Notice on the processing of personal data pursuant to art. 13 Law 171/2018 and EU Regulation 2016/679 (GDPR)

Preamble

What is this document?
This document is the privacy notice on the processing of personal data related to the GIES website.

Why this document?
The GDPR (San Marino Law 171/2018 and EU Regulation 2016/679), in Article 13, requires that you (the data subject) be informed about the personal data being processed and by whom, to ensure that the processing is fair and transparent. Below you will find clearly listed:

  • who will process your data (Controller and Processors)
  • which personal data will be processed
  • the purposes for which personal data will be processed
  • for how long the data will be processed
  • what your rights are

Which laws does this document refer to?
This privacy notice is provided taking into account the combined provisions of:

  • Law 171/2018 on the Protection of Natural Persons with regard to the Processing of Personal Data (GDPR SM)
  • European Regulation on the Protection of Personal Data EU 2016/679 (EU GDPR)
  • Legislative Decree 196/2003, as amended by Legislative Decree 101/2018 and subsequent amendments (Italian Privacy Code)

Privacy Notice

Data Controller and Data Protection Officer
Pursuant to EU Regulation 2016/679 (“GDPR”), GRUPPO INFORMATICA E SERVIZI GIES S.r.l. (“Controller”), with registered office in via Genghettino, 11 - 47892, Acquaviva, Republic of San Marino and reachable at privacy@gies.sm, as Data Controller, informs you that it will process the personal data of users of the website www.gies.sm (hereinafter, the “Website”).
The Controller has appointed a Data Protection Officer (“DPO”), available for any information regarding the processing of personal data and the exercise of data subjects’ rights. In addition to the physical address of GIES, the DPO can be contacted at the email address dpo@gies.sm or via certified email at dpogies@legalmail.it.

Categories and types of data processed and source of acquisition
The Controller will process the personal data collected during browsing and use of the Website, including:

  • identification and personal data (e.g. first name, last name);
  • contact data (e.g. phone number and email address);
  • browsing data such as IP addresses or domain names of the devices used to connect, URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response from the server (success, error, etc.) and other parameters related to the user’s operating system and IT environment.

Hereinafter, also “Personal Data”.

The Controller guarantees that, in line with the principles of data minimization and necessity, the Personal Data collected and processed will be strictly limited to what is necessary for the purposes described below. Should the Controller acquire information that is irrelevant or unnecessary, it will refrain from using such information.
As to the source of the Personal Data, they are usually collected directly from the data subject when browsing and using the Website.

Purposes, legal basis and optional nature of processing
Personal data are collected and processed for the following purposes:

a) Website usage purposes
The Controller will process Personal Data to enable browsing of the Website and to respond to any contact requests. For this purpose, the Controller will process Personal Data pursuant to art. 6, para. 1, letter b) of the GDPR. Providing Personal Data for Website usage purposes is necessary for browsing and using the Website; without such data, it may not be possible to browse the Website or submit contact requests.

b) Compliance purposes
The Controller will process Personal Data to comply with legal obligations, regulations or national and EU legislation, including the provisions of supervisory authorities and/or judicial and/or administrative authorities. For this purpose, the Controller will process Personal Data pursuant to art. 6, para. 1, letter c) of the GDPR.

c) Defensive purposes
The Controller may process Personal Data, if necessary, to establish, exercise or defend a legal claim in court or out of court, including debt recovery. For this purpose, the Controller will process Personal Data pursuant to art. 6, para. 1, letter f) of the GDPR, as it has a legitimate interest in establishing, exercising or defending its rights.

Categories of recipients of personal data and purpose of communication
Personal Data may be shared with:

  • natural persons authorized by the Controller to process Personal Data under art. 29 of the GDPR, in light of their job duties (employees and system administrators, etc.);
  • service providers (such as IT providers, hosting providers, etc.) typically acting as Data Processors under art. 28 of the GDPR;
  • subjects, entities or authorities, acting as independent controllers, to whom the Personal Data must be communicated under legal provisions or orders from authorities.

No dissemination of Personal Data to unspecified recipients is foreseen.

Transfer of personal data
Some Personal Data may be shared with recipients located in a third country outside the European Economic Area or with an international organization. The Controller ensures that the processing of Personal Data by such recipients is carried out in compliance with the GDPR. In particular, transfers will be based on an adequacy decision of the European Commission or on the Standard Contractual Clauses approved by the European Commission, or on another appropriate legal basis, in compliance with the Recommendations 01/2020 adopted on 10 November 2020 by the European Data Protection Board.
Further information is available from the Controller or the DPO at the above contacts.

Retention of personal data
Personal Data will be retained only for the time strictly necessary to achieve the purposes for which they are collected, in compliance with the principles of data minimization and storage limitation under art. 5, para. 1, letters c) and e) of the GDPR.
In particular, Personal Data processed for Website usage purposes will be retained for the time strictly necessary to achieve those purposes, in accordance with mandatory legal retention periods.
The Controller reserves the right, in any case, to retain Personal Data, even after browsing, for the time necessary to fulfill compliance and defensive purposes.
Further information is available from the Controller and/or DPO at the above contacts.

Data processing methods
For the above purposes, Personal Data are processed using manual, IT and telematic tools, strictly related to the purposes themselves, and in any case in ways that ensure the security and confidentiality of the data, as well as compliance with legal obligations.

Rights of data subjects
Data subjects have the right to request from the Controller, at any time and where legally applicable:

  • Access to their Personal Data (and/or a copy thereof), as well as further information on the ongoing processing;
  • Rectification or updating of their Personal Data processed by the Controller, if incomplete or outdated;
  • Deletion of their Personal Data from the Controller’s databases, if they consider the processing unnecessary or unlawful;
  • Restriction of the processing of their Personal Data by the Controller, if they consider their Personal Data incorrect, unnecessary or unlawfully processed, or if they have objected to the processing;
  • The right to data portability, i.e. to obtain in a structured, commonly used and machine-readable format a copy of the Personal Data provided to the Controller, or to request transmission to another Controller;
  • The right to object to the processing of their Personal Data, based on legal grounds relating to their particular situation, which they believe should prevent the Controller from processing their Personal Data.

Requests to exercise these rights must be made in writing to the Controller or the DPO at the contacts indicated above.
In any case, if a data subject believes that the processing of their Personal Data by the Controller violates applicable law, they have the right to lodge a complaint with the Supervisory Authority for the Protection of Personal Data, pursuant to art. 77 of the GDPR, or to take appropriate legal action under art. 79 of the GDPR.

Last update: 11/13/2024