Identity of the Data Controller
The Data Controller for any processing carried out is CPL Concordia Soc. Coop., with registered and administrative office at Via A. Grandi 39 – 41033 Concordia sulla Secchia (MO), email address: gdpr@cpl.it.
The Data Controller guarantees the security, confidentiality and protection of the personal data in its possession, at any stage of the data processing process.
Data protection officer
The Data Controller has designated a Data Protection Officer under Article 37, domiciled for the purpose at the company’s registered office and reachable at dpo@cpl.it.
Transfer of data
Under no circumstances does the Data Controller transfer personal data to third countries or international organizations.
In the case of using any cloud services, providers are selected from those with servers in Europe. In the event that it becomes necessary to transfer data outside the EU (e.g., in the case of a contract with a multinational company), CPL will verify that the suppliers provide adequate guarantees, as stipulated in Art. 46 GDPR 679/2016 and will update the disclosure.
Rights of the data subject
With reference to Articles 15 (right of access), 16 (right to rectification), 17 (right to erasure), 18 (right to restriction of processing), 20 (right to portability) and 22 (right to object to automated decision making) of GDPR 679/2016, data subjects may, upon proof of identity, exercise their rights by writing to the Data Controller CPL Concordia Soc. Coop. at the above address, including by e-mail (gdpr@cpl.it), specifying the subject of the request and the right to be exercised.
Any useful information and forms are made available by the Data Controller at https://www.cpl.it/en/revocation-of-consent-and-exercise-of-data-subject-rights/
In particular, the Controller reminds data subjects that they may exercise the right to object in the form and manner provided for in Art. 21 GDPR 679/2016.
Lodging a complaint
The data subject has the right to file a complaint with the supervisory authority of the state of residence. In the event that you believe that the processing has been carried out in violation of the legislation on the protection of personal data, you are granted the right to lodge a complaint with the Guarantor Authority for the Protection of Personal Data, Piazza Venezia, 11 – 00187 – Rome, through forms immediately available at the following link: https://www.garanteprivacy.it/modulistica-e-servizi-online/reclamo.
Automated decision-making processes
The Controller does not carry out processing that consists of automated decision-making on individuals’ data.
This information is provided to individuals acting on behalf of and for the customers of “CPL CONCORDIA Soc. Coop.” pursuant to Art. 13 and 14 GDPR 679/2016 “European Data Protection Regulation”.
Data source
The personal data processed are those provided by the data subject in connection with:
- public source, online contact retrieval;
- participation in events, seminars and conferences sponsored by CPL;
- consent of the data subject (explicit or by unequivocal positive act, e.g. in case of exchange of business cards);
- pre-contractual phase, requests for information and quotations, including by telephone and e-mail;
- placing of orders, conclusion of contracts and related extensions;
- performance of the contractual relationship and related activities;
- transmissions and commercial activities following the order;
- compliance with applicable regulations (e.g., on public procurement and health and safety in the workplace, data protection, tax, etc.);
- participation in tenders;
- receipt of communications via PEC;
- requests for information on previous business activities;
or, alternatively, may be contact data of potential customers obtained from parties other than the data subject.
Categories of data processed
The data processed may be:
- identifying biographical data, professional profile data, banking, economic data (property damages, compensation), salary data (compensation, remuneration), curricular data;
- judicial data, self-certifications and statements regarding convictions;
- other certifications, copies of identity documents;
- images and videos;
- all data contained in the company’s servers that are backed up;
- log data, computer traffic, user id, authentication credentials;
- data of family members (related parties).
With regard to processing carried out on the basis of the consent given by the data subject, it should be noted that the same is the subject of specific separate information.
Revocation of consent
With reference to Article 7 of GDPR 679/2016, the data subject may revoke any consent given at any time.
However, the processing operations covered by this notice that are based on a different legal basis are lawful and permitted even in the absence of consent, insofar as they are necessary for the performance of a contract to which the data subject is a party, for the fulfillment of his or her requests, or to comply with a legal obligation.
Withdrawal of consent at any time does not affect the lawfulness of the processing based on the consent given before the withdrawal.
Refusal to provide data
Customers may not refuse to provide the Controller with personal data necessary to comply with legal regulations governing business activities and taxation.
The provision of further personal data may be necessary to improve the quality and efficiency of business activities.
Therefore, refusal to provide the data required by law or to execute the contract will prevent the fulfillment of orders; while failure to provide additional data may affect all or part of the fulfillment of other requests and the quality and efficiency of the business activity itself.
Recipients of the data
The personal data processed by the Data Controller will not be disseminated, i.e. they will not be disclosed to unspecified parties, in any possible form, including making them available or simple consultation. They may, on the other hand, be disclosed to the employees working in the employ of the Data Controller and to certain authorized external parties who collaborate with them and/or who are identified as Data Processors.
In particular, on the basis of the roles and work duties performed, the processing of personal data will be carried out by employees expressly instructed and authorized for this purpose to carry out specific processing operations.
They may also be communicated, to the extent strictly necessary, to parties who, for the purpose of fulfilling orders or other requests or services relating to the business activity or contractual relationship with the Data Controller, must supply goods and/or perform services on behalf of the Data Controller. Finally, they may be communicated to the Entities in charge in the case of fulfillments related to the regulations in force, as well as to subjects entitled to access them by virtue of provisions of the law, regulations, EU regulations.
This information is provided to individuals acting on behalf of the suppliers of “CPL CONCORDIA Soc. Coop.”, in accordance with Art. 13 and 14 GDPR 679/2016 “European Regulation on Personal Data Protection”.
Data source
The personal data processed are those provided by the data subject or his/her employer on the occasion of:
- public source, online contact retrieval;
- prequalification and/or qualification activities through a platform dedicated to the Supplier Qualification System;
- participation in events, seminars and conferences sponsored by CPL;
- consent of the data subject (explicit or by unequivocal positive act, e.g., in case of exchange of business cards);
- pre-contractual phase, requests for information and quotations, including by telephone and e-mail;
- placing of orders, conclusion of contracts and related extensions;
- performance of the contractual relationship and related activities;
- transmissions and commercial activities following the order;
- compliance with applicable regulations (e.g., on public procurement and health and safety in the workplace, data protection, tax, etc.);
- participation in tenders;
- receipt of communications via PEC;
- requests for information on previous business activities.
Categories of data processed
The data processed may be:
- personal identifying data, contact data, data on professional profile, qualifications, licenses, copy of ID, other certifications, training certificates (e.g. health safety), curriculum data;
- banking, economic data (property damage, compensation), salary data (compensation, salary, level, grading, contract date);
- health data (fitness for duty, injuries, medical certificates, etc.);
- judicial data, self-certifications and statements regarding criminal convictions and offenses;
- image on badge, other images and videos;
- geographic location data;
- any data in the company’s servers being backed up;
- any data on PCs, telematic traffic data, user IDs, authentication credentials, log data.
Data Processors
For the prequalification and/or qualification activity of the Supplier, through a platform dedicated to the Supplier Qualification System, the Company Net4market – CSAmed s.r.l. was appointed as Data Processor.
Subsequently, in the pre-contractual phase, the Supplier’s data are managed through a dedicated platform, and the Company Zucchetti Spa has been appointed as the Data Processor.
With regard to processing carried out on the basis of the consent given by the data subject, it should be noted that the same is the subject of specific separate information.
Revocation of consent
With reference to Article 7 of GDPR 679/2016, the data subject may revoke any consent given at any time.
However, the processing operations covered by this notice that are based on a different legal basis are lawful and permitted even in the absence of consent, insofar as they are necessary for the performance of a contract to which the data subject is a party, for the fulfillment of his or her requests, or to comply with a legal obligation.
Withdrawal of consent at any time does not affect the lawfulness of the processing based on the consent given before the withdrawal.
Refusal to provide data
Suppliers cannot refuse to provide the Controller with personal data necessary to comply with legal regulations governing business activities and taxation.
The provision of further personal data may be necessary to improve the quality and efficiency of business activities.
Therefore, refusal to provide the data required by law or to execute the contract will prevent the fulfillment of orders; while failure to provide additional data may affect all or part of the fulfillment of other requests and the quality and efficiency of the business activity itself.
Recipients of the data
The personal data processed by the Data Controller will not be disseminated, i.e. they will not be made known to unspecified parties, in any possible form, including making them available or simple consultation. They may, on the other hand, be communicated to the employees working in the employ of the Data Controller and to certain authorized external parties who collaborate with them and/or who are identified as Data Processors.
In particular, on the basis of the roles and work duties performed, the processing of personal data will be carried out by employees expressly instructed and authorized for this purpose to carry out specific processing operations.
They may also be communicated, to the extent strictly necessary, to parties who, for the purpose of fulfilling orders or other requests or services relating to the business activity or contractual relationship with the Data Controller, must supply goods and/or perform services on behalf of the Data Controller. Finally, they may be communicated to the Entities in charge in the case of fulfillments related to the regulations in force, as well as to subjects entitled to access them by virtue of provisions of the law, regulations, EU regulations.
