Treatment of personal data (articles 13 and 14 of Regulation EU 2016/679 – GDPR)
Fondazione CISAM, based in Spoleto, Palazzo Ancaiani, Piazza della Libertà 12, hereby provides you with the information envisaged by the current regulation on personal data protection.
Data Controller
Fondazione Centro Studi sull’Alto Medioevo, head office in Spoleto (Perugia), Palazzo Ancaiani, Piazza della Libertà, 12 Tel.+39 0743 225630 Fax. +39 0743 49902 email : cisam@cisam.org
Data processing purposes
Whilst entering your user profile, we ask you to provide some information that will allow us to provide you with the requested service. We need you to provide your data, name, surname, email address and physical address are necessary in order for us to allow you to purchase our products and for us to comply with the relevant administrative and accounting obligations. Failure to provide such data shall prevent us from enabling your account and it shall be therefore impossible for you to purchase products online from our website. The lawful basis of data processing for the aforesaid purpose is set forth under article 6(1)(b) of Regulation (EU) 2016/679.
We may use the data you provide upon registration, in particular your email address, to send you information concerning new products available on the website, similar to the ones you have previously purchased, pursuant to article no. 130(h) of Legislative Decree no. 196/2003, as amended by Legislative Decree no. 101/2018. We hereby inform you that you may object to the use of your addresses for such purpose at any time, by sending an email to the Data Controller.
Data processing modalities
The data shall be processed, including by means of electronic devices, in accordance with the standards set by the current regulation on personal data protection. The Data Controller shall take the appropriate security measures to prevent the unauthorised access to, disclosure of, modification of or destruction of personal data.
Scope of data disclosure
Your personal data shall be processed by Fondazione CISAM staff that is authorised to process them. Some of your data may be disclosed to service providers Fondazione CISAM resorts to for providing the requested product (shipping company, credit/debit card payment service providers).
Data transfer
Your data shall not be transferred outside the European Union. It is understood that the Data Controller, should it be necessary, may transfer the data within the European Union and/or to third countries. In that case, the Data Controller hereby undertakes to make sure that the transfer of data to third countries shall take place pursuant to the applicable laws, if necessary by entering into agreements that ensure an appropriate level of protection and/or by adopting the standard contract provisions envisaged by the European Commission and/or binding corporate rules.
Data storage
All the personal data provided shall be processed in accordance with the lawfulness, appropriateness, relevance and proportionality standards and solely by means of the modalities, including digital and telematic, that are strictly necessary for pursuing the aforesaid purposes. Under all circumstances, personal data shall be stored for the strictly minimum period required to fulfil the aforesaid purposes.
Personal data for which no storage is required with reference to the aforesaid purposes shall be either deleted or made anonymous. Please note that the information systems adopted for managing the collected data are organised in such a way as to minimise the use of personal data.
Your rights
Being the data subject, the current regulation grants you the rights referred to under articles 15 and following of the GDPR, specifically the rights to:
a) obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; where the personal data are not collected from the data subject, any available information as to their source;
the existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
b) obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
c)obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing; c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2); d) the personal data have been unlawfully processed; e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
d) obtain from the controller restriction of processing where one of the following applies: a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject
e) receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where: a) the processing is based on a contract; b) he processing is carried out by automated means. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
f) object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
g) not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
h) lodge a complaint with a supervisory authority.
How to exercise your rights
You may exercise your rights at any time by contacting Fondazione CISAM, based in Palazzo Ancaiani, Piazza della Libertà, 12 – 06049 Spoleto (Perugia), tel. 0743 225630, email cisam@cisam.org.