REGULATIONS FOR THE PROCESSING OF PERSONAL DATA
Based on the approval, on 25 May 2016, of the new EU Regulation, no. 679/2016 which aims to guarantee a uniform and homogeneous regulation on personal data protection throughout the European Union; it is noted that this Community standard constitutes a higher-level source than national standards and that, as regards Italy, it constitutes a reference standard and a parameter of legitimacy for the national legislation in force and, therefore, of the “Privacy Code in force since 01 January 2004, Legislative Decree 196/2003, with the changes introduced by Legislative Decree 101/2018, in force since 19.09.2018, (Italian legislation adaptation to EU Regulation 679_2016) This Regulation aims to make it conform to the new treatment policy legislation that runs within the “AtemporaryStudio/PR di Felluga e Punis”.
It is made clear that the innovations introduced by the EU Regulation translate into organizational, documentary and technical obligations that all the holders of personal data processing must consider in order to allow the full and conscious application of the new regulatory framework on Privacy, and for these reasons, this data controller (the “AtemporaryStudio / PR di Felluga e Punis”, henceforth referred to as “referred to above)” intends to adopt a general procedure for the implementation of the Regulation (hereinafter referred to as “GDPR”), in order to comply with the expected obligations and to demonstrate compliance with the legislation.
4. Data controlle
5. Managers of the treatment
6. Internal agents in charge of processing
7. The data processed
8. Principles relating to the processing of personal data
9. The processing of personal data
10. The processing of sensitive data
11. The processing of the data of the owner’s workforce
12. Register of processing activities
13. Impact assessment on data protection
15. Consent to the processing of data
16. Rights of the interested party
17. Procedures for exercising the rights of the interested party
18. Description of the activity – physical and virtual environments – video surveillance
19. Security measures
20. Staff training
22. Liability in case of violation of the provisions regarding Privacy
23. Communication of violations of personal data (“Data Breach”)
This privacy regulation is an instrument for the application of the Legislative Decree of 30 June 2003, n.196 (“Privacy Code”) as amended and supplemented by Legislative Decree 101/2018 and EU Regulation 2016/679, within the organization of the owner “AtemporaryStudio / PR di Felluga e Punis”; the same will be periodically updated, in line with the new regulations, case law and with the rulings of the Privacy Guarantor.
An examination of the matter as it now emerges reveals a natural change of mentality leading to the full protection of privacy, to be considered not only as a bureaucratic burden but above all as a guarantee of a substantial confidentiality. The policy on the matter, therefore, is to be read both in terms of protection of the rights of the interested parties and of the implementation of correct corporate procedures, taking into account the sensitivity of the underlying interests.
In fact, the right to privacy is a real and inviolable right of the person which is not limited to the protection of confidentiality or data protection, but extends – instrumentally – to the full realization of other rights and fundamental freedoms.
This regulation governs, within the structure of the Owner “AtemporaryStudio / PR di Felluga e Punis” the protection of persons and other subjects with regard to the processing of personal data, in compliance with and in accordance with the new supranational legislation the EU Regulation no. 679 of the European Parliament and of the Council of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free movement of such data, taking into account the legislative decree 101/2018.
The Owner “AtemporaryStudio/PR di Felluga e Punis” guarantees that the processing of data, for the protection of individuals, will be with respect for their human rights and fundamental freedoms and dignity, with particular reference to privacy, personal identity and the right to data protection personal, regardless of their nationality or residence.
The protection of individuals with regard to the processing of personal data is a fundamental right: “Every person has the right to protection of personal data concerning him or her” (article 8, paragraph 1, the EU Charter on Fundamental Rights).
The Owner “AtemporaryStudio/PR di Felluga e Punis” supports and promotes within it every awareness tool that can consolidate full respect for the right to privacy and improve the quality of its work: one of the essential tools for awareness is staff training. To ensure real knowledge of the provisions of this regulation, at the time of recruitment a copy of this documentation is issued to each employee and he/she undertakes to read and comply with its requirements.
4. DATA CONTROLLER
In general, the “owner”/person responsible for the processing of personal data is the natural person, legal person, PA and any other body, association or organization which is responsible for decisions regarding the aims, methods of processing of personal data and the tools used, including the security profile.
