Pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 – General Data Protection Regulation (“GDPR”)
- Who is the data controller?
The Association, with a registered office in Milan, Via Solari, 9, is the data controller as regards the processing of data.
- What kind of data does the Association process?
During the execution of the Contract, the Association collects and processes the Data provided directly by the Data Subjects or by authorized third parties (e.g. employer of Data subjects), such as:
a) Biographical data: name, surname, place and date of birth, age;
b) Contact details: email address, telephone number;
c) Tax and banking data: tax code, VAT number, IBAN;
d) Data relating to the state of good health useful for the purposes of its activities, in which the owner requests to participate.
Furthermore, for the purposes identified in this Notice, the Association may collect and process particular categories of personal data (“Sensitive Data”), provided directly by Data subjects or authorized third parties (the competent doctor of the Association and / or the employers of the data subjects), such as data relating to health, in particular:
a) the body temperature measured on a daily basis at the time of access to the television and / or cinema locations.
- For what purposes are the data processed?
The Association processes the Data with manual and electronic means for the following purposes:
a) For the carrying out of negotiations and the Contract with the Association also through third parties;
b) To protect and defend the rights and interests of the Association, in particular when necessary for:
(i) Protect, assert or defend the legal rights, privacy, safety or property of the Association, its employees, agents and collaborators;
(ii) Protect the Association and its IT infrastructure from scams;
(iii) To comply with the policies of the Group to which the Association belongs;
(iv) For purposes related to risk management.
c) To comply with applicable laws and legal procedures and to respond to requests from the government authorities concerned;
d) To finalize a corporate transaction, such as a reorganization, merger, sale, joint venture, proposed or actual transfer or other disposal, in whole or in part, of the activity, assets or shares of the Association (including in relation to bankruptcy or similar proceedings). If the Association is engaged in a merger or in the transfer of all the activity or a substantial part of it, it can transfer the information on the data subjects to one or more parties to the transaction;
e) With the consent of the Data Subjects of the processing, provided directly or through third parties authorized for this purpose, to send commercial communications to the Data Subjects of the processing via email, SMS, ordinary mail and other electronic and non-electronic means of communication regarding the initiatives, products, services and events of the Association and / or association of the group to which it belongs or of third parties.
- On what legal basis are the Data processed?
For the processing of data the Association relies on the following legal bases:
a) Processing for the purposes of Paragraph 4 (a) is necessary for the implementation of the Contract, and therefore the refusal to provide the Data prevents the Association from entering into the Contract or, if already stipulated, from continuing its development;
b) Processing for the purposes of Paragraph 4 (b) is necessary for the pursuit of the legitimate interest of the Association or of third parties, and the provision of Data is mandatory (it is understood that the legitimate interest of the Association consists: in the defense of its rights and interests; in the protection and defense of the rights, privacy, security or assets of the Association, its employees, agents and collaborators; in protecting the Association and its IT infrastructure from scams; in compliance with the policies of the Group to which the Association belongs; in risk management). Therefore the refusal to provide the Data may prevent the Association from continuing the contractual relationship with the Data Subjects;
c) Processing for the purposes of Paragraph 4 (c) is necessary to fulfill a legal obligation to which the Association is subject, and the provision of Data is mandatory. Therefore the refusal to provide the Data may prevent the Association from continuing the contractual relationship with the Data Subjects;
d) Processing for the purposes of Paragraph 4 (d) is carried out on the basis of the legitimate interest of the Association and its counterparties in the execution of the Contract. The Data Subjects can oppose at any time the processing carried out on the basis of the legitimate interest of the Association as described in Paragraph 9 of this Information on Privacy;
e) Processing for the purposes of Paragraph 4 (e) is carried out with the prior consent of the interested parties, expressed on their own behalf, where applicable, and / or on behalf of authorized third parties (e.g. employers of Data subjects) for this purpose. The data subjects can revoke the consent with future effect, at any time, and the revocation of the consent does not affect the lawfulness of the processing carried out before the revocation. The Data Subjects may at any time indicate their preferred communication channel and oppose the processing with respect to some or all communication channels by contacting the Data Controller at the addresses indicated below.
For the processing of Sensitive Data, Paragraphs 4 (f) and 4 (g), the Association relies on the following purposes:
a) the need to fulfill the obligations and exercise the specific rights of the Association or of the interested parties in the field of labor law, social security and social protection;
b) the processing concerns personal data made manifestly public by the interested parties;
c) the need to ascertain, exercise or defend a right in court or whenever the judicial authorities exercise their judicial functions;
d) for reasons of public interest in the field of public health, such as protection from serious cross-border threats to health.
- Who has access to the Data?
For the purposes of the processing referred to in this Notice, only those employees to whom the Association has given the authorizations and instructions for accessing the data may have access to the Data and / or Sensitive Data, to the extent necessary for their commercial needs and in any case related to the performance of the Contract. The Association can communicate data to:
a) Third parties appointed and trained as data processors (e.g., cloud service providers, other group subjects, service providers who serve or support the activities of the Association and therefore, for example, associations that provide IT services);
b) Third parties acting as independent data controllers such as experts, consultants and lawyers of the Association, other associations of the group to which the Association belongs, an association resulting from any mergers, divisions or other transformations, service providers of the employers of the data subjects; and
c) Competent authorities, when required and permitted under applicable laws.
