PRIVACY POLICY

PREMISE

This Model sets out the technical and organizational measures that GLOBALTECH SOLUTIONS SAGL, in its capacity as Data Controller of your personal data, implements in order to ensure, and to be able to demonstrate, that the processing of personal data of natural persons who are European citizens or residents of the European Union, carried out directly by the Company or by third parties on its behalf, complies with EU Regulation 2016/679. The Regulation of 27 April 2016, the so-called “General Data Protection Regulation” (hereinafter “GDPR”), published in the Official Journal of the European Union on 4 May 2016, became fully operational and directly applicable in all Member States of the European Union from 25 May 2018. It pursues the aim of strengthening the protection of the personal data of natural persons both inside and outside the borders of the Union, i.e. regardless of the principle of territoriality, harmonizing the privacy rules of all Member States. Together with EU Directive 2016/680 of the same date, which concerns the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences, the Regulation constitutes the so-called “personal data protection package”.

The adoption of appropriate technical and organizational measures is required by Articles 24 et seq. of the GDPR, under which the internal policies and measures implemented to meet the principles of data protection by design and data protection by default must take into account, in practice, the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons.

In order to comply with this requirement, the preparation of this Model was preceded by a careful and critical audit, which examined the specific reality of the Company and assessed the impact of its processing on the protection of personal data.

DEFINITIONS

For the purposes of the GDPR, and in relation to the concepts specifically involved in the processing activities carried out, directly or indirectly, by GLOBALTECH SOLUTIONS SAGL, the following terms are defined pursuant to Article 4 GDPR:

1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

2. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

3. ‘restriction of processing’ means the marking of stored personal data with the aim of restricting their processing in the future;

4. ‘profiling’ means any form of automated processing of personal data consisting in the use of such personal data to assess certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to the professional performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements of that natural person;

5. ‘pseudonymisation’ means the processing of personal data in such a way that personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is stored separately and subject to technical and organisational measures to ensure that such personal data are not attributed to an identified or identifiable natural person;

6. ‘filing system’ (archive) means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

7. ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria applicable to its designation may be laid down by Union or Member State law;

8. ‘processor’ means the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

9. ‘recipient’ means the natural or legal person, public authority, agency or other body to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall comply with the applicable data protection rules according to the purposes of the processing;

10. ‘third party’ means the natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons authorised to process the personal data under the direct authority of the controller or processor;

11. ‘consent of the data subject’ means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

12. ‘personal data breach’ means a breach of security which accidentally or unlawfully involves the destruction, loss, modification, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

13. ‘genetic data’ means personal data relating to the hereditary or acquired genetic characteristics of a natural person which provide unambiguous information on the physiology or health of that natural person, and which result in particular from the analysis of a biological sample of the natural person concerned;

14. ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;

15. ‘health data’ means personal data relating to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information relating to his or her state of health;

16. ‘main establishment’ means:

  1. in the case of a controller with establishments in more than one Member State, the place of its central administration in the Union, unless decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to order the enforcement of those decisions, in which case the establishment which has taken such decisions shall be deemed to be the main establishment;
  2. as regards a processor with establishments in more than one Member State, the place of its central administration in the Union or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place, to the extent that the processor is subject to specific obligations under this Regulation;

17. ‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing in accordance with Article 27, represents them with regard to their respective obligations under this Regulation;

18. ‘undertaking’ means a natural or legal person, whatever its legal form, who pursues an economic activity, including partnerships or associations which regularly pursue an economic activity;

19. ‘group of undertakings’ means a group consisting of a controlling undertaking and the undertakings controlled by that undertaking;

20. ‘binding corporate rules’ means the personal data protection policies applied by a controller or processor established in the territory of a Member State to the transfer or set of transfers of personal data to a controller or processor in one or more third countries, within a group of undertakings or a group of undertakings carrying out a common economic activity;

21. ‘supervisory authority’ means an independent public authority established by a Member State in accordance with Article 51;

22. ‘supervisory authority concerned’ means a supervisory authority which is concerned by the processing of personal data because:

  1. the controller or processor is established on the territory of the Member State of that supervisory authority;
  2. data subjects residing in the Member State of the supervisory authority are or are likely to be substantially affected by the processing; or
  3. a complaint has been lodged with that supervisory authority;

23. ‘cross-border processing’ means:

(a) processing of personal data which takes place in the course of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or

(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union, but which substantially affects or is likely to substantially affect data subjects in more than one Member State;

24. ‘relevant and reasoned objection’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;

25. ‘information society service’ means the service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;

26. ‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

1) GENERAL DATA PROTECTION REGULATION (GDPR)

As mentioned, since 25 May 2018 the GDPR has been binding in its entirety and directly applicable in all Member States and, at the same time, has repealed Directive 95/46/EC, which previously governed the processing of personal data at Community level.

At the national level, the Privacy Code introduced by Legislative Decree no. 196/2003, which transposed the aforementioned Directive and the e-Privacy Directive (Directive 2002/58/EC), is currently in force in our country.

Although the Regulation prevails over domestic law, the GDPR does not entail the automatic repeal of the national legislation governing the same matter, but rather the disapplication in practice of those provisions of domestic law that conflict with the new European provisions, in favour of the new rules.

Moreover, Recital 10 of the GDPR expressly provides for “a margin of manoeuvre for Member States to specify its rules, including for the processing of special categories of personal data”.

The GDPR rests on three inspiring principles that permeate and support the entire regulatory system and whose observance is protected by a system of sanctions, outlined by Articles 83 et seq., characterized by substantial amounts: Data Controllers and Data Processors face administrative fines of up to 20 million euro or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, in addition to the criminal penalties provided for by national law.

These essential principles are those of:

  • accountability: the Regulation does not lay down a precise catalogue of technical and organizational measures, expressing itself solely in terms of their adequacy to the risk, “taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons” (Art. 32 GDPR). This is a profound innovation, as Data Controllers are entrusted with the task of independently deciding the methods, safeguards and limits of the processing of personal data, in compliance with the regulatory provisions and in the light of the specific criteria indicated in the Regulation. This requires an integrated, concrete and risk-based approach that involves all business areas and gives rise to proactive behaviour;
  • privacy by design, which requires the adoption of protective measures from the design phase of the processing;
  • privacy by default, which prescribes that, by default, only the data necessary for the specific purposes of the processing are used.

These basic inspiring principles are reflected in the so-called “pillars” of the GDPR, i.e. in its main operational innovations, such as:

A) The designation of the Data Protection Officer (Articles 37-39), understood as a key figure who must combine regulatory, technical and communication skills with a deep knowledge of the company’s structure and organization;

B) The establishment of the Register of processing activities (Art. 30 and Recital 82), which constitutes the starting point for the preparation of the entire documentary system and collects the evidence, controls and processes that satisfy the accountability requirements of the privacy system;

C) The data breach process (Articles 33 and 34), i.e. the notification of personal data breaches to the supervisory authority (where feasible within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk) and, where the breach is likely to result in a high risk, their communication to the data subjects. This requires careful analysis and knowledge of the information managed but, above all, technological investment in monitoring, securing and containing the damage that may result.

A direct corollary of the above-mentioned general principles of accountability, privacy by design and privacy by default is that full compliance with the GDPR requires that personal data be processed in accordance with the principles of lawfulness, fairness and transparency.

As under the previous legislation, processing is lawful when it rests on a legal basis which, without prejudice in any case to the Data Controller’s obligation to inform the data subject, may consist of one of the following:

  • consent of the data subject, which must be freely given, specific, informed and unambiguous, tacit or presumed consent not being allowed: it must, in other words, be expressed through an “unambiguous positive statement or action”. In addition, for the special categories of (“sensitive”) data referred to in Article 9, it must also be “explicit”; it need not be “documented in writing” nor given in “written form”, although this is the method best suited to demonstrating that it was given, that it is unambiguous and that it is “explicit”;
  • performance of a contract, i.e. the processing is lawful when it is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • compliance with a legal obligation to which the Data Controller is subject, in which case the purpose is specified by law;
  • vital interests of the data subject or of third parties, i.e. where processing is necessary to protect the vital interests of the data subject or of another natural person; this basis may be relied on only where none of the other conditions of lawfulness applies in practice;
  • overriding legitimate interest of the Data Controller or of the third parties to whom the data are disclosed, i.e. where processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child;
  • public interest or exercise of official authority, i.e. where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller (by Union or Member State law); in this case too the purpose must be specified by law.

Processing of personal data is fair if it is transparent towards the data subjects, i.e. personal data must be collected and processed for specified, explicit and legitimate purposes, without impropriety or deception towards the data subjects (confusing or partial information being therefore prohibited). Transparency is not only a fundamental principle of processing but also a genuine right of the data subject: the methods of collecting and using the data must be transparent and fair.

Data subjects must be informed about the purposes of the processing, the methods of processing and the identity and contact details of the Data Controller before the processing begins. The methods of processing must be explained in an understandable manner, so that data subjects are able to understand what will happen to their data.

The data subject must have at his or her disposal an effective and accessible procedure for obtaining access to his or her data within a reasonable time, and thus for knowing whether, and which, data are held by the Data Controller.

Any hidden or secret processing must therefore be considered unlawful. Data Controllers and Data Processors must guarantee to data subjects that their data will be processed lawfully and fairly and, as far as possible, in accordance with the data subjects’ wishes.

2) OBJECTIVE AND STRUCTURE OF THE MODEL

The objective of this Privacy Organizational Model is to guarantee, and to demonstrate, that the processing of personal data by GLOBALTECH SOLUTIONS SAGL takes place in a lawful, fair and transparent manner in the sense defined above. This is to be achieved through a well-structured internal management system that promotes a culture of privacy and of security of personal data, consolidating the rules of conduct that guarantee the transparency, security and fairness of processing operations and increasing the Company’s reliability towards its shareholders, customers, partners, consultants and employees.

A further consequence is the avoidance of the administrative fines referred to in Article 83 GDPR and of the criminal penalties provided for by national legislation, insofar as still in force: with the adoption of the Model, the Company is able to demonstrate the concrete, efficient and effective implementation of technical and organizational measures appropriate to the protection of the personal data it processes, directly or through the third parties who process them on its behalf.

This Organizational Model consists of ten sections that provide an overview of the overall system of technical and organizational measures which, on the basis of the concrete systemic and operational needs of GLOBALTECH SOLUTIONS SAGL, are considered adequate, and which contain the principles, organizational rules and control tools that ensure the lawful, fair and transparent processing of personal data.

Specifically:

  • Section 1, containing some general notes on the inspiring principles of the GDPR;
  • Section 2, illustrating the structure of this Model;
  • Section 3, dedicated to the corporate policy, i.e. the general principles of conduct adopted by GLOBALTECH SOLUTIONS SAGL in the processing of personal data, according to their type;
  • Section 4, illustrating the privacy roles involved;
  • Section 5, dedicated to the results of the risk assessment;
  • Section 6, listing the company databases and illustrating how data are archived;
  • Section 7, examining in depth the methods and tools of data processing, including from a physical-location point of view;
  • Section 8, concerning the security measures adopted against the risks noted above;
  • Section 9, containing brief notes on the information notice and consent as valid legal bases for the processing.

3) CORPORATE POLICY

For the pursuit of its purpose, GLOBALTECH SOLUTIONS SAGL carries out the activities  described below:

  • the provision of services in the context of online marketing;
  • the sale of online advertising space;
  • the sale of digital content such as video courses/consultancy on marketing and entrepreneurship;
  • the exercise of the e-commerce activity as an intermediary in online commerce;
  • the examination of the specific situation of each Customer in order to formulate an offer calibrated ad hoc to the needs of the individual user;
  • the company may carry out any further activity, similar or connected to the achievement of corporate purposes.

In carrying out these activities, GLOBALTECH SOLUTIONS SAGL  manages different types of personal data, namely:

  1. personal data in the strict sense referable to the legal representatives of companies supplying goods and services as well as professionals and external consultants;
  2. bank details of customers and suppliers.

In keeping with the accountability and risk-based approach of the GDPR, of primary importance, logically even before legally, is a correct perception of the “significance” of personal data, i.e. the fact that not all personal data are the same and that, consequently, not all must be protected in the same way: by way of example, health data are more delicate than other data and, consequently, GLOBALTECH SOLUTIONS SAGL, in the person of the Data Controller, has designed and applied a more robust protection system for them.

From this point of view, data encryption and pseudonymisation play a crucial role: they are two security measures that prove valuable especially in the event of an attack on archives, or in the case of data breaches, loss or theft of devices and other unwanted leaks of information, and this applies both when processing takes place with paper tools and when it takes place with IT tools. It should be borne in mind that pseudonymised data remain personal data (Recital 26 GDPR) as long as the additional information allowing re-identification exists, so the key or mapping table used for pseudonymisation must be kept separate from the pseudonymised data and protected in its own right.
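As an added example, not part of the original Model and not code from GLOBALTECH SOLUTIONS SAGL’s own systems, the following Python sketch shows pseudonymisation in the Art. 4(5) sense applied to a constructed customer record: the direct identifiers are replaced by a keyed pseudonym, the key and the reverse table are held in a separate “vault” object (standing in for separately stored, access-controlled additional information), and a dictionary attack by someone holding only the working data set succeeds against a bare hash but not against the keyed variant. The field names, the sample record and the IBAN are assumptions chosen for illustration.

```python
"""Pseudonymisation of a (constructed) customer record with a keyed hash.

The secret key and the pseudonym -> identity table are the 'additional
information' of Art. 4(5) GDPR and are held in a separate Vault object.
Added example; record layout and sample values are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Fields treated as direct identifiers (assumed record layout).
DIRECT_IDENTIFIERS = ("name", "email", "iban")


def canonical_identity(identity: dict) -> bytes:
    """Normalise identifying fields (collapsed whitespace, lower case) so the
    same person always yields the same pseudonym."""
    return "|".join(
        f"{k}={' '.join(identity[k].split()).lower()}" for k in DIRECT_IDENTIFIERS
    ).encode()


@dataclass
class Vault:
    """Secret key plus reverse table; must live apart from the working data."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    lookup: dict = field(default_factory=dict)

    def pseudonym(self, identity: dict) -> str:
        # HMAC, not a bare hash: without the key nobody can recompute the
        # pseudonym from a guessed identity (see dictionary_attack below).
        return hmac.new(self.key, canonical_identity(identity), hashlib.sha256).hexdigest()

    def pseudonymise(self, record: dict) -> dict:
        """Return a working copy with identifiers replaced by a pseudonym and
        remember the identity only in the separate lookup table."""
        identity = {k: record[k] for k in DIRECT_IDENTIFIERS}
        pid = self.pseudonym(identity)
        self.lookup[pid] = identity
        working = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        working["subject_id"] = pid
        return working

    def reidentify(self, working: dict) -> dict:
        """Re-attribute a working record to the person; only whoever holds
        the vault can do this."""
        identity = self.lookup[working["subject_id"]]
        rest = {k: v for k, v in working.items() if k != "subject_id"}
        return {**identity, **rest}


def unkeyed_pseudonym(identity: dict) -> str:
    """The weak variant: a bare SHA-256 of the identifiers, no secret."""
    return hashlib.sha256(canonical_identity(identity)).hexdigest()


def dictionary_attack(target: str, candidates: list, pseudonym_fn):
    """An attacker holding the working data set and a list of plausible
    identities (e.g. a leaked customer list) recomputes the pseudonym for
    every candidate and returns the matching identity, or None."""
    for cand in candidates:
        if hmac.compare_digest(pseudonym_fn(cand), target):
            return cand
    return None


def demo() -> dict:
    """Run the scenario on constructed data and report the outcomes."""
    # Constructed sample record; the IBAN is the usual documentation example.
    record = {
        "name": "Mario Rossi",
        "email": "M.Rossi@example.com",
        "iban": "IT60 X054 2811 1010 0000 0123 456",
        "invoice_total_eur": 1200,
    }
    vault = Vault()
    working = vault.pseudonymise(record)

    # Attacker's candidate list, formatted differently from the stored record.
    candidates = [
        {"name": "Anna Bianchi", "email": "a.bianchi@example.com",
         "iban": "IT00 X000 0000 0000 0000 0000 000"},
        {"name": "mario  rossi", "email": "m.rossi@example.com",
         "iban": "IT60 X054 2811 1010 0000 0123 456"},
    ]
    identity_only = {k: record[k] for k in DIRECT_IDENTIFIERS}
    return {
        "identifiers_removed": not any(k in working for k in DIRECT_IDENTIFIERS),
        "roundtrip_ok": vault.reidentify(working) == record,
        # Keyed pseudonym in the working set: the attacker cannot link it.
        "attack_on_keyed": dictionary_attack(working["subject_id"], candidates, unkeyed_pseudonym),
        # Same record pseudonymised with a bare hash: linkage succeeds.
        "attack_on_unkeyed": dictionary_attack(unkeyed_pseudonym(identity_only), candidates, unkeyed_pseudonym),
    }


if __name__ == "__main__":
    print(demo())
```

The point the vault makes is the one in Recital 26: the working data set is only pseudonymous with respect to whoever does not hold the key and the lookup table, so those two artefacts need their own storage, access control and backup regime, separate from the pseudonymised data, or the measure adds nothing in a breach.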

The legal bases for the processing of such data by GLOBALTECH SOLUTIONS SAGL are:

  • the performance of contractual and pre-contractual obligations to which GLOBALTECH SOLUTIONS SAGL is a party;
  • compliance with the legal obligations to which it is subject;
  • administrative and accounting purposes;
  • the legitimate interest of the Data Controller.

Each function of GLOBALTECH SOLUTIONS SAGL shall process only the personal data listed above and only within the scope of its own competence.

When managed in paper form, all documents are kept in locked cabinets and/or files inside the Company’s premises, which are themselves locked. Persons in charge are given precise instructions on the processing of paper data and documents, in particular on the electronic duplication of paper documents by scanning, in order to prevent their accidental total destruction, and on pseudonymisation when archiving documents.

When managed in electronic form, data and related documents are processed using personal computers, fixed and portable, as well as smartphones. All computer devices are protected by two levels of password: the first requested when the terminal is switched on and the second for access to the management IT platforms. Both passwords are known exclusively to the administrator of the computer device and to the system administrator. When using a PC other than his or her own, the user must in any case log in to the network with his or her own credentials. All electronic data management is handled in-house by the Data Controller, so that the risks associated with an outsourcing assignment do not arise, and this guarantees maximum technical capacity and attention to correct and protected data management.

All access credentials are kept with the utmost care. In the event of their theft or loss, the Data Protection Officer (Art. 37 of EU Regulation 679/2016) is involved immediately and, without delay, requires the System Administrator to block the stolen or lost credentials, to verify that no unauthorized access has occurred in the meantime, and to issue new authentication credentials which, on first access, must be changed by the person in charge under his or her sole responsibility.

In relation to the use of accounting software and of the system for recording employee attendance, there is also a Data Processor relationship, as defined by Article 28 GDPR and governed by a Data Processor appointment contract, arising from the outsourcing of IT services.

Where necessary or instrumental to the pursuit of the specific purposes, personal data are communicated, in addition to the internal staff of GLOBALTECH SOLUTIONS SAGL, to recipients appointed pursuant to Article 28 GDPR, who process them as Data Processors and/or as natural persons acting under the authority of the Data Controller or of the Processor, in order to comply with legal obligations, contracts or related purposes.

Precisely, the data may be communicated to recipients belonging to the following categories:

  • Partner companies or joint controllers of the processing of personal data;
  • Subjects that provide services for the management of the information system and communication networks of GLOBALTECH SOLUTIONS SAGL including e-mail;
  • Professional firms or companies in the context of assistance and consultancy relationships;
  • Competent authorities for the fulfilment of legal obligations and / or provisions of Public Bodies, upon request;
  • Credit Institutions and Insurance Companies.

The list of designated data processors is kept constantly updated and is available at the Company’s headquarters and on its IT portals. In no case are the data collected by GLOBALTECH SOLUTIONS SAGL disseminated or transferred abroad, either inside or outside the European Union, except as strictly necessary for the fulfilment of the contractual relationship provided for by the online marketing activity.

In compliance with Article 5(1)(e) GDPR, personal data are stored in a form that permits identification of the data subject for no longer than is necessary for the purposes for which the data are processed, or within the time limits laid down by law. The stored data are periodically checked for obsolescence in relation to the purposes for which they were collected, under the supervision of the Data Protection Officer.

4) DATA CONTROLLERS AND DATA PROCESSORS

The figures and functions involved in  GLOBALTECH SOLUTIONS SAGL  in the protection of individuals with regard to the processing of personal data are:

A) DATA CONTROLLER

As a rule, it is the Company GLOBALTECH SOLUTIONS SAGL itself that performs this function, and on it consequently fall all the obligations and responsibilities that Italian and European law impose on the Data Controller, first of all the obligation to implement, review and update appropriate technical and organizational measures to ensure, and to be able to demonstrate, that the processing it carries out complies with the GDPR.

With regard to the liability regime, GLOBALTECH SOLUTIONS SAGL, as Data Controller, is liable for the material or non-material damage caused to any data subject by an infringement of the GDPR, unless it proves that it is in no way responsible for the event giving rise to the damage. In addition, GLOBALTECH SOLUTIONS SAGL is liable for the administrative fines imposed by the Supervisory Authority, whose maximum amount under the GDPR for the most serious infringements is 20 million euros or up to 4% of total annual worldwide turnover, whichever is higher.

B) DATA PROCESSOR

Article 28 GDPR defines the Data Processor as the subject that processes personal data on behalf of the Data Controller and that provides sufficient guarantees to implement appropriate technical and organizational measures in such a way that the processing meets the requirements of the GDPR and ensures the protection of the rights of the data subject.

Since this is not prohibited, and is highly appropriate in order to guarantee the effective application and supervision of the GDPR rules in line with a prudential approach aimed at maximum compliance, GLOBALTECH SOLUTIONS SAGL assumes the role of Data Processor in those situations in which it carries out intermediary activities in online commerce in the e-commerce sector.

The internal Data Processors identified are the referents of the following functions:

– purchases and contracts;

– administration, finance, human resources, general services and information systems.

Likewise, the contract appointing “external” Data Processors takes the form of an addendum to existing contracts and is integrated into the contractual text for new assignments, without prejudice to the periodic review by the Data Protection Officer of the template appointment contracts attached to this Organizational Model.

As for the liability regime, Data Processors are liable for the damage caused by processing only where they have not complied with the obligations of the GDPR specifically directed to processors, or where they have acted outside or contrary to the lawful instructions of the Data Controller GLOBALTECH SOLUTIONS SAGL.

They are exempt from liability for damages if they prove that they are in no way responsible for the event giving rise to the damage. They are also liable for the administrative fines imposed by the Supervisory Authority on the same terms and in the same manner as the Data Controller.

5) RISK ASSESSMENT

In order to implement the actions aimed at adapting to EU Regulation 679/2016 on personal data, a survey of the current organization and of the existing documentation on privacy and on the technical measures in use was carried out.

In particular, with the help of external consultants, the main organizational and procedural documentation was examined; in the light of this analysis, a specific questionnaire was prepared aimed at identifying the main risks of non-compliance with EU Regulation 679/2016.

This questionnaire was used as a benchmark during the interviews.

On the basis of the information and assessments gathered, and of the existing safeguards mitigating the identified risks, each risk was assessed in terms of its probability, the economic impact that could result from it, and its detectability in relation to the preventive controls in place.

 For the assessment of these risks, a scale of values on 5 levels was used:

With regard to the assessment of risk detectability, on the other hand, the main elements considered relate to:

  • complete and formalised procedures;
  • adequate controls and traceability;
  • defined organizational responsibilities.

The risk analysis carried out was self-evaluative, supported by a critical analysis of the evaluations expressed, performed by external consultants, whose contribution made it possible to carry out an analysis as close as possible to the company's actual situation.

For each risk, the risk ranking (IPR) was identified, calculated on the basis of the following variables:

– Gross risk: average between the probability of the risk and the possible economic impact;

– Net residual risk: gross risk net of the level of detectability of the risk.

In order to represent the results of the Risk Assessment in a synthetic way, the Risk Matrix was therefore built, which shows the assessment of the risks to which each reference company function is exposed.

The color of each cell is a function of the gross / net residual risk assessment, according to a scale of values ranging from 1 to 5.
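The risk-ranking method described above (gross risk as the average of probability and economic impact, net residual risk as gross risk reduced by detectability, both on a 1 to 5 scale, then grouped per company function into a matrix) can be made concrete in code. The following is an added worked example written for this page; it is not the company's own tool or register. The risk entries are constructed sample values, and two details the text leaves open are assumptions labelled in the code: "net of detectability" is implemented as subtracting one point per detectability level above 1 (so a detectability of 1, meaning no controls, leaves the gross risk unchanged), and the colour bands (green/amber/red) are an assumed mapping onto the 1 to 5 scale.

```python
"""Risk ranking (IPR) and Risk Matrix builder.

Added example for the GDPR risk-assessment method described in the text.
All risk entries below are CONSTRUCTED sample data, not the company's register.
"""
from dataclasses import dataclass
from collections import defaultdict
from statistics import mean

SCALE_MIN, SCALE_MAX = 1, 5  # the 5-level scale used for every variable


def _check_level(name, value):
    """Reject values outside the 1..5 scale instead of silently clamping input."""
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{name} must be between {SCALE_MIN} and {SCALE_MAX}, got {value}")


def clamp(x):
    """Keep a derived score inside the 1..5 scale."""
    return max(SCALE_MIN, min(SCALE_MAX, x))


def gross_risk(probability, impact):
    """Gross risk: average between probability of the risk and economic impact."""
    _check_level("probability", probability)
    _check_level("impact", impact)
    return (probability + impact) / 2


def net_residual_risk(gross, detectability):
    """Net residual risk: gross risk net of detectability.

    ASSUMPTION: each detectability level above 1 removes one point from the
    gross risk; the result is clamped back onto the 1..5 scale.
    """
    _check_level("detectability", detectability)
    return clamp(gross - (detectability - 1))


def band(score):
    """Map a 1..5 score to the matrix cell colour (ASSUMED thresholds)."""
    if score <= 2:
        return "low"      # green
    if score <= 3.5:
        return "medium"   # amber
    return "high"         # red


@dataclass(frozen=True)
class Risk:
    function: str        # company function exposed to the risk
    description: str
    probability: int
    impact: int
    detectability: int


def assess(risk):
    """Return the IPR row for one risk."""
    gross = gross_risk(risk.probability, risk.impact)
    net = net_residual_risk(gross, risk.detectability)
    return {
        "function": risk.function,
        "risk": risk.description,
        "gross": gross,
        "gross_band": band(gross),
        "net": net,
        "net_band": band(net),
    }


def build_risk_matrix(register):
    """Group assessed risks by company function (the rows of the Risk Matrix)."""
    matrix = defaultdict(list)
    for risk in register:
        row = assess(risk)
        matrix[row["function"]].append(row)
    return dict(matrix)


def overall_net(register):
    """Average net residual risk across the whole register."""
    return mean(assess(r)["net"] for r in register)


# CONSTRUCTED sample register (function, description, probability, impact, detectability)
RISK_REGISTER = [
    Risk("Administration", "Loss of paper records in a fire", 1, 5, 4),
    Risk("Administration", "Removable media with personal data misplaced", 3, 3, 2),
    Risk("IT", "Shared account on management software", 4, 3, 5),
    Risk("Management secretariat", "Contract data sent to wrong recipient", 2, 2, 3),
]

if __name__ == "__main__":
    for function, rows in build_risk_matrix(RISK_REGISTER).items():
        print(function)
        for row in rows:
            print(f"  {row['risk']}: gross {row['gross']} ({row['gross_band']}), "
                  f"net {row['net']} ({row['net_band']})")
    print("overall net residual risk:", overall_net(RISK_REGISTER))
```

With the sample register the overall net residual risk comes out at 1.25, i.e. "very low", which is the kind of summary figure the text reports for its 27 mapped risks; the useful part for a practitioner is that the input validation and the explicit detectability rule make the method auditable, which a spreadsheet with hand-entered colours is not.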

On the basis of the possible risks identified and the assessments carried out, the following is the list of risks with the relative assessment:

From the analysis carried out, 27 risks were mapped, showing an overall very low net risk.

In the risk analysis activity, the need to carry out an impact assessment with reference to the processing of data that “may present a high risk to the rights and freedoms of natural persons” was also assessed.

The analysis carried out did not reveal the need to carry out a detailed impact assessment (so-called DPIA) in the strict sense, as none of the conditions referred to in paragraph 1, or in letters a), b) and c) of paragraph 2, of art. 25 of the GDPR is met: GLOBALTECH SOLUTIONS SAGL does not, in fact, make use of new technologies to carry out types of processing characterized by a high risk for the rights and freedoms of natural persons, nor does it carry out systematic and global evaluation of personal aspects of natural persons based on automated processing.

In the event that, over time, one of the aforementioned conditions should arise, the analysis and evaluation of these risks will be carried out again, with the collaboration of the DPO, and the need to carry out an impact assessment in the technical sense will be assessed.

6) COMPANY DATABASES AND ARCHIVING METHODS

The IT systems of GLOBALTECH SOLUTIONS SAGL are managed independently by the data controller. The management of the databases and, consequently, of the personal data contained therein is entrusted to the same data controller, who takes on all the burden of training and technological adaptation related to them.

Based on the assigned authorization profile, the System Administrator operates on the IT infrastructure that resides at the offices of 6900, Lugano (TI), Via Zurigo n. 35.

The following table shows the databases managed and the description of the areas of operation:

7) AREAS, PREMISES, TREATMENT TOOLS

The processing of data takes place, in the manner set out below, both at the legal and operational site, located in 6900, Lugano (TI), Via Zurigo n. 35, and in all the operational offices that will open in the future.

Access to the building where the company premises are located is also allowed to the public and takes place from a single entrance, located at the same address, which is subject to uninterrupted supervision. Access is not permitted without authorization, or at night.

The rooms and premises in which management secretarial activities are carried out, as well as administrative activities, are reserved; access to these premises is subject to uninterrupted supervision during working and office opening hours and is permitted only to authorized persons. The server room is located inside the rooms assigned to the administrative activity, with access limited to authorized persons; the entrance is equipped with a lock. The devices contained in it comply with safety regulations.

The paper supports, including those containing images, are collected in files located at the headquarters, in the respective offices of competence, and placed in cabinets or rooms with key locks, with access allowed only to authorized persons. In these archives are kept the documents of common and continuous use, as well as those that have reached the end of the operating cycle. All documents are archived by protocol; it has been recommended to scan them and set up an electronic archive.

With reference to the tools used and the types of data processed, it should be noted that:

  • Common data are processed both on paper and by electronic means;
  • The computers present are networked with each other and have only an internet connection filtered by anti-intrusion systems (firewall).

Below is a summary table of the structure competent for data processing and the relative description of the treatment:

8) SECURITY MEASURES TAKEN

In the light of the risk factors and areas identified in this Model, the following measures have been adopted to ensure:

– the protection of the areas and premises where the processing of personal data takes place;

– the correct storage and custody of documents, records and media containing personal data;

– logical security, in the field of electronic instruments.

With regard to the risk that data will be damaged or lost as a result of destructive events, the premises where the data processing takes place are protected by:

– fire-fighting devices required by current legislation;

– uninterruptible power supply;

– air conditioning system.

For the processing carried out with electronic instruments, the following measures are existing and operational:

  • creation and management of an IT authentication system in order to ascertain the identity of the people who have access to electronic tools (access profile for the network and for application and management software);
  • the company’s policies guarantee the security of all circulating data, through the control of authorizations and the definition of the types of data to which the persons in charge can access and use according to the work duties;
  • protection of tools and data from malfunctions and cyber attacks through centralized firewalls and antivirus;
  • prescription of the appropriate precautions for the storage and use of removable media, containing personal data.

The following sheets show what measures are taken to protect IT tools from the risks identified:

In addition, the company provides human resources with regular training and information on the topics covered by this Model, in order to raise the culture of correct and safe data management.

9) INFORMATION AND CONSENTS

The obligation to provide information is the main obligation imposed by the GDPR on the Data Controller, whose non-fulfillment, moreover, is sanctioned with the application of the most severe sanctions.

GLOBALTECH SOLUTIONS SAGL fulfils this obligation by making available to the interested parties a privacy policy that, in addition to being fully compliant in content with the provisions of Article 13 of the GDPR, is also detailed beyond what is strictly necessary, having provided, in addition to general information valid for each interested party, also diversified specific information depending on the categories of recipients. This is in order to ensure that each interested party can concretely benefit from a complete information framework.

The achievement of the objective of GLOBALTECH SOLUTIONS SAGL to be fully compliant with the GDPR, moreover, necessarily passes through the foundations of lawfulness of data processing, i.e. compliance with the principle that each processing must rest on an appropriate legal basis.

The legal bases on which to found the lawfulness of the processing are indicated in Article 6 of the GDPR and coincide, roughly, with those currently provided for by the Privacy Code: express consent, fulfilment of current obligations, legal obligations to which the Data Controller is subject. A direct consequence is that obtaining and managing consent is not mandatory for all personal data processing activities, as it is only one of the many tools for legitimizing processing activities.

Among the legal bases for the processing of data recognized by the GDPR and suitable to found the processing of data by GLOBALTECH SOLUTIONS SAGL are:

1) legal obligations and legal compliance, which represent the most severe and precise, but also the optimal, basis for the processing of data, implying the existence of at least one legal provision that requires, and thereby justifies, the processing of the data;

2) contractual fulfilment, whether indispensable to execute the  existing contract with the interested party or to stipulate a new contract, with the clarification that in relation to the pre-contractual measures the start of the processing phases must be carried out on the initiative of the interested party;

3) legitimate interests, which, although ambiguous, offer the possibility of developing a justification for the processing of data without managing the consent of the interested parties, but are valid only in situations where the interests, rights or freedoms of the interested parties do not prevail over the interests of the Data Controller;

4) the consent of the interested party, which must reflect the discretionary action of the interested party through a structured and unambiguous positive response, given freely, to the processing of their personal data.

Also in this context, going beyond what is strictly indispensable, GLOBALTECH SOLUTIONS SAGL has prepared diversified consent models depending on the category of interested parties and the specific purposes for which consent is given, in order to make consent as aware and informed as possible.

This Privacy Organizational Model is subject to verification and possible annual updating.

Document updated on December 12th 2021