My Cart

Close

Happy Stationery
Find out more

Craftsmanship

Find out more

Made Just For You
Find out more

Full Privacy Policy

Explore

Home Orange Mood OranJoux Fresh off the press Made on Purpose Resale Gift Card Near

Full information on the processing of personal data of www.orangioia.it

European Regulation 679/2016 (hereinafter also “Regulation” and/or “GDPR”) governs the protection of natural persons with regard to the processing of personal data in compliance with the principles of correctness, lawfulness, as well as for the protection of human dignity, legitimate interests and fundamental rights of the interested parties, in particular with regard to the transparency of the processing.

This explanatory document must be considered an integral part of the simplified information communicated to the user on the website www.orangioia.it.

This document reports in a detailed and more thorough manner the mandatory information required by art. 13 (“Information to be provided when personal data is collected from the Data Subject”).

At the bottom of the information, the following articles of the GDPR are reported in full:

  1. art. 4, “Definitions”;
  2. art. 7 “Conditions for consent”;
  3. art. 12 “Information, communications and transparent methods for exercising the rights of the interested party”;
  4. art. 15 “Right of access by the interested party”;
  5. art. 16 “Right of rectification”;
  6. art. 17 “Right to erasure; so-called right to be forgotten”;
  7. art. 18 “Right to limit processing”;
  8. art. 20 “Right to data portability”;
  9. art. 21 “Right to object”;
  10. art. 22 “Automated decision-making concerning natural persons, including profiling”
  11. art. 77 “Right to lodge a complaint with the supervisory authority”;
  12. art. 78 “Right to an effective judicial remedy against a supervisory authority”;
  13. art. 79 “Right to an effective judicial remedy against a controller or processor”;
  14. art. 82 “Right to compensation and liability”

1. Data controller

1.1 The Data Controller is Gioia Miccio, owner of the company Orangioia di Gioia Miccio (hereinafter also referred to as “Data Controller” and/or “Orangioia”), , Tax Code _________________/VAT Number and Registration in the Rome Companies Register: _______________.

1.2 The Data Controller can be contacted at:

  1. the registered office in via Siciolante n. 5, 04100 Latina;
  2. at number _____________;
  3. to the ordinary email address info@orangioia.it;
  4. to the pec address orangioia@legalmail.it.

1.3 Currently, the Data Controller is not obliged to appoint a Data Protection Officer.

1.4 . For the exercise of rights, Orangioia has predetermined the appropriate procedures that will be communicated to the Interested Party following each legitimate request of the same to one of the contacts listed above.

2. Purpose and obligation of the processing

2.1 Personal data are processed for the purposes of:

  1. website and e-commerce account registration;
  2. forwarding communications of various kinds and with different means of communication (telephone, mobile phone, text message, email, fax, paper mail) for the purposes of processing requests received;
  3. newsletter;
  4. exchange of information aimed at the execution of the contractual relationship, including pre- and post-contractual and invoicing activities;
  5. fiscal, tax and accounting obligations.

3. Details of data and/or categories of personal data processed, legal basis of processing and retention period.

3.1. The following table contains a list of the data processed by the Data Controller on the basis of the information provided directly by the Data Subject, as well as the legal basis (i.e. the legal justification for the processing) and the retention period.

3.2. The processing pursuant to Article 6, paragraph 1, letter f) of the Regulation, relating to the legitimate interests pursued by the Data Controller, is based on the need for Orangioia to process said personal data in order to pursue the corporate purpose of the company, as well as to defend its rights in court in the event of disputes.

4. Automated decision-making processes, including profiling

4.1 The processing of personal and particular data of the interested parties, by Orangioia, does not foresee the existence of automated decision-making processes (i.e. choices determined in the absence of human intervention), including profiling (i.e. the identification of a natural person's habits), which may entail legal effects concerning the data subjects or which significantly affect them.

5. Communication of personal data and recipients

5.1 Personal data, including those of special categories, will be communicated, strictly in relation to the purposes indicated above, also to the following subjects or categories of subjects:

  • the partners to whom the company has entrusted the technical and IT management of the website www.orangioia.it;
  • internal offices of Orangioia, duly authorised to process;
  • the consultants used by Orangioia for the running of the business (lawyers, accountants, etc.);
  • the subjects authorised to access it by virtue of provisions of law, regulations, community legislation.

5.2 The above-mentioned subjects have been appointed, depending on the case, as “authorised data processing personnel” or “data controller”.

5.3 Orangioia does not transfer personal data to non-EU countries, however the use of certain payment systems may involve such transfer. The user is therefore invited to view the relevant privacy policies.

5.4 The data will not be disclosed

5.5 In the event of transfer of data to third countries, Orangioia will duly communicate this by providing the appropriate information pursuant to art. 13, 1st paragraph, letter “f)” and, where necessary, requesting the necessary consent.

THE RIGHTS OF THE INTERESTED PARTY

6. Right to withdraw consent

6.1 In cases where the processing is based on consent, the interested party, if the legal requirements exist, has the right to revoke it at any time without prejudice to the lawfulness of the processing based on the consent given before the revocation.

7. Right of access

7.1 The interested party may ask the Data Controller:

  1. confirmation as to whether or not personal data concerning him or her is being processed;
  2. access to your personal data listed in articles 12 and 15 below.

7.2 This right is free of charge except for the exceptions provided for in the Regulation.

7.3 The use of the right of access may not harm the rights and freedoms of others.

8. Right of rectification or integration

8.1 The interested party has the right to obtain from the Data Controller the rectification of inaccurate personal data and, taking into account the purposes of the processing, has the right to obtain the integration of incomplete personal data.

8.2 The rights of access or rectification are governed by articles 12, 15 and 19 reported below.

9. Right to erasure

9.1 The interested party has the right to obtain from the data controller the deletion of personal data if one of the specific reasons provided for in art. 16 reported below exists.

9.2 The interested party may request the cancellation of his/her personal data according to the methods set out in articles 12, 16 and 19 reported below.

10. Right to restriction of processing

10.1 The interested party has the right that his/her personal data are not further processed, but not deleted if one of the specific reasons provided for in art. 17 reported below exists.

10.2 Excluding storage, any other processing of the data for which limitation is requested is prohibited, except in cases of: consent of the interested party, ascertainment of rights in court, protection of the rights of another natural or legal person, significant public interest.

10.3 The interested party may request the cancellation of his/her personal data according to the methods set out in articles 12, 17 and 19 reported below.

11. Right to object

11.1 The interested party has the right to object at any time, for reasons relating to his particular situation, to the processing of personal data concerning him, including profiling.

11.2 The interested party may exercise the right to object on the basis of the conditions and in the manner set out in art. 21 below.

12. Right to portability

12.1 The interested party has the right to receive personal data, in a structured, commonly used and machine-readable format.

12.2 The Data Subject has the right to store personal data on a device at his/her disposal for personal purposes, without transferring them to a different owner.

12.3 The Data Subject shall have the right to transmit his or her personal data from one controller to another without hindrance.

12.4 The right to portability may be exercised within the terms and limits established in art. 20 reported below.

13. Right to lodge a complaint

13.1 In order to assert his/her rights, the interested party may contact, in the manner and within the terms set out in articles 77, 78, 79 and 82 reported below, the Judicial Authority or the Data Protection Authority whose contact details are given below:

  • Piazza Venezia n. 11 - 00187 Rome;
  • Fax: (+39) 06.69677.3785 - Switchboard: (+39) 06.696771;
  • E-mail: garante@gpdp.it;
  • Certified mail: protocollo@pec.gpdp.it.

ARTICLES OF THE EUROPEAN GENERAL REGULATION ON THE PROCESSING OF PERSONAL DATA OF NATURAL PERSONS REFERRED TO IN THE INFORMATION NOTICE

Article 4 Definitions

For the purposes of this Regulation, the following definitions shall apply:

  1. «personal data» : any information relating to an identified or identifiable natural person («Data Subject»); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  2. «processing» : any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  3. «restriction of processing» : the marking of stored personal data with the aim of limiting their processing in the future;
  4. «profiling» means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
  5. «pseudonymisation» means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
  6. "filing system" means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
  7. «controller» means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  8. “processor” : a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  9. «recipient» means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
  10. «third party» : a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
  11. «consent of the interested party» : any manifestation of free, specific, informed and unequivocal will of the interested party, with which he or she signifies his or her agreement, through a declaration or by a clear affirmative action, that the personal data relating to him or her be processed;
  12. «personal data breach» means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
  13. «genetic data» : personal data relating to the inherited or acquired genetic characteristics of a natural person which provide unique information about the physiology or health of that natural person, and which result in particular from the analysis of a biological sample from the natural person in question;
  14. «biometric data» : personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person which allow or confirm the unique identification of that natural person, such as facial image or dactyloscopic data;
  15. “health data” : personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
  16. «main establishment» :  (a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and that latter establishment has the power to have such decisions implemented, in which case the establishment which has taken such decisions shall be considered to be the main establishment; (b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that that processor is subject to specific obligations under this Regulation;
  17. ‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;
  18. "enterprise" means a natural or legal person, regardless of its legal form, carrying out an economic activity, including partnerships or associations regularly carrying out an economic activity;
  19. «business group» : a group consisting of a controlling undertaking and the undertakings controlled by it;
  20. 'binding corporate rules' means personal data protection policies which are followed by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings or a group of enterprises engaged in a joint economic activity;
  21. 'supervisory authority' means an independent public authority established by a Member State pursuant to Article 51;
  22. 'supervisory authority concerned' means a supervisory authority which is concerned by the processing of personal data because: (a) the controller or processor is established on the territory of the Member State of that supervisory authority; (b) data subjects residing in the Member State of the supervisory authority are or are likely to be substantially affected by the processing; or (c) a complaint has been lodged with that supervisory authority;
  23. ‘cross-border processing’ means: (a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or (b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State;
  24. ‘relevant and reasoned objection’ means an objection to the draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;
  25. ‘information society service’ means a service as defined in Article 1(1)(b) of Directive (EU) 2015/1535 of the European Parliament and of the Council (19);
  26. "international organisation" means an organisation and its subordinate bodies governed by public international law or any other body established by or under an agreement between two or more States.

Art. 7 Conditions for consent

1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has given consent to the processing of his or her personal data.

2. Where the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

3. The interested party has the right to withdraw his/her consent at any time. The withdrawal of consent does not affect the lawfulness of the processing based on consent before its withdrawal.

Before giving consent, the data subject is informed of this. Consent is revoked as easily as it is given.

4. In assessing whether consent has been freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Article 12 Information, communications and transparent methods for exercising the rights of the interested party

1. The controller shall take appropriate measures to provide the data subject with all the information referred to in Articles 13 and 14 and the communications referred to in Articles 15 to 22 and Article 34 relating to processing in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular where any information is addressed specifically to a child. The information shall be provided in writing or by other means, including, where appropriate, by electronic means. Where requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

2. The controller shall facilitate the exercise of the rights of the Data Subject under Articles 15 to 22. In the cases referred to in Article 11, paragraph 2, the controller shall not refuse to act on the request of the Data Subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the Data Subject.

3. The controller shall provide the data subject with information on action taken on a request under Articles 15 to 22 without undue delay and in any event within one month of receipt of the request. That period may be extended by two more months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

4. If the controller does not comply with the request of the interested party, the data controller shall inform the interested party without delay, and at the latest within one month of receiving the request, of the reasons for non-compliance and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

5. The information provided pursuant to Articles 13 and 14 and any communications and actions taken pursuant to Articles 15 to 22 and Article 34 shall be free of charge. Where requests from the Data Subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Data Controller may:

  1. charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
  2. refuse to comply with the request.

The burden of demonstrating the manifestly unfounded or excessive nature of the request lies with the data controller.

6. Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

7. The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardized icons to give, in an easily visible, intelligible and clearly legible manner, an overall picture of the intended processing. Where presented electronically, the icons shall be machine-readable.

8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 in order to establish the information to be presented in the form of icons and the procedures for providing standardised icons.

Article 15 Right of access by the interested party

1. The interested party has the right to obtain from the data controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, to obtain access to the personal data and the following information:

a) the purposes of the processing;

b) the categories of personal data concerned;

c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

e) the existence of the right of the interested party to request from the data controller the rectification or erasure of personal data or the restriction of the processing of personal data concerning him or her or to object to their processing;

f) the right to lodge a complaint with a supervisory authority;

g) where the data are not collected from the data subject, all available information as to their source;

h) the existence of an automated decision-making process, including profiling, referred to in Article 22, paragraphs 1 and 4, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject.

2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the existence of appropriate safeguards pursuant to Article 46 relating to the transfer.

3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

Article 16 Right of rectification

The interested party has the right to obtain from the data controller the rectification of inaccurate personal data concerning him or her without undue delay. Taking into account the purposes of the processing, the interested party has the right to obtain the integration of incomplete personal data, including by providing a supplementary statement.

Article 17 Right to erasure ("right to be forgotten")

1. The interested party shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) the Data Subject withdraws consent on which the processing is based according to Article 6, paragraph 1, letter a), or Article 9, paragraph 2, letter a), and where there is no other legal ground for the processing;

c) the Data Subject objects to the processing pursuant to Article 21, paragraph 1, and there are no overriding legitimate grounds for the processing, or the Data Subject objects to the processing pursuant to Article 21, paragraph 2;

d) the personal data have been unlawfully processed;

e) the personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8, paragraph 1.

2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase them, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

a) for the exercise of the right to freedom of expression and information;

b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(c) for reasons of public interest in the area of ​​public health in accordance with Article 9(2)(h) and (i) and Article 9(3);

(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

e) for the establishment, exercise or defence of legal claims.

Article 18 Right to restriction of processing

1. The interested party has the right to obtain from the data controller the limitation of processing when one of the following hypotheses occurs:

a) the accuracy of the personal data is contested by the interested party, for a period enabling the controller to verify the accuracy of the personal data;

b) the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests instead that their use be limited;

c) although the data controller no longer needs them for the purposes of the processing, the personal data are necessary for the interested party to ascertain, exercise or defend a right in court;

d) the interested party has objected to the processing pursuant to Article 21, paragraph 1, pending the verification whether the legitimate grounds of the controller override those of the interested party.

2. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

3. The data subject who has obtained the restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.

Article 19 Notification obligation in case of rectification or erasure of personal data or restriction of processing

The controller shall communicate to each recipient to whom the personal data have been disclosed any rectification or erasure or restriction of processing carried out pursuant to Article 16, Article 17(1) and Article 18, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject of those recipients if the data subject requests it.

Article 20 Right to data portability

1. The Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and shall have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

(a) the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) or on a contract pursuant to Article 6(1)(b); and

b) the processing is carried out by automated means.

2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

Article 21 Right to object

1. The Data Subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on Article 6, paragraph 1, letters e) or f), including profiling based on those provisions. The Data Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.

2. Where personal data are processed for direct marketing purposes, the Data Subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

3. If the interested party objects to the processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

4. The right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the Data Subject and shall be presented clearly and separately from any other information at the latest at the time of the first communication with the Data Subject.

5. In the context of the use of information society services, and without prejudice to Directive 2002/58/EC, the Data Subject may exercise his or her right to object by automated means using technical specifications.

6. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89, paragraph 1, the Data Subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Article 22 Automated individual decision-making, including profiling

1. The Data Subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

2. Paragraph 1 shall not apply where the decision:

a) is necessary for the conclusion or performance of a contract between the Data Subject and a data controller;

(b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests;

c) is based on the explicit consent of the interested party.

3. In the cases referred to in paragraph 2 , letters a) and c), the controller shall implement suitable measures to safeguard the data subject's rights, freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless Article 9(2)(a) or (g) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.

Article 77 Right to lodge a complaint with a supervisory authority

1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

2. The supervisory authority to which the complaint has been lodged shall inform the complainant of the progress and outcome of the complaint, including the possibility of a judicial remedy pursuant to Article 78.

Article 78 Right to an effective judicial remedy against a supervisory authority

1. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

2. Without prejudice to any other administrative or non-judicial remedy, each Data Subject shall have the right to an effective judicial remedy where the supervisory authority which is competent pursuant to Articles 55 and 56 does not handle a complaint or does not inform the Data Subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77.

3. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.

4. Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or decision of the Board in the consistency mechanism, the supervisory authority shall transmit that opinion or decision to the judicial authority.

Article 79 Right to an effective judicial remedy against a controller or a processor

1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each Data Subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing.

2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject habitually resides, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.

Article 82 Right to compensation and liability

1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

2. A controller involved in processing shall be liable for the damage caused by its processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or has acted outside or contrary to lawful instructions of the controller.

3. The controller or processor shall be exempted from liability under paragraph 2 if he proves that he is not in any way responsible for the damage.

4. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, pursuant to paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be jointly and severally liable for the entire damage in order to ensure effective compensation of the data subject.

5. Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions laid down in paragraph 2.

6. Legal proceedings for the exercise of the right to obtain compensation for damage shall be brought before the competent courts under the law of the Member State referred to in Article 79(2).

----------------------------- end quote ----------------------------------