Art. 1 - Object
1. This Regulation lays down procedural measures and detailed rules to make the implementation of Regulation (EU) 2016/679 of 27 April 2016 (the General Data Protection Regulation, hereinafter "RGPD") on the protection of natural persons with regard to the processing of personal data and on the free movement of such data more functional and effective within the Association Fontevecchia, based in Spoltore (hereinafter: the Association).
Art. 2 - Data Controller
1. The Association Fontevecchia, represented for the purposes of the RGPD by its President pro tempore, is the controller of the personal data it processes, whether or not held in databases and whether in automated or paper form (hereinafter "data"). The President may delegate these functions to the Secretary.
2. The controller is responsible for compliance with the principles applicable to the processing of personal data set out in art. 5 RGPD: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality.
3. The controller implements appropriate technical and organisational measures to ensure, and to be able to demonstrate, that the processing of personal data is carried out in conformity with the RGPD. The measures are defined from the design stage and implemented so as to apply the data protection principles effectively and to facilitate the exercise of the rights set out in Articles 15-22 RGPD, together with the communications and information needed for their exercise. The operations needed to implement the measures are considered in the context of operational programming (DUP), the budget and the Peg, after a preliminary analysis of the current situation that takes into account the costs of implementation, the nature, scope, context and purposes of the processing, and the risks arising from it, of varying likelihood and severity, for the rights and freedoms of natural persons.
4. The controller takes appropriate measures to provide the data subject with:
a) the information specified in art. 13 RGPD, where the personal data are collected from the data subject;
b) the information specified in art. 14 RGPD, where the personal data have not been obtained from the data subject.
5. Where a type of processing, in particular one using new technologies, is likely to present a high risk to the rights and freedoms of natural persons, the controller must carry out an assessment of the impact of the processing on the protection of personal data (hereinafter "DPIA") pursuant to art. 35 RGPD, taking into account the nature, scope, context and purposes of the processing and the provisions of art. 9 below.
6. The controller also:
a) designates as processors the Secretaries of the individual structures that make up the organisation of the Association Fontevecchia, who are responsible for processing the data held in the databases existing within the organisation of their respective areas of competence. For the processing of data the controller may also make use of public or private entities;
b) appoints the data protection officer;
c) appoints as processors the public or private entities that carry out activities and services on behalf of the Association, in relation to databases managed by parties external to the Association under agreements, contracts, appointments or other professional or legal instruments permitted by law, for the performance of activities connected with its institutional activities (in proportion to the Association's organisational size);
d) draws up the list of the processors of the structures that make up the organisation of the Association, publishes it in a dedicated section of its website and updates it periodically.
7. Where functions and associated services are exercised jointly, and where tasks are entrusted to the Association by State or regional entities and bodies, and two or more controllers jointly determine, by agreement, the purposes and means of processing, joint controllership under art. 26 RGPD arises. The agreement defines the respective responsibilities of each controller for compliance with data protection obligations, with particular reference to the exercise of data subjects' rights and to the respective duties to provide the information referred to in Articles 13 and 14 RGPD, without prejudice to any provision of specifically applicable legislation; the agreement may designate a single contact point for data subjects.
8. The Association promotes adherence to codes of conduct drawn up by trade associations and representative professional bodies, or to approved data protection certification mechanisms, as a means of ensuring the proper application of the RGPD and of demonstrating compliance by the controller and the processors.
Art. 3 - Purposes of processing
1. Processing is carried out by the Association for the following purposes:
a) the performance of a task carried out in the public interest or in the exercise of official authority. This includes processing carried out for:
- the exercise of administrative functions affecting the population and the territory, primarily in the organic sectors of services to the person and the community, land planning and use, and economic development;
- the exercise of further administrative functions for services within State competence that are entrusted to the Association under current legislation.
The purpose of the processing is determined by the source of law governing it;
b) compliance with a legal obligation to which the Association is subject. The purpose of the processing is determined by the source of law governing it;
c) the performance of a contract with data subjects;
d) specific purposes other than those referred to in the preceding points, provided that the data subject has given consent to the processing.
Art. 4 - Data Processor
1. A single processor is appointed for all the personal-data databases existing within the organisational structure under his or her competence. The person appointed must be able to offer sufficient guarantees, in terms of specialist knowledge, experience, capability and reliability, to implement the technical and organisational measures referred to in art. 6, so as to ensure that processing is carried out in accordance with the RGPD.
2. Members of the Association who act as processors are appointed, normally by an order of the President, which lays down in detail:
- the subject matter, duration, nature and purpose of the processing or processing operations assigned;
- the type of personal data processed and the categories of data subjects;
- the obligations and rights of the controller.
These provisions may also be contained in a specific agreement or contract entered into between the controller and each designated processor.
3. The controller may entrust the processing of data, including sensitive data, to public or private entities acting as processors that offer the guarantees referred to in paragraph 1, by means of written legal acts specifying the purposes pursued, the type of data, the duration of the processing, the respective obligations and rights, and the methods of processing.
4. The acts governing the relationship between the controller and the processor must in particular include the provisions of art. 28(3) RGPD; such acts may be based on standard contractual clauses adopted by the personal data protection Authority or by the European Commission.
5. Each processor may appoint sub-processors for specific processing activities, subject to the same contractual obligations that bind the controller and the primary processor; the processing operations may be carried out only by persons who operate under the direct authority of the processor and follow the written instructions given to them, which specifically identify the scope of the permitted processing.
The processor remains liable to the controller for the work of the sub-processor, including for the purposes of compensation for damage caused by the processing, unless it proves that the harmful event is in no way attributable to it and that it adequately supervised the work of the sub-processor.
6. The processor ensures that any person acting under its authority with access to personal data has received appropriate training and instruction and has committed to confidentiality or is under an appropriate statutory obligation of confidentiality.
7. The processor carries out, within its area of competence, all the activities required by law and all the tasks entrusted to it by the controller and specified in detail in the written act of designation, and in particular:
- keeps a register of the categories of processing activities carried out on behalf of the controller;
- adopts appropriate technical and organisational measures to ensure the security of processing;
- provides awareness and training for the staff involved in the processing and in the related control activities;
- appoints the Data Protection Officer (RPD), where delegated to do so by the controller;
- assists the controller in carrying out data protection impact assessments (hereinafter "DPIA"), providing any information in its possession;
- informs the controller without undue delay upon becoming aware of a personal data breach (so-called "data breach"), so that the controller can notify the breach to the Privacy Guarantor where it considers it likely that the breach may result in risks to the rights and freedoms of data subjects.
Art. 5 - Data Protection Officer
1. The Data Protection Officer (hereinafter "RPD") is identified in the person of __________, a member of the Association.
2. The RPD may be chosen from among the members of the Association. The controller and the processor ensure that the RPD maintains his or her specialist knowledge through adequate, specific and periodic training.
Art. 6 - Security of processing
1. The Association puts in place appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art and the costs of implementation, the nature, scope, context and purposes of the processing, and the risk, of varying likelihood and severity, for the rights and freedoms of natural persons.
2. The technical and organisational security measures to be put in place to reduce the risks of processing include: pseudonymisation; minimisation; encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services that process personal data; the ability to restore the availability of and access to data promptly in the event of a physical or technical incident; and a procedure for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.
3. Technical and organisational measures that may be adopted include:
- authentication systems; authorisation systems; security systems (antivirus, firewall, intrusion detection, etc.);
- fire-prevention measures; intrusion detection systems; surveillance systems; video-surveillance protection systems; access logging; doors, cabinets and containers fitted with locks and fire-retardant materials; systems for copying and storing electronic files; other measures to restore the availability of and access to data promptly in the event of a physical or technical incident.
4. The conformity of the processing with the RGPD in the field of personal data protection is demonstrated through the adoption of the security measures or through adherence to approved codes of conduct or to an approved certification mechanism.
5. The Association and each processor are required to give appropriate instructions on compliance with these measures to anyone acting on their behalf who has access to personal data.
6. The names and contact details of the controller, of the processors and of the Data Protection Officer are published on the Association's institutional website.
7. The security measures currently provided for the processing of sensitive data for purposes of substantial public interest, under the specific implementing regulations (Articles 20-22 of Legislative Decree no. 193/2006), remain in force.
Art. 7 - Register of processing activities
1. The register of processing activities carried out by the controller contains at least the following information:
a) the name and contact details of the Association, of the President and/or of his or her delegate under art. 2 above, of any joint controller, and of the RPD;
b) the purposes of the processing;
c) a concise description of the categories of data subjects and of the categories of personal data;
d) the categories of recipients to whom the personal data have been or will be disclosed;
e) any transfer of personal data to a third country or an international organisation;
f) where established, the time limits for erasure of the different categories of data;
g) a reference to the technical and organisational security measures adopted for the processing, in accordance with art. 6 above.
2. The register is kept by the controller, or by the person delegated under art. 2, at the offices of the organisational structure, in electronic or paper form, in accordance with Schema A attached to this Regulation.
3. The controller may decide to keep a single register of processing activities containing both the information specified in the preceding paragraphs and that referred to in art. 8, replacing the two types of register governed by those articles, in accordance with Schema C attached to this Regulation.
Art. 8 - Register of categories of processing activities
1. The register of the categories of processing activities carried out by each processor referred to in art. 4 contains the following information:
a) the name and contact details of the processor and of the RPD;
b) the categories of processing carried out by each processor: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, comparison, interconnection, restriction, erasure, destruction, profiling, pseudonymisation, and any other operation applied to personal data;
c) any transfer of personal data to a third country or an international organisation;
d) a reference to the technical and organisational security measures adopted for the processing, in accordance with art. 6 above.
2. The register is kept by the processor at the offices of its organisational structure, in electronic or paper form, in accordance with Schema B attached to this Regulation.
3. The processor may decide to entrust the keeping of the register to the RPD, under the processor's own responsibility.
Art. 9 - Data protection impact assessments
1. Where a type of processing, in particular one using new technologies, is likely to present a high risk to the rights and freedoms of natural persons, the controller must, before carrying out the processing, perform an assessment of the impact of that processing on the protection of personal data (DPIA) pursuant to art. 35 RGPD, taking into account the nature, scope, context and purposes of the processing. The DPIA is a procedure that makes it possible to achieve and demonstrate the compliance of the processing in question.
2. When deciding whether to carry out a DPIA, account is taken of the lists of the types of processing that are or are not subject to assessment, as drawn up and published by the Privacy Guarantor under art. 35(4)-(6) RGPD.
3. A DPIA is carried out where there is a high risk to the rights and freedoms of natural persons. Without prejudice to art. 35(3) RGPD, the criteria by which processing operations are identified as presenting an inherently high risk are as follows:
a) evaluation or scoring, including profiling and predictive activities, concerning aspects of the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements;
b) automated decision-making with legal or similarly significant effects, i.e. processing aimed at taking decisions that produce legal effects concerning the natural person or similarly significantly affect natural persons;
c) systematic monitoring, i.e. processing used to observe, monitor or control data subjects, including data collected through networks or the systematic surveillance of a publicly accessible area;
d) processing of sensitive data or data of a highly personal nature, i.e. the special categories of personal data referred to in art. 9 RGPD;
e) data processed on a large scale, taking into account: the number of data subjects concerned, either as a specific number or as a proportion of the relevant population; the volume of data and/or the range of different data items being processed; the duration or permanence of the processing; the geographical extent of the processing;
f) matching or combining datasets in a way that exceeds the reasonable expectations of the data subject;
g) data concerning vulnerable data subjects, i.e. any data subject who is particularly vulnerable and deserving of special protection because of an imbalance of power in the relationship with the party processing the data, such as employees, persons with psychiatric disorders, asylum seekers, patients, the elderly and children;
h) innovative use or application of new technological or organisational solutions;
i) processing that in itself prevents data subjects from exercising a right or using a service or a contract.
Where a processing operation meets at least two of the above criteria a DPIA must, as a general rule, be carried out, unless the controller has justified grounds for considering that it is not likely to present a high risk; the controller may also have justified grounds for considering that a DPIA should nonetheless be carried out for a processing operation that meets only one of the above criteria.
4. The controller guarantees that the DPIA is carried out and is responsible for it. The controller may entrust the actual conduct of the DPIA to another party, internal or external to the Association. The controller must also consult the RPD when deciding whether to carry out a DPIA; this consultation and the resulting decisions taken by the controller must be documented within the DPIA. The RPD monitors the performance of the DPIA. The processor must assist the controller in carrying out the DPIA by providing any necessary information. The head of information systems security, if appointed, and/or the office responsible for the systems provide support to the controller in conducting the DPIA.
5. The RPD may propose that a DPIA be carried out in relation to a specific processing operation, collaborating in order to refine the methodology, define the quality of the risk assessment process and determine whether or not the level of residual risk is acceptable. The head of information systems security, if appointed, and/or the office responsible for the systems may propose that a DPIA be conducted in relation to a specific processing operation, with regard to security or operational requirements.
6. A DPIA is not necessary in the following cases:
- where the processing is not likely to result in a high risk to the rights and freedoms of natural persons pursuant to art. 35(1) RGPD;
- where the nature, scope, context and purposes of the processing are similar to those of a processing operation for which a DPIA has already been carried out. In this case the results of the DPIA carried out for the similar processing may be used;
- where the processing was checked by the Privacy Guarantor before May 2018 under specific conditions that have not changed;
- where the processing has its legal basis in current legislation governing that specific processing, and a DPIA was already carried out when that legal basis was defined.
It is not necessary to carry out a DPIA for processing operations that have already undergone prior checking by the Privacy Guarantor or by an RPD and that continue with the same object and in the same manner as those checked. In addition, account should be taken of the fact that authorisations of the Privacy Guarantor based on Directive 95/46/EC remain in force until they are amended, replaced or repealed.
7. The DPIA is carried out before the processing begins, through the following steps:
a) a systematic description of the context, of the envisaged processing operations and of the purposes of the processing, taking into account compliance with approved codes of conduct. The description also indicates: the personal data processed, the recipients and the envisaged retention period of the data; a functional description of the processing; and the assets involved in the processing of personal data (hardware, software, networks, people, paper or paper-based transmission channels);
b) an assessment of the necessity and proportionality of the processing, based on:
. specified, explicit and legitimate purposes;
. the lawfulness of the processing;
. data that are adequate, relevant and limited to what is necessary;
. a limited storage period;
. the information provided to data subjects;
. the rights of access and data portability;
. the rights to rectification and erasure, to object and to restriction of processing;
. relationships with processors;
. safeguards for international data transfers;
. prior consultation of the Privacy Guarantor;
c) an assessment of the risks to the rights and freedoms of data subjects, considering in particular the likelihood and severity of the risks identified. The origin, nature, particularity and severity of the risks are determined, or more specifically those of each individual risk (unauthorised access, unwanted modification, unavailability of data), from the point of view of the data subjects;
d) identification of the measures required to address and mitigate the risks, ensure the protection of personal data and demonstrate the compliance of the processing with the RGPD, taking into account the rights and legitimate interests of data subjects and other persons concerned.
8. The controller may seek the views of data subjects or their representatives, where they can be identified in advance. The absence of such consultation is specifically justified, as is any decision taken that differs from the opinion of the data subjects.
9. The controller must consult the Privacy Guarantor before proceeding with the processing if the results of the DPIA indicate a high residual risk. The controller also consults the Privacy Guarantor in the cases where the law establishes an obligation to consult and/or obtain the prior authorisation of that authority for processing carried out in the performance of tasks in the public interest, such as processing relating to social protection and public health.
