DISCLOSURE PURSUANT TO SECTION 13 OF LEGISLATIVE DECREE 196 OF 30 JUNE 2003 - ITALIAN PERSONAL DATA PROTECTION CODE
I) Introduction to the new Italian Data Protection Code and glossary of terms used
The Code presently in force combines in a single statute the provisions of Law 675/1996 and other previously issued Italian legislative decrees, regulations and codes of professional conduct. It also contains major changes that reflect the decisions issued by the "Garante per la protezione dei dati personali" (the "Garante" or "Data Protection Ombudsman") and EU Directive 2002/58/EC ("Directive on privacy and electronic communications" or "Directive 2002/58").
Legislative Decree 196 of 30 June 2003 (the "Decree") has introduced significant changes to these previous statutes, including clearer terminology and improved definition of base concepts. To facilitate comprehension of the terminology used in this statute, Section 4 of the Decree is cited here in its entirety:
Section 4 of Legislative Decree 196 of 30 June 2003
1. For the purposes of this Code:
"processing" shall mean any operation, or set of operations, carried out with or without the help of electronic or automated means, concerning the collection, recording, organisation, keeping, interrogation, elaboration, modification, selection, retrieval, comparison, utilization, interconnection, blocking, communication, dissemination, erasure and destruction of data, whether the latter are contained or not in a data bank;
"personal data" shall mean any information relating to natural or legal persons, bodies or associations that are or can be identified, even indirectly, by reference to any other information including a personal identification number;
"identification data" shall mean personal data allowing a data subject to be directly identified;
"sensitive data" shall mean personal data allowing the disclosure of racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations
or organizations of a religious, philosophical, political or trade-unionist character, as well as personal data disclosing health and sex life;
"judicial data" shall mean personal data disclosing the measures referred to in Section 3(1), letters a) to o) and r) to u), of Presidential Decree no. 313 of 14 November 2002 concerning the criminal record office, the register of offence-related administrative sanctions and the relevant current charges, or the status of being either defendant or the subject of investigations pursuant to Sections 60 and 61 of the Criminal Procedure Code;
"data controller" shall mean any natural or legal person, public administration, body, association or other entity that is competent, also jointly with another data controller, to determine purposes and methods of the processing of personal data and the relevant means, including security matters;
"data processor" shall mean any natural or legal person, public administration, body, association or other agency that processes personal data on the controller's behalf;
"persons in charge of the processing" shall mean the natural persons that have been authorised by the data controller or processor to carry out processing operations;
"data subject" shall mean any natural or legal person, body or association that is the subject of the personal data;
"communication" shall mean disclosing personal data to one or more identified entities other than the data subject, the data controller's representative in the State's territory, the data processor and persons in charge of the processing in any form whatsoever, including by making available or interrogating such data;
"dissemination" shall mean disclosing personal data to unidentified entities, in any form whatsoever, including by making available or interrogating such data;
"anonymous data" shall mean any data that either in origin or on account of its having been processed cannot be associated with any identified or identifiable data subject;
"blocking" shall mean keeping personal data by temporarily suspending any other processing operation;
"data bank" shall mean any organised set of personal data, divided into one or more units located in one or more places;
"Garante" shall mean the authority referred to in Section 153 as set up under Act no. 675 of 31 December 1996.
2. Furthermore, for the purposes of this Code:
"electronic communication" shall mean any information exchanged or conveyed between a finite number of parties by means of a publicly available electronic communications service. This does not include any information conveyed as part of a broadcasting service to the public over an electronic communications network except to the extent that the information can be related to the identifiable or identified subscriber or user receiving the information;
"call" means a connection established by means of a publicly available telephone service allowing two-way communication in real time;
"electronic communications network" shall mean transmission systems and switching or routing equipment and other resources which permit the conveyance of signals by wire, by radio, by optical or by other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including Internet) and mobile terrestrial networks, networks used for radio and television broadcasting, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, and cable television networks, irrespective of the type of information conveyed;
"public communications network" shall mean an electronic communications network used wholly or mainly for the provision of publicly available electronic communications services;
"electronic communications service" shall mean a service which consists wholly or mainly in the conveyance of signals on electronic communications networks, including telecommunications services and transmission services in networks used for broadcasting, to the extent that this is provided for in Article 2, letter c) of Directive 2202/21/EC of the European Parliament and of the Council of 7 March 2002;
"subscriber" shall mean any natural or legal person, body or association who or which is party to a contract with the provider of publicly available electronic communications services for the supply of such services, or is anyhow the recipient of such services by means of pre-paid cards;
"user" shall mean a natural person using a publicly available electronic communications service for private or business purposes, without necessarily being a subscriber to such service;
"traffic data" shall mean any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof;
"location data" shall mean any data processed in an electronic communications network, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service;
"value added service" shall mean any service which requires the processing of traffic data or location data other than traffic data beyond what is necessary for the transmission of a communication or the billing thereof;
"electronic mail" shall mean any text, voice, sound or image message sent over a public communications network, which can be stored in the network or in the recipient's terminal equipment until it is collected by the recipient.
3. And for the purposes of this Code:
"minimum measures" shall mean the technical, informational, organizational, logistics and procedural security measures affording the minimum level of protection which is required by having regard to the risks mentioned in Section 31;
"electronic means" shall mean computers, computer software and any electronic and/or automated device used for performing the processing;
"computerised authentication" shall mean a set of electronic tools and procedures to verify identity also indirectly,
"authentication credentials" shall mean the data and devices in the possession of a person, whether known by or uniquely related to the latter, that are used for computer authentication,
"password" shall mean the component of an authentication credential associated with and known to a person, consisting of a sequence of characters or other data in electronic format,
"authorisation profile" shall mean the information uniquely associated with a person that allows determining the data that may be accessed by said person as well as the processing operations said person may perform,
"authorisation system" shall mean the tools and procedures enabling access to the data and the relevant processing mechanisms as a function of the requesting party's authorisation profile.
4. For the purposes of this Code:
"historical purposes" shall mean purposes related to studies, investigations, research and documentation concerning characters, events and situations of the past;
"statistical purposes" shall mean purposes related to statistical investigations or the production of statistical results, also by means of statistical information systems;
"scientific purposes" shall mean purposes related to studies and systematic investigations that are aimed at developing scientific knowledge in a given sector.
II) The following information is provided pursuant to and in accordance with Section 13 of Legislative Decree 196 of 30 June 2003:
1. The personal data that you volunteer when filling out the Registration Form will be processed using computerised, online and other procedures for the following purposes:
purposes directly connected with and instrumental to provision of the Product/Service of DigiTouch SpA ;
market surveys, transmission of advertising material, marketing and commercial promotion of products and services offered by DigiTouch SpA or third parties, however these activities might be performed;
surveys of user satisfaction with the quality of the products and/or services that are provided and the activities that are performed by DigiTouch SpA or third parties, either directly or by specialised outsourcers, and by means of personal or telephone interviews, questionnaires, etc.;
iv. statistical analyses.
2. By signing this form, you grant your specific consent to processing of your personal data by means of the procedures and for the purposes set out at clauses 1.
3. Your personal data may be processed for the purposes set out in clause 1 of this disclosure by means of the following procedures, inter alia:fax, telephone - with or without operator assistance, electronic mail, text messages ("SMS") and other information systems and/or automated communication systems.
4. Your personal data may be transferred to foreign countries in compliance with and to the extent allowed in Sections 42, 43, 44, 45 of Title VII: Transborder Data Flows, Legislative Decree 196 of 30 June 2003. By signing this form, you also specifically grant your consent, pursuant to Section 43(1)(letter a) to transfer of your personal data to countries outside the European Union.
5. You have the following rights set out in Section 7 of Legislative Decree 196/2003 in regard to treatment of your personal data as described hereinabove. In particular, you may:
i. obtain information about the data concerning you (source, purposes and methods of processing, the logic applied to processing with the aid of electronic tools, the parties to whom the data may be communicated or who may acquire them in their capacity as designated representative on national territory, data processor or person in charge of the processing);
ii. updating, rectification or, where interested therein, integration of the data;
iii. deletion, transformation into anonymous form or blocking of data that have been processed unlawfully;
iv. certification to the effect that the occurrence and content of the operations mentioned hereinabove at sub-indents 5(ii) and 5(iii) have been notified to the persons or entities to whom or to which the data were communicated or disclosed, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected;
v. You have the right to object, in whole or in part, on legitimate grounds to the processing of personal data concerning you, even if they are material to the purpose for which they were collected;
vi. You have the right to object, in whole or in part, on legitimate grounds to the processing of personal data concerning you, when this is carried out for the purpose of sending advertising materials or direct selling or else for the performance of market or commercial communication surveys.
vii. The data controller is DigiTouch S.rl. con sede in Viale Vittorio Veneto, 22 - 20124 Milano. The owners of the processing data are: Paolo Mardegan and Simone Ranucci.
In particular, if you send to the request for deletion of your personal data in accordance with Section 7 of Legislative Decree 196/2003, DigiTouch SpA shall immediately delete them without any further notices and/or communication being necessary. Deletion of your data will result in immediate termination of the Service.
In order to exercise these rights, and for all notices and/or requests regarding the processing of your personal data, please write to firstname.lastname@example.org or send a letter via registered mail with return receipt to the following address: DigiTouch SpA Viale Vittorio Veneto, 22 - 20124 Milano (Italy).
6. The acquisition of your personal data is optional.However, the failure to provide any or all of the personal data requested to fill out the Registration Form for the purposes set out clause II 1(i) hereinabove of this disclosure will make it impossible for DigiTouch SpA to provide the full Service itself.The data are processed according to the following procedure:
when you fill out the Registration Form, you are asked to provide: your name, company, e-mail address, phone, Country, app or m-site url.
providing the data as specified at sub-indent (i) is absolutely optional. Refusing to provide the data will have no consequence, except for rendering it impossible to use the services offered by DigiTouch S.rl.
7. Security Measures
DigiTouch SpA guarantees that your data will be protected by adequate security measures, in accordance with the provisions of Title V - Data and system security, Chapter I - Security measures, and Chapter II Minimum security measures, reference to Sections 31, 32, 33, 34, 35, 36 of Legislative Decree 196 of 30 June 2003.
In particular, DigiTouch SpA shall implement adequate procedures to reduce the risks of intentional or accidental destruction or loss of the data, or unauthorised access, or processing that is unauthorised or inconsistent with the purposes of the data collection.
Given the nature of the internet and its technical characteristics, it is impossible to exclude situations where third parties might acquire the content of communications or messages transmitted over the internet.
Call us at +39 0289295100 or fill in the form below. We will contact you soon.
Viale Vittorio Veneto 22
Main entrance: Via Zarotto 2A
20124 Milan (Mi) - Italy