Conditions of use of the site and protection of privacy

EU REGULATION 2016/679 – GDPR (HEREINAFTER “THE REGULATION”)

  1. FUNDAMENTALS OF LAWFULNESS OF THE PROCESSING

The European regulation confirms that each processing operation must be based on an appropriate legal basis; the bases of lawfulness of the processing are indicated in art. 6 of the regulation and coincide, in principle, with those currently provided for by the legislation (consent, fulfillment of contractual obligations, vital interests of the person concerned or of third parties, legal obligations to which the owner is subject, public interest or exercise of public authority, overriding legitimate interest of the owner or third parties to whom the data are communicated).

For the particular categories of data (art. 9 of the regulation), consent MUST be “explicit”; the same applies to consent to decisions based on automated processing (including profiling – art. 22).

  • Overriding legitimate interest of a data controller or a third party:

The balance between the legitimate interest of the owner or third party and the rights and freedoms of the interested party is not the responsibility of the Authority but is the responsibility of the owner himself; it is one of the main expressions of the “accountability” principle introduced by the new data protection package.

The legitimate interest of the owner or third party must prevail over the fundamental rights and freedoms of the interested party to constitute a valid basis of lawfulness.

The regulation explicitly clarifies that the legitimate interest of the owner does not constitute a suitable legal basis for processing carried out by public authorities in execution of their respective tasks.

  1. INFORMATION NOTICES
    • Contents of the information:

The contents of the information are listed exhaustively in articles 13, paragraph 1 and 14, paragraph 1 of the regulation.

The User’s personal data are used by the www.wavewashing.com website of the company Blugenia srl, located in Pula (HR), whose Legal Representative is Francesco Mastrorillo. The data controller is Cosima Larosa, in compliance with the principles of protection of personal data established by the GDPR 2016/679 Regulation.

  • Disclosure times:

In the case of personal data not collected directly from the interested party (Article 14 of the regulation), the information must be provided within a reasonable time that cannot exceed 1 month from collection, or at the time of communication of the data (to third parties or to the interested party).

  • Method of disclosure:

The information is given in electronic format. Furthermore, this information (specifically governed by articles 13 and 14 of the regulation) is provided to the interested party before the data is collected.

  1. RIGHTS OF THE INTERESTED PARTIES

The deadline for replying to the interested party, for all rights (including the right of access) is 1 month, which can be extended up to 3 months in particularly complex cases; the owner must in any case give a reply to the interested party within 1 month of the request, even in case of refusal.

It is up to the data controller to evaluate the complexity of the response to the interested party. The reply to the interested party must usually be in writing, including through electronic means that facilitate accessibility; it can be given orally provided that the identity of the interested party is proven by other means (Article 12, paragraph 1; see also Article 15, paragraph 3). The answer given to the interested party must not only be “intelligible”, but also concise, transparent and easily accessible, and must use simple and clear language.

  • Right of Access (Article 15):

The right of access provides in any case the right to receive a copy of the personal data being processed.

The information that the owner must provide does not include the “methods” of processing. The data retention period is limited to the time necessary for the execution of the contractual relationship and for the fulfillment of legal obligations.

  • Right of cancellation (right to be forgotten art.17):

The so-called right to be forgotten is configured as a right to the cancellation of one’s personal data in an enhanced form. Owners who have made the personal data of the interested party public, for example by publishing them on a website, are obliged to inform other owners who process the deleted personal data of the cancellation request, including the request to delete any link, copy or reproduction (see Article 17, paragraph 2).

The right of cancellation of the regulation has a wider field of application than that referred to in art. 7, paragraph 3, letter b) of the Privacy Code, since the interested party has the right to request the cancellation of their data, for example, even after revocation of consent to the processing (see Article 17, paragraph 1).

  • Right to limit the processing (Article 18):

This is a different and more extensive right than the “blocking” of the processing pursuant to art. 7, paragraph 3, letter a), of the Privacy Code: it can be exercised both in the case of violation of the conditions of lawfulness of the processing (as an alternative to the cancellation of the data), and if the interested party requests the rectification of the data. Pending this rectification by the owner, the interested party may oppose the processing pursuant to art. 21 of the regulation.

Excluding conservation, any other processing of the data whose limitation is requested is prohibited unless certain circumstances occur (consent of the interested party, verification of rights in court, protection of the rights of another natural or legal person, relevant public interest).

