Pursuant to Article 13 of the European Regulation (EU) 2016/679 (hereinafter GDPR) and in relation to the personal data that will become available to Kyma srl through the assignment, we communicate the following:
The data controller is Kyma srl (P.IVA 01577300534) in the person of the pro-tempore legal representative with headquarters in Follonica (GR) Via del Fonditore n.113. The data controller can also be contacted by e-mail at the following address: firstname.lastname@example.org.
Purpose of data processing
The processing is aimed at the correct and complete execution of the professional assignment received from the client, including the contractual and pre-contractual activity necessary for the service requested, the obligations arising from the performance of the service itself, including accounting and tax obligations, and whatever else is necessary to comply with the obligations imposed on the Data Controller by the regulations in force.
The client assumes responsibility for the personal data of third parties transmitted or shared with the Data Controller through the website, and guarantees that he/she has the right to communicate and transmit them, releasing the Data Controller from any liability to said third parties.
Legal basis for processing
The Controller processes the client’s personal data lawfully, where the processing:
– is necessary for the performance of the professional assignment, the contract to which the client is a party or the performance of pre-contractual measures taken upon request;
– is necessary to fulfill a legal obligation incumbent on Kyma srl;
– is based on express consent.
Consequences of non-disclosure of personal data
With regard to personal data related to the execution of the contract to which the client is a party or related to the fulfillment of a regulatory obligation (e.g., obligations related to the keeping of accounting and tax records), failure to provide personal data prevents the completion of the contractual relationship itself.
The client’s personal data, which are processed for the above purposes, will be retained for the duration of the contract and, thereafter, for as long as the professional is subject to retention obligations for tax purposes or for other purposes required by law or regulation.
Communication of data
Client data may be communicated to:
– consultants and accountants or other professionals who provide functional services for the above purposes;
– banking and insurance institutions that provide functional services for the purposes indicated above;
– parties that process data in execution of specific legal obligations;
– judicial or administrative authorities for the fulfillment of legal obligations.
Data profiling and dissemination
Customer personal data are not subject to dissemination or any fully automated decision-making process, including profiling.
Policy in the event of a data breach
In the context of the GDPR, a so-called personal data breach (data breach) occurs when accidentally or unlawfully, as a result of a breach of the Data Controller’s security system, there is unauthorized access and/or destruction and/or loss and/or modification and/or disclosure of personal data stored or transmitted on electronic networks by the Company.
In accordance with the provisions of the GDPR, in cases of a personal data breach, the Data Controller notifies the breach to the competent supervisory authority, which for Italy is the Data Protection Authority, within 72 hours of becoming aware of it, unless the personal data breach is unlikely to present a risk to the rights and freedoms of natural persons.
When a personal data breach is likely to present a high risk to the rights and freedoms of natural persons, the Data Controller shall also notify the data subject of the breach, unless:
(a) the Data Controller has implemented appropriate technical and organizational protection measures, such as encryption;
(b) the Data Controller has taken measures to prevent the occurrence of a high risk to the rights and freedoms of data subjects;
(c) said disclosure would require disproportionate efforts. In such a case, a public notice or similar measure, through which data subjects are informed with similar effectiveness, shall be made instead.
Rights of the data subject
The rights granted to the customer by the GDPR include the following:
– request from the Company access to your personal data and information related to them; rectification of inaccurate data or supplementation of incomplete data; deletion of data concerning you (upon the occurrence of one of the conditions provided for in Article 17 paragraph 1 GDPR and in compliance with the exceptions provided for in paragraph 3 of the same article); the limitation of the processing of your personal data upon the occurrence of one of the cases indicated in Article 18 paragraph 1 GDPR;
– request and obtain from the Company, in cases where the legal basis of the processing is the contract or consent and the processing is carried out by automated means, your personal data in a structured, machine-readable format, also for the purpose of communicating such data to another data controller (so-called right to portability of personal data);
– object at any time to the processing of your personal data in the event of special situations concerning you;
– withdraw consent at any time, limited to cases where the processing is based on consent for one or more specific purposes and concerns common personal data (such as date and place of birth) or special categories of data (such as those revealing your racial origin, political opinions, religious beliefs, state of health or sex life). Processing based on consent and carried out prior to the revocation of consent, however, retains its lawfulness;
– file a complaint with the Data Protection Authority.