Policy pursuant to Art. 13 of the EU General Regulation 679/2016 on the protection of personal data
The present policy has been drafted on the basis of the transparency principle and all elements as per Art. 13 of EU Regulation n. 679/2016 (GDPR) and has been divided into single sections, each dealing with a specific topic in order to make for a faster, easier and more understandable reading.
With this policy, the interested party is made aware of the appropriate information regarding the processing activities that are carried out by the Data Owner and their rights as an Interested.
OWNERSHIP OF DATA PROCESSING
The Data Owner and Processor is the Institute for Competitiveness (I-Com), VAT number 08678131007, with its registered office in Piazza dei Santi Apostoli n° 66, Rome (00187), tel.: (+39) 06 4740746, e-mail: daempoli@i-com.it, PEC: i-com@legalmail.it.
The Data Processor is supported by the company I-Com Servizi S.r.l., VAT number 13128851006, with itsregistered office in Piazza dei Santi Apostoli n° 66, Rome (00187), tel..: (+39) 06 4740746, e-mail: daempoli@i-com.it, PEC: icomservizi@legalmail.it, which acts as Joint Data Controller pursuant to Art. 26 of the GDPR (hereinafter jointly the “Owner/s” or jointly the “Joint Owners”).
The Joint Owners have stipulated, pursuant to Art. 26 of the GDPR, a joint ownership agreement being committed to regulating the relationship between them in reference to the processing of the personal data of the interested parties (“Interested”).
Interested parties can exercise their rights towards each of the Joint Owners by contacting them at the references indicated above.
The Joint Owners, in order to facilitate relations between the Interested and each Data Processing Owner, have designated a Privacy Contact in the person of Silvia Compagnucci, who can be contacted at the e-mail address: privacy@i-com.it.
The privacy contact provides support for all activities related to Personal Data Processing and for all activities dealing with the correct management of personal data???
CATEGORIES OF PROCESSED DATA
Joint Owners process, depending on the case, the following Personal Data relating to the Interested and/or the reference staff (employees or collaborators) and/or the suppliers to whom they are required to communicate this Policy:
- identification and personal data (name, surname, place and date of birth, address, composition of the family unit, bank details, registered office);
- contact details (landline and mobile phone number, personal and company e-mail);
- navigation data (for more information, refer to the Cookie Policy);
- data entered on the forms of the website and data sent via e-mail messages;
- images and audiovideo recordings collected during events/conferences/seminars;
- data contained in the curriculum vitae and any other data connected with the execution of the professional assignment;
- any other data connected with the carrying out of events and initiatives that the Joint Controllers organise or in which they participate.
PURPOSE OF THE PROCESSING
Personal data is used by the Joint Owners:
- Without the express consent of the Interested (Art. 6 B, e) GDPR), for the following purposes:
- fulfil precontractual and contractual obligations resulting from the granting of a professional appointment, both in judicial and extrajudicial matters;
- comply with provisions and regulations (national or EU, such as the requirements required by anti-money laundering and anti-terrorism legislation), or execute an order from a judicial authority and supervisory bodies to which the Joint Owners are subject;
- exercise the rights of the Joint Owners, in particular, that of defence in court in the event of any disputes;
- fulfil the obligations envisaged in the tax and accounting fields;
- obtain anonymous statistical information on the use of the website and check its correct functioning, identify anomalies and/or abuses (for more information, refer to the Cookie Policy);
- ensure compliance with the anti-contagion measures from COVID-19.
- B) Only if the Interested has given specific and distinct consent (Art. 7 GDPR), for the following purposes:
- to manage the organisation of events/conferences/seminars;
- to manage the registration for events/conferences/seminars;
- to disseminate the content of events/conferences/seminars through social networks and/or in the press;
- for internal reporting or for the client company;
- to send the newsletter;
- to share content on social networks (for more information, refer to the Cookie Policy);
- to send, by e-mail, the material relating to events and initiatives;
- to involve internal and external subjects in the planning of events and initiatives;
- to enlarge the customer and/or associate base;
- to manage the applications and the possible selection of personnel.
