PROTECTION OF PERSONAL DATA

IN ORDER TO PROTECT THE FUNDAMENTAL RIGHTS AND FREEDOMS OF THE NATURAL PERSONS AFFECTED BY THE VARIOUS PERSONAL DATA PROCESSING ACTIVITIES CARRIED OUT UNDER THE AUTHORITY OF BHAVE S.R.L.

1. PURPOSE

2. DESCRIPTION

3. SCOPE OF APPLICATION

4. BASICS OF PROCESSING PERSONAL DATA

5. GENERAL RULES FOR THE PROCESSING OF PERSONAL DATA

6. INFORMATION SECURITY POLICY

7. INFORMATION SECURITY POLICY RESPONSIBILITIES

1. PURPOSE

BHAVE s.r.l. (hereinafter referred to as “BHAVE” or “the Company”) undertakes to comply with the national and supranational regulatory provisions governing the protection of personal data in Italy.

This Company Policy establishes the basic principles according to which BHAVE processes the personal data of customers, suppliers, business partners, employees, Professionals and the Partner, as well as of subjects who intend to be included in the Master Data contained in BHAVE’s databases, participate in interviews or market research, be involved in events, initiatives or projects, or register for webinars, mailing lists, newsletters or other services.

BHAVE hereby provides essential guidelines that must be complied with by all employees and collaborators of BHAVE, as well as all those who carry out personal data processing activities under the authority of BHAVE, when, in the performance of their duties, they carry out operations involving the processing of personal data.

The recipients of this document are therefore all employees, permanent or temporary, and all collaborators who work on behalf of the Company.

The purpose of this document is to describe the general principles of security and the confidentiality obligations for information and personal data defined by the Data Controller, and to make them binding on all subjects involved in data processing, in order to develop an efficient and secure management system of procedures and processes for the security of personal data, in compliance with the fundamental rights and freedoms of individuals and with European Regulation 2016/679, hereinafter GDPR.

2. DESCRIPTION

BHAVE intends to pursue objectives of security of information, personal data, technological, physical, logical and organizational structure and their management, through the structuring of a management system for all the business processes involved.

To achieve a “secure information management system”, it is first necessary that the principles set out in Articles 5 and 6 of the GDPR are respected, and in particular: lawfulness, fairness and transparency; purpose limitation, i.e. data are collected only for specified, explicit and legitimate (including contractual) purposes, and are not further processed in a manner incompatible with those purposes.

The individual persons in charge are, by law, authorized to use and process personal data only for the purposes expressly authorized by BHAVE. This means that any use of the data that exceeds the limits set by BHAVE will be considered unauthorized, and therefore unlawful, with the consequence that the individual operator will be held personally responsible.

3. SCOPE OF APPLICATION

These guidelines are applicable to all employees, permanent or temporary, and all collaborators who work on behalf of the Company, inside or outside the administrative and/or operational premises in which the company’s activities are carried out. Particular and specific measures are aimed at further detailing the case of “agile” or “remote” work, where applicable.

4. BASICS OF THE PROCESSING OF PERSONAL DATA

For the purposes of this Company Policy and, more generally, of the Compliance activities carried out by the Company, the terminology and concepts are borrowed from EU Regulation 2016/679. In particular:

PERSONAL DATA: Personal data is information that identifies or makes identifiable, directly or indirectly, a natural person and that can provide information about his or her characteristics, habits, lifestyle, personal relationships, state of health, economic situation, etc.

Particularly important are:

• data that allow direct identification – such as identifying details (e.g. name and surname), images, etc. – and data that allow indirect identification, such as an identification number (e.g. tax code, IP address, license plate number);

• data falling into particular categories: these are the so-called “sensitive” data, i.e. those that reveal racial or ethnic origin, religious or philosophical beliefs, political opinions or trade union membership, or that relate to health or sex life. Regulation (EU) 2016/679 (Article 9) has also included in this notion genetic data, biometric data processed for the purpose of uniquely identifying a person, and data relating to sexual orientation;

DATA SUBJECT: the natural person to whom the personal data refer. Therefore, if a processing concerns, for example, the address, tax code, etc. of John Smith, this person is the data subject (Article 4, paragraph 1, point 1), of EU Regulation 2016/679);

DATA CONTROLLER: the natural person, public authority, company, public or private body, association, etc., which determines the purposes and means of the processing (Article 4, paragraph 1, point 7), of EU Regulation 2016/679);

DATA PROCESSOR: the natural or legal person that the data controller engages to carry out specific and defined processing tasks on its behalf (Article 4, paragraph 1, point 8), of EU Regulation 2016/679). The Regulation itself introduced the possibility that a processor may, in turn and under certain conditions (in particular, with the prior written authorisation of the controller), engage another processor, the so-called “sub-processor” (Article 28, paragraph 2).

PERSON IN CHARGE OF THE PROCESSING (AUTHORISED PERSON): the natural person authorised by the data controller or by the data processor to carry out processing operations. The person in charge, to whom this Policy is addressed, is a figure of the highest importance in the privacy organization chart of any structure since, under the direct authority of the Data Controller or of the Data Processor (if appointed), he or she is the one who, with specific authorization, physically carries out the processing operations on personal data.

AUTHORIZATION FOR PROCESSING: the person in charge of the processing receives from the Company a “letter of appointment”, i.e. a document through which he or she is formally and officially entrusted with the task of carrying out specific processing operations on certain personal data. The letter of appointment does not entail any change for the person in charge with respect to the tasks he or she is called upon to perform: it is a document prepared because it is required by the legislation on the protection of personal data, and it specifies the obligations that the law itself imposes on the Company or directly on the person in charge. The letter of appointment can be supplemented, even subsequently, by “company guidelines” (or “instructions for data processing”) on the processing of personal data: these guidelines, which must be scrupulously followed by all the persons in charge, list the practices that by law must be followed by the recipients during the processing of personal data.

DATA BREACH: “data breach” means any breach of security that leads, or could lead, to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data (Article 4, paragraph 1, point 12), of EU Regulation 2016/679). Despite the Company’s commitment to prepare and periodically update all procedures for the processing of personal data, it is not possible to exclude a priori that an incident may still occur: in this case, it is necessary to apply the reaction procedures that are listed and specified in a specific annex to this Company Policy, including a facsimile for the communication of a data breach.

5. GENERAL RULES FOR THE PROCESSING OF PERSONAL DATA.

In application of EU Regulation 2016/679 and the “Privacy Code” (Legislative Decree no. 196/2003), as updated and amended by Legislative Decree no. 101/2018, and taking into account the guidelines issued by the Article 29 Working Party (WP29, now the European Data Protection Board) and by the Italian Data Protection Authority, all operators, employees, collaborators and – more generally – all those who process personal data under the authority of BHAVE are required to comply with the following general rules whenever they process personal data:

(i) Obligations regarding the collection of personal data of Professionals, partners and subjects involved in any personal data collection activity, including in particular the creation or modification of personal data records and/or mailing lists, the collection of registrations for events (including conferences and/or webinars), the administration of interviews and/or surveys and the processing of the responses.

A- Only operators whose duties include this activity are authorised to collect personal data on behalf of BHAVE, i.e. operators whose duties require the collection or modification of personal data of the Professional, Partner, Supplier or Customer, as well as of the person who intends to be included in the Master Data contained in BHAVE’s databases, participate in interviews or market research, be involved in events, initiatives or projects, or intend to subscribe to webinars, mailing lists, newsletters or other services. These operators, in any case, are authorized to collect only the data strictly necessary with respect to the purpose for which they are collected. For this reason, only the templates and forms

B- In all cases in which BHAVE receives the personal data of a natural person or Professional, the Operator, Collaborator or competent Resource must bring to the attention of the data subject the appropriate information notice on the processing of personal data (Articles 13 and 14 of the GDPR). Consequently, all the persons in charge whose duties include the registration, acquisition or modification of personal data must provide the data subject with a paper or digital copy of the information notice. They must also retain evidence that they have fulfilled this obligation.

C- Once the data of the Data Subjects have been collected, they may be used only for the purposes expressly authorized, i.e., as the case may be, for the purposes strictly related to the registration of the personal data, the modification of data (where required), booking, activation of training services, webinars, etc., or other procedures initiated and/or authorized by the Data Subject. It is expressly forbidden to produce or extract copies of personal data, to save them on personal devices, to use the information acquired for purposes other than those authorized, to modify the data without prior, express authorization, and to delete or destroy them.

(ii) Obligations regarding the collection of candidates’ data during personnel selection procedures:

A- During the personnel selection procedures, it is necessary to collect the personal data needed to carry out these procedures. The operator in charge of collecting such data is subject to all the provisions on the processing of the data of the Professional, Partner, Supplier or Customer, as well as of the subject who intends to be included in the Master Data contained in the BHAVE databases, participate in interviews or market research, be involved in events, initiatives or projects, or register for webinars, mailing lists, newsletters or other services, where applicable. In particular, the provisions of paragraphs A, B and C of point (i) above also apply to the management of Candidates’ data.

B- In the event that the candidate is not hired, the personal data collected during the personnel selection procedures (e.g. the data contained in the CV) may be kept in the appropriate archives for a period not exceeding 2 years from the date of registration, after which they must be deleted.

(iii) Prohibition of duplication, transfer or transmission of personal data:

Under no circumstances may the operator, employee or other person acting under the authority of BHAVE record, save, duplicate, transmit or copy the data processed on behalf of BHAVE, for example by transferring it or copying its content into databases or registers (physical or digital) unrelated to those expressly authorized by BHAVE.

Similarly, outside of the practices expressly authorized by the Company, under no circumstances is the operator authorized to transfer to third parties or copy onto personal devices the data of Customers, potential Customers or, more generally, the personal data collected or processed on behalf of BHAVE, including the data of the Professional, the Partner, the Supplier or Customer, as well as of the person who intends to be included in the Master Data contained in BHAVE’s databases, participate in interviews or market research, be involved in events, initiatives or projects, or subscribe to webinars, mailing lists, newsletters or other services.

The printing or collection of personal data on paper or other physical media is always prohibited, unless expressly authorized and documented by BHAVE.

(iv) Management of Data Subjects’ requests:

EU Regulation 2016/679 indicates precisely what the rights of data subjects are with respect to the processing of their personal data: access, rectification, erasure, restriction of processing, objection to processing and data portability. These rights can be exercised by the data subject at any time by contacting the Company, and the Company is required by law to respond without undue delay and in any event within the statutory time limit (one month from receipt of the request, extendable only in the cases provided for by Article 12 of the GDPR).

In the event that the operator, employee, collaborator or in any case the person operating under the authority of BHAVE receives a request for access, rectification, erasure, restriction, objection or portability from a Data Subject, he or she must immediately notify the BHAVE Administration, forwarding the request within one working day of receipt; in the event of late forwarding, the operator must also provide the Administration with the reasons for the delay.

(v) Incident management:

A- In terms of incident management, it is essential that all operators are aware of the procedures in the event of a Data Breach, attached to this document.

B- In the event of an incident that may compromise the integrity, availability, accuracy or confidentiality of personal data, operators not employed in the Administration are obliged to immediately inform the Administration, providing details of the incident, its visible and foreseeable effects, and the risks involved.

C- In the case referred to in point B above, the operators employed in the Administration are obliged to apply the Data Breach procedures by contacting the legal representative of the Company, i.e. the person authorised to send the notification to the supervisory authority.

(vi) Mandatory Security Measures:

The GDPR and the Privacy Code – which BHAVE is obliged to comply with – require the Company and individual operators to comply with a series of security measures. Failure to comply with the security measures listed here gives rise to the personal liability of the defaulting party:

A- Categories of Confidentiality:

Operators, employees, collaborators, or in any case all those who carry out personal data processing activities under the authority of BHAVE are required to process the information circulating within the Company according to the following general directives:

Information marked as “confidential” or “private” is accessible only to those directly authorized. This means that it cannot be shared among the operators who receive it, unless there is an express indication of the group with which the information may be shared. For example, if information is received by email, it may only be shared between the sender, the recipient and any other parties copied (Cc) on the message. “Private” or “confidential” information includes trade secrets, know-how and sensitive personal data processed by the company, the financial data of the company and its employees, and the data of Professionals, Partners, Suppliers or Customers, as well as of the subjects who intend to be included in the Master Data contained in BHAVE’s databases, participate in interviews or market research, be involved in events, initiatives or projects, or subscribe to webinars, mailing lists, newsletters or other services; in addition to those expressly listed, all information that is defined as such by the Company must be considered “confidential” or “private”.

Information marked as “internal” is accessible to BHAVE employees and contractors. This information may be freely shared within the company but must not be communicated externally.

Information expressly designated as “public” may also be freely disclosed outside the company.

In any case, the access of each person in charge to individual pieces or blocks of information is limited to what is strictly necessary for the performance of that person’s function (need-to-know principle).

ACCESS CREDENTIALS: It is expressly forbidden to share your access credentials with other operators. Similarly, only persons holding their own access credentials are authorised to access the relevant assets, programmes or platforms: it is forbidden to access programmes, platforms or assets of any kind using someone else’s access credentials, and it is forbidden to make one’s own access credentials available to other subjects.

B- Security perimeter for physical documents containing personal data:

o Data in paper format may only be processed and consulted within the offices and other areas designated for the consultation of such documents (e.g. meeting room).

o Paper documents may be kept and archived only in the areas expressly indicated by the Company; it is forbidden to make unauthorized copies of paper documents (including photographs, scans, duplications and any form of reproduction, even in summary form, of their contents).

o When leaving the workstation, even temporarily – as well as when depositing or archiving paper documents – the operator is obliged to ensure that paper documents are secured (closed doors, locked cabinets).

o Inside the offices, paper documents containing personal data must remain inaccessible to unauthorized parties. For example, desks must not hold documents concerning data subjects other than those being dealt with at that moment.

C- Digital document protection

Operators are obliged to apply the following security procedures to protect equipment and accounts, including when the equipment is unattended, i.e. when the operator leaves the workstation:

o Log off at the end of the activity

o Use of a personal alphanumeric access password, which must be kept secret

o Change of the personal alphanumeric password every 3 months

o Closing of active sessions when the task is completed, and locking of the screen whenever the workstation is left unattended

o No use of equipment, information or software outside the authorized area

o Obligation, for each operator, to periodically check the protection and update status of the software in use on the company devices entrusted to him or her by BHAVE

o Obligation, for each operator, to use the company devices entrusted to him or her by BHAVE for the sole purposes expressly provided for by the Company; any other purpose must be considered expressly prohibited

o The company networks and services may be used only by expressly authorized personnel: all operators are forbidden from sharing their access credentials for the network and company services with other parties

D- Clean Screen and Desk Policy:

Both a “clean desk” policy for documents and removable storage media and a “clean screen” policy for information processing equipment must be applied.

In other words: no removable storage media may be left in offices and premises accessible to the public, and third parties must not be allowed to view unauthorized information on the screens of devices entrusted to authorized parties. Each operator is responsible for the application of these policies with reference to the premises in which he or she carries out his or her activity, as well as with reference to the devices and assets under his or her responsibility.

It is forbidden to copy, even in summary form, the information present in corporate software, devices and networks. It is not permitted to duplicate, print, photograph, disclose, transmit or transfer in any form the information and personal data contained in the company assets.

BHAVE does not authorize the use of operators’ personal portable mass storage units (including external hard drives, USB sticks, USB flash drives or pen drives) within its premises and expressly prohibits the use of any similar device or mechanism for the transfer or copying of company information or personal data. Any operation carried out on personal data processed on behalf of BHAVE must be traceable at all times.

The mechanisms put in place by BHAVE are also aimed at ensuring that the data being processed are:

Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (principle of “data minimisation”);

Accurate and, where necessary, kept up to date; every reasonable step must be taken to promptly erase or rectify data that are inaccurate in relation to the purposes for which they are processed (principle of “accuracy”);

Kept in a form that permits identification of the data subjects for no longer than is necessary for the purposes for which they are processed (principle of “storage limitation”);

Processed in a manner that ensures appropriate security of the personal data, including protection, by means of appropriate technical and organisational measures, against unauthorised or unlawful processing and against accidental loss, destruction or damage (principle of “integrity and confidentiality”);

Protected against unauthorized changes, so that the information remains consistent;

Received through reliable and identifiable channels, so that the origin of the information can be trusted;

Kept under the protection and control of the Company at all times.

6. INFORMATION SECURITY POLICY

KNOW THE PATH OF THE DATA: The personal data subject to processing are adequately mapped: it must be possible to trace the source of the data and the path that they follow within the company (e.g. the competent department). In addition, attention must be paid to the purpose of each processing of personal data, as well as to the identification of the various types of data processed and the categories to which they belong. Information security includes verifying the purpose of each processing and the legal basis on which it rests, also in order to provide adequate information to the data subjects, as required by Articles 13 and 14 of the GDPR;

TRANSPARENCY TOWARDS THE DATA SUBJECT: Information security also means transparency of information: the information notice on the processing of personal data must be brought to the attention of the data subjects with all the elements indicated in Articles 13 and 14 of the GDPR. In particular, data subjects must also be made aware of the rights that the Regulation grants them (right of access, right to erasure or “right to be forgotten”, right to rectification, right to restriction of and objection to processing, right to data portability);

COMPLIANCE WITH THE PROCEDURE IN THE EVENT OF A DATA BREACH: A procedure has been set up to be followed in the event of any personal data breach (so-called “data breach”, referred to in Articles 33 and 34 of the GDPR), for example the unauthorised disclosure, destruction, loss, modification of, or access to, the personal data being processed, whether caused by a cyber-attack, abusive access or an accident. The GDPR provides for specific obligations in the event of a breach of this kind. Under Article 33, the Data Controller is obliged to notify the breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Under Article 34, where the breach is likely to result in a high risk to the rights and freedoms of the data subjects, the data subjects must also be informed directly of what has happened without undue delay;

7. INFORMATION SECURITY POLICY RESPONSIBILITIES

The Data Controller and, to the extent of their competence, the Data Processor are responsible for the secure information management system, in line with the evolution of the business and market context, evaluating any actions to be taken in the face of events such as:

· Significant business developments;

· New threats compared to those considered in the risk analysis activity;

· Significant security incidents;

· Evolution of the regulatory or legislative environment regarding the secure processing of information.

A review must be carried out periodically to verify the efficiency, effectiveness and adequacy of the technical and organisational measures applied, in compliance with and for the ultimate purpose of protecting personal data and the fundamental rights and freedoms of individuals.

It is understood that the unauthorized collection of data in the name of or on behalf of BHAVE, as well as the processing or use of data for purposes or in ways not authorized by BHAVE, remain the sole responsibility of the person responsible for the prohibited behavior.