Privacy Policy pursuant to Art. 13 of EU Regulation 2016/679
In compliance with the above-mentioned information obligations of the European Data Protection Regulation 2016/679, whose aim is to protect the fundamental rights and freedoms of natural persons and in particular, their right to the protection of personal data, you should read some information that may help you to understand the reasons for which your personal data will be processed.
1- Data Controller
Wonder S.p.A., with registered office in via Boschetto, 10, 26100 Cremona, Tax Code and VAT no. 00106500192, hereinafter referred to as "Data Controller", guarantees compliance with the regulations on the protection of personal data by providing the following information on the processing of data pursuant to Art. 13, EU Regulation 2016/679 (General Data Protection Regulation – GDPR) and subsequent amendments.
2- Data processed, purposes and legal bases of the processing
Your personal data, including data of a particular type (concerning your state of health), will be processed by the Data Controller in order to ensure safe access to the structure by third parties, and will be processed in accordance with the principles of correctness, lawfulness, transparency and protection of your privacy and your rights, so as to avoid harm to health related to the spread of the sars-COV 19 virus.
The legal basis of the processing is the protection of vital interests of you or other natural persons (Art. 6, letter d of EU Regulation 679/2016 – GDPR).
3- Nature of data provision
The provision of the data specified above is optional but any refusal to provide them in whole or in part will make it impossible to access our structure for the performance of the requested activity.
4- Places and methods of data processing and retention times
Data collected by the site are processed at the Data Controller's headquarters and at AWS US-East-1 data centers in Virginia USA, US-West-1 data center in California USA, or US-West-2 data center in Oregon USA that are used by the visitor registration service provider Envoy Inc. (privacy policy https://envoy.com/privacypolicy/ – data security https://envoy.com/security-details/).
The processing will be carried out exclusively in digital form.
The data are kept for the time strictly necessary to manage the purposes for which the data are processed ("conservation limitation principle", Art. 5, EU Regulation 2016/679) and in any case no longer than 1 year after collection.
In any case, the Data Controller practices rules that prevent the retention of data for an indefinite period of time and therefore limits the retention time in compliance with the principle of minimising data processing.
The data may be further retained only in compliance with specific legal obligations.
5- Subjects authorised to process data, data processors and communication of data
Your data will be processed exclusively by the Data Controller through specially trained personnel.
Personal data of a particular type collected, within the limits pertinent to the processing purposes indicated and as necessary and/or instrumental to the execution of the same purposes, may be processed by third party medical personnel for the correct fulfilment of the purposes set out in point 2.
The data collected may be provided, upon legitimate request by the Judicial Authority, only in the cases provided for by law.
Your personal data will in no case and for no reason whatsoever be disclosed.
6- Transfer of Data to Non-EU Countries
Data collected will be transferred outside the EU to AWS US-East-1 data centers in Virginia USA, US-West-1 data centers in California USA, or US-West-2 data centers in Oregon USA that are used by the visitor registration service provider Envoy Inc. (privacy policy https://envoy.com/privacypolicy/ – data security https://envoy.com/security-details/) which adheres to the agreement regulating the transfer of data between the European Union and the USA (so-called Privacy Shield https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/5306161).
7- Rights of the Data Subject
In relation to the Personal Data communicated, the Data Subject has the right to exercise the following rights:
- a. (Art. 7.3 EU Regulation 679/2016 – GDPR) withdrawal of consent;
- b. (Art. 15 EU Regulation 679/2016 – GDPR) access and request a copy;
- c. (Art. 16 EU Regulation 679/2016 – GDPR) request correction;
- d. (Art. 17 EU Regulation 679/2016 – GDPR) request cancellation ("right to be forgotten");
- e. (Art. 18 EU Regulation 679/2016 – GDPR) obtain the limitation of processing;
- f. (Art. 20 EU Regulation 679/2016 – GDPR) receive them in a structured, commonly used and machine-readable format for the purpose of exercising the right to portability;
- g. (Art. 21 EU Regulation 679/2016 – GDPR) oppose the processing.
The Data Subject may exercise his or her rights, as well as request further information regarding his or her Personal Data, by sending an email to [email address omitted], specifying in the subject line the content of his or her request and attaching the relevant request form which may be downloaded from the links available in the list above.
Requests relating to the exercise of the user's rights will be processed without undue delay and, in any case, within one month of the request; only in cases of particular complexity and according to the number of requests may this period be extended by a further 2 (two) months.
We remind you that it is the right of the Data Subject (Art. 77 EU Regulation 679/2016 – GDPR) to lodge a complaint with the Data Protection Authority, located in Rome, Piazza Venezia 11, 00187, email [email address omitted].
***
Last updated: July 23, 2023