The processing shall take place on the basis of the data communicated by the Interested and in our possession with a commitment on their part to promptly communicate any corrections, additions and/or updates.
Personal Data shall be processed in strict compliance in order to meet the afore-mentioned purposes.
LEGAL BASIS OF THE PROCESSING
The Joint Owners shall lawfully process Personal Data where the treatment:
- is necessary for the execution of the professional assignment, of a contract of which the Interested is a party or for the execution of pre-contractual measures adopted upon request, necessary to fulfil a legal obligation incumbent on the Joint Owners or to pursue the legitimate interest of the Joint Owners or of third parties or for the other purposes referred to in A.1, A.2, A.3, A.4, A.5, A.6;
- is based on the consent expressed for the purposes referred to in letter B.
Therefore:
- the provision of Personal Data for the purposes referred to in points A.1, A.2, A.3, A.4, A.5, A.6 above is mandatory. The lack of data and/or any express refusal of the Processing shall make it impossible for the Joint Owners to carry out the assignment or the possible violation of requests from the competent authorities;
- the provision of Personal Data for the purposes referred to in Art. 6 B is optional, that consequently enables the Interested not to provide consent or to revoke it at any time.
METHODS OF DATA PROCESSING
The processing is done in a lawful, correct and transparent manner, respecting the principle of “minimisation”.
Personal data processing is to be carried out as per Art.5, n. 2 of the GDPR – executed without the help of informatic systems – and concerns the collection, registration, organisation, structuring, updating, conservation, adaptation or modification, extraction and analysis, consultation, use, communication by transmission, dissemination or any other form of making comparison, interconnection, limitation, cancellation or destruction available.
The security of Personal Data and, in general, the confidentiality of the processed Personal Data is guaranteed, adopting all the necessary technical and organisational measures to guarantee its safety.
DATA STORAGE
Personal Data shall be exclusively used for the above-mentioned purposes and, pursuant to Art. 5 of the GDPR, is kept for a limited period of time, which varies according to the purpose of the Processing. After this period, the data shall be permanently deleted.
Specifically, Personal Data shall be stored in compliance with the terms and criteria indicated below:
- for the management of the Interested’s requests, the Data shall be stored for a maximum period of 6 (six) months;
- for the fulfilment of legal obligations, the Data shall be stored for a maximum period of 10 (ten) years starting from the end of the calendar year in which the Data Owner fulfilled the legal obligation, in order to document and be able to demonstrate that they have correctly complied with the law;
- for a period of time not over the achievement of the purpose for which it was collected and processed, for the execution and fulfilment of the contractual purposes and, in any case, for no more than 10 (ten) years from the conclusion of the collaboration relationship;
- for the selection of personnel, the data shall be stored within the time necessary for the evaluation of the curriculum and the provision of the service and, in any case, no later than 5 (five) years from acquisition;
- the navigation data is stored for the technical time necessary to carry out the functions it was collected for;
- for a period of time not exceeding 5 (five) years from the collection of data for marketing purposes;
Personal Data is in any case stored for the time strictly necessary to carry out the activities as described and in compliance with the mandatory time limits established by law.
Exceptions to the above cases when storage for a period exceeding that described is required for any disputes, requested from the competent Authorities or in accordance with the applicable legislation.
The management and storage of Personal Data takes place on servers located within the I-Com offices or in third party data centres located in the European Union.
COMMUNICATION AND DISCLOSURE OF DATA
Personal Data may be disclosed and, therefore, known and used by:
- collaborators, employees and interns of I-Com, in their capacity as authorised data processing personnel (so-called Data Processors) or appointed as Data Processors. With reference to these persons there is a legal obligation of confidentiality;
- companies or professionals that I-Com relies on to fulfil its obligations for the performance of professional services or in order to protect one’s own rights;
- third parties who provide services to I-Com and also act as Data Processors, that are individuals, companies or professional firms that provide assistance or advice to I-Com on administrative, financial, tax or labour law issues, or delegated subjects carrying out management and technical maintenance activities (including maintenance of network equipment and electronic communication networks);
- subjects with whom it is necessary to interact for the organisation of or participation in events/conferences/seminars;
- judicial or supervisory authorities, public administrations, public bodies and other bodies (national and foreign), for the fulfilment of legal obligations or for the prevention of abuse or fraud or by order of such subjects.
