Information pursuant to art. 13 of EU Regulation 2016/679 for the protection of personal data (GDPR)
Pursuant to art. 13 of EU Regulation 2016/679 (hereinafter "GDPR"), CRYSTART.IT (hereinafter "Owner") - with registered office in Via Val d'Elsa 47/49, Italy -, in its capacity as Data Controller personal data, in the person of the pro tempore legal representative, informs that your personal data will be processed by CRYSTART.IT itself through manual processing or electronic or automated, IT or telematic tools, with logic strictly related to the purposes listed below and, in any case, in order to guarantee the security and confidentiality of the data.
Identity and contact details of the owner and the person responsible for the protection of personal data
The Data Controller is Andrea Falaschi, in the person of the pro tempore legal representative, with registered office in Empoli.
Purpose, legal basis and lawfulness of the processing
Your personal data are processed by the Data Controller pursuant to art. 6 of the GDPR. In fact, as the aforementioned article states, for it to be lawful, the processing of your personal data should be based on consent or on other legitimate basis provided for by law, taking into account the need to comply with the legal obligation to which the Data Controller is subject or of the need to execute a contract of which you are a party or to execute pre-contractual measures adopted at your request. In the same way, the processing is lawful even if it is necessary for the pursuit of the legitimate interest of the Data Controller, provided that this does not harm the interests, rights and freedoms of your person.
The specific processing purposes and related legal bases are indicated below:
|Purpose of processing
|Legal basis of the processing
|The processing is necessary for the execution of a contract of which the interested party is a party or for the execution of pre-contractual measures adopted at the request of the same
Nature of the provision and consequences of refusal
The provision of data is mandatory for the fulfillment of legal and / or contractual obligations and for those processed for the legitimate interest of the owner.
Therefore, any refusal to provide mandatory data will result in the objective impossibility of pursuing the processing purposes referred to in this Notice (paragraph "Purpose, legal basis and lawfulness of the processing").
Categories of recipients of personal data
The personal data provided and those relating to the execution of the contractual relationship may be disclosed to third parties belonging to the following categories:
Service company for the management of the initiative in question
All subjects belonging to the categories to which the data may be disclosed will use them as "Data Processors" specifically appointed by CRYSTART.IT, pursuant to art. 28 of the GDPR or autonomous "Owners".
The data will also be processed by persons specifically authorized for processing by the Data Controller, pursuant to the GDPR. The personal data processed by CRYSTART.IT are not subject to disclosure.
Retention period of personal data
The personal data processed by CRYSTART.IT will be kept for the time necessary for the execution of the contractual relationship, as well as for that prescribed by civil, fiscal and regulatory laws. Subsequently, the data will be archived until the statutory limitation period with reference to the individual rights that can be enforced.
After these terms, your data will be anonymized or deleted, unless it is necessary to keep it for other and different purposes provided for by express provision of the law.
Below, the details of the duration of the data retention period for the purposes described above, or the criteria used to determine this period (particular data are indicated in italics):
|Category of personal data
|Final terms for cancellation
|Name, address or other personal identification elements
|12 months from the date of entry
Automated decision making
For the pursuit of the processing purposes described above, no decision is made based solely on automated processing that produces legal effects concerning you or that significantly affects your person in a similar way.
Rights of the interested party
Pursuant to and for the purposes of the GDPR, the following rights are recognized as an interested party that you can exercise towards CRYSTART.IT
a) access and confirmation that personal data concerning you is being processed or not, also in order to be aware of the processing and to verify its lawfulness as well as the correctness and updating of such data. In this case, you will be able to obtain the acceding your personal data and information, in particular those relating to the purposes of the processing, the categories of personal data in question, the recipients or categories of recipients to whom the personal data have been or will be communicated, to the retention period, etc .;
b) the rectification, where inaccurate, of the personal data concerning you, as well as the integration of the same where considered incomplete, always in relation to the purposes of the processing. During this period, the Data Controller undertakes not to present the data as certain or definitive, especially to third parties;
c) the deletion of data concerning you, where the data are no longer necessary with respect to the purposes for which they were collected. Please note that cancellation is subject to the existence of valid reasons. If the Data Controller has communicated data concerning you to other Data Controllers or Managers, it is obliged to delete them, adopting reasonable measures, including technical ones, to inform other data controllers that they are processing the personal data in question to delete any link, copy or reproduction of the same (so-called right "to be forgotten"). The cancellation cannot be performed if the processing is necessary, among other things, for the fulfillment of a legal obligation or for the performance of a task of public interest and for the ascertainment, exercise or defense of a law in court;
d) the limitation of the processing. By limitation of processing we mean, among other things, also the possibility of transferring the processed data on a system that is no longer accessible, for storage only and unchangeable. This does not mean that the data are deleted but that the Data Controller must avoid using them during the period of the relative block. This would be particularly necessary in the event that a persistent use of inaccurate and illicitly stored data could damage you. In this case, you can oppose the deletion of personal data and request that its use be limited instead. In the case of data rectification or opposition, you can request the limitation of the processing of that data for the period during which the Data Controller is carrying out the rectification or is evaluating the opposition request. A further case is due to the fact that personal data are necessary for you to ascertain, exercise or defend a right in court, but the Data Controller no longer needs it for the purposes of processing;
e) the opposition, at any time, for reasons connected to your particular situation, to the processing of personal data concerning you in cases where the processing itself is necessary for the performance of a task of public interest or connected to the exercise of public powers with which the Data Controller is invested or if the processing is necessary for the pursuit of the legitimate interest of the same or third parties. Finally, the Data Controller undertakes to refrain from processing your data, unless it proves that there are compelling legitimate reasons to proceed with the processing or to ascertain, exercise or defend a right in court;
f) the right to withdraw consent at any time without prejudice to the lawfulness of the processing based on the consent given prior to the revocation, only for the purposes whose legal basis is consent.
These rights may be exercised by contacting the Personal Data Protection Officer (RPD), also known as Data Protection Officer (DPO), by means of a request sent by registered letter with return receipt. at the following address: Via Val d’Elsa 47/49 50053 Empoli (FI), or by sending an e-mail to the e-mail address: firstname.lastname@example.org.
You may also promptly report to the DPO, through the contact details indicated above, any circumstances or events from which a personal data breach may arise, even if only potentially (i.e. any breach of security capable of causing, accidentally or unlawful, destruction, loss, modification, unauthorized disclosure or access to data), in order to allow immediate evaluation and, where necessary, the adoption of actions aimed at countering this event.
Finally, we remind you that you have the right to lodge a complaint with the Guarantor for the Protection of Personal Data or another Supervisory Authority pursuant to art. 13, par. 2, letter d) of the GDPR.
Changes to this Notice
This information may be subject to changes. We therefore recommend that you check this page regularly.