Privacy Policy

Information about data management on the website www.ricreature.eu

 

1. Purpose of the Policy:

Agnes Lorincz, Individual Entrepreneur (registered office: Via Savoia 09080 Boroneddu (OR), Italy.), hereinafter referred to as the "Entrepreneur," as data controller, carries out its data processing activities in accordance with the provisions of Regulation 2016/679 of the European Parliament and of the Council ("GDPR"). The purpose of this Notice is to provide visitors registered on the Entrepreneur's websites with information about the data processed by the Entrepreneur in the operation of the website and other activities related to data management. The terms used in this notice have the same meaning as defined in the EU Regulation 2016/679 ("GDPR").

2. Definitions:

- "Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

- "Processing" means any operation or set of operations that is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, structuring, storage, adaptation, or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

- "Restriction of processing" means the marking of stored personal data for the purpose of restricting their future processing

- 'Profiling' means any form of automated processing of personal data by which personal data are used to evaluate certain personal aspects relating to a natural person, in particular, to analyze or predict characteristics associated with the work performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements of that natural person

- 'Pseudonymization' means the processing of personal data in such a way that it is no longer possible to identify the natural person to whom the personal data relate without further information being required, provided that such further information is stored separately and technical and organizational measures are taken to ensure that no association with identified or identifiable natural persons is possible

- 'Filing system' means a set of personal data, structured in any way, whether centralized, decentralized or structured according to functional or geographical criteria, which is accessible on the basis of specified criteria; 7. 'controller' means the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for the designation of the controller may also be determined by Union or Member State law; 8. 'processor' means the natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller

- "Recipient" means a natural or legal person, public authority, agency, or any other body to whom or with which personal data is disclosed, whether or not a third party. Public authorities which may have access to personal data in the framework of an individual inquiry in accordance with Union or Member State law shall not be considered recipients; the processing of such data by those public authorities shall comply with the applicable data protection rules in accordance with the purposes of the processing

- 'Third party' means a natural or legal person, public authority, agency, or any other body other than the data subject, the controller, the processor, or the persons who, under the direct authority of the controller or processor, are authorized to process personal data

- 'Consent of the data subject' means a freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she signifies his or her agreement to the processing of personal data relating to him or her by means of a statement or an unambiguous act of affirmation

- 'Personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed

- 'Genetic data' means any personal data relating to the inherited or acquired genetic characteristics of a natural person which contains specific information about the physiology or state of health of that person and which results primarily from the analysis of a biological sample taken from that natural person

- 'Biometric data' means any personal data relating to the physical, physiological, or behavioral characteristics of a natural person obtained by means of specific technical procedures that allow or confirm the unique identification of a natural person, such as facial image or dactyloscopy data

- 'Health data' means personal data relating to the physical or mental health of a natural person, including data relating to the provision of health services to a natural person, which contain information about the health of the natural person

- "activity center": (a) in the case of a controller having establishments in more than one Member State, the place of its central administration within the Union; however, where decisions on the purposes and means of the processing of personal data are taken at another place of activity of the controller within the Union, and the latter place of activity has the competence to implement those decisions, the place of activity which took those decisions shall be considered the center of activity; (b) in the case of a processor having its place of business in more than one Member State, the place of its central administration within the Union or, where the processor does not have a central administration in the Union, the place of business of the processor within the Union where the main processing activities in relation to the activities carried out at the place of business of the processor take place, where the processor is subject to obligations under this Regulation

- 'Representative' means a natural or legal person established or resident in the Union and designated in writing by the controller or processor pursuant to Article 27 to represent the controller or processor in relation to the obligations incumbent on the controller or processor under this Regulation

- 'Undertaking' means any natural or legal person engaged in an economic activity, regardless of the legal form of that person, including partnerships or associations of persons engaged in a regular economic activity

- 'Group of undertakings' means the controlling undertaking and the undertakings controlled by it

