Privacy Policy

INFORMATION ON THE PROCESSING OF PERSONAL DATA

This information is provided pursuant to Article 13 of Legislative Decree no. 196 of 30 June 2003 and subsequent amendments (the Personal Data Protection Code), as well as pursuant to Article 14 of Regulation (EU) 2016/679 (GDPR).

We inform you that the personal data you provide will be processed in compliance with the principles of protection established by the Personal Data Protection Code and subsequent amendments, as well as with all European and national legislative interventions and/or measures of the Supervisory Authorities also subsequent to the signing of this Information Notice.

To better understand this Policy, the link below refers to Article 5 of the GDPR, which provides a list of useful definitions.

(See Article 5 of the GDPR, at the bottom of the page)

1. PURPOSE OF PROCESSING

The processing is necessary and functional for the use of the www.millergroup.it website.

The purpose is to allow users to contact Miller Group S.r.l directly, to be able to obtain more information about the services it offers, to be able to apply for a job position within the company or to request the receipt of an informative newsletter specially prepared for users.

The processing of the Data is necessary in order to deal with the requests received from the users of the website and to allow Miller Group S.r.l to answer any questions, to contact possible new candidates or clients or to send the informative newsletter to the users who request it.

2. TYPE OF DATA COLLECTED AND PROCESSED

Users are informed that the Personal Data collected and processed are qualified as personal identification data.

In order to contact Miller Group S.r.l directly, the following personal data will be compulsorily requested from each user:

  • first name;
  • surname;
  • personal e-mail address;
  • city of residence.

Any refusal to provide such data will result in the impossibility of contacting us. Required fields are marked with an asterisk (*).

The following personal data may also be optionally entered in order to facilitate better communication:

  • personal telephone number;
  • address of residence.

In order to apply for a job position within Miller Group S.r.l, on the other hand, the following personal data will be compulsorily requested from each user:

  • first name;
  • surname;
  • personal e-mail address;
  • personal telephone number;
  • province of residence.

Refusal to provide this data will result in the impossibility of contacting us. Required fields are marked with an asterisk (*).

In order to receive Miller Group S.r.l's informative newsletter, the following data will be compulsorily requested from each user:

  • first name;
  • surname;
  • personal e-mail address.

Any refusal to provide such data will result in the impossibility of receiving the informative newsletter. Mandatory fields are marked with an asterisk (*).

3. DATA CONTROLLER, DATA PROCESSORS AND APPOINTEES

The data controller is Miller Group S.r.l, in the person of its legal representatives pro tempore, with registered office in Francolino (Milan), via dell’Industria n. 1, VAT no. 07204280965, PEC: miller@legalmail.it, e-mail: info@millerconsulenze.it.

4. PROCESSING METHODS

The personal data provided will be processed at the registered office of Miller Group S.r.l, in 20074 – Francolino (MI), via dell’Industria n. 1, using analogue procedures in the manner and within the limits necessary to pursue the aforementioned purposes and will be stored at the same office.

Users are also informed that the personal data provided will be processed with the use of computerised procedures in the manner and within the limits necessary to pursue the aforementioned purposes. To this end, we inform you that the Data Controller uses mail.google.com (Gmail) in order to process the requests received.

5. STORAGE PERIOD

We inform you that the Data provided will be processed and stored by the Data Controller for the purposes strictly related to the possibility of processing requests received from users or in order to contact possible candidates.

Once the customers/candidates have been contacted, the data will be kept for a period of 60 days. At the end of this period the data will be deleted.

6. USERS’ RIGHTS

Users may at any time exercise their rights vis-à-vis the Data Controller pursuant to Legislative Decree 193/2006 and Regulation (EU) 2016/679.

For the sake of completeness, all rights as enshrined in the GDPR are listed below.

A. DATA SUBJECT’S RIGHT OF ACCESS – Art. 15 Regulation (EU) 2016/679

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data relating to him/her are being processed and, if so, to obtain access to the personal data and to the following:

a) the purposes of the processing;

b) the categories of personal data concerned;

c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular if they are recipients in third countries or international organisations;

d) where possible, the period for which the personal data will be retained or, if that is not possible, the criteria used to determine that period;

e) the existence of the right of the data subject to request from the controller the rectification or erasure of personal data concerning him or her or to object to the processing of personal data concerning him or her;

f) the right to lodge a complaint with a supervisory authority;

g) where the data are not collected from the data subject, all available information as to their source;

h) the existence of an automated decision-making process, including profiling as referred to in Article 22(1) and (4) and, at least in such cases, meaningful information on the logic used, as well as the importance and the envisaged consequences of such processing for the data subject.

