1. RESPECT FOR THE PROTECTION OF NATURAL SUBJECTS REGARDING THE PROCESSING OF PERSONAL DATA, AS WELL AS FREE CIRCULATION OF SUCH DATA
‘Istituto di storia della carta “Gianfranco Fedrigoni”’, ISTOCARTA (Institute of History of Paper “Gianfranco Fedrigoni”) (hereinafter referred to as “ISTOCARTA”) places great value on the respect of Privacy of its interlocutors and is committed to protecting it, by enforcing the provisions laid down by European and Italian laws on matters of Privacy.
ISTOCARTA shall hereby engage in informing about the modalities/procedures of collection and use of personal data provided by the User, as well as the procedures and provisions regulating its enforcement.
3. SOURCE OF DATA
ISTOCARTA shall acquire personal data from the User concerned. The type of information requested may include personal data, as in the case of natural persons, company name, name (should the name be integral part of the User’s company name), address, telephone number, e-mail address, information regarding invoicing and all data deemed necessary for carrying out successful commercial transactions.
4. LAWFULNESS OF PROCESSING
ISTOCARTA processes all data in compliance with the principles laid down in art. 5 of GDPR:
1. Following consent granted (pursuant to art. 6, first paragraph, letter a);
2. For the fulfillment of the provisions set forth by a contract to which the User is a party, or the performance of pre-contractual terms adopted following a request made by the User himself (pursuant to art. 6, first paragraph, letter b);
3. Processing is necessary for compliance with a legal obligation to which the controller is subject;
4. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (pursuant to art. 6, first paragraph, letter f).
The User can revoke his/her consent at any moment, by sending an e-mail to: firstname.lastname@example.org.
Consent revocation shall in no way prejudice the lawfulness of data processing made on the basis of the User’s consent, thus before it was revoked (art. 7 paragraph 3).
ISTOCARTA shall not accept consent given by any person under the age of 16 unless such consent is granted under the supervision of a parent or whoever holds parental authority.
5. DATA COLLECTION
Data collected may differ according to the modalities/procedures governing their collection and use.
Data collected via automatized means
The following data, which can qualify the User, may be collected while the User browses the website and shall be stored in the website’s log files:
· Internet Protocol (IP) address;
· Browser type;
· Parameters of the device used to connect to the website;
· Name of internet service provider (ISP);
· Date and time of hit;
· User’s web page referral and logout;
· Number of clicks.
The aforementioned data shall also be used to analyze Users’ trends and to collect data in aggregate form, in order to manage and ensure safety on the site.
Data supplied voluntarily by Users
Data that Users may provide by filling in the paper form or the website’s registration form:
· name and surname;
· e-mail address;
· home address and city;
· name of the Entity - Institute - Company;
· VAT number / tax identification number;
· IBAN code.
The aforementioned data, voluntarily provided by the User on request or after entering his/her request, shall exclusively be used for providing the service or performance requested and processed only for the time required to provide the service or for the fulfillment of contractual relations, if any.
6. COMMUNICATION AND DISCLOSURE OF PERSONAL DATA
ISTOCARTA shall pledge not to disclose any confidential information it will have acquired. Companies, natural persons and/or professionals providing services to ISTOCARTA (e.g. commercial, management services, information, insurance systems management services, banking and non-banking intermediation services, as well as factoring, shipment management, correspondence enveloping and posting services, credit management and protection services) who, as a result of their activities, will learn the data collected by ISTOCARTA, shall pledge not to disclose this information and are not authorized to use it for any purposes other than the purposes for which the information was communicated/disclosed to them.
7. PURPOSES OF DATA COLLECTION
Data collected by ISTOCARTA shall be used in order to properly and lawfully carry out its activities. Some of them are mentioned below, which are to be intended as a non-exhaustive example:
1. Promotional activities, data collection for statistical purposes, sending correspondence, publications, catalogues and invitation cards; market surveys;
2. Contacts and preliminary negotiations during the stipulation of contracts; performance of various types of documents/actions or group of operations necessary for the fulfillment of contractual obligations;
3. Performance of obligations associated with or ancillary to the contract c/o private or public bodies; fulfillment of obligations set forth by the law;
4. protection of ISTOCARTA’s assets;
5. to become a member of ISTOCARTA.
