FULL PRIVACY NOTICE (MEMBERSHIP)
Who are we and how do we use your personal data?
The Controller puts the policy into practice with regard to the collection and processing of personal data and to the exercise of your rights recognized by the applicable regulations (Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data, so-called GDPR, and Legislative Decree no. 2003/196, known as the “Privacy Code”). The Controller takes care to update the policies and practices applied for the protection of personal data whenever this becomes necessary and, in any case, when there are amendments to the legislation and changes within the organization that could affect the processing of personal data.
How does the Controller collect and process your data?
The Controller gathers and/or receives information about you, provided for membership purposes or in any case obtained over the course of the relationship, such as your first name, last name, ID card data, taxpayer code, company, physical and e-mail address, land and/or mobile phone number. Your personal data will be processed for the following purposes:
1) handling the contract relationship and related measures, including legal and regulatory
Your personal data is processed for the purposes of implementing and managing participation in the activities of the Council, for delegation-related activities arising from your role in the same and, in any case, for the purposes of ensuring the performance of all activities necessary, preliminary and preparatory, or subsequent, to managing membership of the Council (including, by way of mere example, service communications). In this case, the legal basis for processing the personal data is the performance of the contract entered into with the Controller and the activities and measures associated with the contractual relationship, as well as the Controller’s need to comply with the obligations provided for by law, regulations, EU regulations, etc.
3) pursuit of the legitimate interests of the Controller and/or third parties
Your personal data may also be processed for organizational purposes or purposes related to security; property, asset or personal protection; crime prevention; dispute and pre-dispute management in the event of breaches complaints, legal action and/or transactions. In the aforementioned cases, the legal basis for processing is the pursuit of a legitimate interest of the Controller and/or third parties (e.g. other associates).
4) for purposes of information security
Including through its suppliers (third parties and/or recipients), the Controller only processes your personal data, including IT data (such as logic accesses) or data concerning traffic, when strictly necessary and proportionally as required to guarantee the security and ability of a network or servers connected with it to resist (at a given security level) unforeseen events or illegal or criminal acts that compromise the availability, authenticity, integrity and confidentiality of the personal information stored or transmitted.
To this end, the Controller provides procedures to manage data breaches, in accordance with the legal requirements with which it is required to comply.
5) sending informational messages
The Controller may also process the data provided by you in order to send informational messages concerning initiatives and events run by the Council, by e-mail to the e-mail address voluntarily provided by you in the Membership Form.
In this case, the legal basis for processing your personal data is the pursuit of a legitimate interest of the data subject and the Council, i.e. keeping in touch with you and updating you on the events and initiatives run by the Council, in light of your membership of the same, and following your participation in similar events and initiatives, in accordance with whereas clause no. 47 of the GDPR.
To whom are your personal data communicated?
Your personal data are handled on the basis of the contract and obligations, including legislative and/or regulatory on which they are dependent.
Your data will not be communicated to third parties/recipients for their independent purposes unless:
- you give your permission by way of consent, which you will be asked to provide, as necessary, in a specific, express and voluntary manner;
- it is required to fulfill the obligations prescribed by the contract or by applicable laws governing it (for example, for safeguarding your rights, for reporting to monitoring authorities, etc.);
- communication is made to the financial administration, public supervisory and control bodies in relation to whom the Controller is required to meet specific obligations deriving from the specific nature of the activity performed;
- they have been authorized or have a legally recognized right to receive your personal data. This is the case, for example, with family members, members of the same household or legal representatives (administrators, guardians etc.);
- they are partners and sponsors of the Council, who support the controller in managing joint initiatives and events for the benefit of associates (e.g. conferences, webinars, etc.);
- they are suppliers to the Controller, who may receive and/or access your personal data in their capacity as duly identified data processors bound by instructions in accordance with the requirements of privacy regulations (e.g. IT providers, parties appointed to send informational messages on behalf of the Council, etc.).
What happens if you do not provide your data?
If you do not provide your personal data, the Controller cannot perform the processing associated with managing the membership contract and associated services, or comply with the obligations that depend on such. Processing of personal data in pursuit of the legitimate interests of the Controller and/or third parties, while not strictly required to perform the contractual relationship, is in any case closely associated with the same and, as such, any refusal to provide the data may make proper management of the relationship with the Controller impossible.