The “treatment” is any operation carried out with or without the aid of electronic tools concerning the collection, registration, organization, storage, consultation, processing, extraction, use, communication, dissemination, deletion, destruction of data (GDPR, article 4).
The owner of the processing of personal data pursuant to and for the purposes of the GDPR is the “AtemporaryStudio/PR di Felluga e Punis”, in the persons of the legal representatives pro tempore Giovanna Felluga and Samantha Punis, with headquarters in Trieste, via Belpoggio n. 1, p. iva / VAT number 01177710322, email: firstname.lastname@example.org —internet: www.atemporarystudio.com; phone numbers and specific addresses available on: http://www.atemporarystudio.com/contatti/
5. MANAGERS OF THE TREATMENT
For the purposes of this regulation “Manager” refers to the individual, legal person, PA and any other body, association and organisation appointed by the owner to process personal data.
In consideration of the complexity and the multiplicity of the Company’s functions, the Owner designates, as Data Processing Managers, only those who are able to put in place sufficient guarantees of suitable technical and organizational measures in such a way that the treatment meets the requirements of the Regulation and ensures the protection of the rights of the data subject (GDPR art.28).
All external subjects which carry out processing operations on the data held by the Owner “AtemporaryStudio / PR di Felluga e Punis”, on behalf and in the interest of the same, for purposes related to the exercise of its functions, are appointed “External Manager” of the data treatment, if they meet the requirements of experience , capability and reliability.
External data treatment managers are obliged to:
- Treat data lawfully, fairly and in full compliance with current legislation on privacy;
- Observe security measures and take all necessary measures that are appropriate to prevent and / or avoid disclosure or dissemination of data, the risk of destruction or loss, even accidental, unauthorized access or unauthorized processing or non-compliance with the purposes of the collection;
- Treat personal data exclusively for the purposes specified in the contract or legal obligations;
- Follow all instructions given by the data controller.
In the event of failure to comply with the aforementioned provisions, the external data treatment manager will answer directly to the Company.
The designation of the external manager is carried out by means of an “appointment document” by the data controller (Attachment 1. – Letter of appointment of the External Manager for the processing of personal data) and through the Operating Instructions included therein, to be attached to the agreements, conventions or contracts that provide for the external assignment of the processing of personal data by the Owner.
The acceptance of the appointment is a necessary condition for the establishment of the legal relationship between the parties.
6. INTERNAL AGENTS IN CHARGE OF PROCESSING
The “persons in charge” of the treatment are the (possible) individuals directly employed by the Owner “AtemporaryStudio / PR di Felluga e Punis” responsible for carrying out the processing operations of personal data within their competence within the indication of the tasks, the permitted treatment and methods
Any employee who is in charge of a specific service and who is required to carry out technical processing operations must be considered “In charge”. The appointment of the person responsible for the processing of personal data is the responsibility of the data controller and the appointment is made in writing, so as to promptly identify the duties of the person in charge and the procedures to be followed to carry out the same and the scope of the permitted processing (Attachment 2. – Letter of appointment of the person in charge of processing personal data).
The person in charge cooperates with the Owner to report any risk situations in the treatment of the data and to provide any information necessary for the performance of the functions of checking or control.
In particular, the person in charge must ensure that, in the course of processing, the data is:
- Treated in a lawful, correct and transparent manner with regard to the interested party;
- Collected and registered for specific, explicit and legitimate purposes and subsequently processed in a manner compatible with these purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which the data is processed;
- Accurate and, where necessary, updated: to take all reasonable steps to promptly delete or rectify inaccurate data for the purposes for which it is processed;
- Preserved in a form which permits identification of data subjects for a period of time not exceeding that necessary for the achievement of the purposes;
- Treated in such a way that adequate data security is ensured, including protection through appropriate organizational and technical measures, in order to avoid unauthorized or unlawful processing and loss, destruction or accidental damage.
The person in charge is bound to complete confidentiality on the data that he/she has come to know during the performance of his/her activity, committing him/herself to communicating the data exclusively to persons specified by the Owner and only in situations provided for by law.
