PRIVACY INFORMATION NOTICE PURSUANT TO ARTICLE 13 OF EU REGULATION 2016/679 – USER
Municipality of Sirmione (FISCAL CODE 00568450175 – VAT NUMBER 00570860981), with registered office in 25019 Sirmione (BS), piazza Virgilio, n. 52, in compliance with Article 4, paragraph 1, letter c) and Article 24 of the EU Regulation 2016/679 (hereinafter referred to as GDPR) is the personal data processing Controller (hereinafter referred to as Data Controller), and in fulfillment of the obligations set out in Article 13 GDPR provides this Statement which details the processing purposes and means of your personal data.
It is specified that:
– personal data means (according to Article 4, paragraph 1, subparagraph 1) GDPR) ‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’;
– personal data processing (in accordance with Article 4, paragraph 1, subparagraph 2) GDPR) means ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, processing, selection restriction, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’.
1. Data Controller and contact details
The Data Controller pursuant to article 24 GDPR, namely the party that determines the purposes and means of the processing, is the Municipality of Sirmione (FISCAL CODE 00568450175 – VAT NUMBER 00570860981), whose contact details are: registered office in 25019 Sirmione (BS), piazza Virgilio, n. 52 – Telephone number 030 9909100; e-mail address: firstname.lastname@example.org
2. Data Protection Officer and contact details
Under Article 37 GDPR, Atty. Monica Lippa, with firm in 25121 Brescia, via Solferino n. 26, e-mail address: email@example.com, was appointed as external Data Protection Officer.
3. Purpose of the processing and legal basis
3.1 Your personal data as subject of processing are used for the following purposes:
a) responding to your specific requests, such as but not limited to any application for registration to events and / or promotional initiatives organized by the Data Controller;
b) fulfilling the legal and / or regulatory obligations of fiscal, administrative and accounting nature;
c) fulfilling the pre-contractual, contractual and tax obligations related to the conclusion and / or execution of contracts you entered into;
d) facilitating communications relating to the initiatives and / or events you have enrolled in;
e) performing statistical analysis by using data in aggregate form;
and, subject to your explicit, free, unconditional and revocable consent, to:
f) forwarding newsletters, informative messages, commercial, promotional and advertising communications on the products and services offered by the Data Controller by e-mail and / or mail and / or SMS and / or MMS and / or telephone contact in compliance with the principles established by the GDPR;
g) forwarding newsletters, informative messages, commercial, promotional and advertising communications on products and services offered by Third Parties by e-mail and / or mail and / or SMS and / or MMS and / or telephone contact according to the principles set by the GDPR.
3.2 The processing of your personal data and that of any employees and / or collaborators, for the purposes set out in Article 3.1 letters a), b), c), d) and e) of this information notice, is based on article 6, paragraph 1 letters b) and c) GDPR. For the purposes referred to in Article 3.1, letters f) and g) of this statement, the legal basis of the processing, under Article 6, paragraph 1 letter a) GDPR, is the consent.
4. Data provision nature
For the purposes referred to in Article 3.1 letters a), b), c), d) and e) of this information notice the provision of data is necessary for the fulfillment of the services provided by the Data Controller and any refusal entails the impossibility to perform the same. In order to carry out the processing referred to in Article 3.1 letters a), b), c), d) and e) of this notice, it is not necessary to acquire the consent of the data subject.
For the purposes set out in Article 3.1 letters f) and g) of this notice the provision of data is optional and any refusal shall entail the impossibility for the Data Controller to use such information for the aforementioned purposes.
5. Processing Methods
Data processing is carried out through paper, computer and electronic support, also with the help of electronic means, by specifically authorized internal parties and / or through third parties, according to principles strictly related to the purposes set out in this statement. The data are stored in electronic archives and, in a residual way, on paper, so as to guarantee the security and confidentiality of the data. The processing of personal data is performed in compliance with the principles of the GDPR.
6. Data recipients
Data recipient means, under Article 4, paragraph 1, subparagraph 9) GDPR, ‘a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. … public authorities which may receive personal data in the framework of a particular inquiry in accordance with the laws of the European Union or any of its Member States shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing’.
Notably, in relation to the purposes indicated above, personal data may be communicated to recipients in collaboration with the Data Controller or for the fulfillment of legal obligations. Such recipients are bound to the utmost confidentiality with regard to any information of which they may become aware. The relevant categories are listed below by way of example.
