The “Space Booking Smart” App is part of a product called Space Booking, developed by Durante S.p.A.
The software was developed according to the principles of “Privacy By Design” and “Privacy By Default”.
The Mobile application does not contain or collect personal data.
The Data Controller is the legal representative, or his delegate, of the company that purchases and uses the Space Booking product.
The actual content of the “Privacy Policy” statement is established and published by the company that uses the product.
This information is visible to the end user of the Mobile App after its configuration and connection to the Data Controller’s Space Booking server.
Regulation (EU) 679/2016, also known by the
English acronym GDPR, is the evolution of the existing legislation for the
protection of personal data of individuals that now includes, for example, the
implementation of new principles for user consent, the explicit right to
be forgotten and other requirements. Among the various innovations introduced, two
relate explicitly to software: the principles of Privacy by Design
and Privacy by Default. These principles, although not yet clearly defined, can
be understood as follows:
· The Privacy by Design
principle commits to taking into account the protection of privacy from the
initial stages of design and during the entire process of developing new
products, processes or services that involve the processing of personal data;
· The Privacy by Default
principle establishes that, by default, personal data must be processed only to
the extent necessary and sufficient for the intended purposes and for the
minimum period strictly necessary for these purposes.
A software provider that seriously applied the
aforementioned principles in its field of competence could at this point be
tempted to state that its own product is fully aligned with them, almost to the
point of releasing for it a sort of Declaration of Conformity; however, such a
Declaration is not applicable at the moment: neither formally, because it is
not provided for by the law, nor substantially, because it is not possible to
know in advance the real nature and use of the data by the Customer. In other words:
· A Customer that deals with personal data can be GDPR compliant;
· A service provider that acts as a "data processor" can be GDPR
compliant (for its part of the system);
· A software application can provide the basis for its implementation at the Client
to be compliant with the GDPR.
That said, Durante S.p.A.'s Space Booking software was
designed from the early stages of its development to make it as easy
as possible for an implementation to achieve compliance with the Regulation in
question. The following describes both the main data security measures introduced
in the design phase and the main implementation recommendations
that will allow the customer, once the product is implemented, to reach
compliance with the legislation, including the
necessary formal obligations.
To this end, it is appropriate to
recall some of the concepts present in the law, starting with a brief summary of the rights applicable to the specific case.
Pursuant to the GDPR, the Interested Person is the
identified or identifiable natural person, that is to say the natural person to
whom the personal data relate and who is the object of the protection measures. In
general, the adoption of these measures must be evaluated and contextualised taking into account the state of the art,
the implementation costs and the nature, the scope, the context and the
purposes of the processing, as well as the risks of varying likelihood
and severity for the rights and freedoms of natural persons. In this
context, primary importance is given to the protection of what the legislation
identifies as Particular Categories of Data, usually called Sensitive
Data.
- Right of Access: Users have the right to access any personal
data and to know and verify the legitimacy of the processing.
- Right of Rectification: Users have the right to have collected data
rectified if it is inaccurate or incomplete.
- Right to be Forgotten: Users have the right to obtain the
removal or deletion of their personal information, where there are no
compelling reasons for a company to continue processing this
information.
- Right to Portability: Users have the right to obtain and
re-use their personal data for their own purposes through various services, to
move, copy or transfer personal data easily from one computer environment to
another in a secure manner, without obstacles to usability.
- Right of Opposition: Users have the right to object to the
use of any personal data for the purposes of direct marketing, definition of
profiles or processing for research or statistical purposes.
- The right not to be subject to decisions: Any wholly automated processing
activity that leads to decisions that have an impact on people in a
sufficiently significant manner is prohibited, unless such processing is
justified by the execution of a contract, authorized by law, or
conducted after explicit consent.
It is recalled that, based on a Provision of the
Guarantor for the Protection of Personal Data concerning the attribution of
technical functions corresponding or similar to those of system
administrator or database
administrator, the appointment of this figure is necessary if these functions
are exercised in a context that makes it technically possible for them to have
access, even fortuitous, to personal data. This is certainly the case for the
administrator of the server where the product is installed, so the related
responsibilities must also be extended to the scope of the data managed by
the application.
With regard to the role of the Technical User, this
takes the form of Data Processor (full or external, if the management is
contractually entrusted to Durante S.p.A.), for which the legislation requires
the formalization of the related assignment. Please note that in the event of
significant breaches of personal data ("Data Breach"), it is up to
the Data Processors to report the event to the Guarantor Authority within 72
hours; if there is a high risk for the rights and freedoms of the persons
concerned, the Managers should also inform the persons concerned.