By this document the undersigned company, as Data Controller, whereas:

pursuant to art. 29 of Reg. (EU) 2016/679, authorizes you to access and process personal data and provides you with adequate instructions to ensure an adequate level of security.

1. REFERENCES OF LAW, DEFINITIONS

This document (required by law) concerns all employees and collaborators. This is because the legislation in question means by “personal data” any information relating to a natural person and by “processing” any operation performed on such data, including simple access or consultation. (Example: it is therefore sufficient that you temporarily consult a document showing the name of a person, or that you access a phone book containing some names, to be considered a subject who, in the conduct of their business within the company, processes personal data.) The regulation defines as “data subject” the natural person to whom the data refer (e.g. a customer, a supplier, a visitor, a colleague, etc.).

2. AUTHORIZATION SCOPE
3. PRINCIPLES RELATING TO PROCESSING OF PERSONAL DATA (GDPR – Art.5)

1. Personal data shall be:
a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

4. INFORMATION, CONSENT AND RIGHTS OF DATA SUBJECT (GDPR – Art.12-22)

The GDPR provides that data subjects receive adequate information regarding the processing of their data and, where necessary, express a specific, free and informed consent. In addition, the need to secure the rights referred to in Chapter III of the GDPR is acknowledged, including the rights of access, rectification, erasure (right to be forgotten), restriction of processing, data portability and objection. The company has implemented adequate internal procedures aimed at guaranteeing the aforementioned rights; you are therefore required, should any subject address a privacy-related request to you, to promptly report it to the privacy team referred to in paragraph 5 hereof.

5. PRIVACY TEAM

The company has defined a specific internal organization to guarantee effective application of the privacy compliance requirements. For any information or clarification, or to report any of the matters referred to in these instructions (e.g. security incident, new processing activity, requests from data subjects, etc.), you may contact, without particular formalities:
• Data Protection Officer – Dr. Gregorio Galli – Mob. 329.0516409 – gregorio@gallidataservice.com

6. PRIVACY BY DEFAULT AND PRIVACY BY DESIGN (GDPR – Art.25)

The GDPR provides that any business activity or process, before being implemented, is subject to appropriate assessments of the amount of data collected, the security measures, the storage period, etc. In order to correctly involve the persons responsible for carrying out these assessments, you are asked to report to the privacy team any initiative or project you intend to carry out (software purchase, website launch, video surveillance activation, etc.) that has implications for the processing of personal data.

7. SECURITY OF PROCESSING AND OPERATING INSTRUCTIONS (GDPR – Art.32)

The GDPR provides that adequate technical and organizational measures be put in place to guarantee data subjects a suitable level of security in the processing of their data. In addition to the logical, physical and IT security measures implemented by the company, the following instructions are therefore issued:

7.1. INSTRUCTIONS FOR DATA MANAGEMENT IN PAPER FORMAT
7.2. INSTRUCTIONS FOR DATA MANAGEMENT IN DIGITAL FORMAT

The electronic devices and business applications, as well as the content generated by users, are work tools to be used exclusively for professional purposes (on which the company may lawfully carry out management and verification activities). Users of company electronic tools are required to comply with the provisions contained in the specific Company Computer Regulations, which summarize the main concepts:

General instructions

In general it is forbidden to any subject, except for activities expressly connected to their duties, to disclose information concerning personal data, to make copies of any kind (on paper, computer media, etc.) and to destroy, steal or manipulate the contents of the databases unless expressly authorized by the Data Controller.

9. DATA BREACH (GDPR – Art.33,34)

The GDPR provides that the Controller manages any event that could pose a security risk for personal data (data breach, violation of personal data). There is a “personal data breach” when, accidentally (culpably) or unlawfully (maliciously), an event causes the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (e.g. theft of devices or documents, loss of devices or documents, computer attack or virus, deletion or unintentional sending of data, etc.). In order to correctly involve the persons responsible for handling such events, you are asked to report to the privacy team any circumstance that you believe could constitute a “data breach”.

10. INSTRUCTIONS UPDATE MODE
11. INTEGRATION D.LGS. 196/2003, DURATION AND VIOLATION
FORNAROLI POLYMERS S.P.A.
Registered Office: Via Archimede, 57 – 20129 Milano (MI) – I
Local Unit: Via Trebbia, 71 – 29121 Piacenza (PC) – ITALY
Tel. +39/0523/484944 – Fax +39/0523/482660
VAT No. 09301380961 – Share capital Euro 2.000.000,00 fully paid-up
Tax Registration No. and Registration number at the Milan Chamber of Commerce: 01338080334
Economic and Administrative Index of Milan no. 09301380961
Web Site: www.fornarolipolymers.com
E-mail: info@fornarolipolymers.com
PEC (certified email): fornarolipolymers@tmcert.it