This notice, which is intended for all persons browsing the site www.hsd.it (hereinafter “the site”), is issued pursuant to Article 13 of Regulation (EU) 2016/679 (hereinafter “GDPR”) and in accordance with Article 122 of Italian Legislative Decree 196/2003 (hereinafter “Privacy Code”).
1. Who is the “controller” of the personal data (i.e., the person who decides on the purposes and methods of data processing)?
The Data Controller is HSD S.p.A., with registered office at Via della Meccanica, 16, Pesaro (PU), Italy, phone number: +39 0541 979001, Tax Code and VAT number IT01376450415, email firstname.lastname@example.org (hereinafter “HSD”).
2. How can the “data protection officer” (“DPO”) be contacted?
The DPO can be contacted at email@example.com.
3. Which types of personal data are processed?
a. Browsing data
The IT systems and software procedures in place to ensure that this website runs smoothly acquire, during their normal functioning, certain personal data which are implicitly sent when the internet communication protocols are used. This information is not collected in order to be associated with identified data subjects, but instead consists of information which, by its very nature, when processed and associated with data held by third parties, could lead to the identification of the users. This data category includes the IP addresses or domain names of the computers used by those who connect to the website, the URIs (Uniform Resource Identifiers) of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response provided by the server (successful, error, etc.) and other parameters relative to the user’s operating system and IT environment.
This data may be processed in order:
• to enable the proper functioning of the site and to monitor this, and to carry out maintenance activities;
• to obtain anonymous statistical information regarding the use of the site;
• to ascertain any possible liability in the event of the commission of any hypothetical computer crimes causing damage to the site itself, and therefore, to exercise and/or defend the company's rights in court.
b. Data provided voluntarily by the user
The provision of personal data is necessary in order to use certain services; for more information, please refer to the specific notice pursuant to Article 13 of the GDPR, as provided when the data is collected.
4. To whom is the data transmitted?
The data may also be processed by third parties acting on behalf of the company; these third parties are designated as data processors pursuant to Article 28 of the GDPR, and may include natural and/or legal persons who carry out activities that enable the aforementioned purposes to be achieved (e.g. service providers for the management of the site, such as system outsourcers, companies that provide internet connectivity services, consultancy companies etc.).
The data are processed by employees of the company - from the departments responsible for pursuing the aforementioned purposes - who have been expressly authorised to process it and who have received adequate operating instructions.
5. Transfer of data outside the EU
The data may be transferred to persons or organisations that are based in countries outside the EU and the EEA, and in particular in the USA. In such cases, the standard contractual clauses adopted by the European Commission pursuant to Article 46 (2) (c) of the GDPR are used as adequate safeguards, with the possible stipulation of "additional measures" to ensure a level of protection that is essentially equivalent to that required by EU law.
6. Rights of the data subject
Data subjects may exercise the rights set out in Articles 15-22 of the GDPR against the company, and more specifically, may:
i) request access to the data that regards them and to the information referred to in Article 15 (purpose of data processing, categories of personal data, etc.);
ii) request erasure of the data in the cases provided for under Article 17, in cases where the company no longer has the right to process this data;
iii) obtain the rectification of inaccurate data or the completion of data that is incomplete;
iv) obtain the restriction of processing (i.e. temporarily ensuring that the data is only stored), in the cases provided for under Article 18 of the GDPR;
v) object, at any given moment and in a simple, free manner, for reasons related to their particular situation, to the processing of data that is performed on the basis of the legitimate interest of the data controller.
vi) Where the processing is based on consent or on a contract and is performed using automated means, the data subject is entitled to receive the data in a structured, commonly used and machine-readable format, and if technically feasible, to freely send this data to another data controller.
To exercise these rights, the data subject may contact the company at any time, by sending a request either via email to the following address firstname.lastname@example.org or via registered letter to the following address: Via della Meccanica, 16, Pesaro (PU), Italy.
Data subjects shall have the right to lodge a complaint with the Italian Data Protection Authority or the competent supervisory authority in the Member State where they habitually reside or work or in the Member State where the alleged infringement has occurred.
The data subject has the right to obtain the erasure of their data in the following cases in particular:
a) where the personal data are no longer required for the purposes for which they were collected or otherwise processed;
b) where the data subject withdraws the consent upon which the processing is based, in accordance with Article 6.1(a) or Article 9.2 (a), and where no other legal basis exists for the processing;
c) where the data subject objects to the processing of their data pursuant to Article 21.1 and where there are no prevailing legitimate grounds for processing, or where the data subject objects to the processing pursuant to Article 21.2;
d) where the personal data have been unlawfully processed;
e) where the personal data must be erased in order to comply with a legal obligation as stipulated by the law of the European Union or Member State to which the data controller is subject;
f) where the personal data have been collected in relation to the provision of IT company services, as referred to in Article 8.1.
The conditions under which the restriction of data processing may be obtained are as follows:
a) the accuracy of the personal data is challenged by the data subject, for a period enabling the controller to verify the accuracy of said data;
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the controller no longer needs the personal data, but they are required by the data subject for the establishment, exercise or defence of legal claims;
d) the data subject has objected to processing pursuant to Article 21.1 of the GDPR, pending verification of whether the legitimate grounds of the controller override those of the data subject.
7/29/2022 2:12:53 PM