ex articolo 13 del Regolamento UE 2016/679
- Who are we and why are we providing you with this document?
Il Mondo di Emilia, individual company held by Alessio Boris (hereinafter, “IlMondoDiEmilia”), has considered that the protection of the personal data of its own and/or potential customers and users is of fundamental importance, ensuring that the processing of personal data, carried out in any manner, whether automated or manual, is carried out in full compliance with the safeguards and rights recognized by the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data (also hereinafter, the “Regulation”) and by the additional applicable rules on the protection of personal data.
The term personal data refers to the definition contained in article 4 at point 1) of the Regulation, i.e. “any information concerning an identified or identifiable natural person; the natural person who can be identified, directly or indirectly, with particular reference to an identifier such as a name, an identification number, location data, an online identifier or one or more characteristic elements of his physical identity, is considered identifiable, physiological, genetic, psychological, economic, cultural or social” (also hereinafter, the” Personal Data”).
The Regulation provides that, before proceeding with the processing of Personal Data – with this term meaning, according to the relevant definition contained in Article 4 at point 2) of the Regulation, “any operation or set of operations, carried out with or without the aid of automated processes applied to personal data or sets of personal data, such as the collection, registration, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, limitation, cancellation or destruction” (also hereinafter, the “Treatment”) – it is necessary that the person to whom such Personal Data belongs is informed about the reasons for which such data are requested and how they will be used.
In this regard, this document is intended to provide you, in a simple and intuitive way, with all the useful and necessary information so that you can provide your Personal Data in a conscious and informed manner and, at any time, request and obtain clarifications and / or adjustments.
This information, therefore, has been drawn up on the basis of the principle of transparency and all the elements required by Article 13 of the Regulation and is divided into individual sections (hereinafter ” Sections ” and individually “Section”) each of which deals with one specific topic in order to make reading faster, easier and easier to understand (also hereinafter, the “Information”).
This information is accompanied by a specific form for the release of consent as required by article 7 of the Regulation.
- Who will process your Personal Data?
The company that will process your Personal Data for the main purpose referred to Section D of this Notice and which, therefore, will play data controller role according to the definition contained in the Article 4 at point 7) of the Regulation, “the natural or legal person, public authority, service or other body which, individually or together with others, determines the purposes and means of the processing of personal data” is: Il Mondo di Emilia, individual company held by Alessio Boris, Via Kramer 17, 20129 Milano, C.F. LSSBRS73S18F952T e P. IVA 11335850969 (also here in after, “Data Controller”).
- Who can you contact?
As required by the Regulations, you can freely contact Il Mondo di Emilia for all questions relating to the processing of your Personal Data and/or if you wish to exercise your rights, as provided in Section G of this Notice, by sending a written communication to [email protected].
D. For what main purpose will your Personal Data be processed?
In order to allow the Data Controller to carry out the Processing activities for the above purposes, it will be necessary to provide the Personal Data marked with the symbol *. In the absence one of the marked data, it will not be possible to process your Personal Data and, consequently, you will not be allowed to complete your registration on the Website and/or benefit from the services provided by the Website for which the provision of Personal Data is required.
The Personal Data that will be requested from you for the pursuit of the aforementioned purposes will be those reported in the registration and / or contact form, i.e., by way of example and not limited to: name, surname, username, date of birth, home address / residence, e-mail address, telephone number, tax code, sexual gender.
In order to allow the creation of personalized children’s books, Personal Data referring to minors (hereinafter, the “Minor”) will be collected, including photos (hereinafter, the “Images”) of them. The Images will be collected exclusively to create personalized books ordered by the User and for no reason will they be sold and/or transferred to third parties. Once the aforementioned purpose has been achieved, the Personal Data and Images referring to the Minor will be immediately deleted.
- Other purposes
The Data Controller, subject to your express, free and unequivocal consent according to Article 6, paragraph 1, point a) of the Regulation, may ask you, in addition to data referred above, other Personal Data such as, by example and not exhaustively, data relating to tastes, preferences, habits, needs and consumer choices, for the following purposes:
- Direct Marketing Purposes: this term refers to the Data Controller’s intention to carry out promotional and/or marketing activities for you. This category includes all activities carried out to promote the products sold by Il Mondo di Emilia.
