New DGPR Privacy for Associations and Non-Profit Bodies
EU Regulation 2016/679, better known as DGPR, is a European regulation on the processing of personal data and privacy. With this regulation, it is intended to strengthen and make more homogeneous the protection of personal data of citizens and residents of the European Union, both inside and outside the borders of the Union. The legislation entered into force on 25 May 2018.
To comply with the regulation, all associations and similar entities, in the case of the collection of personal data, such as when registering a member or joining an association activity, must communicate a specific information on the processing of data. personal.
The information informs the interested party of which data are being processed, of the purposes and methods of processing, of the data retention period, and more generally of all his rights to protect his privacy.
Below we publish a pro forma of the information, to be adapted in any case on a case-by-case basis, according to specific needs.
INFORMATION FOR THE PROCESSING OF PERSONAL DATA COLLECTED FROM THE INTERESTED PARTY
In relation to the provisions of EU Reg. 2016/679 (European Regulation for the protection of personal data) we hereby communicate the necessary information regarding the processing of personal data provided by the interested party.
This information, which is provided pursuant to art. 13 of EU Reg. 2016/679 (European Regulation for the protection of personal data) and pursuant to art. 13 Legislative Decree 30.6.2003 n. 196 (Privacy Code).
1. HOLDER OF THE TREATMENT
Pursuant to art. 4 and 24 of EU Reg. 2016/679 the data controller is the WOO Association.
2. DATA OBJECT OF THE TREATMENT
The Data Controller processes the personal identification data (for example, name, surname, company name, address, telephone, e-mail, bank and payment details), communicated by the interested party when joining the association.
3. PURPOSE AND LAWFULNESS OF THE PROCESSING
The personal data provided will be processed in compliance with the conditions of lawfulness pursuant to art. 6 lett. b of EU Reg. 2016/679, or for joining and participating in the association and carrying out the activities proposed in favor of the members, and in particular:
- registration in the shareholders' register;
- participation in associative life;
- information on the activities and other proposed initiatives;
- possible compilation of data collection forms for sending an information request to the data controller;
- fulfill contractual obligations, legal obligations and administrative-accounting purposes. For the purposes of applying the provisions on the protection of personal data, the treatments carried out for administrative-accounting purposes are those connected to the performance of organizational, administrative, financial and accounting activities, regardless of the nature of the data processed;
- fulfill the obligations established by law, by a regulation, by community legislation or by an order of the Authority (such as in the field of anti-money laundering);
- exercise the rights of the owner, for example the right to defense in court;
4. RECIPIENTS OR CATEGORIES OF RECIPIENTS OF THE DATA
The personal data provided may be disclosed to recipients, appointed pursuant to art. 28 of EU Reg. 2016/679, which will process the data as managers and / or as natural persons acting under the authority of the Data Controller and Data Processor, in order to comply with contracts or related purposes. Specifically, the data may be disclosed to recipients belonging to the following categories:
- subjects that provide services for the management of the information system and communication networks of the Data Controller;
- firms or companies in the context of assistance and consultancy relationships;
- competent authorities for the fulfillment of legal obligations and / or provisions of public bodies, upon request;
The subjects belonging to the aforementioned categories perform the function of data processing manager, or operate in total autonomy as separate data controllers.
5. TRANSFER OF DATA TO A THIRD COUNTRY AND / OR AN INTERNATIONAL ORGANIZATION
The personal data provided by the interested party will not be transferred abroad within or outside the European Union.
6. METHOD OF TREATMENT
The processing of the personal data of the interested party is carried out by means of the operations indicated in art. 4 n. 2) GDPR of EU Reg. 2016/679 and more precisely: collection, registration, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of data. Personal data are subjected to both paper and electronic and / or automated processing.
7. DATA RETENTION PERIOD
The processing will be carried out in an automated and / or manual form, with methods and tools aimed at guaranteeing maximum security and confidentiality, by persons specifically appointed to do so.
In compliance with the provisions of art. 5 paragraph 1 letter. e) of EU Reg. 2016/679, the personal data collected will be stored in a form that allows the identification of the data subjects for a period of time not exceeding the achievement of the purposes for which the personal data are processed.
8. NATURE OF THE PROVISION AND REFUSAL
The provision of personal data for the purposes referred to in point 3 of this information document is necessary to follow up on joining the association. Failure to provide personal data may make it impossible to obtain such membership.
9. RIGHTS OF THE INTERESTED PARTIES
The interested party can assert their rights as expressed by the articles. 15, 16, 17, 18, 19, 20, 21, 22 of EU Regulation 2016/679, by contacting the Data Controller, via the e-mail address firstname.lastname@example.org
The interested party has the right, at any time, to:
- obtain confirmation of the existence or not of personal data concerning him, even if not yet registered, and their communication in an intelligible form;
- obtain the indication: a) of the origin of the personal data; b) the purposes and methods of the processing; c) of the logic applied in case of treatment carried out with the aid of electronic instruments; d) the identity of the owner, manager and the representative appointed pursuant to art. 5, paragraph 2 of the Privacy Code and art. 3, paragraph 1, GDPR; e) the subjects or categories of subjects to whom the personal data may be communicated or who can learn about them as appointed representative in the State, managers or agents;
- obtain: a) updating, rectification or, when interested, integration of data; b) the cancellation, transformation into anonymous form or blocking of data processed in violation of the law, including those which do not need to be
conservation in relation to the purposes for which the data were collected or subsequently processed; c) the attestation that the operations referred to in letters a) and b) have been brought to the attention, also as regards their content, of those to whom the data have been communicated or disseminated, except in the case in which this fulfillment is proves impossible or involves the use of means that are manifestly disproportionate to the protected right;
- object, in whole or in part: a) for legitimate reasons to the processing of personal data concerning him, even if pertinent to the purpose of the collection; b) to the processing of personal data concerning him for the purpose of sending advertising or direct sales material or for carrying out market research or commercial communication, through the use of automated call systems without the intervention of an operator by e-mail and / or through traditional marketing methods by telephone and / or paper mail.
Where applicable, the interested party also has the rights referred to in Articles. 16-21 GDPR (Right of rectification, right to be forgotten, right to limitation of treatment, right to data portability, right of opposition),
Without prejudice to any other administrative and judicial appeal, if the interested party believes that the processing of data concerning him violates the provisions of EU Reg. 2016/679, pursuant to art. 15 letter f) of the aforementioned EU Reg. 2016/679, has the right to lodge a complaint with the Guarantor for the protection of personal data and, with reference to art. 6 paragraph 1, letter a) and art. 9, paragraph 2, letter a), you have the right to withdraw the consent given at any time.
In the event of a request for data portability by the interested party, the Data Controller will provide the personal data concerning him in a commonly used and readable format, without prejudice to paragraphs 3 and 4 of art. 20 of EU Reg. 2016/679.