PRIVACY POLICY – DATA PROTECTION

Considering the c. 1 art. 12 of EU Regulation 679/2016 for those who, having already received information on the so-called web browsing when connecting to this site, they will forward requests through forms or directly to the email addresses indicated, the following information has been prepared:

1) The Data Controller is La Costa Eventi Srl P.I. 02336690462 with registered office in Viareggio(LU), 35507 - Italy and email addresses: a.prosperi@hotmail.it which uses the APPLOADING of Paola Manfredini for the management of this website ; the aforementioned APPLOADING, appointed as Data Processor with authorization to use other managers, is supported, for data protection, by the advice and assistance of a multidisciplinary technical-operational and legal team,

2) The processing of data is aimed and limited to the legitimate interest for the Data Controller to conduct their commercial activities and for the purpose of conducting pre-contractual or contractual phases with users who express interest - all pursuant to lett. b and f of c. 1 art. 6 EU Reg. 679/2016 with reference to recitals C.44 and C.47 of the same EU Reg. 679/2016 - with all this offsetting the principle of consent by providing the interested party with all the regulatory tools referred to below, placing him in the condition of to be able to adjust the cd circulatory system of your data.

3) The data, which will arrive through the e-mail servers concerned, are processed by the Data Controller and may be intended for consultants in partnership, collaborators and / or system administrators rather than in relation to the specific issues and needs posed or highlighted.

4) The retention period of personal data, since it cannot be determined a priori in standardized terms, respects the needs of acknowledgment or fulfillment of the relationship established for the specific request, request or communication in harmony with the corresponding regulatory provisions.

5) At any time the interested party can ask the data controller to access personal data and to correct or delete them or limit the processing of personal data concerning him or to oppose their treatment, in addition to the right to data portability.

6) The interested party has the right to lodge a complaint with a supervisory authority at any time.

7) The communication of personal data, albeit limited to email delivery, is a necessary requirement for the establishment of relationships as well as to allow us to respond to requests and also for the possible start of pre-contractual and / or contractual procedures for the conclusion of a contract.

8) The transfer of personal data abroad or to a non-EU country or to an international organization is limited to Google, MyBusiness as well as Social services such as Facebook, Instagram, YouTube. Considering the impact of the so-called "Schrems II ruling" on the Privacy Shield for the transfer of the data in question, the "exceptions in specific situations" pursuant to art. 49 EU Reg. 679/2016

 

Right of access by the interested party

1. The interested party has the right to obtain from the data controller confirmation as to whether or not personal data concerning him is being processed and, in this case, to obtain access to personal data and the following information:

a) the purposes of the processing;
b) the categories of personal data in question;
c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular if they are recipients of third countries or international organizations;
d) when possible, the retention period of the personal data envisaged or, if not possible, the criteria used to determine this period;
e) the existence of the right of the interested party to ask the data controller to rectify or delete personal data or limit the processing of personal data concerning him or to oppose their treatment;
f) the right to lodge a complaint with a supervisory authority;
g) if the data are not collected from the data subject, all available information on their origin;
h) the existence of an automated decision-making process, including the profiling referred to in Article 22, paragraphs 1 and 4 of EU Reg. 679/2016, and, at least in such cases, significant information on the logic used, as well as the importance and the expected consequences of such processing for the data subject.

2. If personal data are transferred to a third country or to an international organization, the interested party has the right to be informed of the existence of adequate guarantees pursuant to Article 46 of EU Reg. 679/2016 relating to the transfer.

3. The data controller provides a copy of the personal data being processed. In the event of further copies requested by the interested party, the data controller may charge a reasonable fee based on administrative costs. If the interested party submits the request by electronic means, and unless otherwise indicated by the interested party, the information is provided in a commonly used electronic format.

4. The right to obtain a copy referred to in paragraph 3 above must not affect the rights and freedoms of others.

 

Right of rectification

The interested party has the right to obtain from the data controller the correction of inaccurate personal data concerning him without undue delay. Taking into account the purposes of the processing, the interested party has the right to obtain the integration of incomplete personal data, also by providing a supplementary declaration.

 

Right to cancellation ("right to be forgotten")

1. The data subject has the right to obtain from the data controller the cancellation of personal data concerning him without undue delay and the data controller is obliged to cancel the personal data without undue delay, if one of the following reasons exists:
a) the personal data are no longer necessary with respect to the purposes for which they were collected or otherwise processed;
b) the interested party revokes the consent on which the processing is based in accordance with article 6, paragraph 1, letter a) of EU Reg. 679/2016, or article 9, paragraph 2, letter a) of the same of Reg. . EU 679/2016, and if there is no other legal basis for the processing;
c) the interested party opposes the processing pursuant to Article 21, paragraph 1, and there is no legitimate overriding reason to proceed with the processing, or opposes the processing pursuant to Article 21, paragraph 2 of EU Reg. 679 / 2016;
d) the personal data have been unlawfully processed;
e) personal data must be deleted to fulfill a legal obligation under the law of the Union or of the Member State to which the data controller is subject;
f) the personal data were collected in relation to the information society service offer referred to in Article 8, paragraph 1.
2 of EU Reg. 679/2016.

2. The data controller, if he has made personal data public and is obliged, pursuant to paragraph 1, to delete them, taking into account the available technology and implementation costs, he shall take reasonable measures, including technical ones, to inform the data controllers who are processing the personal data of the request of the interested party to delete any link, copy or reproduction of his personal data.

3. Paragraphs 1 and 2 do not apply to the extent that the processing is necessary:
a) for the exercise of the right to freedom of expression and information;
b) for the fulfillment of a legal obligation that requires the processing provided for by the law of the Union or of the Member State to which the data controller is subject or for the performance of a task carried out in the public interest or in the exercise of public authority of which the data controller is invested;
c) for reasons of public interest in the public health sector in accordance with Article 9, paragraph 2, letters h) and i) of EU Reg. 679/2016, and of Article 9, paragraph 3 of the same Reg. EU 679 / 2016;
d) for archiving purposes in the public interest, for scientific or historical research or for statistical purposes in accordance with Article 89, paragraph 1 of EU Reg. 679/2016, to the extent that the right referred to in paragraph 1 risks making it impossible or to seriously jeopardize the achievement of the objectives of this treatment; or
e) for the assessment, exercise or defense of a right in court.

 

Right to limitation of treatment

1. The interested party has the right to obtain from the data controller the limitation of processing when one of the following hypotheses occurs:
a) the data subject disputes the accuracy of personal data, for the period necessary for the data controller to verify the accuracy of such personal data;
b) the processing is unlawful and the interested party opposes the cancellation of personal data and instead requests that its use be limited;
c) although the data controller no longer needs it for processing purposes, the personal data are necessary for the data subject to ascertain, exercise or defend a right in court;
d) the interested party opposed the processing pursuant to Article 21, paragraph 1 of EU Reg. 679/2016, pending verification of the possible prevalence of the legitimate reasons of the data controller with respect to those of the interested party .

2. If the processing is limited pursuant to paragraph 1, such personal data are processed, except for storage, only with the consent of the interested party or for the assessment, exercise or defense of a right in court or to protect the rights of another natural or legal person or for reasons of significant public interest of the Union or of a Member State.

3. The interested party who has obtained the limitation of processing pursuant to paragraph 1 is informed by the data controller before this limitation is revoked.

 

Obligation to notify in case of rectification or cancellation of personal data or limitation of processing

The data controller communicates to each of the recipients to whom the personal data have been transmitted any corrections or cancellations or limitations of the processing carried out pursuant to article 16, article 17, paragraph 1 of EU Reg. 679/2016, and of 'article 18 of the same of the EU Reg. 679/2016, unless this proves impossible or involves a disproportionate effort. The data controller communicates these recipients to the interested party if the interested party requests it.

 

Right to data portability

1. The interested party has the right to receive in a structured format, commonly used and readable by an automatic device, the personal data concerning him provided to a data controller and has the right to transmit such data to another data controller without impediments on the part of the data controller to whom he provided them if:
a) the processing is based on consent pursuant to Article 6, paragraph 1, letter a) of EU Reg. 679/2016, or of Article 9, paragraph 2, letter a) of EU Reg. 679/2016, or on a contract pursuant to article 6, paragraph 1, letter
b) of the same of EU Reg. 679/2016; And b) the processing is carried out by automated means.

2. In exercising their rights relating to data portability in accordance with paragraph 1, the interested party has the right to obtain the direct transmission of personal data from one data controller to the other, if technically feasible.

3. The exercise of the right referred to in paragraph 1 of this article is without prejudice to Article 17 of EU Reg. 679/2016. This right does not apply to the processing necessary for the performance of a task of public interest or related to the exercise of public authority vested in the data controller.

4. The right referred to in paragraph 1 must not affect the rights and freedoms of others.

 

Right to object
1. The interested party has the right to object at any time, for reasons connected to his particular situation, to the processing of personal data concerning him pursuant to article 6, paragraph 1, letters e) or f) of EU Reg. 679 / 2016, including profiling based on these provisions. The data controller refrains from further processing personal data unless he demonstrates the existence of compelling legitimate reasons for proceeding with the processing that prevail over the interests, rights and freedoms of the data subject or for ascertaining, exercising or the defense of a right in court.

2. If personal data are processed for direct marketing purposes, the interested party has the right to object at any time to the processing of personal data concerning him for these purposes, including profiling to the extent that it is connected to such marketing. direct.

3. If the interested party objects to the processing for direct marketing purposes, the personal data are no longer processed for these purposes.

4. The right referred to in paragraphs 1 and 2 is explicitly brought to the attention of the interested party and is presented clearly and separately from any other information at the latest at the time of the first communication with the interested party.

5. In the context of the use of information society services and without prejudice to Directive 2002/58 / EC, the interested party may exercise his or her right of opposition with automated means that use specific techniques.

6. If personal data are processed for scientific or historical research purposes or for statistical purposes pursuant to Article 89, paragraph 1 of EU Reg. 679/2016, the interested party, for reasons connected with his particular situation, has the right to oppose the processing of personal data concerning him, except if the processing is necessary for the performance of a task of public interest.

 

Automated decision-making process relating to natural persons, including profiling

1. The interested party has the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or which significantly affects his person in a similar way.

2. Paragraph 1 does not apply if the decision:
a) is necessary for the conclusion or execution of a contract between the data subject and a data controller;
b) is authorized by the law of the Union or of the Member State to which the data controller is subject, which also specifies appropriate measures to protect the rights, freedoms and legitimate interests of the data subject;
c) is based on the explicit consent of the interested party.

3. In the cases referred to in paragraph 2, letters a) and c), the data controller implements appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, at least the right to obtain human intervention by the data controller of the processing, to express their opinion and to contest the decision.

4. The decisions referred to in paragraph 2 are not based on the particular categories of personal data referred to in Article 9, paragraph 1 of EU Reg. 679/2016, unless Article 9, paragraph 2 applies , letters a) or g) of the same of the EU Reg. 679/2016, and adequate measures are not in force to protect the rights, freedoms and legitimate interests of the data subject.

 

Communication of a personal data breach to the interested party

1. When the violation of personal data is likely to present a high risk for the rights and freedoms of individuals, the data controller communicates the violation to the interested party without undue delay.

2. The communication to the data subject referred to in paragraph 1 of this article describes in simple and clear language the nature of the personal data breach and contains at least the information and measures referred to in article 33, paragraph 3, letters b) , c) and d) of EU Reg. 679/2016.

3. Notification to the interested party referred to in paragraph 1 is not required if one of the following conditions is met:
a) the data controller has implemented adequate technical and organizational protection measures and these measures had been applied to the personal data subject to the violation, in particular those intended to make personal data incomprehensible to anyone not authorized to access it, such as encryption;
b) the data controller has subsequently adopted measures to avoid the occurrence of a high risk for the rights and freedoms of the data subjects referred to in paragraph 1;
c) such communication would require disproportionate efforts. In this case, instead, a public communication or a similar measure is carried out, through which the data subjects are informed with similar effectiveness.

4. In the event that the data controller has not yet communicated the personal data breach to the data subject, the supervisory authority may request, after assessing the probability that the personal data breach presents a high risk, to do so or may decide that one of the conditions in paragraph 3 is met.

 

NOTE

The information was formulated on the specifications of the service provided through this website and in relation to the Privacy management system of the Data Controller.


Revised: November 27, 2020