
Organizational Privacy

The protection of personal data is a key commitment for Italtower S.r.l. (hereinafter “Italtower” or “the Company”).

The entry into force of Regulation (EU) 2016/679 “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data” (hereinafter “GDPR”) has provided an opportunity to further align the Company’s activities with the principles of transparency and personal data protection, while respecting the fundamental rights and freedoms of all data subjects, whether they are employees, contractors, customers, suppliers, or third parties interested in receiving information.

Italtower has therefore implemented a “Privacy Organizational Model” (MOP), the general outline of which is described here, designed to analyze all data processing activities, organize them in a functional manner, and manage them securely and transparently. This section of the website also provides information on the rights of data subjects and how to exercise those rights with respect to the Data Controller.
 

TABLE OF CONTENTS


1 - GDPR PRIVACY POLICY
1.1 - SUBJECTS
1.2 - RISK ANALYSIS AND MEASURES TO PREVENT PRIVACY RISKS
2 - TRANSPARENCY AND DATA SUBJECT RIGHTS
2.1 - RIGHTS REGARDING THE PROTECTION OF PERSONAL DATA
2.2 - EXERCISING YOUR RIGHTS
2.3 - FORMS AND NOTICES

1 - GDPR PRIVACY POLICY

 

1.1 - SUBJECTS

Data Controller

The Data Controller is:

Italtower S.r.l. (hereinafter also referred to as the “Data Controller”)
Piove di Sacco (PD) Via A. Meucci n. 5/11
VAT Number and Tax ID: 04725890281
Tel. +39 0495840542
e-mail: info@italtower.com
Certified Email: semtrade@lamiapec.it

PARTIES AUTHORIZED TO PROCESS DATA (ex art. 29 GDPR)

The MOP stipulates that each employee or contractor of the Data Controller may process only the data necessary to perform their duties, in accordance with the internal organization and, above all, the purposes indicated and communicated to the data subject (the so-called “purpose limitation and data minimization” principle, Article 5(1)(b) and (c) of the GDPR). Each person authorized to process personal data has received specific instructions from the Data Controller regarding such processing.

The information system is designed with “separate compartments.” Employees and contractors may access from their workstations only the data necessary to perform their duties. Access to specific data processing areas is granted only after a careful analysis of the company’s structure and organization, as well as the flow of data both within and outside the Company.

The employee/contractor has also received internal regulations regarding the use of IT tools and rules of conduct concerning all information to which they have access by virtue of their specific role.

SYSTEM ADMINISTRATORS

The Data Controller uses IT systems to manage and organize its operations. For this reason, the Data Controller has always placed a strong emphasis on software development, usage procedures, and data security as the foundation of its operations. Individuals with “administrator” privileges within the company are specifically designated and trained. External specialized companies that access company data are also specifically designated as External Data Processors and/or External System Administrators pursuant to Article 28 of the GDPR.

External IT service providers are selected with particular attention to their professionalism, not only in terms of technical expertise but also in terms of data compliance and protection, with a preference for certified companies.


DATA PROCESSORS (ex art. 28 GDPR)

As a general rule, the Data Controller handles nearly all processing activities internally. Any instances where certain activities involving data processing on behalf of the Data Controller are outsourced to third parties are clearly indicated in the individual privacy notices. In such cases, the relationship with the third party is governed by a specific contract appointing the third party as a “Data Processor” pursuant to Article 28 of the GDPR.

The Data Controller entrusts such processing activities to external parties that provide sufficient guarantees to implement technical and organizational measures adequate to meet the requirements of the GDPR and ensure the protection of the rights of data subjects.

1.2 RISK ANALYSIS AND MEASURES TO PREVENT PRIVACY RISKS

In accordance with the principles of accountability, it is the Data Controller’s responsibility to implement a series of measures (organizational, physical, legal, technical, and IT-related) designed to prevent the risk of infringing upon the personal rights and freedoms of data subjects. To achieve this objective, a continuous risk assessment is conducted, taking into account the nature of the processing activities, the tools used, and the type and volume of data processed.

RECORD OF PROCESSING ACTIVITIES (ex art. 30 GDPR) AND DATA PROTECTION IMPACT ASSESSMENT (ex art. 35 GDPR)

The MOP provides for a careful and ongoing analysis of the risks associated with the processing of personal data, identified for each activity or service provided through a Record of Processing Activities pursuant to Article 30(1) of the GDPR.

