INFORMATION ON THE PERSONAL DATA PROCESSING
UPDATED ON OCTOBER 15, 2019
This Information on the processing of personal data (hereinafter, “Information“) is provided pursuant to Art.13 of Regulation(EU) no. 679/2016 (General Data Protection Regulation – hereinafter, “GDPR“).
The Data Controller is DDB S.r.l.,with registered seat in Milano, Via Savona, no. 97, VAT no. 08834110010 (hereinafter, the “Controller“).
Categories of personal data processed
The Controller will process the following categories of personal data pertaining to the visitors of the website www.ddbgroup.it (hereinafter, respectively, the “Data Subject(s)” and the “Site“):
- Browsing data
- Browsing data
Purposes of the processing and legal bases for the processing
Personal data are directly obtained from Data Subjects during their visit to the Site and will be processed for the following purposes and in accordance with the following legal bases.
Purpose Legal basis 1 Allow the Data Subject to browse the Site, obtain anonymous statistical information on its use, verify the correct functioning of the Site, carry out monitoring activities to support its security and identify actions aimed at its improvement. Legitimate interest pursued by the Controller – art.6.1(f) GDPR Comply with any legal obligation imposed upon the Controller.E.g.: to reply to administrative, Court or any other public Authorities’ request, disclosure to law enforcement Compliance with a legal obligation to which the Controller is subject – art.6.1(c) GDPR Enable the Controller to enforce its rights and deal with legal claims Legitimate interest pursued by the Controller – art.6.1(f) GDPR
With reference to the Purposes of the processing referred to in paragraphs 1., and 3. above, the following is specified:
Purpose Legitimate interest pursued 1 Allow the Data Subject to browse the Site, obtain anonymous statistical information on its use, verify the correct functioning of the Site, carry out monitoring activities to support its security and identify actions aimed at its improvement. Interest of the Controller to verify the correct functioning and security of the Site and to improve it 3 Enable the Controller to enforce its rights and deal with legal claims Interest of the Controller to enforce its legal rights in the event of complaints
Categories of recipients of the personal data
In order to fulfill the above-mentioned Purposes, the personal data of the Data Subject may also be processed by third parties other than the Controller.
Such processing will be carried out by some of these parties on behalf of the Controller (in this case, they will act as Data Processors, pursuant to Art. 28 GDPR):
- IT service providers;
- Web hosting service providers;
- Platform and Application service providers;
Information of Data Subjects may be disclosed with other parties, who will process them as independent controllers. In particular:
- Subjects and judicial or regulatory authorities, whose right of access to personal data is expressly envisaged by law, regulations, or provisions issued by the competent authorities;
Transfer of personal data outside the European Economic Area (EEA)
Personal data collected by the Controller may be transferred outside the EEA to countries that ensure an adequate level of protection, on the basis of an adequacy decision adopted by the European Commission, or of Standard Contractual Clauses approved by the European Commission, which have been adopted by the Controller.
Data retention period
The information collected by the Controller will be retained until the fulfillment of the above-described Purposes. Moreover, the Data Controller specifies the following:
- Browsing data will be retained for no more than 7 (seven) days;
- The data collected by the Controller to enforce its rights and deal with legal claims will be retained for the limitation period provided for under the Italian law, starting from the date of the collection.These terms may be extended in the event of disputes, requests made by the competent authorities or when required by the applicable law.
At the end of the above-mentioned periods for which the personal data will be retained, personal data will be deleted, or in any case made unintelligible by the Controller – for example, by technical measures which may include encryption or anonymization.
Processing of personal data
The Controller will process personal data through the adoption of adequate technical, physical and organizational measures. The Controller collects browsing information automatically through the Site. Processing operations by means of automated decision-making processes, including profiling pursuant to art. 22.1 and 22.4 of the GDPR, are not envisaged.
Failure to provide personal data
Rights of the Data Subject
Data subjects have the right to obtain from the Data Controller, where appropriate, access to their personal data as well as rectification or erasure of such data or the restriction of the processing concerning them, and to object to the processing (pursuant to Articles 15 to 22 ofthe Regulation). In order to exercise the above-mentioned rights, the Data Subject may contact the Controller at its e-mail address firstname.lastname@example.org.
Right to lodge a complaint with a supervisory authority and right to an effective judicial remedy
Data Subjects who consider that their rights under the GDPR have been infringed as a result of the processing of their personal data in non-compliance with the GDPR itself, have the right to lodge a complaint with a Supervisory Authority(as provided for under art. 77 GDPR), or to bring an action before the courts of the Member State where the Controller has an establishment, or where Data Subject has his or her residence(pursuant to art. 79 GDPR).