This information is provided pursuant to Art. 13 GDPR 679/16 – “European Regulation on the Protection of Personal Data”, to guests and in general to all persons temporarily present at the headquarters of CPL CONCORDIA Soc. Coop. in via Grandi 39 – Concordia sulla Secchia, for visits, deliveries, maintenance work and for any other occasional or previously agreed events.
Data source
The personal data processed are provided by interested parties during:
- visits or interventions at the premises;
- interviews or work sessions at the premises;
- delivery or collection of goods, packages, correspondence.
Images of people and means of transportation collected through the video surveillance system are also processed; in this regard, see the dedicated information notice.
Categories of data processed
The data processed may be identifying personal data, professional profile and image for entry card, other images and videos.
With regard to the processing carried out on the basis of the consent expressed by the data subject, it should be noted that the same is the subject of specific separate information.
Recipients of the data
The personal data processed by the Data Controller will not be disseminated, i.e. they will not be disclosed to unspecified parties, in any possible form, including making them available or simple consultation. They may, on the other hand, be disclosed to the employees working in the employ of the Data Controller and to certain authorized external parties who collaborate with them and/or who are identified as Data Processors.
In particular, on the basis of the roles and work duties performed, the processing of personal data will be carried out by employees expressly instructed and authorized for this purpose to carry out specific processing operations.
They may also be communicated, to the extent strictly necessary, to the Entities in charge in the case of fulfillments related to the regulations in force, as well as to the subjects entitled to access them by virtue of provisions of the law, regulations, EU regulations such as, for example:
- Public Safety authorities;
- health personnel in case of injury or illness.
Revocation of consent
With reference to Article 7 of the GDPR 679/2016, the data subject may revoke any consent given at any time.
However, the processing operations covered by this notice that are based on a different legal basis are lawful and permitted even in the absence of consent, insofar as they are necessary for the performance of a contract to which the data subject is a party, for the fulfillment of his or her requests, to comply with a legal obligation, or for the pursuit of a legitimate interest of the Data Controller.
Withdrawal of consent at any time does not affect the lawfulness of the processing based on the consent given before it.
Refusal to provide data
Visitors cannot refuse to provide the Data Controller with the personal data necessary to access the site. Therefore, refusal to provide them will prevent access.
This information is provided pursuant to Art. 13 and 14 GDPR 679/16 – “European Regulation on the Protection of Personal Data”, to all recipients of written communications from a person acting on behalf of CPL CONCORDIA Soc. Coop. in via Grandi 39 – Concordia sulla Secchia.
The contents of the e-mails are to be considered confidential. Therefore, the information contained in them, or included in any attachments, is confidential to the recipients only.
The authenticity of the sender and contents are not guaranteed.
Data source and legal basis
The personal data processed are those provided by data subjects or other recipients of messages originating from data subjects and forwarded, or reciprocally transmitted during the exchange of correspondence.
CPL’s databases include contacts and e-mail addresses of companies and entities, including those relating to contact individuals at legal entities:
(i) with whom previous communications have taken place by e-mail or other means of communication for pre-contractual or contractual reasons;
(ii) or who have spontaneously provided their e-mail address during direct contacts, giving consent;
(iii) or contacts that – based on the recipient’s role – were appropriate within its organization and such that CPL believed that the communication sent may respond to a common and legitimate interest.
This is always without prejudice to the possibility for the recipient to exercise the right to object to the processing resulting in immediate and free interruption of the processing. In general, in fact, all contacts and addresses are used by CPL in compliance with the will and willingness of the interested parties to receive communications by e-mail from the company.
Categories of data processed
The data processed may be all the data contained in the mail.
Retention of data
With regard to attachments contained in email messages received by the respective offices of jurisdiction, the retention periods are those provided for each type of data in relation to the purposes for which it will be processed.
Regarding mail messages, the retention periods are those provided for backups that follow data retention policies that do not exceed 6 months.
Recipients of the data
Persons or subjects other than the recipients and the persons who cooperate with them for the proper fulfillment of the purposes strictly related to the communication received, including under Article 616 of the Criminal Code, are not allowed to read, copy, modify, disseminate the message to third parties.
It is forbidden for those who receive, by mistake, a communication coming from CPL to use it and to bring it to the knowledge of third parties; while it is obligatory for those who receive it, to delete it from their box and to notify the sender.
Please note that all mailboxes in the domain “…@cpl.it” are business mailboxes and, as such, are used for business-related communications. Therefore, for business-related needs, any message, whether outgoing or incoming, could be read by parties other than the sender and/or recipient. The personal data processed by the Data Controller will not be disseminated, i.e. they will not be made known to unspecified parties, in any possible form, including making them available or simple consultation. They may, on the other hand, be communicated to the employees working in the employ of the Data Controller and to certain authorized external parties who collaborate with them and/or who are identified as Data Processors.
In particular, on the basis of the roles and work duties performed, the processing of personal data will be carried out by employees expressly instructed and authorized for this purpose to carry out specific processing operations.
They may also be communicated, to the extent strictly necessary, to parties who, for the purpose of fulfilling orders or other requests or providing services related to the business activity or contractual relationship with the Data Controller, must supply goods and/or perform, on behalf of the Data Controller, services related to the communications that have taken place. Finally, they may be communicated to the Entities in charge in the case of fulfillments related to the regulations in force, as well as to the subjects entitled to access them by virtue of provisions of the law, regulations, EU regulations.
Revocation of consent
With reference to Article 7 of GDPR 679/2016, the data subject may revoke any consent given at any time.
However, the processing operations covered by this notice, which are based on the legal basis in letter b) of Art. 6 par. 1 GDPR, are lawful and permitted even in the absence of consent, insofar as they are necessary for the performance of a contract to which the data subject is a party, for the fulfillment of his or her requests, or to comply with a legal obligation.
Withdrawal of consent at any time does not affect the lawfulness of the processing based on the consent given before the withdrawal.
Refusal to provide data
Individual contact persons of companies and legal entities, identified by their own organization for the management of matters related to the execution of a contract or the fulfillment of legal obligations, may not refuse to provide the Controller with the personal (contact) data necessary to proceed with such activities.
Therefore, refusal to provide the data required by law or to execute the contract will prevent the fulfillment of orders; while failure to provide further data may affect in whole or in part the fulfillment of other requests and the quality and efficiency of the business activity itself.
This information is provided pursuant to Art. 13 GDPR 679/16 – “European Regulation on the Protection of Personal Data,” to guests and in general to all persons temporarily present at the headquarters of CPL CONCORDIA Soc. Coop. in via Grandi 39 – Concordia sulla Secchia, for visits, deliveries, maintenance work and for any other occasional or previously agreed event as they enter the perimeter subject to video surveillance systems.
Data source
Video surveillance system.
Data categories processed
Images and videos of people and vehicles collected through the video surveillance system.
Purpose of processing
The above personal data are processed for purposes of work safety and protection of company assets (including crime prevention).
The data are processed in accordance with the provisions of the various minutes of union agreements signed between the company and the territorially competent trade unions (OO.SS.) and in full compliance with the principles of lawfulness, necessity and proportionality, according to the purposes and requirements established by Article 4 of Law No. 300/70, the April 8, 2010 Deliberation of the Privacy Guarantor on video surveillance, as well as Guidelines 3/2019 of the EDPB (European Data Protection Board) on the processing of personal data through video devices.
Legal basis for processing
Guests’ personal data are lawfully processed to pursue the legitimate interest of the Data Controller.
Recipients of the data
The personal data processed by the Controller are not disclosed, i.e., they are not given to unspecified parties, in any possible form, including making them available or mere consultation. They may, on the other hand, be communicated to the employees working in the employ of the Data Controller and to certain authorized external parties who collaborate with them and/or who are identified as Data Processors.
In particular, on the basis of the roles and work duties performed, the processing of personal data will be carried out by employees expressly instructed and authorized for this purpose to carry out specific processing operations.
They may also be communicated, to the extent strictly necessary, to the Entities in charge in the case of fulfillments related to the regulations in force, as well as to the subjects entitled to access them by virtue of provisions of the law, regulations, community regulations such as, for example, Public Security Authorities.
Data Retention
Video-recorded images shall be retained for a maximum period of 7 (seven) days following the detection. In the case of events of special significance that may result in a specific investigative request from the judicial authority or judicial police, the retention period of the images shall be determined by the Authority itself, or shall be extended until the request is fulfilled and the investigation is concluded.
Refusal to provide data
The provision of personal data, insofar as it cannot be avoided in order to access the workplaces of CPL CONCORDIA Soc. Coop. is necessary for the pursuit of the legitimate interest of the Data Controller and has, for the data subject, a mandatory nature. Therefore, refusal to provide them will prevent access.
In addition, the data subject is required to comply with company procedures, regulations and practices.
