EU REGULATION 2016/679 - GDPR (REGULATION FOR SHORT)

  1. BASICS OF LAWFULNESS OF PROCESSING

The European regulation confirms that all processing must be based on an appropriate legal basis; the grounds for lawfulness of processing are set out in Article 6 of the regulation and coincide, in principle, with those currently provided for in the legislation (consent, fulfilment of contractual obligations, vital interests of the data subject or of third parties, legal obligations to which the data controller is subject, public interest or exercise of public authority, overriding legitimate interest of the data controller or of third parties to whom the data are disclosed).

For special categories of data Art. 9 regulation, consent MUST be 'explicit'; the same applies to consent to decisions established on automated processing (including profiling - Art. 22).

  • Overriding legitimate interest of a proprietor or a third party:

Balancing the legitimate interests of the data controller or the third party against the rights and freedoms of the data subject is not a matter for the authority but for the data controller himself; this is one of the main expressions of the principle of 'empowerment' included in the new data protection package.

The legitimate interest of the owner or third party must prevail over the fundamental rights and freedoms of the data subject in order to establish a valid basis for lawfulness.

The regulation expressly clarifies that the legitimate interest of the controller does not provide a suitable legal basis for processing by public authorities in the performance of their respective tasks.

  1. INFORMATIVE REPORT
    • Information content:

The contents of the disclosure are exhaustively listed in Articles 13(1) and 14(1) of the Regulation.

The User's personal data are managed from  www.miserviva.it company website Mister B SRL located in Trani at Via Lettini, 17 Trani whose legal representative is:  Mister B SRL . The data controller is Mister B SRL in compliance with the data protection principles laid down in the GDPR Regulation 2016/679.

  • Timing of disclosure:

In the case of personal data not collected directly from the data subject (Art. 14 of the regulation), the information must be provided within a reasonable period of time, which may not exceed 1 month after collection, or at the time of communication of the data to the data subject).

  • Mode of disclosure:

The information is given in electronic format. Furthermore, this information (governed specifically by Articles 13 and 14 of the Regulation) is provided within the first data collection.

  1. RIGHTS OF THE INTERESTED PARTIES

The time limit for a reply within, for all rights is 1 month, extendable up to 3 months in cases of particular complexity; the holder must in any case dare a reply within 1 month of the request, even in case of refusal.

It is up to the data controller to assess the complexity of the acknowledgement in the data subject. The reply within the rule must be in writing, including by electronic means that facilitate accessibility; it may be given orally provided that the identity of the data subject is proven by other means (Art. 12(1); see also Art. 15(3)). The answer given within must not only be 'intelligible', but also concise, transparent and easily accessible, as well as using simple and clear language.

  • Right of access (Art. 15):

The right of access is in any case provided for in the right to receive a copy of the personal data undergoing processing.

The information to be provided by the controller does not include the 'modalities' of the processing. The period of data retention is limited to the time necessary for the performance of the contractual relationship and the fulfilment of legal obligations.

  • Right to erasure (right to be forgotten art. 17):

The so-called right to be forgotten takes the form of a right to have one's personal data deleted in an enhanced form. Indeed, it provides for an obligation of data controllers, if they have made the personal data of the data subject public, e.g. by publishing them on a website, to inform the request of other data controllers who process the deleted personal data, including linking, copying or reproducing information (see Art. 17(2)).

The right of deletion has a broader scope than that of Art. 7(3)(b) of the Privacy Code, since the data subject has the right to request the removal of his or her data, for instance, even after withdrawal of consent to processing (see Art. 17(1)).

  • Right of appeal of processing (Art. 18):

This is a different and more extensive right compared to the 'blocking' of processing under Article 7(3)(a) of the Privacy Code; in fact, it can be exercised both in the event of a breach of the conditions for lawful processing, and if the data subject requests rectification of the data. Pending rectification by the data controller, the data subject may object to their processing pursuant to Art. 21 of the regulation.

Excluding storage, any other processing of the data whose presence is requested is prohibited unless certain circumstances apply (consent of the data subject, establishment of rights in court, protection of the rights of another natural or legal person, relevant public interest).

