GDPR

This document provides an overview of the GDPR, illustrating its regulatory context, scope of application, fundamental principles, data subject rights, and obligations related to the processing of personal data.

I. Regulatory context and purpose

Since March 25, 2018, Regulation (EU) 2016/679 (GDPR) has been directly applicable in all European Union Member States.

In Italy, the Regulation applies alongside the Code on personal data protection, under the supervision of the Garante per la protezione dei dati personali (Italian Data Protection Authority).

The main obligations under the GDPR include:

  • strengthening control over personal data;

  • ensuring transparency and security of processing;

  • defining the responsibility of data processors.

II. Scope of application

The GDPR applies, among other things:

  • to the processing of data of anyone located in the European Union, regardless of their nationality;

  • to non-EU entities that offer goods or services to individuals in Italy or other Member States, or that monitor online behaviour, for example through cookies or tracking technologies.

Processing for purely personal or household purposes remains excluded.

III. Fundamental principles of processing

All processing of personal data must comply with the fundamental principles of the GDPR, such as:

  • lawfulness, fairness, and transparency, based on a valid legal basis;

  • purpose limitation, with data used exclusively for the determined and legitimate purpose;

  • data minimization, limiting the quantity to what is necessary;

  • accuracy, with data updated whenever appropriate;

  • storage limitation, avoiding periods longer than necessary;

  • integrity and confidentiality, through adequate technical and organizational measures.

IV. Data subject rights

In accordance with the GDPR, data subjects have the following rights, by way of non-exhaustive example:

  • right to information and access, to obtain information on the processing and a copy of the data;

  • right to rectification, in case of inaccurate or incomplete data;

  • right to erasure (right to be forgotten), when the foreseen conditions exist;

  • right to restriction of processing, in specific situations;

  • right to data portability, in a structured and readable format;

  • right to object, in particular to processing based on legitimate interest.

If you are under 18, the processing of your data requires the consent of the holder of parental responsibility, where applicable.

V. Obligations of data processors

Those who process personal data are required to comply with a series of obligations, including:

  • executing the documented instructions of the data controller;

  • adopting adequate security measures, such as encryption, access control, and system protection;

  • not responding directly to data subjects without prior notice;

  • notifying personal data breaches to the competent authority, where required and where they are affected;

  • maintaining a record of processing activities;

  • conducting, when applicable, a Data Protection Impact Assessment (DPIA);

  • designating a Data Protection Officer (DPO) and communicating the designation.

VI. Extra-EU data transfer

The transfer of personal data outside the European Economic Area (EEA) is authorized only when adequate safeguards are in place, such as:

  • an adequacy decision adopted by the European Commission; or

  • the adoption of Standard Contractual Clauses (SCCs), where appropriate accompanied by supplementary security measures, such as encryption.

VII. Supervisory authority and sanctions

In Italy, the supervisory authority for personal data protection is responsible for:

  • carrying out control and inspection activities;

  • limiting or prohibiting non-compliant processing operations;

  • applying administrative fines of up to 20 million euros or 4% of total annual turnover, whichever is higher.

The GDPR provides for consent not to disclose information relating to the processing of your data after it has been collected; in accordance with instructions, this could mean that you apply the applicable standards.

VIII. GDPR relevance

The application of the GDPR contributes to:

  • improving protection and transparency for users;

  • strengthening compliant data management in digital services;

  • promoting a more reliable online digital ecosystem, in line with Google and Google Merchant Center rules.

IX. Contact

For the purposes of the General Data Protection Regulation (GDPR), or for any information relating to the processing of personal data, you can contact the Data Protection Officer (DPO):

  • Email: info@ub4arredamenti.com

The worst thing you can do depends on the circumstances and applicable standards.