INTRODUCTION
The protection of personal data processed within Roncadin Spa (company subject to management and coordination by KANADA Srl) is a major commitment. The entry into force of Reg. 679/16, the ‘General Data Protection Regulation’ (GDPR), represented an opportunity to make adjustments to the activities conducted by the company, bringing them more closely in line with the principles of transparency and the protection of personal data, in accordance with the rights and fundamental freedoms of all the data subjects, whether employees, agents, customers, subscribers, users or suppliers. The company has thus implemented a ‘privacy organisational model’ (POM), a general outline of which is illustrated here, aimed at analysing all data processing operations, organising them in functional fashion and managing them securely and transparently. This section of the website also contains information about the rights of the data subject and the procedures for exercising them vis-à-vis the Data Controller.
CONTENTS
- 1 - GDPR PRIVACY ORGANISATIONAL MODEL
- 1.1 - PARTIES
- 1.2 - RISK ANALYSIS AND MEASURES TO PREVENT PRIVACY RISKS
- 2 - TRANSPARENCY AND RIGHTS OF THE DATA SUBJECT
- 2.1 - RIGHTS CONCERNING THE PROTECTION OF PERSONAL DATA
- 2.2 - EXERCISING RIGHTS
- 2.3 - FORM
1.1 - PARTIES
DATA CONTROLLER
The Data Controller is
- RONCADIN SpA (hereinafter also referred to as the “DATA CONTROLLER”)
- registered office: Via Monteli, 3 - 33092 Meduno (PN)
- contact: +39 0427 844111
- VAT registration no.: 01610130930
The information is also provided in accordance with art. 7 of Italian Legislative Decree 70/03 ‘Implementation of Directive 2000/31/EC on certain legal aspects of information society services in the internal market, in particular electronic commerce’.
The DATA CONTROLLER has decided to appoint a Data Protection Officer (DPO) in accordance with art. 37 of Reg. 679/16, who will act in conjunction with the internal ‘privacy’ team, a body formed of legal, organisational and IT experts. The DPO is the legal firm of Paolo Vicenzotto, domiciled at the DATA CONTROLLER, and may be contacted for any requirement related to the processing of the personal data of all the data subjects.
The POM requires each employee/agent of the DATA CONTROLLER to process only the data essential for his/her specific duties, according to the internal organisation and, above all, the purposes indicated and proposed to the data subject (so-called ‘purpose limitation and data minimisation’ principle, art. 5 paragraph 1, letters B and C of Reg. 679/16). Therefore, the data will be segmented into corresponding ‘Data processing’ areas, with the employees/agents assigned to each area restricted to a specific aspect of the processing operations. To this end, by design, the information system is also composed of ‘self-contained compartments’. Employees/agents may access from their workstation only the data essential for carrying out the duties assigned to them. Appointment to specific areas of processing is made through the Record of Processing Activities, an internal document which identifies the exact scope of the processing and confers the relevant authorisations on the employees assigned to that area. Employees/agents shall also have received internal regulations on the use of computer equipment and rules of conduct, including ethics, with regard to all the information accessed through the performance of specific duties.
In order to ensure effective alignment with personal data processing guidelines, the DATA CONTROLLER provides frequent training and refresher courses to employees/agents who process personal data as part of their duties.
The DATA CONTROLLER uses advanced information systems to manage and organise its activities. For this reason, focusing on the development of software and the use and security of data have always formed the basis of the DATA CONTROLLER’s primary activities. Persons inside the company with ‘administrator’ privileges are specifically appointed and trained. Any other external specialised companies that access company data are specifically appointed as External Data Processors or External System Administrators in accordance with art. 28 of Reg. 679/16.
The providers of external IT services are chosen with particular focus on professionalism, not only technical but also in terms of respect and protection of data, preferably ISO 27001 certified companies.
EXTERNAL DATA PROCESSORS (art. 28 of Reg. 679/16)
In principle, the DATA CONTROLLER manages all processing activities internally. Any activities involving data processing that are outsourced to third parties are logged in the Record of Processing Activities and noted in the individual briefings. In these cases, the relationship with the third party is governed through an ‘External Data Processor’ contract, in accordance with art. 28 of Reg. 679/16.
1.2 - RISK ANALYSIS AND MEASURES TO PREVENT PRIVACY RISKS
According to accountability principles, it is the responsibility of the DATA CONTROLLER to implement a series of measures (organisational, physical, legal, technical and IT-related) to prevent the risk of infringing the rights and personal freedoms of the data subjects. In order to achieve this objective, constant analysis is conducted of the risks, according to the processing operations, instruments used, and type and quantity of data processed.
