Privacy Policy

1. PREAMBLE

The company, within the scope of its business activities and in order to provide the products and services requested by the market, collects and processes personal information. The subjects to whom these data refer are: employees, customers, suppliers, and potential candidates. These data include, but are not limited to: name, address, phone number, email address, date of birth, any identification numbers, sensitive information, and banking information.
The company is protected by an anti-theft system and is equipped with a closed-circuit video surveillance system (external area). There is no video surveillance system inside the building. The images are recorded and saved on hard disks and stored for up to 24 hours, after which they are automatically deleted. In case of intrusion, the person responsible for viewing the images is Mr. Massimo Tartaro. To guard against accidental events such as floods and short circuits, all precautions required by safety regulations for technological systems, such as an electrical system equipped with life-saving (residual-current) devices, have been adopted.
The company is committed to collecting, processing, storing, and destroying all personal information in compliance with current privacy regulations.
In particular, the company has implemented policies, procedures, technical-organizational measures, and controls, including staff training, to ensure compliance with Legislative Decree 196/2003 and Regulation (EU) 2016/679 (GDPR).
Ensuring the security of personal data of people the company interacts with is fundamental to the company’s philosophy. This privacy policy outlines how the company processes personal data and the protection policies aimed at ensuring compliance with the GDPR, the approach to data protection based on the principles of "privacy by design" and "privacy by default," and the ability for data subjects to exercise their rights.

2. OBJECTIVE

This privacy policy aims to ensure the company's compliance with current privacy regulations and to illustrate the policies followed to minimize the risk of violations and ensure the protection of personal data.
The principles and provisions of this privacy policy are binding on all company employees (permanent, fixed-term, agency workers, interns), including third parties or subcontractors who process data on behalf of the company. These subjects undertake to carry out their activities in full compliance with this privacy policy.
The company is committed to maximizing the dissemination of this privacy policy by providing updates and informing and training all employees to raise awareness about the correct processing of personal data in line with the General Regulation (EU).

2.1 DEFINITIONS

- **GDPR:** General Data Protection Regulation (EU) and for the purposes of this document, the acronym includes all data protection laws to which the company is subject.
- **Personal data:** Any information relating to an identified or identifiable natural person ("data subject"). A person is considered identifiable if they can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
- **Processing:** Any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- **Data subject:** The person to whom the processed personal data refers.
- **Data controller:** The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- **Data processor:** A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the data controller.
- **Third party:** A natural or legal person, public authority, agency, or body other than the data subject, data controller, data processor, and persons who, under the direct authority of the data controller or data processor, are authorized to process personal data.
- **Profiling:** Any form of automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning the natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
- **Recipient:** A natural or legal person, public authority, agency, or other body to which the personal data are disclosed, whether a third party or not. However, public authorities that may receive personal data in the context of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
- **Consent of the data subject:** Any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
- **Genetic data:** Personal data relating to the inherited or acquired genetic characteristics of a natural person that give unique information about the physiology or health of that natural person and that result, in particular, from an analysis of a biological sample from the natural person in question.
- **Biometric data:** Personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.
- **Representative:** A natural or legal person established in the Union who, designated by the data controller or processor in writing, represents them with regard to their respective obligations under the Regulation (EU).
- **Supervisory authority:** An independent public authority established by a Member State.

3. PREVIOUS LEGISLATION

Directive 95/46/EC of the European Parliament, adopted in 1995, served as the reference text at the European level regarding data protection until the entry into force of the General Data Protection Regulation (EU). In Italy it led to the adoption of Legislative Decree 30 June 2003 No. 196 (“Privacy Code”).
This Directive defined a regulatory framework aimed at establishing a balance between a high level of privacy protection for individuals and the free movement of personal data within the European Union.
Over the past twenty years, there has been a significant increase in cross-border operations, highlighting the shortcomings of the data protection laws adopted by individual Member States.
For this reason, in January 2012, the European Commission proposed a new Regulation to be applied uniformly in all EU Member States for personal data protection.

