Having regard to the full text of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
Entry into force and application (Article 99)
This Regulation shall enter into force on the twentieth day following its publication in the Official Journal of the European Union.
It shall apply from 25 May 2018. This Regulation shall be binding in its entirety and directly applicable in all Member States. Done at Brussels, 27 April 2016 For the European Parliament (1) OJ C 229, 31.7.2012, p. 90. (2) OJ C 391, 18.12.2012, p. 127. (3) Position of the European Parliament of 12 March 2014 (not yet published in the Official Journal) and position of the Council at first reading of 8 April 2016 (not yet published in the Official Journal). Position of the European Parliament of 14 April 2016. (4) Directive 95/46 / EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31). (5) Commission Recommendation of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (C (2003) 1422) (OJ L 124, 20.5.2003, p. 36). (6) Regulation (EC) No. 45/2001 of the European Parliament and of the Council, of 18 December 2000, concerning the protection of individuals in relation to the processing of personal data by the Community institutions and bodies, as well as the free circulation of such data (OJ L 8, 12.1 . 2001, page 1). (7) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 concerning the protection of individuals with regard to the processing of personal data by the competent authorities for the purposes of prevention, investigation, verification and prosecution of offenses or the execution of criminal sanctions, and the free movement of such data and repealing Council Framework Decision 2008/977 / JHA (See page 89 of this Official Journal). (8) Directive 2000/31 / EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the internal market (‘Directive on electronic commerce ‘) (OJ L 178, 17.7.2000, p. 1). (9) Directive 2011/24 / EU of the European Parliament and of the Council of 9 March 2011 on the application of patients’ rights in cross-border healthcare (OJ L 88, 4.4.2011, p. 45). (10) Council Directive 93/13 / EEC of 5 April 1993 concerning unfair terms in consumer contracts (OJ L 95, 21.4.1993, p. 29). (11) Regulation (EC) no. 1338/2008 of the European Parliament and of the Council of 16 December 2008 on Community statistics on public health and health and safety at work (OJ L 354, 31.12.2008, p. 70). (12) Regulation (EU) no. 182/2011 of the European Parliament and of the Council of 16 February 2011 establishing the rules and general principles relating to the methods of control by the Member States of the exercise of implementing powers attributed to the Commission (OJ L 55 of 28.2.2011 , p. 13). (13) Regulation (EU) no. 1215/2012 of the European Parliament and of the Council of 12 December 2012 on jurisdiction, recognition and enforcement of judgments in civil and commercial matters (OJ L 351 of 20.12.2012, p. 1). (14) Directive 2003/98 / EC of the European Parliament and of the Council of 17 November 2003 on the re-use of public sector information (OJ L 345, 31.12.2003, p. 90). (15) Regulation (EU) no. 536/2014 of the European Parliament and of the Council of 16 April 2014 on clinical trials of medicinal products for human use and repealing Directive 2001/20 / EC (OJ L 158 of 27.5.2014, p. 1). (16) Regulation (EC) No. 223/2009 of the European Parliament and of the Council of 11 March 2009 on European statistics and repealing Regulation (EC, Euratom) no. 1101/2008 of the European Parliament and of the Council, concerning the transmission to the Statistical Institute of the European Communities of statistical data protected by secrecy, Regulation (EC) no. 322/97 of the Council, on Community Statistics, and Council Decision 89/382 / EEC, Euratom, establishing a Statistical Program Committee of the European Communities (OJ L 87, 31.3.2009, p. 164). (17) OJ C 192, 30.6.2012, p. 7. (18) Directive 2002/58 / EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications ) (OJ L 201, 31.7.2002, p. 37). (19) Directive (EU) 2015/1535 of the European Parliament and of the Council
(General Data Protection Regulation) General Data Protection Regulation EU 2016/679 governs the protection of persons and other subjects regarding the processing of personal data, treatment that must be based on principles of correctness, lawfulness and transparency and protection of its confidentiality and your rights, in relation to the personal data you will come into possession of. The European standard, in fact, establishes new rules for organizations that hold and process data of individuals residing in the European community, regardless of where they are located. The Regulation is in direct force in all EU countries starting from 25 May 2018. The GDPR regulates the protection of data of natural persons with reference to both the processing and the free circulation of such data and pursues two main purposes:
raise awareness and make the “interested parties” (natural persons) aware when they make their personal data available;
empower both private companies and public authorities that use personal data in the context of their activities.
The holders must, therefore, must declare to the interested parties, in a transparent way, the purposes of the processing and the data booking measures. The regulation confirms that any processing of personal data must be based on a suitable legal basis; the data controllers are required to follow a path of adaptation to the rules, in compliance with the foundations of lawfulness of the processing, which coincide in principle with those already provided for by the Privacy Code Legislative Decree 196/2003 (consent, compliance , contractual obligations, legal obligations to which the owner is subject, etc.).
The owner must always be able to demonstrate that everything possible has been done to avoid and prevent the unauthorized dissemination of sensitive information, even up to the self-report in case of violation or theft of archives containing sensitive data.
The owner must carry out the following activities:
1) provide clear information to data subjects on data collection; (2) highlight the purposes of the processing and the cases of use; (3) define the data retention and deletion criteria; (4) protect personal data with appropriate security measures; (5) employ a data protection officer (for large organizations; (6) report violations to authorities; (7) keep records;
proceed with personal and employee training.
From the moment personal data is collected, their protection and the use for which the information is collected must be clearly stated and organized. It is not allowed: (1) to collect or manage data without specifying the purposes; (2) hold information once the purpose in execution of the right to be forgotten of the interested parties has ceased.
As a result of the accountability principle, there is no minimum list of precautions to be taken but in the event of a request from the authorities or unauthorized disclosure of personal data, it is necessary to demonstrate that everything possible has been done to protect them according to the means available. Otherwise, penalties of up to 20 million euros or up to 4% of turnover are envisaged, imposed by the privacy authority following the checks carried out by the judicial police. These changes affect the organizational processes of companies and professionals and apply to everyone, from public activities to small and medium-sized enterprises.
Therefore, whoever processes sensitive data relating to the privacy of the person concerned must specify:
the data controller, that is, specify who is the subject who processes the data;
the data protection officer, clearly and transparently identifying a responsible person; the purposes of the data processing, in fact, the processing is aimed solely for the realization of the purposes pursued by the subject who processes said data within the limits of the statutory provisions envisaged and in compliance with the provisions of the GDPR General Data Protection Regulation EU 2016/679 ; the processing of categories of personal data, in fact, it is forbidden to process personal data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as to process genetic data, biometric data intended to identify in uniquely a natural person, data relating to a person’s health or sexual life or sexual orientation. This prohibition does not apply if the interested party has given his explicit consent to the processing of such personal data for one or more specific purposes;
indicate the retention period of personal data; inform about the rights of the interested party, in fact, the interested party has the right to ask the data controller to access personal data and to correct or delete them or limit the processing of personal data concerning him and to oppose their processing, in addition to the right to data portability;
informing about the right to complain, in fact, the interested party has the right to lodge a complaint with the competent authority; indicate the source of the personal data, for example from where said personal data are extracted. Indicate the automated decision-making process relating to natural persons including profiling. The interested party has the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or which significantly affects his person, this does not apply in the event that the decision is based on the consent of the interested party. Profiling consists of the automated processing of personal data and the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning professional performance, economic situation, health, personal preferences. , the interests, reliability, behavior, location or travel of that natural person. The automated decision-making process is the tool that allows the operator to make decisions with technological means without human intervention or involvement. Automated decisions can be based on data provided directly by the persons concerned, for example through a questionnaire, or obtained by observing people or deriving from a previously created individual profile;
specify the information provided by the data controller. The data controller provides the personal data information within a reasonable time after obtaining the personal data, but at the latest within one month, in consideration of the specific circumstances in which the personal data are processed and in the event that the personal data are intended for communication with the interested party, at the latest at the time of the first communication to the interested party; or if communication to another recipient is envisaged, no later than the first communication of personal data;
specify the methods of processing personal data. If the data controller intends to further process the personal data for a purpose other than that for which they were obtained, before such further processing, it provides the data subject with information on this different purpose and any other relevant information.
