GDPR
The Protection of Personal Data
On this page you will find some information to explain how we process personal data, in compliance with the principles of clarity and transparency required by the GDPR.
What is GDPR
- The General Data Protection Regulation (GDPR) is the European Regulation that regulates the processing of personal data in Europe. It came into force on 25 May 2018 and obliges any legal entity, as part of its business activity, to ensure an adequate level of protection of personal data and to comply with its provisions.
What is meant by “Personal Data”
- Personal data is any information relating to an identified or identifiable natural person. For example, personal data includes name and surname, address, telephone number, tax code, e-mail address, photographs, profession, salary, banking details, health conditions, etc. Data referring to companies and other legal entities, such as name, registered office, VAT number, balance sheet data and company email addresses, is not personal data. The data of the natural persons who work there, such as legal representatives, employees, external professionals, etc., is personal data, however. Data is personal only when it can be traced back to a natural person. Completely anonymous data is not subject to compliance with the law.
What is the difference between “Common Data” and “Special Data”
- Personal data can be either of a common nature or of a particular nature (i.e. “sensitive data”). Both types of data are subject to GDPR compliance, but sensitive data requires a higher level of attention. Sensitive data includes data relating to health, sexual life and orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data and biometric data (art. 9 GDPR). Data relating to criminal convictions and crimes or related security measures are also considered data of a particular nature (art. 10 GDPR). All other personal data is considered common data.
What is meant by “Data Processing”
- Processing is considered to be any operation or set of operations, carried out with or without the aid of automated processes and applied to personal data or sets of personal data, such as collection, recording, organisation, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, limitation, cancellation or destruction.
The roles envisaged by the GDPR
- The GDPR distinguishes several roles that legal entities can assume in the processing of personal data. A legal entity can process the data as data controller, data processor, joint data controller or person authorized for processing.
Data Controller
- The data controller is the natural or legal person who determines the purposes and means of the processing of personal data. Each company is therefore the data controller for the processing of personal data relating to its customers, employees and suppliers. When it comes to a company, the data controller is not its legal representative, but the company itself.
Joint Data Controllers
- Two or more data controllers who jointly determine the purposes and means of the processing are joint data controllers. When it comes to companies, the data controllers are not their legal representatives, but the companies themselves.
Data Processor
- The data processor is the natural or legal person who processes personal data on behalf of a data controller. When a company entrusts activities involving the processing of personal data to an external supplier (e.g. employment consultants, accountants, IT service providers, hosting providers, etc.), the latter assumes the role of data processor. Pursuant to art. 28 GDPR, a data controller can only use data processors who present sufficient guarantees to implement adequate technical and organizational measures. The relationship between data controller and data processor must also be regulated by a contract (Data Processing Agreement) or by another suitable legal act in accordance with Union or Member State law. The obligation to provide information to interested parties and to guarantee them the exercise of their rights does not fall to the data processor, but only to the data controller.
Authorized for Processing
- Natural persons who operate under the direction and authority of the data controller or data processor (for example employees), and who are called upon to process personal data in carrying out their tasks and duties, are persons authorized for processing.
Tafuri Hotel s.r.l. as Data Controller
- Tafuri Hotel s.r.l. is the data controller when it processes personal data on its own behalf and for purposes determined by it. For example, Tafuri Hotel s.r.l. processes as data controller the personal data of its customers and suppliers, natural persons, for accounting purposes and to execute the respective contracts. Likewise, Tafuri Hotel s.r.l. processes the personal data of its employees as data controller, for purposes related to the correct execution of employment contracts, compliance with safety regulations, training, etc.
What are the rights of interested parties with reference to their personal data?
- The interested party has the right to ask the data controller at any time to know the personal data concerning him that are processed by the latter, pursuant to art. 15 EU Reg. 2016/679. He also has the right to demand the rectification of inaccurate data concerning him and the integration of incomplete data, pursuant to art. 16 EU Reg. 2016/679. The interested party has the right to the deletion of data that are no longer necessary for the purpose for which they are processed, of those processed on the basis of his consent when the latter is revoked, of those unlawfully processed, etc. To find out the other cases in which deletion can be obtained, the interested party can refer to art. 17 EU Reg. 2016/679. The interested party has the right to obtain the limitation of the processing of his data in the cases described in art. 18 EU Reg. 2016/679, the portability of his data in the cases described in art. 20 EU Reg. 2016/679, as well as the right to object to his data being processed in the legitimate interest of the data controller or on the basis of a public interest, as permitted by art. 21 EU Reg. 2016/679. In the event that the interested party believes there has been a violation in the processing of his data, he may file a complaint with the Guarantor Authority for the processing of personal data. The interested party may revoke at any time any consent given for the processing of his personal data for marketing purposes, without this entailing any prejudicial consequences or preventing the execution of the contract.
Form for exercising privacy rights
- Click on the following button to download the form for exercising your privacy rights, fill it in with your requests and send it to the email address info@fontedil.com or by certified email to tafurisrl2019@pec.it