8. PERSONAL DATA STORAGE TIME
The data shall be stored for the time strictly necessary to carry out the afore-mentioned data processing purposes and, in any case, to fulfill any legal obligations deriving thereof.
9. RIGHTS OF THE USER
As far as the data provided are concerned, the User is entitled to exercise his/her rights with respect to the Data Controller pursuant to articles 15 to 21 of GDPR, which are explained in detail hereinafter:
Art. 15 – The user’s right of access
The User holds the right to obtain confirmation from the Data Controller whether his/her personal data are being processed or not and in the event, to obtain access to his/her personal data and following information:
a) The purposes of data processing;
b) The categories of personal data concerned;
c) The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular where recipients are third-party countries or international organizations;
d) Wherever deemed possible, the specified storage time of personal data and, where not possible, the criteria applied to specify an eventual timeline for said storage;
e) The User’s right to ask the Data Controller to amend or delete his/her personal data or to limit the processing of personal data concerning him/her or to object to the processing of his/her personal data;
f) The right to file a complaint to a supervisory body;
g) In the event that the User’s data have not been provided by him/her personally, all the information available on their source;
h) The existence of an automatized decision-making process, including profiling activity, at least in such cases, significant information on the criteria adopted in processing such information, as well as the importance and the consequences foreseen for the User in the case of such processing;
i) Should the personal data be transferred to a third-party country or international organization, the User shall know if adequate guarantees on safe transmission have been put in place, as pursuant to art. 46 relating to the transmission of personal data (see hereinafter).
Whereas, the Data Controller shall provide a copy of the personal data processed, in no way thereby infringing the rights and freedom of others. In case there be additional copies requested by the User, the Data Controller shall have the faculty to charge a reasonable sum at his/her own discretion regarding any eventual administrative costs incurred in said request. Should the request be made via any electronic means of communication, unless otherwise requested by the User himself/herself, the information shall be provided in a common electronic format.
Art. 16 – The Right to Rectify Data
The User shall have the right to obtain from Data Controller the correction of any inaccurate personal data without undue delay. Bearing in mind the purposes behind the processing of data, the User has the right to obtain integration of incomplete personal data, by simply presenting a supplementary statement.
Art. 17 – Right to Delete Data (the right to be forgotten)
The User shall have the right to obtain from Data Controller the cancellation of his/her personal data without undue delay and the Data Controller shall pledge to cancel them without undue delay for one of the following reasons:
a) Personal data are deemed to be no longer necessary for the purposes they were collected or otherwise processed;
b) The User revokes his/her consent on the processing of his/her personal data or should no legal basis exist for the processing;
c) The User opposes said processing and no prevailing legitimate reason exist for the processing, or in the event the User objects to said processing for the purposes of marketing activities;
d) Should the personal data have been processed without his/her consent (unlawfully);
e) Personal data need to be deleted in fulfillment of a legal obligation pursuant to the law of the E.U. or national law governing such matters of the country of origin of the Data Controller.
Hence, if the Data Controller has disclosed personal data and has been obliged to cancel them, taking into account the technology available and any implementation costs, the Data Controller shall be obliged to adopt any reasonable measure, even technical, to inform Data Controllers who are processing the data, of the User’s request to cancel any link, copy or reproduction of his/her personal data.
All the afore-going shall not apply where processing be deemed necessary:
a) to exercise the right of freedom of expression/speech and information;
b) to fulfill a legal obligation requiring the processing of personal data or for the performance of a task in the public interest or for the performance of public authority granted to the Data Controller regarding matters on data processing;
c) for reasons pertaining to public interest regarding public health;
d) for filing purposes in the interest of the public, scientific or historic research or statistical purposes.
Art. 18 – Right of limitation of data processing
The User is entitled to obtain from Data Controller the limitation on the processing of his/her data, in case one of following assumptions occurs:
a) the User considers his/her data to be inaccurate/incorrect, for the time-line deemed necessary to the Data Controller to verify the accuracy of such personal data;
b) in the event the processing be deemed unlawful and the User objects to the cancellation of his/her personal data and requests a limitation of their use, instead;
c) though personal data no longer be useful to the Data Controller for processing purposes, such personal data are necessary to the User to ascertain, exercise or defend a right in a legal proceeding;
d) should the User object to the processing of his/her data during the process of verification of the prevalence of legitimate reasons of the Data Controller with respect to those of the User.
