In accordance with current legislation (Article 13 of the General Data Protection Regulation, hereinafter also referred to as “GDPR”), Altaroma S.c.p.a., in the person of its legal representative pro tempore (hereinafter also referred to as the “Company” or “data controller”), provides users of the website www.digitalrunway.altaroma.it with information on the processing of their data.
OWNER AND DATA CONTROLLER
The Owner and Data Controller is Altaroma S.c.p.a., with registered office in Via dell’Umiltà no. 48, 00187 Rome, VAT no. IT05518911002. The Company can be contacted by email at the following address: firstname.lastname@example.org.
HOW TO CONTACT THE DATA PROTECTION OFFICER
The Owner and Data Controller has appointed the Data Protection Officer, who can be contacted at the following address: email@example.com.
TYPES OF DATA PROCESSED
The data processed are browsing data and data provided spontaneously by the user.
Data provided directly by the user
This category includes all personal data provided voluntarily by the user (for example, when requesting information by calling the numbers indicated on the website or when writing to the e-mail addresses indicated on the website).
The computer systems and software procedures used to operate this website acquire, during their normal operation, some personal data whose transfer is implicit in the use of Internet communication protocols.
This information is not collected to be associated with identified data subjects, but by its very nature, if processed and associated with data held by third parties, it could make it possible to identify users.
This category of data includes IP addresses or domain names of the computers used by the users who connect to the website, URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file received in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the operating system and computer environment of the user.
Information acquired through cookies and other tracking systems
PURPOSES AND LEGAL BASIS OF PROCESSING
Data provided directly by the user: purposes and legal basis
The personal data provided voluntarily by the user by contacting the data controller are used only to process any requests made and to use the services offered through the website.
The legal basis for the processing of these data is the execution of pre-contractual measures and of the obligations arising from the contract.
If necessary, the data may also be used in the legitimate interest of the controller for the establishment, exercise or defence of legal claims.
Browsing data: purposes and legal basis
The browsing data are used to obtain statistical information on the use of the website, for security purposes and to check its correct functioning. They could also be used to ascertain responsibility in the event of any computer crimes committed to the detriment of the website.
The legal basis for the processing of these data is the legitimate interest of the data controller and, in the case of requests by the Authorities, statutory obligations.
Information acquired through cookies and other tracking systems
The legal basis for non-technical cookies is consent, which may be revoked at any time.
PROCESSING OF DATA
The data collected are processed through computer systems that guarantee adequate security measures to prevent loss, illicit or improper use of and unauthorized access to data, and only to a limited extent in paper form.
Transfer of data abroad
The website is hosted within the European Union and no data is transferred outside the EU.
Some services integrated in the website are provided by American companies and they involve a transfer of data abroad. This transfer of data takes place with the guarantees offered by standard contractual clauses.
Data storage period
The data provided directly by the data subject shall be stored for the time strictly necessary to meet requests. After this storage period, the data shall be erased, without prejudice to the controller’s rights regarding the establishment, exercise or defence of legal claims (in which case it may be necessary to store data for a longer period).
The browsing data of users accessing the website are acquired and stored by the hosting provider whose services are used by the data controller in accordance with legal obligations.
With regard to the storage of data of registered Users, please refer to the User Privacy Notice that can be accessed through a specific link on the website.
WHAT HAPPENS IF NO DATA ARE PROVIDED?
With the exception of browsing data necessary to implement electronic and IT protocols, the provision of data by users through the various available methods is free and optional. However, any refusal to provide the data will make it impossible to respond to requests and to use the services of the website.
ACCESS TO DATA
The data will be processed by the data controller through authorized personnel.
The data will also be known to the companies that supply assistance, hosting and maintenance services to the data controller, and by legal counsels that, if necessary, provide assistance in case of litigations. Access to data may also be granted to competent authorities in the event of specific requests which the controller is required by law to fulfil.
It should be noted that some of the parties indicated above act as data processors and that communication to those who act as independent data controllers is made because it is required by law or necessary to fulfil the obligations arising from the contractual relationship or to safeguard the controller’s legitimate interest to keep its computer systems secure and to defend itself with the help of legal counsels.
In any case, the communication of data shall be limited only to the categories of data whose transfer is necessary for the activities performed and the purposes pursued by the data controller.
The data subject may ask the controller to provide a list of the external parties that carry out their activities as data processors.
DATA SUBJECT’S RIGHTS
The data subject is entitled by law to ask the data controller for access to and rectification or erasure of his or her personal data and to exercise his or her right to restriction of processing, to data portability and to object.
The data subject may exercise his or her rights at any time, without any formal procedure, by contacting the data controller or the Data Protection Officer through the contact details indicated in this User Privacy Notice. The controller will reply within 30 days of receipt of the request, as provided for by current regulations.
Below is a detailed description of the rights granted to the data subject by current legislation on the protection of personal data.
- Right of access, i.e. the data subject’s right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: a) the purposes of the processing; b) the categories of personal data concerned; c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations; d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; f) the right to lodge a complaint with a supervisory authority; g) where the personal data are not collected from the data subject, any available information as to their source; h) the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.
- Right of rectification, i.e. the data subject’s right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
- Right to erasure, i.e. the data subject’s right to obtain from the controller the erasure of personal data concerning him or her without undue delay where one of the following grounds applies: a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; b) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing; c) the data subject objects to the processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or necessary for the purposes of the legitimate interests pursued by the controller or by a third party, and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing for direct marketing purposes; e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; f) the personal data have been collected in relation to the offer of information society services to a child. However, a request for erasure cannot be accepted to the extent that processing is necessary: a) for exercising the right of freedom of expression and information; b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; c) for reasons of public interest in the area of public health; d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or e) for the establishment, exercise or defence of legal claims.
- Right to restriction of processing, i.e. the data subject’s right to obtain that his or personal data, with the exception of storage, only be processed with his or her consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State where one of the following applies: a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; d) the data subject has objected to the processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or necessary for the purposes of the legitimate interests pursued by the controller or by a third party, pending the verification whether the legitimate grounds of the controller override those of the data subject.
- Right to data portability, i.e. the data subject’s right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and, where technically feasible, the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or a contract and the processing is carried out by automated means. The exercise of the right to data portability shall be without prejudice to the right to erasure.
- Right to object, i.e. the data subject’s right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or necessary for the purposes of the legitimate interests pursued by the controller or by a third party. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
If the data subject considers that the processing of his or her personal data is in breach of the GDPR provisions, he or she shall have the right to lodge a complaint with a supervisory authority, as provided for in Article 77 of the Regulation, or to an effective judicial remedy (Article 79 of the Regulation).
Last updated: 25/11/2020