PERSONAL DATA PROCESSING NOTICE
This document sets out methods and purposes of the personal data processing undertaken by
Via Donatello 19/a
20131 – Milano (Italy)
in its capacity as the organiser of the Italian Sustainability Photo Award (the “ISPA”) and data controller (the “Controller”), and the other information that has to be given under Italian data protection legislation to a subject who is willing to apply for the ISPA, including information on his rights and on how to exercise those rights.
Regulation (EU) 2016/679 (the “Regulation”) and Legislative Decree no. 196/2003, as modified by Legislative Decree no. 101/2018, set out rules concerning the protection of fundamental rights and freedoms of natural persons with regard to the processing of personal data.
Article 4(1) of the Regulation defines “Personal Data” as any information relating to an identified or identifiable natural person (the “Data Subject”).
“Processing” is defined as any operation or set of operations which is performed on personal data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Article 4 of the Regulation).
Additionally, pursuant to Articles 12 et seq. of the Regulation, the Data Subject must be given certain information concerning i. the Processing activities carried out by the Controller and ii. the rights of the Data Subject.
1. Purposes of the processing and legal basis
The purposes of the processing of Personal Data by the Controller are the following:
- i. performance of its obligations as the organiser of the ISPA;
- ii. compliance with a legally binding obligation to which the Controller is subject;
- iii. iii. providing additional information on events or other activities organised by the Data Controller, where freely and expressly consented to by the Data Subject.
Since the processing of Personal Data for the purposes under points i. and ii. above is necessary for the Controller’s performance of contractual and/or pre-contractual obligations and for compliance with specific legal obligations, respectively, the Data Subject’s consent is not required for such processing.
The processing of Personal Data for the purposes under point iii. above shall be undertaken by the Controller only whether a specific prior authorization by the Data Subject is granted.
2. Processing methods and storage
In compliance with Article 5 of the Regulation, the Personal Data subject to the Processing are:
- i. processed lawfully, fairly and in a transparent manner in relation to the Data Subject;
- ii. collected and recorded for specified, explicit and legitimate purposes and further processed compatibly with those purposes;
- iii. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- iv. accurate and, where necessary, up-to-date;
- v. processed in a manner that ensures appropriate security;
- vi. kept in a form that permits identification of the Data Subject for no longer than is necessary for the purposes for which the Personal Data are processed.
The Personal Data are processed by the Controller by automated and non-automated means; the electronic storage of Personal Data occurs on secure servers located in controlled areas with restricted access.
Specific security measures are observed to prevent data being lost or used in an unlawful or improper manner, and to prevent unathorised access.
3. Collection of personal data
The collection of Personal Data does not include sensitive data.
4. Retention of personal data
Personal Data are retained for the time strictly necessary to fulfil the purposes for which they have been collected and processed. As a general principle, therefore, Personal Data are stored for the entire duration of the Data Subject contractual relationship with the Controller.
However, it is understood that once the contractual relationship with the Controller ends and with it the relevant Processing purposes, the Controller is nevertheless obliged and/or has the right to continue to retain the Personal Data, in whole or in part, for certain purposes, as expressly required by specific law provisions (e.g. the obligation to keep accounting records for 10 years pursuant to Section 2220 of the Italian Civil Code) or to exercise or defend a right in a proceeding (e.g. in case of possible claims concerning the activities carried out by the Controller).
5. Disclosure of personal data
Personal Data are accessible to the personnel of the Controller with specific responsibilities in relation to its Processing.
6. Public disclosure of personal data
Personal Data are not subject to public disclosure.
7. Transfer of personal data abroad
Personal Data may be transferred to European Union member States and to third countries outside the European Union within the purposes set forth in paragraph 1 above. Personal Data may be transferred to third countries outside the European Union only if the country to which Personal Data are transferred provides appropriate safeguards. In the lack of Data Subject rights and appropriate safeguards, Personal Data may be transferred only with the explicit Data Subject consent or if specific situations listed in article 49 of the Regulation arise.
8. Rights of the data subject
The Data Subject may at any time access the Personal Data for the purpose of correcting, deleting or limiting the use of data and, in general, of exercising the rights expressly granted by the applicable laws on the protection of Personal Data. Those rights are: to obtain confirmation of the existence of the Personal Data and to receive the data in an intelligible manner, to know the source of the data and the purposes and the methods of its Processing; to obtain the contact information of the Controller, of the data processors and of the individual or the categories of individuals the Personal Data may be disclosed to; to verify the accuracy of the Personal Data and to have them completed, updated or rectified; to ask for erasure, conversion into anonymous form or the blocking of access to Personal Data processed in violation of the law, and, in any case, to object, in whole or in part, for legitimate reasons to their Processing; to Personal Data portability, and the right to lodge a complaint with, or report or submit a claim to the Italian Data Protection Authority, where appropriate. In addition, the applicable law gives a Data Subject the right to object to Personal Data processing for the purposes set forth in point iii. of paragraph 1 of this privacy notice, and to withdraw consent to such Personal Data Processing at any moment, without affecting, however, the lawfulness of the Processing carried out by the Controller based on consent before its withdrawal.
9. Communications and exercise of the data subject’s rigths
To exercise the rights listed under paragraph 8, the Data Subject may at any time contact the Controller by sending an e-mail to firstname.lastname@example.org.