POLICY ON THE PROTECTION OF PERSONAL DATA
Essemec S.r.l. actively engages in the protection of personal data entrusted, with regard to the management of the data of their employees and their suppliers.
Essemec S.r.l. asks all the companies that cooperate with it that the personal data were handled with the same fairly and lawfully to guarantee their protection.
Essemec S.r.l. is committed to respecting and respecting its employees and external collaborators the principles illustrated in this document.
Essemec S.r.l. in accordance with the principles presented above:
– communicates and disseminates its own policy regarding the protection of personal data;
– shall provide all the necessary information to allow the personal data access and revision from the owner .
– processes personal data:
- in a lawful, correct and transparent manner in line with the constitutional principles and with the legislation in this area;
- only for the time strictly necessary for the planned purposes, including those for complying with legal obligations;
– collects personal data limiting itself to those indispensable to carry out the activities (pertinent and limited personal data);
– processes personal data according to the principles of institutional transparency only for the purposes connected with:
- the employment relationship;
- compliance with legislative and regulatory requirements;
– adopts processes for updating and correcting the personal data processed to ensure that personal data is, as far as possible, correct and up to date;
– it preserves and protects the personal data in its possession with the best possible technologies and undertakes to guarantee continuous updating of its systems.
– Train your staff so that there is a correct use of the personal data collected and there is the correct awareness towards the treatment of the most sensitive data.
– complies with the laws and regulations applicable to the protection of personal data – prevents and minimizes, compatibly with available company resources, the impact of potential violations or unlawful and / or harmful processing of personal data, whether they are violations or treatments of an accidental or malicious nature.
To guarantee the above, the Data Controller of Essemec S.r.l., periodically updates its staff and its systems to ensure better protection and efficiency in the processing of the same. The following policy was brought to the attention of all the individuals who make up the staff of Essemec S.r.l. so that they can actively participate in it.
according to the GDPR 2016/679 with adaptation after the Legislative Decree 101/2018
Dear Mr/ Ms. ……………………………………….. In implementation of EU Regulation 2016/679 (hereinafter « GDPR ») and of Legislative Decree 101/2018, relating to data protection, the company shall provide the following information.
Identity and contact details of the data controller
The Controller is Essemec S.r.l. – Contacts: firstname.lastname@example.org
Purpose of processing and legal basis
Personal data is processed in order to fulfill the obligations deriving from the contractual relationship between Essemec S.r.l. and its customers and suppliers. The provision of data is optional but necessary to provide the service. Refusal to provide the same will not allow provision of the service speciefied in the agreement.
Moreover, personal data , only for marketing pourpouse are processed with the express consent, pursuant to art. 7 GDPR, (submitting via e-mail, post and telephone, newsletters, advertising material and advertising material on products and services offered by the owner, reports the degree of satisfaction with the quality of the services, forwarded by mail, mail and telephone, commercial or promotional services of third parties.) The provision of data for marketing purposes and for further purpouse processing is optional. Failure to provide such data may make it impossible to pursue these additional purposes.
The processing of personal data is carried out, pursuant to art. 4 paragraph 2 GDPR, through the collection, registration, organization, structuring, storage, tailoring or change, extraction , consultation, the use , communication by broadcast dissemination or other form of provision, comparison or interconnection, limitation, cancellation or destruction. Personal data is subject to paper and electronic processing. The processing operations are managed by specially trained and previously appointed personnel or by the Processor. Specific security measures are observed to prevent the loss of data, illicit or incorrect use and access not indicated.
Data retention period
The Data Controller will process your personal data for the time necessary for the aforementioned purposes and in any case for not more than 10 years from the termination of employement for service purposes and for no more than 10 years from the collection for marketing purposes.
As data subject, pursuant to art. 15 GDPR, has the following rights:
– ask the data controller to access personal data and to correct or delete them, or limit the processing of data concerning them or oppose their processing, in addition to the right to data portability;
– to obtain the data in structured format of common use and readable by an automatic device to transmit them to another data controller without impediment from another Controller;
– revoke the consent to the processing, without prejudice to the lawfulness of the processing based on the consent acquired before the revocation;
– make a complaint to the Authority for the Protection of Personal Data.
To exercise these rights, you can send a communication to the Controller at the address of the registered office indicated by registered letter with return receipt or by mail to the address email@example.com
DATA STORAGE POLICY according to the GDPR 2016/679 with adaptation after the Legislative Decree 101/018
1. Applicability, purpose and recipients
This policy establishes the retention periods required for certain categories of personal data and establishes the minimum standards to be applied when certain information is destroyed within the company Essemec S.r.l. (from now on « The Company »). This policy applies to all business units, processes and data processing systems of the Company. This Policy applies to all employees, collaborators, consultants or suppliers of the Company who may collect, process or access data (including personal data and / or sensitive personal data). It is the responsibility of all the aforementioned subjects to become familiar with this Policy and to ensure adequate compliance with it.
This policy applies to all information used at the Company. Examples of documents include:
- E-mail messages •
- Paper documents
- Digital documents
- Data generated by physical access control systems
2. Reference documents
The EU GDPR 2016/679 (Regulation (EU) 2016/679 issued by the European Parliament and issued by the European Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data and repealing Directive 95/46 / EC)
- Personal Data Protection Policy (GDPR 2016/673)
- Legislative Decree 101/2018 and related adjustments
3. Data Retention Regulations
3.1. General Principle of Storage. In the event that, for any category of document not specifically defined elsewhere in this Policy (and in particular in the Data Retention Program) and unless otherwise provided by applicable law, the retention period required for this document will be considered ten years from the document creation date.
3.2. General Data Storage Program
The Processor defines the period of time in which electronic documents and records must be kept through the data retention program.
In the following exceptional cases storage periods inside the Data Retention Program may be extended:
- Investigations in progress by the authorities of the Member States, if the possibility exists that the personal data are necessary for the Company to demonstrate compliance with the legal requirements;
- In the exercise of legal rights in the event of similar lawsuits or legal proceedings pursuant to local law.
3.3. Data Protection during the Storage Period
The Data are stored in the administration PC in Via Ghebo, 24-26 / B – 35017 Piombino Dese (PD) and on paper support duly protected. The possibility that the data carriers used for archiving are exhausted is considered. If electronic recording media are chosen, all the procedures and systems that guarantee access to the information during the storage period (both for information support and for the readability of the formats) must also be kept in order to safeguard information from the loss as a result of future technological changes. The Administrator assume the data retention’s responsibility.
3.4. Data destroy
The Company and its employees, regulary , review all data, whether held electronically on their device or on paper, to decide whether to destroy or delete any data once the purpose for which these documents were created is no longer relevant. See the Annex for the Data Retention Program. The general responsibility for data destruction lies with the Data Controller. Once the decision has been taken to dispose of them in accordance with the Storage Program, the data should be deleted, shredded or otherwise destroyed to an extent equivalent to their value to others and to their level of confidentiality.
The method of disposal varies and depends on the nature of the document. For example, all documents that contain sensitive or confidential information (and particularly sensitive personal data) must be disposed of as confidential waste and subject to secure electronic cancellation; some expired or replaced contracts only require internal destruction with the paper shredder.
The Schedule of documents disposal section below defines the disposal method. In this context, the employee must perform the tasks and assume the relevant responsibilities for the destruction of the information in an appropriate manner.
The specific process of cancellation or destruction can be carried out by an employee or by the owner. All applicable general provisions pursuant to the data protection laws and the Personal Data Protection Policy of the Company must be complied with. Adequate controls must be put in place to prevent the permanent loss of essential Company information following intentional or unintentional destruction of the information.
4. Disposal of documents
4.1. Routine Disposal Program
Documents that can be regularly destroyed, unless they are the subject of a legal or regulatory inquiry currently underway, are the following:
- Announcements and communications of daily meetings and other events, including acceptance and apology;
- Requests for ordinary information such as travel directions;
- Reservations for internal meetings without external charges / costs;
- Transmission of documents such as letters, fax covers, e-mail messages, circulation books, tickets for accompaniment and similar elements that accompany the documents but do not add any value;
- Message forms;
- List of addresses, replaced distribution lists, etc. ;
- Duplicate documents such as copies sent for information or forwarded for information, unaltered drafts, prints of snapshots or extracts from databases and temporary files;
In all cases, disposal is subject to any disclosure obligations that may exist in the context of a dispute.
4.2. Method of destruction
Level I documents are those that contain maximum security and confidentiality information and those that include personal data. These documents must be disposed of as private waste (destroyed with a paper shredder and incinerated) and must be subjected to secure electronic deletion. The disposal of the documents must include proof of destruction.
Level II documents are proprietary documents that contain confidential information such as names, signatures and addresses of the parties or that could be used by third parties to commit fraud, but which do not contain personal data. The documents must be shredded and then placed in garbage bins closed to be collected by an authorized disposal company, and the electronic documents will be subject to secure electronic cancellation.
Level III documents are those that do not contain confidential information or personal data and are published business documents. These should be cut into strips from a paper shredder or eliminated through a recycling company and include, among other things, advertisements, catalogs, flyers and newsletters. These can be disposed of without a control chain.
The Company only deals with level III data, therefore there is no need for a chain of disposal with a control chain.
5. Management of records based on this document
5. Validity and document management
This document is effective from 12/19/18 The person responsible for this document is the Data Controller, who must check and, if necessary, update the document at least annually.