Regulation (EU) 2016/679 (the so-called GDPR) recognizes that the data subject has the right to withdraw his or her consent, previously given, at any time. Consent is revoked as easily as it is granted.
Withdrawal of consent does not affect the lawfulness of processing based on consent prior to withdrawal.
Regulation (EU) 2016/679 (so-called GDPR) recognizes in favor of individuals a number of rights related to the processing of their personal data and provides specific means of protection in this regard.
Under certain conditions, and subject to the limitations set forth in Art. 23 of the GDPR, the data subject has the right to:
- request access to the data being processed (Art. 15),
- request rectification of their data (art. 16),
- request the deletion of their data (Art. 17),
- request the restriction of the processing carried out (Art. 18),
- request portability of data processed informatically in
by virtue of the consent given by the person concerned or on the basis of a
contract entered into with the same (Art. 20), - object, on grounds related to his or her particular situation, to the
processing of personal data concerning him or her carried out for
purposes of public or private interest (including profiling),
for purposes of direct marketing, or scientific research or
historical, or even for statistical purposes (Art. 21).
Through this page, it is possible to know what rights may be exercised by the interested parties vis-à-vis CPL CONCORDIA Soc. Coop. and in what ways.
The data subject may submit a petition to the Data Controller, without special formalities, for example, using one of the two forms available here and sending it with:
- simple communication by e-mail to gdpr@cpl.it, or
- via PEC to cplconcordiasoccoop@pec.cpl.it, or
- by registered mail to the address CPL CONCORDIA Soc. Coop. via Achille Grandi 39, 41033 Concordia sulla Secchia (MO)
with only the caution to indicate in the SUBJECT, depending on the needs of the data subject, that it is either “Withdrawal of a GDPR consent” or “Exercise of GDPR rights.”
The application may refer, depending on the needs of the person concerned, to one or more specific processing operations, or, in the case of exercising rights to specific personal data, to categories of data or to a particular processing operation, or to all personal data concerning him or her, however processed.
The Controller informs that requests cannot be acted upon if conditions exist that prevent the correct or unique identification of the data subject.
Identity is considered certain or, in any case, proven if the interested party has shown a copy of his or her valid identity document or if he or she has indicated sufficient information in the request so that it can reasonably be assumed that it is exclusively available to the interested party (e.g., e-mail from an e-mail address that coincides with the one indicated by the interested party elsewhere in dealings with the Company).
If the Data Controller has reasonable doubts about the identity of the individual submitting the request for revocation of consent, the Data Controller may request additional information necessary to confirm the identity of the data subject (including a copy of a valid identity document, which will be deleted immediately after the identity of the data subject has been ascertained).
The Data Controller must provide the data subject with appropriate feedback, informing him or her of the action taken regarding the request received and whether or not he or she has acted on the request, specifying, if not, the reasons for not granting the request:
- without undue delay and, in any case, no later than 1
month after receiving the request; - in any case, within 2 months at most of receipt
of the application, taking into account the complexity and number of the
requests received.
In any case, within 1 month of receipt of the request, the Data Controller shall inform the data subject of any extension of the deadline (to 2 months) and the reasons for the delay.
The response to the data subject shall be provided through the same tool and channel used by the data subject, (e.g., e-mail), unless otherwise specified by the data subject as expressed in the application or otherwise inferable.
The Data Controller informs that requests cannot be acted upon if conditions exist that prevent the data subject from being correctly or uniquely identified.
Identity is considered certain or, in any case, proven if the interested party has shown a copy of his or her valid identity document or if he or she has indicated sufficient information in the request so that it can reasonably be assumed that it is exclusively available to the interested party (e.g., e-mail from an e-mail address that coincides with the one indicated by the interested party elsewhere in dealings with the Company).
If the Data Controller has reasonable doubts about the identity of the individual submitting the request to exercise his or her rights, the Data Controller may request additional information necessary to confirm the identity of the data subject (including a copy of a valid identity document, which will be deleted immediately after the identity of the data subject has been ascertained).
The data subject will be informed, in accordance with Art. 12 (4) of Regulation (EU) 2016/679, at the latest within one month of receipt of this request, of the conclusion of the process of evaluation/execution of the rights exercised, of any reasons preventing the holder from providing the information or carrying out the requested operations, and of the existence of any conditions preventing the holder from identifying as a data subject, pursuant to Art. 11(2) of Regulation (EU) 2016/679.