- 'Binding Corporate Rules' means the rules on the protection of personal data that a controller or processor established in the territory of a Member State of the Union follows in one or more third countries in respect of the transfer or series of transfers of personal data by a controller or processor within the same group of undertakings or the same group of undertakings engaged in joint economic activities

- 'Supervisory authority' means an independent public authority established by a Member State in accordance with Article 51

- 'Supervisory authority concerned' means a supervisory authority that is concerned with the processing of personal data for one of the following reasons: a) the controller or processor is established in the territory of the Member State of that supervisory authority; b) the processing significantly affects or is likely to significantly affect data subjects residing in the Member State of the supervisory authority; or c) a complaint has been lodged with that supervisory authority.

- 'Cross-border processing of personal data' means: (a) the processing of personal data within the Union in the context of activities carried out by a controller or processor established in more than one Member State at sites located in more than one Member State; or (b) the processing of personal data within the Union in the context of activities carried out by a controller or processor at a single site in more than one Member State which substantially affects or is likely to substantially affect data subjects in more than one Member State

- 'Relevant and well-founded objection' means an objection to a draft decision raised with regard to whether this Regulation has been infringed or whether the envisaged measure concerning the controller or processor is in compliance with this Regulation; the objection must clearly demonstrate the significance of the risks posed by the draft decision to the fundamental rights and freedoms of data subjects and, where applicable, to the free flow of personal data within the Union

- 'International organization' means an organization governed by public international law or its subsidiary bodies or any other body which is established by or under an agreement between two or more countries.

 

3. Principles concerning the processing of personal data:

The Entrepreneur shall process personal data in a lawful and fair manner, for a specific purpose, in a data-sparing, accurate, limited storage, confidential and accountable, and transparent to the data subject.

Personal Data:

- collected only for specified, explicit, and legitimate purposes

- processed only in a manner compatible with those purposes

- be adequate and relevant

- be limited to the minimum necessary

- be accurate and, where necessary, kept up to date

- be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed

- ensure adequate security of the data during their processing, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage

​

4. Processing during registration and newsletter sending:

The fact of data collection and the purpose of data processing:

a) With regard to registration, the Entrepreneur offers individual sessions and group training for natural persons. The purpose is to provide direct information on current events and new services and to comply with the Entrepreneur's data reporting obligations pursuant to the Adult Education Act, Article 20/A (1) (c).

b) In relation to the sending of newsletters. In the absence of registration, the Entrepreneur will not send advertising messages, and the registered user may unsubscribe from receiving the newsletter orally, electronically, or by post. Registration for the newsletter requires acceptance of the privacy statement on the website.

Data subjects.

Date, time, surname, first name, email address, telephone number, billing address, and date of birth. Additional data that the Entrepreneur is obliged to record in the Adult Education Data Reporting System (hereinafter referred to as FAR): social security number and tax identification number.

Legal basis for data processing. Obligation to notify and provide data on group training courses and workshops pursuant to Section 20/A of the Fktv. In the event of the creation of an accounting voucher.

Duration of data processing: In the case of personal data processing based on voluntary consent, it is until the voluntary consent is withdrawn.  In the event of a request for erasure, personal data not subject to a legal obligation will be erased without delay.

 

5. Operating a contact point:

The fact of data collection and the purpose of data processing: Entrepreneur provides on the website the possibility for prospective partners to contact him directly. In order to use the contact point, it is necessary to accept the data protection statement on the website.

Data subjects: visitors who have given their consent via the Entrepreneur's contact point.

Data processed: name, telephone number, email address

Legal basis for data processing.

Duration of processing: until the data subject's consent is withdrawn. The data subject may withdraw his or her consent to the storage of his or her personal data at any time by contacting the contact details provided in the Data Security and Privacy Policy.

The data subject may revoke his or her consent to the processing of personal data.1.2.1.

