POLICY PURSUANT TO ARTICLE 13 OF REGULATION(EU) No. 679/2016
With specific reference to the personal data defined in article 4 para. 1 no. 1) of Regulation (EU) no. 679/2016 (hereinafter the “Regulation”), of which you are the “Data Subject”, the company AQUA S.P.A. (hereinafter “AQUA”) (VAT no. IT02026440350), in the person of its legal representative, with registered office at Via T. Crotti 1, 42018 San Martino in Rio (RE), Italy, in the person of its pro-tempore legal representative, as “Controller” pursuant to article 4 para. 1 no. 7) of the regulation, hereby provides the following information which is valid and effective as of 25.5.2018.
1. Nature and type of your data which is gathered and processed.
1.1. Your data which is subject to processing falls exclusively within the category referred to as “Personal data” pursuant to article 4 para. 1 no. 1 of the regulation: (“any information relating to an identified or identifiable natural person (‘data subject’)”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”).
2. Information on the “Controller”.
2.1. The “Controller” of the processing of your personal data pursuant to article 4 para. 1 no. 7) of the regulation is the company AQUA S.P.A. (hereinafter “AQUA”) (VAT no. IT02026440350), in the person of its legal representative, with registered office at Via T. Crotti 1, 42018 San Martino in Rio (RE), Italy, in the person of its legal representative pro tempore, who can be contacted at the following address: email@example.com.
2.2. Please note that any changes or updates regarding data relating to the above-mentioned data subject will be appropriately published in the dedicated “Privacy” section of the Controller’s website.
3. Purposes of the Processing.
3.1. Pursuant to article 5 para. 1 b) of the Regulation, we hereby inform you that your personal data will be collected and subsequently processed directly to fulfil requests for sending newsletters and corresponding mailing list subscription, involving product and marketing/promotional information relating to the activities performed by the Controller, in full compliance with the principles of legality and correctness and legal provisions.
4. Nature of consent to data processing
4.1 Your consent to the data processing outlined in article 1.1. of this policy for the purposes outlined in the foregoing article 3.1. is optional; as such, note that if you refuse to provide consent to the processing in question it will be impossible for the Controller to fulfil your request to send you the company’s newsletters.
5. Recipients of the collected and processed personal information.
5.1. Pursuant to article 13 para. 1 e) and f) of the regulation, we hereby inform you that, where your consent has been provided with regard to the purposes outlined in the foregoing article 3.1 of this policy, your personal data may be transferred to third parties, solely for the reason of compliance with the purposes described in greater detail in article 3 above, such as, for instance, IT support companies based in Italy, the EU or a third country, with the express exception of those considered “inadequate” by the European commission pursuant to article 45 of the Regulation.
5.2 Any personal data collected shall not be disclosed or communicated to third parties.
6. Retention period of the collected and processed personal information.
6.1. Pursuant to article 13 para. 2 a) of the Regulation, we hereby notify you that the data subject’s information will be retained until a request is made objecting to the sending and their desire to no longer receive newsletters, through the methods made available each time a newsletter is sent out.
7. Data Processing Methods:
7.1. We hereby inform you that your data, as detailed in the foregoing article 1.1. of this policy, will be processed with hardcopy, electronic or computerised media, in full compliance with legal provisions, in accordance with the principles of correctness and legality, and in such a way as to ensure their confidentiality.
8. Principles applied to the processing of your data.
8.1. Pursuant to article 5 of the Regulation, we hereby inform you that your personal data will be:
- Processed in an appropriate, legal and transparent manner;
- Collected for specific, explicit and legitimate purposes, and subsequently processed in a manner consistent with such purposes;
- Adequate, relevant and limited to the minimum necessary for the purposes for which the data are processed;
- Precise, and, where necessary, up to date;
- Kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which they were processed;
- Processed in such a way as to provide sufficient security for the personal information processed, including appropriate technical and organisational measures, against unauthorised or unlawful access, disclosure, dissemination, alteration, or destruction or accidental loss.