The updated list of Data Processors is stored at the registered office of the Joint Data Controllers.
Personal Data shall not be disseminated or subject to any fully automated decision-making process, unless this is necessary to fulfil obligations established by law or regulations.
TRANSFER OF DATA
Personal Data shall not be transferred to third countries or international organisations unless this is necessary for obligations established by law or regulations.
If, for these reasons, it is necessary to transfer Personal Data to third countries or international organisations, the provisions of Chapter V of the GDPR shall be observed.
RIGHTS OF THE INTERESTED
According to the purposes of the processing, the Interested is entitled to exercise the rights provided by Articles 15 and following of the GDPR, in particular the right to:
- access, that is obtain confirmation of the existence or not of Personal Data concerning them, to know its origin, as well as the logic and purposes at the base of the Processing, the recipients or categories of recipients to whom the data refers to and where the determination of the retention period can be communicated if it is possible to define such;
- correct inaccurate data;
- cancel (so-called “right to be forgotten”), in the case where data is no longer necessary with respect to the purposes of the collection and subsequent processing, or in the case whereby the Interested has revoked their consent to the processing (where such consent is provided as optional or there is no other legal basis for the processing);
- limit, when one of the following hypotheses referred to in Art. 18 of the GDPR occurs when: a) the Interested has contested the accuracy of the Personal Data (the limitation will continue for the period necessary for the Joint Data Controllers to verify the accuracy of such Personal Data); b) the processing is unlawful but the interested party has opposed the cancellation of their personal data, requesting, instead, that its use should be limited; c) although the Joint Data Controllers no longer need the data for the purposes of the Processing, the Personal Data of the Interested is used to ascertain, exercise or defend a right in court; d) the Interested has opposed the processing according to Art 21, para. 1 of the GDPR, and is awaiting verification of the possible prevalence of the legitimate reasons of the Joint Data Controllers regarding them.
In case of restricted Processing, the Personal Data shall be treated, except for storage, only with consent of the Interested or for ascertaining, exercising or defending a right in court or to protect the rights of another natural or legal person, or for reasons of significant public interest. We shall inform the Interested, in any case, before this limitation is revoked;
- practise portability, that is the right to receive the Personal Data concerning the Interested in a structured and commonly used and machine-readable format, with the possibility of transmitting it to another Data Owner. This right does not apply to non-automated processing (e.g., archives or paper registers); furthermore, only processed Data with the consent of the interested party shall be subject to portability and only if the data has been provided by the Interested themselves;
- oppose, that is, the right to oppose the processing for reasons related to the particular situation of the user;
- complain pursuant to Art. 77 et seq. of the GDPR, to be sent to the Garante per la Protezione dei Dati Personali, Piazza Venezia n° 11 – 00187 Rome (garante@gpdp.it; telephone (+39) 06 696771; fax (+39) 06 696773785).
According to Art. 7, para. 3 of the GDPR, the right to withdraw consent is recognised at any time by sending an e-mail to the Data Owner at daempoli@i-com.it and/or to the Privacy Contact at privacy.@i-com.it. The withdrawal of consent does not affect the lawfulness of the processing based on consent before the withdrawal.
The above-mentioned rights may be exercised in the forms and terms set out in Art. 12 of the GDPR, by communication sent by e-mail to the Data Owner at daempoli@i-com.it and/or to the Privacy Contact at privacy@i-com.it. The request will be provided, without delay, with suitable feedback.
CHANGES TO THIS PRESENT POLICY
The Joint Owners reserve the right to make changes to this policy by explicitly indicating its updates.
Users are invited to periodically check the policy and, in the case of non-acceptance of the changes made to this policy, to request the Joint Owners to delete their Personal Data. Unless otherwise specified, the Privacy Policy published on the website continues to apply to the Processing of Personal Data collected until the time of its replacement.
The information was updated on 26/07/2022.