SUBJECT: Information on the processing of personal data pursuant to Article 13 of the EU Regulation No. 2016/679 (hereinafter “GDPR”)
The GDPR, EU Regulation No. 2016/679, together with the Personal Data Code, sets the framework for the protection and safeguarding of personal data, stipulating that “the data subject” must be informed in advance about the use of data concerning him or her by the Data Controller. Specifically, the GDPR clarifies that it is to be understood as:
– “personal data” means any information concerning an identified or identifiable natural person
(“data subject”); an identifiable person shall mean a natural person who can be identified, directly or indirectly, by reference in particular to an identifier such as a name, an identification number, location data, an online identifier, or to one or more characteristic elements of his or her physical, physiological, genetic, mental, economic, cultural or social identity;
– “processing” means any operation or set of operations, whether or not by automated means, applied to personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, comparison or interconnection, restriction, erasure or destruction;
– “data controller” means the natural or legal person, public authority, service or other body which, individually or jointly with others, determines the purposes and means of processing of personal data.
In observance of the above, Niuma S.r.l., as the Data Controller, provides this notice.
1. Principles that inspire the Processing carried out by Niuma S.r.l.
The processing of personal data carried out by Niuma S.r.l. is based on the principles of correctness, lawfulness, transparency and protection of the confidentiality and rights of the interested party.
Niuma S.r.l. informs that, for the establishment and execution of its contractual relationships, it is necessary to acquire certain categories of data (in particular, among others, personal data and tax data) relating to the data subject, its employees, collaborators and customers, data qualified as personal by law and, in particular, by the GDPR. Personal data are acquired directly from the data subject, or also through third parties previously authorized to do so by the data subject, by means of paper, electronic and/or telematic support.
2. Purposes of the processing:
a) The data are processed and stored in relation to contractual requirements and the consequent fulfillment of legal and tax obligations, as well as to enable the effective management of the contractual relationships themselves;
b) The data are processed for any other legal, administrative as well as organizational purposes strictly related and instrumental to the existing contractual relationship and its successful outcome;
c) Data are subject to collection, storage and processing for purposes of updating and promotion regarding the activities carried out by Niuma S.r.l, as well as regarding the services, products, courses, activities, etc. offered by the same; the processing of data for the described promotional purposes will not in any way be carried out through third parties, not even with prior authorization from the Data Controller, as Niuma S.r.l. does not transfer the collected data to third parties, except in the case in which the transfer configures an express legal obligation or order of an Authority of the State or of the
European Union;
3. Method and duration of processing:
Data may be collected, processed and stored on paper, electronic, computer and/or telematic media.
The data will be processed in compliance with the applicable legislation in force and stored in such a way as to (i) ensure its confidentiality, (ii) avoid its destruction, (iii) prevent its use by unauthorized third parties unrelated to Niuma S.r.l.
In particular, it is specified that the data will be stored on computer media, using measures that prevent their use by third parties who have not been previously authorized. The processing of data on paper and computer media is carried out only by personnel in charge and authorized for access. Documents containing personal data are used by appointees for the period strictly necessary for the operations to be carried out and are kept in special archives with access
authorized in order to guarantee their confidentiality. Niuma S.r.l. will keep the personal data of the Data Subject for the time necessary to fulfill the above purposes. In particular, it is specified that the data will be stored and processed for the entire duration of the contractual relationship and even after the same for the time necessary to fulfill legal and administrative obligations and/or to protect the rights of the Data Controller. For the purposes of point 2 letter (c), the processing and storage of personal data will be carried out for a period
of 5 years from the termination of the relationship.
4. Obligation or option to provide data:
The provision of consent to the processing of personal data for the purposes referred to in points (a) and (b) of Article 2 is a necessary condition for the provision of the services covered by the contractual relationship. In case of refusal to provide consent, Niuma S.r.l. will not be able to provide the services or fulfill the obligations covered by the
related contractual conditions.
On the other hand, consent in relation to the purposes referred to in points (c) and (e) of art. 2 is optional and may be freely refused by the Data Subject.
5. Access to data
The following categories of subjects may have access to the data of the Interested Party, in their capacity as data processors or persons in charge of the processing, for the fulfillment of the tasks and duties assigned to them, limited to the purposes and methods previously stated:
Employees (e.g., secretarial staff, administrative office staff, managers);
Directors and auditors;
Consultants of the company;
Collaborators.
In any case, regardless of the purpose that is relevant among those listed above, personal data will be made accessible to consultants of Niuma S.r.l., only where there is a need, and always subject to our letter of assignment that expressly imposes on them the duty of confidentiality and security.
6. Communication of data
Without the need for express consent, pursuant to ‘art. 6 of the GDPR, the Data Controller may communicate the data of the Data Subject to Authorities, Agencies and Supervisory Bodies, Judicial Authorities, insurance companies for the provision of insurance services, as well as to those subjects to whom the communication is required by law to fulfill the obligations required by law, regulation, Community legislation or an order of the Authority or to exercise the rights of Niuma S.r.l., for example, to the defense in court. Said subjects will process the data in their capacity as autonomous data controllers. Except as specified above, the personal data collected and processed by Niuma S.r.l. will not be disseminated, therefore in no way will these data be brought to the attention of third parties, neither determined nor undetermined subjects, neither by mere provision nor by simple consultation.
7. Transfer of data
Personal data are stored at the Data Controller or also outsourced on servers located in Italy and therefore within the European Union. It is in any case understood that the Niuma S.r.l., if necessary, will have the right to move the servers also outside the EU. In this case, the Owner assures as of now that the transfer of data outside the EU will take place in accordance with the applicable legal provisions, subject to the stipulation
of the standard contractual clauses provided by the European Commission.
8. Rights of the data subject:
Niuma S.r.l. makes it known that the data subject is entitled to the rights set forth in Article 15 of the GDPR, namely the rights to:
1. obtain confirmation of the existence or otherwise of personal data concerning him/her, even if not yet registered, and their communication in intelligible form;
2. obtain an indication of:
(a) the origin of the personal data;
b) of the purposes and methods of processing;
c) the logic applied in case of processing carried out with the aid of electronic instruments;
d) of the identification details of the data controller, data processors and the representative designated pursuant to
Article 3, paragraph 1, GDPR;
e) of the subjects or categories of subjects to whom the personal data may be communicated or who may become aware of them in their capacity as designated representative in the territory of the State, managers or appointees;
3. obtain:
(a) the updating, rectification or, when interested, the integration of data;
b) the cancellation, transformation into anonymous form or blocking of data processed in violation of the law, including those that do not need to be kept in relation to the purposes for which the data were collected or subsequently processed;
c) certification that the operations referred to in letters a) and b) have been brought to the attention, also
as regards their content, to those to whom the data have been communicated or disseminated, except where this proves impossible or involves a manifestly disproportionate use of means in relation to the protected right;
4. oppose, in whole or in part:
(a) for legitimate reasons to the processing of personal data concerning you, even if pertinent to the purpose of collection;
b) to the processing of personal data concerning you for the purpose of sending advertising or direct sales material or for carrying out market research or commercial communication, through the use of automated calling systems without the intervention of an operator by email and/or through traditional marketing methods by telephone and/or paper mail.
It should be noted that the data subject’s right to object, set forth in point b) above, for direct marketing purposes through automated modalities extends to traditional ones and that, in any case, the possibility for the data subject to exercise the right to object even partially remains unaffected. Therefore, the data subject may decide to receive only communications by traditional means or only automated communications or neither type of communication.
5. request cancellation or limitation of the processing of his or her data;
6. submit a complaint to the Privacy Authority, according to the procedures provided for by the regulations in force.
Please note that since the processing of data is based on Article 6(1)(a) or Article 9(2)(a) GDPR (EU Regulation 2016/679) the Data Subject has the right to withdraw consent at any time without affecting the lawfulness of the processing based on the consent before the revocation.
9. Methods of exercising rights
You may at any time exercise your rights by sending:
a registered letter a./r. to Niuma S.r.l. – at the head office in Rome, Via Giacomo Peroni, 400;
an e-mail to Niuma S.r.l.’s certified e-mail address, which can be found at the INIPEC public register (www.inipec.gov.it).
For any further information, and to enforce the rights granted to you by the GDPR, you may contact the persons indicated in the following point.
10. Data Controller, Data Processor and Persons in Charge
The Data Controller is Niuma S.r.l., with registered office in Rome, Via Giacomo Peroni 400, in the person of the legal representative pro tempore, Pietro Carra, Via La Spezia, 11, 20142, Milan;
The Data Processor is indicated in the persons of:
– Pietro Carra, Via Giacomo Peroni 400, 00131, Rome;
– Giovanni Baruffini, Via Giacomo Peroni 400, 00131, Rome;
The updated list of data processors and processors is kept at the registered office of the data controller.