Pursuant to the EU Reg. 679/2016, we hereby provide you with the necessary information regarding the purposes and methods of processing personal data of those who consult the pages of the EMERSON S.r.l. as data controller.

This privacy and cookie statement has been drawn up solely for the www.progea.com website and not for any other website that can be consulted by means of links published on this website; the data controller cannot be held responsible in any way whatsoever for links to third party websites.

We inform Users that the website is hosted on the Progea S.r.l. web servers located within the territory of the European Union.

Contents

1. DATA CONTROLLER IDENTITY AND CONTACT

The data controller of your personal data is:

Progea S.r.l.

Via D’Annunzio 295, 41123 Modena

C.F. 01997840366

PEC: [email protected], email [email protected]

The Data Controller has not designated the D.P.O. (art. 37 EU Reg. 679/2016 and WP Guidelines art. 29 of 13.12.2016), as deemed unnecessary within the structure given that the data processing characteristics do not fall within the cases referred to in the aforementioned art. 37.

2. THE PURPOSES AND LAWFULNESS OF PROCESSING

The purposes and relative lawfulness of data processing depend on the activity performed by the website visitor.

The website can automatically collect data solely as the result of navigation behavior, while other types of processing may be done as a result of specific activities performed by the user. In this latter case, specific information is available for each form provided on the website in relation to processing personal data in connection with the specific purpose they are intended for.

In reference to the aforementioned, the data processing types and relative purposes are cited below in this here policy.

2.1. Metadata

With regard to technical aspects and protocols only, we wish to inform you that:

• • • • Computer systems and software procedures used to operate this website may acquire, during their normal operation, some personal data of whose transmission is implicit in the use of internet communication protocols.

      • This information is not collected with the intent to be associated to the data subject, but, by their very nature, the identity of the data subject might be disclosed through the processing and association of data in the possession of third parties.

      • This data category includes the use of IP addresses or names of computer domains used by users connecting to the website, the Uniform Resource Identifiers (URI) of the requested resources, the time request was made, the method used to submit request to the server, the size of the file obtained in reply, the numerical code indicating the status of the reply provided by the server (successful, error or other) and other parameters regarding the operating system and the user’s computer environment.

      • These data may be used to ascertain any liability in the event of hypothetical computer crimes against the website.

2.2. Automatically collected navigation data and cookies

Cookies are very small text files sent from the websites visited by users to their devices (usually to the browser), where they are stored so that the device can be recognized on subsequent visits. The cookies are re-sent from the user’s device to the website on each subsequent visit.

Each cookie generally contains: the name of the server from which the cookie was sent, the expiry date and a value, which is usually a number generated at random by the computer. The server of the website that transfers the cookie uses this number to identify the User with when they revisit a site or navigate from one page to another.

Cookies can be installed not only by the same operator of the site visited by the user, (henceforth referred to as first-party cookies) but also by a different site that installs cookies (henceforth referred to as third-party cookies) through using the first-party website and is able to identify them. This happens when the site visited has elements, (such as images, maps, sounds, links to web pages of other domains, etc.) that reside on different servers in addition to that of the site being visited. In general, cookies are classified in different types according to:

A. Duration:

• Session cookies (temporary) automatically deleted when user closes the browser;

• Persistent cookies active up to the expiry date or up to the cancellation by the user beforehand.

B. Source:

• First-party cookies sent to web browsers directly from the website being visited;

• Third-party cookies sent to web browsers from other websites and not from the website being visited.

C. Purposes

• Technical cookies

• Navigation / strictly necessary / performance / process / security cookies contribute to the functioning of the website, for example, the possibility to navigate between different pages or access protected areas. If they are blocked, the website will not be able to function correctly;

• Functionality / preference / localization of session status cookies permit to store information that modify the behavior or appearance of the website (preferred language, text and character size, geographical area in which user is located). If they are blocked, the user experience is less functional but not compromised;

• Statistics / analytics cookies of a) first-party or b) third party with IP mask, without cross-reference data like technical cookies do for specific purposes, are used to collect information and generate statistics on website usage to ascertain how visitors interact with sites.