10. The DPIA must also be carried out, with any necessary review of assessments already conducted, for ongoing processing operations that may present a high risk to the rights and freedoms of natural persons, where the original risks have changed in the light of the nature, scope, context and purposes of the processing.
Art. 10 - Personal data breach
1. A personal data breach (hereinafter "data breach") means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed by the Association.
2. The controller, if it considers it likely that the data breach may result in risks to the rights and freedoms of data subjects, notifies the breach to the Privacy Guarantor. The notification must be made within 72 hours and in any case without undue delay. The processor must inform the controller without undue delay after becoming aware of the breach.
3. The main risks to the rights and freedoms of data subjects resulting from a breach, in accordance with Recital 75 of the RGPD, are as follows:
- physical, material or non-material damage to natural persons;
- loss of control over personal data;
- limitation of rights, discrimination;
- identity theft or fraud;
- financial loss, economic or social damage;
- unauthorised reversal of pseudonymisation;
- damage to reputation;
- loss of confidentiality of personal data protected by professional secrecy (health, judicial).
4. If the controller considers that the risk to the rights and freedoms of data subjects resulting from the breach is high, it must inform the data subjects without undue delay, in simple and clear language, so that they understand the nature of the personal data breach that has occurred. The risks to the rights and freedoms of data subjects can be considered "high" when, for example, the breach may:
- involve a large amount of personal data and/or a large number of data subjects;
- concern special categories of personal data;
- include data that may further increase the potential risks (e.g. location data, financial data, data on habits and preferences);
- give rise to imminent risks with a high likelihood of occurring (e.g. risk of financial loss in the event of theft of credit card data);
- affect persons who may be considered vulnerable because of their condition (e.g. vulnerable users, minors, persons under investigation).
5. The notification must have the minimum content required by art. 33 RGPD, and the communication to the data subject must likewise contain at least the information and measures referred to in art. 33.
6. The controller appropriately documents any personal data breaches suffered, even those not notified to the supervisory authority, together with the surrounding circumstances, their consequences and the measures taken or proposed to remedy them. This documentation must be kept with the utmost care and diligence, as it may be required by the Privacy Guarantor in order to verify compliance with the provisions of the RGPD.
Art. 11 - Referral
1. For all matters not expressly governed by this Regulation, the provisions of the RGPD and of its existing implementing rules apply.
For the purposes of the proposed registers, the following apply:
- Categories of processing
Collection; recording; organisation; structuring; storage; adaptation or alteration; retrieval; consultation; use; disclosure by transmission; dissemination or otherwise making available; comparison or interconnection; restriction; erasure or destruction; profiling; pseudonymisation; any other operation applied to personal data.
- Categories of personal data
Identification data: name and surname, residence, domicile, date of birth, online identifiers (username, password, customer ID, etc.), family situation, images, characteristic elements of physical, physiological, genetic, mental, economic, cultural or social identity. Data concerning lifestyle and economic, financial, asset and tax situation. Connection data: IP address, login, other. Location data: location, GPS, GSM, other.
- Purposes of processing
Organisation and publicising of events organised by the Association.
- Technical and organisational measures
Pseudonymisation; minimisation; encryption; specific measures to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services that process personal data; specific procedures for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing; other specific measures adopted for the processing in question. Authentication systems; authorisation systems; security systems (antivirus, firewall, intrusion detection, etc.), adopted for the processing in question or by the Service/Organisation as a whole.
Fire-prevention measures; intrusion detection systems; surveillance systems; video-surveillance protection systems; access logging; doors, cabinets and containers fitted with locks; systems for copying and storing electronic files; other measures to restore the availability of and access to data promptly in the event of a physical or technical incident, adopted for the processing in question or by the Service/Organisation as a whole. Procedures for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.
- Sensitive data
Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, data concerning health, sex life or sexual orientation, genetic and biometric data, and data relating to criminal convictions.
- Categories of data subjects
Resident citizens; persons under the age of 16; voters; taxpayers; users; parties to proceedings; employees; administrators; suppliers; other.
- Categories of recipients
Natural persons; public authorities and other public administrations; private legal persons; other entities.