- SCOPE, PURPOSE AND TARGET AUDIENCE
The Company undertakes to comply with applicable laws and regulations relating to the protection of personal data in the countries in which the Company operates. This Policy sets out the basic principles by which the Company treats the personal data of consumers, customers, suppliers, business partners, employees and other persons and indicates the responsibilities of its business departments and employees when processing personal data. This policy applies to the Company and the companies it controls, directly or indirectly, that carry out activities within the European Economic Area (EEA) or that process the personal data of data subjects within the EEA.
The recipients of this document are all employees, permanent or temporary, and all collaborators who work on behalf of the Company.
- REFERENCE DOCUMENTS
- Regulation (EU) 2016/679 of 27 April 2016 (hereinafter GDPR);
- Legislative Decree no. 196 of 30 June 2003 (Privacy Code) and subsequent amendments;
- Data Retention Policy;
- Guidelines for the list of data and the mapping of processing activities;
- Description of the Role of the Data Protection Officer;
- Procedure for requesting access to data by the data subject;
- Data Protection Impact Assessment Methodology;
- Procedure for reporting a data breach.
- OBJECT AND PURPOSE
The GDPR lays down rules for the protection of natural persons with regard to the processing of personal data, as well as rules for the free movement of such data (Article 1).
- MATERIAL SCOPE
The material scope of the Regulation includes:
- Personal data subject to wholly or partially automated processing;
- Personal data contained in or intended to be placed in a file.
Outside the material scope are:
- Personal data used in the course of activities that fall outside the scope of EU law;
- Personal data used in customs controls and for asylum and immigration procedures;
- Personal data used in connection with purely personal activities;
- Personal data used for crime prevention purposes, etc.
- TERRITORIAL SCOPE
The Regulation applies to:
- Controllers and processors in the Union, regardless of where the processing takes place;
- Controllers and processors not established in the Union, when the processing activities relate to the offering of goods or services to data subjects in the Union, regardless of whether or not a payment is required, or to the monitoring of the behaviour of data subjects within the EU;
- Controllers not established in the Union, but in a place where the law of a Member State applies.
- DEFINITIONS
With respect to the Privacy Code (Legislative Decree no. 196 of 30/06/2003), the definitions of sensitive data and judicial data have been eliminated; the Regulation now refers to:
- Special categories of personal data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation;
- Health-related data: personal data relating to the physical or mental health of a natural person, including the provision of health care services, revealing information relating to his or her state of health;
- Genetic data: personal data relating to the hereditary or acquired genetic characteristics of a natural person which provide unambiguous information about the physiology or health of that natural person, and which result in particular from the analysis of a biological sample of that natural person;
- Biometric data: personal data obtained from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person that allow or confirm the unique identification of that natural person, such as facial image or dactyloscopic data.
The following definitions of terms used in this document are taken from the European Union’s General Data Protection Regulation (GDPR):
- Personal Data: any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- Data Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
- Data Processor (DP): the natural or legal person, public authority, agency or other body that processes personal data on behalf of the Data Controller;
- Data Protection Officer (DPO): the natural person, company, public or private body, association or other body to which the Data Controller entrusts, even outside its organizational structure, specific and defined tasks of management and control of data processing. The designation of a DPO is mandatory:
- if the processing is carried out by a public authority or a public body;
- if the main activities of the controller or processor consist of processing operations that require the regular and systematic monitoring of data subjects on a large scale;
- if the main activities of the controller or processor consist of the large-scale processing of special categories of data or personal data relating to criminal convictions and criminal offences. The mandatory designation of a DPO may also be provided for in additional cases under national law or EU law. If a DPO is appointed on a voluntary basis, the same requirements apply (in terms of criteria for appointment, position and tasks) as for DPOs whose designation is mandatory (Art. 37 GDPR).
- Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or interconnection, restriction, erasure or destruction;
- Consent of the data subject: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she signifies his or her consent, by a statement or by an unambiguous affirmative action, to the processing of personal data relating to him or her;
- Personal data breach: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
- Anonymization: irreversible de-identification of personal data in such a way that the data subject cannot be identified, with reasonable time, cost and technology, by the Data Controller or by any other person. Data protection principles therefore do not apply to anonymous information, i.e. information that does not relate to an identified or identifiable natural person;
- Pseudonymization: the processing of personal data in such a way that personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is stored separately and subject to technical and organizational measures designed to ensure that such personal data is not attributed to an identified or identifiable natural person. Pseudonymisation reduces, but does not completely eliminate, the possibility of linking personal data to the data subject. Since pseudonymised data is still personal data, the processing of pseudonymised data should comply with the principles of personal data processing;
- Cross-border processing: processing of personal data that takes place in the context of the activities of establishments in more than one Member State of a Data Controller or DP in the Union where the Data Controller or DP is established in more than one Member State; or the processing of personal data that takes place in the context of the activities of a single establishment of a Data Controller or DP in the Union, but which affects or is likely to substantially affect data subjects in more than one Member State;
- Supervisory Authority: the independent public authority established by a Member State pursuant to Article 51 of the GDPR; for Italy it is the Italian Data Protection Authority (Garante per la protezione dei dati personali, GARANTE), with registered office at Piazza di Monte Citorio n. 121, 00186 Roma; website: www.garanteprivacy.it (gpdp.it); e-mail: garante@gpdp.it; fax: (+39) 06.69677.3785; telephone switchboard: (+39) 06.69677.1.
- PRINCIPLES APPLICABLE TO DATA PROCESSING
The principles applicable to data protection outline the responsibilities of organizations in the management of personal data. The Data Controller is responsible for compliance with the principles, and must be able to prove it.
Lawfulness, fairness and transparency
Personal data must be processed in a lawful, fair and transparent manner with regard to the data subject. Processing is lawful only if and to the extent that at least ONE of the following conditions is met:
- The data subject has given consent for one or more specific purposes;
- The processing is necessary for the performance of a contract to which the data subject is a party;
- The processing is necessary for compliance with a legal obligation of the controller;
- The processing is necessary for the protection of the vital interests of the data subject;
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of the powers vested in the controller;
- The processing is necessary for the purposes of the legitimate interest of the controller.
Purpose Limitation
Personal data must be collected for specified, explicit and legitimate purposes, and subsequently processed in a way that is not incompatible with those purposes.
Data minimization
Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. The company should apply anonymization or pseudonymization to personal data, if possible, to reduce the risk to data subjects.
Accuracy
Personal data must be accurate and, if necessary, kept up to date; all reasonable steps must be taken to promptly erase or rectify data that is inaccurate in relation to the purposes for which it is processed.
Limitation of the retention period
The data must be stored in a form that allows the identification of the data subjects for a period of time not exceeding the achievement of the purposes for which they are processed.
Integrity and confidentiality
Taking into account available technologies and other security measures, the costs of implementation, and the likelihood and severity of risks to personal data, the Company has put in place technical and organizational measures to ensure an adequate level of security for personal data, including protection against accidental or unlawful destruction, loss, unauthorized modification, disclosure or access.
Accountability
The Data Controller is responsible for compliance with the principles described above and must be able to demonstrate this through the correct application and observance of this policy.
- PRINCIPLES OF DATA PROTECTION IN BUSINESS ACTIVITIES
The Company has implemented the principles of data protection in its privacy management system, ensuring regulatory compliance in the various operational phases, from collection to processing.
Notification to data subjects
(See the chapter Guidelines on Proper Handling.)
Data Subject’s Choice and Consent
(See the chapter Guidelines on Proper Handling.)
Collection
The Company’s goal is to adopt and continuously improve its organizational and operational processes so as to collect as little personal data as possible. If personal data is collected by a third party, the Controller must ensure that the personal data has been lawfully collected.
Manual of the Privacy Organizational Model pursuant to Regulation (EU) 2016/679, Rev. 01 of 14/09/2018, DOCUMENT FOR INTERNAL USE, Pag. 13 of 44
Use, Storage and Disposal
The purposes, methods, limits on recording and retention period of personal data must be consistent with the information contained in the Privacy Policy. The Company must maintain the accuracy, integrity, confidentiality and relevance of the personal data according to the purpose of the processing. It must use appropriate security mechanisms designed to protect personal data from theft and misuse and to prevent personal data breaches. The Data Controller is responsible for compliance with the requirements listed in this section.
