INTRODUCTION

The protection of personal data represents an important commitment for Prosecco Cycling Società Sportiva Dilettantistica a r.l. (hereinafter “Prosecco Cycling” or “Company”).

The entry into force of Regulation (EU) 2016/679 “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data” (hereinafter “GDPR”) provided the opportunity to further adapt the activities carried out by the Company to the principles of transparency and protection of personal data, in compliance with the fundamental rights and freedoms of the data subjects, whether they are employees, collaborators, customers, suppliers or third parties interested in receiving information.

Prosecco Cycling has thus implemented a “Privacy Organizational Model” (MOP) which is described below in general terms, aimed at analyzing all kinds of data processing, organizing them in a functional way and managing them in a secure and transparent manner. This section of the website also includes information on the rights of the data subject and the mode of exercise towards the Data Controller.

CONTENTS

  1 – PRIVACY ORGANIZATIONAL MODEL GDPR
    1.1 SUBJECTS
    1.2 RISK ANALYSIS AND MEASURES TO PREVENT PRIVACY RISKS
  2 – TRANSPARENCY AND RIGHTS OF THE DATA SUBJECT
    2.1 RIGHTS REGARDING THE PROTECTION OF PERSONAL DATA
    2.2 EXERCISE OF RIGHTS
    2.3 FORMS AND INFORMATION NOTICES

1 – PRIVACY ORGANIZATIONAL MODEL GDPR

1.1 SUBJECTS

DATA CONTROLLER

The Data Controller is:
Prosecco Cycling Società Sportiva Dilettantistica a r.l. 
Via G. Marconi n. 17 – 31050 Miane (TV) Italy
Ph. +39 0438 1642391
Mob. +39 334 2211021
E-mail: info@proseccocycling.it
PEC: proseccocyclingssd@pec.it
Tax code/VAT number/Registration number in the Treviso Business Register: 04992830267

PERSONS AUTHORIZED TO PROCESSING (ex Art. 29 GDPR)

The MOP provides that each employee / collaborator of the DATA CONTROLLER processes only the data necessary to perform their duties, depending on the internal organization and especially on the purposes indicated and proposed to the Data Subject (so-called principle of “purpose limitation and data minimisation”, Art. 5 paragraph 1, points b) and c) of the GDPR). A segmentation of the processing has therefore been developed, by homogeneous areas of subjects authorized to carry out the processing, binding the employees / collaborators to a specific processing area.

Each authorized subject has received specific instructions from the DATA CONTROLLER regarding the processing of personal data. For this purpose, by design, the information system also consists of different and specific areas.

The employee / collaborator will be able to access only the data necessary to carry out his / her duties from his / her computer station. The designation to the specific processing areas takes place after careful analysis of the company structure and organization as well as of the flow of internal and external data to the Company, and is summarized in a specific internal matrix that punctually identifies the processing scope of each area.

The employee / collaborator also received an internal regulation on the use of IT tools and rules of conduct, on all the information he / she accesses for his / her specific job.

To effectively ensure compliance with the principles on the processing of personal data, the DATA CONTROLLER has also provided training and updating courses for its employees / collaborators who, for the performance of their duties, perform personal data processing activities.

SYSTEM ADMINISTRATORS (INTERNAL AND EXTERNAL)

The DATA CONTROLLER makes use of IT systems to manage and organize its activities. For this reason, the activity of the Data Controller has always been based on careful attention to software construction, mode of use and data security. The subjects who have the privilege of being “administrators” within the company are specifically appointed and trained. The other specialized external companies that access company data are also specifically appointed External Processors and / or External System Administrators pursuant to Art. 28 of the GDPR.

The suppliers of external IT services are chosen with particular attention to their professionalism, not only technical, but also in relation to respect and data protection, privileging certified companies.

DATA PROCESSORS (ex Art. 28 GDPR)

In principle, the DATA CONTROLLER internally manages almost all processing activities. The cases of outsourcing to third parties of some activities that involve data processing on behalf of the DATA CONTROLLER are appropriately indicated in the single information notices. In these cases, the relationship with the third party is regulated by a specific appointment contract as “Data Processor” pursuant to Art. 28 of the GDPR.

The DATA CONTROLLER entrusts this processing activity to external parties that have sufficient guarantees to implement adequate technical and organizational measures to meet the requirements of the GDPR and guarantee the protection of the rights of the data subjects.

