephone, email, regular post and SMS.
The purposes as set forth under the letters a) and b) are based on the consent obtained by means of the unequivocal positive act of spontaneously supplying the information by the person concerned.
2. The categories of data that are processed
The data processed by the Data Controller is exclusively “personal data” (under Art. 4.1 of the GDPR).
In particular, the pertinent categories of personal data may be, including without limitation:
- Biographical and identification data
- Contact details
3. Recipients or categories of recipients of the personal data (under art. 13 paragraph 1 (e) of the GDPR)
Within the above-mentioned purposes, the Data Controller may communicate your data:
- to companies that are responsible for the processing and the sending of material and communications relating to the past or present relationship with the person concerned;
- to companies and professional operators who provide computing services, including electronic data processing, software management and information technology consulting;
- to professional advertising and mailing companies, including companies that offer enveloping and shipment services for materials and communications as specified above.
4 Conservation period of the data.
4.1 With reference to section 1.1
The personal data may also be processed for purposes for which the person concerned expressed his/her consent.
- For the purposes a), until his/her request has been fulfilled;
- For the purposes b), as long as the user remains registered;
- For the purposes c), not longer than 24 months from when consent was obtained;
Rights of the person concerned (art. 13 paragraph 2 (c) of the GDPR)
The person concerned may revoke his/her consent at any time and it will be effective from the moment of revocation, without prejudice to the time limits set by law. In general terms, the revocation of consent shall take effect only for the future. The processing that was carried out prior to the revocation of the consent will not be altered by this and thus remains lawful.
Once the data is no longer necessary in order to fulfil the obligations as to which refers the section “consent”, the data will be erased, should it however not be possible to erase the data or possible only following a disproportionate effort due to a specific conservation method, the data cannot be processed and shall be archived in a non-accessible area.
5. Rights of the person concerned
The person concerned, in relation to the personal data object of this privacy statement, may exercise the rights as described in the EU Regulation, which are reported below:
- right to access of the person concerned [art. 15 of the EU Regulation] (which consists in the possibility to be informed about the processing carried out on his/her personal data and to receive a copy of it);
- right to rectification of the personal data [art. 16 of the EU Regulation] (the person concerned has the right to rectify incorrect personal data relating to him/her);
- right to erasure of the personal data without undue delay (“Right to be forgotten”) [art. 17 of the EU Regulation] (the person concerned has, and shall have, right to cancellation of his/her own data);
- right to limitation of processing of the personal data in the cases established by art. 18 of the EU Regulation including in case of unlawful data processing or complaint regarding the accuracy of the personal data by the person concerned [art. 18 of the EU Regulation];
- right to data portability [art. 20 of the EU Regulation], (the person concerned may request his/her personal data in a structured format so that it may be transmitted to another Data Controller, in the cases established by the same article);
- right to object to the processing of the personal data [art. 21 of the EU Regulation] (the person concerned has, and shall have, the right to object to the processing of the personal data concerning him/her in the cases established and regulated by art. 21 of the EU Regulation);
- right not to be subject to automated decision-making processes [art. 22 of the EU Regulation] (the person concerned has, and shall have, the right to not be subject to a decision based purely on automated processing).
The above-mentioned rights may be exercised in accordance with what has been established by the EU Regulation by sending an email to privacy@calzavara.it
Calzavara S.p.A., pursuant to art. 19 of the EU Regulation, will proceed to informing the recipients to whom the personal data was communicated of any rectification, cancellation or limitation requested of the processing, where this is possible.
When the processing purposes pursued by Calzavara S.p.A. have consent as their legal basis, the person concerned may proceed, at any time, to revocation by sending an email to privacy@calzavara.it. In accordance with art. 7 of the EU Regulation the revocation of consent does not affect the lawfulness of the processing based on the consent given before the revocation.
