SH.ITALIA in its capacity as data controller states that the personal data are regarding the contract / task or for the interests envisaged by the agreement. 5 of EU Regulation 679/2016, in a lawful manner, according to the principles of suitability, adequacy, confidentiality and protection established by the Regulation. Further information on the rights of the data subject and the methods for keeping personal data are considered in the information referred to in Articles 13 and 14 of EU Regulation 679/2016 delivered to each interested party and in the treatment registers distinguishing data type, risk analysis and preventive measures taken. The data controller assumes all responsibility for the aforementioned principles, the contents and the requirements of the European Regulation for the protection of personal data and for the keeping and management of such data.
The European Regulation n. 679/2016 GDPR, applicable in all Member States, recognizes to each person the protection of their personal data that are subject to treatment by third parties, as an expression of respect for human dignity and fundamental human rights and freedoms. The subject of the processing of personal data has, however, a series of rights that can be exercised against the owner or manager who holds your personal data, regulated by Articles 15 and following of the European Regulation, detailed below and made available to the interested party upon request. Therefore, according to the provisions of the European and internal standards in force, we provide you with the following detailed information about your rights:
1. Right of access of the interested party (Article 15 GDPR)
The data subject has the right to obtain from the data controller confirmation that the processing of personal data concerning him or her is in progress and, in this case, to obtain access to personal data and the following information:
- a) the purposes of the processing;
- b) the categories of personal data in question;
- c) the recipients or categories of recipients to whom the personal data have been or will be communicated, in particular if recipients of third countries or international organizations;
- d) whenever possible, the retention period of the personal data provided or, if not possible, the criteria used to determine this period;
- e) the existence of the right of the data subject to request the data controller to rectify or delete personal data or limit the processing of personal data concerning him / her or to oppose their processing;
- f) the right to lodge a complaint with a supervisory authority;
- g) if the data are not collected from the data subject, all information available on their origin;
- h) the existence of an automated decision-making process, including the profiling referred to in Article 22 (1) and (4) and, at least in such cases, significant information on the logic used, as well as the importance and the expected consequences of such processing for the interested party.
If personal data are transferred to a third country or to an international organization, the data subject has the right to be informed of the existence of adequate safeguards pursuant to Article 46 relating to the transfer. The data subject is also entitled to obtain a copy of the personal data being processed, provided that the request does not affect the rights and freedoms of others.
2. Right to rectify personal data (Article 16 GDPR)
The data subject has the right to obtain from the data controller the correction of inaccurate personal data concerning him without undue delay. Taking into account the purposes of the processing, the data subject has the right to obtain the integration of incomplete personal data, also by providing an additional declaration.
3. Right to cancellation ("right to be forgotten") (Article 17 GDPR)
The data subject has the right to obtain from the data controller the deletion of personal data concerning him without undue delay and the data controller is obliged to cancel the personal data without undue delay if one of the following reasons exists:
- a) personal data are no longer necessary with respect to the purposes for which they were collected or otherwise processed;
- b) the interested party revokes the consent on which the treatment is based in accordance with Article 6 (1) (a) or Article 9 (2) (a) GDPR and if no other legal basis exists for processing;
- c) the party opposes the processing under Article 21 (1) GDPR, and there is no legitimate overriding reason to proceed with the processing, or opposes the processing under Article 21 (2) GDPR;
- d) personal data have been processed unlawfully;
- e) personal data must be deleted to fulfill a legal obligation under Union or Member State law to which the controller is subject;
- f) the personal data have been collected with regard to the information society service offer referred to in Article 8 (1) of the GDPR.
The data controller, if he has made public personal data and is obliged, pursuant to paragraph 1, to delete them, taking into account the available technology and implementation costs, takes reasonable steps, including technical ones, to inform the owners of the processing who are processing the personal data of the request of the person concerned to delete any link, copy or reproduction of his personal data. Paragraphs 1 and 2 do not apply to the extent that treatment is necessary:
- a) to exercise the right to freedom of expression and information;
- b) for the fulfillment of a legal obligation requiring treatment under Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of public authority with which the data controller is invested;
- c) for reasons of public interest in the field of public health pursuant to Article 9 (2) (h) and (i) and Article 9 (3) of the GDPR;
- d) for the purposes of archiving in the public interest, for scientific or historical research or for statistical purposes in accordance with Article 89 (1), insofar as the right referred to in paragraph 1 risks rendering impossible or seriously affecting the achievement of the objectives of this treatment;
- e) for the assessment, exercise or defense of a right in court.
4. Right to limitation of processing (Article 18 GDPR)
The data subject has the right to obtain from the data controller the limitation of processing when one of the following hypotheses occurs:
- a) the interested party disputes the accuracy of personal data, for the period necessary for the data controller to verify the accuracy of such personal data;
- b) the processing is illegal and the interested party opposes the cancellation of personal data and asks instead that its use is limited;
- c) although the data controller no longer needs it for processing purposes, personal data are necessary for the data subject to ascertain, exercise or defend a right in court;
- d) the data subject has objected to the processing pursuant to Article 21 (1) pending verification of the possible prevalence of the legitimate reasons of the data controller with respect to those of the data subject.
If the processing is limited in accordance with paragraph 1, such personal data shall be processed, except for storage, only with the consent of the data subject or for the establishment, exercise or defense of a right in court or to protect the rights of another natural or legal person or for reasons of the public interest of the Union or of a Member State. The data subject who has obtained the limitation of processing pursuant to paragraph 1 shall be informed by the controller before the limitation is revoked.
5. Obligation to notify in case of rectification or cancellation of personal data or limitation of processing (Article 19 GDPR)
The controller shall inform each of the recipients to whom the personal data have been transmitted of any correction or cancellation or limitation of the processing carried out in accordance with Article 16, Article 17 (1) and Article 18, unless this proves impossible or involves a disproportionate effort. The data controller informs the data subject of these recipients if the data subject requests it.
6. Right to data portability (Article 20 GDPR)
The data subject has the right to receive, in a structured, commonly used and automatically readable form, the personal data concerning him / her provided to a data controller and has the right to transmit such data to another data controller without impediments on the part of the data controller to whom he has provided them if:
- a) the processing is based on consent pursuant to Article 6 (1) (a) or Article 9 (2) (a) or on a contract within the meaning of Article 6 (2) 1, letter b);
- b) the treatment is carried out by automated means.
In exercising its rights to data portability pursuant to paragraph 1, the data subject shall have the right to obtain direct transmission of personal data from one controller to another, if technically feasible. The right referred to in paragraph 1 must not affect the rights and freedoms of others.
7. Right to object (Article 21 GDPR)
You have the right to object at any time, for reasons connected with your particular situation, to the processing of your personal data pursuant to Article 6, paragraph 1, letters e) or f), including profiling on the basis of these provisions. The data controller refrains from further processing personal data unless he demonstrates the existence of binding legitimate reasons to proceed with the processing that prevail over the interests, rights and freedoms of the data subject or for the assessment, exercise or the defense of a right in court. If personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning him / her for such purposes, including profiling in so far as it is related to such direct marketing. If the data subject objects to processing for direct marketing purposes, personal data are no longer processed for these purposes. The right referred to in paragraphs 1 and 2 is explicitly brought to the attention of the data subject and is presented clearly and separately from any other information at the latest at the time of the first communication with the data subject. In the context of the use of information society services and without prejudice to Directive 2002/58/EC, data subjects may exercise their right to object by automated means using technical specifications. Where personal data are processed for the purposes of scientific or historical research or for statistical purposes in accordance with Article 89 (1), the data subject shall have the right to object to the processing of personal data concerning him for reasons connected with his particular situation, unless the processing is necessary for the performance of a task in the public interest.
8. Automated decision-making process concerning natural persons, including profiling (Article 22 GDPR)
1. The data subject shall have the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects affecting him or which significantly affects his person in a similar manner.
2. Paragraph 1 does not apply in the event that the decision:
- a) is necessary for the conclusion or execution of a contract between the data subject and a data controller;
- b) is authorized by the law of the Union or of the Member State to which the controller is subject, which also specifies appropriate measures to protect the rights, freedoms and legitimate interests of the data subject;
- c) is based on the explicit consent of the interested party.
3. In the cases referred to in paragraph 2 (a) and (c), the controller shall implement appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, at least the right to obtain human intervention from the controller, to express its opinion and contest the decision.
4. The decisions referred to in paragraph 2 shall not be based on the particular categories of personal data referred to in Article 9 (1), unless Article 9 (2) (a) and (g) apply and adequate measures to protect the rights, freedoms and legitimate interests of the data subject are in force.