Privacy Policy

Objectives and definitions

Data controller

WEDDINGITALY Srl (hereinafter also the "Data Controller" or the "Organization"), pursuant to EU Regulation 2016/679 and Legislative Decree 196/2003, Code for the Protection of Personal Data (hereinafter also the "Privacy Code"), is the data controller of the data relating to identified or identifiable natural persons that it must use in the exercise of its activities to pursue its institutional purposes.

This document contextualizes the Data Controller's personal data processing activities and describes the "Privacy Organizational Model" adopted by the Organization, i.e., the set of guidelines, operational provisions, and internal documentation aimed at regulating the Organization's personal data processing. 

The organizational structure consists of an office open to the public at Viale Venezia 6, 33100 Udine.

Definitions

Regulation: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (hereinafter also referred to as “GDPR” - General Data Protection Regulation), and Legislative Decree 2003/196 (as amended by Legislative Decree 2018/101), hereinafter also “Privacy Code”.

Data Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Personal data: Information relating to an identified or identifiable natural person (the data subject).

Special categories of personal data: Data that may reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data intended to uniquely identify a natural person, and data relating to the health, sex life or sexual orientation of the person. As established by Legislative Decree 101/2018 in art. 22(2), they may also be referred to as “sensitive data”.

Biometric data: Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.

Health data: Personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

Data subject: The natural person to whom the personal data refers.

Authorized to process data: A natural person formally authorized to carry out processing operations by the Data Controller or the Data Processor (including designated persons).

Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Third countries: Countries outside the European Economic Area (the EU Member States plus Norway, Iceland and Liechtenstein).

Scope of application

This privacy policy applies to the Organization as a whole, to all bodies and structures at all levels. 

Implementation of this privacy policy is mandatory for all internal personnel and external collaborators who process personal data. 

In agreements with external parties who may process personal data owned by the Organization, the Data Controller evaluates which sections of this policy to include as instructions or commitments undertaken by the third party. 

The Data Controller disseminates awareness of this privacy policy within the organization by maintaining relevant documentation available to recipients and by engaging in training activities for those involved, in various capacities, in personal data processing operations.

Principles

The Data Controller undertakes to ensure that personal data is processed in compliance with the provisions of the law and, in accordance with the principle of accountability, must always be able to demonstrate and justify the choices made regarding personal data security. 

The principles applicable to processing form the backbone of the entire GDPR and are outlined, in particular, in Articles 5 and 25 of the Regulation. Article 5 provides that personal data must be:

  • collected for specific, explicit and legitimate purposes, and subsequently processed in a way that is not incompatible with those purposes (principle of purpose limitation);
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimization);
  • accurate and, where necessary, updated (accuracy);
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (storage limitation);
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality).

Article 25 of the GDPR requires the Data Controller, before initiating any processing, to implement technical and organizational security measures that ensure data protection from the design stage of such activities and by default.

These guidelines apply not only to the processing of personal data for which the organization is the Data Controller, but also to all processing carried out on behalf of third-party controllers for which the Organization is appointed as Data Processor, unless more restrictive instructions are received from the Controllers themselves.

When entrusting parts of the processing to third parties (Data Processors), the Data Controller requires similar protection guarantees and the adoption of adequate security measures. In these cases, the relevant sections of this policy are made available to the Data Processors in the form of binding instructions pursuant to Art. 28 of the GDPR.

Context of the processing

Type of personal data and data subjects

The Organization systematically processes the personal data of employees and collaborators, customer data, and supplier data. The clientele consists primarily of natural persons.

Where necessary, data pursuant to Art. 9 of the GDPR (special categories of personal data) may also be processed to guarantee the rights of data subjects and the Data Controller in matters relating to employment, social security, and social protection law.

The services provided involve the processing of personal data necessary to execute the contract with clients. When organizing weddings and events requested by clients, where necessary, sensitive data of data subjects may also be processed, particularly health data and data on religious or philosophical beliefs.

