The protection of personal data represents an important commitment for B.T.V. S.p.A. (hereinafter “BTV” or the “Company”).
The entry into force of EU Regulation 679/2016 of the European Parliament and of the Council of 27 April 2016 “on the protection of natural persons with regard to the processing of personal data and the free movement of such data” (hereinafter referred to as the “GDPR”) provided an opportunity to further adapt the Company’s activities to the principles of transparency and protection of personal data, respecting the fundamental rights and freedoms of all those concerned, whether employees, collaborators, customers, suppliers or third parties interested in receiving information.
BTV has thus implemented a “Privacy Organizational Model” (POM), described here in general terms, aimed at analysing all data processing activities, organizing them in a functional way and managing them safely and transparently. This section of the website also contains information on the rights of the Data Subject and the methods of exercising them against the Data Controller.
TABLE OF CONTENTS
1 – GDPR PRIVACY ORGANIZATIONAL MODEL
1.1 – SUBJECTS
1.2 – RISK ANALYSIS AND MEASURES TO PREVENT PRIVACY RISKS
2 – TRANSPARENCY AND RIGHTS OF THE DATA SUBJECT
2.1 – RIGHTS CONCERNING THE PROTECTION OF PERSONAL DATA
2.2 – EXERCISE OF RIGHTS
2.3 – FORMS AND INFORMATION STATEMENTS
1 – GDPR PRIVACY ORGANIZATIONAL MODEL
1.1 – SUBJECTS
The Data Controller is:
B.T.V. S.p.A. (hereinafter also referred to as the “DATA CONTROLLER”)
Via Luca della Robbia n. 25, 36100 Vicenza (VI)
Tel. +39 0444394600
Certified E-Mail: email@example.com
VAT and Tax ID Code: 03277970244
DATA PROTECTION OFFICER
The DATA CONTROLLER has deemed it appropriate to appoint a Data Protection Officer (DPO) pursuant to Art. 37 of the EU Regulation 679/2016, which acts in synergy with the internal privacy team. The DPO is TZ&A Studio Associate of Vicenza, which can be contacted at the e-mail address firstname.lastname@example.org
The DATA CONTROLLER considered it appropriate to appoint an internal “Privacy Team” made up of internal and external subjects, with organizational, technical and IT skills.
The Privacy Team has the function of supporting the activity of the DATA CONTROLLER.
SUBJECTS AUTHORISED TO PROCESS PERSONAL DATA (pursuant to Article 29 of the GDPR)
The POM stipulates that each employee/collaborator of the DATA CONTROLLER only processes the data necessary to perform his/her duties, according to the internal organization and above all the purposes indicated and proposed to the Data Subject (i.e. the principle of “Limitation of purpose and minimization of data”, Art. 5, paragraph 1, lett. b) and c) of the GDPR). Therefore, the processing has been segmented into homogeneous areas of subjects authorized for processing, binding the employees/collaborators in each area to a specific field of processing. Each authorized subject has received specific instructions from the DATA CONTROLLER regarding the processing of personal data. For this purpose, by design, the information system is also made up of “sealed compartments”. From his/her computer workstation, the employee/collaborator can access only the data necessary to carry out his/her duties. The designation to the specific processing areas takes place after careful analysis of the company structure and organization, as well as of the data flows internal and external to the Company, and is summarized in a specific internal matrix that promptly identifies the scope of the processing of each area.
The employee/collaborator has also received an internal regulation on the use of the IT tools and the rules of conduct on all the information which he/she accesses in connection with his/her specific task.
In order to ensure compliance with the principles regarding the processing of personal data, the DATA CONTROLLER has also provided training and updating courses on the subject for its employees who, in connection with their duties, carry out the processing of personal data.
SYSTEM ADMINISTRATORS (INTERNAL AND EXTERNAL)
The DATA CONTROLLER uses computer systems to manage and organize its business. For this reason, attention to the construction of the software, the methods of its use and the safety of the data is always the basis of the activity of the DATA CONTROLLER. Individuals with “manager” privileges inside the company are specifically appointed and trained. Other specialised external companies that access company data are also specifically appointed as External Managers and/or External System Administrators pursuant to Art. 28 of the GDPR.
The suppliers of external IT services are chosen with particular attention to their professionalism, not only technical but also in relation to the respect and the protection of data, favouring certified companies.
DATA PROCESSORS (pursuant to Art. 28 of the GDPR)
As a general principle, the DATA CONTROLLER manages almost all processing activities internally. The cases of outsourcing to third parties of certain activities involving the processing of data on behalf of the DATA CONTROLLER are appropriately indicated within the individual information statements. In these cases, the relationship with the third party is governed by a specific contract of appointment as “Data Processor” pursuant to Art. 28 of the GDPR.
The DATA CONTROLLER entrusts such processing activities to external parties who offer sufficient guarantees to implement appropriate technical and organisational measures to meet the requirements of the GDPR and to ensure the protection of the rights of the Data Subjects.
1.2 – RISK ANALYSIS AND MEASURES TO PREVENT PRIVACY RISKS
According to the principles of “accountability”, it is up to the DATA CONTROLLER to implement a series of measures – organisational, physical, legal, technical and IT – aimed at preventing the risk of violation of the personal rights and freedoms of the Data Subjects. To achieve this objective, constant analysis of the risks is carried out, according to the processing, the tools used, and the type and quantity of data processed.
DATA PROCESSING REGISTER (pursuant to Art. 30 of the GDPR) AND ANALYSIS OF THE IMPACT ON THE PROTECTION OF PERSONAL DATA (pursuant to Art. 35 of the GDPR)
The POM provides a careful and constant analysis of the risks for the processing of personal data, identified for each activity or service provided through a Data Processing Register pursuant to Art. 30, paragraph 1 of the GDPR.
Having analysed the processing activity carried out by the DATA CONTROLLER, it is believed that at present there are no activities at risk that require a specific impact assessment pursuant to Art. 35 of the GDPR (so-called “DPIA”).
The analysis on IT risks and on the company hardware and software infrastructures and on the IT adaptation measures has been carried out both by our System Administrator with specific tools and checklists and by an external company specialized in IT security, which carried out a detailed audit with security testing. The results of the audit enabled the technicians to further improve protection measures against cyber attacks and cyber threats, gradually and in proportion to the risk for the rights and freedoms of the Data Subjects.
2 – TRANSPARENCY AND RIGHTS OF THE DATA SUBJECT
2.1 – RIGHTS CONCERNING THE PROTECTION OF PERSONAL DATA
The DATA CONTROLLER considers it essential, here too, to inform the Data Subjects of the existence of certain rights regarding the protection of personal data, listed below.
- Right to be informed (transparency in data processing)
The Data Subject has the right to be informed as to how the DATA CONTROLLER processes his/her personal data, for which purposes and any other information provided by Art. 13 of the GDPR. For this purpose, the DATA CONTROLLER has implemented organizational processes that allow, at the time of acquisition or request of personal data, the issue of an “ad hoc” Information form according to the category of Data Subjects to which the Data Subject belongs (employee, customer, supplier etc.). This document makes it possible to adequately inform all the subjects to whom the data relates on how the processing is carried out by the DATA CONTROLLER. The information form may be requested with a specific application addressed to the DATA CONTROLLER.
- Right of withdrawal of consent (Art. 13)
You have the right to withdraw your consent at any time for all the processing whose lawfulness is based on your consent. The withdrawal of consent does not affect the lawfulness of the processing activities up to this point.
- Right of access to data (Art. 15)
You may request: a) the purpose of the processing; b) the categories of personal data in question; c) recipients or categories of recipients to whom personal data have been or will be communicated, in particular recipients in third countries or international organisations; d) where possible, the retention period of the personal data provided or, if not possible, the criteria used to determine that period; e) the existence of the right of the Data Subject to request from the Data Controller the rectification or deletion of personal data or the limitation of the processing of personal data concerning him or her or to oppose their processing; f) the right to lodge a complaint with a Supervisory Authority; g) if the data are not collected from the Data Subject, all information available on their origin; h) the existence of an automated decision-making process, including the profiling referred to in Article 22 paragraphs 1 and 4, and, at least in such cases, significant information on the logic used, as well as the importance and expected consequences of such processing for the Data Subject. You have the right to request a copy of the personal data being processed.
- Right of rectification (Art. 16)
You have the right to request the correction of any inaccurate personal data concerning you and to obtain the integration of the incomplete personal data.
- Right to be forgotten (Art. 17)
You have the right to obtain from the Data Controller the deletion of personal data concerning you if the personal data are no longer necessary for the purposes for which they were collected or otherwise processed, if you withdraw your consent, if there is no prevailing legitimate reason for proceeding with the processing of profiling, if the data has been processed unlawfully, if there is a legal obligation to delete them, or if the data is related to Web services rendered to minors without the relevant consent. The deletion may be provided unless the right to freedom of expression and information prevails, or unless the data are retained for the fulfilment of a legal obligation or for the performance of a task carried out in the public interest or in the exercise of public authorities, on the grounds of public interest in the health sector, for archiving purposes in the public interest, scientific or historical research or for statistical purposes, or for the assessment, exercise or defence of a right in court.
- Right to limit the processing (Art. 18)
You have the right to obtain from the Data Controller the limitation of the processing when you have contested the accuracy of the personal data (for the period necessary for the Data Controller to verify the accuracy of such personal data), or if the processing is unlawful but you oppose the deletion of the personal data and request the limitation of their use instead, or if the data are necessary to you for the assessment, exercise or defence of a right in court, while they are no longer necessary to the Data Controller.
- Right to portability (Art. 20)
You have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format and you have the right to transmit them to another Data Controller if the processing is based on consent, on the contract and if the processing is carried out by automated means, unless the processing is necessary for the performance of a task carried out in the public interest or related to the exercise of public authorities, and provided that such transmission does not infringe the rights of third parties.
- Right to object (Art. 21)
You have the right to object at any time, in whole or in part, to the processing of your personal data if the processing is carried out for the pursuit of a legitimate interest of the Data Controller or for direct marketing purposes.
- Right to lodge a complaint with the Data Protection Authority (Art. 77)
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State where you habitually reside or work, or in the place where the alleged infringement occurred, if you consider that the processing of personal data relating to you infringes the regulation on the protection of personal data.
2.2 – EXERCISE OF RIGHTS
To effectively exercise your rights, you may request information from the DATA CONTROLLER, or fill in the access forms provided below.
2.3 – FORMS AND INFORMATION STATEMENTS
1) Below is a draft document to be completed for the concrete exercise of the rights of the Data Subject. The form may be sent to the DATA CONTROLLER, to the addresses listed above, in accordance with the current legislation.
Form to be printed and filled in specifying the requested right:
Exercise of rights form
2) Information statements:
Contact form Information
Information statement on job opportunities
Customer Information Statement
Suppliers Information Statement