Exercise of the rights of the person concerned
The person concerned, in relation to the personal data object of this privacy statement, may exercise the rights as described in the EU Regulation, which are reported below:
- right to access of the person concerned [art. 15 of the EU Regulation]: the person concerned has the right to obtain confirmation from the Data Controller whether any such personal data is being processed and, in this case, to access the information expressly envisioned by the mentioned article, including without limitation the processing purposes, the category of the data and recipients, the conservation period, the existence of the right to erasure, rectification or limitation, the right to lodge a complaint, all information available regarding the origin of the data, the existence of an automated decisional process in accordance with art. 22 of the Regulation, as well as a copy of such personal data.
- right to rectification [art. 16 of the EU Regulation]: the person concerned has the right to obtain rectification and/or integration of the inaccurate personal data which concern him by the Data Controller, without undue delay;
- right to cancellation (“right to be forgotten”) [art. 17 of the EU Regulation]: the person concerned has the right to erasure of the personal data relating to him/her without undue delay, if one of the grounds expressly provided for in the aforementioned article, including without limitation the lack of necessity of the processing with respect to the purposes, the revocation of the consent on which the processing is based, objection to the processing in case it is based on a legitimate interest that does not prevail, unlawful use of the data, cancellation required under law, data of minors processed in absence of the conditions for applicability provided for by art. 8 of the Regulation;
- right to limitation of the processing [art. 18 of the EU Regulation]: in the cases established by art. 18, including unlawful processing, complaint regarding the accuracy of such data, objection by the person concerned and the lack of necessity of the processing by the Data Controller, the data of the person concerned shall only be processed for conservation subject to his consent and the other cases expressly established by the mentioned article;
- right to the portability of the data [art. 20 of the EU Regulation]: the person concerned, in case the processing is based on consent or on a contract and carried out by automated means, may request to receive his/her personal data in structured format, commonly used and readable on an automatic device, and has the right to transmit them to another Data Controller;
- right to object [art. 21 of the EU Regulation]: the person concerned has the right to object to the processing of this personal data, in case the processing is based on a legitimate interest that does not prevail or is carried out for direct marketing purposes;
- right not to be subject to automated decision-making processes [art. 22 of EU Regulation]: the person concerned has the right to not be subject to a decision, including profiling, based merely on automated processing (for example carried out exclusively by electronic instruments or computer programs).
The aforementioned description does not replace the text of the articles mentioned to which are referred in full and the full text of the EU regulation can be read at the link below or at the following link.
6. Right to lodge a complaint (art. 13 paragraph 2 (d) of the GDPR)
The person concerned, should he/she feel that his/her rights have been compromised, has the right to lodge a complaint to the Italian Data Protection Authority. For additional information relating to the rights and exercising these, please refer to http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4535524 or send a written communication to the Italian Data Protection Authority (Autorità Garante per la Protezione dei Dati Personali), Piazza Monte Citorio n. 121, 00186 Rome.
7. Possible consequence of a failure to communicate the data (art. 13 paragraph 2 (e) of the GDPR)
Please note that in case the processing purposes have a legal or contractual obligation (or pre-contractual) as legal basis, the person concerned must provide the requested data.
It this is not the case, it will be impossible for the Data Controller to proceed with the pursuit of the specific purposes of the processing.
8. Existence of an automated decisional process (including profiling)
Currently the use of purely automated decisional processes as mentioned in detail by article 22 of the GDPR is excluded. Should it in the future be decided to establish such processes for single cases, the person concerned will receive a separate notification in case this is envisioned by law or an update of this privacy statement.
9. Methods of processing
The personal data will be processed in paper, electronic and telematic form and included in the relevant databases (potential clients, clients, users, etc.) which may be accessed by, and thus they may gain knowledge of them, the staff expressly designated by the Data Controller such as Controllers or Subjects authorised to process personal data, who may consult, use, elaborate, compare or carry out any other activity, also automated, in compliance with the applicable legal provisions to guarantee, amongst others, the confidentiality and the safety of the data as well as their accuracy, their updating and the relevance of the data for the purposes declared.
10. Right to lodge a complaint (art. 13 paragraph 2 (d) of the GDPR)
The person concerned, should he/she feel that his/her rights have been compromised, has the right to lodge a complaint to the Italian Data Protection Authority, according to the methods indicated by this Authority at the following Internet address http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4535524 or by sending a written communication to the Italian Data Protection Authority, Piazza Monte Citorio n. 121, 00186 Rome.
11. Possible consequence of a failure to communicate the data (art. 13 paragraph 2 (e) of the GDPR)
Please note that in case the processing purposes have a legal or contractual obligation (or pre-contractual) as legal basis, the person concerned must provide the requested data.
It this is not the case, it will be impossible for the Data Controller to proceed with the pursuit of the specific purposes of the processing.
12. Existence of an automated decisional process (including profiling)
Currently the use of purely automated decisional processes as mentioned in detail by article 22 of the GDPR is excluded. Should it in the future be decided to establish such processes for single cases, the person concerned will receive a separate notification in case this is envisioned by law or an update of this privacy statement.
13. Methods of processing
The personal data will be processed in paper, electronic and telematic form and included in the relevant databases which may be accessed by, and thus they may gain knowledge of them, the staff expressly designated by the Data Controller such as Controllers or Subjects authorised to process personal data, who may consult, use, elaborate, compare or carry out any other activity, also automated, in compliance with the applicable legal provisions to guarantee, amongst others, the confidentiality and the safety of the data as well as their accuracy, their updating and the relevance of the data for the purposes declared.
Data processing for navigation purposes
The computer systems and the software procedures used to operate this website acquire, during the normal course of operation, some personal data whose transmission is implicit in the use of communication protocols of the Internet.
It concerns information that is not collected in order to be associated to identifiable concerned parties, but which could due to their nature allow identification of the users through elaboration and association with data held by third parties.
Amongst the information gathered there are IP addresses, type of browser or operating system used, URI addresses (uniform resource identifier), domain name and the addresses of the websites from which the access or exit was done (referring/exit pages), the time in which the request was made to the server, the method used and information relating to the reply received, additional information on the user’s site navigation (please also refer to the section on cookies) and other parameters relating to the user’s operating system and information system environment.
This data could also be used to identify and establish responsibility in the event of computer crimes to the detriment of the site.
Use of cookies
The following information is supplied to the user in implementation of the provision of the Data Protection Supervisor of 8 May 2014 “Identification of the simplified procedures for the disclosure of information and the acquisition of consent for the use of cookies”.
What are cookies?
Cookies are small text strings which a website may send, while browsing, to your device (whether this is a PC, a notebook, a smart phone or tablet, they are normally stored in the browser used during navigation). The same website that sent them, can then read and register the cookies which are located on the same device to obtain various types of information. Which type? Every cookies has a well-defined role.
How many cookies are there?
There are two basic macro-categories, with different characteristics: technical cookies and profiling cookies.
Technical cookies are generally necessary for the correct functioning of the website and to allow navigation; without these, you might not be able to view the pages correctly or use certain services. For example, a technical cookies is essential in order for the user to remain connected during the entire visit to a website, or to memorise language, viewing settings and so on. Technical cookies can be further divided in:
- navigation cookies, which guarantee normal navigation and use of the website (allowing, for example, to make a purchase or to authenticate for access restricted areas);
- cookie analytics, similar to technical cookies but only as far as they are used directly by the administrator of the website to collect information, in aggregate form, regarding the number of users and how they visit the same site;
- functionality cookies, which allow the user to navigate on the basis of a set of selected criteria (for example, language, the products selected for purchase) in order to improve the service offered.
Profiling cookies are more sophisticated. These cookies are responsible for profiling the user and are used in order to send advertising messages reflecting the preferences expressed by the user during navigation. Cookies can also be classified as:
- session cookies, which are erased immediately after closing the web browser;
- persistent cookies, which – unlike the session cookies – remain inside the browser for a certain amount of time. These are used, for example, to recognise the device which connects to the site allowing for easier authentication of the user;
- first part cookies, i.e. cookies generated and managed directly by the manager of the website which the user is visiting;
- third part cookies, which are generated and managed by parties other than the administrator of the website which the user is visiting (usually pursuant to an agreement between the manager of the website and the third party).
Which cookies are used by the website Calzavara S.p.A.?
The website www.calzavara.it uses two types of cookies:
- session cookies for authentication (PDF download, acceptance of cookies, management of the browsing sessions)
- tracking cookies (Google Analytics).
SESSION COOKIES (INDISPENSABLE FOR THE MANAGEMENT OF THE WEBSITE AND FOR ACCESS TO CONFIDENTIAL FILES)
The website www.calzavara.it uses HTTP cookies to manage the download of PDF documents. The use of session cookies (which are not permanently stored on the user’s computer and are removed when the browser is closed) is strictly limited to the transmission of session identification data necessary to allow a safe exploration of the website.
Name | Type | Duration | Function |
PHPSESSID | Session cookie | Expires at the end of the session | Stores the user’s session |
_icl_current_language | Session cookie | Expires at the end of the session | Stores the user’s language |
_icl_visitor_lang_js | Session cookie | Expires at the end of the session | Stores the language redirection |
wpml_browser_redirect_test | Session cookie | Expires at the end of the session | Check if cookies are enabled |
wpml_referer_url | Session cookie | Expires at the end of the session | Stores the last requested URL |
DownloadPDF | Persistent cookie | 1 year | It stores the user data to enable the user for future downloads without registration |
TRACKING COOKIES
Tracking cookies can be disabled without any consequences for the site navigation. The website www.calzavara.it uses Google Analytics by Google, Inc. (hereinafter “Google”) to generate statistics regarding the use of the web portal; Google Analytics uses cookies (not third party) that do not memorise personal data. The information obtainable from the cookies relating to the use of the website by users (including IP addresses) will be transmitted by the user’s browser to Google, with office at 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States, and stored on the company’s server.
According to the terms of service in use, Google will use this information, acting as autonomous data controller, in order to trace and examine the use of the website, draw up reports on the site activity for use by the website operators and provide other services connected to the activity of the website, to the method of connecting (mobile, PC, browser used etc.), to the search mode and how the pages of the portal are reached. Google may also transfer this information to third parties where required to do so by law or where third parties process the aforementioned information on behalf of Google. Google will not associate IP addresses to any other data in Google’s possession. To consult Google’s privacy statement, relating to the Google Anayltics service, please refer to the following website http://www.google.com/intl/en/analytics/privacyoverview.html. To learn more about Google’s privacy policy, please visit the website http://www.google.com/intl/it/privacy/privacy-policy.html.
Name | Type | Duration | Function |
_ga | Tracking cookie | 2 years | It stores the user data for the generation of statistics on the use of the website |
THIRD PARTY COOKIES
The website www.calzavara.it uses services managed by other organisations (third parties). An example is the presence of social plugin (Linkedin, Facebook, Twitter, etc). The most common use of the social plugin is aimed at sharing content through social networks. The presence of these plugins involves the transmission of cookies from and to all websites managed by third parties. The management of the gathered information by “third parties” is governed by the pertaining information notices to which you are requested to refer.
In order to guarantee greater transparency and comfort, below you will find a list with web addresses with their various information notices and how they manage cookies.
- Linkedin cookie policy: https://www.linkedin.com/legal/cookie-policy
- Linkedin (configuration): https://www.linkedin.com/settings/
- Twitter cookie policy: https://support.twitter.com/articles/20170514
- Twitter (configuration): https://twitter.com/settings/security
- Facebook cookie policy: https://www.facebook.com/help/cookies/
- Facebook (configuration): accedere al proprio account. Sezione privacy.
Disabling cookies
It is possible to deny consent for the use of cookies by selecting the appropriate setting in your own browser: it will nevertheless be possible to normally use the website www.calzavara.it. Below you will find links explaining how to disable cookies for the most popular browsers:
- Google Chrome: https://support.google.com/chrome/bin/answer.py?hl=it-IT&answer=95647&p=cpn_cookies
- Mozilla Firefox: http://support.mozilla.org/it/kb/Bloccare%20i%20cookie?redirectlocale=en-US&redirectslug=Blocking+cookies
- Apple Safari: http://www.apple.com/it/privacy/use-of-cookies/
Check your cookies
It is possible to view behavioural cookies present in your browser to track activity by visiting the following address:
http://www.youronlinechoices.com/uk/
Notice regarding minors of under 14 years
The minors of under 14 years cannot provide personal data. Calzavara S.p.A. shall not be responsible in any way for the collection of personal data or false declarations supplied by the minor and in the event that use of these were to be identified, Calzavara S.p.A. shall facilitate the right of access and of erasure forwarded by the legal guardian or whoever holds parental responsibility.
Exercise of the rights of the person concerned
The person concerned, in relation to the personal data object of this privacy statement, may exercise the rights as described in the EU Regulation, which are reported below:
- right to access of the person concerned [art. 15 of the EU Regulation]: the person concerned has the right to obtain confirmation from the Data Controller whether any such personal data is being processed and, in this case, to access the information expressly envisioned by the mentioned article, including without limitation the processing purposes, the category of the data and recipients, the conservation period, the existence of the right to erasure, rectification or limitation, the right to lodge a complaint, all information available regarding the origin of the data, the existence of an automated decisional process in accordance with art. 22 of the Regulation, as well as a copy of such personal data.
- right to rectification [art. 16 of the EU Regulation]: the person concerned has the right to obtain rectification and/or integration of the inaccurate personal data relating to him/her by the Data Controller, without undue delay;
- right to cancellation (“right to be forgotten”) [art. 17 of the EU Regulation]: : the person concerned has the right to erasure of the personal data relating to him/her without undue delay, if one of the grounds expressly provided for in the aforementioned article, including without limitation the lack of necessity of the processing with respect to the purposes, the revocation of the consent on which the processing is based, objection to the processing in case it is based on a legitimate interest that does not prevail, unlawful use of the data, cancellation required under law, data of minors processed in absence of the conditions for applicability provided for by art. 8 of the Regulation;
- right to limitation of the processing [art. 18 of the EU Regulation]: in the cases established by art. 18, including unlawful processing, complaint regarding the accuracy of such data, objection by the person concerned and the lack of necessity of the processing by the Data Controller, the data of the person concerned shall only be processed for conservation subject to his/her consent and the other cases expressly established by the mentioned article;
- right to the portability of the data [art. 20 of the EU Regulation]: the person concerned, in case the processing is based on consent or on a contract and carried out by automated means, may request to receive his/her personal data in a structured format, commonly used and readable on an automatic device, and has the right to transmit them to another Data Controller;
- right to object [art. 21 of the EU Regulation]: the person concerned has the right to object to the processing of this personal data, in case the processing is based on a legitimate interest that does not prevail or is carried out for direct marketing purposes;
- right not to be subject to automated decision-making processes [art. 22 of EU Regulation]: the person concerned has the right to not be subject to a decision, including profiling, based merely on automated processing (for example carried out exclusively by electronic instruments or computer programs).
The aforementioned description does not replace the text of the articles mentioned therein to which are referred in full and the full text of the EU regulation can be read at the following link
Right to lodge a complaint
The person concerned, should he/she feel that his/her rights have been compromised, has the right to lodge a complaint to the Italian Data Protection Authority, according to what is specified by mentioned Authority at the following Internet address:
http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4535524.
For more detailed information regarding the rights of the persons concerned set out by the Guarantor, please refer to the following link.
Amendments and updates
This privacy statement shows the last update date in its header.
Calzavara S.p.A. may also make amendments and/or integrations to mentioned privacy policy also as a consequence of possible subsequent legislative amendments and/or integrations.
Regulatory references relating to the rights of the person concerned
Article 15
Right to access of the person concerned
1. The person concerned has the right to obtain confirmation from the Data Controller whether any such personal data is being processed and, in this case, to access the personal data and the following information:
a) the processing purposes;
b) the categories of the personal data in question;
c) the recipients or the categories of recipients to who the personal data have been or shall be communicated, especially if recipients of third counties or international organisations;
d) if possible, the planned conservation period of the personal data or, if this is not possible, the criteria used to determine such a period;
e) the existence of the right of the person concerned to request the Data Controller to rectify or erase personal data or to limit the processing of the personal data that concern him/her or to object to their processing;
f) the right to lodge a complaint to supervisory authorities;
g) in the event the data was not collected from the person concerned, all information available relating to their origin;
h) the existence of an automated decisional process, including profiling as set forth in article 22, paragraphs 1 and 4 and, at least in these cases, significant information relating to the logic used, as well as the importance and the consequences of such processing for the person concerned.
