PREMISE
OMV Machinery srl, Data Controller, (hereinafter, “the Data Controller”), gives great importance to the protection of personal data and undertakes to safeguard them by applying the European and national provisions in force. The European legislation on the protection of personal data is the Regulation of the European Parliament no. 2016/679/EU of 27/04/2016 (hereinafter, GDPR); The national legislation is the so-called “Privacy Code”, Legislative Decree no. 196/2003. The content of the information to data subjects is indicated in Articles 13 and 14 of the GDPR.
Personal data is any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to data such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
In addition to personally identifiable data, the GDPR indicates special categories of personal data, capable of revealing: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, data relating to health or data relating to a person’s sex life or sexual orientation.
PRINCIPLES APPLICABLE TO THE PROCESSING OF PERSONAL DATA
The Data Controller processes personal data in compliance with the principles established by the GDPR: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity, confidentiality and lawfulness. The processing takes place only if at least one of the conditions of lawfulness is met:
- the data subject has given consent to the processing of his/her personal data for one or more specific purposes;
- the processing is necessary for the performance of a contract to which the data subject is a party or for the execution of pre-contractual measures adopted at the request of the same;
- the processing is necessary for compliance with a legal obligation to which the controller is subject;
- the processing is necessary for the protection of the vital interests of the data subject or of another natural person;
- the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority;
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular if the data subject is a child, are not overridden.
The lawfulness of the processing of special categories of personal data includes cases where:
- the data subject has given his/her explicit consent to the processing of such personal data for a more specific purpose;
- the processing is necessary for the fulfilment of the obligations and exercise the specific rights of the controller or the data subject in the field of labour and social security law and social protection.
CHARACTERISTICS OF THE PROCESSING OF PERSONAL DATA
The Data Controller may process personal data according to the characteristics indicated below:
CATEGORY OF DATA SUBJECTS |
PURPOSE OF THE PROCESSING |
DATA PROCESSED |
LEGAL BASIS OF THE PROCESSING |
OBLIGATION OR RIGHT TO COMMUNICATE DATA |
CONSEQUENCES OF FAILURE TO PROVIDE DATA |
MAXIMUM RETENTION PERIOD |
Employee Candidates | Management of the obligations related to the hiring of the employee candidate | Identifiers and details | Pre-contractual measures (employment contract) | Obligation | Failure to continue pre-contractual activities | Time strictly necessary to fulfil the purposes of the processing |
Potential customers | Management of commercial promotion activities (communications, newsletters, etc.) | Identification | Legitimate interest | Faculty | Failure to treat | Withdrawal of consent |
Potential customers; Customers | Fulfilments relating to the management of pre-contractual and contractual activities | Identification | Execution of contractual and pre-contractual measures | Obligation | Failure to treat | Validity of the contract; additional period to deal with tax commitments and any litigation |
Potential Suppliers | Management of commercial promotion activities (communications, newsletters, etc.) | Identification | Legitimate interest | Faculty | Failure to treat | Withdrawal of consent |
potential suppliers; Suppliers | Fulfilments relating to the management of pre-contractual and contractual activities | Identification | Execution of contractual and pre-contractual measures | Obligation | Failure to treat | Validity of the contract; additional period to deal with tax commitments and any litigation |
Customers; Suppliers | Fulfilments relating to: bookkeeping; preparation of the financial statements; Tax Compliance | Identification; Details | Legal Obligation | Obligation | Failure to treat | Deadlines for keeping accounting and tax documentation. |
Website users | Analyze requests and provide appropriate feedback | Identification | Legitimate interest | Faculty | Failure to treat | Time strictly necessary to fulfil the purposes of the processing |
If the processing is based on consent, the data subject has the right to withdraw the same at any time without affecting the lawfulness of the processing based on the consent given before its withdrawal.
AUTHORIZED TO PROCESS PERSONAL DATA
AUTHORIZED TO PROCESS |
PURPOSE OF THE PROCESSING |
Employees of the Data Controller or any third parties formally appointed by the Data Controller (external data processors authorised to process data) | Management of pre-contractual, contractual or legal obligations on behalf of the Data Controller |
Third parties formally appointed by the Data Controller (external data processors authorised to process data) | Installation, updating and maintenance of management systems, computer programs, company website |
TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
The Data Controller, directly or through formally authorised third parties (e.g. cloud platform providers), may transfer personal data to recipients in countries outside the EU, only if they ensure an adequate level of protection or there are standard contractual clauses or other bases of legitimacy, in accordance with the provisions of the GDPR. The interested party who, through the Data Controller’s website, decides to access external sites (e.g., social networking sites), is subject to the guarantees and data processing methods of the managers of these sites.
RIGHTS OF THE DATA SUBJECT
With regard to the Data Controller, the interested party has the right to obtain:
- access to one’s own data (art. 15);
- the rectification of their data (art. 16);
- the erasure of one’s own data (so-called “right to be forgotten”) (art. 17);
- restriction of processing (art. 18);
- the controller notifies each of the recipients to whom the personal data have been transmitted of any rectification or erasure or restriction of processing carried out, unless this proves impossible or involves a disproportionate effort. The Data Controller shall notify the data subject of these recipients if the data subject so requests (Article 19);
- data portability (art. 20);
- objection to the processing of their data (art. 21);
- know whether the processing is subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her (Article 22);
- receive notification of a personal data breach (art. 34).
To exercise your rights, you may send an e-mail to privacy@omvtechnologies.com, or send a registered letter to: . Click or tap here to enter your text. Click or tap here to enter your text.
The Data Controller shall provide the data subject with information relating to the action taken with regard to a request without undue delay and, in any case, at the latest within one month of receipt of the request. This deadline may be extended by two months, if necessary, taking into account the complexity and number of requests. The Data Controller shall inform the data subject of such extension, and of the reasons for the delay, within one month of receipt of the request.
You have the right to lodge a complaint with a Union Supervisory Authority (see the references of the European Supervisory Authorities in https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm).
References of the Italian Data Protection Authority: Piazza di Monte Citorio, 121, 00186 Rome.
Tel. +39 06 69677 1; fax +39 06 69677 785.
e-mail: garante@garanteprivacy.it; website: http://www.garanteprivacy.it
Data Controller: OMV Machinery srl. Email: privacy@omvtechnologies.com