 

6: Statistics about visitors of the website and the use of Google Analytics:

ricreature.eu wants to send cookies to your computer to enhance your user experience on the website. It is important for us to protect your personal data and to inform you about how it is used. The information is for information purposes only and is intended to help you enjoy your time on our website.

Definition of a cookie:

A small text file containing information that is stored on your computer when you visit a website. It is used to help websites remember what you did while you were there. For example, it stores information about whether you clicked on certain links or pages, logged in with your username, or read certain pages on the site months or even years before.

 

There are different types of cookies, and without them, websites will not work as you expect. Ricreature.eu also uses cookies to ensure the best user experience and only uses the most necessary and useful cookies.

What types of cookies are on ricreature.eu?

Cookies may be either persistent or valid at the time of use, and we distinguish between first-party and third-party cookies. Below we explain what these terms mean so that you can better understand the cookies we use and why we use them.

Cookies that are valid at the time of your browsing session:

Browsing session cookies allow you to be recognized when you visit a website so that any page changes or selections can be remembered by the browser from page to page. These cookies allow you to move quickly and easily through the many pages of a website without having to identify yourself or repeat processes on each page you visit. Cookies that are valid during a browsing session are temporary and expire as soon as you close your browser or leave the website.

Persistent cookies:

Persistent cookies are cookies that remain "persistent" on your computer for a certain period of time after the browsing session has expired and, therefore, allow you to recall users' preferences or actions during subsequent visits to the website.

Cookies from the website operator:

These are cookies from the website operator of the website you are browsing.

Third-party cookies:

Cookies may also be your own (internal) or third-party (external) cookies. Internal cookies are set by the website you visit, while external cookies are set by someone else. Ricreature.eu only allows the setting of external cookies that have been approved in advance.

Google Analytics files are used to monitor the site and to obtain information about how the site is used. This information is used to generate statistics and to develop the portal further. Google Analytics files store information in an anonymous form, such as the number of visitors to the site or sub-pages viewed. These files are set by Google Analytics. For more information, please visit http://www.google.com/analytics. To disable tracking by Google Analytics on all pages, please visit http://tools.google.com/dlpage/gaoptout.

To accept cookies:

We only place cookies on your computer, phone, or tablet with your consent. You can give this consent by clicking the "Accept" button on the cookie pop-up. If you do not wish to receive cookies linked to our website on your computer, phone, or tablet, you can refuse the cookie. Even if you initially consent to the use of cookies, you can always choose to disable and delete cookies in your internet browser settings.

Setting and deleting cookies

If you choose to opt out of cookies, you can delete them from your browser's cookie folder. You can set your browser to block cookies anyway or to display a warning message before a cookie is stored. These settings are usually available in your browser's "settings" or "preferences" menu. If you have further questions, we recommend you visit the 'All About Cookies' website: http://www.allaboutcookies.org

​

7 Other rights of data subjects:

- Right of access

The data subject has the right to receive feedback from the controller as to whether or not his or her personal data are being processed and, if such processing is ongoing, the right to access the personal data collected by the controller.

- Right to rectification

A data subject shall have the right to obtain, upon his or her request, the rectification of inaccurate personal data relating to him or her by the controller without undue delay. Having regard to the purposes of the processing, the data subject shall have the right to obtain the rectification of incomplete personal data, including by means of a supplementary declaration.

- Right to erasure

The data subject shall have the right to obtain, upon his or her request, the erasure of personal data concerning him or her without undue delay by the controller, and the controller shall be obliged to erase personal data without undue delay in the circumstances set out in Article 17(1) of Regulation EU 2016/679.

- Right to be forgotten

Where the controller has disclosed personal data and is under an obligation to erase it, it shall take reasonable steps, including technical measures, taking into account the available technology and the cost of implementation, to inform the controllers that process the data that the data subject has requested the erasure of the links to or copies or replicas of the personal data in question.

