This Model collects the technical and organizational measures that GLOBALTECH SOLUTIONS SAGL, in its capacity as Data Controller of your personal data, implements to ensure, and be able to demonstrate, that the processing activities it carries out directly, or that third parties carry out on its behalf, on the personal data of natural persons who are European citizens or residents of the European Union comply with EU Regulation 2016/679. The Regulation of 27 April 2016, the so-called “General Data Protection Regulation” (hereinafter “GDPR”), published in the Official Journal of the European Union on 4 May 2016, became fully operational and directly applicable in all Member States of the European Union from 25 May 2018. It pursues the aim of strengthening the protection of the personal data of natural persons both inside and outside the European borders, therefore regardless of the principle of territoriality, and of harmonizing the privacy rules of all Member States. Together with EU Directive 2016/680 of the same day, concerning the processing of personal data solely in the context of the prevention and prosecution of criminal offences, the Regulation constitutes the so-called “personal data protection package”.
The adoption of appropriate technical and organizational measures is imposed by Articles 24 et seq. of the GDPR, according to which the internal policies and measures to be implemented to meet the principles of data protection by design and by default must take into account, in practice, the nature, scope, context and purposes of the processing, as well as the risks to the rights and freedoms of natural persons.
In order to comply with this requirement, the preparation of this Model therefore required a prior, careful and critical audit, which made it possible to examine the specific situation of the Company and to assess the impact of its activities on the protection of personal data.
For the purposes of the GDPR, and with reference to the concepts specifically involved in the processing activities carried out directly or indirectly by GLOBALTECH SOLUTIONS SAGL, the following terms are defined pursuant to Article 4 GDPR:
1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
2. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
3. ‘restriction of processing’ means the marking of stored personal data with the aim of restricting their processing in the future;
4. ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
5. ‘pseudonymisation’ means the processing of personal data in such a way that personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is stored separately and subject to technical and organisational measures to ensure that such personal data are not attributed to an identified or identifiable natural person;
6. ‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
7. ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria applicable to its designation may be laid down by Union or Member State law;
8. ‘processor’ means the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
9. ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall comply with the applicable data protection rules according to the purposes of the processing;
10. ‘third party’ means the natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons authorised to process the personal data under the direct authority of the controller or processor;
11. ‘consent of the data subject’ means any free, specific, informed and unequivocal expression of the data subject’s wishes by which the data subject expresses his or her consent, by means of an unequivocal declaration or positive action, that personal data concerning him or her should be processed;
12. ‘personal data breach’ means a breach of security which accidentally or unlawfully involves the destruction, loss, modification, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
13. ‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
14. ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
15. ‘health data’ means personal data relating to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information relating to his or her state of health;
16. ‘main establishment’ means:
17. ‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing in accordance with Article 27, represents them with regard to their respective obligations under this Regulation;
18. ‘undertaking’ means a natural or legal person, whatever its legal form, who pursues an economic activity, including partnerships or associations which regularly pursue an economic activity;
19. ‘group of undertakings’ means a group consisting of a controlling undertaking and the undertakings controlled by that undertaking;
20. ‘binding corporate rules’ means the personal data protection policies applied by a controller or processor established in the territory of a Member State to the transfer or set of transfers of personal data to a controller or processor in one or more third countries, within a group of undertakings or a group of undertakings carrying out a common economic activity;
21. ‘supervisory authority’ means an independent public authority established by a Member State in accordance with Article 51;
22. ‘supervisory authority concerned’ means a supervisory authority which is concerned by the processing of personal data because:
23. ‘cross-border processing’ means:
(a) processing of personal data which takes place in the course of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union, but which substantially affects or is likely to substantially affect data subjects in more than one Member State;
24. ‘relevant and reasoned objection’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;
25. ‘information society service’ means the service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;
26. ‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
1) GENERAL DATA PROTECTION REGULATION (GDPR)
As mentioned, as of 25 May 2018 the GDPR became binding in its entirety and directly applicable in all Member States and, at the same time, repealed Directive 95/46/EC, which until then regulated the processing of personal data at Community level.
At national level, the Privacy Code introduced by Legislative Decree no. 196/2003, which transposed the aforementioned Directive and the e-Privacy Directive (Directive 2002/58/EC), is currently in force in our country.
Although the Regulation prevails over domestic law, the GDPR does not entail the automatic repeal of the national law regulating the same matter, but rather the disapplication in practice of those provisions of internal law that conflict with the new European provisions, in favour of the new rules.
Moreover, recital 10 of the GDPR expressly provides for “a margin of manoeuvre for Member States to specify its rules, including for the processing of special categories of personal data”.
The GDPR rests on three guiding principles, which permeate and support the entire regulatory system and whose observance is protected by a system of sanctions, outlined in Articles 83 et seq., characterised by the significant amounts that may be imposed on Data Controllers and Data Processors: administrative fines of up to EUR 20 million or up to 4% of total annual worldwide turnover, whichever is higher, in addition to the criminal penalties provided for by national law.
These essential principles are those of:
These guiding principles are reflected in the so-called “pillars” of the GDPR, i.e. in its main operational innovations, such as:
A) The designation of the Data Protection Officer (Articles 37-39),
understood as a key figure who must combine regulatory, technical and communication skills with a deep knowledge of the company’s structure and organization;
B) The establishment of the Register of processing activities (Article 30 and recital 171), which constitutes the starting point for the preparation of the entire documentation system and collects the evidence, controls and processes that allow the accountability of the privacy system to be demonstrated;
C) The data breach process (Articles 33 and 34), i.e. the notification of personal data breaches, which requires careful analysis and knowledge of the information managed, but above all technological investment in the methods of monitoring, securing and containing the damage that may result.
A direct corollary of the above general principles of accountability, privacy by design and privacy by default is that full compliance with the GDPR requires that personal data be processed according to the principles of lawfulness, fairness and transparency.
As under the previous legislation, processing is lawful when it rests on a legal basis which, without prejudice in any case to the obligation to provide the information notice on the Data Controller, may consist of one of the following:
The processing of personal data is fair if it is transparent towards the data subjects, i.e. the personal data must be collected and processed for specified, explicit and legitimate purposes, without impropriety or deception towards the data subjects (confusing or partial information is therefore prohibited). Transparency is not only a fundamental principle of processing but also a genuine right of the data subject: the methods of collecting and using the data must be transparent and fair.
Data subjects must be informed of the purposes of the processing, the methods of processing and the identity and address of the data controller before the processing begins. The methods of processing must be explained in an understandable manner, so that data subjects are able to understand what will happen to their data.
The data subject must have at their disposal an effective and accessible procedure to obtain access to their data within a reasonable time, and therefore to know whether and which data the controller holds.
Any hidden or secret processing must therefore be considered unlawful. Controllers and processors must guarantee to data subjects that the data will be processed lawfully and fairly and, as far as possible, in accordance with the data subjects’ wishes.
2) OBJECTIVE AND STRUCTURE OF THE MODEL
The objective of this Privacy Organizational Model is to guarantee and demonstrate that the processing of personal data by GLOBALTECH SOLUTIONS SAGL takes place in a lawful, fair and transparent manner, as defined above. This is to be achieved through a well-structured internal management system that promotes a culture of privacy and security of personal data, consolidates the rules of conduct suitable to guarantee the transparency, security and fairness of processing operations, and increases the Company’s reliability towards its shareholders, customers, partners, consultants and employees.
A further consequence is the avoidance of the administrative fines referred to in Article 83 GDPR, as well as of the criminal penalties provided for by national legislation insofar as still in force, since the adoption of the Model makes it possible to demonstrate the concrete, efficient and effective implementation of the technical and organizational measures appropriate to protect the personal data processed by the Company, directly or through third parties acting on its behalf.
This Organizational Model consists of ten sections, which provide an overview of the overall system of technical and organizational measures considered adequate on the basis of the concrete systemic and operational needs of GLOBALTECH SOLUTIONS SAGL, and contain the principles, organizational rules and control tools that ensure the lawful, fair and transparent processing of personal data.
3) CORPORATE POLICY
For the pursuit of its purpose, GLOBALTECH SOLUTIONS SAGL carries out the activities described below:
In carrying out these activities, GLOBALTECH SOLUTIONS SAGL manages different types of personal data, namely:
In keeping with the accountability and risk-based approach of the GDPR, it is of primary importance, logically even before legally, to correctly perceive the “significance” of personal data: not all personal data are the same and, therefore, not all must be protected in the same way. By way of example, health data are more sensitive than others and, consequently, GLOBALTECH SOLUTIONS SAGL, in the person of the Data Controller, has designed and applied a more robust protection system for them.
From this point of view, data encryption and pseudonymisation play a crucial role: they are two security measures that prove especially valuable in the event of an attack on archives, of a data breach, of loss or theft of devices and of other unwanted leaks of information, and they apply both when processing takes place with paper tools and when it takes place with IT tools.
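The following is an added worked example, not code from the GLOBALTECH SOLUTIONS SAGL Model, showing what the Article 4(5) definition of pseudonymisation means in practice: direct identifiers are replaced by a keyed token, and the “additional information” needed to re-identify a person (the secret key and the token-to-subject map) is kept in a separate object with its own access control. The records, the PseudonymVault class and all function names are assumptions made for illustration; it also shows why an unkeyed hash of an e-mail address is not an adequate pseudonym.

```python
"""Keyed pseudonymisation with the re-identification data held apart.

Added example for this page; not part of the GLOBALTECH SOLUTIONS SAGL Model.
Names, records and the PseudonymVault class are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample records (fictional people, not real customer data).
RECORDS: List[dict] = [
    {"name": "Anna Rossi", "email": "Anna.Rossi@example.org", "order": 1041, "country": "CH"},
    {"name": "Luca Bianchi", "email": "luca.bianchi@example.org", "order": 1042, "country": "IT"},
    {"name": "Anna Rossi", "email": "anna.rossi@example.org", "order": 1057, "country": "CH"},
]
DIRECT_IDENTIFIERS = ("name", "email")


class PseudonymVault:
    """Holds the 'additional information' of Art. 4(5) GDPR: the secret key and the
    token -> subject map. In a real deployment this lives in a separate store with
    its own access control, never alongside the pseudonymised dataset."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)
        self._lookup: Dict[str, Tuple[str, str]] = {}

    def token_for(self, name: str, email: str) -> str:
        # Normalise the identifier so the same person always yields the same token,
        # which keeps the rows of one data subject joinable after pseudonymisation.
        subject = email.strip().lower()
        # HMAC (keyed) rather than a bare hash: without the key nobody can recompute
        # the token from a guessed e-mail address. 64 bits of the digest are kept.
        token = hmac.new(self._key, subject.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
        self._lookup[token] = (name, email)
        return token

    def reidentify(self, token: str) -> Tuple[str, str]:
        """Only the holder of the vault can go back from token to person."""
        return self._lookup[token]


def pseudonymise(records: List[dict], vault: PseudonymVault) -> List[dict]:
    """Strip direct identifiers and replace them with a keyed token."""
    out = []
    for rec in records:
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["subject_id"] = vault.token_for(rec["name"], rec["email"])
        out.append(row)
    return out


def contains_direct_identifiers(rows: List[dict]) -> bool:
    """Check a dataset before it leaves the protected environment."""
    return any(k in DIRECT_IDENTIFIERS for row in rows for k in row)


def unkeyed_hash(email: str) -> str:
    """What NOT to do: a plain SHA-256 of the identifier."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def reverse_unkeyed_hash(digest: str, candidate_emails: List[str]) -> Optional[str]:
    """Anyone holding a list of likely e-mail addresses can link an unkeyed hash
    back to the person simply by recomputing it; no secret is needed."""
    for email in candidate_emails:
        if hmac.compare_digest(unkeyed_hash(email), digest):
            return email
    return None


def reverse_keyed_token(token: str, candidate_emails: List[str]) -> Optional[str]:
    """The same dictionary attack against a keyed token, run without the vault's
    key (the attacker can only guess a key), finds nothing."""
    attacker_vault = PseudonymVault()  # a fresh, wrong key
    for email in candidate_emails:
        if hmac.compare_digest(attacker_vault.token_for("?", email), token):
            return email
    return None


if __name__ == "__main__":
    vault = PseudonymVault()
    rows = pseudonymise(RECORDS, vault)
    for row in rows:
        print(row)
    print("direct identifiers left:", contains_direct_identifiers(rows))
    print("re-identified:", vault.reidentify(rows[1]["subject_id"]))
```

Two rows for the same person receive the same token, so the pseudonymised dataset remains usable for analysis, while a dataset pseudonymised under a different key cannot be linked to this one. If the vault is stored next to the dataset, or the key is shared with whoever receives the dataset, the measure no longer meets the definition.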
The legal basis for the processing of such data by GLOBALTECH SOLUTIONS SAGL is represented by:
Each function of GLOBALTECH SOLUTIONS SAGL processes the personal data listed above within the limits of its own competence.
Where managed in paper form, all documents are kept in locked cabinets and/or filing cabinets inside the Company’s premises, which are themselves locked. The persons in charge are given precise instructions on the handling of paper data and records, in particular on the electronic duplication of paper documents by scanning, so as to prevent their accidental total destruction, and on pseudonymisation when documents are archived.
When managed in electronic form, data and related documents are processed using personal computers, both desktop and portable, as well as smartphones. All computing devices are protected by two separate passwords: the first is requested when the terminal is switched on and the second for access to the management IT platforms. Both passwords are known exclusively to the administrator of the computing device and to the System Administrator. When using a PC other than their own, the user must in any case log on to the network with their own credentials. All electronic data management is handled directly by the Data Controller, which therefore avoids the risks related to outsourcing and guarantees maximum technical capacity and attention to correct and protected data management.
All access credentials are kept with the utmost care. In the event of their theft or loss, the Data Protection Officer appointed pursuant to Article 37 of EU Regulation 2016/679 is involved immediately and, without delay, requests the immediate intervention of the System Administrator to block the stolen and/or lost credentials, to verify that no unauthorised access has taken place in the meantime, and to issue new authentication credentials which, on first access, must be changed by the person in charge under his or her sole responsibility.
In relation to the use of accounting software and of the system for recording employee attendance, the following arrangement also exists:
– a Data Processor relationship, as defined by Article 28 of the GDPR, regulated by a Data Processor appointment contract, in relation to the outsourcing of IT services.
Where necessary or instrumental to the specific purposes, personal data are processed not only by the internal staff of GLOBALTECH SOLUTIONS SAGL but are also communicated to recipients appointed pursuant to Article 28 GDPR, who process them as Data Processors and/or as natural persons acting under the authority of the Data Controller or of the Data Processor, in order to comply with legal obligations, contracts or related purposes.
Precisely, the data may be communicated to recipients belonging to the following categories:
The list of designated Data Processors is constantly updated and available at the Company’s headquarters and on its IT portals. In no case are the data collected by GLOBALTECH SOLUTIONS SAGL disseminated and/or transferred abroad, either inside or outside the European Union, except insofar as strictly necessary to perform the contractual relationship arising from the online marketing activity.
In compliance with Article 5(1)(e) of the GDPR, personal data are stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed, or within the time limits provided for by law. Whether stored data have become obsolete in relation to the purposes for which they were collected is verified periodically, under the supervision of the Data Protection Officer.
4) DATA CONTROLLERS AND DATA PROCESSORS
The figures and functions involved in GLOBALTECH SOLUTIONS SAGL in the protection of individuals with regard to the processing of personal data are:
A) DATA CONTROLLER
As a rule, it is the Company GLOBALTECH SOLUTIONS SAGL itself that performs this function and on which, consequently, all the obligations and responsibilities that Italian and European law impose on the controller fall: first of all, the obligation to implement, review and update appropriate technical and organizational measures to ensure, and be able to demonstrate, that processing is carried out in accordance with the GDPR.
With regard to liability, GLOBALTECH SOLUTIONS SAGL, as controller, is exclusively liable for the material or non-material damage caused to any data subject by an infringement of the GDPR, unless it proves that it is in no way responsible for the event giving rise to the damage. In addition, GLOBALTECH SOLUTIONS SAGL is liable for the administrative fines imposed by the Supervisory Authority, the maximum amount of which, for the most serious infringements, is EUR 20 million or up to 4% of total annual worldwide turnover, whichever is higher.
B) DATA PROCESSOR
Article 28 of the GDPR defines the Data Processor as the party that processes personal data on behalf of the Data Controller and provides sufficient guarantees to implement appropriate technical and organizational measures in such a way that the processing meets the requirements of the GDPR and ensures the protection of the rights of the data subject.
Since it is not prohibited, and is highly appropriate in order to guarantee the effective application and supervision of the GDPR rules, in keeping with a prudent attitude aimed at maximum compliance, GLOBALTECH SOLUTIONS SAGL also assumes the role of Data Processor in relation to those situations in which it carries out intermediary activities in online commerce in the e-commerce sector.
The internal Data Processors identified are the heads of the following functions:
– purchases and contracts;
– administration, finance, human resources, general services and information systems.
Similarly, the contract appointing “external” Data Processors takes the form of an addendum to existing contracts and is integrated into the contractual text for new engagements, without prejudice to the periodic review by the Data Protection Officer of the template appointment contracts attached to this Organizational Model.
As for liability, Data Processors are liable for the damage caused by processing only where they have not complied with the obligations of the GDPR specifically directed to processors, or where they have acted outside or contrary to the lawful instructions of the Data Controller GLOBALTECH SOLUTIONS SAGL.
They are also exempt from liability for damages if they prove that they are in no way responsible for the event giving rise to the damage. They are likewise subject to the administrative fines imposed by the Supervisory Authority, on the same terms and in the same manner as the Data Controller.
5) RISK ASSESSMENT
In order to implement the actions needed to comply with the new EU Regulation 2016/679 on personal data, a survey of the current organization and of the existing privacy documentation and technical measures in use was carried out.
In particular, with the help of external consultants, the main organizational and procedural documentation was examined; in the light of this analysis, a specific questionnaire was prepared to identify the main risks of non-compliance with EU Regulation 2016/679.
This questionnaire was used as the benchmark during the interviews.
On the basis of the information and assessments gathered, as well as of the existing safeguards that mitigate the identified risks, an assessment was made of the probability of each risk, of the economic impact that may result from it, and of the detectability of the risk given the preventive controls in place.
For the assessment of these risks, a scale of values on 5 levels was used:
With regard to the assessment of risk detectability, the main elements considered were:
– complete and formalised procedures;
– adequate controls and traceability;
– defined organizational responsibilities.
The risk analysis was self-assessed, supported by a critical review of the assessments expressed, carried out by external consultants, whose contribution made it possible to produce an analysis as close as possible to the Company’s reality.
For each risk, a risk priority index (IPR) was determined, calculated from the following variables:
– Gross risk: the average of the probability of the risk and its possible economic impact;
– Net residual risk: the gross risk net of the level of detectability of the risk.
In order to summarise the results of the Risk Assessment, a Risk Matrix was then built, showing the assessment of the risks to which each company function is exposed.
The colour of each cell is a function of the gross/net residual risk assessment, on a scale of values from 1 to 5.
On the basis of the possible risks identified and the assessments carried out, the risks and their respective assessments are listed below:
The analysis mapped 27 risks, showing an overall very low net risk.
During the risk analysis, the need to carry out an impact assessment for processing that “is likely to result in a high risk to the rights and freedoms of natural persons” was also evaluated.
The analysis did not reveal the need to carry out a detailed impact assessment (so-called DPIA) in the strict sense, since none of the conditions referred to in Article 35(1) and in points (a), (b) and (c) of Article 35(3) of the GDPR is met: GLOBALTECH SOLUTIONS SAGL does not in fact use new technologies to carry out types of processing likely to result in a high risk to the rights and freedoms of natural persons, nor does it carry out a systematic and extensive evaluation of personal aspects of natural persons based on automated processing.
Should any of the aforementioned conditions arise over time, the analysis and assessment of these risks will be repeated with the collaboration of the DPO, and the need to carry out an impact assessment in the technical sense will be re-evaluated.
6) COMPANY DATABASES AND ARCHIVING METHODS
The IT systems of GLOBALTECH SOLUTIONS SAGL are managed directly by the Data Controller. The management of the databases and, consequently, of the personal data they contain is entrusted to the same Data Controller, who bears the full burden of the related training and technological updating.
Based on the authorization profile assigned, the System Administrator operates on the IT infrastructure located at the offices at Via Zurigo n. 35, 6900 Lugano (TI).
The following table shows the databases managed and describes their areas of operation:
7) AREAS, PREMISES, TREATMENT TOOLS
Data processing takes place, in the manner set out below, both at the registered and operational office, located at Via Zurigo n. 35, 6900 Lugano (TI), and in any operational offices that may be opened in the future.
Access to the building in which the Company’s premises are located is also allowed to the public and takes place through a single entrance, at the same address, which is under uninterrupted supervision. Access is not permitted without authorization, or at night.
The rooms and premises in which management, secretarial and administrative activities are carried out are reserved: access to them is under uninterrupted supervision during working and office opening hours and is permitted only to authorized persons. The server room is located within the rooms assigned to administrative activities, with access limited to authorized persons; its entrance is fitted with a lock. The devices it contains are installed in compliance with safety regulations.
Paper media, including those containing images, are collected in files kept at the headquarters in the respective offices of competence and placed in cabinets or rooms with key locks, access to which is allowed only to authorized persons. These archives hold the documents in common and continuous use as well as those that have reached the end of their operating cycle. All documents are filed by protocol number; it has been recommended to scan them and set up a computerised archive.
With reference to the tools used and the types of data processed, it should be noted that:
Below is a summary table of the structures competent for data processing, with a description of the processing carried out:
8) SECURITY MEASURES TAKEN
In the light of the risk factors and areas identified in this Model, the measures adopted ensure:
– the protection of the areas and premises where the processing of personal data takes place;
– the correct storage and custody of records, documents and media containing personal data;
– logical security, in the field of electronic instruments.
With regard to the risk that data may be damaged or lost as a result of destructive events, the premises where data processing takes place are protected by:
– fire-fighting devices required by current legislation;
– an uninterruptible power supply;
– air conditioning system.
For processing carried out with electronic instruments, the following measures are in place and operational:
The following sheets show the measures taken to protect IT tools from the risks identified:
In addition, the Company provides its staff with regular training and information on the topics covered by this Model, in order to foster a culture of correct and secure data management.
9) INFORMATION AND CONSENTS
The obligation to provide an information notice is the main obligation imposed by the GDPR on the Data Controller; failure to fulfil it is, moreover, punished with the most severe sanctions.
The achievement of GLOBALTECH SOLUTIONS SAGL’s objective of being fully compliant with the GDPR necessarily also passes through the foundations of the lawfulness of processing, i.e. compliance with the requirement that every processing operation rest on an appropriate legal basis.
The legal bases on which the lawfulness of processing may rest are set out in Article 6 of the GDPR and coincide, roughly, with those currently provided for by the Privacy Code: express consent, performance of contractual obligations, and legal obligations to which the Data Controller is subject. A direct consequence is that obtaining and managing consent is not mandatory for every processing activity, since it is only one of several means of legitimising processing.
Among the legal bases recognised by the GDPR and suitable to found the processing of data by GLOBALTECH SOLUTIONS SAGL are:
1) legal obligations and legal compliance, which represent the strictest and most precise, but also the optimal, basis for processing, implying the existence of at least one legal provision that requires, and thereby justifies, the processing;
2) contractual performance, where indispensable to perform an existing contract with the data subject or to enter into a new one, with the clarification that, for pre-contractual measures, the processing must be started at the data subject’s request;
3) legitimate interest, which, although less clear-cut, offers the possibility of justifying processing without managing the data subjects’ consent, but is valid only where the interests, rights or freedoms of the data subjects do not override the interests of the Data Controller;
4) the consent of the data subject, which must reflect the data subject’s free choice through a structured and unambiguous affirmative response, freely given, to the processing of his or her personal data.
In this context too, going beyond what is strictly indispensable, GLOBALTECH SOLUTIONS SAGL has prepared separate consent forms according to the category of data subjects and the specific purposes for which consent is given, so as to make consent as aware and informed as possible.
This Privacy Organizational Model is subject to verification and possible annual updating.
Document updated on December 12th 2021