In order to facilitate the exercise of the data subject’s rights of access to the processing in a timely manner and with a view to greater respect for the data subject’s rights, as provided for in Articles 15 et seq. of the GDPR, the following guidelines are adopted.

1. Data subjects may submit their requests for access to the Data Controller, asking for confirmation as to whether or not their personal data are being processed and, if so, obtain an updated and complete list of the data available to the Data Controller, specifying the categories of data processed, the purposes of the processing, the recipients (or categories of recipients) to whom the data have been or may be disclosed, the storage period, the rectification, erasure or restriction of the data or the right to object to the processing, the right to lodge a complaint with the Data Protection Authority, the origin of the data, the existence of automated decision-making (including profiling).
2. The request of the data subject may be submitted in writing by completing the form below.
3. The request must be accepted in accordance with Article 15 of the GDPR, without the data subject being required to provide reasons, but simply specifying clearly the personal data to which the request relates.
4. The request may also be made by a natural person other than the data subject, provided that they have a proxy.
5. The identity of the data subject must be verified to ensure that the data is sent only to the data subject and not to unauthorised third parties.
6. The Data Controller must respond to requests without delay.
7. As a rule, the data subject will receive a response within 30 days of submitting the request.
8. The request of the data subject will be ineffective until all the requested information has been received.
9. The request of the data subject is free of charge.
10. When the communication of the data subject’s personal data in an intelligible form is requested for the exercise of the right to portability, it should be noted that this can be done by any means; however, this must not involve any action that is not provided for by law, forcing the Data Controller to undertake burdensome tasks, both in terms of resources and time. Therefore, transfer via digital means is preferable.
11. The Data Controller shall notify the data subject in the event of rectification or erasure of their personal data or restriction of processing, unless this proves impossible or involves disproportionate effort.