4. GENERAL DATA PROTECTION REGULATION IN THE EUROPEAN UNION (GDPR)

The General Data Protection Regulation (GDPR) 2016/679 was approved by the European Commission in April 2016 and applies in all EU Member States from May 25, 2018. Its provisions apply directly in the Member States, replacing existing local data protection laws and repealing and replacing Directive 95/46/EC and its implementing legislation in each Member State.
The company processes personal data. In compliance with the General Data Protection Regulation (GDPR) and its principles, the company has implemented a series of procedures, measures, and controls regarding the collection, use, transmission, dissemination, storage, and destruction of personal data.

4.1 PRINCIPLES OF THE GDPR

The GDPR establishes that personal data must be:
a) Processed lawfully, fairly, and transparently in relation to the data subject (“lawfulness, fairness, and transparency”);
b) Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered incompatible with the initial purposes (“purpose limitation”);
c) Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”);
d) Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to the implementation of the appropriate technical and organizational measures required by the Regulation in order to safeguard the rights and freedoms of the data subject (“storage limitation”);
f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (“integrity and confidentiality”). The company, as the data controller, is responsible for ensuring that personal data are processed according to the provisions of the cited regulation.

4.2 CORPORATE PRINCIPLES

The principles that the company follows to implement procedures, measures, and controls in compliance with the GDPR are as follows:
- The rights of individuals whose personal data are collected and processed by the company are protected.
- Policies, procedures, audit plans, and training activities are adopted and implemented to comply with the GDPR.
- Only necessary data are collected, processed, and stored for specific, explicit, and legitimate purposes.
- Where required, the company seeks explicit consent.
- All employees are well informed and trained about the obligations and requirements provided by the GDPR.
- A monitoring, review, and improvement program is in place to ensure compliance with the GDPR, identify any gaps, and take appropriate measures to avoid or minimize risks.
- The current privacy legislation, documents issued by the national Data Protection Authority, and the European Data Protection Board (EDPB) are constantly monitored for updates.
- Strict procedures, measures, and controls are adopted and applied to ensure continuous compliance with privacy regulations.
- A procedure for handling complaints and data breach incidents is in place.
- An "Internal Privacy Officer" is appointed, responsible for the overall supervision and implementation of the GDPR and its principles concerning the company's reality.
- A specific monitoring program is in place to carry out checks and assessments on how the personal data we process are obtained, used, stored, shared, and destroyed.
- All personal data are recorded, stored, and destroyed in accordance with the GDPR’s timescales and purposes of processing.
- Any information transmitted to data subjects about their personal data held by the company is provided concisely, transparently, intelligibly, and easily accessible, using clear and simple language.
- Employees are made aware of their rights under the GDPR and are provided with the notices under Articles 13 and 14 of the Regulation (EU).

5. INTERNAL PRIVACY OFFICER

The company has appointed an Internal Privacy Officer, designated on the basis of professional qualities, knowledge of data protection law and measures, and the ability to fulfill the duties of the role.
The company provides the Internal Privacy Officer with the resources necessary to perform the tasks required by the current privacy regulations. The Internal Privacy Officer reports to senior management and provides information on the company’s compliance with privacy regulations, identifies any gaps, and proposes improvement plans and actions.
The Internal Privacy Officer is fully aware that their role in personal data protection is bound by confidentiality and secrecy, and for this purpose, a confidentiality agreement has been signed with the company.

5.1 DUTIES OF THE INTERNAL PRIVACY OFFICER

The Internal Privacy Officer is required to:
- Inform and advise the company, the Data Controller, and all employees/contractors who process data about their obligations under the Regulation, the guidelines of the Data Protection Authority, and any other applicable data protection law;
- Monitor compliance with the Regulation and the data controller’s/processor’s policies, including assigning responsibilities, raising awareness, and training staff involved in processing operations;
- Monitor audit activities regarding policies, procedures, employee duties, and training programs related to personal data processing;
- Cooperate with the Data Protection Authority when requested;
- Serve as a point of contact for the Data Protection Authority (e.g., in cases of prior consultation as per Article 36 of the Regulation);
- Provide advice on data protection impact assessments and oversee their execution if requested.
In performing their duties, the Internal Privacy Officer considers the risks associated with processing, taking into account the nature, scope, context, and purposes of processing.

6. FUNDAMENTAL PRINCIPLES

6.1 ACCOUNTABILITY & COMPLIANCE

Within the GDPR regulation, the principle of “accountability” has been strengthened, entrusting the Data Controller and Processor with greater “responsibility” concerning the application of the regulation. The Data Controller is tasked with autonomously deciding the methods, guarantees, and limits of personal data processing in compliance with the regulatory provisions and considering specific criteria (e.g., “privacy by design” and “privacy by default,” impact assessment).
The Data Controller and Processor adopt policies and implement appropriate measures to ensure and demonstrate that the data processing carried out complies with the regulation.
A risk mapping of the personal data processed by the company has been conducted, following which the company has implemented appropriate technical and organizational measures, internal procedures, and control systems to ensure the protection of personal data and compliance with the GDPR.
The company believes that compliance by all employees, collaborators, customers, and suppliers with the transparency and confidentiality rules contained in this document is a necessary condition for achieving the goals of compliance with current privacy regulations.
The main actions to be taken are:
- Informing company managers and employees about the content and requirements of the GDPR and the possible risks and impacts of non-compliance;
- Implementing a dedicated and effective data protection training program for all staff;
- Identifying and involving key senior figures to support the data protection compliance program;
- Assigning appropriate responsibilities for data protection compliance and ensuring that designated individuals have sufficient support and resources to perform their role;
- Identifying, creating, and disseminating reporting lines within the data protection organizational structure.

6.2 PRIVACY BY DESIGN & PRIVACY BY DEFAULT

To mitigate the risks associated with personal data processing, data protection by the company is carried out according to the “privacy by design” and “privacy by default” philosophies.
This implies the need to configure the processing from the design stage, i.e., before processing begins (privacy by design), and the need for data to be processed by default solely for the intended purposes and for the strictly necessary period (privacy by default).
To ensure compliance with these principles, further measures provided by the regulation are adopted, including:
- Data minimization: The GDPR requires that data collection be “limited to what is necessary.” The objective is to process only data deemed essential for providing services and to retain them for the necessary period. Systems, processes, and activities of the company, including employees, are geared towards collecting only the personal information deemed relevant and necessary to achieve the specific purpose. Data minimization helps reduce data protection risks and possible violations, ensuring the company’s compliance with the GDPR.
Examples of measures that ensure the collection of only necessary data are:
- Electronic collection (website, etc.): presents only the necessary fields for the purpose of collection and subsequent processing.
- Physical collection: uses forms that provide predefined fields for collecting necessary data.
- If personal information is provided in excess of what is deemed necessary, appropriate destruction procedures are in place.
- Access limitation: Activities involving personal data processing are carried out through processes and systems that allow only authorized persons to access personal information. The details of authorized persons for personal data processing are kept by the company.

6.3 IMPACT ASSESSMENT

The impact assessment precedes data processing and addresses processing that presents a particular likelihood and severity of risk. It allows problems to be identified at the source and adequate measures to be anticipated, reducing costs, violations, and risks. It is required for large-scale processing affecting a large number of data subjects, for processing with high risk related to the introduction of new or particular technologies, for the implementation of profiling or surveillance processes, and for the use of special categories of data (e.g., biometric or judicial data).
The impact assessment must contain at least:
- A systematic description of the planned processing operations, the purposes, and the possible occurrence of a legitimate interest;
- An evaluation of the necessity and proportionality of the processing concerning the predefined purposes;
- An assessment of the risks to the rights and freedoms of data subjects;
- The organizational and technical measures planned (including security measures) and any mechanism deemed useful to protect the rights of the data subjects.
When the assessment indicates a high risk for data processing, the Data Controller is required to consult the Supervisory Authority.
Impact assessments are carried out by the data controller in collaboration with the Internal Privacy Officer, who provides advice and support to ensure process compliance with GDPR standards.
Impact assessments and supporting documentation are retained for an appropriate period from the date they are conducted and are made available to the Supervisory Authority upon request.
To assess whether an impact assessment is needed, it is useful to consider the questions below. If the answer to one or more of them is affirmative, the assessment is carried out.
Some example questions are:
- Does the processing require a systematic and/or global assessment (by automated means) of personal aspects relating to natural persons?
- Does the processing take place on a large scale and involve special categories of data?
- Does the processing take place on a large scale and involve data related to criminal convictions and offenses?
- Does the processing involve the systematic monitoring of a publicly accessible area on a large scale?
- Will personal information be communicated to organizations or individuals without adequate safeguards?
- Does the processing involve the use of new technologies or systems that might be perceived as intrusive to privacy?

6.4 CODES OF CONDUCT

Through the preparation of this policy and, where existing, integration with the Code of Ethics, the company aims to contribute to the correct application of legislative provisions regarding privacy.
The objective is to help the company:
- Improve transparency and accountability;
- Demonstrate to the Supervisory Authority compliance with data protection laws;
- Limit the risks of violations;
- Improve the quality of company policies and procedures;
- Ensure fair and transparent processing;
- Provide adequate guarantees even in the context of possible transfers of personal data to third countries or international organizations.

7. DATA PROCESSING

7.1 LEGAL BASIS FOR PROCESSING (LAWFULNESS)

Before conducting any personal information processing activity, it is always necessary to identify and establish the legal basis beforehand.
The legal basis is documented in the processing register and is included in the information to be provided under the notice obligations.
The legal basis exists when:
- The data subject has given consent to the processing of their personal data for one or more specific purposes;
- The processing of personal data is necessary for the performance of a contract to which the data subject is a party or to take pre-contractual measures requested by the data subject;
- The processing is necessary to comply with a legal obligation to which the Data Controller is subject;
- The processing is necessary to protect the vital interests of the data subject or another natural person;
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;
- The processing is necessary for the legitimate interests pursued by the Data Controller or by a third party, provided that the interests or fundamental rights and freedoms of the data subject which require protection of personal data do not override them, particularly if the data subject is a minor.

7.2 PROCESSING BY THIRD PARTIES

When the company outsources the processing of personal data, it must enter into a contract detailing the tasks and responsibilities of the external parties who will handle the various aspects of processing.
Such a contract (or other legal act) must include, in particular, the following:
- The type of personal data processed and the categories of data subjects;
- The nature and purpose of the processing;
- The duration of processing and the objectives;
- The rights of data subjects;
- The processing of personal data by the external processor is carried out only based on documented instructions from the Data Controller;
- Persons authorized to process personal data are subject to confidentiality obligations;
- The external processor provides guarantees regarding the application of appropriate technical and organizational measures for data security;
- The external processor deletes personal data at the request of the Data Controller;
- The external processor makes available to the Data Controller all the information necessary to demonstrate compliance with the obligations provided in the agreement;
- Authorization from the company is mandatory for any transfer of personal data to a third country or an international organization (unless required by law);
- The external processor immediately informs the company of any violations, non-compliance, or inability to perform their duties;
- External processors cannot further delegate the activities entrusted to them by the company to sub-processors without the company’s express authorization.

7.3 DATA STORAGE AND DISPOSAL

The GDPR requires the protection of the rights and privacy of data subjects both during the processing phase by the company (limiting data retention to the time deemed necessary for the purpose) and in the final phase of disposal of media containing personal data.
The company has defined procedures to establish the retention periods of the personal data processed and the disposal methods of devices and media containing personal data (e.g., shredding, secure electronic deletion).

8. RIGHTS OF THE DATA SUBJECTS

8.1 CONSENT

The Regulation provides six legal bases that make the processing of personal data lawful, among which, where necessary, is the consent of the data subject.
“Consent” means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they signify agreement to the processing of personal data relating to them by a statement or by a clear affirmative action.
The Regulation stipulates that consent:
- Does not necessarily have to be documented in writing, although the written form is well suited to establishing that consent is unambiguous and “explicit”;
- Is valid, when given by a minor, from the age of 16; below this age, the consent of a parent or legal guardian is required;
- Can be withdrawn at any time, and the data subject must always be informed of this right;
- Cannot be tacit or presumed (no pre-ticked boxes on a form);
- Must be explicit if the processing concerns sensitive data (also for consent to decisions based on automated processing, including profiling):
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Data concerning health;
- Data concerning a person's sex life or sexual orientation;
- Genetic and biometric data intended to uniquely identify a natural person.
If data processing is based on consent, the Data Controller must be able to demonstrate that the data subject has given their consent. This proof or demonstration can be provided by showing forms or documents signed specifically for this purpose.
Where the data subject’s consent is contained in a written declaration that also concerns other matters, the request for consent is presented in a way that is clearly distinguishable from the other matters, in an intelligible form using clear and simple language. All these written declarations are reviewed and authorized by the Internal Privacy Officer before being distributed.
If consent is requested through electronic means, the request must be clear and concise.
Records related to obtained consent are kept for an appropriate period from the date of authorization unless there is a legal obligation requiring a longer period.
The company has specific measures in place to ensure compliance with the GDPR regarding the request, issuance, and withdrawal of consent.

