PERSONAL DATA SECURITY POLICY OF THE COMPANY
The Policy herein is drawn up in compliance with art. 24, paragraph 2, of Regulation (EU) no. 2016/679 (hereinafter referred to for brevity as the “Regulation”) which governs the aspects concerning the protection of natural persons with regard to the processing of personal data and to their free circulation. The Policy defines:
- the general principles applicable to DELTAFLUID S.a.s. di Pampaloni Vasco & C., in its capacity as personal Data Controller, and the general measures adopted in order to comply with said principles;
- responsibilities and duties of the persons operating on behalf of our company.
The personal Data Processor shall review the Policy, at least annually, and evaluate any changes to be made.
Any changes resulting from:
- organisational changes,
- enactment or amendment of the relevant regulation (e.g. measures by the Privacy Authority)
are approved, on the proposal of the Data Processor, by the Legal Representative.
2. General principles and measures concerning the processing of personal data
The Policy identifies the main measures adopted by DELTAFLUID S.a.s. di Pampaloni Vasco & C. in order to ensure compliance with the general principles contained in the Regulation, with particular regard to:
- lawfulness of the processing;
- rights of data subjects;
- register of processing operations and impact assessment on data protection;
- security of processing;
- management of data breach events.
In this regard DELTAFLUID S.a.s. di Pampaloni Vasco & C.:
- adopts proper processes, tools and controls, which allow full compliance with the general principles on the processing of personal data;
- guarantees adequate information flows to and from the persons in charge and the control and operational structures;
- ensures personnel training activities in the field of personal data protection, in order to guarantee compliance with the applicable law by anyone who performs personal data processing activities within the organisational structure under the authority of the Data Controller.
The processing of personal data of the various categories of data subjects (e.g. customers, employees, suppliers) performed by DELTAFLUID S.a.s. di Pampaloni Vasco & C. is based on the principles below:
- lawfulness, fairness and transparency: personal data are collected and processed in a lawful, fair and transparent manner towards the data subject;
- purpose limitation: personal data are collected and processed for determined, express and legitimate purposes;
- data minimisation: personal data are adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed;
- accuracy: personal data are kept accurate and updated and reasonable measures are taken to promptly delete or rectify inaccurate or outdated data;
- data retention: personal data are stored for a period of time not exceeding that necessary to achieve the purposes for which they were collected;
- integrity and confidentiality: personal data are processed in such a way as to ensure proper security, through the adoption of appropriate technical and organisational measures;
- privacy by design and privacy by default: any aspects concerning the protection of personal data must be taken into consideration right from the design, implementation and configuration stages of all the technologies used for the processing operations. DELTAFLUID S.a.s. di Pampaloni Vasco & C. must process, by default, only those data that are necessary for the pursuit of the purposes of the processing;
- accountability: the processing of personal data is implemented according to the principles above and compliance therewith is properly documented.
2.1. Lawfulness of the processing
The processing of personal data within DELTAFLUID S.a.s. di Pampaloni Vasco & C. can be performed only if based on one or more of the conditions below:
- contract of which the data subject is a party;
- legal obligation to which DELTAFLUID S.a.s. di Pampaloni Vasco & C. is subject;
- protection of the vital interests of the data subject;
- express consent of the data subject;
- pursuit of a legitimate interest of DELTAFLUID S.a.s. di Pampaloni Vasco & C.
2.1.2. Consent request
Where the processing of personal data is based on the consent of the data subject, the consent is obtained by means of a written declaration or, in special cases characterised by lower risk levels, in oral form documented in writing. In case other issues are dealt with in the form used to collect consent, the request for consent shall be presented in a clearly distinguishable manner, in an understandable and easily accessible way, by using clear and simple language so that the will of the data subject can be freely expressed. The consent can be withdrawn at any time and its revocation does not affect the lawfulness of the processing performed up to that moment.
2.1.3. Legitimate interest
In some cases (such as in direct marketing), the procedures of DELTAFLUID S.a.s. di Pampaloni Vasco & C. must envisage that the processing of personal data can be performed in order to pursue a legitimate interest of DELTAFLUID S.a.s. di Pampaloni Vasco & C.
In compliance with the accountability principle, in such cases, the procedures must envisage that the assessment of the proper balancing between the interests of DELTAFLUID S.a.s. di Pampaloni Vasco & C. and the data subject’s rights is adequately documented.
2.1.4. Transfer of the data abroad
The transfer of personal data to a third country (not belonging to the European Union) or to an international organisation can take place without specific authorisations only if the European Commission determined that the third country or the international organisation guarantee an adequate level of protection, according to several aspects (including respect for human rights and fundamental freedoms, the existence and actual functioning of Supervisory Authorities). Failing a decision on adequacy, the company may transfer personal data only if it provided adequate guarantees and only on condition that the data subjects have enforceable rights and effective legal remedies.