Where personal data are transferred to a third country or an international organisation, the data subject shall have the right to be informed of the existence of appropriate safeguards within the meaning of Article 46 relating to the transfer.

The data controller shall provide a copy of the personal data being processed. If further copies are requested by the data subject, the controller may charge a reasonable fee based on administrative costs. If the data subject makes the request by electronic means and unless otherwise specified by the data subject, the information shall be provided in a commonly used electronic format.

The right to obtain a copy referred to in paragraph 3 shall not infringe the rights and freedoms of others.

B. RIGHT OF RECTIFICATION – Art. 15 Reg. (EU) 2016/679

The data subject shall have the right to obtain from the controller the rectification of inaccurate personal data concerning him/her without undue delay. Taking into account the purposes of the processing, the data subject shall have the right to obtain the integration of incomplete personal data, including by providing a supplementary declaration.

C. RIGHT TO ERASURE (“RIGHT TO BE FORGOTTEN”) – Art. 17 Reg. (EU) 2016/679

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall be obliged to erase the personal data without undue delay if any of the following grounds applies:

a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

b) the data subject withdraws the consent on which the processing is based in accordance with point (a) of Article 6(1) or point (a) of Article 9(2) and if there is no other legal basis for the processing;

c) the data subject objects to the processing pursuant to Article 21(1) and there is no overriding legitimate ground for the processing, or objects to the processing pursuant to Article 21(2);

d) personal data are unlawfully processed;

e) the personal data must be erased in order to comply with a legal obligation laid down by Union law or by the Member State to which the controller is subject;

f) the personal data have been collected in connection with the offering of information society services referred to in Article 8(1).

Where the controller has made personal data public and is obliged under paragraph 1 to erase them, having regard to the available technology and the costs of implementation, the controller shall take reasonable steps, including technical measures, to inform the controllers who are processing the personal data, of the data subject’s request to erase any link, copy or reproduction of his or her personal data.

Paragraphs 1 and 2 shall not apply to the extent that the processing is necessary:

a) for the exercise of the right to freedom of expression and information;

b) for compliance with a legal obligation to which the processing is subject under Union or Member State law or for the performance of a task carried out in the public interest; or

c) for reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) and Article 9(3);

d) for archiving in the public interest, scientific or historical research or statistical purposes in accordance with Article 89(1), insofar as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the purposes of such processing; or

e) for the establishment, exercise or defence of legal claims.

D. RIGHT TO LIMITATION OF PROCESSING – Art. 18 Reg. (EU) 2016/679

The data subject shall have the right to obtain from the controller the restriction of processing, when one of the following cases occurs:

a) the data subject disputes the accuracy of the personal data, for the period necessary for the controller to verify the accuracy of such personal data;

b) the processing is unlawful and the data subject objects to the erasure of the personal data and requests instead that their use be restricted;

c) although the controller no longer needs the personal data for processing purposes, the personal data are necessary for the establishment, exercise or defence of legal claims by the data subject;

d) the data subject has objected to the processing pursuant to Article 21(1), pending verification as to whether the legitimate reasons of the controller for the processing override those of the data subject.

If the processing is restricted pursuant to paragraph 1, such personal data shall, except for storage, only be processed with the consent of the data subject or for the establishment, exercise or defence of legal claims or the protection of the rights of another natural or legal person or for reasons of substantial public interest of the Union or a Member State.

A data subject who has obtained a restriction of processing pursuant to paragraph 1 shall be informed by the controller before that restriction is lifted.

E. RIGHT TO DATA PORTABILITY – Article 20 Reg. (EU) 2016/679

The data subject shall have the right to receive in a structured, commonly used and machine-readable format personal data concerning him or her that have been provided to a data controller and shall have the right to transmit those data to another data controller, without hindrance from the data controller to whom he or she has provided them, where:

a) the processing is based on consent within the meaning of Article 6(1)(a) or Article 9(2)(a) or on a contract within the meaning of Article 6(1)(b); and

b) the processing is carried out by automated means.

When exercising his or her rights in relation to data portability pursuant to paragraph 1, the data subject shall have the right to obtain the direct transmission of personal data from one controller to another, if technically feasible.

The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. This right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The right referred to in paragraph 1 shall not affect the rights and freedoms of others.

F. RIGHT OF OPPOSITION – Article 21 Regulation (EU) 2016/679

The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her pursuant to Article 6(1)(e) or (f), including profiling on the basis of those provisions. The controller shall refrain from further processing personal data, unless he demonstrates the existence of compelling legitimate grounds for processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her carried out for such purposes, including profiling, insofar as it is related to such direct marketing.

Where the data subject objects to the processing for direct marketing purposes, the personal data shall no longer be processed for those purposes.

The right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information, at the latest at the time of the first communication with the data subject.

In the context of the use of information society services and without prejudice to Directive 2002/58/EC, the data subject may exercise his/her right to object by automated means using specific techniques.

Where personal data are processed for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1), the data subject shall, on grounds relating to his or her particular situation, have the right to object to the processing of personal data relating to him or her, except where the processing is necessary for the performance of a task carried out in the public interest.

ART. 5 GDPR

For the purposes of this Regulation, the following definitions shall apply:

Personal data: any information relating to an identified or identifiable natural person, also referred to as ‘data subject’; an identifiable person is one who can be identified, directly or indirectly, by reference in particular to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his physical, physiological, genetic, mental, economic, cultural or social identity;

Processing: any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Limitation of processing: the marking of stored personal data with the aim of limiting their processing in the future;

Profiling: any form of automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects of that person’s professional performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

Pseudonymisation: the processing of personal data in such a way that personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is stored separately and subject to technical and organisational measures to ensure that such personal data is not attributed to an identified or identifiable natural person;

Archive: any structured set of personal data accessible according to specified criteria, regardless of whether this set is centralised, decentralised or functionally or geographically dispersed;

Controller: the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria applicable to his designation may be established by Union or Member State law;

Processor: the natural or legal person, public authority, service or other body which processes personal data on behalf of the controller;

Recipient: the natural or legal person, public authority, service or other body receiving communication of personal data, whether a third party or not. However, public authorities which may receive communication of personal data in the context of a specific investigation in accordance with Union or Member State law are not considered recipients; the processing of such data by those public authorities is in accordance with the applicable data protection rules according to the purposes of the processing;

Third party: the natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons authorised to process personal data under the direct authority of the controller or processor;

Consent of the data subject: any manifestation of the data subject’s free, specific, informed and unambiguous will, whereby the data subject indicates his/her assent, by way of a statement or unambiguous affirmative action, that personal data relating to him/her be processed;

Personal data breach: a breach of security leading accidentally or unlawfully to the destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed;

Genetic data: personal data relating to hereditary or acquired genetic characteristics of a natural person that provide unambiguous information on the physiology or health of that natural person, resulting in particular from the analysis of a biological sample of that natural person;

Biometric data: personal data obtained by specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person which enable or confirm their unambiguous identification, such as facial image or dactyloscopic data;

Health-related data: personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information relating to his or her state of health;

Main establishment:

a) in relation to a controller with establishments in more than one Member State, the place of its central administration in the Union, unless decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to order the implementation of those decisions, in which case the establishment which has taken such decisions shall be deemed to be the main establishment;

b) in relation to a controller with establishments in more than one Member State, the place where its central administration in the Union is located or, where the controller does not have a central administration in the Union, the establishment of the controller in the Union where the main processing activities are carried out in the context of the activities of an establishment of the controller in so far as that controller is subject to specific obligations under this Regulation;

Representative: the natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents them in relation to their respective obligations under this Regulation;

Enterprise: a natural or legal person, regardless of its legal form, engaged in an economic activity, including partnerships or associations regularly engaged in an economic activity;

Enterprise group: a group consisting of a parent company and the companies controlled by it;

Binding Corporate Rules: the personal data protection policies applied by a controller or processor established on the territory of a Member State to the transfer or set of transfers of personal data to a controller or processor in one or more third countries, in the context of a business group or a group of undertakings carrying on a common economic activity;

Supervisory authority: an independent public authority established by a Member State in accordance with Article 51;

Supervisory authority concerned: a supervisory authority affected by the processing of personal data because:

a) the controller or processor is established on the territory of the Member State of that supervisory authority;

b) data subjects residing in the Member State of the supervisory authority are or are likely to be substantially affected by the processing; or

c) a complaint has been lodged with that supervisory authority;

Cross-border processing:

a) processing of personal data which takes place in the course of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or

b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union, but which affects or is likely to affect substantially data subjects in more than one Member State;

Relevant and reasoned objection: an objection to the draft decision as to whether or not there is an infringement of this Regulation, or whether or not the action envisaged in relation to the controller or processor complies with this Regulation, which objection clearly demonstrates the relevance of the risks posed by the draft decision with regard to the fundamental rights and freedoms of data subjects and, where applicable, the free movement of personal data within the Union;

Information society service: the service defined in Article 1(1)(b) of Directive (EU) 2015/1535 of the European Parliament and of the Council;

International organisation: an organisation and bodies governed by public international law subordinate to it or any other body established by or on the basis of an agreement between two or more States.