Privacy statement in compliance with art. 13 of Legislative Decree n. 196/2003 and following the entry into force of EU Regulation 679/2016
In compliance with article 13 of Legislative Decree 196/2003 and following the entry into force of the EU Regulation 679/2016 pursuant to provisions set forth in art. 13 of the foregoing European Regulation, this privacy statement aims at describing the methods adopted for processing personal data of the participants (hence “The Data Subject”) in order to enable the online registration to events organised and managed by Eurotraining S.r.l. Unipersonale (hence “The Controller”).
Purpose of the processing
The personal data1 of the Data Subject is being processed in the context of the Controllers commercial activity, for the following purposes:
1. subscription and participation to the Event;
2. fiscal, administrative and accounting duties strictly connected to above participation;
3. execution of specific duties prescribed by law, regulation or EU norms (such as administration of credits for Continuing Medical Education);
4. distribution free of charge of documentation relating to the Event;
5. use of the imagine and/or voice of the Data Subject as recorded during the Event, in videos, audio recordings and/or photographs of the Event published on the website and social networks of the Controller as well as on the website and the social networks of the Events, if any;
6. receipt of documentation from the Controller in order to be updated on all its projects, initiatives and events, both my means of automated tools (such as newsletters, e-mails, SMS, MMS) and by means of traditional tools (hardcopy mail and/or operator calls) in the same area of interest.
The processing of the personal data is executed, under authority of the Controller, by entities specifically commissioned, authorized and instructed for the processing as per section 30 of the Privacy Law and sections of the Data Protection Regulation, by means of manual, automated or telecom tools, with logics strictly connected to the scopes and in any case in such a way as to guarantee confidentiality and security of the personal data.
Without prejudice to the legal norms, the personal data will be kept for a period of time defined on the basis of criteria related to the nature and duration of the Event, as well as on further needs of the Data Subject.
Juridical basis for processing, nature of transfer and consequences of denial, consent by Data Subject
With reference to the purposes listed at the section 1, items 1., 2., 3., 4.,5. and 6, transfer of the personal data is mandatory and represents a necessary condition to the registration and subsequent participation to the Event and the receipt of documentation from the Controller about future projects, initiatives and events in the same area of interest. Indeed, failure to transfer will determine impossibility of registering the Data Subject to the Event and of involving him/her in any initiative of the Event or other Controller’s future projects, initiatives and events of the same area of interest; thus, the juridical base of the related processing is the full participation to the Event and the next update on the Controller’s future projects, initiatives and events of the same area of interest, as per section 6, paragraph 1, letter b) of the Data Protection Regulation.
Entities and categories of entities to which the personal data may be communicated and context of communication
With regards to the purposes of the processing as indicated above, and within the strict boundaries of pertinence to these purposes, the personal data of the Data Subject will be communicated in Italy, in the European Union or beyond the European Union, to the following entities, for the purpose of subscription and subsequent participation to the Event:
(i) to fiscal Authorities and other public Authorities, where mandatory by law or upon their request;
(ii) to financial institutions for the execution of payments related to the subscription;
(iii) to the structures and/or external companies that the Controller uses for the purpose of executing connected activities, instrumental or consequent to registration and subsequent participation to the Event (such as press services, data processing and IT consultancies, promotional activities by companies participating in the Event, mailing of the event’s program, credits for Continuing Medical Education, hotel reservations etc.);
(iv) to external consultants (e.g. for management of fiscal duties) if not designated Processors in writing.
Above entities, to whom the personal data of the Data Subject will be or may be communicated (insofar as not being designated Processors), will treat the personal data as Controllers according to the Privacy Law, in full autonomy, being completely separated from the original processing executed by the Controller.
Without the consent to communication of the personal data and to related processing, in those cases where it is foreseen as by Privacy Law, the operations which require the communication might not be executed, with consequences known to the Data Subject.
A detailed and constantly updated list of these entities, including their respective offices, is always available at the Controller’s legal office.
As mentioned before, the image or the voice of the Data Subject recorded over the course of the Event may be used in videos, audio recordings and/or photographs of the Event, published on the website and the social media of the Controller, as well as on the website and the social media of the Event itself, if any.
Whenever necessary for the execution of the contract, the personal data of the Data Subject may be transferred to countries within the European Union and/or to countries outside the European Union, in full compliance with the norms of the Privacy Law, the Data Protection Regulation, the rulings and decisions of the related data protection authority as well as the EU regulations.
In particular, where necessary, the Controller commits to complying with the norms defined by, respectively, decisions 2001/497/CE, 2004/915/CE and 2010/87/EU (according to the specific case), which oblige to the signing of so-called “typical contractual clauses” between the juridical entities involved in data processing outside of the European Union.
Rights of the Data Subject
Art. 7 Legislative Decree 196/2003 and art. 15 EU Regulation 679/2016 – Right of access to personal data and other rights
The Data Subject is entitled at any time to receive confirmation of the existence or otherwise of personal data that concern him, including where those data have not yet been recorded, and to have those data communicated in an intelligible form. The Data Subject is entitled to be informed of the source of the personal data; the purposes and methods of processing; the logic applied in the event that processing is carried out electronically; details identifying the Data Controller, the Data Processor and the representative appointed pursuant to article 5, paragraph 2 of Legislative Decree 196/2003 and to article 15 of the EU Regulation 679/2016; the entities or categories of entities whom or which the personal data may be communicated to or who or which may get to know such data. The data subject is entitled to have the data updated, rectified or, where he/she so wishes, supplemented; where data are processed in breach of the law, including data which, in light of the purposes for which they were collected or subsequently processed, do not necessarily need to be stored, to have those data deleted, made anonymous or blocked; to a statement confirming that the steps specified herein, and the contents of those steps, have been brought to the attention of parties to whom the data have been communicated or disseminated, save where this proves to be impossible or would require the use of resources that is manifestly disproportionate to the right being protected. The Data Subject is entitled to object – in whole or in part – on lawful grounds to the processing of personal data that concerns him, including where the processing is relevant to the purposes for which they were collected; to the processing of personal data that concern him in order to send advertising material or for the purposes of direct sales or to carry out market research or for the purposes of commercial communications. In particular, the data subject is entitled to ask at any time to the Data Controller the access to personal data and the rectification, erasure or limitation of the processing of data concerning him or to object to their processing, in addition to the right of data portability. Moreover, the data subject is entitled to withdraw his consent at any time without affecting the lawfulness of the processing based on the consent given before withdrawing it. The Data Subject is entitled to lodge a complaint with the supervisory Authority. Rights can be exercised by sending a notice to the e-mail address firstname.lastname@example.org.
5. Duration of the processing.
The personal data of the Subject Data shall be kept for the period of time that is strictly necessary in order to organise and manage the event and then filed in the database of the Controller.
1 As per section 4 of the Data Protection Regulation, “personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.