The persons in charge must receive suitable and analytical instructions, even for homogeneous groups of functions, regarding the activities on the assigned data and the obligations to which they are required.
7. THE DATA PROCESSED
The Owner, in carrying out their functions, is able to process data even in an automated manner (totally or partially), within the following categories:
- the employee’s personal data (if it is present)
- Data of suppliers
- Data of Directors
- Data of clients
The data that is or may be processed by the Owner “AtemporaryStudio / PR di Felluga e Punis” falls into the following categories:
- Common personal data: representing any information relating to the individual, identified or identifiable.
- Sensitive data: personal data that could reveal racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership of political parties, trade unions, associations or organizations of religious, philosophical, political or union type; in addition to personal data disclosing the state of health of the individual.
8. PRINCIPLES RELATING TO THE PROCESSING OF PERSONAL DATA
Personal data is:
- Treated in a lawful, correct and transparent way with regard to the interested party;
- Collected for specific, explicit and legitimate purposes;
- Adequate, relevant and not excessive (limited) to what is necessary with respect to the objectives pursued (the “principle of data minimization”);
- Accurate and, where necessary, updated;
- Processing is permitted only if and to the extent that at least one of the following conditions applies (GDPR articles 5 and 6):
- The data subject has consented to the processing of personal data for one or more specific purposes;
- Processing is necessary for the execution of a contract of which the party concerned is a party or for the execution of pre-contractual measures taken at the request of the same;
- The processing is necessary to protect the vital interests of the data subject or of another individual;
Treatment is necessary to achieve the legitimate interest of the data controller or third parties, provided that not overridden by the interests and freedoms that require the protection of personal data.
9. THE PROCESSING OF PERSONAL DATA
“Processing” is understood to mean all operations or sets of operations, performed with or without the aid of automated processes applied to personal data or sets of personal data relating to the types indicated in article 4 of the GDPR.
The processing of data can only be carried out by the Owner, the managers and the persons in charge. Processing by unauthorized persons is not permitted.
10. THE PROCESSING OF SENSITIVE DATA
The Owner “AtemporaryStudio/PR di Felluga e Punis” may process sensitive data only when the processing is authorized by an express provision of law and in execution of contractual clauses.
In any case involving the processing sensitive data, it is necessary to verify, preliminarily and during the treatment, that the data processed is indispensable for carrying out the permitted activity and the use of anonymous data would not be sufficient.
Such processing should be carried out by procedures designed to prevent violation of the rights and fundamental freedoms and the dignity of the individual.
11. THE PROCESSING OF THE DATA OF THE OWNER’S WORKFORCE
The Owner “AtemporaryStudio/PR di Felluga e Punis” may process the data, even of a sensitive nature, of its employees for the purposes of establishing and managing work relationships of any kind.
For the processing of data related to the management of relationships (or internship or any other) with employees, specific information is provided (Attachment 3 – Information for the processing of employee data).
According to law, the Owner must take the utmost caution in the processing of personal information of employees which may reveal the state of health, sexual habits, political beliefs, trade union membership, religious, philosophical or other views and racial and ethnic origin. The processing of the employees’ sensitive data must take place according to the principles of necessity and indispensability that require minimal use of personal and sensitive data and, when it cannot be avoided, to process only that information which is indispensable for the management of the employment relationship.
The Owner, when processing sensitive data related to the health of employees, respects the principles of necessity and indispensability.
12. REGISTER OF PROCESSING ACTIVITIES
The data controller AtemporaryStudio/PR di Felluga e Punis, even though not required to do so in accordance with point 5) of article 30 of the European Regulation, chooses to establish a register, in both written and electronic format, of the processing activities carried out under their own responsibility, which will be kept updated.
This register contains the following information:
- The name and contact details of the data controller;
- The purposes of the data processing;
- The description of the categories of data subjects and of the categories of personal data;
- The categories of the processes carried out;
- The categories of recipients to whom personal data is or will be communicated;
- Indication of the security measures applied;
- Possible options for data transfers abroad;
- Indication of the time limits provided for the deletion of the different categories of data.
13. IMPACT ASSESSMENT ON DATA PROTECTION
The impact assessment of the protection of personal data processing must be carried out by the Owner when a type of data processing, given its nature, context and purpose, may pose a risk to the rights and freedoms of individuals.