This information is provided in accordance with Article 13 GDPR 679/16 – “European Regulation on the Protection of Personal Data”, to drivers and in general to all persons temporarily present at the “Safe Parking Bronze Level” Quadrante Europa in Verona, as they enter the perimeter subject to video surveillance systems.
Data source
Video surveillance system.
Data categories processed
Images and videos of people and vehicles collected through the video surveillance system.
Purpose of processing
The above personal data are processed for purposes of safe and secure parking areas as per Commission Delegated Regulation (EU) 2022/1012 of April 7, 2022 regarding the establishment of standards specifying the level of service and security of safe and secure parking areas and procedures for their certification.
Legal basis for processing
Guests’ personal data are lawfully processed to fulfill a legal obligation to which the Data Controller is subject under Article 8a(1) of Regulation (EC) No. 561/2006.
Recipients of the data
The personal data processed by the Data Controller are not disseminated, i.e., they are not given to unspecified subjects, in any possible form, including making them available or simple consultation. They may, on the other hand, be disclosed to the employees working in the employ of the Data Controller and to certain authorized external parties who work with them and/or who are identified as Data Processors.
In particular, on the basis of the roles and work duties performed, the processing of personal data will be carried out by employees expressly instructed and authorized for this purpose to carry out specific processing operations.
They may also be communicated, to the extent strictly necessary, to the Entities in charge in the case of fulfillments related to the regulations in force, as well as to the subjects entitled to access them by virtue of provisions of the law, regulations, community regulations such as, for example, Public Security Authorities.
Data Retention
Video-recorded images shall be retained for a maximum period of 30 (thirty) days following detection, as provided for in the requirements for “Bronze Level” certification expressed in Annex 1, Table 2 of Commission Delegated Regulation (EU) 2022/1012 of April 7, 2022.
In the case of events of special significance that may result in a specific investigative request from the judicial authority or judicial police, the retention period for the images shall be determined by the Authority itself, or shall be extended until the request is fulfilled and the investigation is concluded.
Refusal to provide data
The provision of personal data, as it cannot be avoided in order to access the sites, is necessary and has, for the person concerned, a mandatory nature. Therefore, refusal to provide them will prevent access.
In addition, the data subject is required to comply with the procedures and regulations of the “Safe Parking Bronze Level” Quadrante Europa of Verona.
This information is provided in accordance with Art. 13 GDPR 679/16 – “European Regulation on the Protection of Personal Data”, to guests and in general to all persons (non-employees) temporarily present at the premises of CPL CONCORDIA Soc. Coop. for visits, deliveries, maintenance work and for any additional occasional or previously agreed events:
(i) who fill out the declaration required during the epidemiological emergency phase by COVID-19 and are subjected to body temperature measurement in order to ensure compliance with the safety protocols CPL has in place, as well as those
(ii) who, carrying out a work activity in the private sector, are subject to the obligation to possess and exhibit the COVID-19 Green Certification for the purpose of access to workplaces where the said activity is carried out.
Background:
Decree Law No. 127 of 21/09/2021, published in the Official Gazette No. 226 of 21/09/2021, stipulates in Article 3, that anyone who carries out a work activity in the private sector is subject to the obligation to possess and exhibit the COVID-19 Green Certification for the purpose of access to workplaces where the said activity is carried out. CPL CONCORDIA Soc. Coop. therefore, has adopted the “Company Protocol COVID-19 phase 4 rev.0” and proceeds with the aforementioned checks in the manner contained therein. If the person refuses to produce the above Green Certification, or if it is found to be invalid, he or she will not be allowed to enter the workplace and persons in such a condition will be removed.
Data Source
The personal data processed are provided by the data subjects through the completion of the above statement during visits or interventions, interviews or work sessions, delivery or pickup of goods, packages, correspondence at the premises; through the exhibition of the green pass, as well as through the detection of body temperature.
Data processed
- green pass verified through the “VerificationC19” App (downloaded to mobile device or other suitable equipment provided by the Cooperative and set to “basic” verification) which will only show a graphic sign on the device (green light), without recording or storing the same. As of 02/28/2022, the medical certificate for exemption from vaccination (issued on the basis of Circular 0035309-04/08/2021 of the Ministry of Health) is verifiable only in digitized mode, in the same manner as the green pass;
- identifying details (in particular first name, last name and date of birth) of the person concerned;
- body temperature, without recording or storing it except that, in the case of a temperature above 37.5°, it is not necessary to demonstrate the reason for denial of access.
Purpose of processing
The above personal data are processed during the epidemiological emergency phase, for the prevention of COVID-19 infection as well as to fulfill a legal obligation introduced by L.D. 127/2021.
Legal basis for processing
Guests’ personal data are lawfully processed to fulfill a legal obligation to which the data controller is subject (Art. 6 lett c) ex L.D. 127/2021.
Recipients of the data
The personal data processed by the Data Controller are not disseminated, i.e. they are not given to unspecified parties, in any possible form, including making them available or simply consulting them. They may, on the other hand, be disclosed to the employees working in the employ of the Data Controller and to certain authorized external parties who collaborate with them and/or who are identified as Data Processors.
In particular, on the basis of the roles and work tasks performed, the processing of personal data will be carried out by employees expressly instructed and authorized for this purpose to carry out specific processing operations (such as RSPP and guest receptionists or goods receptionists). They may also be communicated, to the extent strictly necessary, to the Entities in charge in the case of fulfillments related to the regulations in force, as well as to subjects entitled to access them by virtue of provisions of the law, regulations, community regulations such as, for example, Public Security Authorities and/or Health Personnel.
Data Retention
The Data Controller retains and processes personal data for the time necessary to fulfill the stated purposes. In particular, the data released through declaration will be deleted two months after the end of the epidemiological emergency phase from COVID-19.
The Green Pass is not kept but will be verified throughout the period of validity of the above-mentioned DL.
Revocation of consent
With reference to Article 7 of GDPR 679/16, the data subject may revoke any consent given at any time. However, it should be noted that the processing of data conferred by declaration is lawful and permitted even in the absence of consent.
Refusal to provide data
The data subject may refuse to provide his or her personal data to the Data Controller, since providing such data is optional. However, refusal to provide it means that the data subject will not be able to access the offices of CPL CONCORDIA Soc. Coop.
This information is provided to individuals who access and consult the website of “CPL CONCORDIA Soc. Coop.”, pursuant to Article 13 GDPR 679/16 – “European Regulation on the Protection of Personal Data”.
Purposes of the processing
The computer systems and software procedures responsible for the operation of this website acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols.
This information is not collected to be associated with identified interested parties, but by its very nature could, through processing and association with data held by third parties, allow users to be identified.
This category of data includes the IP addresses or domain names of the computers used by users connecting to the site, the URI (Uniform Resource Identifier) notation addresses of the resources requested, the time of the request, the method used in submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error…) and other parameters relating to the user’s operating system and computer environment.
This data is used for the sole purpose of obtaining anonymous statistical information on the use of the site and to check its correct operation and is deleted immediately after processing.
The data could be used to ascertain responsibility in case of hypothetical computer crimes against the site.
Legal basis for processing
The use of technical cookies is a processing carried out in the legitimate interest of the Data Controller; the use of analytical cookies is carried out with the consent of the data subject.
Recipients of the data
The Data Controller does not disclose any data or personally identifiable information to third parties except, if necessary and to the extent strictly necessary, to those who intervene as suppliers for the provision of services inherent to the management of the website and for the consequent management of the contractual relationship and related administrative requirements.
Transfer of data
The Data Controller does not transfer personal data to third countries or international organizations.
Data Retention
The Data Controller retains the data for as long as is necessary to obtain anonymous statistical information on the use of the site and to monitor its proper functioning. The data are deleted immediately after processing.
Rights of the data subject
With reference to articles 15 – right of access, 16 – right to rectification, 17 – right to erasure, 18 – right to restriction of processing, 20 – right to portability, 22 – right to object to automated decision making of the GDPR 679/16, the data subject exercises his/her rights by writing to the Data Controller at the above address, or by email, specifying the subject of his/her request, the right he/she intends to exercise and attaching a photocopy of an identity document attesting to the legitimacy of the request.
The Data Controller recalls in particular that any data subject may exercise the right to object in the forms and ways provided for in Article 21 GDPR 679/2016.
Revocation of consent
With reference to Article 7 of GDPR 679/16, the data subject may revoke consent at any time.
Proposition of complaint
The data subject has the right to lodge a complaint with the supervisory authority of the state of residence.
Refusal to provide data
The data subject may refuse to provide the Data Controller with his/her browsing data.
To do so, he or she must disable cookies by following the instructions provided by the browser in use.
Disabling cookies may worsen the navigation and enjoyment of the site’s functionalities.
Automated decision-making processes
The Data Controller does not carry out processing that consists of automated decision-making processes.
Types of Cookies
Cookies are information placed on your browser when you visit a website or use a social network with your pc, smartphone or tablet.
Each cookie contains various data such as, for example, the name of the server it came from, a numeric identifier, etc.