2.2. Rights of data subjects
2.2.1. Information on personal data processing
In compliance with the principles of transparency, fairness, purpose limitation and data retention, the procedures must envisage that data subjects, when personal data are collected, are provided with clear information about:
- the identity of the personal Data Controller and Processor;
- the processing characteristics (e.g. purposes and legal basis of the processing, data retention period);
- the rights of the data subject.
Where the data were not obtained from the data subject, the information indicates the source of the personal data and whether the data were obtained from sources lawfully accessible to the public.
2.2.2. Rights of access, rectification, erasure, portability and objection
Procedures must guarantee compliance with the principles of accuracy and data retention, by providing that each data subject has the right to obtain:
- confirmation as to whether or not his/her personal data are being processed and information on the characteristics of the processing (e.g. purposes, categories of personal data, recipients of data communication, rights of the data subject);
- rectification of inaccurate personal data concerning him/her, as well as their integration in case they are incomplete;
- erasure, in case specific circumstances apply, for example in case data are no longer necessary to pursue the purposes for which they were collected, in case the data subject withdrew his/her consent or exercised the right to object to the processing, or in case personal data were unlawfully processed;
- portability of the processed data, in a structured format, commonly used and readable by an automatic device, in case the processing is based on legitimate consent and is performed by automated means;
- termination of data processing if the processing is performed on the basis of the data subject’s consent.
Procedures must envisage that, after each request, the data subject must be provided with the necessary information in a concise, accessible form, by using simple and clear language and within one month (extendable up to two months, in cases of particular complexity), even in case of rejection.
2.3. Register of processing operations, risk analysis, impact assessment and prior consultation
DELTAFLUID S.a.s. di Pampaloni Vasco & C. is required to periodically prepare and update a “Register of processing operations” which identifies the activities performed as Data Controller or Data Processor. The Register provides the mapping of all the processing operations performed and is periodically updated. The Register must be made available to the Supervisory Authority, upon request. The Register provides the basis for guaranteeing compliance with the general principles envisaged by the Regulation.
In order to ensure the integrity and confidentiality of personal data, a risk analysis is performed for each processing operation identified in the Register. Should such analysis reveal that the processing may involve a high level of risk for the data subjects’ rights and freedoms, the procedures must envisage the performance of a data protection impact assessment (hereinafter “DPIA”), after consulting with the Data Processor.
Specifically, the procedures must envisage that, in assessing the need to carry out a DPIA on a specific processing, the following is taken into account:
- the level of risk for the data subjects’ rights and freedoms;
- the existence of an automated processing (including profiling);
- the fact that the processing is performed on a large scale;
- the fact that the processing may involve large-scale systematic monitoring of a publicly accessible area.
2.4. Security of processing
In order to guarantee a security level of the data processing that is appropriate to the risk, the procedures must define technical and organisational measures, considering the state of the art and the implementation costs with respect to the risks of processing and to the nature of the personal data, in compliance with principles of “privacy by design” and “privacy by default”.
These measures may include:
- pseudonymisation and encryption of personal data;
- confidentiality and integrity of the processing systems and services ensured on a permanent basis;
- mechanisms for assessing and evaluating their effectiveness.
Considering the risks involved in the processing, specifically deriving from the destruction, loss or unauthorised modification of personal data, the procedures must define the security measures that can ensure an adequate personal data protection level, by default and on a preventive basis, with respect to the processing of personal data itself.
2.5. Management of data breach events
Also in order to ensure compliance with the principles of integrity and confidentiality of personal data, should an accidental or unlawful security breach be identified, involving the destruction, loss, modification, unauthorised disclosure of data and compromising their confidentiality, availability or integrity, the procedures must ensure, after involvement of the Data Processor, that the event is reported to the Supervisory Authority within 72 hours from the time the breach was detected.
The aforementioned report contains:
- the nature of the breach of personal data including, where possible, the categories and approximate number of data subjects concerned;
- contact details of the Data Processor;
- the likely consequences of the breach;
- the measures implemented, or whose implementation is proposed, in order to remedy the breach and reduce any possible negative effects.
In case the breach is not reported within 72 hours, any causes of the delay must be indicated. Should the breach involve high risks for the data subjects’ rights and freedoms, the procedures must envisage that – after consultation with the Data Processor – the data subjects are provided with information on the breach without undue delay. Such communication is not necessary in case it involves a disproportionate effort or in case appropriate technical and organisational measures were implemented to protect the data (e.g. encryption).
The procedures must establish that:
- the choice of the communication method must consider the data subjects’ possibility to access different formats, and, if necessary, the linguistic diversity of the recipients; and
- each suspected or ascertained breach of personal data must be adequately recorded and documented in the register of breaches, in order to ensure compliance with the principle of accountability.