2. In the event the personal data is transferred to a third country or to an international organisation, the person concerned has the right to be informed of the existence of adequate guarantees pursuant to article 46 on transfer.
3. The Data Controller shall supply a copy of the processed personal data. In case the person concerned requests additional copies, the Data Controller may charge a reasonable fee based on administrative costs. If the person concerned presents the request via electronic means, and unless stated otherwise by the person concerned, the information shall be supplied in a commonly used electronic format.
4. The right to obtain a copy as laid down in paragraph 3 shall not affect the rights and freedoms of others.
Article 16
Right to rectification
The person concerned has the right to obtain rectification and/or integration of the inaccurate personal data relating to him/her by the Data Controller, without undue delay. Bearing in mind the purpose of the processing, the person concerned has the right to obtain integration of incomplete personal data, also by supplying a supplementary statement.
Article 17
Right to cancellation («right to be forgotten»)
1. The person concerned has the right to obtain erasure of the personal data relating to him/her by the Data Controller without undue delay and the Data Controller has the obligation to erase the personal data without undue delay, if one of the following grounds exists:
a) the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
b) the person concerned revokes the consent on which the processing is based in compliance with article 6, paragraph 1, letter a), or with article 9, paragraph 2 letter a), and if there is no other legal ground for the processing;
c) the person concerned objects to the processing in accordance with article 21, paragraph 1 and there is no legitimate ground that prevails to proceed to processing, or objects to the processing in accordance with article 21, paragraph 2;
d) the personal data has been processed unlawfully;
e) the personal data needs to be erased in order to fulfil a legal obligation established by the EU law or a Member State to which the Data Controller is subject;
f) the personal data is collected with regard to the offering of information society services referred to in article 8, paragraph 1.
2. The Data Controller, in the event he has made the personal data public and is obliged, pursuant to paragraph 1, to erase them, bearing in mind the available technology and the costs for the implementation, will adopt reasonable measures, also technical to inform the Data Controllers that they are processing the personal data on request of the person concerned to erase all links, copies or reproduction of his/her personal data.
3. Paragraphs 1 and 2 shall not apply to the extent in which the processing is necessary:
a) to exercise the right to the freedom of expression and information;
b) to fulfil a legal obligation which requires the processing established by the EU law or a Member State to which the Data Controller is subject or to carry out work in the public interest or in the exercise of official authority vested in the Data Controller;
c) for reasons of public interest in the public health pursuant to article 9, paragraph 2, letters h) and i) and of article 9, paragraph 3;
d) for public archiving, scientific or historic research purposes, or for statistic purposes in accordance with article 89, paragraph 1 to the extent in which the right under paragraph 1 may make it impossible or seriously affect the pursuit of the objectives of such processing; or
e) for the determination, execution or defence of a right before a court.
Article 18
Right to limitation of the processing
1. The person concerned has the right to obtain the limitation of the processing from the Data Controller in one of the following assumptions:
a) the person concerned disputes the accuracy of the personal data, for the time required for the data controller to verify the accuracy of such personal data;
b) the processing is unlawful and the person concerned objects to the erasure of the personal data but rather requests that the use of them is limited;
c) even though the data controller does not require them any more for processing purposes, the personal data is necessary for the person concerned in order to determine, exercise or defend a right before a court;
d) the person concerned has objected to the processing in accordance with article 21, paragraph 1 pending verification in relation to the prevalence of the legitimate grounds of the Data Controller with respect to those of the person concerned.
2. If the processing is limited in accordance with paragraph 1, such personal data is processed, with the exception of storage, only with the consent of the person concerned or in order to determine, exercise or defend a right before a court or to protect the rights of another natural or legal person or for reasons of relevant public interest of the EU law or a Member State.