– Authorities, public administration bodies as well as supervisory and control bodies for their institutional purposes.
– Data Processors, advisors, advisory firms, professional firms that collaborate with the Data Controller for the achievement of the above mentioned purposes and for the fulfillment of legal obligations.
– Data Processors that provide services for the management of the information system of the Data Controller.
– Licensed professionals for the purpose of studying and resolving any legal and contractual issues.
– Banks or similar organizations.
– Health organizations.
7. Data dissemination and communication
Your personal data are neither subject to dissemination nor to transfer.
Communication to third parties, other than the Data Controller and Processor Supervisors – internal or external to the organizational structure of the Data Controller – identified and appointed pursuant to articles 24 and 28 GDPR, is provided where necessary.
In any case, data processing by third parties shall be carried out under the principles of correctness, proportionality and necessity, as well as in compliance with the applicable law provisions.
8. Data processing place and any transfer of data outside the EU
The data processing activity is performed within a member state of the European Union (EU) or within a member state of the European Economic Area (EEA).
Nevertheless, data processing may involve the transfer of data to a non-EU or non-EEA country. In this case, the Data Controller guarantees that the transfer, if necessary, shall only be carried out under the specific conditions set out in articles 44 and following of the GDPR. The transfer of data to a non-EU or non-EEA country requires your prior consent.
9. Retention times
The data shall be retained in compliance with the principle of proportionality and in any case for the period necessary for the achievement of the purposes laid down in Article 3.1 letters a), b), c), d) and e) of this statement and in any case not later than 10 fiscal years from the termination of the relationship. For the purposes set out in Article 3.1 letters f) and g) of this notice your data shall be retained until the moment of consent withdrawal.
10. Data Security
The Data Controller shall adopt the appropriate technical and organizational measures for data protection in order to prevent any loss of data, illicit or incorrect use and unauthorized access.
11. Rights of the data subject
Notice is hereby given that, according to article 13, paragraph 2, letter b) GDPR, in relation to the processing of personal data in question, in order to warrant a correct and transparent processing, the following rights may be exercised:
11.1. Rights of access and information (according to article 15 GDPR): in order to obtain from the Data Controller of the processing any information on the existence or not of data processing concerning you as well as access to your personal data and information on the purposes of the processing, the recipients or the categories of recipients to whom the data are transmitted.
11.2. Right to rectification (according to article 16 GDPR), to erasure (pursuant to article 17 GDPR) and to restriction (in compliance with article 18 GDPR): in order to apply for the rectification and erasure of your personal data and the restriction of the processing by the processing Data Controller.
11.3. Right to portability (under article 20 GDPR): in order to obtain, in a structured, common and automatically-readable format, personal data concerning you, supplied to the processing Data Controller; moreover, you have the right to forward such data to another data controller, provided that this operation is technically feasible.
11.4. Right of opposition (pursuant to article 21 GDPR): in order to oppose the processing of your data.
To exercise the rights set out in article 13, paragraph 2, letters b) and e) GDPR, you can write to the Municipality of Sirmione (FISCAL CODE 00568450175 – VAT NUMBER 00570860981), with registered office in 25019 Sirmione (BS), piazza Virgilio n. 52, or to the following e-mail address: firstname.lastname@example.org; otherwise you can contact the Municipality by dialing the following telephone number: 030 9909100.
12. Right to lodge a complaint
Pursuant to Article 13 paragraph 2 letter d) GDPR, notice is hereby given that you also have the right to lodge a complaint with the supervisory authority in accordance with article 77 GDPR where the data processing is deemed to infringe the provisions of the European Regulation.
Pursuant to articles 6 and 7 GDPR, you may allow the processing of personal data for the purposes laid down in Article 3.1, letters f) and g) and in Article 8 of this statement.
The consent may be withdrawn at any time and without indication of the reasons, by forwarding the withdrawal declaration to the following address: Municipality of Sirmione (FISCAL CODE 00568450175 – VAT NUMBER 00570860981), with registered office in 25019 Sirmione (BS), piazza Virgilio n. 52, – telephone number 030 9909100, or to the following e-mail address: email@example.com
The withdrawal of consent does not affect the lawfulness of the processing based on that consent prior to the withdrawal.