9. Rights of the data subject.
9.1. In relation to your personal data processed by the Controller, we hereby inform you that you may exercise the following rights, listed here in full:
Data subject’s right of access (art. 15 of the Regulation)
“1. The data subject has the right to obtain confirmation from the Controller as to whether processing of personal data relating to them is in progress, and if it is, to obtain access to the personal data and the following information: a) the purposes of the Processing; b) the categories of personal data in question; c) The recipients or categories of recipients of the personal data, including in third countries or international organisations; d) where possible, the planned retention time for the personal data, or where this is not possible, the criteria used to determine this period; e) the existence of the data subject’s right to request the correction or deletion of such data or limitation of the processing of personal data relating to them, or else to object to its processing; f) The right to lodge a complaint with a supervisory authority; g) When the data have not been collected from the data subject, all information available on their origin; h) The existence of any automated decision-making processes, including profiling as define in article 22 paras. 1 and 4, in this case, significant information on the logic used, as well as the importance and consequences of the processing for the data subject. 2. When the personal data have been transmitted to third countries or international organisations, the data subject has the right to information on the existence of appropriate guarantees pursuant to article 46 with regard to the transfer. 3. The Controller provides a copy of the personal information subject to processing. In the event that further copies are requested by the data subject, the Controller may charge a reasonable fee to cover administrative costs. If the data subject makes the request via electronic means, and unless otherwise indicated by the data subject, the information shall be provided in a commonly used electronic format. 4. The right to obtain a copy of the information outlined in paragraph 3 must not impinge on the rights and freedoms of third parties”.
Right to Correction (Art. 16 of the Regulation)
“The data subject has the right to request correction of inaccurate personal data relating to them without undue delay. Taking into account the purposes of the processing, the data subject has the right to supplement incomplete personal data, including through the supply of a supplementary declaration”.
Right to Deletion (Art. 17 of the Regulation)
“1. The data subject has the right to request deletion of their personal data from the Controller without undue delay, and the Controller is obliged to delete such personal data without undue delay, if one of the following motivations apply: a) The personal data are no longer necessary for the purposes for which they are gathered or otherwise processed; b) The data subject revokes their consent on which the processing was based in accordance with article 6, para. 1 a), or article 9, para. 2 a), and if there is no further legal basis for the processing; c) the data subject objects to processing pursuant to article 21, para. 1, and there is no prevailing legitimate reason for the processing, or they object to the processing pursuant to article 21, para. 2; d) The personal data were processed illegitimately; e) The personal data must be deleted to comply with a legal obligation imposed by EU law or by the member state to which the Controller is subject; f) The personal data were collected with regard to the offering of information society services pursuant to article 8, para. 1). 2. If the Controller has published personal data and is required to delete them pursuant to paragraph 1, taking into account the available technology and implementation costs, will take reasonable steps, including technical ones, to inform the Controllers who are processing the personal data, of the data subject’s request to delete any link, copy or reproduction of their personal information. 3. Paragraphs 1 and 2 do not apply within the extent to which the processing is necessary: a)To exercise the right to free speech and information; b) To comply with a legal obligation requiring processing imposed by EU law or by the member state to which the Controller is subject for performance of a task carried out in the public interest or in exercising public powers which the Controller holds; c) for reasons of public interest in the field of public health pursuant to article 9, para. 2 h) and i), and article 9, para. 3; d) For the purposes of archiving in the public interest, of scientific or historical research, or for statistical purposes pursuant to article 89, para. 1, to the extent that the right under para. 1 risks making the achievement of the goals of such processing impossible or extremely difficult; or e) for the establishment, exercise or defence of a legal right before a court”.
Right to limit the processing (Art. 18 of the Regulation)
“1. The data subject has the right to obtain limitation of the processing when one of the following situations applies: a) The data subject contests the accuracy of the personal data, for the period necessary for the Controller to check the accuracy of the personal data; b) The processing is unlawful, but the data subject opposes deletion of the data and instead requests the application of restriction measures; c) Although the Controller no longer requires them for the purposes of the processing, the personal data are required for the establishment, exercise or defence of a legal right before a court; d) The data subject has objected to processing pursuant to article 21, para. 1, while awaiting confirmation of the merit of any prevalence of legitimate reasons for processing compared to those of the data subject. 2. If the processing is limited pursuant to para. 1, such data are to be processed, except for retention, only with the consent of the data subject or for the establishment, exercise or defence of a legal right before a court, or to protect the rights of another natural or legal person or for reasons of public interest relevant to the EU or a member state. 3. Data subjects who have obtained limitation of processing pursuant to para. 1 shall be informed by the Controller before such limitation is revoked”.