- Purposes of profiling: this term refers to the Data Controller’s intention to profile you, i.e. to analyse your tastes, preferences and consumption habits also related to market surveys and statistical analysis.
This category includes any form of automated processing of Personal Data for the purpose of evaluating specific personal aspects such as those relating to, but not limited to, personal preferences, interests, reliability, behaviour, location.
The processing of your Personal Data for the purposes referred to in points (i) and (ii) above doesn’t require your consent, which will necessarily respect the conditions of article 7 of the Regulation, thereby determining the lawfulness of the Processing of your Personal Data.
The modalities of contact for the purpose of direct marketing and profiling activities as in points (i) and (ii) above, may consist of both automated (email, sms, mms, fax) and traditional (e.g. postal mail) methods. In any case, and as in Section H, you may object to the Processing and/or withdraw your consent, even in part, for example by consenting only to traditional methods of contact.
- To which parties may your Personal Data be disclosed?
Your Personal Data may be disclosed to specific parties regarded as recipients of such Personal Data. Article 4(9) of the Regulation defines a recipient of Personal Data as “a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not” (also hereinafter, the “Recipients”).
In this context, in order to properly carry out all of processing activities necessary to fulfil the purposes set out in this Policy, the following recipients may find themselves in a position where they need to process your Personal Data:
-third parties which perform part of the Processing and/or activities connected with or instrumental to the processing on behalf of the Controller. These parties have been appointed as processors, i.e. pursuant to Article 4, point 8) of the Regulation “a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller” (hereinafter, the “Data Processor”);
-individuals employed by and/or contracted by the Controller, who have been assigned one or more activities relating to the processing of your Personal Data. These individuals have been given specific instructions concerning the security and correct use of Personal Data and are defined pursuant to Article 4(10) of the Regulation, as persons who under the direct authority of the Controller or Processor, are authorised to process Personal Data.
Where required by law or to prevent or suppress the commission of an offence, your Personal Data may be disclosed to public bodies or to the courts without them being regarded as Recipients. According to the Article 4 (9) of the Regulation, public authorities which may receive personal data in the framework of a particular inquiry in accordance with the European Union or Member State law shall not be regarded as recipients.
- How long your Personal Data will be processed?
One of the principles that applies to the processing of your Personal Data concerns limited storage periods, regulated by article 5, paragraph 1, point (e) of the Regulation which states “Personal Data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”; personal data may be stored for longer periods in so far as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject”.
For this reason, your Personal Data will be processed by the Data Controller for no longer than is needed for the purposes set out in Section D of this Policy. Specifically, the period for which your personal data will be limited to the strict minimum, as indicated in Recital 39 of the Regulation, ie. until the termination of the existing contractual relationship between you and the Data Controller , although further retention may be required or allowed by law, as provided for in Recital 65 of the Regulation.
As regards the processing carried out for the purposes laid down in this Policy for which a consent has been sought, the Data Controller may lawfully process your Personal Data until you communicate, using one of the methods provided for in the Section E of this Privacy Notice, your wish to withdraw consent to one or all the purposes for which it was requested. Should you withdraw your consent, the Data Controller will be required to immediately stop processing your Personal Data for such purposes.
- Is it possible to revoke the consent given and how?
In accordance with the Regulation, if you have given your consent to the processing of your Personal Data for one or more of the purposes for which it was sought, you may, at any time, withdraw it, in whole or in part, without affecting the lawfulness of Processing based on consent given before its withdrawal.
The procedure to withdraw consent and exercise your right to object is very simple and straightforward: you only have to contact the Data Controller by means of the contact channels provided in Sections C and I of this Privacy Notice.
In addition to the above and to keep things simple, if you happen to receive advertising emails from the Data Controller that are no longer of interest to you, simply click on the unsubscribe button at the bottom to longer receive no further communication.
- What are your rights?
In accordance with the Regulation, you may exercise the following rights at any time, to the Data Controller.