With the specific consent of the interested parties, it will be possible to collect images and audiovisual recordings depicting them during the ceremony or related events for the Data Controller's promotional purposes.

Personal data archives

The paper archives are located at the Data Controller's headquarters; the computerized production archives are stored in the cloud spaces provided by Microsoft (Data Processor) through the "Microsoft 365" suite that the Organization uses.

The cloud service offers storage redundancy; in any case, the Data Controller maintains a backup archive managed by the system administrator.

For a list of the security measures adopted by the Organization, please refer to the final part of the risk assessments (section 09 of the MOP).

Security of processing

Processing risks

In compliance with the GDPR, the Data Controller has selected the security measures to be adopted after assessing the risks associated with the processing of employees' personal data. The risk assessment is conducted following the framework proposed by ENISA [1] (European Union Agency for Cybersecurity), which also proposes a series of security measures categorized by risk level. These measures are largely linked to the controls proposed in the ISO/IEC 27001:2022 certification framework for information security management systems. The overall risk level was found to be medium.

NB: If anomalies are detected in the use of IT services and systems, the Data Controller may initiate gradual checks. These checks, if the anomalies persist and there are documented needs, may also focus on individual users. These checks will be conducted in compliance with the Workers' Statute and their dignity. Staff are required to use company IT services and tools for work purposes, and not to use such services and tools to process their personal data, in order to protect their privacy and their rights and freedoms.

Lawfulness and correctness

In compliance with the principles of lawfulness and fairness, the data controller processes personal data by adequately informing data subjects through documents drafted pursuant to Articles 13 and 14 of the GDPR and implementing specific internal instructions to ensure that data subjects can exercise the rights provided for in Articles 15–22, 7, and 77 of the GDPR.

The so-called "information notices" and instructions for managing the exercise of data subjects' rights are reviewed at least annually.

Purpose limitation and data minimization

The purposes of the processing are clearly indicated in the information notices and are limited to what is necessary to execute the contracts between the Data Controller and the data subjects. At least annually, the Data Controller verifies that the information documentation for data subjects accurately describes the purposes pursued and that the volume of data processed does not exceed what is necessary.

Data accuracy and storage limitation

Data is collected and stored in a manner that ensures its accuracy until the end of its processing. Depending on the purposes for which it is stored, the Data Controller establishes a retention period (or a criterion for determining that period) and informs data subjects of this in the privacy notices. The retention periods established by the Data Controller are indicated in the Processing Records. Where necessary, the Data Controller also indicates in the same document the reasons for determining the retention period.

Integrity and confidentiality

The Organization is aware that staff data (or that of the data subjects' family members) and customer data may be sensitive and adopts appropriate technical and organizational security measures.

Persons authorized to process data or designated to specific privacy functions are committed to confidentiality and, at least annually, take part in training and awareness-raising sessions covering security risks and how to address them, as well as the internal instructions.

Through specific data processor appointment agreements or other data protection agreements entered into with third parties, the Data Controller aims to ensure similar levels of security for the data to be processed by such third parties.

Implementation of internal rules

The rules for processing personal data under the authority of the Data Controller, WEDDINGITALY Srl, are set out in the MOP (Privacy Organizational Model) documentation, specifically in the following documents:

  • Appointment of persons authorized to process data (section P04)
  • Appointment of data processors (section P08)
  • Internal regulations (section P10).

Compliance and implementation of the rules is the responsibility of the following parties:

  • The Data Controller, who, as such, establishes the methods for disseminating the content of the policies and internal regulations implementing the provisions contained in such documents. The Data Controller is also responsible for:
    - conducting risk analysis using appropriate methodologies and adopting risk management measures;
    - establishing the rules of conduct necessary for the safe conduct of company activities;
    - verifying security breaches, taking the necessary countermeasures, and controlling the company's exposure to major threats and risks;
    - organizing training and promoting staff awareness of all matters relating to quality, safety and information security;
    - periodically checking the effectiveness and efficiency of security measures.
  • All personnel who, in any capacity, collaborate with the company and are in any way involved in the processing of data and information falling within the scope of the Privacy Organizational Model. Personnel are responsible, each within their respective areas of responsibility, for processing in compliance with the instructions received and for reporting any anomalies and violations (even potential ones) of this policy of which they become aware. Failure to comply with the instructions received from the Data Controller regarding the processing of personal data exposes those authorized to process data to disciplinary sanctions and, in the most serious cases, civil and criminal liability.
  • All external parties who maintain relationships and collaborate with the company and who must ensure compliance with the requirements contained in the privacy policy, such as, for example, external collaborators or suppliers who may process data on behalf of or under the authority of the Data Controller.

Monitoring the “privacy” organizational model

Company management reviews the effectiveness and efficiency of the Privacy Organizational Model (MOP) at least once a year to ensure it is updated correctly and to provide adequate support for the introduction of necessary improvements. This ongoing process takes into account regulatory and technological developments, management costs, and the Organization's evolving needs.

The Data Controller plans the review of this policy by involving the relevant company figures and, if necessary, by resorting to external consultants.

Review activities should include the status of preventive and corrective actions and the adherence of procedures to the provisions of this policy.

The outcome of the periodic review process includes all decisions taken and actions taken to improve the Privacy Organizational Model.

Information and training

The Data Controller can achieve the goal of data processing that is compliant with regulations [2] and consistent with the context only by paying particular attention to the training of its staff. To this end, the Privacy Organizational Model is made available to both existing staff and new hires upon their arrival.

Updates to the Privacy Organizational Model are communicated to staff using the methods deemed most effective from time to time. 

In order to create an environment conducive to data protection and adequately train staff who assume specific roles in the management of personal data, the Data Controller:

  • adopts a training plan intended for all company personnel;
  • provides specific training modules based on the role held and upon job changes;
  • adopts an annual training plan for privacy-related training provided to all company employees;
  • retains the distributed documentation and forms certifying participation in training sessions and assessments of acquired knowledge.

The training of the subjects authorized to process data and, where deemed necessary, of other key figures in the Privacy Organizational Model, concerns in particular:

  • the general aspects of personal data protection regulations;
  • the threats, vulnerabilities, probability of occurrence and consequently the risks that threaten the data processed;
  • the consequences arising from a personal data breach (Data Breach);
  • the procedures to be followed in the event of a personal data breach;
  • preventive measures to avoid or at least reduce the probability of violations occurring and measures to mitigate the damage should they occur;
  • the specific aspects of the personal data protection regulations in the sector(s) relevant to the Data Controller;
  • the safe use of IT tools and systems and any regulations defined by the Data Controller.

Training must be documented in compliance with the accountability principle set out in Article 5(2) of the GDPR and the results of this activity must always be available.

The governing bodies

Weddingitaly is a single-member limited liability company. The simplified organizational structure must, however, establish what is necessary to achieve the following obligations/objectives:

  • ensure that all information security objectives are identified and that they are consistent with the operational context;
  • establish the roles and related responsibilities for the implementation and maintenance of the Privacy Organizational Model;
  • provide sufficient resources for the planning, implementation, organization, control, review, management and continuous improvement of the Privacy Organizational Model;
  • ensure that data protection is integrated into all business processes by design;
  • activate programs to spread awareness and information security culture.

The Data Controller acknowledges its responsibility under applicable law and undertakes to protect the personal data entrusted to it from loss, misuse, or unauthorized access.

Organizational chart and appointment system

Data controller

The Data Controller must ensure the precise identification of roles and responsibilities in the privacy area, both internally and externally to the organization, with particular reference to the nominations and designations of the following individuals:

Data processors

Data Processors are natural or legal persons who process personal data on behalf of the Data Controller, who remains liable for any damages resulting from the processing to the data subjects. For this reason, the Data Controller selects Data Processors from among those who meet the necessary requirements and provide adequate guarantees to perform processing in compliance with the regulations. The Data Processor may engage another processor (sub-processor) only by imposing on that processor the same obligations that the Processor has towards the Data Controller. If the sub-processor fails to fulfill its data protection obligations, the Processor remains fully liable to the Data Controller for the sub-processor's fulfillment of the obligations. 