The PRIVACY ORGANISATIONAL MODEL (POM) provides for careful and constant analysis of risks for the processing of personal data, identified for each activity or service provided through a Record of Processing Activities in accordance with art. 30 paragraph 1 of Reg. 679/16.
The Record of Processing Activities of the POM is an operating instrument which contains additional elements compared with those stipulated by art. 30 of Reg. 679/16, since it allows an initial risk analysis for the rights and freedoms of the data subjects to be conducted for each processing operation (PRE-DPIA). Following analysis of the processing activities carried out by the Data Controller, the conclusion is that there are currently no activities posing a risk that requires a specific impact assessment in accordance with art. 35 of Reg. 679/16 (DPIA).
The analysis of IT risks, of the company’s hardware and software infrastructure and of the IT adjustment measures was conducted both by our System Administrators with suitable tools and check-lists (e.g. AgID circular 2/2017) and by a specialised external company, which conducted an in-depth audit including a security test. The results of the investigation enabled our technicians to further improve the measures protecting against cyber-attacks and threats, gradually and in proportion to the risk to the rights and freedoms of the data subjects.
The measures (organisational, physical, legal, technical and IT-related) planned and implemented to tackle the privacy risks of the data subject are illustrated in the relevant section in the ‘Record of Processing Activities’ and the associated electronic annexes.
2 - TRANSPARENCY AND RIGHTS OF THE DATA SUBJECT
2.1 - RIGHTS CONCERNING THE PROTECTION OF PERSONAL DATA
The DATA CONTROLLER believes it is essential to inform the data subjects of the existence of certain rights concerning the protection of personal data, listed below.
The data subject is entitled to be informed of how the DATA CONTROLLER processes his/her personal data, for what purposes, and of the other information stipulated by art. 13 of Reg. 679/16. To this end, the DATA CONTROLLER has prepared organisational processes which enable, upon the acquisition or request of personal data, the issuing of a briefing template created on an ad hoc basis, depending on the category to which the data subject belongs (employee, customer, supplier, etc.). This document provides adequate information to all parties to whom the data refer concerning how the processing is conducted by the DATA CONTROLLER. The briefing template may be obtained by submitting a request to the DATA CONTROLLER. In any case, the DPO shall provide any further explanation required concerning the content of this right and the procedures for exercising it.
You are entitled to withdraw your consent at any time for any processing where the prerequisite for legitimacy is your consent. Withdrawal of consent will not jeopardise the lawfulness of any previous processing.
You shall have the right to request a) the purposes of the processing; b) the categories of personal data concerned; c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; e) the existence of the right for the data subject to request from the data controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; f) the right to lodge a complaint with a supervisory authority; g) where the personal data are not collected from the data subject, any available information as to their source; h) the existence of an automated decision-making procedure, including profiling, referred to in article 22 paragraphs 1 and 4 and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. You shall have the right to obtain a copy of the personal data undergoing processing.
You shall have the right to obtain the rectification of inaccurate personal data concerning you and to have incomplete personal data completed.
You shall have the right to obtain from the data controller the erasure of personal data concerning you if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, if you withdraw consent, if there are no overriding legitimate grounds for the processing/profiling, if the personal data have been unlawfully processed, if there is a legal obligation to erase them, if the data concern web services for minors without the necessary consent. The data will be erased unless the processing is necessary for exercising the right of freedom of expression and information, the data are kept for compliance with a legal obligation or the performance of a task carried out in the public interest or in the exercise of official authority, for reasons of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes or for the establishment, exercise or defence of legal claims.
You shall have the right to obtain from the data controller restriction of processing where you have contested the accuracy of the personal data (for a period enabling the data controller to verify the accuracy of the personal data) or if the processing is unlawful, but you oppose the erasure of the personal data and request the restriction of their use instead or if they are required for the establishment, exercise or defence of legal claims, while the Data Controller no longer needs them.
You shall have the right to receive the personal data concerning you, which you have provided to the data controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another party, where the processing is based on consent or on a contract and if the processing is carried out by automated means, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority and provided that any such transmission does not adversely affect the rights of others.
Without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes this Regulation.
2.2 - EXERCISING RIGHTS
In order to exercise your rights, you may request information from the DATA CONTROLLER or DPO, or fill in the access form provided below.
2.3 - FORM
The following sets forth a draft document which the data subject should fill in to exercise his/her rights. The form may be sent to the Data Controller, to the addresses shown above, in accordance with the legislation in force.
Form for exercising rights