  1. OWNER, CO-OWNER, CONTROLLER, AUTHORISED PROCESSOR

The regulation regulates co-ownership of processing (Art. 26) and requires data controllers to define their respective spheres of responsibility and tasks with particular regard to the exercise of the rights of data subjects, who are in any case free to address any one of the jointly operating data controllers.

  1. RISK-BASED APPROACH AND ACCOUNTABILITY (RESPONSIBILITY) MEASURES FOR OWNERS AND MANAGERS

The regulation strongly emphasises the 'empowerment' of owners and managers, i.e., the use of proactive changes that demonstrate the concrete adoption of measures to ensure regulation.

Security measures adjust a level of security appropriate to the risk of the processing. In particular  Mister B SRL  implements the following technical, physical and organisational measures to protect the User's personal data from accidental or unauthorised destruction, accidental loss or alteration, unprotected use, modification, disclosure or access, and all other forms of unlawful processing.

  • Availability

The service utilises the extensive features of the Server environment to ensure high availability, such as full redundancy, load balancing, automatic scaling, and continuous data backup.

No personal data is permanently stored outside the server platforms of Mister B SRL .

  • Integrity

To ensure integrity, all data checks are encrypted following best practices for protecting confidentiality and data integrity.

  • confidentiality

All personnel authorised to process data are subject to a confidentiality obligation.

  • Transparency

The Data Controller will always keep you informed of changes in its privacy and data security processes, including its practices and policies. At any time you can request information on where and how your data is saved, used and protected.

  • Insulation

Access to personal data is restricted to individually authorised personnel. The security and privacy officer shall make the arrangements and keep a record of the arrangements made.

  • Data breach notification

In the event that the User's data is compromised,  Mister B SRL  will inform the User and the supervisory authorities within 72 hours by e-mail with information on the authority of the regulation, the data affected, possible impacts on the Service with measures to secure the data, and the effects of adverse effects on Personal Data.

A 'personal data breach' means a breach of security involving the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or processed in connection with the provision of the Service.

  1. DATA COLLECTED AND PURPOSE

Like all websites, this site also makes use of log files in which information collected automatically during user visits is stored. The information collected may be as follows:

  • Internet Protocol (IP) address;
  • browser type and parameters of the device used to connect to the site;
  • name of the internet service provider (ISP);
  • date and time of visit;
  • the visitor's source (referral) and exit web pages;
  • possibly the number of clicks.

This information is processed automatically and collected in a strictly aggregate form for the purpose of verifying the proper functioning of the site, and for security reasons. For security purposes (anti-spam filters, firewalls, virus detection), the automatically recorded data may possibly include personal data such as IP returns, which could be used, in accordance with the laws in force on the subject, for the purposes of attempts to damage the site itself or to cause damage to other users, or in any case harmful or criminal activities. Such data will never be used for user or user profiling purposes, but only for the protection of the site and its users (such information will be processed according to the legitimate interests of the owner).

In the event that the site allows the posting of comments, or in the event of specific services requested by the User, the site is automatically registered and records certain data identifying the User, including postal data. This data is understood to be voluntarily provided by the User when requesting the service. By entering a comment or other information, the User expressly accepts the privacy policy, and in particular by adhering to the content assigned is also freely disclosed to third parties.

The data received is allocated for the provision of the requested service and only for the time necessary for the provision of the service.

The information that users of the site deem to make public through the services and tools made available to them is provided by the User knowingly and voluntarily, exempting this site from any liability for any breach of law. It is up to the User to verify that he/she has permission to enter personal data of third parties or content protected by national and international regulations.

The data collected by the site during its operation are organised separately for the functions indicated above and kept for the time strictly necessary to carry out the precise activities. In any case, the data collected by the site will never be provided to third parties, for any reason whatsoever, except in the case of a legitimate request by a judicial authority and only in the cases provided for by law.

  • Place of processing

The data collected by the site are processed at the data controller's premises, and at the web hosting data centre, which is responsible for processing, processing data on behalf of the data controller; it is located in the European Economic Area and acts in accordance with European standards.