GDPR
Below is a detailed summary of the main points regarding data processing. The full text is available by clicking here.
Principles applicable to the processing of personal data
- Personal data shall be:
  - processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency");
  - collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes; further processing of personal data for archiving in the public interest, scientific or historical research or statistical purposes is not, in accordance with Article 89(1), considered incompatible with the original purposes ("purpose limitation");
  - adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimization");
  - accurate and, where necessary, kept up to date; all reasonable steps must be taken to delete or rectify in a timely manner data that are inaccurate in relation to the purposes for which they are processed ("accuracy");
  - kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed; personal data may be retained for longer periods provided that they are processed solely for archiving in the public interest, scientific or historical research or statistical purposes in accordance with Article 89(1), subject to the implementation of the appropriate technical and organizational measures required by this Regulation to protect the rights and freedoms of the data subject ("storage limitation");
  - processed in a manner that ensures appropriate security of the personal data, including protection, through appropriate technical and organizational measures, against unauthorized or unlawful processing and against accidental loss, destruction or damage ("integrity and confidentiality").
- The data controller is responsible for compliance with paragraph 1 and must be able to demonstrate it ("accountability").
Conditions for consent
- Where processing is based on consent, the data controller must be able to demonstrate that the data subject has consented to the processing of his or her personal data.
- If the data subject's consent is given in the context of a written statement that also covers other matters, the request for consent shall be presented in a manner clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. No part of such a statement that constitutes an infringement of this Regulation shall be binding.
- Data subjects have the right to withdraw their consent at any time. Withdrawal of consent does not affect the lawfulness of the processing based on the consent before its withdrawal. Prior to giving consent, the data subject shall be informed of this. It shall be as easy to withdraw consent as to give it.
- In assessing whether consent has been freely given, utmost account shall be taken of whether, among other things, the performance of a contract, including the provision of a service, is made conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
Information to be provided if personal data are collected from the data subject
- Where personal data relating to the data subject are collected from the data subject, the data controller shall provide the data subject with the following information at the time the personal data are obtained:
  - the identity and contact details of the data controller and, where applicable, its representative;
  - the contact details of the data protection officer, where applicable;
  - the purposes of the processing for which the personal data are intended, as well as the legal basis for the processing;
  - where the processing is based on Article 6(1)(f), the legitimate interests pursued by the data controller or a third party;
  - the recipients or categories of recipients of the personal data, if any;
  - where applicable, the intention of the data controller to transfer personal data to a third country or international organization, and the existence or absence of a Commission adequacy decision or, in the case of transfers under Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means of obtaining a copy of them or the place where they have been made available.
- In addition to the information referred to in paragraph 1, at the time personal data are obtained, the data controller shall provide the data subject with the following additional information necessary to ensure fair and transparent processing:
  - the period for which the personal data will be retained or, if this is not possible, the criteria used to determine that period;
  - the existence of the data subject's right to request from the data controller access to and rectification or erasure of personal data or restriction of processing concerning him or her, or to object to processing, as well as the right to data portability;
  - where the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent given before its withdrawal;
  - the right to lodge a complaint with a supervisory authority;
  - whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, whether the data subject is obliged to provide the personal data, and the possible consequences of failing to provide such data;
  - the existence of automated decision-making, including profiling as referred to in Article 22(1) and (4), and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
- Where the data controller intends to further process personal data for a purpose other than the one for which they were collected, the data controller shall, prior to that further processing, provide the data subject with information on that other purpose and any further relevant information referred to in paragraph 2.
- Paragraphs 1, 2 and 3 do not apply where, and insofar as, the data subject already has the information.
Right of rectification
The data subject has the right to obtain from the data controller, without undue delay, the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure ("right to be forgotten")
- The data subject shall have the right to obtain from the data controller the erasure of personal data concerning him or her without undue delay, and the data controller shall be obliged to erase the personal data without undue delay where one of the following grounds applies:
  - the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  - the data subject withdraws the consent on which the processing is based in accordance with Article 6(1)(a) or Article 9(2)(a), and there is no other legal basis for the processing;
  - the data subject objects to the processing under Article 21(1) and there are no overriding legitimate grounds for the processing, or objects to the processing under Article 21(2);
  - the personal data have been unlawfully processed;
  - the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the data controller is subject;
  - the personal data were collected in connection with the offer of information society services referred to in Article 8(1).
- Where the data controller has made the personal data public and is obliged under paragraph 1 to erase them, it shall, taking into account available technology and the cost of implementation, take reasonable steps, including technical measures, to inform other data controllers that are processing the personal data that the data subject has requested the erasure of any links to, or copies or replications of, those personal data.
- Paragraphs 1 and 2 do not apply to the extent that the processing is necessary:
  - for exercising the right of freedom of expression and information;
  - for compliance with a legal obligation which requires processing under Union or Member State law to which the data controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;
  - for reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) and Article 9(3);
  - for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), insofar as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing;
  - for the establishment, exercise or defense of legal claims.
Right to data portability
- The data subject shall have the right to receive the personal data concerning him or her that he or she has provided to a data controller in a structured, commonly used and machine-readable format, and shall have the right to transmit those data to another data controller without hindrance from the data controller to which the personal data were provided, where:
  - the processing is based on consent under Article 6(1)(a) or Article 9(2)(a), or on a contract under Article 6(1)(b); and
  - the processing is carried out by automated means.
- In exercising his or her right to data portability under paragraph 1, the data subject has the right to have the personal data transmitted directly from one data controller to another, where technically feasible.
- The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.
- The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
Data protection by design and by default
- Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of determining the means of processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, designed to implement data protection principles, such as data minimization, effectively and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
- The data controller shall implement appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each specific purpose of the processing are processed. This obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that, by default, personal data are not made accessible to an indefinite number of natural persons without the individual's intervention.
- A certification mechanism approved under Article 42 may be used as an element to demonstrate compliance with the requirements of paragraphs 1 and 2 of this Article.
Notification of a personal data breach to the supervisory authority
- In the event of a personal data breach, the controller shall notify the breach to the supervisory authority competent in accordance with Article 55 without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by the reasons for the delay.
- The data processor shall notify the data controller without undue delay after becoming aware of a personal data breach.
- The notification referred to in paragraph 1 shall at least:
  - describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  - communicate the name and contact details of the data protection officer or other contact point from which more information can be obtained;
  - describe the likely consequences of the personal data breach;
  - describe the measures taken or proposed to be taken by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
- Where, and insofar as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
- The data controller shall document any personal data breach, comprising the facts relating to it, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.
Notification of a personal data breach to the data subject
- When a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall communicate the breach to the data subject without undue delay.
- The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in Article 33(3)(b), (c) and (d).
- The communication to the data subject referred to in paragraph 1 is not required if any of the following conditions is met:
  - the data controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the breach, in particular measures that render the personal data unintelligible to any person who is not authorized to access them, such as encryption;
  - the data controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialize;
  - such communication would involve disproportionate effort. In that case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
- If the controller has not already communicated the personal data breach to the data subject, the supervisory authority may, having considered the likelihood of the breach resulting in a high risk, require the controller to do so, or may decide that any of the conditions referred to in paragraph 3 is met.