REGULATION FOR THE PROCESSING OF PERSONAL DATA

Introduction

In light of the approval, dated May 25, 2016, of the new EU Regulation n. 679/2016, which aims to guarantee a uniform and homogeneous discipline on the protection of personal data throughout the European Union; noting that a Community standard constitutes a higher source than a national standard and that, as far as Italy is concerned, it constitutes the reference standard and the parameter of legitimacy for the national legislation in force, and therefore for the Privacy Code (in force since 01 January 2004, Legislative Decree 196/2003, as amended by Legislative Decree 101/2018, in force since 19.09.2018, which adapts Italian legislation to EU Regulation 679/2016); this regulation aims to bring the processing of personal data performed by "Olisails s.r.l." into compliance with the new legislation.

It is clarified that the innovations introduced by the EU Regulation translate into organizational, documentary and technical obligations that all controllers of personal data processing must consider in order to allow the full and conscious application of the new regulatory framework on privacy. For these reasons, this data controller ("Olisails srl", hereafter so called or also, for brevity, the "Owner" or "Olisails") has intended to adopt a general procedure for implementing the Regulation (hereinafter referred to as "GDPR"), in order to comply with the obligations envisaged and to be able to prove compliance with the legislation.

INTRODUCTION

  1. Object
  2. Purpose
  3. Awareness
  4. Data controller
  5. Responsible for the treatment
  6. Internal persons in charge of the treatment
  7. Processed data
  8. Principles applicable to the processing of personal data
  9. The processing of personal data
  10. The processing of "particular" (sensitive) data
  11. The processing of personal data of the company staff
  12. Register of processing activities
  13. Impact assessment on data protection
  14. Informative
  15. Consent to data processing
  16. Rights of the interested party
  17. Exercise of rights by the interested party
  18. Description of the activity - Physical and virtual environments - Video surveillance
  19. Security measures
  20. Staff training
  21. Forms
  22. Liability in case of violation of the Privacy provisions
  23. Communication of the breach of personal data ("Data Breach")
  24. Conclusion


INTRODUCTION

This privacy regulation is a tool for applying Legislative Decree 30 June 2003, n. 196 ("Privacy Code"), as amended and integrated by Legislative Decree 101/2018, and EU Regulation 2016/679 within the organization of the owner "Olisails srl"; it will be periodically updated in line with regulatory and case-law developments and with the decisions and guidance issued by the Privacy Guarantor.

An examination of the matter shows that a change of mentality leading to full protection of privacy is now natural: privacy is to be considered not only as a bureaucratic burden but above all as a guarantee of substantial confidentiality. The policy on the matter, therefore, is to be read both as a means of protecting the rights of the interested parties and as an implementation of correct corporate procedures, considering the delicacy of the underlying interests.

The right to privacy is in fact a true inviolable right of the person, which is not limited to the protection of confidentiality or data protection but extends, instrumentally, to the full realization of other fundamental rights and freedoms.

It should be noted that the owner Olisails s.r.l., even before the new European legislation entered into force, already complied with the provisions in force at the time and had, among other formalities, the related implementation documents (information notices and appointment documents).

Within the framework of the new legislation, as resulting from the entry into force of the EU Regulation and from the harmonization of the Italian Privacy Code by Legislative Decree 101/2018, today's intervention is therefore oriented towards further simplification, intended as a better tool for implementing the regulatory objectives and as a parameter of compliance.

  1. OBJECT

This regulation governs (within the structure of the owner "Olisails srl") the protection of people and other subjects in relation to the processing of personal data, in compliance with and in accordance with the provisions of the new supranational legislation, EU Regulation n. 679 of the European Parliament and of the Council of 27 April 2016, relating to the protection of individuals with regard to the processing of personal data and to the free movement of such data, taking into account Legislative Decree 101/2018.

  2. PURPOSE

The Owner "Olisails s.r.l." guarantees that data processing takes place in compliance with the fundamental rights and freedoms and the dignity of the interested party, with particular reference to confidentiality, personal identity and the right to protection of personal data, regardless of the interested party's nationality or residence.

The protection of individuals with regard to the processing of personal data is a fundamental right: "Everyone has the right to the protection of personal data concerning him" (art. 8, paragraph 1, Charter of Fundamental Rights of the EU).

  3. AWARENESS

The Owner "Olisails s.r.l." supports and promotes internally every awareness tool that can consolidate full respect for the right to privacy and improve the quality of its work: one of the essential tools for raising awareness is the training of staff. To ensure real knowledge of the provisions of this regulation, at the time of hiring each employee is given a copy of this documentation and undertakes to read it and comply with its requirements.

  4. DATA CONTROLLER

In general, the "owner" of the processing of personal data is the natural person, legal entity, public administration or any other entity, association or body responsible for decisions regarding the purposes and methods of processing personal data and the tools used, including the security profile.

"Treatment" (processing) is any operation carried out with or without the aid of electronic instruments concerning the collection, registration, organization, storage, consultation, processing, extraction, use, communication, dissemination, cancellation or destruction of data (GDPR, art. 4).

The owner of the processing of personal data pursuant to and for the purposes of the GDPR is "Olisails s.r.l.", in the person of the pro tempore legal representative, with registered office in Strada delle Saline n. 11, zip code 34015, Muggia, Trieste; C.F. and VAT number 01266590320; web: www.olisails.it; mail: admin@olisails.it; pec: olisails-srl@pec.it; Tel: +39 040/232363; Fax: +39 040/232482.

  5. RESPONSIBLE FOR THE TREATMENT

For the purposes of this regulation, the term "Manager" (data processor) means the natural or legal person, the public administration or any other entity, association or body appointed by the owner to process personal data.

In consideration of the complexity and multiplicity of the Company's functions, the owner designates as personal data processors only those subjects who provide sufficient guarantees to implement adequate technical and organizational measures, so that the processing meets the requirements of these regulations and guarantees the protection of the rights of the interested party (GDPR art. 28).

All external subjects who carry out processing operations on the data of the Owner "Olisails srl", on behalf of and in the interest of the same, for purposes related to the exercise of its functions, are appointed "External Managers" of the processing, provided they possess the requirements of experience, ability and reliability, either for having already operated adequately in previous engagements or for belonging to specific professional categories or being registered in professional registers or rolls.

 

External data processors are required to:

  • Process the data lawfully, correctly and in full compliance with current privacy laws;
  • Respect the security measures and take all measures suitable to prevent and/or avoid the communication or dissemination of data, the risk of destruction or loss (even accidental), unauthorized access, or processing that is unauthorized or not in compliance with the purpose of the collection;
  • Process personal data exclusively for the purposes set out in the contract or required by legal obligations;
  • Follow the instructions given by the data controller.

In the event of non-compliance with the above-mentioned provisions, the external data processor is directly liable to the Company.

 

The designation of the external manager is carried out by means of a "nomination act" by the data controller (Annex 1. - Letter of appointment of the external manager to the processing of personal data) and through any operating instructions included therein, to be attached to the agreements, conventions or contracts that provide for the processing of personal data externally to the Data Controller.

 

Acceptance of the appointment is a necessary condition for the establishment of the legal relationship between the parties.

  6. INTERNAL PERSONS IN CHARGE OF THE TREATMENT

The "Persons in charge" of the processing are the natural persons, direct employees of Olisails s.r.l., responsible for carrying out the personal data processing operations within their competence, with an indication of their tasks, the scope of processing allowed and the methods to be followed. All those who, even occasionally, may find themselves processing personal data on behalf of the Data Controller (for example, collaborators and interns) may also be appointed.

 

Each employee or other subject possibly in charge of a specific service and required to carry out technical processing operations is to be considered "Appointee". The designation of the person in charge of the processing of personal data is the responsibility of the data controller and the appointment is made in writing, so as to promptly identify the tasks due to the person in charge and the methods that must be followed for the performance of the same and the scope of the allowed treatment (Annex 2. - Letter of appointment of the person in charge of the processing of personal data).

 

The appointee operates according to the instructions received and collaborates with the owner by reporting any risk situations in the processing of data and providing any information necessary for the performance of the control functions.

In particular, the appointee must ensure that, during the processing, the data are:

 

  • Treated in a lawful, correct and transparent way towards the interested party;
  • Collected and recorded for specific, explicit and legitimate purposes and, subsequently, treated in a manner compatible with these purposes;
  • Adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed;
  • Accurate and, if necessary, updated: all reasonable measures must be taken to promptly delete or correct inaccurate data with respect to the purposes for which they are processed;
  • Stored in a form that allows the identification of the interested parties for a period of time not exceeding that necessary for the achievement of the purposes;
  • Treated in such a way that adequate data security is guaranteed, including protection by means of appropriate organizational and technical measures, from unauthorized or illegal processing and from loss, destruction or accidental damage.

The appointee is required to maintain complete confidentiality regarding the data of which he became aware in carrying out his activity, undertaking to communicate the data exclusively to the subjects indicated by the owner and only in the cases provided for by law.

Those in charge must receive suitable and detailed instructions, also for homogeneous groups of functions, regarding the activities on the data entrusted to them and the obligations to which they are subject.

| Reference structure            | Activities carried out      | Category of people involved                 | Type of data processed |
|--------------------------------|-----------------------------|---------------------------------------------|------------------------|
| Board of Directors President   | Administrative              | Customers, employees, coworkers, suppliers  | Common/particular      |
| Chief Executive Officer        | Administrative              | Customers, employees, coworkers, suppliers  | Common/particular      |
| Administration and Secretariat | Administrative              | Customers, employees, coworkers, suppliers  | Common/particular      |
| Production                     | Administrative and operative| Customers, coworkers, suppliers, third parties | Common/particular   |


  7. PROCESSED DATA

In the exercise of its functions, the Data Controller processes data, also in an automated way (totally or partially), of the following categories of interested parties:

 

  • Data of employees (and collaborators)
  • Supplier data
  • Directors' data
  • Data of customers, users, third parties.

 

The data that are or can be processed by the owner "Olisails s.r.l." fall into the following categories:

  • Common personal data: any information relating to an identified or identifiable natural person.

  • Sensitive (now "particular") data: personal data suitable for revealing racial and ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, unions, associations or organizations of a religious, philosophical, political or trade union nature, as well as personal data suitable for revealing the health status of the interested party.

| Subjects                                                  | Purpose of the processing                                                                                                       | Common data | Particular data |
|-----------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------|-------------|-----------------|
| Employees, coworkers, administrators, clients             | Work relationship management (economic, insurance and social security management)                                               | X           | X               |
| Suppliers                                                 | Management of the requested supply services and the consequent administrative, accounting and tax obligations                    | X           |                 |
| Customers                                                 | Management of assistance, supply and administration services and the consequent administrative, accounting and tax obligations   | X           |                 |
| External consultants (labor consultant, accountant)       | Consulting and/or service assignments (drafting of pay slips, tax returns, ..)                                                  | X           | X               |


  8. PRINCIPLES APPLICABLE TO THE PROCESSING OF PERSONAL DATA

Personal data are:

  • Processed in a lawful, correct and transparent way towards the interested party;
  • Collected for specific, explicit and legitimate purposes;
  • Adequate, relevant and not exceeding (limited to) what is necessary with respect to the purposes pursued ("data minimization principle");
  • Accurate and, if necessary, updated.

Processing is lawful only if and to the extent that at least one of the following conditions is met (GDPR art. 5 and 6):

  • The interested party has given consent to the processing of their personal data for one or more specific purposes;
  • Processing is necessary for the execution of a contract to which the interested party is a party, or for the execution of pre-contractual measures adopted at the request of the same;
  • Processing is necessary for the protection of the vital interests of the interested party or of another natural person;
  • Processing is necessary for the pursuit of the legitimate interest of the data controller or of third parties, provided that the interests and freedoms of the interested party that require the protection of personal data do not prevail.

 

  9. THE PROCESSING OF PERSONAL DATA

The term "treatment" (processing) means any operation or set of operations, carried out with or without the aid of automated processes, applied to personal data or to sets of personal data, of the types indicated in art. 4 of the GDPR.

Data processing can only be carried out by the owner, the managers (data processors) and the persons in charge. Processing by unauthorized persons is not permitted.

  10. THE PROCESSING OF "PARTICULAR" (SENSITIVE) DATA

The Owner "Olisails s.r.l." may process sensitive data only when the processing is authorized by an express provision of law and in execution of contractual clauses.

In every case of processing of sensitive data, it is necessary to verify, beforehand and during processing, that the data processed are essential for carrying out the permitted activity and that the use of anonymous data would not be sufficient.

This processing must be carried out with methods aimed at preventing the violation of the fundamental rights and freedoms and the dignity of the interested party.

  11. THE PROCESSING OF PERSONAL DATA OF THE COMPANY STAFF

The Owner "Olisails s.r.l." processes the data, including data of a sensitive nature, of its employees for the purposes of establishing and managing employment relationships of any kind.

For the processing of data connected to the management of the employment relationship (or of an internship or other type of relationship) with employees, a specific information notice has been prepared (Annex 3 - Information for the treatment of employee data).

In accordance with the legislation, the Data Controller adopts the utmost caution in the processing of personal information of its employees that is suitable to reveal health status, sexual habits, political, union, religious, philosophical or other convictions, and racial and ethnic origin. The processing of employees' sensitive data must take place according to the principles of necessity and indispensability, which require minimizing the use of personal and sensitive data and, when their use cannot be avoided, processing only the information that proves indispensable for the management of the employment relationship.

The Data Controller respects the principles of necessity and indispensability in the processing of sensitive data relating to the health of its employees.

The Owner Olisails s.r.l. will take care of implementing in its privacy policy the sectoral code of conduct that will be adopted at the initiative of the Guarantor Authority pursuant to the current art. 111 of the Privacy Code (Legislative Decree 196/2003 and subsequent amendments and additions, most recently by Legislative Decree 101/2018).

  12. REGISTER OF PROCESSING ACTIVITIES

The data controller Olisails s.r.l., although not obliged to do so under point 5) of art. 30 of the European Regulation, chooses to establish a register, also in electronic form, of the processing activities carried out under its own responsibility, which it will keep updated.

This register contains the following information:

  • The name and contact details of the data controller;
  • The purposes of the processing;
  • The description of the categories of data subjects and the categories of personal data;
  • The categories of processing carried out;
  • The categories of recipients to whom the personal data are or will be communicated;
  • An indication of the security measures applied;
  • Any transfers of data abroad;
  • An indication of the deadlines for deleting the various categories of data processed.

  13. IMPACT ASSESSMENT ON DATA PROTECTION

The assessment of the impact of the processing on the protection of personal data must be carried out by the owner when a type of processing, given its nature, context and purposes, can present a risk to the rights and freedoms of natural persons.

The assessment must contain at least:

  • A systematic description of the processing envisaged and its purposes, including, where applicable, the legitimate interest pursued by the owner;
  • An assessment of the necessity and proportionality of the processing in relation to the purposes;
  • An assessment of the risks to the rights and freedoms of the data subjects;
  • The measures envisaged to deal with the risks, including guarantees, security measures and mechanisms for data protection, and to demonstrate compliance with this regulation and the legislation in force.

When there are changes in the risk represented by the processing activities, the data controller, if necessary, proceeds to a review of the impact assessment on data protection.

The owner "Olisails s.r.l.", although not obliged to do so under art. 35 of the European Regulation, chooses to draw up and update the impact assessment, combining it in a single document together with the aforementioned Treatment Register, thus pursuing the fundamental choice of simplification underlying the company's entire privacy system.

The Treatment Register and the Impact Assessment form a single unit attached to this regulation.

  14. INFORMATIVE

At the time of personal data collection, the data controller is required to provide the interested party, through the staff in charge, with the required information notice, in writing, using suitable tools:

  • Specific forms to be delivered to the interested parties;
  • Notices easily visible to the public, e.g. through publication on the website.

The information notice contains:

  • The purposes and methods of processing;
  • An indication of whether providing the data is optional;
  • The identity of the owner;
  • The processing of data in special cases;
  • An indication of the rights of the user, patient or customer;
  • The scope of communication and dissemination of the data.

(Annex No. 3: employee/collaborator information; Annex No. 4: supplier information; Annex No. 5: customer information)

  15. CONSENT TO DATA PROCESSING

In the processing of personal or sensitive data carried out for purposes other than the mandatory ones (that is, other than the fulfilment of legal obligations or the execution of contracts), the Data Controller organizes methods to facilitate the expression of consent by the interested party (GDPR art. 81 and 82).

Consent must be given by the interested party by filling in the appropriate form (Annex no. 6 - Form for expressing consent), after delivery and acknowledgment of the specific information notice.

The expression of consent is valid and effective until it is revoked: consent is validly given when it has certain characteristics, namely when it is freely and specifically given with reference to a clearly identified processing and is documented in writing.

The interested party has the right to withdraw consent at any time, with the same ease with which it was given. The withdrawal of consent does not affect the lawfulness of processing based on consent before the revocation.

  16. RIGHTS OF THE INTERESTED PARTY

The "interested party" is the individual, a natural person, to whom the data being processed refer. The owner "Olisails s.r.l." implements any measures necessary to facilitate the exercise of the data subject's rights pursuant to art. 12-22 of the GDPR.

 

To this end, European legislation provides that the interested party has the right to obtain from the data controller:

 

  • Confirmation of the existence or not of personal data concerning him;
  • Origin of the data;
  • Purposes and methods of treatment;
  • The logic applied and the criteria used in the electronic data processing;
  • The identity of the owner and manager;
  • The subjects and categories of subjects to whom the data can be communicated;
  • Data retention period and the criteria used to determine this period;
  • Data communication;
  • Correction, updating or integration of data;
  • Deletion of data ("right to be forgotten");
  • Transformation into anonymous form or block if they are treated in violation of the law;
  • Limitation of treatment pursuant to art. 18, letter a), b), c) and d) of the GDPR;
  • Receiving personal data concerning him in a structured, commonly used and legible format;
  • Proposition of opposition to data processing;
  • Copy of personal data being processed.

Following the entry into force of Legislative Decree 101/18, the Owner, in guaranteeing the exercise of the above rights, must take into account the limits placed on them by art. 2-undecies of the Privacy Code (Legislative Decree 196/2003 and its subsequent amendments and additions); if the Data Controller considers that it must refuse the data subject's request, it must reply to the data subject, explaining the reasons for the refusal and informing him that he may submit the request through the Guarantor.

  17. EXERCISE OF RIGHTS BY THE INTERESTED PARTY

The request for the exercise of the rights referred to in section 16 of this regulation can be sent:

  • Directly by the interested party;
  • Through another natural person or association to which the interested party has conferred a proxy or power of attorney in writing;
  • Through those who exercise parental authority or guardianship.

 

The interested party can submit or send the request to exercise the rights using the forms provided (Annex 7 - Form for the exercise of the rights of the interested party).

 

The subject responsible for evaluating the application is the Data Controller, who decides on the admissibility of the access request.

The request must be acknowledged within 30 days from the date of receipt of the same (except for what is said regarding art. 2 undecies of the Privacy Code).

  18. DESCRIPTION OF THE ACTIVITY - PHYSICAL AND VIRTUAL ENVIRONMENTS - VIDEO SURVEILLANCE

Olisails s.r.l. is a capital company registered in the ordinary section of the Trieste Chamber of Commerce, operating in the sector of the production of sails and products related to boating and leisure, and in any activity instrumental to the same. In consideration of the activity carried out, the data processing carried out by the Data Controller is essentially limited:

  • to its customers and suppliers (natural and legal persons), due to contractual/commercial relationships;
  • to its employees and collaborators, for various reasons connected to the employment relationship, in any case within the strict limits of what is necessary for the fulfillment of specific contractual and/or legal obligations;
  • to its customers, due to the contractual relationship or the specific service that binds them to the company.

 

In the exercise of its functions, the Data Controller therefore processes both common data and particular data (formerly "sensitive data"), the latter only in relation to its employees and collaborators, for the purposes set out above, and, obviously, in relation to customers.

To any third parties (e.g. accountant, employment consultant, lawyer, IT system manager, surveillance company) the Data Controller transmits data for carrying out activities aimed at fulfilling specific legal and/or contractual obligations, by virtue of assignments formally conferred on them in compliance with the provisions of the EU Regulation, attached to this document as reference models.

Olisails s.r.l. has its legal and operational headquarters in Trieste, Muggia, Strada delle Saline n. 11; it is an industrial warehouse built on parcel P.C.N. 126/204 of the Cadastral Municipality (C.C.) of Muggia, of large size and substantially composed of a laboratory/sailmaker area, a sales area, offices and instrumental environments, as per the map attached to this regulation.

Access is protected by a door with a lock, as detailed in the body of the Treatment Register and the associated impact assessment.

Olisails s.r.l. observes the following timetable:

March-October: Monday to Friday, 8.30 a.m. - 1.30 p.m. and 2.30 p.m. - 6.30 p.m.

November-February: Monday to Friday, 8.30 a.m. - 1.30 p.m. and 2.30 p.m. - 5.30 p.m.

The cleaning of the premises is carried out by employees and/or collaborators of the owner. Each of the subjects carrying out these operations is expressly prohibited from consulting/accessing any document, paper archive and/or electronic database. In any case, to guarantee the confidentiality of the data processed, the Owner Olisails srl has appointed each such person as "in charge of the processing" of the data of which he may occasionally or incidentally become aware (simply seeing or reading a datum already constitutes processing).

The Data Controller comes into possession of the data by means of paper communications (letters, faxes, documents transmitted and/or delivered by hand by customers, supplier order estimates, curricula) or by e-mail.

The persons in charge are required to observe a specific internal procedure for the collection of paper data: the data are received only by specific appointed persons, recorded, used for the active processing for which they were collected, and archived for the time required by law.

With regard to data of a particular nature (formerly "sensitive") collected in paper form (e.g. receipts and/or indications of medical expenses, medical certificates, disability, accident, ..), these can only be processed by persons in charge expressly authorized for this purpose.

Once the active processing has been completed, the above-mentioned data are kept in separate archives locked with a key, located in the respective offices, and retained for the time required by law.

Part of the common data collected, both in paper and electronic form, are processed in a specific management program on the server; sensitive data collected in paper form, on the other hand, are not transferred to electronic media but are processed in the paper form in which they were collected and then kept, as noted above, in special locked archives (drawers and/or cabinets) located in the respective offices.

With regard to data received by e-mail, these too can be collected and processed exclusively by those specifically authorized to do so, by virtue of the specific contractual duties assigned to each one.

 

The tools with which data are processed are the following:

Paper:

The paper supports are neatly collected in files (folders) relating to each activity; once the work cycle is over, the aforementioned folders are placed and kept in the company archive consisting of files, variously dedicated, locked; the data are instead destroyed if they are no longer useful or functional to the activity.

The "clean desk" rule is followed.

IT:

The owner's computer network is organized as follows:

  • Computers on the private network

By computers on the private network we mean those accessible by other computers or, more generally, by other electronic tools connected only through proprietary networks, on which only data relating to the company's activities can travel.

The Owner has a network, made up of internal connections, consisting of 2 servers that perform a nightly backup every day onto an external hard disk (2 copies, used alternately). One server is a replica of the main server. The workstations of all the offices and technical rooms are connected to the server (4 PCs in Reception; 4 PCs in the designers' area; 2 PCs in the offices; 6 PCs in the production area), each with its own login credentials.

 

  • Access to the public network

Access to the public network by PCs and servers is regulated by a firewall that excludes any access from the public network to the local network.

Active protection systems:

  • UPS
  • Antivirus and antispam for e-mail accounts

Passive protection systems:

The password system complies with the minimum complexity criteria and passwords are changed according to the cadence required by regulations. The backup system described above is in place. There are also additional IT accessories (printer, fax, scanner).

The WiFi connection does not allow access to third parties without prior authentication. The Company has an Internet site, equipped with the features required by law, which offers privacy information notices that are actually usable by the user.

A video camera operates inside the offices, authorized by the DTL, as detailed in the treatment register.

  19. SECURITY MEASURES

The Data Controller guarantees the application of suitable and preventive security measures that make it possible to minimize the risks of destruction or loss (even accidental) of the data processed, of unauthorized access, and of processing that is not permitted or not in accordance with the purpose of the collection.

 

Security measures include:

 

  • Anonymization and encryption of personal data, where possible;
  • Procedures to ensure the confidentiality, integrity and availability of processing systems and services;
  • Ways to ensure timely restoration of access to personal data in the event of a physical or technical incident.

 

  1. STAFF TRAINING

 

The owner organizes training and refresher courses on the protection of confidentiality and the protection of personal data, aimed at knowledge of the rules, the adoption of suitable behavioral models and processing procedures, knowledge of the security measures for the processing and retention of data, the identified risks, and the ways to prevent damage to the data.

 

  1. FORMS

 

Uniform disclosure models are adopted within the Data Controller structures as per the annexes to this regulation which are periodically updated.

 

  1. LIABILITY IN CASE OF VIOLATION OF THE PRIVACY PROVISIONS

 

Failure to comply with the provisions on the confidentiality of personal data is subject to the penalties provided for by the new legislation; the data controller is liable for the damage caused by its processing that violates this regulation.

The Data Controller is liable for the damage caused by the processing only if it has not fulfilled the obligations set out in this regulation that are specifically directed to it, or has acted differently from or contrary to the legitimate instructions given to it by the owner.

The owner or manager is exempted from liability only if they demonstrate that the harmful event is not attributable to them in any way.

