PRIVACY POLICY FOR THE PROCESSING OF PERSONAL DATA PURSUANT TO
ARTICLE 13 OF EUROPEAN REGULATION NO. 679/2016
Dear Data Subject, we wish to inform you that the General Data Protection Regulation (Reg. EU 2016/679, henceforth GDPR) provides for the protection of natural persons with regard to the processing of Personal Data as a fundamental right. In accordance with the aforementioned law, the processing of personal data must be based on the principles of propriety, lawfulness and transparency and the protection of your privacy and your rights.
The following notice fulfils the obligation set out in Article 13 of the GDPR.
Matter Solutions s.r.l., with registered office in Via del Serafico 159, 00142 Rome, with VAT number 09175681007, as the Data Controller (hereinafter “Data Controller”) informs you pursuant to Articles 13and 14 of Regulation EU 679/2016 (hereinafter “GDPR”) that the Data collected will be processed in the manner and for the purposes set out below:
1. Subject of the processing
Personal data and special categories of personal Data provided by the data subject are processed by the Data Controller for the purpose of executing a contract the data subjects are a party to. Based on the assumption of lawfulness that allows the processing of personal Data for one or more specific purposes upon receipt of the express consent of the data subject, it will also be possible to process the personal data by other means including but not limited to photographs and audio-visual images depicting/recording participants at the event. Such Data may also be subject to publication/dissemination as defined below.
2. Legal basis and purpose of the processing
The personal Data (photo and audio-video images) will be processed for the following activities:
a) documentation, promotion and publicity of the event and the activities carried out by the Data Controller. During the course of the event, the Data Controller may acquire images and/or audio-video recordings of event participants. The collection of images is subject to the prior acquisition of the authorisation for their use referred to on page 1 of this document.
b) dissemination and publication of the Data on the Data Controller’s websites and/or in company reports, also available online, and on public and social platforms. The Data collected by the Data Controller may be used for the purposes specified, and in any case bound by the processing described above or for the purposes of documentation and promotion with regard to the event organised by the Data Controller and to the products and services offered by the Data Controller, and in any case to promote its business, and only if processing is authorised. More specifically, they may be published and then disseminated on:
– company websites and social networks,
– company brochures or leaflets,
– platforms used thereby, as well as for streaming of the event online (where present),
– any other medium however intended for the dissemination of your Data and used by the Data Controller for promotion of the activity.
c) For information security purposes. The Data Controller processes the Data collected directly or through its suppliers to the extent strictly necessary and proportionate to ensure the security and ability of a network or servers connected to it to withstand, at a given level of security, unforeseen events or unlawful or malicious acts that compromise the availability, authenticity, integrity and confidentiality of the Personal Data stored or transmitted.
To this end, the Data Controller has put in place procedures for handling Data Breaches in compliance with the legal obligations it is bound by.
3. Methods of processing and storage
The processing will be carried out by means of the operations set out in Article 4 of the GDPR and may take place either through computer systems (cloud, Internet, intranet, computers and mobile devices) and automated processes or on paper (archives), in a structured, commonly used and readable format. The Data Controller ensures that only the personal Data strictly necessary for the legitimate execution of the process will be collected, in compliance with the principle of Data minimisation pursuant to Article 5, paragraph 1, letter c), of the GDPR. The paper and above all electronic archives in which the collected Data are stored and archived are protected by effective and adequate security measures to counter the risks of breach considered by the Data Controller. The Data Controller provides for the periodic and constant verification of the measures adopted, especially for electronic and online devices, to guarantee the confidentiality of the Personal Data processed, filed and stored through them, especially if belonging to special categories. Personal data is stored for the time necessary to perform the activities connected with the management of the authorisation to use the images and their dissemination and for the fulfilment of the legal or other obligations arising therefrom. The computer files are located within the borders of the UE (or EEA) and there are no plans to connect or interact with databases located abroad.
