Privacy Policy

(pursuant to EU Regulation 679/16 – GDPR and Legislative Decree 196/2003 as amended by Legislative Decree 10 August 2018, n. 101)

1. PURPOSE

This privacy policy describes the organizational model adopted when data are processed both as data controller and as data processor, for the purpose of properly managing the acquisition of consent and the prevention and protection of all personal data. It therefore describes the categories of data subjects, the types of data processed, the actions undertaken as Data Controller and as Data Processor, the management of authorized persons, the management of appointed data processors and how all the prevention and protection tools are applied (see Article 32 of EU Reg. 679/16 - GDPR). All processing operations (as defined in Article 4 of the GDPR) are carried out according to the principles established by Article 5 (lawfulness, fairness and transparency) and are listed in the respective entry of the register of processing activities (see general envelope). Furthermore, the data must be adequate and relevant, and their processing must be limited to the time strictly necessary for the purposes indicated in the specific privacy notice (e.g. customer or employee notice; see the related operational envelopes). This document also explains the importance of surveying and identifying all archives, both paper (e.g. cabinets, chests of drawers) and electronic (e.g. websites, individual PCs, local servers, clouds, databases managed on software house servers, email). All privacy documentation archives are kept at the address indicated in "Box A" of this document and in the specific privacy notices.

2. PREVENTION AND PROTECTION POLICY FOR ARCHIVES, BOTH AS DATA CONTROLLER AND AS DATA PROCESSOR

2.1. Prevention

Our prevention and protection policy provides that the location of the personal data processed and stored is checked at least once a year, so that the data can be protected according to the surrounding environment.

The 3 prevention measures adopted by this structure are:

2.1.1. Training - the first step in prevention is to train periodically all the persons involved in data processing.

2.1.2. Minimization - all staff of the data controller (e.g. authorized persons) are trained to store only the data strictly necessary for the purpose for which they are processed.

2.1.3. Pseudonymisation (where technically and legally possible) - all staff of the data controller (e.g. authorized persons) are trained to encode personal data, both on paper and electronically, so that they can no longer be attributed to a specific data subject without the use of additional information. In practice, two archives are created: one containing the identification data (e.g. name and surname) together with the assigned code, and the other containing the more delicate data, such as particular data (e.g. health data), in which only the code created in the first archive is recorded. These two archives (the one containing the code and the identification data, and the one containing the particular data associated only with the code) are stored in separate environments accessible to a limited number of people.
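The split-archive scheme in 2.1.3 can be checked in code: the identification archive and the particular-data archive are two separate stores, each with its own short list of authorized persons, joined only by a random code. The example below is an added illustration and is not part of this policy or of any software the structure uses; the archive names, the actor names ("reception", "clinician", "privacy_officer") and the sample records are constructed. It also shows that re-identification needs access to both archives and that erasing a data subject means removing the code from both.

```python
"""Split-archive pseudonymisation as described in policy section 2.1.3 (constructed example)."""
import secrets
from dataclasses import dataclass, field


class AccessDenied(PermissionError):
    """Raised when an actor is not on an archive's list of authorized persons."""


@dataclass
class Archive:
    """One separately stored archive with its own limited list of authorized persons."""
    name: str
    authorized: frozenset
    records: dict = field(default_factory=dict)

    def _check(self, actor):
        if actor not in self.authorized:
            raise AccessDenied(f"{actor} is not authorized for archive '{self.name}'")

    def put(self, key, value, actor):
        self._check(actor)
        self.records[key] = value

    def get(self, key, actor):
        self._check(actor)
        return self.records[key]

    def delete(self, key, actor):
        self._check(actor)
        return self.records.pop(key, None) is not None


def new_code():
    # The code is random, not derived from name or surname, so it reveals nothing on its own.
    return secrets.token_hex(8)


class PseudonymisedRecords:
    """Coordinates the identification archive and the particular-data archive."""

    def __init__(self, identity_archive, special_archive):
        self.identity = identity_archive
        self.special = special_archive

    def register(self, name, surname, actor):
        """Store identification data with a freshly assigned code; returns the code."""
        code = new_code()
        while code in self.identity.records:  # hypothetical collision guard
            code = new_code()
        self.identity.put(code, {"name": name, "surname": surname}, actor)
        return code

    def record_health(self, code, health_data, actor):
        """Only the code is written next to the particular data (e.g. health data)."""
        self.special.put(code, health_data, actor)

    def re_identify(self, code, actor):
        """Attribution to a person requires the actor to be authorized for both archives."""
        ident = self.identity.get(code, actor)
        health = self.special.get(code, actor)
        return {**ident, "health": health}

    def erase(self, code, actor):
        """Remove the data subject from both archives; reports what was actually removed."""
        return {
            "identity": self.identity.delete(code, actor),
            "special": self.special.delete(code, actor),
        }


def contains_identifiers(archive, name, surname):
    """Audit helper: does the stored content of this archive carry the direct identifiers?"""
    blob = repr(archive.records)
    return name in blob or surname in blob


if __name__ == "__main__":
    # Constructed sample: reception sees identities, the clinician sees health data,
    # and only the privacy officer is on both lists.
    ident = Archive("identification", frozenset({"reception", "privacy_officer"}))
    spec = Archive("particular", frozenset({"clinician", "privacy_officer"}))
    store = PseudonymisedRecords(ident, spec)
    code = store.register("Mario", "Rossi", "reception")
    store.record_health(code, {"diagnosis": "hypertension"}, "clinician")
    print("particular archive carries identifiers:", contains_identifiers(spec, "Mario", "Rossi"))
    print("re-identified by privacy officer:", store.re_identify(code, "privacy_officer"))
    print("erased:", store.erase(code, "privacy_officer"))
```

The `contains_identifiers` check is the kind of audit the policy's periodic review (2.2.7) would run: the archive holding particular data must never contain a name or surname, only codes.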

2.2. Protection

The 7 protective measures that the structure chooses to implement, based on the level of risk, are:

2.2.1. Yes ☒ No ☐ controlled access to archives containing personal data;

2.2.2. Yes ☒ No ☐ access limited to a minimum number of authorized persons;

2.2.3. Yes ☒ No ☐ data stored in rooms with locked doors, cabinets and drawers;

2.2.4. Yes ☐ No ☒ grates on the windows (on the lower floors) to reduce the risk of theft;

2.2.5. Yes ☒ No ☐ alarm system to reduce intrusion by malicious people;

2.2.6. Yes ☒ No ☐ fire protection devices to reduce the probability of damage to the archives;

2.2.7. Yes ☒ No ☐ periodic audit of authorized persons and data processors.

For the specific protective measures relating to the workplace, please refer to the general envelope.

2.3. Paper archives

For paper archives, depending on the level of risk, the data controller chooses to apply, under its own responsibility, some or all of the prevention and protection measures listed above.

2.4. Electronic archives

The same prevention and protection policy implemented for paper archives applies to electronic archives located on hardware devices (e.g. smartphones, PCs, local servers). The additional prevention and protection measures implemented for each type of archive are illustrated below. A preventive measure common to all electronic archives concerns backups, which must be periodic, with one copy kept on a local server and another on a remote server, in locations separate from the database or hard disk, in order to avoid data loss due to extraordinary events (e.g. fires, floods, etc.); for further details see the letter of appointment of the system administrator.

2.4.1. Websites. For website archives, prevention takes place through data minimization: only name, surname, telephone, email and province are stored when information is requested, and the tax code and address are also stored when products are sold and shipped to the customer (subject to consent). Protection takes place through the use of the HTTPS protocol, the annual analysis of the site, and the letter of appointment as authorized person or data processor issued to whoever manages the site and the server on which it resides, together with the related declaration of conformity with the GDPR. For each section of the site, the relevant privacy notices are published, containing all the technical specifications with the corresponding flags for each purpose, always leaving the data subject free to give or deny consent (e.g. cookie notice, contact collection notice, etc.). In particular, as regards cookie management, the cookie notice has been published and made available to visitors on the site, and the cookie banner has been implemented so that visitors can choose, before starting navigation, which cookies to consent to. The consents given for all notices are stored and made available to the supervisory authority. Each consent or refusal must record the date, time, name and surname (or code) of the data subject and the version of the notice in force at the time of acceptance (also in paper format where possible). Whenever data subjects enter their data on the website to request information, register or make purchases, they must consent to the purposes of the specific notice; in addition, the system automatically sends a verification email that the data subject must validate in order to access the requested service (where technically possible).
Only after validation does the data controller provide the requested service and at the same time archive the data subject's personal data. In this way the data controller can process, and therefore store, personal data with a greater guarantee that it was the data subject who requested the service on the site. The policy is to delegate to a single supplier both the management of the website (database) and that of the server on which the site is hosted; this supplier is therefore appointed both as system administrator and as data processor.

2.4.2. PCs. The prevention measures are based mostly on the training of the authorized persons who use these devices. The protection measures adopted are: 1) analysis of the PC at least once a year; 2) a separate account for each user, clearly distinct from the administrator account; 3) use of a firewall; 4) use of antivirus software; 5) an access password, replaced at least every 3 months, of at least 8 alphanumeric characters including special characters; 6) hard disk encryption through the operating system (where necessary); 7) a screensaver that requests the password when the PC is reactivated; 8) disabling of the USB ports to prevent viruses and data theft; 9) operating system updates; 10) appointment of a system administrator adequately trained in the management and protection of individual PCs; 11) backups.

2.4.3. Tablets. The prevention measures are based mostly on the training of the authorized persons who use these devices. The protection measures adopted are: 1) an access password, replaced at least every 3 months and made up of at least 8 alphanumeric characters including special characters; 2) operating system updates; 3) use of antivirus software; 4) device encryption; 5) backups.

2.4.4. Individual management software (with database). In terms of prevention, both minimization and pseudonymisation are implemented where technically and legally possible. The protection measures implemented are: 1) use of a strong access password different from that of the PC; 2) logs tracing accesses to the program; 3) use of two-factor authentication in the case of particularly delicate data. When the management software is used as data controller, the policy is to obtain a declaration of compliance with the GDPR (audit) from the software house at least once a year. Furthermore, the software house is appointed as data processor, since it archives the data on behalf of the data controller. If the data are stored on the local server, the protection measures implemented are those described for individual PCs and local servers; if the local server is managed by an external supplier, the latter is appointed as data processor. If the management software is operated as a service offered to a data controller, this company, as data processor (software house), implements all the prevention and protection measures described in paragraph 2 and all the instructions that may be provided by the Data Controller.

2.4.5. Local servers. The protection measures, in addition to all those implemented for PCs, are: 1) use of a hardware firewall; 2) logs tracing accesses; 3) an access password, replaced at least every 3 months, of at least 8 alphanumeric characters including special characters; 4) use of a single administrator account; 5) operating system updates; 6) appointment of an adequately trained system administrator for the management and protection of local servers; 7) hard disk encryption; 8) periodic backups.

2.4.6. Cloud servers. In this case the policy is to obtain, at least once a year, a declaration of compliance with the GDPR (audit) from the company that manages the server, which is also appointed as data processor since it stores the data on behalf of the data controller.

2.4.7. Individual email accounts. In terms of prevention, the structure relies on the training of authorized persons, on minimization and, preferably, on pseudonymisation for files containing personal data. In terms of protection, files containing personal data received and sent via email may be protected by password or encrypted, and are saved in a folder located on the server (local or cloud), avoiding saving them on a single PC. N.B. Avoid including sensitive data in emails and use pseudonymisation where they must be included.

3. MAIN TASKS AS DATA CONTROLLER

The main duties of the Data Controller are: 1) to understand precisely the purposes of its processing operations, which are to be communicated to the data subject; 2) to inform the data subject and obtain consent for the specific purposes through the privacy notice, which must contain, in addition to the purposes, the types of data processed, the recipients, the rights of data subjects, and the contact details of the data controller and of the DPO (where appointed); 3) to train annually all persons who process data on its behalf (e.g. authorized persons, data processors) so that the data are adequately protected; to this end, specific audits on the correct management of privacy are administered periodically; 4) to draw up all the necessary documents (e.g. privacy notices, DPIAs, registers of processing activities); 5) to verify periodically the protection of personal data (assisted by the DPO where appointed).

3.1. MAIN TYPES OF DATA SUBJECTS

The types of data subjects managed by the Data Controller are marked below:

1) YES ☒ NO ☐ potential customer; 2) YES ☒ NO ☐ customer; 3) YES ☒ NO ☐ potential employee (curriculum)

4) YES ☒ NO ☐ employee; 5) YES ☒ NO ☐ supplier (only if sole proprietorship);

3.2. TYPES OF IDENTIFICATION DATA PROCESSED (data retention times are those indicated in the privacy notice)

These are the most commonly requested data and also those whose breach can cause the least damage from the point of view of privacy. For this type of data, the data controller uses a medium-high level of protection based on prevention measures (e.g. pseudonymisation, if deemed necessary) and protection measures (e.g. locking drawers, hard disk encryption), specified in more detail in point 2 of this policy and described in the related DPIA (where drafted) and in the register of processing activities.

The identification data processed as data controller, with prior consent, are:

1) YES ☒ NO ☐ name; 2) YES ☒ NO ☐ surname; 3) YES ☒ NO ☐ date of birth; 4) YES ☒ NO ☐ place of birth;

5) YES ☒ NO ☐ tax code; 6) YES ☒ NO ☐ address; 7) YES ☒ NO ☐ IBAN; 8) YES ☒ NO ☐ credentials;

9) YES ☒ NO ☐ telephone number; 10) YES ☒ NO ☐ email address; 11) YES ☐ NO ☒ economic data;

12) YES ☐ NO ☒ financial data; 13) YES ☒ NO ☐ pictures; 14) YES ☒ NO ☐ IP address.

3.3. TYPES OF PARTICULAR DATA PROCESSED (data retention times are those indicated in the privacy notice)

Their protection is of the utmost importance because a breach could have a strong impact on the person. For this reason the level of protection of these data is high and is based on more restrictive prevention and protection measures, of which pseudonymisation is the most widely implemented and the most necessary (see point 2 of this document, the related DPIAs and the register of processing activities). The particular data processed as data controller, with prior consent, are:

1) YES ☐ NO ☒ racial or ethnic origin; 2) YES ☐ NO ☒ political opinions; 3) YES ☐ NO ☒ religious convictions;

4) YES ☐ NO ☒ union membership; 5) YES ☐ NO ☒ genetic data (e.g. DNA); 6) YES ☐ NO ☒ biometric data (e.g. dental records); 7) YES ☒ NO ☐ health data; 8) YES ☐ NO ☒ sexual orientation.

3.4. TYPES OF JUDICIAL DATA PROCESSED (data retention times are those indicated in the privacy notice)

These are data that can reveal the existence of certain judicial measures subject to entry in the criminal record (for example, final criminal convictions, conditional release, prohibition or obligation to reside in a given place, alternative measures to detention) or the status of defendant or suspect. This structure does not process judicial data in any way unless they are needed to ascertain the moral suitability requirement of those who intend to participate in tenders, in compliance with the provisions of the procurement legislation; in that case the legal bases of the processing operations are Article 10 of EU Reg. 679/16 and Article 2-octies, paragraphs 1 and 3, letter i), of Legislative Decree 196/03, as amended by Legislative Decree 101/2018. In these cases the data are processed only on paper and, since the protection of such data is of the utmost importance because a breach could have a strong impact on the person, more restrictive prevention and protection measures are implemented, such as locked drawers and cabinets and access limited to duly trained personnel (see point 2 of this document, the related DPIAs and the register of processing activities). In the cases described above, the judicial data processed as data controller, with prior consent, are:

1) YES ☐ NO ☒ criminal convictions; 2) YES ☐ NO ☒ crimes; 3) YES ☐ NO ☒ criminal record; 4) YES ☐ NO ☒ pending charges

3.5. TYPE OF PROFILING CARRIED OUT (data retention times are those indicated in the privacy notice)

Profiling is any form of automated processing of personal data that uses such data to evaluate, analyse or predict certain aspects relating to a natural person. The aspects evaluated (profiling), with prior consent, by the data controller are listed below and marked "YES":

1) YES ☐ NO ☒ Professional performance; 2) YES ☐ NO ☒ Economic situation; 3) YES ☐ NO ☒ Health;

4) YES ☐ NO ☒ Interest; 5) YES ☐ NO ☒ Personal preferences; 6) YES ☐ NO ☒ Reliability;

7) YES ☐ NO ☒ Behaviour; 8) YES ☐ NO ☐ Location/Travel.

Their protection is of the utmost importance because a breach could have a strong impact on the natural person. In terms of prevention, pseudonymisation is the most widely implemented and the most necessary measure (where legally and technically possible). The level of protection in this case is very high, with even more restrictive measures (see point 2 of this document, the related DPIAs and the register of processing activities).

4. MAIN TASKS AS DATA PROCESSOR

For all processing operations in which the structure processes and stores data on behalf of a Data Controller, it acts as Data Processor, whose obligations are governed by the appointment document described in point 5.2. Since the same prevention and protection policy is implemented both as Data Controller and as Data Processor, the processing is carried out with the same prevention and protection measures (see point 2) and the contents of the documents drawn up (DPIA, register of processing activities, appointments and data breach management) are the same; only the nature of the data subjects changes (customers and employees in the case of the data controller, users in the case of the data processor). The Data Processor may appoint a 2nd-level Data Processor with the prior authorization of the Data Controller.

4.1. TYPES OF DATA SUBJECTS (users)

The main types of data subjects managed as data processor are identified below:

1) YES ☐ NO ☒ potential customer of the customer; 2) YES ☐ NO ☒ customer of the customer; 3) YES ☐ NO ☒ potential employee of the customer; 4) YES ☐ NO ☒ employee of the customer; 5) YES ☐ NO ☒ employee of the supplier;

6) YES ☐ NO ☒ supplier of the customer

4.2. TYPES OF IDENTIFICATION DATA PROCESSED (data retention times are those indicated in the letter of appointment)

The data processed as Data Processor are:

1) YES ☐ NO ☒ name; 2) YES ☐ NO ☒ surname; 3) YES ☐ NO ☒ date of birth; 4) YES ☐ NO ☒ place of birth;

5) YES ☐ NO ☐ tax code; 6) YES ☐ NO ☐ address; 7) YES ☐ NO ☒ IBAN; 8) YES ☐ NO ☒ credentials;

9) YES ☐ NO ☒ telephone number; 10) YES ☐ NO ☒ email address; 11) YES ☐ NO ☒ economic data; 12) YES ☐ NO ☒ financial data; 13) YES ☐ NO ☒ images; 14) YES ☐ NO ☒ IP address.

TYPES OF PARTICULAR DATA PROCESSED (data retention times are those indicated in the letter of appointment)

The data processed as Data Processor are:

1) YES ☐ NO ☒ racial or ethnic origin; 2) YES ☐ NO ☒ political opinions; 3) YES ☐ NO ☒ religious convictions;

4) YES ☐ NO ☒ union membership; 5) YES ☐ NO ☒ genetic data (e.g. DNA); 6) YES ☐ NO ☒ biometric data (e.g. dental records); 7) YES ☐ NO ☒ health data; 8) YES ☐ NO ☒ sexual orientation.

4.3. TYPES OF JUDICIAL DATA PROCESSED (data retention times are those indicated in the letter of appointment)

1) YES ☐ NO ☒ criminal convictions; 2) YES ☐ NO ☒ crimes; 3) YES ☐ NO ☒ criminal record; 4) YES ☐ NO ☒ pending charges

4.4. TYPE OF PROFILING CARRIED OUT (data retention times are those indicated in the letter of appointment)

The aspects evaluated (profiling, with prior consent) as Data Processor are listed below and marked "YES":

1) YES ☐ NO ☒ Professional performance; 2) YES ☐ NO ☒ Economic situation; 3) YES ☐ NO ☒ Health;

4) YES ☐ NO ☒ Interest; 5) YES ☐ NO ☒ Personal preferences; 6) YES ☐ NO ☒ Reliability;

7) YES ☐ NO ☒ Behaviour; 8) YES ☐ NO ☒ Location/Travel.

5. OBLIGATIONS

5.1. APPOINTMENT OF AUTHORIZED PERSONS

Authorized persons are the people inside the structure, adequately trained to process personal data on the basis of a specific assignment given by the data controller (e.g. employees or collaborators with a VAT number). Each such person is trained and made aware of data protection, and receives and signs the appointment document, which describes in detail the instructions given by the data controller to protect the data processed on its behalf.

5.2. APPOINTMENT OF DATA PROCESSORS

This structure, when it processes data as Data Controller, appoints all the data processors that process and archive personal data on its behalf (e.g. the accountant) and instructs them on the methods of processing personal data. If a data processor needs to appoint further sub-processors (2nd level), this structure evaluates the feasibility on a case-by-case basis.

If this structure processes data on behalf of a data controller, it is itself appointed as Data Processor. As data processor, if authorized by the data controller, it may appoint 2nd-level data processors, who in turn may appoint 3rd-level data processors (if further authorized). This structure, as 1st-level processor, nevertheless retains full responsibility towards the data controller for the fulfilment of the sub-processors' obligations. The document appointing the data processor (both when issued as data controller and when received as data processor) is always in written form and describes the categories of personal data processed, the nature, purposes and duration of the processing, and the instructions given to the data processor by the data controller.

5.3. APPOINTMENT OF THE DATA PROTECTION OFFICER (DPO/RPD)

The DPO (where required by Article 37 of the GDPR; see Box "B") is a figure who must be designated by the data controller or data processor to perform support and control functions, as well as consultancy, training and information, in relation to the application of the GDPR.

5.4. Data Protection Impact Assessment (DPIA)

The DPIA is a document drawn up by the Data Controller or Data Processor for the purpose of assessing the risk (damage), indicating the prevention and protection measures, and describing the data flow together with the related recipients. The policy, both as Data Controller and as Data Processor, is to draw up all the DPIAs provided for in Annex 1 of Provision no. 467 of 11 October 2018 of the Italian Data Protection Authority (Garante), and also those not expressly indicated in Annex 1 but deemed necessary for the purpose of greater protection of the data subject (see general envelope). The DPIAs, both as Data Controller and as Data Processor, can be consulted in the company in Envelope 5, in the dedicated section.

5.5. REGISTER OF PROCESSING ACTIVITIES

Article 30 of the GDPR includes the keeping of the register of processing activities (e.g. for companies with more than 250 employees or for the processing of particular data) among the main obligations of the data controller and data processor. The register has been drawn up both as Data Controller and as Data Processor, and through the drafting and periodic review of this document an up-to-date picture of the processing operations in place within this organization is provided. For each type of processing, a form has been drawn up describing the contact details of the DPO and of the Data Controller, of the data processors (as data controller), of the sub-processors (as data processor), of the recipients and of any joint controllers. The data retention times, the security measures and the description of the electronic and paper archives are also reported. The registers of processing activities, both as Data Controller and as Data Processor, can be consulted in the company in Envelope 5, in the dedicated section.

5.6. MANAGEMENT OF DATA SUBJECT RIGHTS

This structure, when acting as data controller, adopts precise procedures to provide the data subject with all the communications referred to in Articles 12 to 23 of the GDPR concerning the rights of the data subject, expressly indicated in the privacy notice prepared and delivered to the data subject. In particular, as regards the right to erasure ("right to be forgotten", Article 17 GDPR), on receipt of a request from a data subject the procedure includes the following phases: 1) checking whether data of the person who made the request are actually present in its own archives or in those of its data processors; 2) sending the erasure form to the data subject, with verification of his or her identity (as indicated in Recital 64 of the GDPR); 3) erasing the data subject's data from its own archives, assigning a code to the erasure request and forwarding the erasure request to all data processors that hold the data; 4) verifying that the data have actually been erased by its data processors and communicating the erasure to the data subject, providing the erasure request code.
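The four phases of the erasure procedure above map directly onto a small workflow, shown here as an added example that is not part of this policy or of any system the structure operates. The processor names ("accountant", "payroll"), the subject identifiers and the request-code format "ERASE-…" are constructed for the illustration. The point worth seeing is phase 4: the controller confirms erasure to the data subject only after every processor has verifiably removed the data, so a processor that has not yet acted leaves the request in an "incomplete" state instead of producing a false confirmation.

```python
"""Right-to-erasure workflow following the four phases of policy section 5.6 (constructed example)."""
import secrets
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Processor:
    """A data processor holding records on the controller's behalf (constructed stand-in)."""
    name: str
    records: set = field(default_factory=set)  # identifiers of the data subjects it holds

    def erase(self, subject_id):
        self.records.discard(subject_id)

    def holds(self, subject_id):
        return subject_id in self.records


class UnresponsiveProcessor(Processor):
    """Simulates a processor that has not yet carried out the forwarded erasure request."""

    def erase(self, subject_id):
        pass  # nothing happens, so the verification in phase 4 must catch it


@dataclass
class ErasureOutcome:
    request_code: Optional[str]
    status: str
    pending_processors: List[str]


def handle_erasure_request(subject_id, identity_verified, own_archive, processors):
    """Phase 1: presence check; phase 2: identity verification; phase 3: erasure with a
    request code and forwarding to processors; phase 4: verification before confirming."""
    # Phase 1: is the data subject present in our archives or in any processor's?
    present_here = subject_id in own_archive
    present_at = [p.name for p in processors if p.holds(subject_id)]
    if not present_here and not present_at:
        return ErasureOutcome(None, "no data held", [])

    # Phase 2: the request is acted on only after the requester's identity is verified.
    if not identity_verified:
        return ErasureOutcome(None, "identity verification required", [])

    # Phase 3: assign a code to the request, erase locally, forward to every holding processor.
    code = "ERASE-" + secrets.token_hex(4).upper()
    own_archive.discard(subject_id)
    for p in processors:
        if p.holds(subject_id):
            p.erase(subject_id)

    # Phase 4: verify erasure everywhere; confirm to the data subject only if nothing remains.
    still_holding = [p.name for p in processors if p.holds(subject_id)]
    if still_holding or subject_id in own_archive:
        return ErasureOutcome(code, "erasure incomplete", still_holding)
    return ErasureOutcome(code, "erased", [])


if __name__ == "__main__":
    # Constructed sample data: two subjects, one cooperative and one unresponsive processor.
    own = {"S1", "S2"}
    processors = [Processor("accountant", {"S1"}), UnresponsiveProcessor("payroll", {"S1"})]
    print(handle_erasure_request("S1", True, own, processors))
    print(handle_erasure_request("S2", False, own, processors))
    print(handle_erasure_request("S2", True, own, processors))
```

In practice the "erasure incomplete" outcome is what triggers a follow-up with the processor named in `pending_processors`; the request code issued in phase 3 is the reference quoted in that follow-up and in the final communication to the data subject.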

5.7. DATA BREACH

The term "data breach" means a breach of security that leads, accidentally or unlawfully, to the destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed, both as data controller and as data processor. In order to avoid data breach events, all the prevention and protection strategies described in the previous paragraphs of this document are implemented, both for processing carried out as data controller and as data processor. When the structure processes data as data controller, in the event of a data breach involving particularly sensitive data it has 72 hours to notify the Italian Data Protection Authority (Garante) and the data subject. For the management of a possible data breach, the documents drawn up are: 1) alert procedure; 2) internal register of breaches; 3) template for the data breach communication to the data subject; 4) data breach notification form for the Italian Data Protection Authority. When the structure processes data as data processor, in the event of a data breach it informs the data controller on whose behalf it processes the data without undue delay and cooperates with it as far as it is concerned.

6. EXPLANATORY NOTES

This structure, both as data controller and as data processor, has organized and archived the personal data documentation by preparing special envelopes, each containing an Attachment 0 that lists the documentation contained therein.

In Envelope 1, if the company has websites, all the documents relating to them are organized and archived. For each website, the site analysis and all the privacy notices the site requires (e.g. cookie notice, data collection notice, customer notice, etc.) are prepared and updated periodically.

In Envelope 2, all the privacy documentation needed to manage customer relations is organized and archived. It contains the specific customer privacy notice for each processing operation (e.g. contact collection notice, audio/video notice, etc.). If the customer acts as Data Controller and appoints us as Data Processor, it also contains the appointments for the service we provide (e.g. accountant, employment consultant) and the related processing records.

In Envelope 3, all the privacy documentation needed to manage relations with authorized persons (employees/collaborators) is organized and archived. It contains the privacy instructions for authorized persons, the appointments and privacy notices for each type of processing, and the audits, which are updated at least once a year.

In Envelope 3-bis, all the privacy documentation needed to manage relations with potential employees is organized and archived. It contains a list of all the candidates whose data the company has collected and, for each candidate, the privacy notice provided to them. It also contains the procedures for the correct management of the various types of CVs collected (e.g. CVs delivered on paper, delivered electronically, etc.).

In Envelope 4, all the privacy documentation needed to manage relations with suppliers is organized and archived. It contains the list of suppliers and, for each supplier, the appointment as Data Processor specific to the service offered (e.g. accountant, employment consultant, etc.) and the privacy notice provided to them.

In Envelope 5, all the general corporate privacy management documentation is organized and archived. It contains fundamental documents such as the privacy policies, the appointment of the DPO, the registers of processing activities and the DPIAs drawn up both as data controller and as data processor, the procedures for managing any data breaches or data subject rights requests, and any authorizations for video surveillance and geolocation systems.