DATA PROCESSING INFORMATION
REGULATION (EU) No 679/2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
M.A.C. 200 srl processes the data in compliance with the provisions of European Regulation 679/16 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
Pursuant to articles 13 and 14 of the above mentioned regulation, information is provided regarding the identification data of the data controller and the data controller in relation to the processing of personal data relating to contracts and the provision of services.
The owner of the data treatment is M.A.C. 200 srl.
The person in charge of data processing is Mr. Marchisio Pier Antonio.
Type of data processed
The data provided and processed by. are:
- Administrative, accounting
Purpose of treatment
We inform you that the personal data, provided directly by the person concerned and/or collected by M.A.C. 200 srl are processed for purposes related to the provision of the service subject of the contract
The data provided to the Owner to provide the services available are processed lawfully and fairly, are also collected and recorded for specific purposes, explicit and legitimate further specified and are used in processing operations that are not incompatible with these purposes
The personal data ( personal identification data such as, for example: name and surname, company name, fiscal code and VAT number, address, telephone / fax, e-mail, bank and payment references ) are collected and processed:
To carry out customer relations activities on the basis of pre-contractual and contractual agreements;
For administrative, fiscal or accounting purposes related to the customer – supplier relationship and to fulfill the obligations generally imposed on the Owner by laws or regulations, by Community legislation, by requests of judicial authorities or to exercise the rights of the Owner (such as the right of defense in court).
Modalities of treatment and access to data
The data collected through the signing of standard contracts in analog format are processed both in paper form and with computer and telematic tools and may be processed in aggregate for statistical purposes and verification of quality standards of assistance and maintenance services, excluding in this case the processing of identification data.
The data are accessible exclusively by persons in charge, suitably trained and informed about their duties and the activities they are allowed on the data collected, who work on behalf of M.A.C. 200 srl and who are recipients of instructions and tasks given by the person in charge of processing, by means of a letter of appointment
The data controller will process the data for the purposes indicated above, pursuing his own legitimate interests that do not prevail over the interests or rights and freedoms of the data subject.
Scope of communication and possible dissemination
Customer and client data may be communicated to public authorities or operators of a public service when submitting applications to participate in procedures for the selection of the contractor, for the purpose of awarding contracts or concessions for the supply of goods or services, as provided for by public procurement legislation, for purposes of technical qualification.
The data relating to the contract and service activity may be communicated to commercial consultants for administrative and accounting purposes and to lawyers for any management of disputes.
Data may also be communicated to police or judicial authorities for the purpose of investigating or prosecuting criminal offences committed by the users of telematic services, where necessary.
The data are not subject to dissemination, except for data from enterprises and companies for purposes of commercial reference.
The data may be processed in order to identify certain characteristics of certain types of recipients in order to convey the activities of communication and advertising aimed at the interests of the recipients themselves
Retention of personal data
M.A.C. 200 srl will keep the data of the interested parties in a form that allows their identification for a period of time that does not exceed the achievement of the purposes for which the data were collected; they will therefore be kept until the existence of the contractual relationship in place.
The data strictly necessary for the fiscal and accounting fulfilments, since the purpose for which they were collected has ceased to exist, will be kept for a period of 10 years, as required by the regulations on the subject.
The interested party has the right to request, at any time, the modification of the structures governed by this paragraph through the exercise of the rights referred to in the following paragraph
Rights of the data subject
The interested party may exercise the rights referred to in Articles 16 to 22 of European Regulation 679/16:
Art 16 – Right of rectification – The data subject has the right to obtain from the data controller the rectification of inaccurate personal data concerning him without undue delay. Taking into account the purposes of the processing, the person concerned has the right to obtain the integration of incomplete personal data, including by providing a supplementary statement.
Art 17 – Right to erasure – The data subject has the right to obtain from the data controller the erasure of personal data concerning him without undue delay and the data controller has the obligation to erase personal data without undue delay, if there is one of the following reasons: a) the personal data are no longer necessary with respect to the purposes for which they were collected or otherwise processed; 4.5.2016 EN Official Journal of the European Union L 119/43 (b) the data subject withdraws the consent on which the processing is based in accordance with Article 6(1)(a) or Article 9(2)(a) and if there is no other legal basis for the processing; (c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for processing, or objects to the processing pursuant to Article 21(2); (e) personal data must be deleted in order to fulfil a legal obligation under Union law or the law of the Member State to which the data controller is subject; (f) personal data have been collected in connection with the provision of information society services as referred to in Article 8(1). 2. The data controller, if it has made personal data public and is obliged, pursuant to paragraph 1, to delete them, shall take reasonable measures, including technical measures, to inform data controllers who are processing personal data of the data subject’s request to delete any links, copies or reproductions of his or her personal data, taking into account available technology and implementation costs. 3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary: (b) for the fulfilment of a legal obligation requiring the processing provided for by Union law or law of the Member State to which the data controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller; (d) for the purpose of archiving in the public interest, scientific or historical research or for statistical purposes in accordance with Article 89(1), in so far as the right referred to in paragraph 1 is likely to make it impossible to achieve the objectives of such processing or to prejudice them substantially; or (e) for the establishment, exercise or defence of legal claims.
Art. 18 – Right to limitation of processing – 1. The interested party has the right to obtain from the holder of the treatment the limitation of the treatment when one of the following cases occurs: a) the data subject disputes the accuracy of the personal data for the period necessary for the data controller to verify the accuracy of such personal data; b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests instead that their use be limited; c) although the data controller no longer needs the data for the purposes of processing, the personal data are necessary for the data subject to ascertain, exercise or defend a right in court; d) the data subject has opposed the processing pursuant to Article 21(1), pending verification of whether the legitimate reasons of the data controller over those of the data subject prevail. 2. If processing is restricted in accordance with paragraph 1, such personal data shall, except for storage, be processed only with the consent of the data subject or for the establishment, exercise or defence of judicial claims or for the protection of the rights of another natural or legal person or for reasons of substantial public interest of the Union or a Member State. L 119/44 EN Official Journal of the European Union 4.5.2016 3. A data subject who has obtained the restriction on processing pursuant to paragraph 1 shall be informed by the data controller before that restriction is lifted.
Art 19 – Right to obtain notification from the data controller in cases of rectification, erasure or deletion of personal data – The data controller shall inform each of the recipients to whom the personal data have been transmitted of any rectification, erasure or restriction of the processing carried out in accordance with Articles 16, 17(1) and 18, unless this proves impossible or involves a disproportionate effort. The data controller shall inform the data subject of these recipients if the data subject so requests.
Art. 20 – Right to portability – 1. The data subject shall have the right to receive personal data relating to him/her which are provided to a data controller in a structured, commonly used and machine-readable format and shall have the right to transfer such data to another data controller without any hindrance from the data controller to which he/she has provided them if: (a) the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) or on a contract pursuant to Article 6(1)(b); and (b) the processing is carried out by automated means. 2. In exercising their rights regarding data portability pursuant to paragraph 1, the data subject shall have the right to obtain the direct transfer of personal data from one data controller to another, where technically feasible. 3. The exercise of the right provided for in paragraph 1 of this Article shall be without prejudice to Article 17. This right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. 4. The right referred to in paragraph 1 shall not affect the rights and freedoms of others.
Art. 21 – Right to object – The data subject has the right to object at any time, on grounds relating to his/her particular situation, to the processing of his/her personal data pursuant to Article 6(1)(e) or (f), including profiling on the basis of such provisions. The owner of the treatment refrains from further processing personal data unless he demonstrates the existence of legitimate compelling reasons to proceed with the treatment that prevail over the interests, rights and freedoms of the person concerned or for the determination, exercise or defense of a right in court. 2. Where personal data are processed for the purposes of direct marketing, the data subject shall have the right to object at any time to the processing of personal data relating to him which is carried out for such purposes, including profiling insofar as it is related to such direct marketing. 3. If the data subject objects to processing for direct marketing purposes, personal data shall no longer be processed for such purposes. 4.5.2016 EN Official Journal of the European Union L 119/45 4. The right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information at the latest at the time of the first communication with the data subject. 5. In the context of the use of information society services and without prejudice to Directive 2002/58/EC, the data subject may exercise his/her right to object by automated means using technical specifications. 6. Where personal data are processed for purposes of scientific or historical research or for statistical purposes in accordance with Article 89(1), the data subject shall have the right to object, on grounds relating to their particular situation, to the processing of personal data relating to them, except where such processing is necessary for the performance of a task carried out in the public interest.
Art 22 – Right to refuse an automated process – The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or significantly affects him or her in a similar manner. 2. Paragraph 1 shall not apply where the decision: (a) is necessary for the conclusion or performance of a contract between the data subject and a data controller; (b) is authorised by Union law or law of the Member State to which the data controller is subject, which also specifies appropriate measures to protect the rights, freedoms and legitimate interests of the data subject; and (c) is based on the data subject’s explicit consent. 3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, at least the right to obtain human intervention from the data controller, to express his or her opinion and to contest the decision. 4. The decisions referred to in paragraph 2 shall not be based on the special categories of personal data referred to in Article 9(1), unless Article 9(2)(a) or (g) applies and adequate measures are in place to protect the rights, freedoms and legitimate interests of the data subject.
In this sense, the data subject shall be granted access to his/her data in order to
- Verify its veracity
- Modify them if they become inaccurate
- Supplementing them with a supplementary declaration
- Request their cancellation
- Limit the treatment
- Opposition to treatment
- The data controller is obliged to respond without unjustified reason.
Deletion of data
In compliance with the corresponding right of access to the data subject, xxx has put in place procedures for data subjects to request the erasure without undue delay of their personal data or the restriction of the processing of their personal data for the following reasons:
Because data are no longer necessary for the purposes for which they were collected
Why the data subject withdrew his/her consent
Why the data subject opposes the treatment
Because data is being processed unlawfully.
In order to exercise the rights provided for in Articles 16 to 22 of EU Regulation 679/16, the interested party must address a specific written request to M.A.C. 200 srl.