Disclosure to third parties
Whenever the Company uses a third-party vendor or business partner to process personal data on its behalf, it must obtain assurances that the third party provides security measures to safeguard personal data that are appropriate to the associated risks (e.g. inappropriate use of personal data, unauthorized disclosure, etc.). The Company undertakes to contractually require the supplier or business partner to provide an adequate level of data protection (GDPR-NRET Form, Appointment of External Data Processor). Suppliers or business partners must only process personal data to fulfil their contractual obligations to the Company or on the instructions of the Company, and not for any other purpose. When the Company processes personal data jointly with an independent third party, it must explicitly specify its own responsibilities and those of the third party in the relevant contract or in any other legally binding document.
Cross-border transfer of personal data
The Company does not carry out transfers of personal data abroad. Should a transfer become necessary, appropriate safeguards must be put in place before transferring personal data outside the European Economic Area (EEA), including the signing of a data transfer agreement as required by the European Union and, if necessary, the authorization of the relevant Data Protection Authority.
Right of access by data subjects
The company is responsible for providing data subjects with a reasonable access mechanism to enable them to access their personal data and must enable them to update, rectify, erase or transmit their personal data, where appropriate or required by law. The access mechanism will be further detailed in the Data Subject Access Request Procedure.
Data portability
Data subjects have the right to receive, upon request and free of charge, a copy of the data they have provided to the Company in a structured format, and to transmit this data to another Data Controller. The Company is responsible for ensuring that such requests are processed within one month, that they are not excessive, and that fulfilling them does not adversely affect the rights of other data subjects.
Right to be forgotten
Upon request, data subjects have the right to obtain from the Company the erasure of their personal data if one of the following reasons exists:
- The personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
- The data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;
- The data subject objects to the processing and there are no overriding legitimate grounds for proceeding with the processing;
- The personal data has been unlawfully processed;
- Personal data must be erased to comply with a legal obligation.
- GUIDELINES ON PROPER HANDLING
Personal data must be processed only if explicitly authorized by the Data Controller. The Data Controller determines whether to perform the Data Protection Impact Assessment for each data processing activity according to the Data Protection Impact Assessment Guidelines.
Communications to data subjects
At the time of collection, or prior to the collection of personal data for any type of processing activity (including, but not limited to, the sale of products or services or marketing activities), the Data Controller is responsible for adequately informing data subjects of the following:
- the identity and contact details of the Data Controller;
- if appointed, the identity and contact details of the Data Protection Officer (DPO);
- methods and purposes of data processing;
- legal basis for data processing;
- categories of recipients;
- potential data transfers (if any);
- the retention period;
- the rights of the data subject with regard to his or her personal data;
- whether the data will be shared with third parties and the security measures established by the Company to protect personal data;
- the consequences of not consenting to the processing.
This information is provided through the Privacy Policy (GDPR-IC Model for Customers; GDPR-IF for Suppliers). Furthermore, in compliance with the principle of accountability, the Company must obtain confirmation from the data subject that he or she has read and understood the content of the notice, by means of a specific declaration on the data subject’s copy of the notice.
Obtaining consents
Whenever the processing of personal data is based on the consent of the data subject, or on other legitimate grounds, the Data Controller is responsible for:
- storing a record of such consent (by retaining the information form signed by the data subject);
- providing data subjects with options to give consent;
- informing data subjects how the consent given (whenever consent is used as the legal basis for processing) can be revoked at any time, and guaranteeing that it can be.
Where the collection of personal data relates to a child under the age of 16, the Data Controller must ensure that the consent of the holder of parental responsibility is obtained prior to collection, using the specific form.
When a request is made to correct, amend or destroy records of personal data, the Controller must ensure that the request is handled within a reasonable timeframe, and must record the request and keep a record of it.
Personal data should only be processed for the purposes for which it was originally collected. If the Company wishes to process the personal data collected for another purpose, it must obtain the consent of the data subjects in a clear and concise written form. Any such request should state the original purpose for which the data was collected, the new or additional purposes, and the reason for the change of purpose.
Now and in the future, the Data Controller must ensure that collection methods comply with the law, good practice and relevant industry standards. The Data Controller is responsible for creating and maintaining a record of Privacy Policies.
Processing of special categories of personal data
It is forbidden to process personal data that reveals:
- race;
- ethnicity;
- political opinions;
- religious beliefs;
- philosophical beliefs;
- trade union membership;
- genetic data;
- biometric data;
- health-related data;
- a person’s sex life;
- sexual orientation.
Exceptions:
- the data subject has given his/her explicit consent;
- processing is necessary for the fulfilment of the obligations and the exercise of the specific rights of the controller or the data subject in the field of labour and social security law and social protection, insofar as it is authorised by Union or Member State law or by a collective agreement under the law of the Member States, in the presence of appropriate safeguards for the fundamental rights and interests of the data subject;
- processing is necessary for the protection of a vital interest of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
- the processing is carried out, within the framework of its legitimate activities and with appropriate safeguards, by a foundation, association or other non-profit body that pursues political, philosophical, religious or trade union purposes, provided that the processing concerns only members, former members or persons who have regular contact with the foundation, association or body by reason of its purposes, and that the personal data are not disclosed externally without the consent of the data subject;
- the personal data are manifestly made public by the data subject;
- processing is necessary for the establishment, exercise or defence of legal claims, or whenever courts are acting in their judicial capacity;
- processing is necessary for reasons of important public interest on the basis of Union or Member State law, which must be proportionate to the aim pursued, respect the essence of the right to data protection and provide for appropriate and specific measures to protect the fundamental rights and interests of the data subject;
- the processing is necessary for the purposes of preventive or occupational medicine, assessment of the employee’s ability to work, diagnosis, health or social care or treatment, or management of health or social systems and services on the basis of Union or Member State law or in accordance with a contract with a health professional;
- the processing is necessary for reasons of public interest in the field of public health, such as protection against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and of medicinal products and medical devices, on the basis of Union or Member State law providing for appropriate and specific measures to protect the rights and freedoms of the data subject, in particular professional secrecy;
- processing is necessary for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes.
The lawfulness of the processing is a prerequisite.
- REQUIREMENTS FOR THE PROCESSING OF EMPLOYEES’ PERSONAL DATA
Any processing of employees’ personal data by departments and individuals within the Company must be for a legitimate purpose and must meet the following requirements.
Communication to employees
For the purposes of transparency in the processing of employees’ personal data, when a department or individual within the Company collects an employee’s personal data, the employee must be informed of the types of data collected, the purposes and types of processing, the employee’s rights, and the security measures taken to protect the personal data. This information is provided through a specific information notice on the processing of personal data (GDPR-ID Form).
Communication to candidates
The same transparency guaranteed for the processing of employees’ personal data is also ensured for the collection of a candidate’s personal data during the interview phase for a possible recruitment. The candidate must be informed of the types of data collected, the purposes and types of processing, his or her rights, and the security measures taken to protect the personal data. This information is provided through a specific information notice on the processing of personal data (GDPR-ICL Form).
Employee Choice and Consent
In principle, the Company may process employees’ personal data for legitimate purposes as an employer and may generally do so without obtaining the employee’s consent, to improve the efficiency of internal operations. Security and human resource management activities such as interviews, hiring, termination of employment, attendance, compensation and benefits, employee services, occupational health and safety may involve the processing of sensitive personal data.
Collection
Company departments and individuals must collect employees’ personal data for legitimate purposes and must comply with the principle of Data Minimization. If a job applicant’s or employee’s personal data is collected by a third party (e.g. temporary employment agencies), the Company must make reasonable efforts to ensure that this third party obtains the personal data by lawful means. No company department or individual may collect the personal data of candidates or employees in a manner that is inconsistent with the law or business ethics.
Use, Storage and Disposal
Company departments and individuals must use, store and dispose of employees’ personal data in a manner consistent with the information notice given to the employee. They must also ensure its accuracy, integrity and relevance. The Company has put in place appropriate security measures to protect employees’ personal data from accidental or unlawful destruction, loss, modification, unauthorized access or disclosure, in accordance with the information security policy and other documents describing data security. Company departments and individuals must not unlawfully destroy or modify employees’ personal data, and must not unlawfully or without authorization access, sell or provide employees’ personal data to any third party. In the course of business operations, the Data Controller will decide whether employees’ personal data will be processed in the following ways to minimize the risk to data protection: employees’ personal data may be anonymized for the purpose of irreversible de-identification, or the data may be aggregated into statistical or research results. (The Principles of Processing Personal Data do not apply to anonymized data and aggregated data, as it is not personal data.)
Disclosure to third parties
When business departments and individuals need to disclose employees’ personal data to a vendor, business partner, or third party, they must seek to ensure that the vendor, business partner, or other third party provides security measures to safeguard employees’ personal data that are appropriate to the associated risks. They should also require the third party to provide the same level of data protection that they provide to the Company by contract or other agreement (GDPR-NRET Form). In addition, when company departments and individuals disclose employees’ personal data in response to a request from law enforcement or a judicial authority, they must first notify the Data Protection Officer (DPO) who is authorized by the Company to make a coordinated effort to handle the request.
Cross-border transfer of employees’ personal data
We do not make cross-border data transfers, but if it is necessary to do so, company departments and individuals should consult the Data Protection Officer (DPO) or Data Controller to determine whether the cross-border transfer is necessary and lawful before transferring personal data.
Employee access
Company departments must provide reasonable means for employees to access personal data held about them and allow employees to update, correct, delete, or transmit their personal data if necessary or required by law. When responding to an employee’s access request, company departments may not provide any personal data until they have verified the employee’s identity. The company must ensure that it knows the identity of the person making the request before it can send the personal data to the person.
Responsibility
The Human Resources Department is responsible for managing the protection of employees’ personal data.
- BUSINESS ORGANIZATION
The GDPR introduces new organizational obligations. The Company is responsible for ensuring that personal data is properly processed by anyone who works for or with the Company and has access to the personal data it processes; to this end, the Company is implementing its own Privacy organization chart.
In the absence of a specific document relating to the Privacy organization chart, and until it is issued, the Data Controller will be the Company’s Legal Manager.
The main areas of responsibility can be identified in the following organizational roles:
- The Data Controller makes decisions and approves the Company’s general strategies regarding the protection of personal data. This role is held by the pro-tempore legal representative.
- The Data Protection Officer (DPO) is responsible for managing the personal data protection program and for developing and promoting personal data protection policies from start to finish, as defined in the Data Protection Officer Role Description.
- The System Administrator is responsible for ensuring that all systems, services and equipment used for data recording meet acceptable security standards, and for conducting regular audits and scans to ensure that security hardware and software are working properly.
- Internal Audit is responsible for internal audits aimed at verifying compliance with procedures and policies on the protection of personal data.
- Authorised Persons are the employees formally authorised by the Data Controller to carry out processing operations.
- GENERAL OBLIGATIONS
Records of processing activities
The Data Controller shall keep a record of processing activities containing the following information:
- contact details of the Data Controller and, where applicable, of the Joint Data Controller and the Data Protection Officer;
- purpose of the processing;
- categories of data subjects;
- categories of personal data processed;
- categories of recipients to whom the personal data have been or will be disclosed;
- where applicable, transfers of personal data to a third country or an international organisation;
- where possible, the deadlines for the deletion of the different categories of data;
- where possible, a general description of the technical and organisational security measures.
Responding to Personal Data Breach Incidents
When the Company becomes aware of an alleged or actual personal data breach, the Data Controller assisted by the DPO must perform an internal investigation and take appropriate corrective action in a timely manner, according to the Data Breach Response and Communication Procedure.
Audit & Accountability
Internal Audit is responsible for verifying how the company’s departments implement this policy. Any employee who violates this Policy will be subject to disciplinary action and may also be subject to civil or criminal liability if their conduct violates any law or regulation.
Conflicts with the Law
This policy is intended to comply with the laws and regulations of the place of establishment and the countries in which the Company operates.