Data Protection Policy
DATA PROTECTION POLICY PURSUANT TO ART. 13 OF EU REGULATION No. 2016/679 (GDPR)
The Controller has issued this policy pursuant to article 13 of EU REGULATION No. 2016/679 (GDPR) regarding personal data that users of the Web site http://www.arlef.it (“Web Site”) provide when using any relevant service.
The Controller is ARLeF – Agenzia regionale per la lingua friulana (“ARLEF” or “Agency”), having its registered office in via della Prefettura 13, Udine (UD), Italy.
You can contact the Controller to exercise your rights under EU REGULATION No. 2016/679 (“GDPR” or “Regulation”) or for any query on processing of your personal data: Ph. +39 0432 555812, e-mail email@example.com
The Controller has appointed a Processor that you may contact at the following address: firstname.lastname@example.org
PURPOSES OF THE PROCESSING
The Controller processes personal data that have been provided on a voluntary basis for a number of purposes:
1) Processing the requests of the data subject. These are actions (queries or contacts; registration and access to the restricted area of the Web Site, etc.) that are strictly necessary to meet the requests of data subjects, including any related or instrumental activities, activities that are based on the Controller's business or the protection of its rights or compliance with any applicable laws and/or regulations.
2) Delivery of newsletters (regular updates from the Controller on events, competitions, publications and other ARLeF initiatives) to those who expressly request to receive this newsletter by filling out the relevant form on the Web Site, authorising the Controller to process any relevant personal data.
LEGAL BASIS FOR PROCESSING
Consent to processing by the data subject: purpose no. 2; Implementation of a contract with the data subject as a party or implementation of pre-contractual provisions, adopted upon request of the data subject: purpose no. 1; Compliance with any legal requirement of the Controller: purpose no. 1; Legitimate interests pursued by the Controller: purpose no. 1.
DATA PROVISION AND DENIAL
Should data that are classified as “mandatory” not be provided in the relevant forms or should consent (if required) be denied, services may not be provided.
CATEGORIES OF RECIPIENTS OF PERSONAL DATA
Personal data may only be accessed by authorised persons and by any persons processing data on behalf of the Controller who have been appointed as Processors (including but not limited to providers of IT, telematic or technology services). These persons are required to keep personal data confidential also under any appropriate internal rules.
Personal data that data subjects have provided may not be disclosed or made public.
TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
As a rule, data processed for the above purposes will not be transferred outside the European Economic Area. Should this be necessary (also in the framework of any relevant IT tool), the Controller hereby represents that the transfer will fully comply with the provisions of Chapter V of the GDPR, i.e.:
– Article 45 Transfers on the basis of an adequacy decision;
– Article 46 Transfers subject to appropriate safeguards;
– Article 47 Binding corporate rules.
If these provisions are not applicable, article 49 applies to such transfer.
CRITERIA ON DATA STORAGE
Personal data are processed for the time required to achieve the purpose of data collection or for any other relevant purpose. Therefore, if personal data are processed for a number of purposes, such data will be stored up to the longest term for the relevant purpose to be achieved; however, such data will no longer be processed for any purposes whose storage time has expired.
Personal data that are no longer needed or for which there’s no longer a legal basis for storage are anonymised irreversibly (or deleted).
Personal data that are provided for purpose no. 1 will be stored for a time deemed as strictly necessary depending on the purpose and, in any case, in compliance with any applicable regulations on personal data protection, retention of accounting records and for the purpose of protecting the rights of the Controller (limitation period under the Italian Civil Code).
As for the newsletter, data will be stored as long as the data subject is registered for the service.
However, every three years, a review will be performed to delete any data that are no longer necessary for the purposes for which they were collected.
RIGHTS OF DATA SUBJECTS
Data subjects are entitled to request:
- Access to personal data and information (art. 15 of the GDPR);
- Rectification or erasure of data (art. 16 and 17 of the GDPR);
- Restriction of processing (art. 18 of the GDPR).
Data subjects may also:
- Object to processing under the terms and the limits specified in art. 21 of the GDPR;
- Exercise the right of data portability (art. 20 of the GDPR).
As for consent-based operations (art. 6, paragraph 1, point a) and art. 9, paragraph 2, point a) of the GDPR), data subjects are entitled to withdraw their consent at any time (notwithstanding the lawfulness of the processing based on consent before the withdrawal).
Finally, if, in the opinion of any data subjects, processing of their data infringes the provisions of the GDPR, they are entitled to lodge a complaint with a supervisory authority (personal data supervision authority or any other competent authority) pursuant to article 77 and following articles of the GDPR.