3. The person concerned who has obtained the limitation of the processing in accordance with paragraph 1 is informed by the Data Controller before such limitation is revoked.
Article 19
Obligation to notify in case of rectification or cancellation of the personal data or limitation of processing
The Data Controller shall communicate all rectifications or cancellations or limitations of the processing to each of the recipients to whom the personal data has been transmitted in accordance with article 16, article 17, paragraph 1 and of article 18, unless this proves impossible or requires a disproportionate effort. The Data Controller shall communicate such recipients to the person concerned should the person concerned so request.
Article 20
Right to the portability of the data
1. The person concerned has the right to receive the personal data relating to him/her in a structured format, commonly used and readable on an automatic device, supplied to a Data Controller and has the right to transmit such data to another Data Controller without hindrance from the Data Controller to which he/she supplied them if:
a) the processing is based on the consent in accordance with article 6, paragraph 1, letter a), or with article 9, paragraph 2, letter a), or on a contract in accordance with article 6, paragraph 1, letter b): and
b) the processing is carried out with automated means.
2. In exercising his/her rights relating to the portability of the data in accordance with paragraph 1, the person concerned has the right to obtain the direct transmission of the personal data by one Data Controller to another, if technically feasible.
3. The exercise of the right to which refers paragraph 1 of this article does not affect article 17. Such a right does not apply to the processing necessary for the performance of a task in the public interest or in the exercise of official authority vested in the Data Controller.
4. The right referred to in paragraph 1 shall not affect the rights or the freedoms of others.
Article 21
Right to object
1. The person concerned has the right to object, at any time, for reasons relating to his/her particular situation, to the processing of the personal data relating to him/her in accordance with article 6, paragraph 1, letters e) and f), including profiling on the the basis of these provisions, the Data Controller shall abstain from further processing the personal data unless he demonstrates that there are relevant legitimate grounds to proceed to the processing which prevail on the interests, on the rights and on the freedoms of the person concerned or to determine, exercise or defend a right before a court.
2. In the event the personal data is processed for direct marketing purposes, the person concerned has the right to object at any time to the processing of the personal data relating to him/her for such marketing, including profiling to the extent in which it is connected to the direct marketing.
3. In the event the person concerned should object to the processing for direct marketing purposes, the personal data is no longer subject to the processing for those purposes.
4. The right referred to in paragraphs 1 and 2 is explicitly brought to the attention of the person concerned and is clearly and separately presented from any other information, at the latest at the time of the first communication with the person concerned.
5. In the context of the information society services and without prejudice to Directive 2002/58/EC, the person concerned may exercise his/her right to object by automated means which use technical specifications.
6. In the event that the personal data is processed for scientific or historic research purposes or for statistic purposes in accordance with article 89, paragraph 1, the person concerned, for reasons connected to his/her particular situation, has the right to object to the processing of the personal data relating to him/her, unless the processing is necessary in order to carry out a task of public interest.
Article 22
Automated decisional process relating to natural persons, including profiling
1. The person concerned has the right to not be subjected to a decision based merely on automated processing, including profiling, which produces legal effects concerning him/her or which affects this natural person significantly in the same way.
2. Paragraph 1 does not apply in the event in which the decision:
a) is necessary for the conclusion or the performance of a contract between the person concerned and the Data Controller;
b) is authorised by the EU law or of a member State to which the Data Controller is subject, which also specifies adequate measures for the protection of the rights, of the freedoms and of the legitimate interests of the person concerned;
c) is based on the explicit consent of the person concerned.
3. In the cases referred to under paragraph 2, letters a) and c), the Data Controller shall implement appropriate measures to protect the rights, the freedoms and the legitimate interests of the person concerned, at least the right to obtain human intervention by the Data Controller, to express his/her own opinion and to contest the decision.
4. The decisions referred to under paragraph 2 are not based on the particular categories of personal data as laid down in article 9, paragraph 1, unless article 9, paragraph 2, letters a) or g) are applicable and there are no adequate measures in force to protect the rights, the freedoms and the legitimate interests of the person concerned.