Privacy Policy

Privacy Policy pursuant to Article 13 of EU Regulation 2016/679 (GDPR)

Dear User,

This page contains the Privacy Policy for this website and is intended to provide information on how personal data of users interacting with the site and using its services are processed, as well as to fulfill the information obligations under Article 13 of EU Regulation 2016/679 (GDPR).

This privacy notice applies solely to this website and not to any other websites that the user may access via links contained within the pages of this site.
Regulation (EU) 2016/679 on the protection of personal data (hereinafter, the “Regulation”) establishes rules relating to the protection of natural persons with regard to the processing of personal data, as well as rules on the free movement of such data. It safeguards the fundamental rights and freedoms of natural persons, particularly their right to the protection of personal data.

According to Article 4(1) of the Regulation, “Personal Data” means any information relating to an identified or identifiable natural person (hereinafter, the “Data Subject”).

“Processing” refers to any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Article 4(2) of the Regulation).

Pursuant to Articles 12 et seq. of the Regulation, the Data Subject must be provided with appropriate information regarding the data processing activities carried out by the Data Controller, as well as the rights of the Data Subjects.

 

Data controller

Digitalrehab srl

Viale Luigi Majno 17A

20129 Milano (MI)

Email: info@digitalrehab.eu

WebSite: https://www.digitalrehab.eu/

The Data Protection Officer (DPO) appointed by the Data Controller can be contacted at the email address: dpo@digitalrehab.eu.

 

Purpose and Legal Basis of Processing  

The personal data of the user will be processed for the following purposes and with the legal bases indicated below:

  1. To conclude a contract with the data subject, execute it, and respond to requests for information regarding the products/services provided by the Data Controller. The legal basis for the processing is represented by Article 6(1)(b) of EU Regulation 2016/679 (“the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract”);

  2. To respond to requests sent by the user via email and/or the form present on the website; the legal basis for the processing is represented by Article 6(1)(b) of EU Regulation 2016/679;

  3. To collect any spontaneous job applications sent via email from candidates for the potential establishment of an employment/partnership relationship; the legal basis for this type of processing is the legitimate interest of the Data Controller as provided in Article 6(1)(f);

  4. To enable and make functional the navigation of the website, as well as to ensure an adequate level of security, integrity, and availability; the legal basis for this type of processing is the legitimate interest of the Data Controller as provided in Article 6(1)(f);

  5. To analyze statistical data on aggregated or anonymous data, with the purpose of monitoring the proper functioning of the website, traffic usability, and interest; the legal basis for this type of processing is the legitimate interest of the Data Controller as provided in Article 6(1)(f);

  6. To ascertain, exercise, or defend a right in judicial proceedings; the legal basis for this type of processing is the legitimate interest of the Data Controller as provided in Article 6(1)(f);

  7. To comply with legal, regulatory, EU, or judicial authority requirements; the legal basis for this type of processing is represented by Article 6(1)(c).

Types of data

The following personal data will be collected and processed for the purposes outlined above:

  • Identifying data (e.g., name, surname)

  • Contact data (e.g., email, phone)

  • Data related to the contractual relationship

  • Navigation data

Navigation data

The IT systems and software procedures used for the operation of this website acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols.
This includes information that is not collected to be associated with identified individuals, but which, by its nature, could, through processing and association with data held by third parties, allow for the identification of users.
This category includes IP addresses or domain names of the computers used by users connecting to the site, the URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file received in response, the numerical code indicating the status of the server response (successful, error, etc.), and other parameters related to the operating system and user’s computing environment.
These data are used exclusively for the purpose of obtaining anonymous statistical information on the use of the website and to check its correct functioning, and they are deleted immediately after processing.

The data may be used for the determination of responsibility in case of potential cybercrimes to the detriment of the website.

 

Refusal to provide data

Apart from what is specified for navigation data, users/visitors are free to provide their personal data. In some cases, however, failure to provide data may result in the inability to conclude or properly execute the contract to which the data subject is a party and/or failure to comply with legal obligations to which the Data Controller is subject.

For processing that requires consent, the provision of data is optional, and the refusal to provide it will not affect the ability to use the products/services offered by the Data Controller. Even if consent is given, the data subject has the right to object, in whole or in part, to the processing of their personal data for the above purposes, by making a simple request to the Data Controller at the contact details provided above.

 

Source of the data

The data will be provided by the data subject.

 

Processing Methods

In accordance with Article 5 of the Regulation, the personal data subject to processing will be:

1. Processed in a lawful, fair, and transparent manner in relation to the data subject;

2. Collected and recorded for specified, explicit, and legitimate purposes, and subsequently processed in a manner compatible with those purposes;

3. Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;

4. Accurate and, where necessary, kept up to date;

5. Processed in a manner that ensures an adequate level of security;

6. Stored in a form that permits identification of the data subject for no longer than is necessary for the purposes for which the data are processed.