The Data Controller appoints Data Processors with a specific data protection agreement that contains at least all the elements required by Article 28 of the GDPR. The Data Processor retains full liability to the Data Controller for the sub-processor's fulfillment of its obligations. Pursuant to Article 82(2) of the GDPR, “A processor shall be liable for the damage caused by processing only where it has not fulfilled obligations of this Regulation specifically directed to processors or has acted outside or contrary to lawful instructions of the controller.”

Authorized for processing

The Data Controller formally appoints the individuals authorized to process data pursuant to Art. 29 of the GDPR and provides them with instructions for processing in compliance with internal regulations and procedures. 

The authorized individuals process personal data pertaining to their operational area and operate under the authority of the Data Controller, adhering to the instructions provided by the Data Controller, with particular regard to the procedures governing the use of the databases to which they have access. 

Those authorized to process data:

  • report to the Data Controller any requests received from data subjects in relation to the exercise of their rights guaranteed by the GDPR;
  • notify the Data Controller if a processing operation does not comply with the instructions received;
  • report to the Data Controller any unauthorized access or other incident, even if only suspected, involving personal data, databases or IT systems that may compromise the confidentiality, integrity or availability of personal data;
  • attend the training events organized by the Data Controller on data protection matters;
  • undertake to maintain the confidentiality of the personal data they become aware of in the performance of their duties.

Designated for specific functions

The Data Controller, within its organizational structure, designates specific individuals to perform specific functions or tasks regarding the protection of personal data pursuant to Article 2-quaterdecies of the Code.

The system administrator

The professional figure who, in the IT field, maintains, configures and manages a data processing system or its components, including complex software systems (system administrator), a database (database administrator), or networks and telecommunications security equipment (network administrator), is appointed as a person authorised to process data and designated as System Administrator.

The assignment of System Administrator duties occurs after evaluating the experience, ability, and reliability of the designated individual, who provides adequate guarantees of full compliance with the applicable provisions, including those relating to security [3]. 

The appointment of a System Administrator must be individual, explicitly stated in writing, with a detailed description of the permitted scope of operations based on the assigned authorization profile.

The System Administrator may use authorized accounts to access one or more systems with higher privileges than those of the "ordinary" user. For example, the System Administrator has the power to create, modify, and delete users or entities authorized to access the Data Controller's IT services or tools and/or may grant or deny access to specific resources to certain users or entities.

If the administrator is external to the organization, the appointment of that individual as Data Processor will be considered.

General security measures

Responsibility for ensuring the protection of all processed data lies with the relevant roles within the Organization.

Particular attention must be paid to the use of IT services and devices due to their importance and pervasiveness, and the constant evolution of technology that poses new potential risks.

Systems must be protected both physically and logically.

Depending on the complexity of the IT systems in use, the Data Controller may establish specific internal regulations.

IT security decisions are guided, once again, by the principles of the GDPR.

All measures proportionate to the processing context that can guarantee data confidentiality (primarily authentication and authorization measures), integrity, and availability (e.g., adequate backup systems, integrity checks, disaster recovery procedures) must be implemented.

In this specific context, the security measures adopted by the Data Controller are indicated in the final part of the Risk Assessments (section P.09).


Notes

[1] Handbook on Security of Personal Data Processing – ENISA – January 29, 2018.

[2] Art. 29 of the Regulation – “Processing under the authority of the controller or processor”: The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.
Art. 2-quaterdecies of the Privacy Code – “Assignment of functions and tasks to designated persons”: The data controller or data processor may provide, under their own responsibility and within their organizational structure, that specific tasks and functions related to the processing of personal data be assigned to expressly designated natural persons who operate under their authority. 

[3] Provision of the Italian Data Protection Authority (Garante) of 27 November 2008 on the duties of the system administrator.