Information pursuant to the GDPR general regulation on data protection eu 2016/679
Dear user concerned pursuant to the GDPR General Data Protection Regulation EU 2016/679 which governs the protection of persons and other subjects regarding the processing of your personal data, based on principles of correctness, lawfulness and transparency and protection of your privacy and of your rights, in relation to the personal data that this Company will come into possession of, we inform you of the following:
Purpose of data processing
The processing is aimed solely at the achievement of the Company’s purposes which are reflected in the activity relating to the operation of the site in accordance with the provisions of the GDPR General Data Protection Regulation EU 2016/679. Specifically, we process your personal data for the purpose of purchasing and delivering products and services and, therefore,to receive and manage orders, provide products and services for payments and to communicate with you the orders you have placed or to communicate with you regarding our services with different channels such as email or mobile phone.
Treatment of categories of personal data
It is forbidden to process personal data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as to process genetic data, biometric data intended to uniquely identify a natural person, related data a person’s health or sexual life or sexual orientation. this prohibition does not apply if the interested party has given his explicit consent to the processing of such personal data for one or more specific purposes and in the following cases: (a) the interested party has given his explicit consent to the processing of such personal data for one or more specific purposes, except in cases where the law of the Union or of the Member States provides that the interested party cannot revoke the prohibition referred to in paragraph 1; (b) the processing is necessary to fulfill the obligations and exercise the specific rights of the data controller or the data subject regarding labor law and social security and social protection, to the extent authorized by Union law or of the Member States or by a collective agreement under the law of the Member States, in the presence of appropriate safeguards for the fundamental rights and interests of the data subject; (c) the processing is necessary to protect a vital interest of the data subject or of another natural person if the data subject is physically or legally unable to give his / her consent; (d) the processing is carried out, in the context of its legitimate activities and with adequate guarantees, by a foundation, association or other non-profit organization that pursues political, philosophical, religious or trade union purposes, provided that the processing concerns only the members, former members or persons who have regular contact with the foundation, association or body for its purposes and that personal data are not disclosed externally without the consent of the interested party; (e) the processing concerns personal data made manifestly public by the interested party; (f) the processing is necessary to ascertain, exercise or defend a right in court or whenever the judicial authorities exercise their judicial functions; (g) the processing is necessary for reasons of significant public interest on the basis of Union or Member State law, which must be proportionate to the purpose pursued, respect the essence of the right to data protection and provide for appropriate and specific measures to protect the fundamental rights and interests of the data subject; (h) the processing is necessary for the purposes of preventive medicine or occupational medicine, assessment of the employee’s working capacity, diagnosis, health or social assistance or therapy or management of health or social systems and services on the basis of Union law or Member States or in accordance with the contract with a health professional, subject to the conditions and guarantees referred to in paragraph 3; (i) the processing is necessary for reasons of public interest in the public health sector, such as protection from serious cross-border threats to health or the guarantee of high standards of quality and safety of healthcare and medicines and devices doctors, on the basis of Union or Member State law which provides for appropriate and specific measures to protect the rights and freedoms of the data subject, in particular professional secrecy; (j) the processing is necessary for archiving purposes in the public interest, for scientific or historical research or for statistical purposes in accordance with Article 89, paragraph 1, on the basis of Union or national law, which is proportionate to the aim pursued, respects the essence of the right to data protection and provides for appropriate and specific measures to protect the fundamental rights and interests of the data subject.
Data retention period
Personal data will be kept for the entire duration of the browsing session on the site. once said retention terms have elapsed as specified above, your personal data will be destroyed, deleted or made anonymous, compatibly with the technical cancellation and backup procedures. We keep your personal data exclusively to allow you to use our services continuously for the time necessary to pursue our purposes as described here.For example, we keep the history of your transactions so that you can examine the purchases made by you and, therefore , repeat orders if you wish and shipping addresses to improve our services.
Rights of the interested party
The interested party has the right to ask the data controller to access personal data and to rectify it
Right of complaint
The interested party has the right to lodge a complaint with the competent authority for the control and compliance with the rules on the protection of personal data which in Italy is represented by the Guarantor for the Protection of Personal Data.
The personal data of the interested party are acquired by browsing and / or using the site. In general, the data of the users concerned relating to the IP addresses or domain names of the computers used by the users who connect to the site, the addresses in URI notation (uniform resource idebtifier) of the requested resources, the time of the request, the method are acquired. used in submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (e.g. Success, error, etc.), other parameters relating to the operating system and the IT environment of the ‘user, the information relating to the user’s behavior on the site, the pages that have been visited or searched, in order to select and make specific advertisements to the user of the site and the data relating to the browsing behavior held on the site using, for for example, cookies. In the processing of personal data that can, directly or indirectly, identify your person, we try to respect a principle of strict necessity. For this reason, we have configured our site in such a way that the use of personal data is reduced to a minimum and in such a way as to limit the processing of personal data that allow us to identify the person of the user only in case of need and upon request. of the authorities and police forces such as data relating to traffic and its stay on the site or its IP address or to ascertain responsibility in case of hypothetical computer crimes against the site. . When you use our site you provide us with information when you are looking for a product or service or when you place an order or contact us for assistance. In these cases, in fact, you provide us with data such as your contact details, delivery address or payment details. Specifically, you provide us with data directly when you communicate with us by phone, email or otherwise or when you fill out the forms in order to obtain a refund or to obtain a product replacement. In carrying out the activities as described above, therefore, you provide us with personal data relating to your name and surname, your address, your telephone number, your email, your age. While we automatically acquire information relating to your IP address, the URL path including date and time, the number of cookies, the product and content you have viewed or searched for, page load times, download errors, duration of navigation on the pages visited and the telephone numbers used to call our customer service, we can also receive updated information on delivery and address from our couriers from other sources in order to deliver your next orders more easily and quickly.
The data controller of your personal data is Hit-Italia-s.a.s. based in Settimo di Montalto Uffugo 87046 (CS) at Via Benedetto Croce n.156 email: email@example.com – tel. +39_0984_1905924 .The person in charge of the protection of your personal data Hit-Italia-SAS based in Via Benedetto Croce n.156 – Settimo di Montalto Uffugo 87046 – Cosenza email: firstname.lastname@example.org – tel. 0984_1905924 Although not specifically reported here, we refer in full to the GDPR General Data Protection Regulation EU 2016/679. We also inform you that while browsing our site some personal data are automatically acquired through the use of normal internet communication protocols. This information, which is collected not for the purpose of being associated with specific interests, could, as a result of processing and association with data already held by the Company or by third parties, to allow the identification of users of the site. In this case, Hit-Italia-Sas will not be held responsible. If you wish to stop sending your personal data, please notify us by e-mail to the following email address email@example.com in this case you will not be able to use our services.
automated decision-making process relating to natural persons including profiling
The interested party has the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or which significantly affects his person, this does not apply in the event that the decision is based on the consent of the interested party. Profiling consists of the automated processing of personal data and the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning professional performance, the situation economic, health, personal preferences, interests, reliability, behavior, location or travel of said natural person. The automated decision-making process is the tool that allows the operator to make decisions with technological means without human intervention or involvement. Automated decisions can be based on data provided directly by the persons concerned, for example through a questionnaire, or obtained by observing people or deriving from a previously created individual profile. Your personal data will be processed with automated tools for the time strictly necessary to achieve the purposes for which they were collected and in compliance with the principle of necessity and proportionality, avoiding the processing of personal data if the operations can be carried out through the use of the data. we have adopted specific security measures to prevent the loss of personal data, illicit or incorrect use and unauthorized access but we advise you not to forget that it is essential for the security of your data that your device is equipped of tools such as antivirus constantly updated and that the provider that provides your connection to the internet guarantees the safe transmission of data through firewalls, antispamming filters and similar safeguards.
Information provided by the data controller
The data controller provides the personal data information within a reasonable time after obtaining the personal data, but at the latest within one month, in consideration of the specific circumstances in which the personal data are processed and in the event that the personal data are intended for communication with the interested party, at the latest at the time of the first communication to the interested party; or if communication to another recipient is envisaged, no later than the first communication of personal data. Some personal data are strictly necessary for the operation of the site, others may be used for the sole purpose of obtaining anonymous statistical information on the use of the site and to check its correct functioning, and are deleted immediately after processing. You can access your data which includes your name and surname, your address, your telephone number, your email and the method of your payment.
Personal data security and legal basis
Our systems are designed to ensure the security and privacy of your personal data. In fact, we are committed to protecting the security of your personal data by adopting physical, electronic and organizational security measures. We could, therefore, ask to verify the identity of the person who asks us for their personal data. Furthermore, our systems and devices offer security to protect your data from loss or unauthorized access. however, it is also important that you take appropriate measures to prevent unauthorized access to your password on your computer, device or application.
The General Data Protection Regulation of the European Union requires that the processing of personal data be based on a legal basis. For the processing of your personal data we use the legal basis of the execution of a contract of which the interested party (you) is a party pursuant to Article 6 of the GDPR (General Data Protection Regulation) EU General Data Protection Regulation 2016/679 when we provide you with products or services or communicate with you about them. This legal basis includes where we use your personal data to receive and manage your orders, provide orders and services and process payments.
The data relating to our customers are essential for our business and, therefore, we do not disclose such personal data of our customers to third parties. In the event that it becomes necessary to communicate your personal data to third parties, you will be promptly informed and you can choose whether or not to consent to this communication to third parties.
Right of withdrawal and methods of exercise: The Legislative Decree 206/05 adjadorned with the Legislative Decree 21/2014 of the Consumer Code provides that the consumer (ie a natural person who purchases the goods for purposes not related to his professional order present on the website in question), for purchases made online, can exercise the right of withdrawal within 14 days of receipt of the purchased product which must, consequently, be returned to the seller with shipping costs to be paid by the consumer within 14 days. Therefore, to exercise the right of withdrawal, the consumer must simultaneously: (1a). download, fill in and sign the form of the will to exercise the right of withdrawal which is located at the following link: www.hitshop.es/asistencia-y-devoluciones/reembolso
(2a) send said form with attached identity document to the following address Hit_Italia_sas Via Benedetto Croce n.156 – Settimo di Montalto Uffugo 87046 – Cosenza by registered letter with return receipt within 14 days; (3a). send the package with the product subject to the right of withdrawal in its original packaging to the same address as in point n (2a) with shipping costs to be paid by the consumer within 14 days. The seller, having received the package with the product subject to the right of withdrawal, provides, within 14 working days, to reimburse the price of the product using the same payment method adopted during the purchase or to replace the product after verbal agreement with the customer himself. Attention The right of withdrawal applies to the product purchased in its entirety; it is not possible to exercise withdrawal only on part of the purchased product. The purchased good must be intact and returned complete in all its parts including any accessory equipment. The shipping costs for returning the goods are fully charged to the customer in case of purchase with the cash on delivery method of payment. The product shipped, until the certificate of receipt in our warehouse, is under the complete responsibility of the customer; in case of damage to the goods during transport, he will notify the Customer of the incident to allow him to promptly file a complaint against the courier he has chosen and obtain a refund of the value of the goods (if insured); in this case, the product will be made available to the Customer for its return, at the same time canceling the request for withdrawal; Hit-Italia-sas is not responsible in any way for damage or theft / loss of goods returned by uninsured shipments; Upon its arrival at the warehouse, the product will be examined to assess any damage or tampering not caused by transport. Should the product or any accessory equipment be damaged, it will not be possible to obtain a refund of the price which will be allowed only in the event that the returned product is intact. Hit-Italia-sas will refund the Customer the full amount already paid, in the shortest possible time and in any case within 14 (fourteen) days from the date on which the communication of the right of withdrawal is received as well as the shipment of the product by the consumer.The reimbursement of the price of the product will take place through the same payment method adopted during the purchase or by another method that will be promptly communicated to the customer. Refunds will be issued after 14 working days provided the product arrives intact and without damage or wear at our warehouses. The conditions contained in this document may be modified by us, without notice and will be valid from the date of publication on the website. We therefore invite our customers to periodically read this document.
Right of withdrawal, exclusions:
We remind our customers that for beauty and / or cosmetic products, for services provided in relation to IT certifications, training credits, services of any kind, for food products, for service contracts, for the supply of goods, for the supply of made-to-measure goods, of goods that risk deteriorating, of sealed goods, of goods inseparably mixed with others, for the supply of alcoholic beverages, for the supply of audio recordings, for the supply of newspapers, for the service of rental or catering for sale on our site you cannot exercise the right of withdrawal as these products fall within the cases listed in art. 59 of Legislative Decree 205/2006 entitled “Exceptions to the right of withdrawal” which provides for the exclusion of the right of withdrawal for: (a) service contracts after the complete provision of the service if the execution has begun with the agreement expressed by the consumer and with the acceptance of the loss of the right of withdrawal following the full ese.