The evaluation must include at least:
- A systematic description of the intended processes and the purposes of the processing, including, where applicable, the legitimate interest pursued by the Owner;
- An assessment of the necessity and proportionality of the processes in relation to the purposes;
- A risk assessment for the rights and freedoms of the interested parties;
- The measures envisaged to address risks, including safeguards, security measures and data protection mechanisms and to demonstrate compliance with this regulation and the legislation in force.
When changes in the risk represented by the activities related to the processing occur, the data controller shall, if necessary, review the impact assessment on data protection.
The Owner AtemporaryStudio/PR di Felluga e Punis, even though there is no obligation to comply with the provisions of article 35 of the European Regulations, chooses to draw up and update the impact assessment, including it in a single document together with the aforementioned Register of Treatments.
The Register of Treatments and Impact Assessment constitute Attachment no. 4 to this regulatory document.
The data controller, at the time of the collection of personal data, is required to provide the interested party, through the staff in charge, with the required information, expressed in writing, by means of appropriate tools:
- Through appropriate forms to be delivered to interested parties;
- Through notices easily visible to the public, for example through publication on the website.
The information includes:
- The purposes and methods of the data processing;
- An indication of the optional nature of the provision of data;
- An indication of the Owner;
- Data processing in special cases;
- An indication of the rights of the user, patient, client;
- The scope of the communication and dissemination of data.
(Attachment no. 3, employee information; attachment no. 4: supplier information; attachment no. 5: client information)
15. CONSENT TO THE PROCESSING OF DATA
In the processing of personal or sensitive data carried out for the pursuit of purposes other than those binding, in implementation of legal obligations or the execution of contracts, the Data Controller will organize methods for the facilitation of the expression of consent by the interested party (GDPR articles 81 and 82).
Consent must be given by the interested party by the completion of the appropriate form (Attachment No. 6 – Form for expression of consent), upon delivery and acknowledgment of the specific information.
This consent will be valid and effective until the revocation of the same: consent is validly given for the use of certain characteristics, or is made freely and specifically in reference to a clearly identified treatment which is documented in writing.
The interested party has the right to withdraw consent at any time, with the same ease with which it was expressed. The withdrawal of consent does not affect the lawfulness of the treatment based on consent before revocation.
16. RIGHTS OF THE INTERESTED PARTY
The “interested party” is the subject, the individual, to whom the data being processed refers.
The Owner “AtemporaryStudio/PR di Felluga e Punis” will implement all measures necessary to facilitate the exercise of the rights of the data subject pursuant to articles 12-22 of the GDPR.
To this end, European legislation provides that the person concerned has the right to obtain from the data controller:
- Confirmation of the existence or non-existence of personal data concerning him/her and:
- The origin of the data;
- Purposes and methods of treatment;
- The logic applied and the criteria used in electronic data processing;
- The identity details of the Owner and data controller;
- The persons and categories of persons to whom the data may be disclosed;
- The data retention period and the criteria used for the determination of this period;
- Communication of data;
- Correction, updating or integration of data;
- Erasure of data (“the right to be forgotten“);
- Transformation into anonymous form or blocking in the event that they are in violation of the law;
- Limitation of processing pursuant to article 18, letters a), b), c) and d) of the GDPR;
- Reception in a structured format, for normal and readable use, of the personal data concerning him/her;
- Propositions for opposition to the processing of data;
- A copy of the personal data being processed.
17. PROCEDURES FOR EXERCISING THE RIGHTS OF THE INTERESTED PARTY
The request for the exercise of the rights specified in Article 16 of this Regulation may be sent to:
- By the interested party directly;
- Through another individual or association to which he/she has given a proxy or power of attorney in writing;
- Through those exercising authority or guardianship.
The interested party can submit or send the request to exercise these rights through the forms provided (Attachment 7 – Form for exercising the rights of the interested party).
The person responsible for evaluating the request is the Data Controller, who decides on the admissibility of the request for access.
The request must be acknowledged within 30 days from the date of receipt of the same.