Cookies can remain in the system for the duration of a session (i.e., until you close the browser used for web browsing) or for long periods and may contain a unique identifier code.
Technical cookies
Some cookies are used to perform computer authentication, session tracking and storage of specific information about users accessing a web page.
These so-called technical cookies are often useful because they can make web browsing and enjoyment faster and quicker, as they intervene, for example, to facilitate certain procedures when you shop online, when you authenticate to restricted areas, or when a website automatically recognizes the language you usually use.
A particular type of cookies, called analytics, are then used by website operators to collect information, in aggregate form, on the number of users and how they visit the site itself, and thus to develop general statistics on the service and its use.
Profiling cookies
Other cookies, on the other hand, can be used to monitor and profile users while they are browsing, studying their movements and web browsing or consumption habits (what they buy, what they read, etc.), including for the purpose of sending targeted and personalized service advertisements (so-called Behavioural Advertising). We speak in this case of profiling cookies.
It may happen that a web page contains cookies from other sites and contained in various elements hosted on the page itself, such as advertising banners, images, videos, etc. These are so-called third-party cookies, which are usually used for profiling purposes.
Given the particular invasiveness that profiling cookies (especially third-party cookies) can have within the private sphere of users, European and Italian regulations provide that the user must be adequately informed about their use and express his or her valid consent to the insertion of cookies on his or her terminal.
Cookies used
The www.cpl.it website uses cookies to make the website services easier and more efficient for the user viewing the web pages. Users accessing the site will receive very small amounts of information on the devices they use, whether computers or mobile devices, in the form of small text files, known as “cookies”, stored in directories used by their browsers.
The cookies used by www.cpl.it make it possible to:
- store browsing preferences;
- avoid re-entering the same information multiple times;
- analyze the use of services and content provided by the site to optimize the browsing experience.
This notice is provided pursuant to Article 13 GDPR 679/16 – “European Regulation on the Protection of Personal Data,” to participants in videoconferences conducted – and sometimes recorded – through the platforms used by CPL CONCORDIA.
During the call and/or before accessing the platform, the organizer will warn of the possibility that the videoconference will be video-recorded.
In the case of videoconferences involving parties outside the organization.
During accreditation, if identification of participants is not required, those who wish to do so have the option of using a pseudonym during registration, as well as disabling the video camera and/or microphone.
In any case, the organizer will warn before the start of the recording that it is about to start, inviting those who do not wish to be filmed to turn off their camera and/or microphone.
Space will be provided for questions, which can be addressed to the speaker verbally or, for those who do not wish to be recorded, with written questions on the chat.
The video material will be made available through the tools provided by company policies to participants in the videoconference, or to those invited but absent, and in any case, depending on the type of event, CPL CONCORDIA Soc. Coop. reserves the right to publish photographs and videos on its websites or other media.
Data source
The personal data processed are provided by the data subjects when participating in the videoconference on the platforms used by CPL CONCORDIA Soc. Coop.
In addition, the platform used may generate logs related to the data subject’s accesses.
Purposes of the processing
The personal and contact data of the participants in the videoconference are processed for purposes of detecting access and participation and for the possible activity of sending material related to the event.
The processing of any recorded images and audio, involving the interested parties, is done for the eventual follow up or training activity, as well as for the promotion of company initiatives and the image of CPL CONCORDIA Soc. Coop.
Legal basis of the processing
Depending on the types of events, guests’ personal data are lawfully processed for:
- Execution of a contract or pre-contractual measure with regard to platform access control and participation detection, registration and image and audio processing;
- legitimate interest of the Data Controller with regard to platform access control and participation detection;
- consent of the interested party for the accreditation or not with pseudonym (where possible) and for the recording and for the processing of images and audio, given through behavior that clearly indicates that in this context the interested party – forewarned of the start of the recording – accepts the proposed processing by keeping the webcam and/or microphone in operation as an unequivocal positive act.
The platform used may generate logs related to the data subject’s accesses kept for the legitimate interest of the Data Controller.
Recipients of the data
The personal data conferred by the data subject and processed by the Data Controller may be communicated to workers employed by the Data Controller and to certain authorized external parties who work with them and/or who must supply goods and/or perform services on behalf of the Data Controller, who are identified as Data Processors.
In particular, on the basis of the roles and work tasks performed, the processing of personal data will be carried out by employees for this purpose expressly instructed and authorized to carry out specific processing operations.
Finally, they may be communicated to the Entities in charge in the case of fulfillments related to the regulations in force, as well as to the subjects entitled to access them by virtue of provisions of the law, regulations, EU regulations.
Depending on the type of event, the photographs and videos taken during the videoconference may be published on the company intranet or other internal platforms, or on the websites of CPL CONCORDIA Soc. Coop. and other media.
Data Retention
The Data Controller retains and processes personal data for as long as necessary to fulfill the stated purposes. In particular:
In the case of consent-based processing, data are retained until consent is revoked. From the moment of the eventual online dissemination of audiovisual material, it is likely no longer possible to manage its deletion. However, if the right to be forgotten is exercised, taking into account available technology and implementation costs, CPL takes reasonable measures to ensure the deletion of any link, copy or reproduction of personal data.
In the case of processing based on performance of a contract, data are retained for 10 years after termination of the contractual relationship.
In case of processing based on legitimate interest, the term is diversified according to the purpose.
Refusal to provide data
Except for the types of events in which the processing of personal data is carried out exclusively on the basis of consent, refusal to provide the personal data necessary to control access to the platform during accreditation and the detection of participation, as well as video recording, results in the inability to access the event.
Consent of the interested party to the processing of their data during accreditation and/or their images and/or audio related to the videoconference
Prior to the start of the recording, the organizer will inform participants that the videoconference will be video-recorded, so that they can enter a pseudonym (where possible, if desired) and keep the camera and/or microphone turned off if they do not wish to be filmed.
In such a case, the voluntary accreditation with one’s own name and surname or the voluntary switching on of the camera and/or microphone by the interested parties will authorize the carrying out of the aforementioned filming for the promotion of the event in full freedom and autonomy, without conditions or reservations and completely free of charge.
The consent of the interested party for the processing of identification data and images and/or audio is therefore given by means of behavior that clearly indicates that in this context the interested party – forewarned of the start of the recording – accepts the proposed treatment, that is, by entering his/her name and surname and/or keeping the webcam and/or microphone running as an unequivocal positive act.
It is always without prejudice to the data subject’s right to revoke consent at any time without affecting the lawfulness of the processing based on the consent given before revocation.
Revocation of consent
With reference to art. 7 of GDPR 679/2016, the data subject may revoke any consent given at any time. However, depending on the type of event, the processing of the data covered by this information notice could be lawful and permitted even in the absence of consent, as it is necessary to verify access control and attendance detection during the videoconference, as well as to allow the subsequent sending of material related to the event.
For certain types of events, CPL CONCORDIA Soc. Coop. reserves the right to publish photographs and videos on its websites or other media, always respecting the right to report, the right to image and the right to privacy. For this reason, anyone who considers his or her presence within photographs or videos published on Internet sites or in other media under the control of CPL CONCORDIA Soc. Coop. inappropriate or undesirable – always without prejudice to the right to keep the camera off during the event – may request that his or her image be obscured, or, where justifiable reasons exist, that the material concerning him or her be removed. Such requests should be addressed, by e-mail, to: gdpr@cpl.it. If after the aforementioned publication, the material is downloaded onto smartphones, tablets and personal computers, or published and disseminated on the Internet (personal sites, blogs, social networks, etc.) by third parties other than CPL CONCORDIA Soc. Coop., the latter will not be responsible for the transmission of such content on any other site over which it has no control and will therefore not be responsible for the abuse that third parties may possibly make of others’ images. Any such content shall not be considered in any way sponsored, shared or supported by CPL CONCORDIA Soc. Coop. However, if the right to be forgotten is exercised, taking into account the available technology and the costs of implementation, CPL CONCORDIA takes reasonable measures to ensure the deletion of any link, copy or reproduction of personal data.
This information is provided in accordance with Art. 13 GDPR 679/16 – “European Regulation on the Protection of Personal Data”, to the individuals immortalized during the execution of filming through smart glasses and in general to all persons temporarily present at the places/facilities subject to remote inspection or assistance by CPL CONCORDIA Soc. Coop. (subject to agreement with those who hold the ownership of the places subject to filming). The processing concerns the collection of images and audio, but for preservation purposes, as far as images are concerned, the faces of individuals are obscured.
Data processed
Audio and video footage (henceforth, generically, “Footage”) of people and any means of transportation collected through the use of smart glasses.
Data source
Filming through smart glasses.
Purpose of processing
The above personal data are processed for the following purposes: to provide remote technical assistance with respect to the operation of facilities or the performance of inspections.
Legal basis for processing
Guests’ personal data are lawfully processed to pursue the legitimate interest of the Data Controller, i.e. to effectively facilitate remote technical assistance with respect to the operation of facilities or the performance of inspections.
Recipients of the data
The personal data processed by the Data Controller are not disseminated, i.e., they are not given to unspecified subjects, in any possible form, including making them available or simple consultation. They may, on the other hand, be disclosed to workers employed by the Data Controller and to certain authorized external parties who work with them and/or who are identified as Data Processors.
In particular, on the basis of the roles and work duties performed, the processing of personal data will be carried out by employees for the purpose expressly instructed and authorized to carry out specific processing operations.
They may also be communicated, to the extent strictly necessary, to the Entities in charge in the case of fulfillments related to the regulations in force, as well as to the subjects entitled to access them by virtue of provisions of the law, regulations, community regulations such as, for example, Public Security Authorities.
Data Retention
The Footage is kept for a maximum period of one year following the detection, applying security measures to obscure the faces of individuals for the preservation of the video.
Refusal to provide data
The provision of personal data is not mandatory, and those who do not wish to be immortalized may report this to the operator who, wearing the smart glasses, is conducting the filming. Any requests after that time can still be addressed, by e-mail, to: gdpr@cpl.it.
In any case, thereafter, for preservation purposes, the faces of individuals are obscured.
“Whistleblowing” means any communication received by CPL pertaining to the internal control system and concerning violations of national or European Union regulatory provisions that harm the public interest or the integrity of the public administration or CPL including conduct carried out in violation of the Code of Ethics, laws, regulations, measures of the Authorities, internal regulations, Model 231 however likely to cause damage or harm, even if only in terms of image, to CPL.
Due to the above, pursuant to Article 13 of the GDPR 2016/679, the following information on the processing of personal data is provided.
Identity of the Data Controller
The Data Controller of any processing carried out is CPL CONCORDIA Soc. Coop. with registered and administrative office in Via A. Grandi 39 – 41033 Concordia sulla Secchia (MO), e-mail address: gdpr@cpl.it.
The Data Controller guarantees the security, confidentiality and protection of the personal data in its possession, at any stage of the data processing process.
Data Protection Officer
The Data Controller has designated a Data Protection Officer pursuant to Article 37, domiciled for the purpose at the company’s registered office and reachable at dpo@cpl.it.
Data Source
Information may possibly be provided in the Report by the reporter;
Information may possibly be acquired during the necessary investigative activities (e.g., public sources, third-party interviewees, etc.);
Information may possibly be provided during the process of handling the Report;
Other information concerns traffic LOGs [1] regarding connections to the whistleblowing platform recorded on CPL’s corporate systems.
IMPORTANT:
The whistleblowing platform adopted (WhistleTech) guarantees the protection of the whistleblower’s anonymity.
In fact, it does not record the IP address of the whistleblower, nor information about the browser used by the whistleblower or regarding the computer or operating system. In addition, the application does not incorporate any third-party content, nor does it provide persistent cookies to the browser.
The logs recorded by the platform never contain any IP addresses related to the reporters.
CPL has implemented in-house IT security systems that detect traffic logs of web-based connections. The Company has taken measures to anonymize traffic logs regarding connections to the whistleblowing platform wherever technically possible.
However, when using company PCs and/or smartphones connected to the Internet (via any connection), some company IT protection and security systems record traffic logs regarding connections to the whistleblowing platform.
This involves recording on some systems, within the log, the user and IP address that made the connection to the WhistleTech platform.
It is understood that the activity that is carried out by the whistleblower after accessing the platform (which, moreover, may concern distinct types of reports) is not detected in any way, but only the “call” to the platform, that is, the connection to it.
Specifically, such logs are collected by:
- Web filter;
- Antivirus/Antimalware/EDR agent systems installed on all machines.
These logs are kept, depending on the system involved, for a minimum period of 30 days up to a maximum period of 100 days.
In such cases, where it is technically impossible to exclude logging or anonymize the logs, the following organizational mitigation measures are implemented:
- consultation of such traffic logs can only and exclusively take place by a limited number of figures identified among the System Administrators;
- a specific approval process has been established regarding the possibility of consultation of these types of logs only and exclusively for purposes of computer incident resolution. The process requires that the DPO be informed with respect to this circumstance;
- administrative logs, i.e., traces indicating System Administrators’ access to platforms for consulting all user logs on corporate systems, are always recorded. Administrative logs are checked periodically by DPOffice.
To ensure complete anonymity for the reporter, it is recommended that the report be made from a personal device via a non-company private network.
Data processed
- generalities of the reporter, if stated;
- generalities of the reporter;
- all data provided by the reporter in order to represent the alleged illegal conduct of which he/she has become aware by reason of his/her relationship with CPL;
- all data that may emerge from subsequent investigative activities or otherwise during the process of handling the Report;
- Traffic LOGs regarding connections to the Whistleblowing platform recorded on company systems.
Personal data will also be processed by electronic means, recorded in special databases, and used strictly and exclusively for the purposes indicated. Where appropriate, with respect to the purposes outlined, processing will be carried out in aggregate/anonymous form.
Data Subjects
- if the reporting parties do not intend to remain anonymous and thus enter their personal details: subjects internal to CPL, Stakeholders and other third parties, witnesses of an offence or irregularity referable to CPL subjects (as provided for by Legislative Decree 231/2001);
- subjects reported as perpetrators of an offence or irregularity pursuant to Legislative Decree 231 of 2001 and/or violations of a wilful or fraudulent nature of Model 231;
- subjects informed about the facts.
Purpose and Legal Basis of Processing
The Controller will process your personal data for:
- Purposes of compliance with regulatory obligations, laws and provisions of Authorities legitimized by law. That is, to effectively prevent and combat fraudulent behavior and illegal or irregular conduct committed in violation of national or European Union regulatory provisions that harm the public interest or the integrity of the public administration or private entity, and to support the effective application and operation of the Organization, Management and Control Model ex D. Lgs. 231/2001 (so-called “Model 231”), as well as to manage and organize the Reports received, including activities of assessment and internal investigations related to the verification of the conduct subject to Reporting and establishment of proceedings, including disciplinary proceedings, to the extent required by applicable regulations. In addition, personal data may be processed to follow up on requests from the competent administrative or judicial authority and, more generally, public subjects in compliance with legal formalities. For the purposes described above, personal data will possibly be processed for the fulfillment of legal obligations to which the Controller is subject.
- Further processing based on the legitimate interest of the Controller or a third party, such as:
- the Controller’s internal control and business risk monitoring needs, as well as for the optimization and streamlining of internal business and administrative management processes;
- ascertaining, exercising or defending a right or legitimate interest of the Controller or a third party (including other companies of the CPL CONCORDIA Group) in any competent forum. The legal basis for the processing is represented by the pursuit of the legitimate interest of the Data Controller or third parties, represented by the right of defense and the interest in ensuring the effectiveness and efficiency of the internal control system, concerning conduct referable to CPL’s subjects (as provided for by Legislative Decree 231/2001) also in order to effectively prevent and counter fraudulent conduct and illegal or irregular conduct. This legitimate interest has been appropriately assessed by the Data Controller;
- needs for IT security management and asset protection and data security, user support and systems maintenance, security and perimeter protection regarding traffic logs regarding connections to the Whistleblowing platform recorded on company systems.
Recipients and scope of data communication
The personal data processed by the Data Controller will not be disseminated, i.e. they will not be disclosed to unspecified subjects, in any possible form, including making them available or simple consultation. They may, on the other hand, be communicated to workers employed by the Data Controller and to certain authorized external parties who work with them and/or who are identified as Data Processors.
In particular, on the basis of the roles and work duties performed, the processing of personal data will be carried out by employees for this purpose expressly instructed and authorized to carry out specific processing operations and in charge of the management of the Report.
In those cases where it is technically impossible to exclude logging or anonymize the logs, their possible consultation can take place only and exclusively by the figures identified as System Administrators subject to a specific approval process regarding the possibility of consultation of these types of logs only and exclusively for purposes of computer incident resolution. The process requires that the DPO be informed with respect to this circumstance.
In addition, administrative logs (i.e., traces indicating System Administrators’ access to the platforms for consulting all user logs on company systems) are always recorded and periodically checked by DPOffice.
The Data Controller may also communicate, as long as it is necessary for the pursuit of the purposes of the processing and on the basis of the same prerequisites of lawfulness indicated, the personal data collected to third parties belonging to the following categories:
- Risk & Compliance Managers;
- members of the SB;
- police forces, competent authorities and other public administrations. These parties will act as autonomous data controllers;
- subsidiaries or affiliated companies pursuant to Article 2359 of the Italian Civil Code, i.e., consortia, networks of companies and to entities belonging to temporary associations of companies, limited to the aspects within their competence (e.g., in the event that the Reporting also concerns their employees). Unless otherwise indicated, these entities will act as autonomous data controllers;
- auditing companies and other companies contractually linked to the Data Controller that perform, by way of example, consulting activities, support for the provision of services, etc., which will act, as the case may be, as autonomous data controllers, or as data processors on the basis of a specific agreement on the processing of personal data concluded pursuant to Article 28 GDPR.