  1. OWNER, CO-CONTROLLER, RESPONSIBLE, AUTHORIZED FOR THE TREATMENT

The regulation governs the co-ownership of the processing (art. 26) and requires the holders to specifically define their respective areas of responsibility and tasks, with particular regard to the exercise of the rights of the data subjects, who in any case have the possibility of contacting any of the data controllers operating jointly.

  1. RISK BASED APPROACH AND MEASURES OF RESPONSIBILITY (ACCOUNTABILITY) OF OWNERS AND MANAGERS

The regulation strongly emphasizes the responsibility (“accountability” in the English sense) of owners and managers, that is, the adoption of proactive behaviors that demonstrate the concrete adoption of measures aimed at ensuring the application of the regulation.

The security measures adopted guarantee a level of security adequate to the risk of the processing. In particular, Bluegenia srl implements the following technical, physical and organizational measures to protect the User’s personal data from accidental or unauthorized destruction, from accidental loss or alteration, from unauthorized use, modification, disclosure or access, and from all other forms of illegal processing.

  • Availability

The Service uses the extensive features of the Server environment to ensure high availability, such as full redundancy, load balancing, automatic scaling capacity and continuous data backup.

No personal data is permanently saved outside the Bluegenia srl server platforms. Physical security is managed by Cosima Larosa.

  • Integrity

To ensure integrity, all data transfers are encrypted following best practices for protecting confidentiality and data integrity.

  • Confidentiality

All personnel authorized to process data are subject to a confidentiality obligation.

  • Transparency

The Data Controller will always keep the User informed of changes in the privacy protection and data security processes, including practices and policies. At any time it is possible to ask for information on where and how the data is saved, used and protected.

  • Isolation

Access to personal data is limited to individually authorized personnel. The security and privacy officer issues the permissions and keeps a record of the permissions provided.

  • Personal Data Breach Notification

In the event that the User’s data are compromised, Bluegenia srl will inform the User and the supervisory authorities within 72 hours by email, with information on the extent of the violation, the data concerned, any impacts on the Service, and the measures aimed at making the data safe and limiting any adverse effects on personal data.

“Personal data breach” means a security breach that leads to the accidental or illegal destruction, loss or alteration of, or the unauthorized disclosure of or access to, personal data transmitted, stored or otherwise processed in connection with the provision of the Service.

  1. DATA COLLECTED AND PURPOSE

Like all websites, this site also makes use of log files in which information collected in an automated manner is stored during user visits. The information collected could be the following:

  • internet protocol (IP) address;
  • type of browser and device parameters used to connect to the site;
  • name of the internet service provider (ISP);
  • date and time of visit;
  • web page of origin of the visitor (referral) and exit;
  • possibly the number of clicks.

The aforementioned information is processed in an automated form and collected in an exclusively aggregated form in order to verify the correct functioning of the site, and for security reasons. For security purposes (spam filters, firewalls, virus detection), the automatically recorded data may also include personal data such as the IP address, which could be used, in accordance with applicable laws, in order to block attempts to damage the site itself or to cause damage to other users, or in any case activities that are harmful or constitute a crime. These data are never used for the identification or profiling of the User, but only for the purpose of protecting the site and its users (such information will be treated on the basis of the legitimate interests of the owner).

If the site allows the insertion of comments, or in the case of specific services requested by the User, the site automatically detects and records some identification data of the User, including the email address. These data are voluntarily provided by the User at the time of the request to provide the service. By inserting a comment or other information, the User expressly accepts the privacy policy, and in particular agrees that the contents entered are freely disseminated to third parties.

The data received will be used exclusively for the provision of the requested service and only for the time necessary for the provision of the service.

Information that users of the site choose to make public through the services and tools made available to them is provided by the User knowingly and voluntarily, exempting this site from any responsibility for any violations of the laws. It is up to the User to verify that they have permission to enter personal data of third parties or content protected by national and international regulations.

The data collected by the site during its operation are used exclusively for the purposes indicated above and kept for the time strictly necessary to carry out the specified activities. In any case, the data collected by the site will never be provided to third parties, for any reason, unless it is a legitimate request by the judicial authority and only in the cases provided for by law.

  • Place of processing

The data collected by the site are processed at the headquarters of the Data Controller and at the web hosting datacenter, which is responsible for the processing and processes the data on behalf of the owner; it is located in the European Economic Area and acts in accordance with European standards.