In accordance with current legislation (Article 13 of the General Data Protection Regulation, hereinafter also referred to as “GDPR” or “Regulation”), Altaroma S.c.p.a., with registered office in Via dell’Umiltà no. 48, 00187 Rome, VAT no. 05518911002, in the person of its legal representative pro tempore (hereinafter also referred to as the “Company” or “data controller”), provides users who may want to submit an accreditation request through the form available on accrediti.altaroma.it, in the section dedicated to media and buyer accreditation, with information on the processing of their data.
OWNER AND DATA CONTROLLER
The owner and data controller is Altaroma S.c.p.a., with registered office in Via dell’Umiltà no. 48, 00187 Rome, VAT no. 05518911002. The Company can be contacted by email at the following address: firstname.lastname@example.org
HOW TO CONTACT THE DATA PROTECTION OFFICER
The Data Protection Officer (DPO) can be reached at the following address: Altaroma S.c.p.a. – Responsabile della Protezione dei dati personali, Via dell’Umiltà n. 48, 00187 Roma, email: email@example.com.
TYPES OF DATA PROCESSED
The processed data are personal data relating to users who request accreditation and to the parties connected to them (directors or agencies).
When a user fills in the accreditation request form, his or her IP address is also recorded.
The data controller will also process the personal data listed in the Regulations concerning accreditation procedures.
PURPOSES AND LEGAL BASIS OF PROCESSING
The collected data are used solely to evaluate accreditation requests and to manage relationships with applicants.
The legal basis for the processing of data for the aforementioned purposes is represented by the following: the adoption of measures relating to the pre-contractual relationship (i.e. measures relating to the evaluation of accreditation requests) and the execution of the contract (obligations relating to the granting of accreditation and to the fulfilment of obligations).
If necessary, the data may also be used in the legitimate interest of the controller for the establishment, exercise or defence of legal claims.
PROCESSING OF DATA
The data are processed electronically and, only to a limited extent, in paper form.
In order to process the data collected through its website, the controller will use servers located in Europe and computer systems located at its headquarters. The data provided for the purposes indicated herein will not be transferred abroad.
The data controller will take adequate security measures to prevent loss, illicit or improper use of and unauthorized access to data.
The collected data shall be stored for the time strictly necessary to evaluate accreditation requests. After this storage period, the data relating to those who are not accredited shall be erased, without prejudice to the controller’s rights regarding the establishment, exercise or defence of legal claims (in which case it may be necessary to store data for a longer period).
The data relating to those accredited shall be stored for the entire duration of the initiative. This is without prejudice to the controller’s rights regarding the establishment, exercise or defence of legal claims (in which case it may be necessary to store data for a longer period).
WHAT HAPPENS IF NO DATA ARE PROVIDED?
The provision of data is optional. However, if the data subject refuses to provide data, the controller will not be able to respond to his or her request.
ACCESS TO DATA
The data will be processed by employees and collaborators authorized to process the data. The data may also be accessed by companies that supply computer services and assistance for the purposes related to the activities they carry out on behalf of the controller, by consultants and collaborators hired by the controller to evaluate requests and grant accreditation, and by legal counsels that, if necessary, provide assistance in case of litigations.
It should be noted that some of the parties indicated above act as data processors and that communication to those who act as independent data controllers is made because it is required by law or necessary to fulfil the obligations arising from the contractual relationship or to safeguard the controller’s legitimate interest to keep its computer systems secure and to defend itself with the help of legal counsels.
In any case, the communication of data shall be limited only to the categories of data whose transfer is necessary for the activities performed and the purposes pursued by the data controller.
The data subject may ask the controller to provide a list of the external parties that carry out their activities as data processors.
DATA SUBJECT’S RIGHTS
The data subject is entitled by law to ask the data controller for access to and rectification or erasure of his or her personal data and to exercise his or her right to restriction of processing, to data portability and to object.
The data subject may exercise his or her rights at any time, without any formal procedure, by contacting the controller at the following email address: firstname.lastname@example.org.
Below is a detailed description of the rights granted to the data subject by current legislation on the protection of personal data.
• Right of access, i.e. the data subject’s right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: a) the purposes of the processing; b) the categories of personal data concerned; c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations; d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; f) the right to lodge a complaint with a supervisory authority; g) where the personal data are not collected from the data subject, any available information as to their source; h) the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.
• Right of rectification, i.e. the data subject’s right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
• Right to erasure, i.e. the data subject’s right to obtain from the controller the erasure of personal data concerning him or her without undue delay where one of the following grounds applies: a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; b) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing; c) the data subject objects to the processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or necessary for the purposes of the legitimate interests pursued by the controller or by a third party, and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing for direct marketing purposes; e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; f) the personal data have been collected in relation to the offer of information society services to a child. However, a request for erasure cannot be accepted to the extent that processing is necessary: a) for exercising the right of freedom of expression and information; b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; c) for reasons of public interest in the area of public health; d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or e) for the establishment, exercise or defence of legal claims.
• Right to restriction of processing, i.e. the data subject’s right to obtain that his or personal data, with the exception of storage, only be processed with his or her consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State where one of the following applies: a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; d) the data subject has objected to the processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or necessary for the purposes of the legitimate interests pursued by the controller or by a third party, pending the verification whether the legitimate grounds of the controller override those of the data subject.
• Right to data portability, i.e. the data subject’s right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and, where technically feasible, the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or a contract and the processing is carried out by automated means. The exercise of the right to data portability shall be without prejudice to the right to erasure.
• Right to object, i.e. the data subject’s right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or necessary for the purposes of the legitimate interests pursued by the controller or by a third party. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
If the data subject considers that the processing of his or her personal data on this website is in breach of the GDPR provisions, he or she shall have the right to lodge a complaint with a supervisory authority, as provided for in Article 77 of the Regulation, or to an effective judicial remedy (Article 79 of the Regulation).