• Non-tecnical cookies

• Third-party statistics / analytics cookies without IP mask and without cross-reference data, are used to collect information to generate statistics on website use, with the possible user identification and tracking, in order to ascertain how visitors interact when using website;

• Profiling / publicity / advertising / tracking / conversion cookies for selecting advertisement based on what is relevant to the user (personalized ads). The profiling cookies are used to create user profiles and they are used to send advertising messages according to their preferences expressed in the same field over time when browsing the internet.

2.2.1. First Party Technical Cookies

Technical cookies are those cookies that are indispensable to allow the identification of the user to be carried out and maintained during the session when performing some operations that would otherwise not be possible or too complex and/or less secure to perform, for example to continue browsing reserved areas once logged in. The processing performed as a result of these cookies do not require user consent and the relative information is provided here in this policy in accordance with the current legislation.

First Party Technical Cookies used by the website are:

2.2.2. Analytical cookies similar to technical cookies

Analytical cookies can be similar to technical cookies when used to optimize the website directly by website owner. They can be used as aggregated web analysis tools to gather information on how many users visit and how they use the website (ref. provision of the Guarantor for the protection of personal data of 8 May 2014). We inform you that tools have been adopted to reduce the identification power of cookies (by masking significant portions of the IP address) and the third party does not cross-reference collected information with those it already has. These cookies do not require user consent, however, in compliance with the information and transparency obligations, the analytical cookies which are similar to the technical cookies used, the names of third parties that handle them, and the link to the page in which the user can obtain information on data processing and express their consent are listed below.

Furthermore and in order to constantly improve its website, Emerson uses Smartlook which is a service that allows them to obtain a deep understanding of user interaction experiences with the website during user navigation sessions:

2.2.3. Widgets and Social network buttons

The Social Buttons are those on the website that represent the icons of social networks, such as Facebook, Twitter and others, and allow Users who are navigating to interact with the social platforms directly with a click.

Facebook Button (Facebook Inc.)
This button functions as an interaction service with the Facebook social network provided by Facebook Inc.
Data Processing Location: USA

Privacy Policy: https://www.facebook.com/privacy/explanation

• Google Maps Widget (Google Inc.) The Google Maps Widget provides customizable interactive maps that come included within the website pages that use this service. The site incorporates the Google Maps Widget to permit Users to display the location of the EMERSON Headquarters, Via Gabriele D’Annunzio n. 295 in Modena, on the map. This service might involve the installation of cookies including profiling cookies, by Google as third party. No information is shared by the www.progea.com website in which the Widget is incorporated.

Data Processing Location: USA

Privacy Policy: https://www.google.it/intl/it/policies/privacy/

2.2.5. Cookie management and consent

EMERSON S.R.L. complies to the obligations and provisions established by the Italian Data Protection Authority, “Individuazione delle modalità semplificate per l’informativa e l’acquisizione del consenso per l’uso dei cookie – 8 maggio 2014 (Published in the Gazzetta Ufficiale issue no. 126 on 3rd June 2014)”, and subsequent amendments enforced by the Authority concerning “cookies”.

In compliance with the current legislation, EMERSON S.r.l. requests user consent of those analytical cookies that are not similar to technical cookies as well as profiling cookies by using the appropriate banner that appears when first visiting the www.progea.com website.

In general, apart from the type of cookies adopted by this website, we wish to inform Users that, in addition to the protection provided by current legislation, there are other available options to use when browsing the internet without receiving cookies, such as:

• Blocking third-party cookies: cookies from third-parties are not necessary for browsing, therefore you can choose to disable them for default using the appropriate functions provided by your browser.

• Activating the Do Not Track (DNT) option: most browsers of the latest generation provide users with Do Not Track (DNT) option. Websites designed to respect this option, when activated, should automatically stop collecting your browsing data. As mentioned beforehand, not all websites are designed to respect this option and therefore must be used as your discretion. Activating the anonymous web browsing mode: by using this function you can browse the web in incognito mode leaving no trace of information of your navigation activities in the browser. The websites will not remember you, the pages you visit will not be stored in the browser history and any new cookies will be deleted. However, the anonymous web browsing function does not warrant anonymity on the Internet, it only impedes the storage of your navigation data in the browser. Your navigation data shall, nevertheless, continue to be available to website managers and connectivity providers.

• Deleting cookies directly: there are specific functions that you can use to do this in all browsers. However, please be reminded that new cookies are downloaded upon each Internet connection, so the deleting action should be performed periodically. Alternatively, some browsers do offer the use of automated systems that will periodically do this for you.

For further information on other issues concerning cookies, please refer to: http://www.garanteprivacy.it/cookie

Moreover, if you wish to know how to limit, block and/or remove cookies saved in your device, please visit: http://www.aboutcookies.org

As mentioned beforehand, the User can manage their own cookie preferences in their own browser. To find out which browser type and version you are using, click on ‘Help’ at the top of your browser window to access all the information you need.

If you already know your browser type and version, simply click on the link corresponding to the browser you are using to access the relevant cookie management pages.

• Internet Explorer 

http://windows.microsoft.com/en-us/windows-vista/block-or-allow-cookies

• Google Chrome 

https://support.google.com/accounts/answer/61416?hl=it 

• Mozilla Firefox 

http://support.mozilla.org/en-US/kb/Enabling%20and%20disabling%20cookies 

• Safari

http://www.apple.com/legal/privacy/ 

For further information on managing cookies please visit: http://www.youronlinechoices.eu, http://www.allaboutcookies.org, https://tools.google.com/dlpage/gaoptout, http://aboutads.info/choices, http://www.networkadvertising.org/choices

2.3 Data provided voluntarily by the user

Data relating to identified or identifiable persons may be processed following consultation of this website. Let it be specified that this processing may take place in relation to the personal data freely provided by Users who send their data to the Data Controller by means of using the contact details on the www.progea.com website, such as the company’s contact emails, and/or by filling in forms with personal data on the website. The optional, explicit and voluntary sending of emails to the addresses indicated on this website entails the subsequent acquisition of the sender’s address and any personal data included within the email content in order to respond to requests or queries adequately. Specific detailed information on processing personal data pursuant to art. 13 of EU Reg. 679/2016 is reported in each page containing forms for collecting data of the visitor. This information defines the limits, purpose and data processing methods of each data collection form and each user can freely express their consent and authorization to have their data collected and subsequently used.

The purpose of processing data and the corresponding lawful basis are specified according to the form used and may carry consent according to which form used (e.g. subscribing to the newsletter) for performing specific requests. Let it be specified that in no section of the website, nor for access to any website feature, should it be required to provide “special categories of personal data” and/or “personal data relating to criminal convictions and offences” as stipulated in art. 9 and 10 of the EU Reg. 679/2016: if the user spontaneously sends information of the aforementioned type to the Data Controller, the Data Controller will process these data in compliance with the current legislation on the protection of personal data (EU Reg. 679/2016) and within the limits of what is strictly necessary in relation to the requests made by the concerned User.

In general, as regards to data provided voluntarily by the User, we would like to inform Users that the EU Reg. 679/2016 (and the Italian Legislative Decree no. 196/2003 and subsequent amendments and integrations) provide for the protection of individuals with respect to the processing of personal data. According to this legislation, processing will be based on the principles of correctness, lawfulness and transparency to protect your privacy and rights.

Pursuant to articles 13-14 EU Reg. 679/2016 and the Italian Legislative Decree no. 196/2003, we therefore provide you with the following information:

1. The Data Controller shall use a computerized process and/or collected paper documentation to process data;

2. The User is free to provide their information by sending it to the Data Controller using the contacts cited on the website and/or by filling in specific forms on the website; in the latter case, any missing data may prevent the fulfillment of the activities requested by the User (for example, unfilled ‘mandatory fields’ marked by the asterisks symbol * on the form);

3. The User’s personal data may be processed by subjects specifically appointed by the Data Controller as data processors and/or by anyone acting under his authority and who has access to personal data; these subjects will process your data only when necessary in relation to the purposes for which your data was provided and only in the context of performing the tasks assigned to them by the data controller by only processing the data necessary to perform these tasks and to only carry out the operations needed to fulfill them. The complete and updated list of the data processors of the designated data can be consulted on request by the interested party. Furthermore, personal data may be communicated to third parties only if this is strictly necessary to provide specific services or information requested by the User. Finally, let it be specified that the data controller may make use of internal or external IT technicians for occasional maintenance, updating or assistance, in the event of malfunctions, of the website. However, no data deriving from the web service will be communicated or disseminated outside the company.

The aforementioned data communications shall be strictly connected to normal business operations within the context of managing relationships and shall be necessary solely for the purpose of which the data was provided;

c1) The Data Controller may transfer personal data to third party countries or international organizations; in such cases, the Data Controller will undertake this procedure in the presence of appropriate guarantors;

c2) data shall not be disclosed to third party subjects, prior to or without your permission or consent;.

c3) Your personal data will not be subjected to disclosure.

4. Your data shall be stored for the time necessary to fulfill the purpose for which they were provided for; the data shall be stored in a way that is identifiable to the User for a period of time that does not exceed the time needed to fulfill the purposes for which they were collected or subsequently processed for. If not expressly re-confirmed by you, the data subject, once processed your data shall be deleted, except when made anonymous.

5. personal data provided by you shall not be processed for automated decision-making processes (such as profiling);

6. The Data Controller shall inform you in the event of processing your data for purposes other than those indicated above, together with any other relevant information supporting their actions for doing so.

3. DATA PROCESSING METHODS AND PROTECTION

Your data shall be processed using methods and tools suitable to guarantee its security (art. 24, 25 and 32 EU Reg. 679/2016) and shall be carried out using IT tools and paper documents applying all the appropriate technical and organizational measures to guarantee their protection in order to ensure their confidentiality, integrity, availability and resilience to processing systems and services on a permanent basis.

The Data Controller, taking into account the state of the art and the implementation costs as well as the nature, scope of application, context and purposes of processing your data, both when determining the means of processing them and at the time of their actual processing (so-called risk analysis – accountability), shall implement adequate technical and organizational measures aimed at effectively implementing the data protection principles and integrate the necessary guarantees while processing your data in order to meet the requirements of the EU Reg. 679/2016 and to protect your rights as the data subject.

4. DATA SUBJECT RIGHTS

The Data Controller also informs you as the data subject that:

• The data subject has the right to ask the Data Controller to access their personal data and rectify or delete them or restrict or oppose the manner in which they are being processed, in addition to the right of data portability (art. 15, art. 16, art. 17, art. 18, art. 20 of the EU Reg. 679/2016); by exercising your right to access, you the data subject have the right to obtain from the Data Controller confirmation as to whether or not personal data concerning you are being processed. By exercising your right to portability allows you to obtain from the Data Controller your personal data in a structured, commonly used and legible structure or the transfer of such data from the original Data Controller to another (cfr. WP 242 of 13.12.2016);

• In cases where your data is processed based on art. 6, paragraph 1, no. a), you as data subject have the right to withdraw your consent at any time whatsoever without prejudice to the lawfulness of their processing based on your consent before you withdrew it.;

• You the data subject have the right to lodge a complaint to the data control authorities;

• You the data subject have the right to be made aware immediately by the Data Controller without undue delay in the event of any breach to your personal data which may result in a high risk to the rights and freedoms of natural persons (art. 34 EU Reg. 679/2016).

The integral text of the articles stipulated in the EU Reg. 679/2016 relating to your rights (articles 15 to 22 and 34) are reported in full in this here policy or and can be obtained from the Data Controller on request by using the aforementioned contact details.

5. “PRIVACY & COOKIES POLICY” DOCUMENT AMENDMENTS

The Data Controller reserves the right to make changes to this Privacy & Cookies Policy, at any time whatsoever, by announcing them to Users on this page. We therefore invite Users to consult this page frequently by referring to the last update indicated at the bottom.

Users are completely free to evaluate and understand why any updates or changes have been made to this document by comparing them with previous versions drawn up over time and of which will always be available for users to view on the website.

If the User finds any changes made to this privacy policy unacceptable, they are required to cease using this website and send a request to the Data Controller to erace their personal data by means of using the aforemented contact details.

Unless otherwise specified, this Privacy & Cookies Policy shall continue to apply to personal data up to the point of collection.

We kindly ask Users to contact us using the below contact details for any queries, comments and requests relating to this privacy policy:

EMAIL [email protected] – PEC: [email protected]

Furthermore, we invite Users to report any difficulties in viewing this Privacy & Cookies Policy, so that alternative means can be sort in providing the user with this information.

Modena

EMERSON S.r.l.

Last Updated: Jgiugno 2020

* * *

DATA SUBJECT RIGHTS EU REG. 679/2016 (extract)

Art. 15 GDPR

Right of access by data subject

(Suitable Recitals: 63 right of access, 64 identify verification)

1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

   1. the purposes of the processing;

   2. the categories of personal data concerned;

   3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;

   4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

   5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

   6. the right to lodge a complaint with a supervisory authority;

   7. where the personal data are not collected from the data subject, any available information as to their source;

   8. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

2. Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

3. ¹The controller shall provide a copy of the personal data undergoing processing. ²For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. ³Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others

Art. 16 GDPR

Right to rectification

(Suitable Recitals: 65 Right of rectification and erasure)

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. ²Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Art. 17 GDPR

Right to erasure (‘right to be forgotten’)

(Suitable Recitals: 65 Right of rectification and erasure, 66 Right to be forgotten)

1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

   1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

   2. the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

   3. the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

   4. the personal data have been unlawfully processed;

   5. the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

   6. the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

   1. for exercising the right of freedom of expression and information;

   2. for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

   3. for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);

   4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

   5. for the establishment, exercise or defense of legal claims.

Art. 18 GDPR

Right to restriction of processing

(Suitable Recital: 67 Restriction of processing)

1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

   1. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;

   2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

   3. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims;

   4. the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

2. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

3. A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.

Art. 19 GDPR

Notification obligation regarding rectification or erasure of personal data or restriction of processing

(Suitable Recital: 66 Right to be forgotten)

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. ²The controller shall inform the data subject about those recipients if the data subject requests it.

Art. 20 GDPR

Right to data portability

(Suitable Recital: 68 Right of data portability)

1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

   1. the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and

   2. the processing is carried out by automated means.

2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. ²That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

Art. 21 GDPR

Right to object

(Suitable Recitals: 69 Right to object, 70 right to object to direct marketing)

1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. ²The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

6. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Art. 22 GDPR

Automated individual decision-making, including profiling

(Suitable Recitals: 71 Profiling 72 Guidance of the European Data Protection regarding profiling, 91 Necessity of a data protection impact assessment)

1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

2. Paragraph 1 shall not apply if the decision:

   1. is necessary for entering into, or performance of, a contract between the data subject and a data controller;

   2. is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or

   3. is based on the data subject’s explicit consent.

3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(2)1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.

Art. 34 GDPR

Communication of a personal data breach to the data subject

(Suitable Recitals: 68 Notification of data subjects in case of data breaches, 87 Promptness of reporting/notification, 88 Format and procedures of the notification)

1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

2. The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).

3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:

   1. the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;

   2. the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialize;

   3. it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

4. If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.