Transfer of data
The Data Controller does not transfer personal data to third countries or to international organizations.
In the case of using any cloud services, the providers are selected from those who have servers in Europe. In case it becomes necessary to transfer data outside the EU (e.g., in case of a contract with a multinational company), CPL will verify that the providers provide adequate guarantees, as required by Art. 46 GDPR 679/2016 and will update the notice.
Storage Period
The data will be processed in the paper and computer archives of the Data Controller and protected by appropriate security measures for the period of time not exceeding that which is indispensable to achieve the purposes for which they are collected and for the greater period of time that may be necessary to comply with legal provisions and/or for the purposes of judicial protection, in compliance with ordinary prescriptive terms. In detail, except for possible cases that imply and require a longer retention of Reports than that related to the mere management and resolution of the same, as a liability profile is identified, personal data will be retained for 2 years. At the end of the retention period, your personal data will be deleted or irreversibly anonymized.
Traffic logs are retained, depending on the system involved, for a minimum period of 30 days up to a maximum period of 100 days.
Rights of the data subject
In general, with reference to Articles 15 – right of access, 16 – right to rectification, 17 – right to erasure, 18 – right to restriction of processing, 20 – right to portability, 22 – right to object to automated decision making of the GDPR 679/2016, data subjects – subject to proof of identity – exercise their rights by writing to the Data Controller CPL CONCORDIA Soc. Coop. at the above address, also by e-mail (gdpr@cpl.it), specifying the subject of the request, the right to be exercised.
The Data Controller recalls in particular that any data subject may exercise the right to object in the forms and ways provided for in Article 21 GDPR 679/2016.
All useful information and forms are made available by the Data Controller at https://www.cpl.it/en/revocation-of-consent-and-exercise-of-data-subject-rights/
In this specific case, however, pursuant to Art. 2-undecies and 2-duodecies of the “Privacy Code” and Article 23 GDPR:
The Controller reserves the right to limit or delay the exercise of these rights, within the limits set by the applicable provisions of law, particularly where there is a risk that actual, concrete and not otherwise justified prejudice to the confidentiality of the identity of the Reporting Person may result and that the ability to effectively verify the merits of the Reporting or to gather the necessary evidence may be compromised.
In particular, the exercise of these rights:
- will be carried out in accordance with the provisions of the law or regulations governing the field (including Legislative Decree No. 231/2001 as amended by Law No. 179/2017);
- may be delayed, limited or excluded by reasoned communication made without delay to the data subject, unless the communication may compromise the purpose of the limitation, for the time and to the extent that this constitutes a necessary and proportionate measure, taking into account the fundamental rights and legitimate interests of the data subject, in order to safeguard the confidentiality of the identity of the reporter.
Proposition of complaint
The data subject has the right to lodge a complaint with the supervisory authority of the state of residence.
If the data subject believes that the processing has been carried out in violation of the legislation on the protection of personal data, he or she has the right to lodge a complaint with the Guarantor Authority for the Protection of Personal Data, Piazza Venezia, 11 – 00187 – Rome, through forms immediately available at the following link: www.garanteprivacy.it/diritti/come-agire-per-tutelare-i-tuoi-dati-personali/reclamo.
Nature of data provision and consequences in case of refusal
With regard to the information provided, the provision of personal data is not mandatory; however, failure to provide the necessary data will prevent the execution of the activity.
Automated decision-making processes
The Controller does not carry out processing that consists of automated decision-making processes.
[1] In general, logs are files that record, and thus allow reconstruction of, the entire “history” of operations performed by a user or machine. Through logs, in fact, all the operations, in chronological order, performed in the normal use of a software, an application or more simply a computer are recorded. The log also records all operations that a computer performs on its own, without the need for human intervention. Enterprise-wide log management makes it possible to monitor a range of activities including system accesses made in a given time frame (including those outside working hours, those that failed, or those via VPN), failed transactions, any anomalies (both software and hardware), and possible malware threats. Such information is necessary to understand the state of corporate IT security: both in the case of normal machine operation but, more importantly, records of errors and problems as well as possible hacker attacks, thus enabling the IT function to investigate the causes and resolve the problems, preventing or blocking detrimental situations in a timely manner.
“Whistleblowing” means any communication received by CPL pertaining to the internal control system and concerning activities, processes and behaviors referable to subjects of CPL, which impact on issues related to the conditions of workers (human rights, development, valorization, training and professional growth of people, health and safety of workers, prevention and management of discrimination and harassment, work of minors and youth).
Due to the above, pursuant to Article 13 of GDPR 2016/679, the following information on the processing of personal data is provided.
Identity of the Data Controller
The Data Controller of any processing carried out is CPL Concordia Soc. Coop. with registered and administrative office in Via A. Grandi 39 – 41033 Concordia sulla Secchia (MO), e-mail address: gdpr@cpl.it.
The Data Controller guarantees the security, confidentiality and protection of the personal data in its possession, at any stage of the data processing process.
Data Protection Officer
The Data Controller has designated a Data Protection Officer pursuant to Article 37, domiciled for the purpose at the company’s registered office and reachable at dpo@cpl.it.
Data Source
Information may possibly be provided in the Report by the reporter;
Information may possibly be provided during the process of handling the Report;
Other information relates to traffic LOGs[1] regarding connections to the reporting collection platform recorded on CPL’s business systems.
IMPORTANT:
The reporting collection platform adopted (WhistleTech) guarantees the protection of the reporter’s anonymity.
It, in fact, does not record the IP address of the reporter, nor information about the browser used by the reporter or regarding the computer or operating system. In addition, the application does not incorporate any third-party content, nor does it provide persistent cookies to the browser.
The logs recorded by the platform never contain any IP addresses related to the reporters.
CPL has implemented in-house IT security systems that detect traffic logs of web-based connections. The Company has taken measures to anonymize traffic logs regarding connections to the report collection platform wherever technically possible.
However, when using company PCs and/or smartphones connected to the Internet (via any connection), some company IT protection and security systems record traffic logs regarding connections to the report collection platform.
This involves recording on some systems, within the log, the indication of user and IP address that made the connection to the Whistletech platform.
It is understood that the activity that is carried out by the reporter after accessing the platform (which, moreover, may concern distinct types of reports) is not detected in any way, but only the “call” to the platform, that is, the connection to it.
Specifically, such logs are collected by:
- Web Filter
- Antivirus/ Antimalware/ EDR agent systems installed on all machines.
These logs are kept, depending on the system involved, for a minimum period of 30 days up to a maximum period of 100 days.
In such cases, where it is technically impossible to exclude logging or anonymize the logs, the following organizational mitigation measures are implemented:
- consultation of such traffic logs may only and exclusively take place by a limited number of figures identified among the System Administrators;
- a specific approval process has been established regarding the possibility of consultation of these types of logs only and exclusively for purposes of computer incident resolution. The process requires that the DPO be informed with respect to this circumstance;
- administrative logs, i.e., traces indicating System Administrators’ access to platforms for consulting all user logs on corporate systems, are always recorded. Administrative logs are checked periodically by DPOffice.
To ensure complete anonymity for the reporter, it is recommended that the report be made from a personal PC via a private, non-company network.
Data processed
Generalities of the reporter, if stated
Generalities of the reporter, if any
All data provided by the reporter in order to represent the incident related to the employment relationship. All data that may emerge during the process of handling the Report. Traffic LOGs regarding connections to the reporting collection platform, recorded on company systems.
Personal data will also be processed by electronic means, recorded in special databases, and used strictly and exclusively for the stated purposes. Where appropriate, with respect to the purposes outlined, processing will be carried out in aggregate/anonymous form.
Data Subjects
- Whistleblowers, if they do not wish to remain anonymous and thus enter their personal details;
- Reported Subjects;
- As appropriate, if permitted and necessary, subjects informed about the facts.
Purpose and Legal Basis for Processing
The Data Controller will process personal data arising from Reports for the purpose of obtaining and maintaining SA8000:2014, ISO 30415, and UNI 125 certification.
In addition, with regard to traffic logs regarding connections to the reporting collection platform recorded on the company’s systems, for the needs of IT security management and asset protection and data security, user support and system maintenance, security and perimeter protection.
For both processing of personal data described above, the legal basis is the Owner’s Legitimate Interest.
The processing of any special data arising from Reports is done pursuant to Article 9 par 2 lett b) (labor and social security law), which the data subject voluntarily provides with the Report.
If a dispute with the Company arises, the Controller may process the data pursuant to Article 9 par 2 letter f) to establish, exercise or defend a right in court.
Recipients and scope of data communication
The personal data processed by the Data Controller will not be disseminated, i.e. they will not be disclosed to unspecified subjects, in any possible form, including making them available or simple consultation. They may, on the other hand, be communicated to workers employed by the Data Controller and to certain authorized external parties who work with them and/or who are identified as Data Processors.
In particular, on the basis of the roles and work duties performed, the processing of personal data will be carried out by employees for this purpose expressly instructed and authorized to carry out specific processing operations and in charge of the management of the Report.
In those cases where it is technically impossible to exclude logging or anonymize the logs, their possible consultation can take place only and exclusively by the figures identified as System Administrators subject to a specific approval process regarding the possibility of consultation of these types of logs only and exclusively for purposes of computer incident resolution. The process requires that the DPO be informed with respect to this circumstance.
In addition, administrative logs (i.e., traces indicating System Administrators’ access to the platforms for consulting all user logs on corporate systems) are always recorded and periodically checked by the DPOffice.
Reports are received by two receiving parties:
- Social Performance Team (SPT) Coordinator;
- Diversity Equity & Inclusion Specialist (DEIS).
The recipients, depending on the type of Report received, may also disclose, as long as permitted by the regulations and if strictly necessary for the pursuit of the purposes of the processing and on the basis of the same prerequisites of lawfulness indicated, the personal data collected to individuals belonging to the following categories:
- Social Performance Team members;
- DSOC or other figures belonging to the Development, Organization and Skills function;
- police forces, competent authorities and other public administrations. These entities will act as autonomous data controllers;
- subsidiaries or affiliated companies pursuant to Article 2359 of the Italian Civil Code, i.e., consortia, networks of companies and to entities belonging to temporary associations of companies, limited to the aspects within their competence (e.g., in the event that the Reporting also involves their employees as reporters). Unless otherwise indicated, these entities will act as autonomous data controllers;
- auditing companies and other companies contractually linked to the Data Controller that perform, by way of example, consulting activities, support for the provision of services, etc., which will act, as the case may be, as autonomous data controllers, or as data processors on the basis of a specific agreement on the processing of personal data concluded pursuant to Article 28 GDPR.
Transfer of data
The Data Controller does not transfer personal data to third countries or to international organizations.
In the case of using any cloud services, the providers are selected from those who have servers in Europe. In case it becomes necessary to transfer data outside the EU (e.g. in the case of a contract with a multinational company), CPL will verify that the providers provide adequate guarantees, as required by Art. 46 GDPR 679/2016 and will update the disclosure.
Storage Period
The data will be processed in the paper and/or computer archives of the Data Controller and protected by appropriate security measures for the period of time not exceeding that which is indispensable to achieve the purposes for which they are collected and for the greater period of time that may be necessary to comply with legal provisions and/or for the purposes of judicial protection, in compliance with ordinary prescriptive terms. In detail, except for any cases that imply and require a longer retention of Reports than that related to the mere management and resolution of the same, personal data will be retained for 3 years from the report and/or for 10 years from the closure of any litigation. At the end of the retention period, your personal data will be deleted or irreversibly anonymized. Traffic logs are retained, depending on the system involved, for a minimum period of 30 days up to a maximum period of 100 days.
Rights of the data subject
In general, with reference to Articles 15 – right of access, 16 – right to rectification, 17 – right to erasure, 18 – right to restriction of processing, 20 – right to portability, 22 – right to object to automated decision making of the GDPR 679/2016, data subjects – subject to proof of identity – exercise their rights by writing to the Data Controller CPL Concordia Soc. Coop. at the above address, also by e-mail (gdpr@cpl.it), specifying the subject of the request, the right to be exercised.
The Data Controller recalls in particular that any data subject may exercise the right to object in the forms and ways provided for in Article 21 GDPR 679/2016.
All useful information and forms are made available by the Data Controller at https://www.cpl.it/en/revocation-of-consent-and-exercise-of-data-subject-rights/
Proposition of complaint
The data subject has the right to lodge a complaint with the supervisory authority of the state of residence.
If the data subject believes that the processing has been carried out in violation of the legislation on the protection of personal data, he or she has the right to lodge a complaint with the Guarantor Authority for the Protection of Personal Data, Piazza Venezia, 11 – 00187 – Rome, through forms immediately available at the following link: https://www.garanteprivacy.it/diritti/come-agire-per-tutelare-i-tuoi-dati-personali/reclamo
Nature of data provision and consequences in case of refusal
With regard to the information provided, the provision of personal data is not mandatory; however, failure to provide the necessary data will prevent the management of the Report.
Automated decision-making processes
The Controller does not carry out processing that consists of automated decision-making processes.
[1] In general, logs are files that record, and thus allow reconstruction of, the entire “history” of operations performed by a user or machine.
Through logs, in fact, all the operations, in chronological order, carried out in the normal use of a software, an application or more simply a computer are recorded. The log also records all operations that a computer performs on its own, without the need for human intervention.
Enterprise-wide log management makes it possible to monitor a range of activities including system accesses made in a given time frame (including those outside working hours, those that failed, or those via VPN), failed transactions, any anomalies (both software and hardware), and possible malware threats. Such information is necessary to understand the state of corporate IT security: both in the case of normal machine operation but, more importantly, records of errors and problems as well as possible hacker attacks, thus enabling the IT function to investigate the causes and resolve the problems, preventing or blocking detrimental situations in a timely manner.
“Report” means any communication received by CPL pertaining to the internal control system and concerning activities, processes and behaviors referable to CPL subjects, which impact on operational issues or inappropriate behavior.
Due to the above, pursuant to Article 13 of GDPR 2016/679, the following information on the processing of personal data is provided.
Identity of the Data Controller
The Data Controller of any processing carried out is CPL CONCORDIA Soc. Coop. with registered and administrative office in Via A. Grandi 39 – 41033 Concordia sulla Secchia (MO), e-mail address: gdpr@cpl.it.
The Data Controller guarantees the security, confidentiality and protection of the personal data in its possession, at any stage of the data processing process.
Data Protection Officer
The Data Controller has designated a Data Protection Officer pursuant to Article 37, domiciled for the purpose at the company’s registered office and reachable at dpo@cpl.it.
Data Source
Information may possibly be provided in the Report by the reporter;
Information may possibly be acquired during the necessary investigative activities (e.g., public sources, third-party interviewees, etc.);
Information may possibly be provided during the process of handling the Report;
It should be noted that the identification of the reporting party is expressly required for this type of Reporting.
In any case, other information relates to traffic LOGs[1] regarding connections to the reporting collection platform recorded on CPL’s corporate systems.
CPL has implemented in-house IT security systems that detect traffic logs of web-based connections. These logs are collected by:
- Web filter;
- Antivirus/ Antimalware/ EDR agent systems installed on all machines.
And they are kept, depending on the system involved, for a minimum period of 30 days up to a maximum period of 100 days.
Data processed
Generalities of the reporter
Generalities of the reporter, if any
All data provided by the reporter in order to represent operational issues or inappropriate conduct of which he/she has become aware by reason of his/her relationship with CPL
All data that may emerge from subsequent investigative activities or otherwise during the process of handling the Report
Traffic LOGs regarding connections to the reporting collection platform, recorded on the company’s systems
Personal data will also be processed by electronic means, recorded in special databases, and used strictly and exclusively for the purposes indicated. Where appropriate, with respect to the purposes outlined, processing will be carried out in aggregate/anonymous form.
Data Subjects
- Whistleblowers: subjects internal to CPL;
- subjects reported;
- subjects informed of the facts.
Purpose and Legal Basis for Processing
The Controller will process your personal data for legitimate interest of the Controller, such as:
- Holder’s internal control and business risk monitoring needs, as well as for the optimization and streamlining of internal business and administrative management processes;
- ascertaining, exercising or defending a right or legitimate interest of the Data Controller or a third party (including other companies of the CPL CONCORDIA Group) in any competent forum;
- needs for information security management and asset protection and data security, user support and systems maintenance, security and perimeter protection regarding traffic logs concerning connections to the reporting collection platform recorded on company systems.
Recipients and scope of data communication
The personal data processed by the Data Controller will not be disseminated, i.e. they will not be disclosed to unspecified subjects, in any possible form, including making them available or simple consultation. They may, on the other hand, be communicated to workers employed by the Data Controller and to certain authorized external parties who work with them and/or who are identified as Data Processors.
In particular, on the basis of the roles and work duties performed, the processing of personal data will be carried out by employees for this purpose expressly instructed and authorized to carry out specific processing operations and in charge of the management of the Report.
In those cases where it is technically impossible to exclude logging or anonymize the logs, their possible consultation can take place only and exclusively by the figures identified as System Administrators subject to a specific approval process regarding the possibility of consultation of these types of logs only and exclusively for purposes of computer incident resolution. The process requires that the DPO be informed with respect to this circumstance.
In addition, administrative logs (i.e., traces indicating System Administrators’ access to the platforms for consulting all user logs on company systems) are always recorded and periodically checked by DPOffice.
The Data Controller may also disclose, provided that it is necessary for the pursuit of the purposes of the processing and on the basis of the same prerequisites of lawfulness indicated, the personal data collected to third parties belonging to the following categories:
- QSAE members;
- Operations Management.
Transfer of data
The Data Controller does not transfer personal data to third countries or international organizations.