8.2 PROVISION OF INFORMATION

The GDPR requires that the data subject always be provided with the information under Articles 13 and 14 of the regulation, depending on whether the data are collected directly from the data subject or from third-party sources. This information gives data subjects all the necessary details about the purposes and methods of processing their personal data and informs them about their rights and obligations.
The information must:
- Be concise, transparent, intelligible for the data subject, and easily accessible;
- Be provided in writing or by other means, including electronic means, or orally if requested by the data subject, at the time the data are collected.
If personal data are obtained directly from the data subject, the information must contain the following:
- The identity and contact details of the data controller and, where applicable, of their representative;
- The contact details of the data protection officer, if appointed;
- The purposes of the processing for which the data are intended;
- The legal basis for the processing;
- The legitimate interests pursued by the data controller or by third parties if this constitutes the legal basis for the processing;
- Any recipients or categories of recipients of the personal data;
- The intention of the Data Controller to transfer personal data to a third country or an international organization, the means to obtain a copy of such data, and the location where they are made available;
- The period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;
- The existence of the data subject's right to request access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing, as well as the right to data portability;
- If the processing is based on consent, the existence of the right to withdraw it at any time without affecting the lawfulness of processing based on consent before its withdrawal;
- The right to lodge a complaint with a supervisory authority;
- If the provision of personal data is a legal or contractual requirement or a necessary requirement for entering into a contract, and whether the data subject is obliged to provide the personal data, as well as the possible consequences of failure to provide such data;
- The existence of automated decision-making, including profiling, and, in such cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
If personal data are not obtained from the data subject, the information must be provided to the data subject:
- Within a reasonable period after obtaining the personal data, but at the latest within one month;
- If the data are to be used for communication with the data subject, at the latest at the time of the first communication;
- If a communication to another recipient is envisaged, at the latest when the data are first disclosed.
In this case (data collected from third parties), the information must contain the information listed above (except for the reference to the provision of personal data as a legal or contractual obligation) and additionally:
- The categories of personal data processed;
- The source from which the personal data originate, and if applicable, whether it came from publicly accessible sources.
If the purposes of data processing change, the data subject must be informed before further processing.
The information is available in different formats depending on how the data are collected:
- Through the company website;
- At the bottom of emails;
- In agreements, contracts, forms, and other documentation where data are collected in written form;
- In employee contracts;
- Verbally (by phone or in person).

8.3 PERSONAL DATA OF EMPLOYEES

Consent is requested from employees as the legal basis for processing sensitive personal data (e.g., union membership and health data).
Employees are provided with adequate information on how their data are processed and for what purposes.
All employees are provided with the tools necessary to exercise their privacy rights under the GDPR.

8.4 RIGHT OF ACCESS OF THE DATA SUBJECT

The data subject has the right to obtain from the data controller a series of information:
1. Confirmation as to whether or not personal data concerning them are being processed, even if not yet recorded, and the source of the personal data;
2. The purposes and methods of processing;
3. Whether the data will be transferred to third countries and if adequate safeguards are provided;
4. The planned period for which the personal data will be stored;
5. Information on the origin of the data if not collected from the data subject;
6. The existence of automated decision-making processes, including profiling.
If the Data Controller to whom the request is addressed is processing the data subject’s data, they must provide a copy of it. If the data subject requests additional copies, the Data Controller may charge a fee.
The data subject has the right to object:
- On legitimate grounds, to the processing of personal data concerning them;
- To the processing of data concerning them for direct marketing purposes, including profiling related to such marketing.
Concerning the means of transmission, the data controller must provide means to submit requests electronically, especially if data processing was conducted digitally.
The Data Controller is obliged to verify the identity of the data subject making the request to prevent unauthorized third parties from accessing the data.

