Partner in Problems, Leader in Solutions

Procedure for requesting rights regarding the protection of personal data

PROCEDURE FOR THE MANAGEMENT OF REQUESTS
CONCERNING THE RIGHTS REGARDING THE PROTECTION
OF THE PERSONAL DATA OF THE INTERESTED PARTY

Pursuant to Regulation 679/2016 (GDPR)

 

1. INTRODUCTION

The legislation contained in EU Regulation 2016/679 (hereinafter GDPR) aims to protect the confidentiality of personal data, to prevent inappropriate use from representing a risk and possibly damaging the fundamental freedoms and personal dignity of everyone. In particular, the data processed by GEN-ART SRL are personal information (e.g. personal data, address, tax code, etc.) and information relating to the work activity and the condition of the person while present at the premises of GEN-ART, such that, in some cases, the data may fall within the so-called particular data (e.g. information on the state of health, judicial news) indispensable for the execution of the task / services requested. The data subject to the treatments necessary for the provision of services are used by the doctor in compliance with professional secrecy, office secrecy and the rights of the interested party (articles 12 to 22 of the GDPR) and, therefore, based on the principles of legitimacy, correctness, lawfulness, indispensability, relevance and non-excess with respect to the purposes for which the data were collected.

 

2. Purpose

 

This document describes the operating procedures adopted by GEN-ART SRL in order to facilitate and guarantee the management, in a standardized manner and in compliance with the provisions of the GDPR, of the requests to exercise the rights of the interested party relating to the processing of his personal data. Specifically, it identifies the procedural measures arranged by the Data Controller to allow the interested user to obtain at any time information on the use of his data pursuant to art. 12‐21 of the GDPR, and precisely the right:

 

  • of information, communication and transparency (articles 12, 13 and 14);
  • of access (Article 15);
  • of rectification (Article 16);
  • of cancellation (Article 17);
  • to limitation of processing (Article 18);
  • to data portability (Article 20);
  • of opposition to processing (Article 21).

 

It should be noted that if the interested party obtains the rectification, cancellation, or limitation of the processing of his personal data, GEN-ART SRL is required to communicate to each of the recipients to whom the personal data have been transmitted the corrections, cancellations and limitations of processing carried out (Article 19). This notification obligation ceases only if this is found to be impossible or, for whatever reason, it is no longer possible to communicate with the recipient or the communication involves a disproportionate effort. The Data Controller informs the interested party of these recipients if the interested party requests it. Furthermore, the interested party has the right not to be subjected to decisions based solely on automated processing, including profiling, which produce legal effects concerning him or significantly affect his person (Article 22).

 

 

3. Definitions

 

Authorized for processing: the natural person, expressly designated, who operates under the authority of the data controller, with specific tasks and functions related to the processing of personal data.

Personal data: any information concerning an identified or identifiable natural person ("interested party"); a natural person is considered identifiable if he can be identified, directly or indirectly, with particular reference to an identifier such as a name, an identification number, location data, an online identifier or one or more characteristic elements of his physical, physiological, genetic, psychic, economic, cultural or social identity.

Particular personal data: any information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data intended to uniquely identify a natural person, and data relating to the health, sexual life or sexual orientation of the person.

By way of example, the following are defined:

a) biometric data: personal data obtained from a specific technical treatment relating to the physical and behavioral characteristics of a natural person that allow or confirm their unique identification, such as the facial image;

b) data relating to health: personal data relating to the physical or mental health of a natural person, which reveal information relating to his state of health, to the existence of conditions compatible with the obligations of fiduciary or mandatory isolation;

c) judicial data: personal data relating to any civil, criminal, tax and administrative disputes of workers, collaborators, agents or any customers or their employees, natural persons or counterparties.

Interested party: the natural person to whom the personal data processed by the Data Controller or the Data Processor belong.

Data Processor (responsible for the treatment): the natural or legal person, public authority, service or other body that processes personal data on behalf of the data controller, designated by the latter pursuant to art. 28 of the GDPR.

Data Controller: the natural or legal person, public authority, service or other body which, individually or together with others (joint ownership), determines the purposes and means of the processing of personal data. The Data Controller is GEN-ART SRL.

Processing: any operation or set of operations, carried out with or without the aid of automated processes and applied to personal data or sets of personal data, such as the collection, registration, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, limitation, cancellation or destruction.

 

 

4. Information on the rights of the interested party

 

The ability to exercise these rights is provided within the various information notices adopted by the Data Controller and given to the interested party, in relation to the specific areas of treatment. GEN-ART SRL has prepared general information, in compliance with the provisions of articles 13 and 14 of the GDPR, relating to the information to be provided to the interested party regarding the processing of their personal data in the context of the provision of services. The disclosures indicate the elements required pursuant to the GDPR, in particular:

  • the identity and contact details of the Data Controller;
  • the contact details of the Data Protection Officer;
  • the purposes of the processing and its legal basis;
  • the methods of communication and data management;
  • the data retention time;
  • the scope of communication;
  • the rights of the interested party.

 

 

4. Types of rights exercisable by interested parties

4.1 Right of access (Article 15 of the GDPR)

 

This right gives the interested party the possibility of requesting information regarding their personal data that are processed by GEN-ART SRL and the criterion underlying such processing. Specifically, pursuant to art. 15 of the GDPR, the interested party has the right to obtain confirmation from the Data Controller regarding the existence of personal data processing concerning him and, if so, to access the personal data and the following information:

  • the purposes of the processing;
  • the categories of personal data in question;
  • the recipients or categories of recipients to whom the personal data have been or will be communicated, in particular if they are recipients of third countries or international organizations;
  • where possible, the retention period of the personal data provided, or, if not possible, the criteria used to determine the period;
  • if the data are not collected from the interested party, all available information on their origin;
  • if personal data are transferred to a third country or to an international organization, the existence of adequate safeguards relating to the transfer pursuant to art. 46 of the GDPR;
  • the existence of any automated decision-making process, including profiling, and, at least in such cases, significant information on the logic used, as well as the importance and expected consequences of such processing for the data subject. In fact, pursuant to art. 22 of the GDPR, the interested party has the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or which significantly affects his person in a similar way.

This right does not apply if the decision:

  • is necessary for the conclusion or execution of a contract between the data subject and a data controller;
  • is authorized by the law of the Union or of the Member State to which the Data Controller is subject, which also specifies adequate measures to protect the rights, freedoms and legitimate interests of the data subject;
  • is based on the explicit consent of the interested party.

 

GEN-ART SRL, as Data Controller, must provide a copy of the personal data being processed to the interested party, except in the event that this harms the rights and freedoms of others. If the interested party submits the request through electronic devices, and unless otherwise indicated by the interested party, the information is provided in a common electronic format.

 

 

4.2 Right of rectification (Article 16 of the GDPR)

 

This right gives the interested party the possibility of obtaining the correction of inaccurate personal data that are processed by GEN-ART SRL and of obtaining the integration of incomplete personal data. Specifically, pursuant to art. 16 of the GDPR, the interested party has the right to obtain from the Data Controller the correction of inaccurate personal data concerning him without undue delay, taking into account the purposes of the processing. The interested party has the right to obtain the integration of incomplete personal data, also by providing an additional declaration.

 

 

4.3 Right of cancellation (Article 17 GDPR)

 

This right gives the interested party the possibility of requesting the cancellation of their data and can be exercised only in the presence of certain conditions, specifically indicated by art. 17 of the GDPR. Pursuant to art. 17 of the GDPR, the interested party has the right to obtain from the Data Controller the deletion of data concerning him without undue delay, and the Data Controller is obliged to delete personal data without undue delay, if one of the following reasons exists:

 

  • the personal data are no longer necessary with respect to the purposes for which they were collected or otherwise processed;
  • the interested party revokes the consent on which the processing is based and there are no further legal bases that legitimize the processing;
  • the interested party opposes the processing and there is no legitimate overriding reason to proceed with the processing;
  • the personal data have been unlawfully processed by the Data Controller;
  • the deletion of personal data derives from a legal obligation dictated by the law of the EU or of the Member State in which the Data Controller is based.