On the other hand, the processing of your personal data for the purposes of receiving informational messages on initiatives and events run by the Council, to the e-mail address provided by you in the Membership Form, is entirely at your discretion and optional; you can choose to object to such processing using the unsubscribe options provided in those messages, without in any way impeding your membership of the Council.
How and for how long are your data stored?
How
Your personal data are processed via hardcopy or electronic procedures by specially authorized and trained internal employees. They are allowed access to your personal data in the measure and within the limits necessary for processing of your personal data.
The Controller periodically audits the tools whereby your data are processed and the security measures contemplated for them, which require constant updating; the Controller verifies, also via the authorized processors, that no personal data are collected, processed, filed or held unless it is necessary; regular audits ensure that the data are preserved with the guarantee of integrity and authenticity and that they are used for the purposes of the processing effectively done.
Where
The data are kept in hardcopy, electronic and telematic archives located within the European Economic Area. The data may be transferred, for the purposes referred to above, to countries inside or outside the European Economic Area. In the event of transfers of data to countries where the protection standards are not equivalent to those in Italy, the Council will take the necessary measures provided for by the GDPR to protect the data in the context of that transfer (e.g. standard contractual clauses, Privacy Shield, etc.). You may request information on such measures and a copy of the data using the contact details below.
For how long
Personal data handled by the Controller are held for the time required to fulfill the activities connected with the management of the contract with the Controller and up to ten years following its termination (art. 2946 of the Italian civil code) or when the rights governing it can be enforced (as provided for in art. 2935 of the Italian civil code), as well as for fulfilling the obligations (e.g. fiscal and accounting) that continue to exist also following the termination of the contract (art. 2220 of the Italian civil code), for which the Controller must retain only the data required for these purposes. This in no way prejudices those cases regarding the rights deriving from the contract which are enforced by court action; in such cases, only your data specifically required for this purpose will be processed for the length of time strictly necessary.
However, you retain the right to oppose processing at any time, based on a legitimate interest, for reasons connected with your particular situation, where applicable pursuant to the GDPR and the Privacy Code.
What rights do you have?
At any time, free of charge and without any special procedures for making the request, in accordance with the provisions of the GDPR and the Privacy Code, you can:
- obtain confirmation that your data are being processed by the Controller;
- object to the processing of your personal data;
- access your personal data and know the origin (when the data were not obtained from you directly), the purposes and aims of processing, the data of the subjects receiving them, the period of conservation of your data or the criteria used to determine it;
- withdraw consent at any moment in time, where this constitutes the basis of the processing. Withdrawing consent will not however undermine the lawfulness of the processing based on the consent provided before the actual withdrawal.
- update or correct your personal data so that they are always exact and accurate;
- delete your personal data from the databases and/or archives of the Controller when, among other things, they are no longer necessary for the purpose for which they were processed or if they were received illegitimately, and whenever there are any of the conditions contemplated by law; and in any case if processing is not justified by another equally legitimate reason;
- limit processing of your personal data to certain circumstances, such as those in which their accuracy has been challenged, for the period necessary to the Controller to check their accuracy. You must be informed, within a congruous time, also about when the period of suspension is terminated or the cause of the limitation to processing has been resolved, and the limitation revoked;
- obtain your personal data, if received and/or processed by the Controller with your consent and/or if they are processed on the basis of a contract and using automatic methods, in a computerized form, including for sharing them with another processing entity.
In this case, the Controller must proceed without delay and, in any case, no longer than one month from receiving your request. If necessary, this deadline may be extended to two months, given the complexity and number of requests received by the Controller. In such situations, within a month of receiving your request, the Controller must inform you and provide the reasons for the deadline extension.
For further information or to send your request, please write to the Controller at consiusa@consiusa.org.
How can you lodge a complaint?
Without prejudice to any other administrative or judicial action, you may lodge a complaint to the relevant authority, i.e. the one operating and having its jurisdiction in the country where you regularly reside or work (in Italy, the Guarantor for the Protection of Personal Data www.garanteprivacy.it) or, if different, in the member state in which the violation of the GDPR occurred.
Any update to this information notice will be sent to you promptly by congruent means and you will also be informed if the Controller continues processing your data for additional purposes which are not compatible with those to which this information refers, before proceeding and in time for you to provide your consent, where necessary.