Company regulations on the protection and processing of personal data
Regulation 2016/679: GDPR (General Data Protection Regulation)
Last updated: 25 June 2020
This Regulation governs the general principles, roles and responsibilities regarding the protection and processing of personal data in accordance with the relevant legislation in force.
2. General Principles
2.1 Governance Model
The Group adopts a Governance model for the protection and processing of personal data which provides for the definition of roles and responsibilities, organisational and technical measures, and mechanisms aimed at ensuring compliance with the principles of protection and processing of personal data by design and by default. These measures are commensurate with the nature, scope, context and purpose of the processing, with regard to risk management and to the protection of the rights and freedoms of the individuals concerned.
3. Roles and Responsibilities
3.1 Data Controller
The Data Controller is the Legal Representative of each Group Company, without the right to delegate. The obligations of the Data Controller are governed by Article 24 of EU Regulation 2016/679.
3.2 Personnel in charge of the processing
The persons entrusted with the processing of personal data by the Data Controller are those persons within the Company who process the aforementioned data in order to carry out their functions.
The personnel in charge carry out the activities of personal data processing in compliance with the organisational and technical measures defined by the Controller, in accordance with company Regulations.
3.3 Data Processor
Where a processing operation is to be carried out on behalf of the Data Controller, the latter shall employ (internal or external) Data Processors who offer sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of this Regulation and ensures the protection of the rights of the data subject.
The Parent Company has appointed internal and external Data Processors. The appointment was made by signing a specific contract containing the elements expressly provided for by the Regulation. The same appointment procedure also applies to the internal and external Data Processors of the other Group Companies.
External and internal Data Processors, by signing this legal act, are bound to the Data Controller and are required to ensure compliance with all the elements identified therein.
Since there is no obligation to do so, it has not been considered necessary to appoint a Data Protection Officer (DPO) either for Epta S.p.A. or for the other Group Companies.
3.4 Companies belonging to the Group
The various corporate functions of the Group Companies are responsible, each according to their own competencies and within their respective realities, for the correct application of this Regulation and the Regulations to which it refers, and for promoting its integration within the scope of Group controls.
3.5 Other obligations and specific aspects
3.5.1 Register of Processing Activities
Each Group Company is required to prepare and update its own Register of Processing Activities.
3.5.2 Compliance with video surveillance requirements
For reasons of prevention, organisational security and protection of the company's assets, the Data Controller has set up a video surveillance system on certain premises.
3.6 Risk assessment and Data Protection Impact Assessment
3.6.1 Risk assessment
The Data Controller, in assessing the appropriateness of the measures adopted to ensure an adequate level of security for the protection of personal data, mainly takes into account the risks presented by the processing, which derive in particular from the possible destruction, loss, alteration, unauthorised disclosure of, or access to, the personal data stored, transmitted or otherwise processed, whether accidental or unlawful.
3.6.2 Personal Data Protection Impact Assessment (DPIA)
Before proceeding with the processing, the Controller shall carry out, as provided for in Article 35 of EU Regulation 2016/679, an impact assessment (DPIA) in order to determine the necessity and proportionality of the intended processing operations and the risks they pose to the rights and freedoms of the data subjects, and in order to prepare appropriate measures to address those risks.
A DPIA may concern a single processing operation, or several processing operations that present similarities in terms of nature, scope, context, purpose and risks.
3.7 Protection and Safety Measures
The Controller adopts and coordinates measures that guarantee the security and protection of all data subject to company processing, both from a logical and physical point of view.
3.8 Minimum data retention and deletion
Personal data are kept in a form which permits identification of the data subjects for no longer than is necessary to achieve the purposes for which they are processed.
Hence, the Data Controller identifies specific criteria for the retention period of personal data, based on legal obligations and on specific organisational needs.
3.9 Data Breach
The Controller adopts organizational, protection and security measures to ensure the process of detection and management of a data breach that leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to the personal data of the data subject stored, transmitted, or otherwise processed.
The Data Controller will promptly notify the breach to the competent Control Authority and, if the need arises, to the subject(s) concerned.
In the case of External Processors, the latter shall ensure that the Data Controller is notified, without undue delay, of any incident or breach of personal data.
All employees are required to promptly report cases of personal data breaches to the e-mail address firstname.lastname@example.org.
3.10 Rights of the Data Subjects
The procedures for the exercise of their rights by the data subjects are set out, in a general way, in Articles 11 and 12 of the EU Regulation 2016/679.
The Data Controller must facilitate the exercise of the rights by the data subject, as prescribed by Articles 15-22 of EU Regulation 2016/679, adopting all appropriate measures; in this it is supported by the Data Processor, as provided for by Article 28(3)(e) of EU Regulation 2016/679.
3.11 Information and Consent to the Processing
3.11.1 Informative duty
The Data Controller is required to inform the data subject, or the person from whom the data are collected, in advance and in writing of the identity and contact details of the Data Controller and, where applicable, of its Processor; of the purposes of the processing for which the personal data are intended; and of the legal basis of the processing.
The consent of the data subject is acquired in compliance with the law on the protection and processing of personal data.
3.12 Training activities
The Controller ensures the adequate training of its staff.