Policy GDPR

EU Regulation 2016/679 – GDPR

Company policy for the protection of personal data, intended to protect the fundamental rights and freedoms of the natural persons who use the site.


1. PURPOSE
2. DESCRIPTION
3. SCOPE
4. INFORMATION SECURITY POLICY
5. RESPONSIBILITY OF INFORMATION SECURITY POLICY


1. PURPOSE

The purpose of this document is to describe the general principles of security and the privacy obligations concerning information and personal data, as defined by the Data Controller and guaranteed to all subjects involved in data processing. The aim is to develop an efficient and secure management system of procedures and processes for the security of personal data, respecting the fundamental rights and freedoms of individuals, in compliance with European Regulation 2016/679, hereinafter the GDPR.


2. DESCRIPTION

bluAlghero-Sardinia intends to pursue information security objectives for personal data and for its technological, physical, logical and organizational structure and their management. This means achieving and maintaining a secure information management system by respecting the principles set out in Articles 5 and 6 of the GDPR:

  • Lawfulness, fairness and transparency;
  • Data are collected and managed solely for the specified, explicit and legitimate contractual purposes, and are not subsequently processed in a way that is incompatible with those purposes;
  • Data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimization” principle);
  • Data are accurate and, where necessary, kept up to date; every reasonable step must be taken to erase or rectify inaccurate data in relation to the purposes for which they are processed (“accuracy”);
  • Data are kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which they are processed;
  • Data are processed in a way that ensures appropriate security of personal data, including protection, by means of appropriate technical and organizational measures, against unauthorized or unlawful processing and against accidental loss, destruction or damage (“principle of integrity and confidentiality”);
  • Safeguard the consistency of information against unauthorized changes;
  • Ensure the reliability of the information source channels;
  • Ensure the protection and control of personal data.


3. SCOPE

The policy for the protection of personal data applies to all processes and resources involved in the design, implementation, start-up and continuous delivery of the services.

The products and services supplied and the methods of their delivery are described below.

Products and services:
Web platform for the promotion of the territory and the offer of tourist services, including booking and assistance to tourists. Advertisements for accommodation and companies.


4. INFORMATION SECURITY POLICY


  • The verification of the data that will be processed, identifying the various types of data and the categories they belong to. The verification of the purpose of each processing operation and of the legal basis on which each of them rests, also in order to provide adequate information to the parties concerned, as required by Articles 13 and 14 of the GDPR;
  • The preparation (or updating) of the information notice that must be provided to data subjects, including all the elements indicated in Articles 13 and 14 of the GDPR. In particular, data subjects must be made aware of the rights the Regulation grants them (right of access, right to be forgotten, right of rectification, right to restriction of and objection to processing, right to data portability). Where the customer is the data controller, the information notice for the subjects involved in the processing is provided by the customer, if data collection is required in the software or services used;
  • The establishment of a procedure to be adopted in the event of a personal data breach (the so-called Data Breach referred to in Articles 33 and 34 of the GDPR), for example the disclosure (intentional or otherwise), destruction, loss, modification of, or unauthorized access to, personal data being processed. The GDPR sets specific obligations in the event of a breach of this kind, whether caused by an IT attack, abusive access or an accident. In these cases Article 33 of the GDPR requires the Data Controller to notify the supervisory authority of the breach within 72 hours (or in any case without undue delay). Where the breach is also likely to result in a high and present risk to the rights and freedoms of the data subjects, the data subjects themselves must also be informed directly and without delay of what happened;
  • Under Article 35 of the GDPR, it is the responsibility of the Data Controller (with the possibility of consulting the Data Protection Officer, if appointed) to carry out a data protection impact assessment whenever a type of processing, taking into account the nature, scope, context and purposes of the processing itself, presents a high risk to the rights and freedoms of natural persons. It should be noted that the GDPR does not establish an unconditional obligation to carry out the impact assessment; however, the Regulation does provide for a general obligation, on the part of the Data Controller, to implement appropriate measures to adequately manage the risks to the rights and freedoms of data subjects that may derive from the processing of their data. It is therefore advisable to carry out the impact assessment even when the Data Controller is not under a legal obligation to do so.
  • Articles 37, 38 and 39 introduce a further obligation on the Data Controller, namely the designation of the Data Protection Officer (DPO). Under Article 37 of the GDPR this appointment is mandatory only in a specific set of cases: where the processing is carried out by a public authority or body (except for courts acting in their judicial capacity); where the core activities of the controller or processor consist of processing operations which, by their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; and, finally, where the core activities consist of large-scale processing of sensitive data or of data relating to criminal convictions and offences, including the unlawful processing of personal data. As also suggested by the Article 29 Working Party, the independent advisory body made up of a representative of the personal data protection authority appointed by each Member State, which prepared the Guidelines and recommended the regular appointment of a data protection officer, this figure may in any case be designated on a voluntary basis by the controller or the processor even when the Regulation does not specifically require the appointment of a DPO.

5. RESPONSIBILITY OF INFORMATION SECURITY POLICY

The “data controller” and the “manager” are responsible for the information management system, keeping it in line with the evolution of the company and of the market context and evaluating possible actions to be taken in response to events such as:

  • Significant changes in the business;
  • New threats compared to those considered in the risk analysis activity;
  • Significant security incidents;
  • Evolution of the regulatory or legislative framework on the secure processing of information.


Updates regarding the use of cookies and the rules on the processing of personal data can be viewed on the Cookie and Privacy pages of the blualghero-sardinia website.


Happy surfing!


Lucia Pisanu

OWNER blualghero-sardinia.com