The Personal Data processed by the Data Controller is kept for the time necessary to carry out the activities related to the authorisation for the use of the images and audio-visual recordings collected and released to the Data Controller pursuant to Italian Law no. 633 of 22 April 194 (Copyright Law). The images and audio-visual recordings collected shall be retained by the Data Controller for 20 years from the date of their creation, as they are considered non-creative works (pursuant to Articles 87 et seq. of Italian Law no. 633 of 22 April 1941). This without prejudice to the right to withdraw consent and authorisation, and without prejudice to the right of the data subject to object at any time to processing based on a legitimate interest for reasons relating to the particular circumstances of the data subject.
4. Nature of the provision of Data and consequences of refusal
The provision of Personal Data is mandatory for the purposes described in point 1. Failure to provide such Data will result in failure to provide the requested service, its proper performance and any legal requirements. It is understood that should the data subject withdraw the authorisation or object to the dissemination of their Data then it will not be disseminated by the Data Controller. It is specified that the withdrawal will take effect from the date of communication of the request. The Data Controller will be required to certify that the photographic images and/or video-sound recordings subject to withdrawal have been removed. It is understood that the withdrawal shall have no effect with respect to processing already carried out, and the same shall apply in the event that the erasure/removal of the Data has become impossible or otherwise difficult to carry out, such as for example in the event of its being saved by third parties on their own PCs or other media and its publication in brochures or company leaflets.
5. Access to the Data
I The Data collected shall be processed for the above purposes by employees and/or contractors of the Data Controller in their capacity as appointees and/or internal data processors and/or system administrators. It will be processed by third parties (e.g. suppliers) where they perform outsourcing on behalf of the Data Controller, in their capacity as external data processors.
6. Disclosure of the Data
Without your express consent (pursuant to Article 6, letters b), c) of the GDPR), the Data Controller ay disclose your Data to Public Bodies in order to comply with the obligations envisaged by laws, regulations or Community legislation or imposed by the Authorities, which will process it in their7. 8. capacity as autonomous data controllers. Normally the service providers chosen operate through data centres located within the territory of the European Union. If your Data will be transferred outside the European Economic Area (EEA), including for the purpose of technical management of the Data collected, this shall take place exclusively in full compliance with the GDPR, to companies adhering to the Privacy Shield (USA) or Third countries with recognised specific guarantees of adequacy from the European Commission, or when adequate safeguards for the protection of Personal Data are provided by means of agreements or contractual clauses (including Binding Corporate Rules – BCRs, and standard contractual clauses).
7. Rights of the data subject
At any time you may exercise your rights vis-à-vis the Data Controller pursuant to Articles 15-22 of Regulation EU 2016/679, and specifically:
a) request confirmation of the existence or otherwise of your personal Data;
b) obtain information of the purposes of the processing, the categories of personal Data, the recipients or categories of recipients to whom the personal Data have been or will be disclosed, and where possible the storage period;
c) obtain the rectification and erasure of the Data;
d) obtain the restriction of its processing;
e) obtain portability of the Data, i.e. receive it from the Data Controller in a commonly used, machine- readable format, and transmit them to another Data Controller without hindrance;
f) object to the processing at any time, including in the case of processing for direct marketing;
g) oppose automated decision-making relating to natural persons, including profiling;
h) ask the Data Controller for access to and rectification or erasure of the personal Data or the restriction of its processing or to object to its processing, as well as the right to Data portability;
i) withdraw your consent at any time and without prejudice to the lawfulness of the processing based on the consent given prior to withdrawal;
j) lodge a complaint with a supervisory authority by contacting the Data Controller or the DPO, sending an email to info@mattergroup.com.
In order to ensure the protection of the data subject’s personal information, we may need to request further specific information confirming the identity of the requesting data subject and thus guarantee the right to access the information (or to exercise any of the other rights) only to persons entitled to receive such communications. This is another security measure put in place for the protection of the personal Data. Requesting access to one’s personal information (or to exercise one of the aforementioned rights) is done free of charge. However, if the request is clearly unfounded or excessive, we may charge a reasonable fee taking into account the administrative costs incurred in providing the information, or refuse to comply with the request in such circumstances.
8. Data Controller and Data Protection Officer (DPO)
The Data Controller is: Matter Solutions s.r.l., with registered office in Via del Serafico 159, 00142 Rome.