PRIVACY INFORMATION NOTICE PURSUANT TO
ARTICLE 13 OF EU REGULATION 2016/679 – UNDERAGE USER
Municipality of Sirmione (FISCAL CODE 00568450175 – VAT NUMBER 00570860981), with registered office in 25019 Sirmione (BS), piazza Virgilio, n. 52, in compliance with Article 4, paragraph 1, letter c) and Article 24 of the EU Regulation 2016/679 (hereinafter referred to as GDPR) is the personal data processing Controller (hereinafter referred to as Data Controller), and in fulfillment of the obligations set out in Article 13 GDPR provides this Statement which details the processing purposes and means of underage users, the ones of their parents and /or guardians
It is specified that:
– personal data means (according to 4, paragraph 1, subparagraph 1) GDPR) ‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’;
– personal data processing (in accordance with 4, paragraph 1, subparagraph 2) GDPR) means ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, processing, selection restriction, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’.
1. Data Controller and contact details
The Data Controller pursuant to article 24 GDPR, namely the one settling the processing purposes and the means is the Municipality of Sirmione (FISCAL CODE 00568450175 – VAT NUMBER 00570860981), whose contact details are: registered office in 25019 Sirmione (BS), piazza Virgilio, n. 52, telephone number 030 9909100; e-mail address: firstname.lastname@example.org
2. Data Protection Officer and contact details
Under Article. 37 GDPR, Att.y Monica Lippa, with firm in 25121 Brescia, via Solferino n. 26 e-mail address: email@example.com was appointed as external Data Protection Officer
3. Purpose of the processing and legal basis
3.1 The personal data of underage users, their parents and / or guardians are used for the following purposes:
a) responding to specific requests, such as but not limited to any application for registration to events and / or promotional initiatives organized by the Data Controller;
b) fulfilling the legal and / or regulatory obligations of fiscal, administrative and accounting nature;
c) fulfilling the pre-contractual, contractual and tax obligations related to the conclusion and / or execution of contracts;
d) facilitating communications relating to the initiatives and / or events in which the underage user is enrolled;
e) performing statistical analysis by using data in aggregate form;
and, necessary and explicit consent of the one exercising the parental authority on the minor and / or acting as guardian of the latter, in order to:
f) forwarding to the parent and /or guardian, newsletters, informative messages, commercial, promotional and advertising communications on the products and services offered by the Owner by e-mail and / or mail and / or SMS and / or MMS and / or telephone contact in compliance with the principles established by the GDPR;
g) forwarding to the parent and /or guardian newsletters, informative messages, commercial, promotional and advertising communications on products and services offered by Third Parties by e-mail and / or mail and / or SMS and / or MMS and / or telephone contact according to the principles set by the GDPR.
3.2 Underage users and their parents and /or guardians personal data processing for the purposes set out in Article 3.1 letters a), b), c), d) and e) of this information notice, is based on article 6, paragraph 1 letters b) and c) GDPR. For the purposes referred to in Article 3.1, letters f) and g) of this statement, the legal basis of the processing, under Article 6, paragraph 1 letter a) GDPR, is the consent.
4. Data provision nature
For the purposes referred to in Article 3.1 letters a), b), c), d) and e) of this information notice the provision of data is necessary for the fulfillment of the services provided by the Data Controller and any refusal entails the impossibility to perform the same. In order to carry out the processing referred to in Article 3.1 letters a), b), c), d) and e) of this notice, it is not necessary to acquire the consent of the parent exercising the parental authority over the minor and / or of the guardian.
For the purposes referred to in art. 3.1 letters f) and g) of this notice the provision of data of the minor by the parent exercising the parental authority over the minor and / or the guardian is optional and any refusal shall entail the impossibility for the Data Controller to use such information for the aforementioned purposes.
5. Processing Methods
Data processing is carried out through paper, computer and electronic support, also with the help of electronic means, by specifically authorized internal parties and / or through third parties, according to principles strictly related to the purposes set out in this statement. The data are stored in electronic archives and, in a residual way, on paper, so as to guarantee the security and confidentiality of the data. The processing of personal data is performed in compliance with the principles of the GDPR.
6. Data Recipients
Data recipient means, under Article 4, paragraph 1, subparagraph 9) GDPR, ‘a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. … public authorities which may receive personal data in the framework of a particular inquiry in accordance with the laws of the European Union or any of its Member States shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing’.
Notably, in relation to the purposes indicated above, personal data may be communicated to recipients in collaboration with the Data Controller or for the fulfillment of legal obligations. Such recipients are bound to the utmost confidentiality with regard to any information, of which they may become aware and below, by way of example, the relevant categories are reported.
