Pursuant to Legislative Decree 196/03 and Regulation (EU) 2016/679
In compliance with Legislative Decree 196/2003 and Regulation (EU) 2016/679 we inform you that AIGO Srl, through its website, processes your personal data. The Italian and European privacy legislation establishes specific protections for the processing of “personal” data, which may reveal a person’s racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership in political parties, trade unions, associations, or organizations of a religious, philosophical, or political nature, as well as those that could reveal their biometric data, state of health, sex life, or judicial data. The processing of such data is permitted only with the explicit consent of the data subject, or “if necessary to fulfill legal obligations and exercise the specific rights of the data controller or the data subject in the field of employment and social security and social protection law” (Article 9 of Regulation (EU) 679/2016; Article 26 of Legislative Decree 196/03).
PURPOSES OF DATA PROCESSING
AIGO Srl assures the interested parties that the personal data collected are complete, relevant, and not excessive, and will be collected exclusively for the purposes indicated below:
- to download content;
- to send your CV using the dedicated module “Work with us”;
- to automatically send e-mail newsletters of an informational and promotional nature, without cost, concerning the activities of AIGO and its customers, in the name of and on behalf of AIGO and its customers (the user has the ability to request deletion of his data at any time by sending a request to email@example.com)
The newsletter will be sent by e-mail. You can authorize AIGO Srl to process your personal data by ticking the appropriate box.
The provision of data is optional. Refusal to provide data will make it impossible to obtain the newsletter service.
METHOD OF DATA PROCESSING
Personal data are mainly processed by automated and electronic means, for the time strictly necessary to achieve the purposes for which they were collected, by entities specifically appointed for this purpose. Specific security measures are observed to prevent the loss of data, the unlawful or incorrect use of the data, as well as any unauthorized access, allowing access only to those in charge or their responsible appointees. The list of the appointed Managers is available at the registered office of the Data Controller. The personal data acquired will be recorded onto computerized media, and managed and stored on servers owned by the Data Controller or by third parties operating under contractual agreement with the Data Controller, located at the headquarters of the third parties and managed in a secure environment with controlled access.
The logic underlying the processing of data is strictly related to the purposes listed above and the processing is based on the data gathered by AIGO Srl.
In any case, the processing of personal data will be in accordance with the law and in compliance with principles of legitimacy and fairness.
COMMUNICATION AND DISSEMINATION OF DATA
The personal data of users may be processed for the purposes specified above, by employees or associates of the Data Controller serving as appointees or managers for the processing of the personal data. Such data may also be communicated to:
- all those entities (including Public Authorities) who have access to personal data by virtue of legal or regulatory provisions.
The communication of such data will in any case be subject to the fact that the rights of the interested party are guaranteed to be protected, and any further communication or dissemination without prior express authorization is prohibited.
RETENTION OF DATA
AIGO Srl guarantees that the data collected will be kept only for the period strictly necessary for the aforesaid purposes, in a manner ensuring the proper provision of the services requested and offered through its website.
IDENTIFICATION OF THE DATA CONTROLLER
The Data Controller is AIGO Srl, Tax/VAT no. 10034470152, with registered office in Piazza Caiazzo 3, Milan, Italy; telephone +39 02 6699271 / fax: +39 02 6692648, e-mail: firstname.lastname@example.org
RIGHTS OF THE DATA SUBJECT
The interested party has the right to request access to their personal data, as well as the updating, rectification or deletion of the data, its portability, and the right to request restriction or to object to the data processing (Articles 7 et seq. of Legislative Decree 196/03, 15-21 Regulation (EU) 679/2016).
The interested party also has the right to revoke the consent given at any previous time, requesting the cancellation of their registration.
To exercise the above rights, the interested party must send a written request to one of the following addresses:
- AIGO S.r.l. Piazza Caiazzo 3, 20124 Milan, Italy, or email@example.com .
The interested party also has the right to lodge a complaint with the Supervisory Authority in the event of a presumed or ascertained violation of their legitimate rights and interests (Article 77 of Regulation (EU) 679/2016).
In any case, the Data Controller reserves the right to fully implement the above requests within and no later than the following terms:
- to take delivery of the request for purposes of processing – 10 working days;
- to process the request – 15 working days from taking delivery of the request.