8.5 RIGHT TO DATA PORTABILITY

The right to data portability strengthens the control given to the data subject over their data and applies to data processed digitally.
The right to data portability allows the data subject to transfer their data from one electronic processing system to another without hindrance from the data controller.
The right to portability can be exercised in two distinct ways, allowing the data subject to:
1. Obtain and reuse the data provided by one data controller;
2. Transmit these data to another service provider.
Data portability includes the right of the data subject to receive a subset of personal data processed by a data controller and retain it for further personal use.
The right to data portability can be exercised if the processing is conducted by automated means and is based on the data subject’s explicit consent for one or more specific purposes or if the processing is necessary for the performance of a contract.
Therefore, the regulation does not provide a general right to data portability if the processing is not based on consent or a contract.

8.6 RECTIFICATION AND DELETION OF DATA

8.6.1 CORRECTION OF INACCURATE OR INCOMPLETE DATA

Under the GDPR, all data held and processed by the company are reviewed and verified periodically. If inconsistencies and/or inaccuracies are found, the necessary corrections must be made without delay.
Information is modified as indicated by the data subject, with the responsible person verifying that all related data are updated if incomplete or inaccurate.
If inaccurate data are notified by the data subject, the error must be corrected within 30 days, and any third parties holding such data must be informed of the change.
The data subject is informed in writing of the correction and, where applicable, of the third parties to whom the data were disclosed.
If, for any reason, it is not possible to respond to a request for rectification and/or completion, a written explanation of the reasons must always be provided, and the data subject must be informed of the right to lodge a complaint with the Supervisory Authority.

8.6.2 THE RIGHT TO ERASURE

The so-called “right to erasure” ensures that personal data identifying a subject are not kept longer than necessary for the purposes for which the data are processed. Under the right to erasure, a person can request the deletion of personal data when there are no longer valid reasons for their continued processing.
Each processing activity is associated with a deletion date so that personal data can be destroyed when no longer needed.
The company has a dedicated process for handling erasure requests to ensure that all data subjects' rights are respected and that no data are kept longer than necessary.

8.7 RIGHT TO RESTRICTION OF PERSONAL DATA PROCESSING

The right to restriction of personal data processing can be exercised not only in the event of a violation of the lawfulness of the processing (as an alternative to the deletion of the data) but also if the data subject requests the rectification of data or opposes their processing pending evaluation by the data controller.
Apart from storage, any other processing of the restricted data is prohibited unless certain circumstances apply (the data subject's consent, legal claims, significant public interest).
Any account and/or system holding the restricted data is updated to inform users of the existence of the restriction and the reason for it.
The Internal Privacy Officer reviews and authorizes all requests and actions for restriction and retains copies of notifications to and from the data subjects and interested third parties. If the data were disclosed to third parties, the third party must be informed of the restriction.

8.8 METHODS FOR EXERCISING RIGHTS

The response time for data subjects' requests is one month for all rights, extendable to three months in cases of particular complexity. The Data Controller must still respond to the data subject within one month, even in the case of denial.
The Data Controller assesses the complexity of the response and determines the amount of any contribution to be requested from the data subject, but only if the requests are manifestly unfounded or excessive (including repetitive).
The response to the data subject must generally be in writing, including electronic means that facilitate accessibility. It can only be given orally if the data subject requests it.
The response provided to the data subject must be not only “intelligible” but also concise, transparent, and easily accessible, using clear and simple language.
Although it is the Data Controller's sole responsibility to respond to the exercise of rights, the processor is required to cooperate with the Data Controller in exercising the data subjects' rights.
The exercise of rights is, in principle, free for the data subject, but there may be exceptions.
The Data Controller has the right to request information necessary to identify the data subject, and the latter must provide it in an appropriate manner.

9. CONTROL PROCEDURES

9.1 SECURITY AND MANAGEMENT OF DATA BREACHES

The information security policy and procedures provide precise measures and controls to protect personal data from collection to deletion, ensuring that personal data processing does not violate the rights of the data subject.
The GDPR requires that all Data Controllers notify the Supervisory Authority of any personal data breaches they become aware of within 72 hours and in any case “without undue delay,” but only if they consider it likely that the breach will result in risks to the rights and freedoms of data subjects. Therefore, notification to the Authority is not mandatory and is subject to the risk assessment by the Data Controller.
The notification must contain at least the following information:
a) Description of the nature of the breach, the categories of data concerned, and the number of data subjects affected;
b) The name and contact details of the Internal Privacy Officer;
c) Description of the likely consequences of the breach;
d) Description of the measures taken or proposed to address the breach.
If the probability of such risk is high, data subjects must also be informed of the breaches "without undue delay." Communication to the data subject is not required if:
a) The Data Controller had used appropriate technical and organizational measures to protect the breached data (e.g., encryption), or
b) The Data Controller subsequently adopted measures to prevent a high risk to the rights of data subjects, or
c) Such communication would involve disproportionate effort. In this case, a public communication must be made.
The company has implemented measures to document any breaches, even if not notified to the Supervisory Authority or data subjects, the related circumstances and consequences, and the actions taken. Such documentation is provided to the Supervisory Authority upon request.

9.2 PASSWORDS

Passwords are a fundamental means of protecting information and limiting access to systems. Passwords offer a high level of protection to resources and data and are mandatory for all employees and/or third parties who have access to any resource that requires a protection system. The company adopts IT security policies within which procedures and guidelines for managing passwords are provided.

9.3 LIMITED ACCESS

Each company can, at its discretion, share all or part of its data on a network with limited access.
This mechanism avoids leaving personal data unguarded. Only authorized personnel have access to the data in compliance with internal company procedures.
Personal and confidential information processed with paper tools is archived to ensure the security and integrity of data based on specific internal procedures.

10. DATA TRANSFERS

Where it is necessary to transfer data externally, a process ensuring the integrity and security of such data must be used. For example, if the transfer is carried out by electronic means, encryption measures should be used.
The same caution in safeguarding the integrity and security of data must also apply to transfers of personal data to third countries or international organizations.
In the latter case, appropriate measures must be taken to protect data during the transfer and while being processed in the third country or international organization.
The company limits the transfer of personal data to third countries only if it is essential and mandatory for the provision/purchase of services/products. In such cases, it adopts appropriate procedures to safeguard the security of personal information.

11. CONTROLS AND MONITORING

This policy and internal company procedures detail the measures and extent of controls implemented by the company to protect personal data, ensure the rights of data subjects, mitigate risks, minimize violations, and comply with the GDPR regarding privacy.
The Internal Privacy Officer has the overall responsibility to assess, review, and improve the processes, measures, and controls in place within the company and report any improvement action plans. All control and monitoring processes are recorded by the Internal Privacy Officer and made available upon request by the Supervisory Authority.
The objectives of internal audits on data protection are to:
- Ensure that the policies and procedures in place are adequate;
- Verify compliance with policies and procedures;
- Verify the adequacy and effectiveness of the measures and controls in place;
- Identify violations or potential compliance violations;
- Identify risks and assess actions to minimize those risks;
- Recommend solutions and action plans to senior management to improve the protection of data subjects and safeguard personal data;
- Monitor GDPR compliance and demonstrate adequate implementation.

12. TRAINING

All staff must be aware of the requirements of the GDPR.
The company ensures this through a continuous training process, at various levels, for all employees, particularly those authorized to process personal data.

13. SANCTIONS

The company is aware of the obligations and responsibilities arising from the application of the GDPR and the severity of any violation of the regulation, as it can result in severe sanctions.
The Supervisory Authority has the power to impose administrative fines up to a predetermined monetary amount, considering the nature, gravity, and duration of the violation, whether it was intentional or negligent, and the measures taken by the Data Controller.
In particular, administrative fines fall into the following categories:
- Violations of obligations imposed on companies, punishable by fines up to 2% of the total worldwide annual turnover of the previous fiscal year. Examples of violations are:
  - Failure to keep the processing register;
  - Failure to conduct an impact assessment;
  - Failure to conduct a prior consultation with the Supervisory Authority;
  - Failure to notify data breaches;
  - Failure to appoint a Data Protection Officer (DPO);
  - Failure to adopt adequate security measures.
- Violations of the principles of the regulation and the rights of data subjects, punishable by fines up to 4% of the total worldwide annual turnover of the previous fiscal year. Examples of violations concern:
  - The basic principles of processing, including the conditions for consent;
  - The rights of data subjects;
  - Transfers of personal data to a recipient in a third country or international organization;
  - Non-compliance with an order, a provisional or definitive restriction of processing, or an order to suspend data flows issued by the Supervisory Authority.
The company has also informed employees about the severity and proportional nature of the sanctions to raise awareness about the correct processing of data in line with the GDPR directives and internal company procedures.