18. DESCRIPTION OF THE ACTIVITY – PHYSICAL AND VIRTUAL ENVIRONMENTS – VIDEO SURVEILLANCE
AtemporaryStudio / PR is an associated studio – which will soon take on a corporate role (at which time necessary variations will also be put in place in the present policy) – composed of professionals registered with the association of journalists. The corporate purpose is communication and consultation aimed at the world of design and contemporary art, founded precisely by Samantha Punis and Giovanna Felluga in their respective fields of press officer / creative director and artistic advice / mediation, with the clear intention of proposing a custom template approach to the world of design and contemporary art.
The Studio is situated inside a large apartment located on the first floor of the building at Via Belpoggio n. 1 in Trieste; the spaces are rented and the apartment (for the exclusive use of the office) is shared with other parties (Priamo Press Office, Giraldi Graphic Studio, RNDR Architetti); the rooms used by the Owner are autonomous and are equipped with locking mechanisms that prevent third parties from gaining access; the whole apartment, in itself, is then provided with adequate locks and security bar.
There is no video surveillance system: there is only a video intercom that does not record; the doors are equipped with safety bars. During opening hours the entrance and offices are manned by the staff.
The Owner has their own virtual environment: in particular, the website mentioned above is active and monitored and managed; the professionals use Apple computers and devices, for which access requirements and related credentials are provided. The wi-fi connection is guaranteed by Telecom; the hardware and software management function is given to an external agency (Infoera di Trieste) appointed for this purpose as data controller.
19. SECURITY MEASURES
The Owner guarantees the application of suitable preventative security measures that help to minimize the risk of destruction or loss, even accidental, of the processed data, unauthorized access or treatment which is not permitted or not consistent with the purpose of data collection.
The security measures include:
- Possible anonymisation and encryption of personal data;
- Procedures to ensure the confidentiality, integrity and availability of data processing systems and services;
- Methods to ensure timely restoration of access to personal data in the event of a physical or technical accident.
20. STAFF TRAINING
The Owner organizes training and refresher courses on the protection of privacy and protection of personal data, aimed at knowledge of the rules, the adoption of appropriate behaviour patterns and treatment procedures, and the knowledge of safety measures for data treatment and retention, identifying risks and methods to prevent data damage.
Within the offices of the Owner, uniform disclosure models are adopted as per the attachments to the present regulation which are periodically updated.
22. LIABILITY IN CASE OF VIOLATIONS OF THE PROVISIONS REGARDING PRIVACY
Failure to comply with provisions on confidentiality of personal data with the penalties provided for by the new legislation; the data controller is liable for the damage caused by his/her treatment in violation of this Regulation.
The data processor is liable for the damage caused by the treatment only if obligations under this Regulation specifically directed to him/her have not been fulfilled, or he/she has acted in a manner incompatible with or contrary to the legitimate instructions given by the Owner.
The Owner or data processor is exempt from liability only if they are able to show that the damaging event is in no way attributable to them.
23. COMMUNICATIONS OF VIOLATIONS OF PERSONAL DATA (“Data Breach”)
The communication of the violation of personal data should be made by the holder to the Privacy Guarantor within 72 hours of the knowledge of the event.
The notification must:
- Describe the nature of the violation;
- Describe the probable consequences of the violation;
- Describe the measures adopted or which it is proposed to adopt.
When the data breach presents a high risk for the rights of the individual, the holder will communicate the violation and the nature of the same to the interested party, by means of simple and clear language.
For anything not provided for in this regulation, the provisions for the protection of personal data from European Regulation 2016/679, of 27 April 2016 in addition to the Privacy Code, as applicable in relation to the changes and additions made with Legislative Decree 101/2018, effective from 19 September 2018, are applied.
This regulation will be updated following further amendments to the current regulations regarding privacy and protection of personal data.
Below is a list of the forms prepared for the purpose of the adaptation to the provisions of this regulation and of the new European legislation in the field of personal data processing:
1. Letter of appointment of the external manager for the processing of personal data
2. Appointment of the data processor
3. Information regarding data processing for employees
4. Information for the processing of data for other parties – suppliers
6. Form for the expression of consent
7. Form for exercising the rights of the interested party
8. Register of data processing and impact assessment.