PRIVACY NOTICE REGARDING THE PROCESSING OF PERSONAL DATA ON THIS WEBSITE

In accordance with Regulation (EU) 2016/679 (hereinafter the “Regulation”), this document describes how the personal data of users visiting the ‘bifest.it’ website is processed.

This information does not apply to other websites, pages or online services accessible via hyperlinks that may be published on the site but which refer to resources outside the site’s domain.


Data Controller

The data controller is the Fondazione Apulia Film Commission, with registered office at Lungomare Starita, 1 – 70132 BARI.


Data Protection Officer

The Data Protection Officer (DPO) can be contacted at the email address gdpr@hsh.it.


Types of data processed, purposes of processing and legal basis

With reference solely to the personal data necessary for the use of the website and its related functions, the types of data subject to processing consist in particular of:

  1. browsing data: the IT systems and software procedures used to operate the website acquire, during their normal operation, certain personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified data subjects, but by its very nature could, through processing and association with data held by third parties, allow users to be identified. This data is used solely for the purpose of deriving anonymous statistical information on the use of the website and to check its correct functioning, and is not, nor will it under any circumstances be used by the Data Controller to carry out profiling activities.

Such data is collected on the basis of the user’s consent, expressed through continued browsing of the website (implied consent).

  1. data provided voluntarily by the user, in particular:
  • email address for subscription to the newsletter service;
  • name, email address, telephone number, publication and sector, for requests for press accreditation for organised events;
  • email address and any other personal data provided by completing contact forms and information requests, in order to respond to the user’s enquiries.

This data is collected on the basis of the data subject’s explicit consent, which is given by completing the relevant request form.

  1. Cookies: please refer to the policy available here.


Methods of processing

Processing will be carried out primarily using IT tools, by authorised staff and employees, who act in accordance with the instructions provided by the Data Controller, using methods strictly related to the stated purposes and, in any case, in such a way as to ensure the security and confidentiality of the data processed.


Data retention period

The data being processed will be retained for a period not exceeding that necessary to achieve the purposes for which they were collected or subsequently processed and, in particular:

  • data provided by sending emails or completing the contact forms on the website will be retained for the time necessary to provide a response;
  • data provided for the purpose of participating in initiatives will be processed until the conclusion of those initiatives.

The Data Controller shall, upon expiry of the retention periods in accordance with the criteria indicated, take measures to delete or anonymise data that does not need to be retained due to specific regulatory obligations.

Categories of recipients

The data subject’s personal data may be disclosed to the providers of services offered via the Website (newsletters, event organisers and similar).

Apart from the cases mentioned above, personal data will not be disclosed, disseminated, transferred or otherwise passed on to third parties for unlawful purposes or purposes unrelated to the purposes of collection and, in any event, without providing appropriate information to the data subjects and obtaining their consent, where required by law. This is without prejudice to any disclosure of data at the request of the Judicial Authorities or Public Security Authorities, in the manner and in the cases provided for by law.

Personal data will not be transferred abroad to countries or international organisations outside the European Union that do not guarantee an adequate level of protection, recognised pursuant to Article 45 of the GDPR, on the basis of an adequacy decision by the European Commission. Should it become necessary for the provision of the Website’s services, the transfer of personal data to non-EU countries or international organisations, for which the Commission has not adopted an adequacy decision pursuant to Article 45 of the GDPR, shall take place only where adequate safeguards are provided by the recipient country or organisation, in accordance with Article 46 of the GDPR, and provided that data subjects have enforceable rights and effective remedies.

In the absence of an adequacy decision by the Commission, pursuant to Article 45 of the GDPR, or of appropriate safeguards, pursuant to Article 46 of the GDPR, including binding corporate rules, cross-border transfer shall take place only if one of the conditions set out in Article 49 of the GDPR is met.

In particular, it should be noted that, according to recent interpretations provided by certain European supervisory authorities, the use of Google Analytics may involve the transfer of the user’s personal data to the United States, whose legal regime does not guarantee a level of protection equivalent to that in force within the European Union in accordance with the GDPR. By accepting the placement of Google Analytics cookies, therefore, the user is aware of the possible risks of such a transfer – which is in any case neither requested nor authorised by the Data Controller – due to the absence of an adequacy decision pursuant to Article 45(3) of the GDPR, or of appropriate safeguards pursuant to Article 46 of the GDPR.

Rights of the data subject

The data subject has the right to access their personal data, to request its rectification, updating and erasure or restriction, if incomplete, incorrect or collected in breach of the law, as well as to object to processing on legitimate grounds or to obtain data portability.

In particular, pursuant to Articles 15–22 of Regulation (EU) No 679/2016, the data subject has the right to obtain confirmation as to whether or not personal data concerning them exist, even if not yet recorded, and to have such data communicated to them in an intelligible form.

The data subject also has the right to obtain information regarding:

  1. a) the purposes and methods of processing;
  2. b) the logic applied in the case of processing carried out with the aid of electronic tools;
  3. c) the identification details of the Data Controller, the Data Processor and the persons or categories of persons to whom the personal data may be discloses or who may become aware of it in their capacity as authorised processors.

The data subject has the right to obtain:

  1. a) the updating, rectification or completion of their data;
  2. b) the erasure, anonymisation or blocking of data processed in breach of the law, including data which need not be retained in relation to the purposes of the processing;
  3. c) the restriction of processing, where one of the circumstances referred to in Arcticle 18 of the GDPR applies;
  4. d) confirmation that the operations referred to in points (a), (b) and (c) have been brought to the attention of those to whom the data have been disclosed or disseminated, except where this proves impossible or involves a manifestly disproportionate effort compared to the right being protected;
  5. e) the transmission of data concerning him or her, provided to the Controller and processed on the basis of the data subject’s consent for one or more specific purposes, in a structured, commonly used and machine-readable format. Pursuant to Article 20 of the GDPR, the data subject also has the right to transmit such data to another data controller without hindrance and, where technically feasible, to obtain the direct transmission of personal data from one data controller to another.
  6. f) where processing is based on consent, to withdraw consent at any time (pursuant to Arcticle 7(3) of the GDPR)

The data subject has the right to object, in whole or in part:

  1. a) on leitimate grounds, to the processing of personal data concerning him or her, even if relevant to the purpose of collection;
  2. b) to automated decision-making processes that significantly affect him or her.

Without prejudice to any other administrative or judicial remedy, the data subject has the right to lodge a complaint and/or report with a supervisory authority, in particular in the Member State where they habitually reside, work or where the alleged infringement occurred.


Exercise of rights

The above rights may be exercised by submitting a request to the Data Controller, either directly or through an authorised representative, either verbally or by sending an email to email@apuliafilmcommission.it. The request may be made freely and without formalities by the data subject, who is entitled to receive an appropriate response within a reasonable timeframe, depending on the circumstances of the case.

The data subject may, for the exercise of their rights, make use of non-profit bodies, organisations or associations whose statutory objectives are in the public interest and which are active in the field of protecting the rights and freedoms of data subjects with regard to the protection of personal data, conferring, for this purpose, an appropriate mandate. The data subject may also be assisted by a trusted person.

Further information on the purposes and methods of processing personal data can be obtained by writing to the email address email@apuliafilmcommission.it