 

Communication of Data

Personal data may be communicated to authorized persons for processing, as well as to external data processors appointed by the controller (a full list of external processors is available from the Data Controller), responsible for managing the above purposes.

In pursuit of the above purposes, data may be communicated to other entities acting as independent controllers.
The data may be communicated to:

  • Companies and consultants for legal, accounting, and tax assistance;

  • Entities that provide services for managing IT systems and telecommunications networks, including email services, and website management.

Information may also be communicated whenever required to comply with requests from the judicial authority (Autorità Giudiziaria) or the public security authorities (Pubblica Sicurezza).

 

Data dissemination 

Personal data will not be subject to dissemination.

 

Data Transfer Abroad

For the purposes outlined above, personal data will be processed within the European Economic Area (EEA). If transferred to third countries, in the absence of an adequacy decision from the European Commission, the applicable legal requirements for transferring personal data to third countries will be respected, such as the Standard Contractual Clauses provided by the European Commission.

 

Data Retention

In general, personal data will be retained for the time strictly necessary to achieve the purposes for which they were collected and processed, including the retention period required by applicable legislation and, in any case, for a maximum period of 10 years from the cessation of the relationship with the Data Controller, and a maximum of 2 years for purposes that require consent, unless the Data Controller needs to defend a right in legal proceedings.

 

Rights of the Data Subject

In accordance with Articles 15 et seq. of EU Regulation 2016/679 and applicable national legislation, the data subject can exercise the following rights under the conditions and within the limits provided by the current legislation:

Right | Description | Requirements | How to exercise it

Art. 15 Data Subject’s Right of Access

The data subject has the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, access to the personal data and the following information:

a) the purposes of the processing;

b) the categories of personal data concerned;

c) the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations;

d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

f) the right to lodge a complaint with a supervisory authority;

g) where the personal data is not collected from the data subject, any available information as to its source;

h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the Regulation and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Where personal data is transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested, the information shall be provided in a commonly used electronic format.

 The right to obtain a copy of one’s personal data must not adversely affect the rights and freedoms of others.

The data subject can exercise their right by sending a request to the contact details of the Data Controller and/or to the email address of the DPO.

In order to provide a positive response to the request, it is necessary to provide the information required for the identification of the data subject.

Before providing a response, the Data Controller may need to identify the data subject, as the right can only be exercised by the data subject or by a person authorized by them.

Art. 16 Right to rectification

The data subject has the right to obtain from the data controller the rectification of inaccurate personal data concerning them without undue delay. Taking into account the purposes of the processing, the data subject also has the right to have incomplete personal data completed, including by providing a supplementary statement.

Processing of inaccurate and/or incomplete data

The data subject can exercise the right by sending a request to the contact details of the Data Controller and/or the email address of the DPO.

In order to provide a positive response to the request, it is necessary to provide the information required for the identification of the data subject.

Before providing a response, the data controller may need to identify the data subject, as the right can only be exercised by the data subject or their authorized representative.

Art. 17 Right to erasure (“right to be forgotten”)

The data subject has the right to obtain from the data controller the erasure of personal data concerning them without undue delay, and the data controller is obliged to erase the personal data without undue delay.

If the data controller has made personal data public and is required, pursuant to the preceding paragraph, to erase them, taking into account available technology and the costs of implementation, they shall adopt reasonable measures, including technical ones, to inform data controllers who are processing the personal data of the data subject’s request to erase any link, copy, or reproduction of the personal data.

The right can be exercised if one of the following grounds applies:

a) The personal data are no longer necessary for the purposes for which they were collected or otherwise processed;

b) The data subject withdraws the consent on which the processing is based pursuant to Article 6(1)(a) or Article 9(2)(a), and there is no other legal basis for the processing;

c) The data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

d) The personal data have been processed unlawfully;

e) The personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject;

f) The personal data have been collected in relation to the offer of information society services as referred to in Article 8(1) (Where Article 6(1)(a) applies, regarding the direct offer of information society services to children, the processing of a child’s personal data is lawful where the child is at least 16 years old. Where the child is under 16 years old, such processing is lawful only if and to the extent that such consent is given or authorized by the holder of parental responsibility. Member States may set a lower age for these purposes, provided that it is not below 13 years.).

The right to erasure does not apply where the processing is necessary:

a) For the exercise of the right to freedom of expression and information;

b) For the compliance with a legal obligation requiring processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

c) For reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i), and Article 9(3);

d) For archiving purposes in the public interest, scientific or historical research, or statistical purposes in accordance with Article 89(1), to the extent that the right under paragraph 1 risks making impossible or seriously impairing the achievement of the objectives of that processing; or

e) For the establishment, exercise, or defense of legal claims. 

The data subject can exercise the right by sending a request to the contact details of the Controller and/or to the email address of the DPO.

In order to provide a positive response to the request, it is necessary to provide the information required to identify the data subject.