Right of access: pursuant to article 15 of the Regulation, you have the right to obtain from the Controller and/or the Joint Controllers confirmation as to whether or not your Personal Data are being processed, and, where that is the case, obtain access to the Personal Data and the following information: a) the purposes of the processing; b) the categories of Personal Data concerned; c) the Recipients or categories of Recipient to whom the personal data have been or will be disclosed, in particular Recipients in third countries or international organisations; d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; e) the existence of the right to request from the Data Controller rectification or erasure of Personal Data or restriction of processing of personal data concerning the data subject or to object to such processing; f) the right to lodge a complaint with a supervisory authority; g) where the Personal Data are not collected from the data subject, any available information as to their source; h) the existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Processing for the Data Subject . All this information can be found in this Privacy Notice that will always be available in the Privacy section of this websites.
Right to rectification: you have the right to obtain, pursuant to article 16 of the Regulation, the rectification of your inaccurate Personal Data. Taking into account the purposes of the Processing, you also have the right to have incomplete Personal Data completed, including by means of providing a supplementary statement.
Right to erasure: you have the right to obtain, pursuant to Article 17 of the Regulation, the erasure of your personal data without undue delay and the Data Controller shall erase your Personal Data where one of the following grounds applies: a) the Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; b) you have withdrawn consent on which the Processing of your Personal Data is based, and where there is no other legal ground for the Processing; c) you have objected to the Processing pursuant to Article 21(1) or (2) of the Regulation and there are no overriding legitimate grounds for the Processing of your Personal Data; d) your Personal Data have been unlawfully processed; e) your personal data have to be erased for compliance with a legal obligation in the European Union or Member State law to which the Data Controller is subject. In certain cases, as provided for in Article 17(3) of the Regulation, the Controller and/or the Joint Controllers are entitled not to erase your Personal Data if their Processing is necessary, for instance, for exercising the right of freedom of expression and information; for compliance with a legal obligation; for reasons of public interest; for archiving, scientific or historical research purposes in the public interest; or for the establishment, exercise or defence of legal claims.
Right to restriction of processing: you have the right to obtain, under Article 18 of the Regulation, from the Data Controller restriction of Processing where one of the following applies: a) you have contested the accuracy of your Personal Data (the restriction will be for a period enabling the Data Controller to verify the accuracy of the Personal Data); b) the Processing is unlawful but you oppose the erasure of your Personal Data and request that their use be restricted instead; c) although the Data Controller no longer need them for the purposes of the Processing, your Personal Data are required for the establishment, exercise or defence of legal claims; d) you have objected to the Processing under Article 21(1) of the Regulation pending verification whether the legitimate grounds of the Data Controller override your own. If the Processing is restricted your Personal Data will, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for important reasons of public interest. We will in any case inform you before the restriction of processing has been lifted.
Right to data portability: under Article 20(1) of the Regulation you have the right at any time to ask for and receive all your Personal Data processed by the Data Controller in a structured, commonly used and machine-readable format or to ask for it to be transmitted to another controller without hindrance. In this case you will need to provide us with full and accurate details of the new controller to which you would like your Personal Data to be transferred, and to give us your authorization in writing.
Right to object: under Article 21of the Regulation, you have the right to object at any time to the Processing of your Personal Data a) if they are processed for purposes of direct marketing, including profiling to the extent that it is related to such direct marketing.
You also have the right to lodge a complaint with a supervisory authority: without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the competent Data Protection Authority if you believe that the processing of your personal data by the Data Controller is in violation of the Regulation and/or applicable law.
To exercise any of the above rights, you may simply contact the Data sending an email to [email protected].
- Where will your Personal Data be processed?
Your Personal Data will be processed by the Data Controller within the European Union.
In case for technical and/or operational issues, it is necessary to rely on entities outside the European Union, those entities, where they process Personal Data on behalf of the Data Controller, will be appointed as Processors pursuant to Article 28 of the Regulation and the transfer of your Personal Data to those entities, which will be limited to the performance of specific Processing activities, will be performed in accordance with the provisions of Chapter V of the Regulation. All necessary safeguards will be taken to guarantee the highest degree of protection of your Personal Data, since the transfer will be based on: (a) adequacy decisions by the European Commission with regard to the third country; (b) standard contractual clauses provided for by the European Commission; (c) the adoption of binding corporate rules.
In every case, you can ask the Data Controller for further details whenever your Personal Data have been processed outside the European Union, by asking for evidence of the specific safeguards in place.
Version: January 2021