The Sensitive Data of the Data Subjects may be communicated only to the competent Authorities in the exercise of their respective institutional functions and to the managers of the treatment specifically appointed and instructed by the Association, who have a proven need to know such Sensitive Data for the purposes established by the Association.
- Are the data transferred abroad?
The Data could be transferred to countries within and outside the European Union and the European Economic Area, and in the latter case, to recipients who are established in countries that do not guarantee an adequate level of personal data protection according to the protection levels established by the GDPR. In the latter circumstances, the Association will adopt adequate measures pursuant to article 46 of the GDPR to protect the Data and their transfer. A list of member states can be found at the following link: https://europa.eu/european-union/about-eu/countries/member-countries_en.
In any case, the data subjects have the right to obtain a copy of the appropriate measures for the transfer of data outside the European Economic Area and of the transferred data, by contacting the Association at the address indicated in Paragraph 8 of this Notice.
In the event that the Association must communicate the Sensitive Data of the Data Subjects to other associations of the Group to which the Association belongs, the Association will only share anonymous and aggregated information with the aforementioned Group associations.
- Do the data subjects have rights regarding their data?
Data subjects have the right, at any time, with regard to their Data and Sensitive Data, to:
a) Receive confirmation that the Data and / or Sensitive Data exist or not and to be informed of their content and source, verify their accuracy and request that they be rectified, updated or modified;
b) Request that the Data / Sensitive data processed in accordance with the applicable law be deleted, made anonymous or that rules are set;
c) Oppose or request that the processing of Data and / or Sensitive Data be limited for legitimate reasons, including commercial purposes;
d) Withdraw consent to the processing of data at any time, without affecting the lawfulness of the data processing carried out before the withdrawal of consent;
e) Receive an electronic copy of the Data and / or Sensitive Data, if you wish to transfer the personal data you have provided to us to yourself or to a different provider (portability of data), where personal data are processed by automatic means and the processing is:
(i) Based on your consent; or
(ii) Necessary for the provision of the Association’s service; and
f) Submit an application to the relevant data protection supervisory authority, or to the Guarantor for the protection of personal data (“Guarantor”).
g) Revoke any consent given, at any time, without the revocation of consent jeopardizing the lawfulness of the Data processing carried out before the revocation.
The rights from point a) to f) can be exercised by contacting the Association at the address indicated in the following Paragraph 8.
In certain circumstances provided for by law, the exercise of the rights referred to in letters a) and e) could be limited, delayed or excluded with a motivated declaration by the association. In such cases, the data subjects may that the Guarantor admit that such limitation, grant or be able to request on legitimate reasons.
- How can you contact the Data Controller?
If the Data Subjects have questions about this Notice or wish to receive the updated list of the Association’s data processors, or to request information on the appropriate measures for the transfer of Data and Sensitive Data outside the European Union and the European Economic Area and / or the rights provided for in this Notice, they can contact the Association at the following email address: info: email@example.com.
- Data Retention and Processing Methods
a) The Data collected for the purposes indicated in Paragraph 4, letters a) to d) will be kept for the duration of the Contract plus the duration of the limitation period thereafter upon termination of the Contract, in compliance with the retention periods established by law, which may provide for a retention period of up to 10 years, based on the ordinary prescription period in force in Italy;
b) The Data collected for the purposes indicated in Paragraph 4, letter e) will be kept for the duration of the Contract plus another two years after termination;
c) The Sensitive Data collected for the purposes indicated in Paragraph 4, letters f) -g) will be kept for the time necessary to achieve the purposes referred to in this Notice in relation to the activities of prevention and management of the state of emergency deriving from the SARS-CoV-2 virus, so that at the expiry of the aforementioned term such data will be permanently deleted.
The Data and / or Sensitive Data of the Data Subjects will be collected and processed in oral form, by paper means and by electronic means, adopting the appropriate technical and organizational security measures necessary to guarantee their protection. In particular, the Sensitive Data of the Data Subjects will be processed in accordance with the measures established by the “Shared protocol for the protection of workers in the Cinema-Audiovisual Sector” of 7 July 2020, adopted by trade union representatives and relevant trade associations of the sector and validated by the Ministry of Labor and Social Policies.
1. to receive commercial communications via email, SMS, ordinary mail and other electronic and non-electronic means of communication regarding the initiatives, products, services and events of the Association;
2. to receive commercial communications via email, SMS, ordinary mail and other electronic and non-electronic means of communication regarding the initiatives, products, services and events of the association of the group to which the Association belongs or of third parties.
Ass. MAB, Maria Antonietta Berlusconi – Via Solari, 9 – 24044 Milano
External manager for data processing: GisellaZilembo_EventiDanza – Via Monte Cervino 11 – Dalmine (BG)