GDPR

This document provides an overview of the GDPR, illustrating its regulatory context, scope of application, fundamental principles, data subject rights, and obligations related to the processing of personal data.

Ⅰ. Regulatory context and purpose

Since May 25, 2018, Regulation (EU) 2016/679 – GDPR is directly applicable in all Member States of the European Union.

In Italy, the regulation is implemented through the Personal Data Protection Code, under the supervision of the Italian Data Protection Authority (Garante per la protezione dei dati personali).

The main objectives of the GDPR include:

  • strengthening data subjects' control over their personal data;

  • ensuring transparency and security in data processing;

  • defining clear responsibilities and compliance obligations.

Ⅱ. Scope of application

The GDPR applies, among other things:

  • to entities established in the European Union, regardless of where data processing takes place;

  • to non-EU entities offering goods or services to users located in Italy or other Member States, or monitoring their online behavior, for example through Cookies or tracking technologies.

Processing carried out for exclusively personal or domestic purposes remains excluded.

Ⅲ. Fundamental principles of processing

All personal data processing must comply with the principles established by the GDPR, including:

  • lawfulness, fairness and transparency, based on a valid legal basis;

  • purpose limitation, with data used only for specific and legitimate purposes;

  • data minimization, limiting collection to what is necessary;

  • accuracy, with data updated when appropriate;

  • storage limitation, avoiding periods longer than necessary;

  • integrity and confidentiality, through appropriate technical and organizational measures.

Ⅳ. Rights of data subjects

Under the GDPR, data subjects can exercise, within the limits provided by law, the following rights:

  • right to information and access, to know the data processed and obtain a copy;

  • right to rectification, in case of inaccurate or incomplete data;

  • right to erasure (right to be forgotten), when the conditions are met;

  • right to restriction of processing, in specific situations;

  • right to data portability, in a structured and readable format;

  • right to object, in particular to processing based on legitimate interests.

For individuals under the age of 18, data processing requires the express consent of the holder of parental responsibility, where applicable.

Ⅴ. Obligations of data processors

Those who process personal data must comply with a series of obligations, including:

  • operate according to the documented instructions of the data controller;

  • adopt adequate security measures, such as encryption, access controls, and system protection;

  • respond to data subjects' requests within the prescribed deadlines;

  • notify personal data breaches to competent authorities and, if necessary, to data subjects;

  • maintain records of processing activities;

  • carry out, when required, a Data Protection Impact Assessment (DPIA);

  • designate and communicate a Data Protection Officer (DPO), where required.

Ⅵ. Data transfers to third countries

The transfer of personal data outside the European Economic Area (EEA) is permitted only in the presence of adequate safeguards, such as:

  • an adequacy decision adopted by the European Commission; or

  • the adoption of Standard Contractual Clauses (SCCs), possibly accompanied by supplementary security measures, such as encryption.

Ⅶ. Supervisory authority and sanctions

In Italy, the Garante per la protezione dei dati personali (Italian Data Protection Authority) is responsible for:

  • carrying out monitoring and inspection activities;

  • limiting or suspending non-compliant processing;

  • applying administrative fines that can amount to up to 20 million euros or 4% of the annual global turnover, if higher.

The GDPR also allows for instructions to be given regarding data processing after death; in the absence of instructions, these rights can be exercised by heirs according to applicable law.

Ⅷ. Relevance of the GDPR

The application of the GDPR contributes to:

  • improving user protection and transparency;

  • strengthening compliant data management in digital services;

  • promoting a more reliable digital ecosystem, in line with Google and Google Merchant Center policies.

Ⅸ. Contacts

For the exercise of the rights provided by the GDPR or for requests relating to the processing of personal data, you can contact the Data Protection Officer (DPO):

Store name: Arredamenti Giava

Phone: +39 0541 944805

E-mail: info@arredamentigiava.shop

Address: Via Enzo Ferrari 76/78, 47039 Savignano sul Rubicone, Italy

Hours: Monday to Friday, 9:00–12:30 / 14:00–18:00 (CET)

Requests are handled according to the circumstances and applicable regulations.