PRIVACY POLICY

(Pursuant to Regulation EU 2016/679 - GDPR and D.Lgs. 196/2003 as amended by D.Lgs. no. 101 of 10 August 2018)

1. PURPOSE

This privacy policy describes the organisational model adopted by this company when processing data as Data Controller or as DPO, to ensure the correct management of consent acquisition and of the prevention and protection of personal data. It therefore describes the types of data subjects, the types of data processed, the actions taken as Data Controller and as Data Processor, the management of authorised people, the management of appointed data processors, and how all prevention and protection tools are applied (see Art. 32 of EU Regulation 2016/679-GDPR). All processing activities carried out (defined in Art. 4 of the GDPR) are executed according to the principles dictated by Art. 5 (lawfulness, fairness and transparency) and are listed in the respective sheet of the processing register (see general folder). Furthermore, the data must be adequate and relevant, and their processing must be limited to the time strictly necessary, as indicated in the specific information notice (e.g., customer or employee information notice, see the respective operational folders). This document also explains the importance of the census and identification of all archives, both paper (e.g., cabinets, drawers) and electronic (e.g., websites, individual PCs, local servers, cloud, databases managed on the software house's servers, email accounts). For both kinds of archive, all documentation has been divided into 8 folders: 1 general and 7 operational.

2. POLICY ON PREVENTING AND PROTECTING ARCHIVES AS DATA CONTROLLER

2.1. Prevention

Our prevention and protection policy provides that the personal data processed and archived are reviewed once a year, to protect them in relation to the. The 3 prevention measures adopted by this company are:

2.1.1 Training - the first step is to train, periodically, all the individuals involved in data processing.

2.1.2 Minimisation - all the controller's staff (e.g., authorised people) are trained to store only the data strictly necessary for the purpose for which they are processed.

2.1.3 Pseudonymisation (where technically and legally possible) - all the controller's staff (e.g., authorised people) are trained to encode personal data, paper or electronic, so that they cannot be related to a specific individual without additional information. In practice, 2 archives are created: one with the identification data (e.g., name and surname) and its assigned code, and the other with the more sensitive data, such as particular data (e.g., health data), in which only the code created in the first archive is transcribed. These 2 archives (the one containing the code and the identification data, and the one containing the particular data linked to the code only) are stored in separate rooms that only a limited number of people can enter.

2.2. Protection

The 7 protection measures chosen by the company in relation to the risk level are:

2.2.1 Controlled and limited access - the number of authorised people accessing the data is reduced.

2.2.2 Locked doors - the rooms in the building where the more sensitive data are kept are isolated.

2.2.3 Window grates (on the lower floors) - the risk of theft by malicious people is reduced.

2.2.4 Alarm system - the risk of break-in by malicious people outside working hours is reduced.

2.2.5 Video surveillance - it is possible to monitor the people who access paper or electronic archives.

2.2.6 Fire protection devices - the probability of damage to archives in the event of a fire is reduced.

2.2.7 Lockable cabinets and chests of drawers - in this way, the more sensitive data are further protected.

For specific protection measures relating to workplaces, see the general package.

2.3. Paper-based archives

For paper-based archives, depending on the level of risk, the data controller chooses to apply, under their own responsibility, some or all of the prevention and protection measures listed above. However, the following protection measures are always applied: 1) lockable cabinets and drawers; 2) closed doors for the more sensitive data; 3) fire protection devices; 4) controlled and limited access. In cases considered to carry a higher risk, the remaining security measures listed above are also implemented.

2.4. Electronic archives

The same prevention and protection policy applied to paper archives applies to electronic archives located on hardware devices (e.g., smartphones, PCs, local servers). Below, for each type of archive, the prevention and protection measures implemented in addition to those described above are illustrated.

2.4.1. Website. For the archives of the websites, prevention takes place through data minimisation: only name, telephone, email and province are stored when information is requested, while surname, tax code and address are also archived when products are sold and shipped to the customer (with prior consent). Protection takes place through the use of the HTTPS protocol, the annual analysis of the site, and the letter of appointment as authorised person or data processor to the person who manages the site and the server on which the site resides, with the relevant declaration of compliance with the GDPR. Each section of the site carries the information notices containing all the technical specifications, with the relevant specific flags for each purpose, always leaving the possibility to give or deny consent (e.g., cookie policy, contact collection information). In particular, regarding the management of cookies, the cookie policy has been uploaded to the site and made available to visitors, and the cookie banner has been implemented so that the visitor can choose, before starting to browse, which cookies to consent to. The consents to all information notices are stored and made available to the supervisory authority (also in paper format where possible). Whenever the data subject enters their data on the website to request information, register or make purchases, they must consent to the purposes of the specific information notice; in addition, the system automatically sends a verification email that the data subject must validate to access the requested service. Only after validation does the data controller provide the requested service and simultaneously store the personal data of the data subject. In this way, the data controller can process, and therefore store, personal data with a greater guarantee that it was the data subject who requested the service on the website.
The policy to be implemented, where possible, is to delegate a single provider both to the management of the website (database) and to that of the server on which the site relies, for which the provider will be appointed both system administrator and data processor.

2.4.2. PC. Prevention measures are mainly based on the training of the authorised persons using these devices. Among the security measures that may be taken are: 1) PC analysis carried out at least once a year; 2) a different account for each user, well distinguished from the administrator account; 3) use of a firewall; 4) use of antivirus; 5) password access, with the password replaced every 3 months and consisting of at least 8 alphanumeric characters including special characters; 6) access by fingerprint, iris recognition or smart card; 7) encryption of the hard disk through the operating system; 8) screensaver with password request on PC reactivation; 9) disabling of USB ports to prevent viruses and data theft; 10) updating of the operating system; 11) appointment of a properly trained system administrator to manage and protect individual PCs; 12) backup (see the company backup policy document).

2.4.3. Smartphone/tablet. Prevention measures are mainly based on the training of the authorised persons using such devices. Among the security measures that may be taken are: 1) password access, with the password replaced every 3 months and consisting of at least 8 alphanumeric characters including special characters; 2) updating of the operating system; 3) use of antivirus; 4) encryption of the devices; 5) backup.

2.4.4. Individual management software (with database). At the prevention level, both minimisation and pseudonymisation are implemented where technically and legally possible. Among the protection measures that may be taken are: 1) use of a robust access password, different from that of the PC; 2) logs that track access to the program; 3) use of two-factor authentication where sensitive data are processed. When management systems are used as data controller, the policy is to obtain at least once a year a declaration of responsibility on the maintenance of GDPR compliance from the software house. In addition, the software house is appointed data processor, as it stores data on behalf of the data controller. If the data are stored on the local server, the protection measures implemented are those described for individual PCs and local servers; if the local server is managed by an external provider, the latter is appointed data processor. If the management systems are operated by this company under a service offered to the data controller, this company, as data processor (software house), implements all the prevention measures described in paragraph 2 and all the information that may be provided by the Data Controller.

2.4.5. Local servers. The security measures, in addition to those implemented for PCs, are: 1) use of hardware firewalls; 2) logs tracking access; 3) password access, with the password replaced every 3 months and consisting of at least 10 alphanumeric characters including special characters; 4) use of only one administrator account, while providing a fallback in the event of the unexpected absence of the administrator; 5) automated updating of the operating system; 6) appointment of a properly trained system administrator for the management and protection of local servers; 7) encryption of the hard disk; 8) periodic backups.

2.4.6. Remote server. In this case, the policy is to obtain at least once a year a statement of responsibility on the maintenance of GDPR compliance from the company that manages the server, which is also appointed data processor as it stores data on behalf of the data controller.

2.4.7. Individual email accounts. In terms of prevention, this company relies on the training of authorised persons, minimisation and, preferably, pseudonymisation for files containing personal data. In terms of protection, files containing personal data received and sent via email can be password protected or encrypted and saved to a folder located on the server (local or cloud), avoiding saving them on the individual device.

3. MAIN TASKS AS CONTROLLER

Regarding the website, our company acts as data controller. The main tasks are: 1) understand precisely the purposes of the processing to be communicated to the data subject; 2) inform the data subject and obtain consent for the specific purposes through the information notice, which must state the data processed, their destination, the data subject's rights, and the contact details of the data controller and of the DPO (if appointed); 3) train, every year, all the people who handle data (e.g., authorised people, data processors), so that data are protected in the right way; 4) draw up all the necessary documents (e.g., information notices, DPIA, processing registers); 5) verify, periodically, the protection of personal data (assisted by the DPO where appointed).

3.1 MAIN TYPES OF USERS

The types of data subjects managed by the Data Controller are: 1) potential customer YES ☒ NO ☐; 2) customer YES ☒ NO ☐; 3) potential employee (curriculum) YES ☐ NO ☒; 4) employee YES ☒ NO ☐; 5) supplier (only if a sole trader) YES ☐ NO ☒.

3.2. TYPE OF IDENTIFICATION DATA PROCESSED (data retention times are those reported on the information)

These are the most frequently requested data and the ones that can cause the least damage from a privacy point of view. For these data, the data controller uses a medium-high level of protection, based on prevention (e.g., pseudonymisation if necessary) and protection measures (e.g., locking drawers, hard disk encryption) specified in more detail in point 2 of this policy and described in the relevant DPIA (if drawn up) and in the processing register. The identification data processed as data controller with the data subject's consent are: 1) name YES ☒ NO ☐; 2) surname YES ☒ NO ☐; 3) date of birth YES ☒ NO ☐; 4) place of birth YES ☒ NO ☐; 5) tax code YES ☒ NO ☐; 6) address YES ☒ NO ☐; 7) IBAN YES ☒ NO ☐; 8) credentials YES ☒ NO ☐; 9) YES ☒ NO ☐; 10) YES ☒ NO ☐; 11) YES ☐ NO ☒; 12) YES ☐ NO ☒.

3.3. TYPE OF PARTICULAR DATA PROCESSED (data retention times are those reported on the information)

Their protection is of utmost importance because their violation could have strong impacts on the person. For this reason, the level of protection of these data is high and is based on more restrictive prevention and protection measures, of which pseudonymisation is the most implemented and necessary (see point 2 of this document, the relevant DPIA and the processing register). The particular data processed are: 1) racial or ethnic origin YES ☐ NO ☒; 2) political opinions YES ☐ NO ☒; 3) religious beliefs YES ☐ NO ☒; 4) union membership YES ☐ NO ☒; 5) genetic data (e.g., DNA) YES ☐ NO ☒; 6) biometric data (e.g., dental records) YES ☐ NO ☒; 7) health data YES ☐ NO ☒; 8) sexual orientation YES ☐ NO ☒.

3.4. TYPE OF JUDICIAL DATA PROCESSED (data retention times are those reported in the information)

These data may reveal the existence of certain judicial measures subject to registration in the criminal record (for example, final convictions, probation, prohibition or obligation of residence, alternative measures to detention) or the status of accused or suspected person. This company does not process judicial data in any way unless they are relevant to assessing the moral fitness of those who intend to participate in tenders, in compliance with the provisions of procurement law; in this case the legal bases of the processing are Art. 10 of EU Regulation 2016/679 and Art. 2-octies, paragraphs 1 and 3, letter i), of D.Lgs. 196/03, as amended by D.Lgs. 101/2018. In these cases, the data are processed only on paper and, since the protection of such data is of utmost importance because their breach could have strong impacts on the person, more restrictive prevention and protection measures such as lockable drawers and cabinets and access limited to duly trained personnel are implemented (see point 2 of this document, the relevant DPIA and the processing register). In the cases described above, the judicial data processed as data controller with prior consent are: 1) criminal convictions YES ☐ NO ☒; 2) crimes YES ☐ NO ☒; 3) criminal record YES ☐ NO ☒; 4) pending charges YES ☐ NO ☒.

3.5. TYPE OF PROFILING CARRIED OUT (data retention times are those reported on the information)

Profiling is any form of automated processing of personal data that uses such data to evaluate, analyse or predict certain aspects relating to a natural person. The aspects evaluated with consent (profiling) by the data controller are listed below and marked "YES": 1) professional performance YES ☐ NO ☒; 2) economic situation YES ☐ NO ☒; 3) health YES ☐ NO ☒; 4) interests YES ☐ NO ☒; 5) personal preferences YES ☐ NO ☒; 6) financial reliability YES ☐ NO ☒; 7) behaviour YES ☐ NO ☒; 8) location/travel YES ☐ NO ☒. Their protection is of utmost importance because their violation could have strong impacts on the natural person. At the prevention level, pseudonymisation is the most implemented and necessary measure (where legally and technically possible). The level of protection in this case is very high, with even more restrictive measures (see point 2 of this document, the relevant DPIA and the processing register).

4. MAIN TASKS AS PROCESSOR

For all those processing operations in which this company processes and stores data on behalf of a Data Controller, it acts as Data Processor, whose obligations are governed by the appointment document described in point 5.2. Since the same prevention and protection policy is implemented both as Data Controller and as Data Processor, the processing is carried out with the same prevention and protection measures (see point 2) and the contents of the documents drawn up (DPIA, processing register, appointments and data breach management) are the same; only the nature of the data subjects changes (customers and employees in the case of Data Controller, users in the case of Data Processor). The Data Processor may appoint second-level data processors upon authorisation of the Data Controller.

4.1. TYPES OF USERS

The main types of data subjects managed as data processor are: 1) potential customer account YES ☐ NO ☒; 2) customer account YES ☐ NO ☒; 3) potential customer employee YES ☐ NO ☒; 4) customer employee YES ☒ NO ☐; 5) supplier employee YES ☐ NO ☒; 6) customer supplier YES ☐ NO ☒.

4.2. TYPES OF IDENTIFICATION DATA PROCESSED (data retention times are those reported on the information)

The data processed as data processor are: 1) name YES ☒ NO ☐; 2) surname YES ☒ NO ☐; 3) date of birth YES ☐ NO ☒; 4) place of birth YES ☐ NO ☒; 5) tax code YES ☐ NO ☒; 6) address YES ☐ NO ☒; 7) IBAN YES ☐ NO ☒; 8) login details YES ☒ NO ☐; 9) telephone number YES ☒ NO ☐; 10) email YES ☒ NO ☐; 11) economic data YES ☐ NO ☒; 12) financial data YES ☐ NO ☒; 13) images YES ☒ NO ☐; 14) IP address YES ☒ NO ☐.

4.3. TYPES OF PARTICULAR DATA PROCESSED (data retention times are those reported on the engagement letter)

The data processed as data processor are: 1) racial or ethnic origin YES ☐ NO ☒; 2) political opinions YES ☐ NO ☒; 3) religious beliefs YES ☐ NO ☒; 4) union membership YES ☐ NO ☒; 5) genetic data (e.g., DNA) YES ☐ NO ☒; 6) biometric data (e.g., dental records) YES ☐ NO ☒; 7) health data YES ☒ NO ☐; 8) sexuality YES ☐ NO ☒.

4.4. TYPES OF JUDICIAL DATA PROCESSED (data retention times are those reported on the engagement letter)

The data processed as data processor are: 1) criminal convictions YES ☐ NO ☒; 2) crimes YES ☐ NO ☒; 3) criminal record YES ☐ NO ☒; 4) pending charges YES ☐ NO ☒.

4.5. TYPE OF PROFILING CARRIED OUT (data retention times are those reported on the engagement letter)

The aspects evaluated (profiling, with prior consent) as data processor are listed below and marked "YES": 1) professional performance YES ☐ NO ☒; 2) economic situation YES ☐ NO ☒; 3) health YES ☐ NO ☒; 4) interests YES ☐ NO ☒; 5) personal preferences YES ☐ NO ☒; 6) financial reliability YES ☐ NO ☒; 7) behaviour YES ☐ NO ☐; 8) location/travel YES ☒ NO ☐.

5. COMPLIANCE

5.1. APPOINTMENT OF AUTHORISED PERSONS

The authorised people are the people within the company who are properly instructed to process personal data on the basis of a specific assignment given by the data controller (e.g., employees or VAT-registered collaborators). Each person is trained and made aware of data protection, and receives and signs the appointment document detailing the instructions given by the controller to protect the data they process on behalf of the controller.

5.2. APPOINTMENT OF DATA PROCESSORS

This company, when it processes data as data controller, appoints all the processors who process and store personal data on its behalf (e.g., the accountant) and instructs them on how to process personal data. If a processor needs to appoint additional sub-processors (second level), this company assesses the feasibility case by case. If this company processes data on behalf of a data controller, it is appointed Data Processor. As data processor, if authorised by the controller, it may appoint second-level data processors, who in turn may appoint third-level data processors (if further authorised). This company, as first-level processor, still retains full responsibility towards the data controller for the fulfilment of the sub-processors' obligations. The appointment document (both when issued as controller and when received as processor) is always in writing and describes the categories of personal data processed, the nature, purpose and duration of the processing, and the controller's instructions to the processor.

5.3. APPOINTMENT OF THE DATA PROTECTION OFFICER (DPO/RPD)

The DPO is a figure who must be designated by the data controller to perform support or control functions, as well as advisory, training and information functions relating to the application of the GDPR. The company, in relation to the processing carried out and in accordance with the principle of accountability, has decided to appoint its data protection officer by a specific written contract; the DPO's contact details are indicated in the relevant box at the bottom of this document.

5.4. DPIA (Data Protection Impact Assessment)

The DPIA is a document drawn up by the data controller or the data processor with the aim of assessing the risk (harm), showing the prevention and protection measures, and describing the data flow with the respective recipients. The policy, both as data controller and as data processor, is to draw up all the DPIAs set out in Annex 1 of Measure no. 467 of 11 October 2018 of the Garante (the Italian Data Protection Authority) and also to draw up those not expressly indicated in Annex 1 but deemed necessary for the greater protection of the data subject (see general package). The DPIAs drawn up are therefore the following: 1) payroll management YES ☒ NO ☐; 2) personnel selection management YES ☒ NO ☐; 3) video surveillance management YES ☐ NO ☒; 4) geolocation management YES ☒ NO ☐; 5) medical records management YES ☐ NO ☒; 6) professional skills questionnaire management YES ☐ NO ☒; 7) judicial data management YES ☐ NO ☒.

5.5. REGISTER OF PROCESSING ACTIVITIES

Art. 30 of the GDPR provides, among the main obligations of the data controller and of the data processor, the maintenance of the register of processing activities (e.g., companies with more than 250 employees, processing of particular data). The register has been drawn up both as Data Controller and as Data Processor, and the drafting and periodic review of this document provide an updated picture of the processing in place within this organisation. For each type of processing, a sheet has been drawn up describing the contact details of the DPO and of the Data Controller, of the data processors (as data controller) or of the sub-processors (as data processor), the recipients and any joint controllers. In addition, the data retention times, the security measures and the description of the electronic and paper archives are reported. The activities carried out and listed in the register are: 1) contact collection management YES ☒ NO ☐; 2) switchboard management YES ☒ NO ☐; 3) staff selection management YES ☒ NO ☐; 4) professional aptitude questionnaire management YES ☐ NO ☒; 5) payslip management YES ☒ NO ☐; 6) medical examination management YES ☒ NO ☐; 7) training management YES ☒ NO ☐; 8) estimate/contract management YES ☒ NO ☐; 9) billing management YES ☒ NO ☐; 10) medical records management YES ☐ NO ☒; 11) credit recovery management YES ☒ NO ☐; 12) business systems and accounts management YES ☒ NO ☐; 13) video surveillance management YES ☐ NO ☒; 14) geolocation management YES ☒ NO ☐; 15) measurement device management YES ☐ NO ☒.

5.6. DATA SUBJECT’S RIGHTS MANAGEMENT

This company, when it is the data controller, adopts precise procedures to provide the data subject with all the communications referred to in Articles 15 to 22 of the GDPR relating to the rights of the data subject, which are expressly indicated in the information notices drawn up and submitted to the data subject. In particular, as regards the right to be forgotten (Art. 17 GDPR), on receipt of a request from a data subject the procedure provides for the following steps: 1) check whether the requesting person is actually present in the company's own archives or in those of its data processors; 2) send an erasure form to the data subject, with verification of the data subject's identity (as indicated in Recital 64 of the GDPR); 3) erase the data subject's data from the company's archives, encoding the erasure request (anonymisation), and request erasure from all data processors that store the data; 4) verify the effective erasure of the data by the data processors and communicate the erasure to the data subject, delivering the erasure request code; 5) at this point no personal data of the data subject exist any longer, other than an anonymous erasure code.
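As an added illustration (not part of this policy or the company's systems), the two-archive pseudonymisation described in point 2.1.3 and the erasure steps listed above can be modelled as follows; the class name, the processor list and the sample record are constructed for the example.

```python
"""Added illustration: two-archive pseudonymisation (point 2.1.3) and the
right-to-be-forgotten erasure steps (point 5.6). Not the company's code;
all names and sample data below are constructed for the example."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Archives:
    # Archive 1: identification data, keyed by an opaque random code.
    identity: dict = field(default_factory=dict)
    # Archive 2: particular data (e.g. health), keyed by that code only.
    # On its own it cannot be linked to a person.
    sensitive: dict = field(default_factory=dict)
    # Codes held by each appointed data processor (constructed model).
    processors: dict = field(default_factory=dict)
    # Erasure register: only anonymous erasure codes survive here.
    erasures: list = field(default_factory=list)

    def register(self, name, surname, health, shared_with=()):
        """Store one data subject split across the two archives."""
        # Random code, not derived from identity data, so the sensitive
        # archive alone reveals nothing about who the record belongs to.
        code = secrets.token_hex(8)
        self.identity[code] = {"name": name, "surname": surname}
        self.sensitive[code] = {"health": health}
        for processor in shared_with:
            self.processors.setdefault(processor, set()).add(code)
        return code

    def find_codes(self, name, surname):
        """Step 1: check whether the requesting person is actually present."""
        return [code for code, rec in self.identity.items()
                if rec["name"] == name and rec["surname"] == surname]

    def holders(self, code):
        """Processors that still store this code (checked in step 4)."""
        return sorted(p for p, held in self.processors.items() if code in held)

    def erase(self, code):
        """Steps 3-5: delete from both archives and from every processor,
        verify, and return an anonymous erasure code for the data subject."""
        if code not in self.identity:
            raise KeyError("no record for this code")
        del self.identity[code]
        self.sensitive.pop(code, None)
        for held in self.processors.values():
            held.discard(code)
        # Step 4: verify that no processor still holds the data.
        if self.holders(code):
            raise RuntimeError("a processor still holds the data")
        # Step 5: only this code remains; it is independent of the old code
        # and of the identity data, so it cannot be linked back to the person.
        erasure_code = secrets.token_hex(8)
        self.erasures.append(erasure_code)
        return erasure_code


def demo():
    """Walk one constructed record through registration and erasure."""
    archives = Archives()
    code = archives.register("Mario", "Rossi", "allergy", shared_with=["accountant"])
    assert set(archives.sensitive[code]) == {"health"}  # no identity fields
    erasure_code = archives.erase(archives.find_codes("Mario", "Rossi")[0])
    return archives, code, erasure_code
```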

5.7. DATA BREACH

The term "data breach" means a security breach that leads, accidentally or unlawfully, to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, both as data controller and as data processor. To avoid data breach events, all the prevention and protection strategies described in the previous paragraphs of this document are applied, both to processing carried out as data controller and to processing carried out as data processor. When this company processes data as data controller, in the event of a data breach involving, in particular, sensitive data, 72 hours are required to make the communication to the Garante and to the data subject. For the management of a possible data breach, the documents drawn up are: 1) alert procedure; 2) internal breach register; 3) data breach communication form for the data subject; 4) data breach communication form for the Data Protection Authority. When the company processes data as data processor, in the event of a data breach it informs the data controller without undue delay and cooperates with the data controller within the scope of its competence.

6. EXPLANATORY NOTES

As Data Controller, the data processed are only identification data (e.g., name, surname, telephone number, email, etc.), and their processing takes place for the purpose of managing the contractual relationship between the parties. As data processor, the relationship is between the supplier (aGesic srl) and the client (employer), and the data processed are identification data (e.g., name, surname, telephone number, email address, etc.), particular data relating to health (only when the alert is activated) and geolocation data (the retention time of the position log is 24 hours). These data are provided through the aGesic app, available for mobile devices, and the Dashboard (the platform available through the website www.agesic.com). Specifically, the data that aGesic srl processes as data processor, in addition to those listed in Section 4 of this document, are: username, password, and access to phone data (GPS, files, SMS, sensors, microphone, camera, Bluetooth). If the application triggers the alarm during its operation, the radius of action of the people who must intervene can be set by the employer depending on the perimeter and the type of construction site/workplace.



DATA SUBJECT’S RIGHTS MANAGEMENT

aGesic s.r.l.s.
Lionello Matteucci 82 - 02100 Rieti (RI)
C.F./P.IVA 01135860573 -
Tel: 0746-257060
PEC: agesic@arubapec.it



DPO'S DATA

DPO Srls
Via Cantalupo 1/A 02100 Rieti
Tel. 0746/484287 -
PEC: dpo@arubapec.it
Referente: Sig. Giuseppe Langellotti







Copyright Giuseppe Langellotti Rev 1.5