 

To carry out the deletion of data, GEN-ART SRL can proceed by destroying them or by anonymizing them, that is, by subjecting the data to treatments that no longer make it possible to identify the interested party.

 

 

4.4 Right to restriction of processing (Article 18 of the GDPR)

 

The limitation of processing that the interested party, and he alone, has the right to obtain from GEN-ART SRL substantially consists in the temporary execution of the sole operation of conservation of personal data, with consequent unusability and inaccessibility of the data for the entire limitation period. Pursuant to art. 18 of the GDPR, the interested party has the right to obtain from the Data Controller the limitation of the treatment when one of the following hypotheses occurs:

  • the data subject disputes the accuracy of the personal data, for the period necessary for the Data Controller to verify the accuracy of the personal data;
  • the processing is unlawful and the interested party opposes the cancellation of personal data and asks instead that its use is limited;
  • although the Data Controller no longer needs it for processing purposes, personal data are necessary for the interested party to ascertain, exercise or defend a right in court;
  • the interested party opposed the processing (pursuant to art. 21), pending checks on the possible prevalence of the legitimate reasons of the Data Controller with respect to those of the interested party.

 

If the processing is limited, such personal data are processed, except for storage, only with the consent of the interested party or for the assessment, exercise or defense of a right in court or to protect the rights of another natural or legal person or for reasons of significant public interest of the Union or of a Member State.

 

 

4.5 Right to data portability (Article 20 GDPR)

 

This right gives the interested party the possibility to ask GEN-ART SRL to receive their data in a structured format, or to transmit them directly to another Data Controller. Pursuant to art. 20 of the GDPR, the interested party has the right to receive in a structured format, commonly used and readable by an automatic device, the personal data concerning him provided to a Data Controller and has the right to transmit such data to another Data Controller, unimpeded by the Data Controller to whom he provided them, if the processing:

 

  • is based on the data subject's consent to the processing of his or her personal data for one or more specific purposes, unless the law of the Union or of the Member States provides that the data subject cannot revoke the prohibition on processing particular categories of data ex art. 9 par. 1 GDPR;
  • is based on a contract pursuant to art. 6 par. 1 lett. b) GDPR;
  • is carried out by automated means.

In exercising their rights regarding data portability, the interested party has the right to obtain the direct transmission of personal data from one Data Controller to another, where it is technically feasible. The right to data portability does not affect the right of cancellation, where permitted. This right does not apply to the processing necessary for the execution of a task carried out in the public interest or in the exercise of public authority attributed to the Data Controller. The right to data portability does not affect the rights and freedoms of others.

 

 

4.6 Right to object to processing (Article 21 of the GDPR)

 

This right gives the interested party the possibility of opposing the processing of their personal data, thus expressing continuing control over them. GEN-ART SRL, having received this request, must therefore definitively stop the processing of personal data. Pursuant to art. 21 of the GDPR, the interested party has the right to object at any time, for reasons connected to his particular situation, to the processing of personal data concerning him, including profiling on the basis of these provisions. The Data Controller refrains from further processing personal data unless he demonstrates the existence of compelling legitimate reasons for proceeding with the processing that prevail over the interests, rights and freedoms of the data subject, or for the ascertainment, exercise or defense of a right in court. The right to object is explicitly brought to the attention of the interested party and is presented clearly and separately from any other information. If personal data are processed for scientific or historical research purposes or for statistical purposes, the interested party, for reasons connected to his particular situation, has the right to object to the processing of personal data concerning him, except if the processing is necessary for the performance of a task of public interest.

 

 

5. Limitations on the exercise of rights

 

5.1 Right of access and cancellation

 

This procedure does not regulate the exercise of the right of access and cancellation to personal data in the following cases:

  • personal data subject to joint ownership for which GEN-ART SRL has no competence;
  • personal data of third-party natural persons collected in execution of the assignment given by GEN-ART SRL and
    covered by professional and official secrecy;
  • the personal data of third parties or of the customer or of the owner collected by virtue of the assignment given
    requests by the Client by virtue of an assignment or a service contract that is not paid at the time of the access request;
  • personal data of any type no longer available from GEN-ART SRL following:
    - termination of the terms of custody / archiving;
    - cessation of use for the purposes of the treatments in place;
    - anonymization of references directly or indirectly aimed at detecting the identity of the data subject;
  • personal data for which the right of access cannot be exercised, on the basis of specific legal provisions (e.g. data attributable to the relationships between GEN-ART SRL, its customer, the Judicial or Police Authorities);
  • personal data that cannot be deleted as they are subject to unlimited storage in accordance with the law.

 

 

5.2 Right of rectification

 

This procedure does not regulate the exercise of the right of rectification / integration of personal data relating to:

  • customer data or data subjects of which the customer is the owner;
  • personal identification and contact data acquired from public sources;
  • personal data no longer available at GEN-ART SRL following:
    - termination of the terms of custody / archiving;
    - cessation of use for the purposes of the treatments in place;
    - anonymization of references directly or indirectly aimed at detecting the identity of the interested party.

 

 

6. Procedures for submitting requests

 

6.2 Request for information and / or clarifications

 

The interested party can always request information about the ordinary methods of processing by sending requests for information and clarifications to the e-mail address administration@genart.com. The subject of these requests is limited to the provision of general and organizational information on the ordinary methods of processing personal data adopted by GEN-ART SRL, strictly excluding the communication of any other type of information. Your telephone number can be entered in the request for direct contact.

General requests for information and clarifications may be made in writing, limited to the provision of general information on the ordinary methods of processing personal data adopted and on the methods of exercising the rights of the interested party. These requests must be submitted to the attention of GEN-ART SRL at the following e-mail address [email protected] or to the PEC address [email protected].

 

The applications, if not digitally signed, must be signed on paper and accompanied by a copy of the valid identity document of the interested party.

a) The interested party can send formal requests to exercise their rights, or reports of alleged non-compliance or violations, to the addresses referred to in letter "b" or by registered letter with return receipt to the following address: GEN-ART SRL SRLS via Nettunense n° 185 - 00075 Lanuvio (RM), ATTACHING A COPY OF A VALID DOCUMENT TO THE REQUEST AT THE END OF THE ORIGINAL.

 

 

7. Common elements of compliance for the correct management of responses to requests from interested parties

 

7.1 The request can be:

 

  • Processable: in this case the request is legitimate, the information and supporting documentation sent are clear and complete, the interested party is identified and the rights of third parties are not affected.
  • Suspended due to missing information: the request is legitimate but the information and documentation provided in support of the request are not complete and / or clear, or the subject has not clearly identified himself. The request cannot be processed immediately and is therefore suspended pending additional information.
  • Rejected: the request does not meet the minimum requirements to be considered legitimate and is therefore rejected.

 

 

7.2 Time limits for providing the answer

 

The deadline for providing the answer to the interested party is defined by art. 12 of the GDPR, paragraphs 3 and 4, according to which GEN-ART SRL provides the interested party with information relating to the action taken regarding a request pursuant to articles 15 to 22 without undue delay and, in any case, at the latest within one month of receipt of the request. This deadline can be extended by two months, if necessary, taking into account the complexity and number of requests. In this case, within one month of receiving the request, GEN-ART SRL informs the interested party of the need to postpone the forwarding of the response, giving account of the reasons for the delay and of the possibility of lodging a complaint with the supervisory authority and of proposing a judicial appeal. For requests for information and / or clarifications addressed directly to the e-mail address, the deadline for replying is 30 days from receipt of the request. This deadline can be extended by a further 30 days, if necessary, taking into account the complexity and number of requests. The reply to the interested party is free and, where possible and unless otherwise requested by the interested party, it takes place via electronic means.