The Data Controller will communicate the completion of the requested procedure to the interested party in writing.
CONSENT OF THE INTERESTED PARTY FOR THE PROCESSING, COMMUNICATION, AND DISSEMINATION OF THEIR PERSONAL DATA
The interested party, by ticking the authorization box for the processing of data, certifies their free consent for the Data Controller to proceed with the processing of their data as described above, as well as the communication of the data solely to expressly authorized and appointed entities.
This consent is also extended to the processing and communication of personal data pursuant to articles 9 and 10 of Regulation (EU) 679/2016, for the purposes and within the limits expressly indicated in this privacy statement.
REGULATION (EU) 2016/679
ARTICLE 15. Right of access by the data subject
- The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, to have access to the personal data and the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
- where possible, the envisaged period for which the data will be stored, or, if this is not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data, or restriction of processing personal data concerning the data subject, or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4), and, at least in such cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.
- Where personal data are transferred to a third country or an international organization, the data subject shall have the right to be informed of the existence of adequate safeguards pursuant to Article 46 relating to the transfer.
- The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
- The right to obtain a copy referred to in paragraph 3 shall not affect the rights and freedoms of others.
ARTICLE 16. Rectification and cancellation
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
ARTICLE 17. Right to erasure (“Right to be forgotten”)
- The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, where one of the following grounds applies:
- the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- the data subject withdraws the consent upon which the processing is based according to point (a) of Article 6(1) or point (a) of Article 9(2) and where there is no other legal ground for the processing;
- the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for processing, or the data subject objects to the processing pursuant to Article 21(2);
- the personal data have been processed unlawfully;
- the personal data have to be erased for compliance with a legal obligation under EU or Member State law to which the controller is subject;
- the personal data have been collected in relation to the provision of information society services referred to in Article 8(1).
- Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers who are processing the personal data that the data subject has requested that any links to, or copy or replication of their personal data be erased.
- Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
- for exercising the right to freedom of expression and information;
- for compliance with a legal obligation which requires processing by EU or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the field of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
- for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1), in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise or defense of legal claims.
ARTICLE 18. Right to restriction of processing
- The data subject has the right to obtain from the controller the restriction of the processing when one of the following applies:
- the accuracy of the personal data is contested by the data subject, and is restricted for the amount of time necessary for the controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests that their use be restricted instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required for the data subject for the establishment or defense of legal claims;
- the data subject has objected to the processing operation pursuant to Article 21(1) pending the verification whether the legitimate grounds of the data controller override those of the data subject.
- Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the EU or of a Member State.
- A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.
ARTICLE 19. Notification obligation regarding rectification or erasure of personal data or restriction of processing
The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1), and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
The controller shall inform the data subject about those recipients if the data subject requests it.
ARTICLE 20. Right to data portability
- The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used, and machine-readable format and have the right to transfer those data to another controller without hindrance from the controller to which the personal data have been provided, where:
- the processing is based on consent pursuant to point (a) of Article 6(1), or point (a) of Article 9(2), or on a contract pursuant to point (b) of Article 6(1); and
- the processing is carried out by automated means.
- In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data directly transmitted from one controller to another, where technically feasible.
- The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
ARTICLE 22. Automated individual decision-making, including profiling
- The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her, or similarly significantly affects him or her.
- Paragraph 1 shall not apply where the decision:
- is necessary for entering into, or performance of, a contract between the data subject and a data controller;
- is authorized by EU or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the subject’s rights and freedoms and legitimate interests;
- is based on the subject’s explicit consent.
- In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
- The decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.
LEGISLATIVE DECREE 196/03
ARTICLE 7. Right of access to personal data and other rights
- The interested party has the right to obtain confirmation of the existence or otherwise of personal data concerning him or her, even if not yet recorded, and their communication in intelligible form.
- The interested party has the right to obtain indication of:
- the origin of the personal data;
- the purposes and methods of processing;
- the logic applied in case of processing carried out with the aid of electronic tools;
- the identity of the controller, the managers, and the designated representative pursuant to paragraph 2 of Article 5;
- the entities or categories of entities to whom the personal data may be communicated or who may learn about them as appointed representatives in the territory of the State or as managers or agents.
- The interested party has the right to obtain:
- updating, rectification or, where the party has legitimate interests, the supplementing of the data;
- the cancellation, transformation into anonymous form, or blocking of data processed unlawfully, including data whose retention is unnecessary for the purposes for which the data were collected or subsequently processed;
- certification to the effect that the operations as per letters a) and b) have been notified, including as regards their contents, to the entities to whom or which the data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected.
- The interested party has the right to object, in whole or in part:
- for legitimate reasons, to the processing of personal data concerning him or her, even if pertinent to the purpose of collection;
- to the processing of personal data concerning him or her for purposes of sending advertising materials or direct selling or for the performance of market or commercial communication surveys.
ARTICLE 8. Exercise of rights
- The rights referred to in Article 7 can be exercised by means of a request addressed without formalities to the owner or manager, including through an agent, to which appropriate response must be provided without delay.
- The rights referred to in Article 7 may not be exercised by request to the data controller or the person responsible or by an appeal pursuant to Article 145, if the processing of personal data is carried out:
- on the basis of the provisions of Decree Law No. 143 of 3 May 1991 on money laundering, converted, with amendments, by Law No. 197 of 5 July 1991 and subsequent amendments;
- on the basis of the provisions of Decree Law No. 419 of 31 December 1991 on support for victims of extortionate demands, converted, with amendments, by Law No. 172 of 18 February 1992 and subsequent amendments;
- by parliamentary committees of inquiry established under Article 82 of the Constitution;
- by a public body, other than public economic bodies, on the basis of an express legal provision, for purposes exclusively relating to monetary and currency policy, the payment system, the supervision of intermediaries and credit and financial markets, and the protection of their stability;
- pursuant to Article 24(1)(f), limited to the period during which it could cause actual and concrete prejudice to the conduct of defensive investigations or to the exercise of a judicial right;
- by providers of publicly available electronic communications services in relation to incoming telephone communications, unless this could result in an actual and concrete prejudice to the conduct of the defensive investigations referred to in Law no. 397 of 7 December 2000;
- for reasons of justice, in judicial offices of all kinds and levels, or in the High Council of the Judiciary or other self-governing bodies, or in the Ministry of Justice;
- under Article 53, without prejudice to Law No. 121 of 1 April 1981.
- The Guarantor, also upon notification by the interested party, in the cases referred to in paragraph 2, letters a), b), d), e) and f), shall provide in the manner referred to in Articles 157, 158 and 159 and, in the cases referred to in letters c), g) and h) of the same paragraph, shall provide in the manner referred to in Article 160.
- The exercise of the rights referred to in Article 7, when it does not concern objective data, may take place unless it concerns the rectification or integration of personal data of an evaluative nature, relating to judgments, opinions, or other subjective evaluations, or it concerns the indication of conduct to be implemented or decisions being taken by the data controller.
ARTICLE 9. Modalities of operation
- The request addressed to the owner or manager may be sent by registered letter, fax or e-mail. The Guarantor can identify another suitable system with reference to new technological solutions. Where it concerns the exercise of the rights referred to in article 7, paragraphs 1 and 2, the request may also be made orally and in this case is noted in summary form by the manager or their agent.
- In exercising the rights referred to in Article 7, the interested party may confer, in writing, by delegation or power of attorney, with natural persons, entities, associations, or bodies. The person concerned may also be assisted by a person of his or her choice.
- The rights referred to in Article 7 concerning personal data relating to deceased persons may be exercised by those who have an interest of their own, or act to protect the person concerned, or for family reasons worthy of protection.
- The identity of the interested party is verified on the basis of suitable elements of evaluation, or also by means of available deeds or documents, or by producing or attaching a copy of an identification document. The person acting on behalf of the interested party shall produce or attach a copy of the power of attorney or proxy, which shall have been signed by the data subject in the presence of an agent for the processing, or shall be signed and produced jointly with a copy of an identification document, which shall not have to be certified true pursuant to law.
- The request referred to in Article 7(1) and (2) shall be made freely and without constraint and may be renewed, subject to the existence of justified reasons, at intervals of not less than ninety days.