The protection of personal data is an important commitment for Gabbiani & Associati s.r.l. (hereinafter "Gabbiani" or "Company").
The entry into force of "Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data" (hereinafter "GDPR") represented the opportunity to further adapt the activities carried out by the Company to the principles of transparency and protection of personal data, in compliance with the fundamental rights and freedoms of all data subjects, whether employees, partners, customers, suppliers or third parties interested in receiving information.
Gabbiani has thus implemented a "Privacy Governance Model" (PGM), as summarised herein, aimed at analysing all data processing operations, organising them functionally and managing them securely and transparently. This section of the site also contains information on the rights of data subjects and the methods by which they can exercise such rights with regard to the data controller.
1 - GDPR PRIVACY GOVERNANCE MODEL
1.1 - SUBJECTS
1.2 - RISK ANALYSIS AND MEASURES TO PREVENT PRIVACY RISKS
2 - TRANSPARENCY AND RIGHTS OF DATA SUBJECTS
2.1 - RIGHTS REGARDING THE PROTECTION OF PERSONAL DATA
Gabbiani & Associati s.r.l. (hereinafter also the "Data Controller")
Contrà Sant'Ambrogio n. 5 - 36100 Vicenza
Tel. +39 0444323907
Tax code: 02390370241
PERSONS AUTHORISED TO PROCESS DATA (pursuant to article 29 of the GDPR)
The PGM requires all employees/members of the DATA CONTROLLER to process only such data as is essential to carry out their duties, in accordance with the Company's internal organisation and above all for the purposes specified and notified to the data subject ("purpose limitation and data minimisation" as per article 5 paragraph 1, letters b) and c) of the GDPR). Consequently, processing operations have been divided into uniform areas of persons authorised to process personal data, limiting employees/members in each area to a specific form of processing. Each authorised person has received specific instructions from the DATA CONTROLLER regarding the processing of personal data. Persons are assigned to specific processing areas after careful analysis of the structure and organisation of the Company, as well as of the flow of data both inside and outside the Company; the assignment is summarised in a specific internal form that accurately identifies the scope of processing of each area.
The employee/collaborator has also received internal regulations on the use of IT tools and rules of conduct on all information accessed by virtue of their specific duties. To effectively ensure compliance with the principles regarding the processing of personal data, the DATA CONTROLLER has also provided training and refresher courses on the subject for its employees/collaborators who, by virtue of their duties, carry out processing of personal data.
SYSTEM ADMINISTRATORS (OUTSIDE AND INSIDE PARTIES)
The DATA CONTROLLER uses computer systems to manage and organise its activities. For this reason, attention to the construction of the software, to the methods by which it is used and to data security has always been the basis for the activities performed by the DATA CONTROLLER.
The specialist outside companies that access the Company's data are specifically appointed as External Processors and/or External System Administrators pursuant to article 28 of the GDPR. Suppliers of external IT services are chosen with particular attention to their professionalism, not only from a technical point of view, but also in relation to respect for and protection of data, using certified companies where possible.
DATA PROCESSORS (article 28, GDPR)
In principle, the DATA CONTROLLER manages almost all of the processing activities internally. Cases in which some data processing activities are outsourced to third parties on behalf of the DATA CONTROLLER are appropriately specified in the individual information notices. In these cases, the relationship with the third party is governed by a specific contract for the appointment of "Data Processor" pursuant to article 28 of the GDPR.
The DATA CONTROLLER entrusts such processing activities to outside parties that provide sufficient guarantees regarding the implementation of appropriate technical and organisational measures to meet the requirements of the GDPR and ensure the protection of data subjects' rights.
According to the principle of accountability, the DATA CONTROLLER is responsible for implementing a series of measures - organisational, physical, legal, technical and IT - aimed at preventing the risk of violation of the rights and personal freedoms of data subjects. To achieve this goal, continuous risk analysis is carried out, depending on the type of processing, the tools used and the type and amount of data processed.
PROCESSING RECORDS (pursuant to article 30 GDPR) AND DATA PROTECTION IMPACT ASSESSMENT (pursuant to article 35 GDPR)
The PGM establishes careful, constant assessment of the risks involved in the processing of personal data, identified for each activity or service provided, through records of processing activities, pursuant to article 30 paragraph 1 of the GDPR.
Having analysed the processing activities carried out by the DATA CONTROLLER, it is believed that to date there are no activities with risks such as to require a specific impact assessment pursuant to article 35 of the GDPR ("DPIA").
The DATA CONTROLLER, in this case too, considers it essential to inform data subjects of the existence of certain rights regarding the protection of their personal data, as listed below.
- Right to be informed (transparency of processing)
As a data subject you have the right to be informed on how the DATA CONTROLLER processes your personal data, for which purposes and on other information provided for by article 13 of the GDPR. In this regard, the DATA CONTROLLER has established organisational processes that allow, when personal data is acquired or requested, an information notice to be provided that has been created specifically for the category that the data subject belongs to (employee, customer, supplier, etc.). This document provides adequate information to all subjects that the data refer to on how processing is managed by the DATA CONTROLLER. The information notice is available on specific request sent to the DATA CONTROLLER.
- Right to withdraw consent (article 13)
You have the right to withdraw consent at any time for all processing activities for which your consent is legally required. The withdrawal of consent does not affect the lawfulness of processing based on consent before withdrawal.
- Right of access to data (article 15)
You may request a) the purposes of the processing; b) the categories of personal data concerned; c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; f) the right to lodge a complaint with a supervisory authority; g) where the personal data are not collected from the data subject, any available information as to their source; h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. You have the right to obtain a copy of the personal data being processed.
- Right to rectification (article 16)
You have the right to obtain the rectification of inaccurate personal data and the right to have incomplete personal data completed.
- Right to be forgotten (article 17)
You have the right to obtain from the data controller the erasure of your personal data if such personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, if consent is withdrawn, if there are no overriding legitimate grounds for the processing, if the data have been unlawfully processed, if the data must be erased for compliance with a legal obligation, or if the data relate to web services provided to children without the required consent. The data may be erased unless the right to freedom of expression and information prevails; they may also be further retained for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims.
- Right to restriction of processing (article 18)
You have the right to obtain restriction of processing from the data controller when you have contested the accuracy of the personal data (for a period enabling the data controller to verify the accuracy of the personal data), or if the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead, or if the controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims.
- Right to data portability (article 20)
You have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format and the right to transmit those data to another controller, where the processing is based on consent or on a contract and is carried out by automated means, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, and provided that such transmission does not adversely affect the rights and freedoms of others.
- Right to object (article 21)
You have the right to object at any time, in whole or in part, to the processing of your personal data, including processing for direct marketing purposes, unless the controller demonstrates compelling legitimate grounds for the processing.
- Right to lodge a complaint with the Data Protection Authority (article 77)
Without prejudice to any other administrative or judicial remedy, if you consider that the processing of your personal data infringes the Regulation, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement.