The protection of personal data is an important commitment for Grey Silo Ventures S.r.l. (hereinafter “GSV” or “Company”).
Regulation (EU) 2016/679 “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data” (hereinafter “GDPR”) provides the opportunity to further adapt the activities carried out by the Company to the principles of transparency and protection of personal data, while respecting the fundamental rights and freedoms of all data subjects, whether they are employees, collaborators, customers, suppliers or third parties interested in receiving information. The Company has therefore implemented a “Privacy Organizational Model” (PMO), described here in its general lines, aimed at analysing all data processing operations, organizing them functionally and managing them securely and transparently. This section of the site also contains information on the rights of the data subject and on how they may be exercised with the Data Controller.
1 – GDPR PRIVACY ORGANIZATIONAL MODEL
1.1 – SUBJECTS
1.2 – RISK ANALYSIS AND MEASURES TO PREVENT PRIVACY RISKS
2 – TRANSPARENCY AND RIGHTS OF THE DATA SUBJECT
2.1 – PERSONAL DATA PROTECTION RIGHTS
2.2 – EXERCISE OF RIGHTS
2.3 – FORMS AND INFORMATION
1 – GDPR PRIVACY ORGANIZATIONAL MODEL
1.1 – SUBJECTS
The Data Controller is:
Grey Silo Ventures S.r.l. (hereinafter also “CONTROLLER”)
Via dell’Innovazione n. 1, 36043 – Camisano Vicentino (VI) Italy
Tel. +39 0444 419411
Certified E-mail: email@example.com
VAT N. and tax identification code: 04390380246
The CONTROLLER has decided to appoint an internal “Privacy Team” made up of persons with organizational, technical and IT skills. The Privacy Team supports the activities of the CONTROLLER and of the DPO.
PERSONS AUTHORIZED TO PROCESS DATA (ex Art. 29 GDPR)
The PMO provides that each employee/collaborator of the CONTROLLER shall process only the data necessary to carry out their duties, in accordance with the internal organization and, in particular, with the purposes indicated and proposed to the data subject (the so-called principle of “purpose limitation and data minimisation”, Art. 5, paragraph 1, letters b) and c) of the GDPR). Processing operations have therefore been segmented into homogeneous areas of authorized persons, binding the employees/collaborators assigned to each area to a specific area of processing. Each authorized person has received specific instructions from the CONTROLLER regarding the processing of personal data. To this end the information system has been divided into “watertight compartments”: from his/her computer workstation, the employee/collaborator can access only the data necessary to carry out his/her duties. Assignment to the specific processing areas is made after careful analysis of the company structure and organization, as well as of the flow of data inside and outside the Company, and is summarized in a specific internal matrix that precisely identifies the scope of processing of each area.
The employee/collaborator has also received internal regulations on the use of IT tools and rules of conduct, including ethical ones, covering all the information to which he/she has access by reason of his/her specific duties.
In order to effectively ensure compliance with the principles on the processing of personal data, the CONTROLLER has also provided training and refresher courses on the subject to those employees/collaborators who, by reason of their duties, process personal data.
(INTERNAL AND EXTERNAL) SYSTEM ADMINISTRATORS
The CONTROLLER uses computer systems to manage and organize its business. For this reason, attention to the construction of the software, to the way in which it is used and to the security of the data has always been the basis of the CONTROLLER’s activity. Persons with internal “administrator” access are specifically appointed and trained. Specialized external companies that access company data are likewise specifically appointed as External Processors and/or External System Administrators pursuant to Art. 28 of the GDPR.
Suppliers of external IT services are chosen with particular attention to their professionalism, which is not limited to their technical knowledge but also includes respect for and protection of data, giving priority to certified companies.
DATA PROCESSOR (ex Art. 28 GDPR)
The cases in which certain activities involving the processing of data on behalf of the CONTROLLER are outsourced to third parties are indicated in the individual information notices. In these cases, the relationship with the third party is governed by a specific contract appointing it as “Data Processor” pursuant to Art. 28 of the GDPR. The CONTROLLER entrusts such processing activities only to external parties offering sufficient guarantees that they will put in place adequate technical and organisational measures to meet the requirements of the GDPR and to ensure the protection of data subjects’ rights.
1.2 – RISK ANALYSIS AND MEASURES TO PREVENT PRIVACY RISKS
According to the principle of so-called “accountability”, the CONTROLLER must implement a series of measures – organisational, physical, legal, technical and IT – aimed at preventing the risk of violation of the rights and freedoms of the data subjects. In order to achieve this objective, a constant risk analysis is carried out, depending on the processing operations, the instruments used, and the type and amount of data processed.
Records of processing activities (ex Art. 30 GDPR) and Data protection impact assessment (ex Art. 35 GDPR)
The PMO provides for a careful and constant analysis of the risks of the processing of personal data, identified for each activity or service provided, through the Records of processing activities pursuant to Art. 30 paragraph 1 of the GDPR.
After analysing the processing activities carried out by the CONTROLLER, it is considered that to date there are no activities at risk that require a specific impact assessment pursuant to Article 35 of the GDPR (so-called “DPIA”).
The analysis of IT risks, of the Company’s hardware and software infrastructure and of the IT adaptation measures was carried out both by the System Administrator, with dedicated tools and checklists, and by external companies specialising in IT security, which carry out an in-depth audit with security tests. The results of the survey enable the technicians to further improve their measures of protection against cyber attacks and cyber threats, gradually and in proportion to the risk to the rights and freedoms of the data subjects.
2 – TRANSPARENCY AND RIGHTS OF THE DATA SUBJECT
2.1 – PERSONAL DATA PROTECTION RIGHTS
The CONTROLLER considers it essential, here too, to inform data subjects of the rights they hold regarding the protection of personal data, listed below.
Right to be informed (transparency in data processing)
The data subject has the right to be informed about how the CONTROLLER processes his personal data, for what purposes, and about the other information required by Art. 13 of the GDPR. To this end, the CONTROLLER has prepared organizational processes which, at the time personal data are acquired or requested, allow the release of an information notice created “ad hoc” according to the category to which the data subject belongs (employee, customer, supplier, etc.). This document makes it possible to adequately inform all the persons to whom the data refer about how the processing is carried out by the CONTROLLER. The information notice can be obtained by sending a specific request to the CONTROLLER.
Right of withdrawal of consent (Art. 13)
The data subject has the right to withdraw consent at any time for all processing operations whose lawfulness is conditional on his consent. The withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
Right of access to data (Art. 15)
The data subject may request: (a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; (d) where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period; (e) the existence of the right of the data subject to request the CONTROLLER to rectify or erase the personal data, or to restrict the processing of personal data concerning him, or to object to such processing; (f) the right to lodge a complaint; (g) all available information on the origin of the data, where they are not collected from the data subject; (h) the existence of automated decision-making, including profiling as referred to in Article 22(1) and (4), and, at least in such cases, meaningful information on the logic used and on the significance and the envisaged consequences of such processing for the data subject. The data subject has the right to request a copy of the personal data being processed.
Right of rectification (Art. 16)
The data subject has the right to request the rectification of inaccurate personal data concerning him and to obtain the integration of incomplete personal data.
Right to be forgotten (Art. 17)
The data subject has the right to obtain from the CONTROLLER the deletion of personal data concerning him if the personal data are no longer necessary for the purposes for which they were collected or otherwise processed, if he withdraws his consent, if there is no overriding legitimate ground for proceeding with profiling, if the data were processed unlawfully, if there is a legal obligation to delete them, or if the data relate to web services provided to minors without their consent. Deletion may not take place where the right to freedom of expression and information prevails, where the data are retained for the fulfilment of a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority, for reasons of public interest in the area of public health, for archiving purposes in the public interest, for scientific or historical research or statistical purposes, or for the establishment, exercise or defence of a right in court.
Right to restriction of processing (Art. 18)
The data subject has the right to obtain from the CONTROLLER the restriction of processing when he has contested the accuracy of the personal data (for the period necessary for the CONTROLLER to verify their accuracy); when the processing is unlawful but he opposes the erasure of the personal data and instead requests that their use be restricted; or when the data are necessary for the establishment, exercise or defence of a right in court, while the CONTROLLER no longer needs them.
Right to portability (Art. 20)
The data subject has the right to receive, in a structured, commonly used and machine-readable format, the personal data that he provided to the CONTROLLER, and has the right to transmit them to another Controller if the processing is based on consent or on a contract and is carried out by automated means, unless the processing is necessary for the performance of a task in the public interest or in the exercise of official authority, and provided that such transmission does not infringe the rights of third parties.
Right to object (Art. 21)
The data subject has the right at any time to object, in whole or in part, to the processing of his personal data if the processing is carried out for the pursuit of a legitimate interest of the CONTROLLER or for direct marketing purposes.
Right to lodge a complaint with the Guarantor Authority for the protection of personal data (Art. 77)
Without prejudice to any other administrative or judicial remedy, if the data subject considers that the processing operations concerning him are in breach of the GDPR, he has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his residence, place of work or place of the alleged breach.
2.2 – EXERCISE OF RIGHTS
For the effective exercise of his rights, the data subject can ask the CONTROLLER for information, or fill out the access form below.
2.3 – FORMS AND INFORMATION
Below is a draft document to be completed in order to exercise the rights of the data subject. The form can then be sent to the CONTROLLER, at the addresses given above, in accordance with the regulations in force.