 

  1. COMMUNICATION OF THE BREACH OF PERSONAL DATA (“DATA BREACH”)

 

The communication of the violation of personal data is made by the owner to the Privacy Guarantor within 72 hours of becoming aware of the event.

The notification must:

 

  • Describe the nature of the violation;
  • Describe the likely consequences of the violation;
  • Describe the measures taken or whose adoption is proposed.

 

When the data breach presents a high risk to the rights of individuals, the owner communicates the violation and its nature to the interested party in simple and clear language.

 

  1. CONCLUSIONS

 

For anything not provided for in this regulation, the provisions set forth for the protection of personal data by European Regulation 2016/679 of 27 April 2016 apply, as well as the Privacy Code, as in force on the basis of the changes and additions made by Legislative Decree 101/2018, in force since 19 September 2018.

 

These regulations will be updated following further changes to the current legislation on confidentiality and protection of personal data.

 

ATTACHMENTS

 

Below is a list of the forms prepared for the purpose of adapting to the provisions of this regulation and of the new European legislation in the context of the processing of personal data:

 

  1. Letter of appointment of the external data processor
  2. Appointment of the person in charge of the processing
  3. Information for the processing of data for employees and collaborators
  4. Information for the processing of data for other subjects - suppliers
  5. Information for the processing of data for other subjects - customers
  6. Form for expressing consent
  7. Form for exercising the rights of the interested party
  8. Treatment register and impact assessment


Privacy information document pursuant to and in accordance with art. 13 of EU Reg. 2016/679

 

Olisails srl, based in Muggia (TS), Strada delle Saline 11, as owner of the processing of personal data, provides the following information to its customers as part of its Privacy Policy which, updated and complete, is always available on request. Essentially, this is a clear and brief indication of the reasons, purposes, and limits based on which the Data Controller processes your personal data.

 

Processed data

 

The data being processed relating to Customers and Clients (if they are natural persons or individual companies, given that only these subjects can play the role of "data subjects" pursuant to the legislation) consist of the personal data, contact data and billing data of the subjects involved in commercial relations or the assignment of services. They are obtained and collected in the course of communications for the establishment or execution of a contract, to fulfill legal obligations, and in pursuit of the legitimate interest of the Owner in protecting its rights and managing its commercial network.

 

The data being processed relating to customers can be, in an abstract way, also of a particular nature (for example, of a health type, depending on specific supplies) and are collected and processed for the fulfillment of the contract entered into with the Company.

The data thus collected will be processed for the following purposes:

 

  1. Execution of pre-contractual and contractual measures;
  2. Fulfillment of legal obligations;
  3. After-sales or post-service assistance;
  4. Archiving and conservation;
  5. Providing data.

 

The provision of data, for these purposes, is mandatory for the pursuit of the stated purposes. Refusal to provide personal data in these circumstances would have the effect of preventing the Owner Company from concluding the contract, and if already concluded, from continuing its execution.

 

Method of treatment

 

The processing of the collected data is carried out with manual, IT and telematic tools, also by resorting to third parties specifically appointed as data processors. Automated decision-making (such as profiling) and the dissemination of data are excluded.

 

Categories of recipients. Transfers to third countries or international organizations.

 

The Company may communicate the personal data of the interested parties to its collaborators, employees and suppliers, in the context of their duties and/or any contractual obligations with them concerning commercial relations with you; to legal, administrative and tax consultants who assist the Data Controller in carrying out its activities; to banks for the management of collections and payments deriving from the execution of the contract with the customer; to contractors and/or subcontractors engaged in activities related to the execution of the contract with the Data Controller, as external data processors; to public bodies and/or judicial and/or supervisory authorities, upon their request, as independent data controllers; and to cloud or IT service providers. The personal data of the interested parties will not be transferred to countries outside the European Economic Area.

 

Preservation period

 

The data collected and processed are kept as long as the commercial relations are in force, after which they will be deleted at the end of the ten-year limitation period for rights.

 

Rights of the interested party

 

The natural person to whom the processed data refer has the right to obtain access to, rectification of, or erasure of the data processed, or otherwise to request the restriction of, or object to, the processing, as well as to request the portability of the data provided. The interested party also has the right to lodge a complaint with a supervisory authority such as the Guarantor Authority for the protection of personal data. These rights are exercised by sending a letter to the address of the registered office of Olisails or a PEC (certified e-mail) to the address olisails-srl@pec.it.

 

The updated and complete Privacy Policy is always available at your request.

 

Muggia, November 19th 2019