Before providing a response, the controller may need to identify the data subject, as the right can only be exercised by the data subject or their authorized representative.

Art. 18 Right to Restriction of Processing

The data subject has the right to obtain from the data controller the restriction of processing.

If the processing is restricted under the previous paragraph, the personal data will only be processed, except for storage, with the consent of the data subject or for the establishment, exercise, or defense of legal claims, or to protect the rights of another natural or legal person, or for reasons of significant public interest in the Union or a Member State.

The data subject who has obtained the restriction of processing under the initial paragraph will be informed by the data controller before the restriction is lifted.

The right can be exercised if one of the following reasons applies:

a) The data subject contests the accuracy of the personal data, for the period necessary for the data controller to verify the accuracy of such personal data;

b) The processing is unlawful, and the data subject objects to the deletion of the personal data and requests instead the restriction of its use;

c) Although the data controller no longer needs the personal data for processing purposes, the personal data is required by the data subject for the establishment, exercise, or defense of a legal claim;

d) The data subject has objected to processing pursuant to Article 21, paragraph 1, while awaiting verification of whether the legitimate interests of the data controller override those of the data subject.

The data subject can exercise the right by sending a request to the contact details of the Controller and/or to the email address of the DPO.

In order to provide a positive response to the request, it is necessary to provide the information required to identify the data subject.

Before providing a response, the controller may need to identify the data subject, as the right can only be exercised by the data subject or their authorized representative.

Art. 19 Obligation to Notify in Case of Rectification or Deletion of Personal Data or Restriction of Processing

The data controller shall communicate to each recipient to whom the personal data have been disclosed any rectifications, deletions, or restrictions on processing carried out in accordance with Article 16, Article 17(1), and Article 18, unless this proves impossible or involves disproportionate effort. The data controller shall inform the data subject of such recipients if the data subject requests it.


The data subject can exercise the right by sending a request to the contact details of the Data Controller and/or to the email address of the DPO.

In order to provide a positive response to the request, it is necessary to provide the information required to identify the data subject.

Before providing a response, the Data Controller may need to identify the data subject, as the right can only be exercised by the data subject or a person authorized by them.

Art. 20 Right to Data Portability

The data subject has the right to receive, in a structured, commonly used, and machine-readable format, the personal data concerning them that they have provided to a data controller, and the right to transmit those data to another data controller without hindrance from the controller to whom the data have been provided.

In exercising their rights regarding data portability as mentioned in the previous paragraph, the data subject has the right to obtain the direct transmission of their personal data from one data controller to another, if technically feasible.

The exercise of the right referred to in the initial paragraph does not affect the provisions of Article 17 – Right to erasure (“right to be forgotten”).

The right may be exercised if one of the following conditions applies:

a) the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a), or on a contract pursuant to Article 6(1)(b); and

b) the processing is carried out by automated means.

This right does not apply to processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.

The exercise of the right must not adversely affect the rights and freedoms of others.

The data subject can exercise the right by sending a request to the contact details of the Data Controller and/or to the email address of the DPO.

In order to provide a positive response to the request, it is necessary to provide the information required to identify the data subject.

Before providing a response, the Data Controller may need to identify the data subject, as the right can only be exercised by the data subject or by a delegated representative.

Art. 21 Right to object

The data subject has the right to object at any time.

The data controller shall refrain from further processing the personal data unless they can demonstrate the existence of compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims.

Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of their personal data for such purposes, including profiling to the extent that it is related to such direct marketing.

If the data subject objects to the processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

Where personal data are processed for scientific or historical research or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to their particular situation, has the right to object to the processing of personal data concerning them, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

The right may be exercised if one of the following reasons applies:

  • reasons related to the data subject’s particular situation,

  • to the processing of personal data concerning them under Article 6(1)(e) (the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller) or (f) (the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that the interests or fundamental rights and freedoms of the data subject do not override those interests, particularly if the data subject is a minor), including profiling based on these provisions.

The data subject can exercise the right by sending a request to the contact details of the Data Controller and/or to the email address of the Data Protection Officer (DPO).

In order to provide a positive response to the request, it is necessary to provide the information required to identify the data subject.

In the context of the use of information society services and without prejudice to Directive 2002/58/EC, the data subject can exercise their right to object through automated means that use specific techniques.

Before providing a response, the Data Controller may need to identify the data subject, as the right can only be exercised by the data subject or by their delegate.


In general, to exercise their rights, the data subject can contact the Data Controller by writing to the contact details provided above.

Before providing a response, the Data Controller may need to identify the data subject.

A written response will be provided without undue delay and, in any case, no later than one month from the receipt of the request.


Complaint

If the data subject believes that the processing of their personal data violates the provisions of EU Regulation 2016/679, they have the right to file a complaint with the Data Protection Authority, based in Rome, pursuant to Article 77 of the Regulation, as well as to take legal action before the judicial authority.