The Data Controller periodically verifies whether there are any high-risk activities that require a specific data protection impact assessment pursuant to Article 35 of the GDPR (the so-called “DPIA”).


2 - TRANSPARENCY AND DATA SUBJECT RIGHTS


2.1 RIGHTS REGARDING THE PROTECTION OF PERSONAL DATA

The Data Controller considers it essential, including in this context, to inform data subjects of their rights regarding the protection of personal data, as listed below.
 

Right to be informed (transparency in data processing)

The data subject has the right to be informed about how the Data Controller processes their personal data, for what purposes, and regarding other information provided for in Article 13 of the GDPR. To this end, the Data Controller has established organizational processes that allow, upon the collection or request of personal data, the issuance of a privacy notice template created “ad hoc” depending on the category of data subjects to which the data subject belongs (employee, customer, supplier, etc.). This document ensures that all data subjects are adequately informed about how the Data Controller processes their data. The privacy notice template may be requested by submitting a specific request to the Data Controller.

Right to withdraw consent (art. 13)

You have the right to withdraw your consent at any time for any processing activities that are based on your consent. Withdrawing your consent does not affect the lawfulness of any processing carried out prior to the withdrawal.

Right of access to data (art. 15)

You may request: a) the purposes of the processing; b) the categories of personal data concerned; c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular if they are recipients in third countries or international organizations; d) where possible, the envisaged period for which the personal data will be stored, or, if this is not possible, the criteria used to determine that period; e) the existence of the data subject’s right to request from the Data Controller the rectification or erasure of personal data or the restriction of processing of personal data concerning him or her or to object to such processing; f) the right to lodge a complaint with a supervisory authority; g) where the data are not collected from the data subject, any available information as to their source; h) the existence of automated decision-making, including profiling as referred to in Article 22(1) and (4), and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. You have the right to request a copy of the personal data being processed.

 

Right of correction (art. 16)

You have the right to request the correction of inaccurate personal data concerning you and to have incomplete personal data completed.
 

Right to be forgotten (art. 17)

You have the right to request that the Data Controller erase your personal data if the personal data is no longer necessary for the purposes for which it was collected or otherwise processed, if you withdraw your consent, if there is no legitimate ground for profiling, if the data has been processed unlawfully, if there is a legal obligation to erase it, or if the data relates to web services provided to minors without their consent. Erasure may take place unless the right to freedom of expression and information prevails, or the data is retained for the fulfillment of a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority, for reasons of public interest in the field of public health, for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes, or for the establishment, exercise, or defense of a legal claim in court.

Right to restriction of processing (art. 18)

You have the right to obtain from the Data Controller the restriction of processing when you have contested the accuracy of the personal data (for the period necessary for the Data Controller to verify the accuracy of such personal data) or if the processing is unlawful, but you oppose the erasure of the personal data and request instead that its use be restricted, or if you need the data for the establishment, exercise, or defense of a legal claim, even though the Data Controller no longer needs them.

Right to data portability (art. 20)

You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format, and you have the right to transmit that data to another controller if the processing was based on consent, on a contract, and if the processing is carried out by automated means, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, and such transmission does not infringe upon the rights of third parties.

Right to object (art. 21)

You have the right at any time to object, in whole or in part, to the processing of your personal data if such processing is carried out to pursue a legitimate interest of the Data Controller or for direct marketing purposes.

 

Right to contact the Data Protection Authority (art. 77)

Without prejudice to any other administrative or judicial remedy, if you believe that the processing of your personal data violates the General Data Protection Regulation, you have the right to lodge a complaint with a supervisory authority, specifically in the Member State where you habitually reside, work, or where the alleged violation occurred.    

 

2.2 EXERCISING YOUR RIGHTS

To exercise your rights, please send an email to info@italtower.com, attaching, if applicable, the access forms provided below.


2.3 FORMS AND NOTICES

1) Below is a draft form to be completed in order to exercise your rights. The form may then be sent to the Data Controller at the addresses listed above, in accordance with applicable law.

Form to print and complete, specifying the right you wish to exercise

Form for exercising your rights

 

Privacy notices:
