GDPR Compliance Guide for Dolce Reset

Effective Date: August 21, 2025

Introduction

The General Data Protection Regulation (GDPR), effective since May 25, 2018, governs the processing of personal data of individuals within the European Union (EU) and the European Economic Area (EEA), including Italy. As Dolce Reset, operating the marketplace at https://dolcereset.app/, you are subject to GDPR if you process personal data of EU/EEA residents, whether as a data controller or processor. This guide outlines key GDPR requirements to ensure compliance.

Key GDPR Obligations

  1. Legal Basis for Processing – Process personal data only with a valid legal basis under Article 6, such as:
    • Consent: Freely given, specific, informed, and unambiguous.
    • Contract: Necessary for performing a contract with the data subject.
    • Legitimate Interests: Balanced against individual rights.
    • Legal Obligation: Required by EU or Italian law.
    For sensitive data (e.g., health data), Article 9 requires explicit consent.
  2. Data Subject Rights – Ensure users can exercise rights under Articles 15–22, including access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making.
  3. Transparency and Privacy Policy – Maintain a clear, accessible Privacy Policy per Articles 13–14, covering the identity of the controller, purposes, legal bases, data categories, recipients, retention periods, and data subject rights.
  4. Data Protection by Design and Default – Implement measures such as data minimization, pseudonymization, encryption, and default privacy settings.
  5. Security and Breach Notification – Safeguard data with encryption and secure server infrastructure; notify the Garante within 72 hours of becoming aware of a breach, and inform affected users when the breach is likely to result in a high risk to them.
  6. Data Protection Officer (DPO) – Appoint if large-scale sensitive data is processed. Publish contact info and ensure independence.
  7. Data Transfers Outside the EU/EEA – Use SCCs or adequacy decisions for transfers. Document mechanisms.
  8. Record-Keeping and Accountability – Maintain Article 30 records and conduct DPIAs for high-risk processing.
  9. Processor Agreements – Contractually bind processors (Article 28) with obligations on security and cooperation.
  10. Cooperation with Authorities – Cooperate with the Garante and comply with investigations.

Penalties

Non-compliance may lead to fines up to €20 million or 4% of annual global turnover (whichever is higher). The Garante may also issue warnings, bans, or corrective orders.

Italian-Specific Considerations

The Garante places special focus on health data. Explicit consent is critical. Italy’s Data Protection Code (Legislative Decree No. 196/2003) and Consumer Code impose further requirements, especially for e-commerce and health-related platforms.

Implementation Steps for Dolce Reset

Contact

For GDPR-related queries, contact Dolce Reset at info@dolceresetmenopausa.org or the Garante at garante@gpdp.it.