- Right to restriction of processing

The data subject shall have the right to obtain, at his or her request, the restriction of processing by the controller where one of the following conditions is met:

- the data subject contests the accuracy of the personal data, in which case the restriction shall apply for a period of time which allows the controller to verify the accuracy of the personal data

- the processing is unlawful, and the data subject opposes the erasure of the data and requests instead the restriction of their use

- the data processor no longer needs the personal data for the purposes of the processing, but the data subject needs them for the establishment, exercise, or defense of legal claims

- the data subject has objected to the processing; in this case, the restriction shall apply for a period of time until it is established whether the legitimate grounds of the controller override the legitimate grounds of the data subject.

- Right to data portability

A data subject shall have the right to receive personal data relating to him or her which he or she has provided to a controller in a structured, commonly used, machine-readable format and to transmit those data to another controller without hindrance from the controller to which he or she has provided the personal data if the processing is based on consent in accordance with Article 6(1)(a) of Regulation EU 2016/679 and the processing is carried out by automated means.

- Right to object

The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data based on Article 6(1)(a) of Regulation EU 2016/679, including profiling based on those provisions. In this case, the controller may no longer process the personal data.

- Automated decision-making in individual cases, including profiling

A data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

The previous paragraph shall not apply where the decision:

- necessary for entering into, or the performance of, a contract between the data subject and the controller

- is permitted by Union or Member State law applicable to the controller, which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or

- is based on the explicit consent of the data subject.

8. Time limits for taking action regarding the processing of the website:

The Entrepreneur shall provide information on the action taken in response to requests concerning the processing within 1 month of receipt of the request. This time limit may be extended by 2 months for legitimate reasons. The Entrepreneur shall provide information on the extension of the deadline within 1 month of receipt of the request, stating the reasons for the delay. If the Entrepreneur fails to take action on a request by a data subject, it shall inform the data subject without delay, but at the latest within 1 month of receipt of the request, of the reasons for the failure to take action and of the means of complaint to the supervisory authority and the courts.

9. Security of data processing:

The controller and the processor shall implement appropriate technical and organizational measures, taking into account the state of the art and the cost of implementation, the nature, scope, context, and purposes of the processing, and the varying degrees of probability and severity of the risk to the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the level of risk, including, where appropriate:

- pseudonymisation and encryption of personal data

- ensuring the continued confidentiality, integrity, availability, and resilience of the systems and services used to process personal data

- in the event of a physical or technical incident, the ability to restore access to and availability of personal data in a timely manner

- a procedure for regularly testing, assessing, and evaluating the effectiveness of the technical and organizational measures taken to ensure the security of data processing.

10. informing the data subject of the data protection incident and notifying the incident to the supervisory authority:

The Entrepreneur shall report the data protection incident to the competent supervisory authority without undue delay and no later than 72 hours after becoming aware of it unless the data protection incident is not likely to pose a risk to the rights and freedoms of natural persons.

If the personal data breach is likely to result in a high risk to the rights and freedoms of the data subjects, the controller shall inform the data subject of the personal data breach without undue delay.

11. Remedies:

The Entrepreneur shall delete the personal data if:

- where the personal data are no longer necessary for the purposes for which they were collected or otherwise processed

- the data subject withdraws his or her consent, and there is no other legal basis for the processing

- the data subject objects to the processing, and there is no overriding legitimate ground for the processing.

- the personal data have been unlawfully processed

- the personal data must be erased in order to comply with a legal obligation         

Persons entitled to erasure, amendment, or restriction of processing of personal data:

Agnes Lorincz Phone: + 39 351 891 2539; Email: creature@ricreature.eu

Contact the Data Protection Officer in case of prejudice to the rights of the data subject in the processing of personal data:

- Garante per la protezione dei dati personali (GPDP), Piazza Venezia, 11, 00187, Roma, Email: rpd@gpdp.it, web: garanteprivacy.it.

- The Tribunal of Oristano is competent for the place of establishment of the Entrepreneur as data controller, or the Tribunal is competent for the place of residence of the data subject, or the Tribunal is competent for the place of stay of the data subject.