GDPR
This document provides an overview of the GDPR, outlining its regulatory context, scope, fundamental principles, data subject rights, and obligations related to personal data processing.
Ⅰ. Regulatory Context and Purpose
Since May 25, 2018, Regulation (EU) 2016/679 – GDPR has been directly applicable in all European Union member states.
In Italy, the Regulation is implemented through the Personal Data Protection Code, under the supervision of the Italian Data Protection Authority (Garante per la protezione dei dati personali).
The main objectives of the GDPR include:
strengthening data subjects' control over their personal data;
ensuring transparency and security in processing operations;
defining clear responsibilities and compliance obligations.
Ⅱ. Scope of Application
The GDPR applies, among other things, to:
entities established in the European Union, regardless of where data processing takes place;
non-EU entities that offer goods or services to users located in Italy or other member states, or that monitor their online behavior, for example through cookies or tracking technologies.
Processing carried out for exclusively personal or household purposes remains excluded.
Ⅲ. Fundamental Principles of Processing
All processing of personal data must comply with the principles established by the GDPR, including:
lawfulness, fairness, and transparency, based on a valid legal basis;
purpose limitation, using data exclusively for specified and legitimate purposes;
data minimization, limiting collection to what is strictly necessary;
accuracy, updating data where appropriate;
storage limitation, avoiding periods longer than necessary;
integrity and confidentiality, through appropriate technical and organizational measures.
Ⅳ. Data Subject Rights
Under the GDPR, data subjects can exercise, within the limits provided by law, the following rights:
right to information and access, to know the data processed and obtain a copy;
right to rectification, in case of inaccurate or incomplete data;
right to erasure (right to be forgotten), when the conditions provided are met;
right to restriction of processing, in specific situations;
right to data portability, in a structured and readable format;
right to object, particularly to processing based on legitimate interests.
For individuals under 18 years of age, data processing requires the explicit consent of the holder of parental responsibility, where applicable. Ⅴ. Obligations of Data Processors
Those who process personal data are required to comply with a series of obligations, including:
operating in accordance with the documented instructions of the Data Controller;
adopting appropriate security measures, such as encryption, access controls, and system protection;
responding to data subjects' requests within the prescribed deadlines;
notifying personal data breaches to competent authorities and, where necessary, to data subjects;
keeping a record of processing activities;
conducting, when required, a Data Protection Impact Assessment (DPIA);
designating and communicating a Data Protection Officer (DPO), where applicable.
Ⅵ. Data Transfers to Third Countries
The transfer of personal data outside the European Economic Area (EEA) is permitted only in the presence of adequate safeguards, such as:
an adequacy decision adopted by the European Commission; or
the adoption of Standard Contractual Clauses (SCCs), possibly accompanied by supplementary security measures, such as encryption.
Ⅶ. Supervisory Authority and Sanctions
In Italy, the Garante per la protezione dei dati personali is the competent authority for:
carrying out control and inspection activities;
limiting or suspending non-compliant processing operations;
imposing administrative fines that can reach 20 million euros or 4% of global annual turnover, if higher.
The GDPR also allows for providing instructions regarding data processing after death; in the absence of specific indications, such rights can be exercised by heirs in accordance with current legislation.
Ⅷ. Relevance of GDPR
The application of the GDPR contributes to:
improving protection and transparency for users;
strengthening compliant data management within digital services;
promoting a more reliable digital ecosystem, in line with Google and Google Merchant Center policies.
Ⅸ. Contacts
To exercise the rights provided by the GDPR or for requests relating to the processing of personal data, you can contact the Data Protection Officer (DPO):
Email: info@officinelac.com
Requests are handled based on specific circumstances and applicable law.