Disclosure and Consent - ex Articles 13, 6 and 7 EU Regulation 2016/679 Processing DATA OF MEMBERS and PROSPECTS COLLECTED FROM THE INTERESTED PARTY

The Indian Chamber of Commerce in Italy (The Indian Chamber of Commerce in Italy) (the Data Controller, i.e., the legal entity that determines the purposes and means of the Processing of Personal Data), provides you, in compliance with the regulations set forth in Articles 13, 6, and 7 EU Regulation 2016/679 (hereinafter referred to as GDPR), with information regarding the processing of your personal data.

 

Data Controller: Indian Chamber of Commerce for Italy

National ID (C.F./VAT number): 03399520968

Registered office: Via Ulrico Hoepli n. 3 - 20121 Milan, Italy

Phone: Tel. +39 02 3055 0568

E-mail / PEC Site: Segreteria@icci.it - icci.milano@legalmail.it - www.icci.it

 

The aforementioned contact details are those that you may use in order to exercise your rights of control over the Processing of your personal data, pursuant to Articles 15/22 GDPR, as further explained below.

Description of Processing / Purpose / Conditions of lawfulness and legal basis of reference:

The Processing concerns the data of natural persons who are members or potential members (prospects) of the Owner, which are released by the same interested parties on the occasion of and for the course and conclusion of the association relationship and/or on the occasion of participation even in individual events organized by the Owner, which are collected in direct form and processed for the purposes listed below

 

Purpose Categories of Data Processed Conditions of lawfulness and legal basis Target Categories
 

 

 

 

 

1.Membership relationship management

 Municipal Data

- call sign/business reason;

- address;

- e-mail/PEC;

- telephone numbers;

- tax code/VAT number;

- website

 The processing is necessary for the performance of the contract of association to which the Data Subject is a party or the execution of pre-contractual measures taken at the request of the same (Ref. Art. 6 co. 1 lett. b GDPR). - Employees and/or interns and/or collaborators expressly authorized for processing;

- External consultants for business and administrative management;

- Suppliers and any third parties who collaborate with the Owner in the scope of its business, including Photographer and Videomaker;

- Management program services company (limited to any access for program support)

- I.T. manager(limited to any access for computer assistance)

- Insurance (for claims only)

- Lawyer (only for judicial or extrajudicial litigation and consulting)
 

Particular Data

-facial image and physical characteristics when taking photographs/ videos during Holder's institutional events

  

 

Processing is carried out by virtue of the express consent given

by the Data Subject (Ref. art 6 co. 1 lett. a GDPR).
 

2. Fulfillment of tax and accounting obligations

 Municipal Data

- Name;

- Address;

- Tax code;

- VAT NO.

 The processing is necessary to comply with a legal obligation to which the data controller is subject (Ref. Art. 6 co. 1 lett. c GDPR)  

- Accountant (accounting processing and preparation of documents for fulfillment of legal obligations in tax and fiscal matters)
 

 

3. Historical Archives

 Municipal Data

- name/company name; Particular Data

- Facial image and physical characteristics when taking photographs/ videos during Holder's institutional events

 Treatment is necessary for

the pursuit of a legitimate interest of the Data Controller (Ref. Art. 6 co. 1 lett. f ) GDPR), including under Recitals 39 and 65 GDPR: Association Yearbook

  

 

- Third parties involved in implementation and printing
 

 

 

4. Marketing and profiling

  

 

 

Common data:

- email

  

 

The processing of personal data av- comes by virtue of the express consent given by the Data Subject (Ref. art 6 co. 1 lett. a GDPR)

  

- Third parties (e.g. business partners)

- Social network

- Press/institutional journals

- Institutional website and sites dedicated to specific events and initiatives

- Management service sending newsletter /CRM
 

5. Newsletter

  

Common data:

- email

 The processing of personal data is done by virtue of the express consent given by the Data Subject (Ref. art 6 co. 1 lett. a GDPR)  

- Management service sending newsletter /CRM

Regarding Recipients and Third Parties, it should be noted that personal data may be disclosed, in order to properly carry out all Processing activities necessary to pursue the above purposes, to:

  • Subjects who perform part of the Processing activities and/or activities related and instrumental to the same on behalf of the Data Controller of the Such subjects have been appointed, pursuant to Article 28 GDPR, "Data Processors", having to be understood individually by this locution, pursuant to Article 4 point 8) GDPR "the natural or legal person, public authority, service or other body that processes Personal Data on behalf of the Data Controller". By way of example and not limited to: Consultants and freelancers in individual or associated form, Service Providers on behalf of the Data Controller, Providers of IT services and management of the computer system and telecommunications networks (including e-mail, PEC and telephone company),server/cloud, Providers of Postal and Transportation Services, Banks and entities involved in the management of payment systems, Call Center Service Providers and agencies in charge of promoting the services covered by the Data Controller's business;
  • Individuals, employees and/or contractors of the Data Controller, who have been entrusted with specific and/or multiple Personal Data Processing activities, performing under the direct authority of the Data Controller or Data Processor;
  • any other associations of which the Data Controller may be a member, members, members of the administrative and management body, including the President and, in any case, the managers designated by the Data Controller in the exercise of their functions. Where appointed pursuant to Article 37 GDPR, the Data Protection Officer (DPO or DDP), if any, may also become aware of the personal data;
  • where required by law or to prevent or suppress the commission of a crime, personal data may be disclosed to public bodies or judicial authorities.

 

The full list of Recipients is available from the Holder's offices at the contact details above.

 

In addition, in order to ensure fair and transparent Processing, we inform you that:

  • Your personal data will not be transferred to a third country or international organization;
  • your personal data will not be subject to dissemination or any fully automated decision-making process;
  • The Retention Period of personal data is determined as follows:

 

  1. for the purposes referred to in points 1) and 2) of the above Table, the data will be retained from the beginning of the membership relationship until its conclusion, except, in any case, the Holder's right, for reasons of its own fiscal and legal protection, to retain them for up to 10 years from the aforementioned conclusion and in any case from the tax return to which the documents containing the data refer; in the case of legal disputes, they will be retained for up to 10 years from their conclusion with a final judgment. In case of non-membership in the Association, prospects' data will be deleted after 6 months from their acquisition;
  2. for purposes under point 3) of the above Table, the data will be stored without time limit;
  3. for the purposes set forth in points 4) and 5), the data will be kept and used for the duration of the association relationship and up to 2 years after the term, unless the right to revoke consent. With regard to prospects, in the event of non-association, once the terms indicated in point a)(6 months) have elapsed, the data will also be deleted with regard to these specific purposes;
  • the processing of your personal data will take place at the offices where the Controller is based, with the aid also of electronic means, as well as with the adoption of appropriate security measures for the purpose of the protection of personal data ex art. 32 GDPR;
  • You have the right to request from the Data Controller, pursuant to Articles 15-22 GDPR, access to your personal data and the rectification or deletion thereof (oblìo) or restriction of processing or to object to their processing, as well as portability. The relevant requests may be sent to the Controller's contacts, indicated above, by e-mail or Racc. A/R, enclosing an identity document of the requesting party, for the purpose of the relevant identification by the Controller;
  • if you have provided consent for one or more specific purposes, you have the right to revoke that consent at any time, without affecting the lawfulness of the Processing based on the consent given before revocation;
  • You have the right to lodge a complaint with the Garante, the Supervisory Authority for the Protection of Personal Data, at its known office in Rome, Piazza di Monte Citorio no. 121;
  • You are obliged to provide your personal data for the sole purpose of being able to associate with the Owner and allow the Owner to provide the requested services and to comply with legal regulations, including tax regulations and, therefore, without this, the relationship cannot take place;
  • Instead, the provision of data for the purposes of marketing, profiling and newsletters, referred to in points 4) and 5) of the Table, is always optional. However, any failure to provide and/or failure to consent, may result in the impossibility for the Data Controller to establish and/or continue the relationship for the purposes not consented to, or to follow up on requests for the provision of specific services (e.g. failure to consent to the photo and video service at events/manifestations/conventions organized by the Data Controller, may result in the impossibility to participate).

Milan, 25/05/2018