The protection of personal data represents for Nateeo S.r.l. (hereinafter “Nateeo” or “Company”) an important commitment.
The entry into force of Regulation (EU) 2016/679 “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data” (hereinafter “GDPR”) has provided the opportunity to further adapt the activities carried out by the Company to the principles of transparency and protection of personal data, while respecting the fundamental rights and freedoms of all data subjects, whether they are employees, collaborators, customers, suppliers or third parties interested in receiving information. Nateeo has thus implemented a “Privacy Organizational Model” (PMO) which is described here in its general lines, aimed at analyzing all data processing, organizing them in a functional way and managing them in security and transparency. This section of the site also contains information on the rights of the person concerned and the manner in which they may be exercised by the Data Controller.
1 – GDPR PRIVACY ORGANIZATIONAL MODEL 1.1 – SUBJECTS 1.2 – RISK ANALYSIS AND MEASURES TO PREVENT PRIVACY RISKS 2 – TRANSPARENCY AND RIGHTS OF THE DATA SUBJECT 2.1 – PERSONAL DATA PROTECTION RIGHTS 2.2 – EXERCISE OF RIGHTS 2.3 – FORMS AND INFORMATION
1 – GDPR PRIVACY ORGANIZATIONAL MODEL
1.1 – SUBJECTS
The Data Controller is:
Nateeo S.r.l. (hereinafter also “CONTROLLER”)
Via dell’Innovazione, 1, 36043 – Camisano Vicentino (VI) Tel. +39 0444 419472
Certified E-mail: email@example.com
VAT N. and tax identification code: 03804370249
DATA PROTECTION OFFICER
The Data Protection Officer is TZ&A Studio Associato (hereinafter also referred to as “DPO”) email: firstname.lastname@example.org
Nateeo S.r.l. and other companies of the ‘Cereal Docks Group’ have decided to make use of the option provided for by Art. 37, paragraph 2, of the RGPD to proceed with the shared appointment of the same Personal Data Protection Officer, who acts in synergy with the internal privacy team.
The DPO is based at the Controller and can be contacted for any requirement related to the processing of personal data of all concerned.
The Controller has decided to appoint an internal “Privacy Team” made up of subjects with organizational, technical and IT skills.
The Privacy Team supports the activities of the Controller and the DPO.
AUTHORIZED SUBJECTS TO TREATMENT (ex art. 29 GDPR)
The PMO provides that each employee/collaborator of the DATA CONTROLLER shall process only the data necessary to carry out their duties, in accordance with the internal organization and especially the purposes indicated and proposed to the person concerned (so-called principle of “purpose limitation and minimization of data”, Art. 5, paragraph 1, letter. b) and c) of the GDPR). Therefore, a segmentation of the treatments has been prepared, by homogeneous areas of subjects authorized to the treatment, binding the employees/collaborators in charge of each area to a specific area of treatment. Each authorized person has received specific instructions from the Controller regarding the processing of personal data. To this purpose the information system has been divided into “watertight compartments”. The employee/collaborator will be able to access only the data necessary to carry out his/her duties from his/her computer workstation. Designation to the specific treatment areas is made after careful analysis of the company structure and organization as well as the flow of internal and external data to the Company, and is summarized in a specific internal matrix that precisely identifies the scope of treatment of each area.
The employee/collaborator has also received internal regulations on the use of IT tools and rules of conduct, including ethical ones, on all the information to which he has access by reason of his specific duties.
In order to effectively ensure compliance with the principles on the processing of personal data, the Controller has also provided training and refresher courses on the subject to its employees / collaborators who, by reason of their duties, process personal data.
(INTERNAL AND EXTERNAL) SYSTEM ADMINISTRATORS
The CONTROLLER uses computer systems to manage and organize his business. For this reason, the attention to the construction of the software, the way in which it is used and the security of the data have always been the basis of the activity of the CONTROLLER. Persons with internal “administrator” access are specifically appointed and trained. Other specialized external companies that access company data are also specifically appointed as External Managers and/or External System Administrators pursuant to Art. 28 of the GDPR.
The suppliers of external IT services are chosen with particular attention to their professionalism, which is not limited to their technical knowledge but also include the respect and protection of data, giving priority to certified companies.
DATA PROCESSOR (ex Art. 28 GDPR)
In principle, the CONTROLLER manages almost all treatment activities internally. The cases in which certain activities involving the processing of data on behalf of the CONTROLLER are outsourced to third parties are indicated in the individual information forms. In these cases, the relationship with the third party is regulated by a specific contract for appointment as “Data Processor” pursuant to Art. 28 of the GDPR.
The CONTROLLER shall entrust this processing activity to external parties with sufficient guarantees to put in place adequate technical and organisational measures to meet the requirements of the GDPR and to ensure the protection of data subjects’ rights.
1.2 RISK ANALYSIS AND MEASURES TO PREVENT PRIVACY RISKS According to the principles of the so-called “accountability” the CONTROLLER must implement a series of measures – organisational, physical, legal, technical and IT – aimed at preventing the risk of violation of the rights and personal freedoms of the persons concerned. In order to achieve this objective, a constant risk analysis is carried out, depending on the treatments, the instruments used, the type and the amount of data processed.
REGISTER OF TREATMENTS (ex Art. 30 GDPR) AND ANALYSIS OF THE IMPACT ON THE PROTECTION OF DATA (ex Art. 35 GDPR) The PMO provides for a careful and constant analysis of the risks for the processing of personal data, identified for each activity or service provided through a Register of Treatments pursuant to Art. 30 paragraph 1 of the GDPR.
After analysing the treatment activity carried out by the CONTROLLER, it is considered that to date there are no activities at risk that require a specific impact assessment pursuant to Article 35 of the GDPR (so-called “DPIA”).
The analysis of IT risks and the company’s hardware and software infrastructures and IT adaptation measures was carried out both by our System Administrator with special tools and checklists and by an external company specialising in IT security, which carried out an in-depth audit with security tests. The results of the survey enabled the technicians to further improve their measures to protect against cyber attacks and cyber threats, gradually and in proportion to the risk to the rights and freedoms of the persons concerned.
2 – TRANSPARENCY AND RIGHTS OF THE DATA SUBJECT
2.1 PERSONAL DATA PROTECTION RIGHTS
The DATA CONTROLLER, also herein, considers it essential to inform the interested parties of the existence of certain rights regarding the protection of personal data, listed below.
Right to be informed (transparency in data processing)
You have the right to be informed about how the DATA CONTROLLER processes your personal data, for what purposes and about other information required by Art. 13 of the GDPR. To this purpose, the CONTROLLER has prepared organizational processes that allow, at the time of acquisition or request of personal data, the release of a disclosure model created “ad hoc” according to the category of persons to whom the person concerned belongs (employee, customer, supplier, etc..). This document allows to inform adequately all the subjects to whom the data refer about how the processing is carried out by the Controller. The information form can be requested by sending a specific request to the Controller.
Right of revocation of consent (Art. 13)
You have the right to revoke your consent at any time for all processing operations whose legitimacy is conditional on your consent. The revocation of consent does not affect the lawfulness of the previous processing.
Right of access to data (Art. 15)
You may request a) the purposes of the processing; b) the categories of personal data in question; c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular for recipients from third countries or international organizations; d) where possible, the period of retention of personal data provided for or, if this is not possible, the criteria used to determine that period; e) the existence of the right of the person concerned to request the controller to correct or delete the data or the restriction of the processing of personal data concerning him or to object to their processing; (f) the right to lodge a complaint with a control authority; (g) all available information on the origin of data, if they are not collected from the data subject (h) the existence of an automated decision-making process, including profiling as referred to in Article 22, paragraph 1 and 4, and, at least in such cases, significant information on the logic used, and the importance of and the anticipated consequences of such processing for the data subject. You have the right to request a copy of the personal data being processed.
Right of rectification (art. 16)
You have the right to request the rectification of inaccurate personal data concerning you and to obtain the integration of incomplete personal data.
Right to be forgotten (Article 17)
You have the right to obtain from the data controller the deletion of personal data concerning you if the personal data are no longer necessary for the purposes for which they were collected or otherwise processed, if you withdraw your consent, if there is no overriding legitimate reason to proceed with profiling, if the data were processed unlawfully, if there is a legal obligation to delete them; if the data relate to web services provided to minors without their consent. Cancellation may take place unless the right to freedom of expression and information prevails, unless it is retained for the fulfilment of a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority, for reasons of public interest in the health sector, for the purpose of filing in the public interest, for scientific or historical research or for statistical purposes or for the establishment, exercise or defense of a right in court.
Right to limitation of treatment (Art. 18)
You have the right to obtain from the data controller the restriction of the processing when you have complained about the accuracy of the personal data (for the period necessary for the data controller to verify the accuracy of such personal data) or when the processing is unlawful, but you object to the deletion of personal data and instead request that it be restricted in its use or when the data are necessary for the establishment, exercise or defense of a right in court, while the Controller does not need them anymore.
Right to portability (Article 20)
You have the right to receive in a structured format, commonly used and readable by an automatic device, the personal data that you provide us with and you have the right to transmit them to another Controller if the processing is based on consent, on the contract and if the processing is carried out by automated means, unless the processing is necessary for the performance of a task in the public interest or related to the exercise of official authority and that such transmission does not infringe the right of third parties.
Right of opposition (Article 21)
You have the right at any time to object, in whole or in part, to the processing of your personal data if the processing is carried out for the pursuit of a legitimate interest of the Controller or for direct marketing purposes.
Right to apply to the Guarantor Authority for the protection of personal data (art. 77).
Without prejudice to any other administrative or judicial proceedings, if you consider that the processing operations concerning you are in breach of the Regulation on the protection of personal data, you have the right to lodge a complaint with a control authority, in particular in the Member State where you have your residence, work or the place where the alleged breach has occurred.
2.2 EXERCISE OF RIGHTS For the effective exercise of your rights, you can ask the Controller for information, or fill out the access form that we provide below.
2.3 FORMS AND INFORMATION
1) Below is a draft document to be completed for the exercise of the rights of the data subject. The form can then be sent to the Controller, to the above addresses, in accordance with the regulations in force.
3) Data breach policy: