CONTROLLER NSR srl
Data Protection Rights?
Read Regulation 2016/679 from article 15 to article 22; under certain circumstances, by law the person has the right to:
• Request information about him/her whether we hold personal information and, if so, what that information is and why we are holding/using it. • Request access to his/her personal information (commonly known as a “data subject access request”). This enables to receive a copy of the personal information we hold about it and to check that we are lawfully processing it. • Request correction of the personal information that we hold about him/her. This enables to have any incomplete or inaccurate information we hold about he/she corrected. The person can exercise this right sending an email. • Request erasure of his/her personal information. This enables the person to ask us to delete or remove personal information where there is no good reason for us continuing to process it. The person also have the right to ask us to delete or remove his/her personal information where he/she has exercised his/her right to object to processing (see below). A person can exercise this right sending an email. • Object to processing of personal information where we are relying on a legitimate interest (or those of a third party) and there is something about particular situation which makes a person wants to object to processing on this ground. A person also has the right to object where we are processing his/her personal information for direct marketing purposes. • Object to automated decision-making including profiling, that is not to be subject of any automated decision-making by us using personal information or profiling. • Request the restriction of processing of personal information. This enables a person to ask us to suspend the processing of personal information about him/her, for example if he/she wants us to establish its accuracy or the reason for processing it. • Request transfer of personal information in an electronic and structured form to the person or to another party (commonly known as a right to “data portability”). This enables the person to take his/her data from us in an electronically useable format (.xls) and to be able to transfer his/her data to another party in an electronically useable format. If the person wants to exercise this right send an email. • Withdraw consent. In the limited circumstances where a person may have provided his/her consent to the collection, processing and transfer of personal information for a specific purpose, he/she has the right to withdraw his consent for that specific processing at any time. Once we have received notification that he/she has withdrawn the consent, we will no longer process the information for the purpose or purposes a person originally agreed to, unless we have another legitimate basis for doing so in law.
Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77 of GDPR 2016/679, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with Privacy Regulation.
If a person wants to exercise any of these rights, send an email. A person has not to pay a fee to access his/her personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if the request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from a person to help us confirm his/her identity and ensure his/her rights to access to the information (or to exercise any other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Personal data processing, performed also with the help of IT tools, has the following purposes:
1) to comply with the obligations established by law, by a regulation, by a contract, by EU legislation or by an order of the Authority (such as on Money-Laundering);
2) to fulfil the administrative, accounting and tax obligations for the products/services you purchased. The data acquired for these purposes is stored with us for the time provided for by the respective Italian regulations (ten years);
3) to make a price quotation of our products/services following your request. In this case we store data for one year;
4) to send informations we believe may be of interest to you before, during and after the purchase of our products;
5) to offer personalized and updates services to the clients during and after the purchase of our products;
6) to send by mail, e-mail, sms, promotional messages and updates on our rates and special offers;
The provision of data is:
- mandatory and therefore does not require your consent to points 1), 2) and 3 of the above list, but failure to provide it makes it impossible to execute the contract or to make a price quotation;
- optional with reference to points 4), 5), 6) of the above list and, therefore, there will be no consequences, except our inability to serve you at our best.
In addition, We apply technical and organisational security measures in order to protect data from being manipulated, destroyed or lost. We authorize you to process the personal data of our employees, external collaborators and partner in compliance with the new European Data Protection Law.
For any further information, and to assert the rights acknowledged to you by the European Regulation, you can contact:
The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.