It has the express purpose of inform the user about the processing of your personal data in accordance with the law and the recent EU Regulation 679/2016, which profoundly changed the discipline.
A website must have a Data Controller Data Controllerr). The data controller is the person who has decision-making and organizational power on the processing, as well as deciding the methods of data processing and is the person responsible towards the privacy guarantor. Two or more joint owners can also be appointed. In this case, it is mandatory for the user to know what the competences of each co-owner are, through a link indicating the agreement between them.
The data controller is supported by Data Processor Data Processorr). This figure is the one who processes the data on behalf of the data controller. This means that it will be a subject close to the owner, from which it receives directives on how to manage the data. The Data Processor must be a competent figure able to fully satisfy the security put in place by the Data Controller.
These two figures are flanked by the Data Protection Officer DPO,), who, despite being appointed directly by the owner, is in any case an independent subject from the latter. The DPO, previously only optional, is now a figure at times mandatory pursuant to Article 37 of EU Regulation 679/2016. This article indicates the obliged subjects and those who are exempt. In any case, the DPO, called RPD in Italian, is an independent subject and processes the data autonomously. Furthermore, it is directly responsible and communicates with the privacy guarantor. Ultimately, the designation of the DPO reflects the new approach of the GDPR, towards ana responsibility for data processing, being aimed at facilitating the implementation of the regulation by the owner and manager. The role of the DPO is to protect personal data, not the interests of the data controller.
Therefore, while the Data Processor is a figure close to the Data Controller, the DPO is a much more independent figure, who cannot or must receive orders from the Data Controller on the effective protection of data.
Returning to the information, the place where the data will be processed, which coincides with the headquarters of the data controller.
It is essential to also insert the purpose of data processing. In fact, according to the new legislation, the data must be kept for a period suitable for achieving the purposes set by the site, and then be deleted. Therefore it is mandatory that the purposes are indicated in a clear and concise manner within the information.
The types of Cookies which are used on the web page. Cookies are short pieces of information that can be saved on the user's computer when the browser calls up a specific website. With them, the server sends information that will be re-read and updated every time the user returns to the site.
There are various types of cookies:
- Technical cookies: by law, are those used for the sole purpose of "carrying out the transmission of a communication over an electronic communications network, or to the extent strictly necessary for the provider of an information society service explicitly requested by the subscriber or by the user to provide this service ". They are not used for other purposes and are normally installed directly by the owner or manager of the website.
- Third party cookies: occur when a third party places cookies on an internet page. In this case, the user must be informed that there will be cookies from other subjects in addition to those of the web page. Typical third-party cookies are those of social networks
- Profiling cookies: they are aimed at creating profiles relating to the user and are used in order to send advertising messages in line with the preferences expressed by the user while surfing the net. According to the privacy guarantor these can be:
- of advertising profiling, that is, that collect and process user data for advertising purposes eg. to pass them on to advertising dealers;);
- of retargeting activities, consisting of forms of online advertising chosen based on the user's previous actions or searches on the web eg. Google AdWords;);
- set by social network;
- of statistical activities, managed by third parties (ex. Google Analytics..
The document must also indicate whether the site allows social network plug-in and any data transfer to companies located in extra-continental countries.
It is also important to mention what are the new rights of the data subject under the new European legislation, such as the right to deletion of data, L'update of the same or of oppose to a possible transfer of data.
How to use the document?
Through this document you can:
- Indicate the website for which the following document is used;
- Indicate the data owner and the place in which these will be treated;
- Indicate the presence of multiple holders of the treatment;
- Indicate the responsible of the DPO data;);
- Indicate which are the purpose of data processing, and the time that the site will need to use them;
- Determine which ones Cookies will be used by the site, if only technical cookies, third-party cookies and / or profiling cookies;
- Indicate if the site uses social network plug-in;
- Indicate whether the user will receive notifications for any site updates.
Once you have the document, it must be inserted into the website's web page and made available to the user.
EU REGULATION 2016/67979 of the European Parliament and Council, of 27 April 2016, relating to the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46 / EC general regulation on data protection.).
Legislative Decree 181/18, on "Provisions for the adaptation of national legislation to the provisions of EU regulation 2016/679 of the European Parliament and of the Council, of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and repealing Directive 95/46 / EC General Data Protection Regulation "which amends thea il Legislative Decree 196/2003, "Code regarding the protection of personal data."