Privacy Policy
The Company undertakes to comply with applicable laws and regulations relating to the protection of personal data in the countries in which the Company operates. This Policy sets out the basic principles by which the Company treats the personal data of consumers, customers, suppliers, business partners, employees and other persons and indicates the responsibilities of its business departments and employees when processing personal data. This policy applies to the Company and the companies it controls, directly or indirectly, that carry out activities within the European Economic Area (EEA) or that process the personal data of data subjects within the EEA. The recipients of this document are all employees, permanent or temporary, and all collaborators who work on behalf of the Company.

The GDPR lays down rules for the protection of natural persons with regard to the processing of personal data, as well as rules for the free movement of such data (Article 1).

The material scope of the Regulation includes:

Outside the material scope are:

The Regulation applies:

With respect to the Privacy Code (Legislative Decree no. 196 of 30/06/2003), the definition of sensitive data and judicial data has been eliminated; Now we refer to:

The following definitions of terms used in this document are taken from the European Union’s General Data Protection Regulation (GDPR):

The principles applicable to data protection outline the responsibilities of organizations in the management of personal data. The Data Controller is responsible for compliance with the principles, and must be able to prove it.

Lawfulness, fairness and transparency

Personal data must be processed in a lawful, fair and transparent manner with regard to the data subject.
Processing is lawful only if and to the extent that at least ONE of the following conditions is met:

Personal data must be collected for specified, explicit and legitimate purposes, and subsequently processed in a way that is not incompatible with those purposes.

Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. The company should apply anonymization or pseudonymization to personal data, if possible, to reduce the risk to data subjects.

Personal data must be accurate and, if necessary, kept up to date; all reasonable steps must be taken to promptly erase or rectify data that is inaccurate in relation to the purposes for which it is processed.

Limitation of the retention period

The data must be stored in a form that allows the identification of the data subjects for no longer than is necessary to achieve the purposes for which they are processed.

Taking into account available technologies and other security measures, the costs of implementation, and the likelihood and severity of risks to personal data, the Company has put in place technical and organizational measures to ensure an adequate level of security for personal data, including protection against accidental or unlawful destruction, loss, unauthorized modification, disclosure or access.

The Data Controller is responsible for compliance with the principles described above and is able to prove this through the correct application and observation of this policy.

The Company has implemented the principles of data protection in its privacy management system, ensuring regulatory compliance in the various operational phases, from collection to processing. (See the chapter Guidelines on Proper Treatment.)

Data Subject’s Choice and Consent (See the chapter Guidelines on Proper Treatment.)
The Company’s goal is to adopt and constantly improve its organizational and operational processes to collect as little personal data as possible. If personal data is collected by a third party, the controller must ensure that the personal data is lawfully collected.

Manual of the Privacy Organizational Model pursuant to Regulation (EU) 2016/679 Rev. 01 of 14/09/2018 DOCUMENT FOR INTERNAL USE Pag. 13 of 44

The purposes, methods, recording limit and retention period of personal data must be consistent with the information contained in the Privacy Policy. The company must maintain the accuracy, integrity, confidentiality and relevance of the personal data according to the purpose of the processing. You must use appropriate security mechanisms designed to protect personal data, to prevent it from being stolen or misused and to prevent personal data breaches. The Data Controller is responsible for compliance with the requirements listed in this section.

Whenever the Company uses a third-party vendor or business partner to process personal data on its behalf, it is necessary to obtain assurances that the vendor or business partner provides security measures to safeguard personal data appropriate to the associated risks (e.g. inappropriate use of personal data, unauthorized disclosure, etc.). The Company undertakes to contractually require the supplier or business partner to provide an adequate level of data protection (GDPR-NRET Form Appointment of External Data Processor). Suppliers or business partners must only process personal data to fulfil their contractual obligations to the Company or on the instructions of the Company and not for any other purpose. When the Company processes personal data jointly with an independent third party, it must explicitly specify its own responsibilities and those of the third party in the relevant contract or any other legally binding document.
Cross-border transfer of personal data

The Company does not carry out transfers of personal data abroad. However, appropriate safeguards must be used before transferring personal data from the European Economic Area (EEA), including the signing of a data transfer agreement, as required by the European Union, and, if necessary, the authorization of the relevant Data Protection Authority must be obtained.

Right of access by data subjects

The company is responsible for providing data subjects with a reasonable access mechanism to enable them to access their personal data and must enable them to update, rectify, erase or transmit their personal data, where appropriate or required by law. The access mechanism will be further detailed in the Data Subject Access Request Procedure.

Data subjects have the right to receive, upon request, a copy of the data they have provided to us in a structured format and to transmit this data to another Data Controller, free of charge. We are responsible for ensuring that such requests are processed within one month, are not excessive, and do not affect your rights in relation to other people’s personal data.

Upon request, data subjects have the right to obtain from the Company the erasure of their personal data if one of the following reasons exists:

Personal data must be processed only if explicitly authorized by the Data Controller. The Data Controller determines whether to perform the Data Protection Impact Assessment for each data processing activity according to the Data Protection Impact Assessment Guidelines.

Communications to data subjects

At the time of collection or prior to the collection of personal data for any type of processing activity, including but not limited to the sale of products, services or marketing activities, the Data Controller is responsible for adequately informing data subjects of the following:

This information is provided through the Privacy Policy (GDPR-IC Model for Customers; GDPR-IF for Suppliers).
Furthermore, in compliance with the principle of accountability, the company must obtain confirmation from the data subject that he/she has read and understood the content of the information by means of a specific declaration on the copy of the same.

Whenever the processing of personal data is based on the consent of the data subject, or on other legitimate grounds, the Data Controller is responsible for:

Where the collection of personal data relates to a child under the age of 16, the Data Controller must ensure that the consent of the holder of parental responsibility is provided prior to collection using the specific form.

When requesting to correct, amend or destroy records of personal data, the Controller must ensure that such requests are handled within a reasonable timeframe and must also record the requests and keep a record of them.

Personal data should only be processed for the purposes for which it was originally collected. In the event that the Company wishes to process the personal data collected for another purpose, the Company must obtain the consent of the data subjects in a clear and concise written form. Any such request should include the original purpose for which the data was collected and also the new or additional purposes. The request must also include the reason for the change of purpose.

Now and in the future, the Owner must ensure that collection methods comply with the law, good practices and relevant industry standards. The Data Controller is responsible for creating and maintaining a record of Privacy Policies.

Processing of special categories of personal data

It is forbidden to process personal data that reveals:

Exceptions: the data subject has given his/her explicit consent; The lawfulness of the processing is a prerequisite.

Any processing of employees’ personal data by departments and individuals within the Company must be for a legitimate purpose and must meet the following requirements.
For the purposes of transparency in the processing of employees’ personal data, when a department or individual within the Company collects an employee’s personal data, the employee must be informed of the types of data collected, the purposes and types of processing, the employee’s rights, and the security measures taken to protect the personal data. This information is provided by a specific Information on the processing of personal data (GDPR-ID Form). The same transparency guaranteed for the processing of employees’ personal data is also ensured for the collection of a candidate’s personal data during the interview phase for a possible recruitment. The candidate must be informed of the types of data collected, the purposes and types of processing, his rights and the security measures taken to protect the personal data. This information is provided by a specific Information on the processing of personal data (GDPR-ICL form). In principle, the Company may process employees’ personal data for legitimate purposes as an employer and may generally do so without obtaining the employee’s consent, to improve the efficiency of internal operations. Security and human resource management activities such as interviews, hiring, termination of employment, attendance, compensation and benefits, employee services, occupational health and safety may involve the processing of sensitive personal data. Company departments and individuals must collect employees’ personal data for legitimate purposes and must comply with the principle of Data Minimization. If a job applicant’s or employee’s personal data is collected by a third party (e.g. temporary employment agencies), the Company must make reasonable efforts to ensure that this third party obtains the personal data by lawful means. No company department or individual may collect the personal data of candidates or employees in a manner that is inconsistent with the law or business ethics. 
Company departments and individuals must use, store, and dispose of employees’ personal data in a manner consistent with the employee’s communication. They must also ensure its accuracy, integrity, and relevance. The company has put in place appropriate security measures to protect employees’ personal data from accidental or unlawful destruction, loss, modification, unauthorized access or disclosure, in accordance with the information security policy and other documents describing data security. Company departments and individuals must not unlawfully destroy or modify employees’ personal data. You must not unlawfully or without authorization access, sell, or provide Employee Personal Data to any third party.