– Authorities, public administration bodies as well as supervisory and control bodies for their institutional purposes.
– Data Processors, advisors, advisory firms, professional firms that collaborate with the Data Controller for the achievement of the above mentioned purposes and for the fulfillment of legal obligations.
– Data Processors that provide services for the management of the information system of the Data Controller.
– Licensed professionals for the purpose of studying and resolving any legal and contractual issues.
– Banks or similar organizations.
– Health organizations.
7. Data dissemination and communication
The personal data of underage users, their parents and / or guardians are neither disseminated nor transferred.
Communication to third parties, other than the Data Controller and Processor Supervisors – internal or external to the organizational structure of the Data Controller – identified and appointed pursuant to articles 24 and 28 GDPR, is provided where necessary.
In any case, data processing by third parties shall be achieved under the principles of correctness, proportionality and necessariness, as well as in compliance with the applicable law provisions.
8. Data processing place
The contractually agreed data processing activity is performed within a member state of the European Union (EU) or within a member state of the European Economic Area (EEA).
Nevertheless, data processing may involve the transfer of data to a non-EU or non-EEA country. In this case, the Data Controller guarantees that the transfer, if necessary, shall only be carried out under the specific conditions set out in articles 44 and following of the GDPR. The transfer of data to a non-EU or non-EEA country requires your prior consent.
9. Retention times
The data shall be retained in compliance with the principle of proportionality and in any case for the period necessary for the achievement of the purposes laid down in Article 3.1 letters a), b), c), d) and e) of this statement and in any case not later than 10 fiscal years from the termination of the relationship. For the purposes set out in Article 3.1. letters f) and g) of this notice your data shall be retained until the moment of consent withdrawal.
10. Data Security
The Data Controller shall adopt the appropriate technical and organizational measures for data protection in order to prevent any loss of data, illicit or incorrect use and unauthorized access.
11. Rights of the data subject
Notice is hereby given that, according to article 13, paragraph 2, letter b) GDPR, in relation to the processing of personal data in question, in order to warrant a correct and transparent processing, the following rights may be exercised.:
11.1. Rights of access and information (according to article 15 GDPR): in order to obtain from the Data Controller of the processing any information on the existence or not of data processing concerning the minor, the parent exercising the parental authority over the underage user and / or the guardian, as well as to access the related personal data and information on the purposes of the processing, the recipients or with regard to the categories of recipients to whom the data are transmitted.
11.2. Right to rectification (according to article 16 GDPR), to erasure (in compliance with article 17 GDPR) and to restriction (under article 18 GDPR): in order to apply for rectification and erasure of personal data of the minor, of the parent exercising the parental authority over the underage user and / or of the guardian and the restriction of processing by the processing Data Controller.
11.3. Right to portability (under article 20 GDPR): in order to obtain, in a structured, common and automatically-readable format, personal data concerning the minor, the parent exercising the parental authority on the underage user and / or the guardian, supplied to the processing Data Controller moreover the latter has the right to forward such data to another data controller, provided that this operation is technically feasible.
11.4. Right of opposition (pursuant to article 21 GDPR): in order to oppose the processing of data of the minor, of the parent exercising the parental authority on the underage user and / or of the guardian.
To exercise the rights set out in article 13, paragraph 2, letters b) and e) GDPR, you can write to the Municipality of Sirmione (FISCAL CODE 00568450175 – VAT NUMBER 00570860981), with registered office in 25019 Sirmione (BS) , piazza Virgilio n. 52, or to the following e-mail address: firstname.lastname@example.org otherwise you can contact the Municipality dealing the following telephone number 030 9909100
12. Right to lodge a complaint
Pursuant to Article 13 paragraph 2 letter d) GDPR, notice is hereby given that, furthermore, the right to lodge the complaint to the supervisory authority in accordance with article 77 GDPR where the data processing is deemed to be achieved infringing the provisions of the European Regulation.
Pursuant to articles 6 and 7 GDPR, consent to the processing of personal data is necessary, for the purposes laid down in Article 3.1 letters f) and g) and in Article 8 of this statement.
The consent may be withdrawn at any time and without indication of the reasons, by forwarding the withdrawal declaration to the following address: Municipality of Sirmione (FISCAL CODE 00568450175 – VAT NUMBER 00570860981), with registered office in 25019 Sirmione (BS), piazza Virgilio n. 52, telephone number 030 9909100, or to the following e-mail address: email@example.com
The withdrawal of consent does not affect the lawfulness of the treatment based on the same prior to the revocation.