Whereas said processing be limited, data will be processed, except for their storage, only with the User’s consent or to ascertain, exercise or defend a right in a legal proceeding or to protect the rights of another natural person or legal entity, or whenever deemed necessary for reasons of significant public interest, as set forth by the E.U. or other member state.
The User who has obtained the limitation on the processing of his/her personal data, shall be informed by the Data Controller prior to any eventual revocation of said limitation.
Art. 19 – Obligation to notify in the event of rectification or cancellation of personal data or limitation in their processing
The Data Controller shall pledge to inform each and every recipient the personal data were transmitted to, of any possible amendment or cancellation or limitation on the processing of such personal data, except where it proves impossible or involves the use of means/efforts manifestly disproportionate to the protected right. The Data Controller shall be obliged to inform the User of any recipient to whom the data may have been transmitted to upon the User’s request.
Art. 20 – Right to Data Portability
As long as the rights and freedom of others be not infringed, the User is entitled to receive personal data that may concern him/her in a typical and legible format via an automatized device, which were sent to a Data Controller and shall have the right to transmit these data to another Data Controller other than the one already in possession of his/her data, without any impediment from his/her side, in the case that:
a) data processing be based on the User’s consent or be in accordance to a contract;
b) data processing be carried out via automatized means.
In the exercise of the afore-going rights, the User shall be entitled to obtain a direct transmission of his/her personal data from one Data Controller to another, wherever technically speaking feasible.
Art. 21 – Right to object
The User has the right to object, at any time and in accordance to and in association with his/her specific situation, to the processing of personal data that concern the User, also including profiling activity.
The Data Controller shall pledge to respect the User’s request, thus avoiding to further process such data, unless the Data Controller is able to present evidence of existing legitimate underlying reasons for the performance of said processing, which may prevail over the interests, rights and freedom of the User or to ascertain, exercise or defend a right in a legal proceeding.
In the event personal data be processed for direct marketing purposes, then the User shall have the right to object to the processing of his/her personal data at any moment, including profiling activity, to the measure and to the extent that such data be intended specifically and only for direct marketing purposes.
Should nevertheless the personal data be processed for either scientific, historic or statistical purposes as pursuant to the provision laid down in article 89, paragraph 1, then shall the User, in accordance to and in association with his/her specific situation, have the right to object to the processing of his/her personal data, except where such processing be deemed necessary for the performance of a task in the public interest.
10. AUTOMATIZED DECISION-MAKING PROCESSES (Art. 22)
The User shall not be subject to any decisions based solely on automatized data processing, including profiling activity, that may produce judicial side-effects that could involve him/her or which could significantly influence the User himself/herself.
11. HOW THE USER’S RIGHTS CAN BE EXERCISED
In order to exercise the rights specified in the afore-going paragraph 7, the User can send a written communication to the Data Controller via ordinary mail or via e-mail to the following address: email@example.com.
The Data Controller shall reply to the User in accordance with the provisions prescribed in art. 12 of GDPR (Information, communications and transparent procedures in the exercise of the User’s rights). In particular, the Data Controller shall provide the User with all the information relating to any action that is to be undertaken relating to a request, pursuant to articles 15 to 22, without any undue delay, specifically within and not over one month as from receipt of the said request. The afore-going deadline may be extended to two months whenever deemed necessary, taking into account the total number and complexity of requests that have been made. The Data Controller shall hence duly inform the User of the extended deadline and give reasons for the delay within a month from receipt of the request.
Whenever deemed necessary by the User and as long as the User be in possession of sound evidence, the User may exercise the right to file a complaint to a local authority competent in such matters (such as the Italian Data Protection Authority – firstname.lastname@example.org).
12. PLACE OF DATA PROCESSING
Data collected shall be stored in the head-office of ISTOCARTA, Viale Pietro Miliani 31/33, 60044 Fabriano (AN) – ITALIA and in the OVH Europe servers.
14. DATA CONTROLLER AND DATA PROCESSORS
The Data Controller of data processing is: ‘Istituto di Storia della Carta “Gianfranco Fedrigoni”, ISTOCARTA’ - Viale Pietro Miliani 31/33, 60044 Fabriano (AN) - ITALY.