1.2 RISK ANALYSIS AND MEASURES TO PREVENT PRIVACY RISKS

According to the principles of the so-called “accountability”, the DATA CONTROLLER must implement a series of measures – organizational, physical, legal, technical and IT measures – aimed at preventing the risk of violation of the personal rights and freedoms of the data subjects. To achieve this goal, a constant risk analysis is carried out, based on the processing activities, the tools used, the type and amount of data processed.

RECORDS OF PROCESSING ACTIVITIES (ex Art. 30 GDPR) AND DATA PROTECTION IMPACT ASSESSMENT (ex Art. 35 GDPR)

The MOP provides for a careful and constant analysis of the risks for the processing of personal data, identified for each activity or service provided through a Records of processing activities pursuant to Art. 30, paragraph 1, of the GDPR.

After analyzing the processing activities carried out by the OWNER, it is believed that to date there are no activities at risk such as to require a specific impact assessment pursuant to Art. 35 of the GDPR (so-called “DPIA”).

The analysis of IT risks and corporate hardware and software infrastructures and IT adaptation measures was carried out by our System Administrator with appropriate tools and check lists.

The results of the analysis allowed the technicians to further improve the protection measures against cyber attacks and cyber threats, gradually and proportionally to the risk for the rights and freedoms of data subjects.

2 – TRANSPARENCY AND RIGHTS OF THE DATA SUBJECT

2.1 RIGHTS REGARDING THE PROTECTION OF PERSONAL DATA

The DATA CONTROLLER, also in this document, considers it essential to inform data subjects of the existence of some rights regarding the protection of personal data, listed below.

  • Right to be informed (transparency in data processing)

The data subject has the right to be informed on how the DATA CONTROLLER processes his / her personal data, for what purposes and on other information provided by Art. 13 of the GDPR. For this purpose, the DATA CONTROLLER has developed organizational processes that allow, at the time of acquisition or request of personal data, the release of an information notice created “ad hoc” according to the category of data subjects to which the data subject belongs (employee, customer, supplier, etc.). This document makes it possible to adequately inform all the data subjects to whom the data refer on how the processing is carried out by the DATA CONTROLLER. The information notice may be requested with a specific application addressed to the DATA CONTROLLER.

  • Right to withdraw consent (Art. 13)

You have the right to withdraw your consent at any time for all processing whose presupposition of legitimacy is your expression of consent. The withdrawal of consent does not affect the lawfulness of the previous processing.

  • Right of access to data (Art. 15)

You may request a) the purposes of the processing; b) the categories of personal data concerned; c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; f) the right to lodge a complaint with a supervisory authority; g) where the personal data are not collected from the data subject, any available information as to their source; h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. You have the right to request a copy of the personal data undergoing processing.

  • Right to rectification (Art. 16)

You have the right to request the rectification of inaccurate personal data concerning you and to have incomplete personal data completed.

  • Right to erasure (Art. 17)

You have the right to obtain from the Data Controller the erasure of personal data concerning you if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, if you withdraw consent, if there are no overriding legitimate grounds to proceed with the profiling processing, if the data have been unlawfully processed, if the personal data have to be erased for compliance with a legal obligation; if the data relate to web services provided to minors without consent.

The erasure can take place unless the right to freedom of expression and information prevails, unless the data are kept for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority; for reasons of public interest in the area of public health; for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes or for the establishment, exercise or defence of legal claims.

  • Right to restriction of processing (Art. 18)

You have the right to obtain from the Data Controller restriction of processing where the accuracy of the personal data is contested by you (for a period enabling the controller to verify the accuracy of the personal data) or the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead; or the Data Controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims.

  • Right to data portability (Art. 20)

You have the right to receive the personal data concerning you provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller where the processing is based on consent or on a contract and the processing is carried out by automated means, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority and that such transmission does not adversely affect the rights and freedoms of others.

  • Right to object (Art. 21)

You have the right to object in whole or in part and at any time to the processing of your personal data if the processing is carried out for the pursuit of a legitimate interest of the Owner or for direct marketing purposes.

  • Right to contact the Guarantor for the protection of personal data (Art. 77)

Without prejudice to any other administrative or judicial remedy, if you consider that the processing of personal data relating to you infringes the Regulation on the protection of personal data, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement.

2.2 EXERCISE OF RIGHTS

For the effective exercise of your rights, you can ask the DATA CONTROLLER for information.