In the course of business operations, the Data Controller will decide whether employees’ personal data will be processed in the following ways to minimize the risk to data protection: employees’ personal data may be anonymized for the purpose of irreversible de-identification; or the data can be aggregated into statistical or search results. (The Principles of Processing Personal Data do not apply to anonymized data and aggregated data as it is not personal data).

When business departments and individuals need to disclose employees’ personal data to a vendor, business partner, or third party, they must seek to ensure that the vendor, business partner, or other third party provides security measures to safeguard employees’ personal data that are appropriate to the associated risks. They should also require the third party to provide the same level of data protection that they provide to the Company by contract or other agreement (GDPR-NRET Form). In addition, when company departments and individuals disclose employees’ personal data in response to a request from law enforcement or a judicial authority, they must first notify the Data Protection Officer (DPO) who is authorized by the Company to make a coordinated effort to handle the request.
Cross-border transfer of employees’ personal data

We do not make cross-border data transfers, but if it is necessary to do so, company departments and individuals should consult the Data Protection Officer (DPO) or Data Controller to determine whether the cross-border transfer is necessary and lawful before transferring personal data.

Company departments must provide reasonable means for employees to access personal data held about them and allow employees to update, correct, delete, or transmit their personal data if necessary or required by law. When responding to an employee’s access request, company departments may not provide any personal data until they have verified the employee’s identity. The company must ensure that it knows the identity of the person making the request before it can send the personal data to the person. The Human Resources Department is responsible for managing the protection of employees’ personal data.

The GDPR introduces new organizational obligations. Anyone who works for or with the Company and has access to the personal data processed by the Company is responsible for ensuring that personal data is properly processed; to this end, the Company is implementing its own Privacy organization chart. In the absence of a specific document relating to the Privacy organization chart, and until it is issued, the Data Controller will be the company’s Legal Manager.

The main areas of responsibility can be identified in the following organizational roles:

The Data Controller makes decisions and approves the Company’s general strategies regarding the protection of personal data. This role is held by the pro-tempore legal representative.

The Data Protection Officer (DPO) is responsible for managing the personal data protection program and is responsible for developing and promoting personal data protection policies from start to finish, as defined in the Data Protection Officer Role Description.
The System Administrator is responsible for:

Internal Audit is responsible for internal audits aimed at compliance with procedures and policies on the protection of personal data.

Authorised Persons, employees formally authorised to carry out processing operations by the Data Controller.

Records of processing activities

The Data Controller shall keep a record of processing activities containing the following information:

Responding to Personal Data Breach Incidents

When the Company becomes aware of an alleged or actual personal data breach, the Data Controller assisted by the DPO must perform an internal investigation and take appropriate corrective action in a timely manner, according to the Data Breach Response and Communication Procedure.

Internal Audit is responsible for verifying how the company’s departments implement this policy. Any employee who violates this Policy will be subject to disciplinary action and may also be subject to civil or criminal liability if their conduct violates any law or regulation.

This policy is intended to comply with the laws and regulations of the place of establishment and the countries in which the Company operates.