In the case of using any cloud services, the providers are selected from those with servers in Europe. In case it becomes necessary to transfer data outside the EU (e.g. in the case of a contract with a multinational company), CPL will verify that the providers provide adequate guarantees, as required by Art. 46 GDPR 679/2016 and will update the disclosure.
Storage period
The data will be processed in the paper and computer archives of the Data Controller and protected by appropriate security measures for the period of time not exceeding that which is indispensable to achieve the purposes for which they are collected and for the longer period of time that may be necessary to comply with legal provisions and/or for the purposes of judicial protection, in compliance with ordinary prescriptive terms. In detail, except for any cases that imply and require a longer retention of Reports than that related to the mere management and resolution of the same, personal data will be retained for 3 years from the report and/or for 10 years from the closure of any litigation. At the end of the retention period, your personal data will be deleted or irreversibly anonymized.
Traffic logs are retained, depending on the system involved, for a minimum period of 30 days up to a maximum period of 100 days.
Rights of the data subject
In general, with reference to Articles 15 – right of access, 16 – right to rectification, 17 – right to erasure, 18 – right to restriction of processing, 20 – right to portability, 22 – right to object to automated decision making of GDPR 679/2016, data subjects – subject to proof of their identity – exercise their rights by writing to the Data Controller CPL Concordia Soc. Coop. at the above address, also by e-mail (gdpr@cpl.it), specifying the subject of the request, the right to be exercised.
The Data Controller recalls in particular that any data subject may exercise the right to object in the forms and ways provided for in Article 21 GDPR 679/2016.
All useful information and forms are made available by the Data Controller at https://www.cpl.it/en/revocation-of-consent-and-exercise-of-data-subject-rights/
Proposition of complaint
The data subject has the right to lodge a complaint with the supervisory authority of the state of residence.
If the data subject believes that the processing has been carried out in violation of the legislation on the protection of personal data, he or she has the right to lodge a complaint with the Guarantor Authority for the Protection of Personal Data, Piazza Venezia, 11 – 00187 – Rome, through forms immediately available at the following link: www.garanteprivacy.it/diritti/come-agire-per-tutelare-i-tuoi-dati-personali/reclamo.
Nature of data provision and consequences in case of refusal
With regard to the information provided, the provision of personal data is not mandatory; however, failure to provide the necessary data will prevent the execution of the activity.
Automated decision-making processes
The Controller does not carry out processing that consists of automated decision-making processes.
[1] In general, logs are files that record, and thus allow reconstruction of, the entire “history” of operations performed by a user or machine.
Through logs, in fact, all the operations, in chronological order, carried out in the normal use of a software, an application or more simply a computer are recorded. The log also records all operations that a computer performs on its own, without the need for human intervention. Enterprise-wide log management makes it possible to monitor a range of activities including system accesses made in a given time frame (including those outside working hours, those that failed, or those via VPN), failed transactions, any anomalies (both software and hardware), and possible malware threats. Such information is necessary to understand the state of corporate IT security: both in the case of normal machine operation but, more importantly, records of errors and problems as well as possible hacker attacks, thus enabling the IT function to investigate the causes and resolve the problems, preventing or blocking detrimental situations in a timely manner.
Purposes of the processing
This information is provided pursuant to Article 13 of GDPR 679/2016 - Information for the processing of personal data for commercial and marketing purposes with the following purposes:
- to guests and in general to all persons temporarily present at the premises where an event organized by CPL CONCORDIA is taking place, as before entering the premises, we inform that during the event photographic and video footage will be taken which may be published on the company intranet, our websites and other media. The processing of images involving data subjects is done for the promotion of corporate initiatives and the corporate image of CPL CONCORDIA.
In addition, personal data is processed for purposes of on-site access control and identification of those present for the management of emergency situations.
- for inclusion of the contact in the marketing database for sending Direct E-mail Marketing such as:
  - promotion of solutions related to products and services of the CPL CONCORDIA group
  - sending of commercial communications
  - invitations to events
- for subscribing to the CPL CONCORDIA Newsletter.
Legal basis for processing
Personal data of data subjects are lawfully processed, for all purposes, with the consent of the data subject.
During events, those who do not wish to be immortalized are asked to notify the reception staff so that they can be given information to sit in the designated area, which will not be filmed by the operator, or they can report this directly to the operator in charge of filming.
Subsequently, anyone who considers their presence within the published photographs or videos inappropriate or undesirable may request that their image be obscured, by e-mail to: gdpr@cpl.it
During events, for the purpose of on-site access control and identification of those present for the management of emergency situations, the processing takes place in execution of a legal obligation (Legislative Decree 81/2008, emergency management).
Recipients of the data
The personal data may be communicated to the facility hosting the event, to the workers employed by the Owner or the facility itself, and to certain authorized external parties, including to organize or promote the Event (such as, for example, P.R. agencies), who collaborate with them and/or who are identified as Data Processors.
In particular, on the basis of the roles and work duties performed, the processing of personal data will be carried out by employees expressly instructed and authorized for this purpose to carry out specific processing operations.
Finally, they may be communicated to the Entities in charge in the case of fulfillments related to the regulations in force, as well as to the subjects entitled to access them by virtue of provisions of the law, regulations, EU regulations.
On the other hand, the photographs and videos taken during the Event may be published on the company Intranet, our websites and other media.
Transfer of data
The Data Controller does not transfer personal data to third countries or to international organizations. In the case of using any cloud services, the providers are selected from those with servers in Europe. In the event that a transfer of data outside the EU becomes necessary, CPL will verify that the providers provide adequate guarantees, as required by Article 46 GDPR 679/2016.
In this specific case, subscribing to the mailing list may require data sharing with the MailChimp platform, owned by “The Rocket Science Group LLC” (Atlanta, USA). MailChimp states that it takes appropriate and adequate security measures to protect personal data from loss, misuse, unauthorized access, unlawful disclosure, alteration and destruction; more information on security practices is available at the following link https://mailchimp.com/about/security. In addition, MailChimp incorporates EU standard contractual clauses into its Data Processing Addendum, which is automatically part of its Standard Terms of Use and applies to customer data protected by EU laws, as outlined at the following link https://mailchimp.com/gdpr/ and is certified with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), viewable at the following link https://www.dataprivacyframework.gov/list.
Retention of data
Personal data processed on the basis of consent will be retained and updated until the consent is revoked. The absence of opt-out from communications by the data subject, or the occasional phone call with the same will be considered as behavior that legitimizes the processing.
It should be noted that, with regard to the processing of images collected during events, from the moment of online dissemination of audiovisual material it is likely no longer possible to manage their deletion. However, if the right to be forgotten is exercised, taking into account available technology and implementation costs, CPL takes reasonable measures to ensure the deletion of any link, copy or reproduction of personal data.
Nature of data provision and consequences in case of refusal
The data subject may freely refuse to provide the Controller with any personal data processed on the legal basis of consent. Failure to provide consent inhibits the provision of the relevant service.
The data subject may not refuse to confer to the Controller the personal data necessary to comply with legal regulations.
Revocation of consent
With reference to Article 7 of GDPR 679/2016, the data subject may revoke any consent given at any time; however, processing performed with a legal basis other than consent is lawful and permitted even in its absence.
As part of the events organized or promoted by CPL CONCORDIA, it reserves the right to publish photographs and videos on its websites or other media, always in compliance with the right to report, the right to image and the right to privacy. For this reason, during events, those who do not wish to be immortalized are asked to notify the reception staff so that they can be given information to sit in the designated area, which will not be filmed by the operator, or they can report this directly to the operator in charge of filming. Thereafter, anyone who deems his or her presence within photographs or videos posted on Internet sites or other media under the control of CPL CONCORDIA inappropriate or undesirable may request that his or her image be obscured, or, where good cause exists, that the material about him or her not be used. Such requests should be addressed, by e-mail, to: gdpr@cpl.it
If after the aforementioned publication, the material is downloaded onto smartphones, tablets and personal computers, or published and disseminated on the Internet (personal sites, blogs, social networks, etc.) by third parties other than CPL CONCORDIA, the latter will not be responsible for the transmission of such content on any other site over which it has no control and will therefore not be responsible for the abuse that third parties may possibly make of others’ images. Such content, if any, shall not be considered in any way sponsored, shared or supported by CPL CONCORDIA. However, in the event that the right to be forgotten is exercised, taking into account available technology and the costs of implementation, CPL CONCORDIA shall take reasonable steps to ensure that any link, copy or reproduction of personal data is deleted. Should the interested party consider the presence of his or her personal data and contact information in CPL CONCORDIA’s marketing database undesirable, he or she may request the removal of his or her contact information by addressing the request by e-mail, to gdpr@cpl.it
In any case, should the interested party no longer wish to receive marketing communications and/or follow-up material, or the Newsletter, he/she will always have the option to opt-out.
All useful information and forms are made available by the Data Controller at https://www.cpl.it/en/revocation-of-consent-and-exercise-of-data-subject-rights/