Right to data portability (Art. 20 of the Regulation)
“1. The data subject has the right to receive a copy of personal data relating to them in a structured and commonly used electronic format which can be read by an automatic device, which they may then freely transmit to another Data Controller when: a) the processing is based on consent pursuant to article 6, para. 1 a), or article 9, para. 2 a), or on a contract pursuant to article 6, para. 1 b); and b) The processing is performed with automated tools. 2. In exercising their rights to data portability pursuant to paragraph 1, the data subject has the right to request direct transmission of personal data from one Controller to another, where technically feasible. 3. Exercise of the rights under para. 1 of this article is without prejudice to article 17. This right does not apply to processing required to perform an operation in the public interest or related to the exercise of public powers with which the Controller is invested. 4. The rights under paragraph 1 must not impinge on the rights and freedoms of third parties”.
Right to Objection (Art. 21 of the Regulation)
“1. The data subject shall have the right to object, on grounds relating to their particular situation, at any time to the processing of personal data concerning them pursuant to article 6, para. 1 e) or f), including profiling on the basis of such measures. The Controller shall cease to perform further processing of the personal data unless it can demonstrate the existence of compelling legitimate grounds for the processing which override the interests or fundamental rights and freedoms of the data subject, or for the establishment, exercise or defence of a legal right before a court. 2. When the personal data are processed for the purposes of direct marketing, the data subject has the right to object at any time to the processing for this purpose of personal data concerning them, including profiling to the extent it is connected to such direct marketing. 3. Should the data subject oppose to processing for the purposes of direct marketing, the personal data shall no longer be subject to processing for this purpose. 4. The right under paras. 1 and 2 is explicitly brought to the attention of the data subject and presented clearly and separately from any other information, no later than the time of initial communication with the data subject. 5. During use of information society services, and without prejudice to Directive 2002/58/EC, the data subject can exercise their objection via electronic means using technical specifications. 6. When the personal data are processed for the purposes of scientific or historical research, or for statistical purposes pursuant to article 89, para. 1, the data subject shall have the right to object, on grounds relating to their particular situation, to the processing of personal data concerning them, except when such processing is required to perform an operation in the public interest”.
Right to lodge a complaint with the supervisory authority (Article 77 of the Regulation)
“1. Without prejudice to any other administrative remedy or out-of-court redress, every data subject shall have the right to lodge a complaint with a supervisory authority in the member state in which they are normally resident, work or where the presumed violation occurs if they consider that the processing of personal data relating to them does not comply with this Regulation. 2. The supervisory authority with whom the claim is lodged shall inform the claimant of the status or result of the complaint, including the possibility to legal recourse pursuant to article 78”.
Right to seek effective judicial remedy against the supervisory authority (Article 78 of the Regulation)
“1. Without prejudice to any other administrative remedy or out-of-court redress, every natural or legal person has the right to seek effective judicial remedy against a legally binding decision by the supervisory authority relating to them. 2. Without prejudice to any other administrative remedy or out-of-court redress, every natural or legal person has the right to seek effective judicial remedy when the competent supervisory authority pursuant to articles 55 and 56 does not process a complaint or does not inform them of the status or outcome of the complaint made under article 77 within three months. 3. Actions against supervisory authorities are to be brought before the courts of the member state in which the supervisory authority is established. 4. When appeals are made against a decision of a supervisory authority preceded by an opinion or decision of the committee within the scope of the consistency mechanism, the supervisory authority shall notify the court of said decision”.
9.2. Pursuant to article 12 para. 1 of the Regulation, AQUA commits to provide you with the notifications pursuant to articles 15 to 22 of the Regulation in a concise, clear, intelligible and easily accessible format, using simple and clear language: this information will be provided in writing or using other (also electronic) means or, upon request of the data subject, will be provided orally, subject to confirmation of the data subject’s identity via other means.
9.3. Pursuant to article 12 para. 3 of the Regulation, the Controller hereby informs you that it commits to providing you with information on the actions taken against a request pursuant to articles 15 to 22 without undue delay, and in any case within a month of receipt of the same; this term may be extended by two months, where necessary, due to the complexity and number of requests.
9.4. In order to exercise the above-mentioned rights detailed in this article, the data subject may use the contact details given in article 2 of this “Policy”.