INTRODUCTION

The protection of personal data is an important commitment for RISCO S.p.A. (hereinafter "RISCO" or "Company"). The entry into force of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 "on the protection of natural persons with regard to the processing of personal data and on the free movement of such data" (hereinafter "GDPR") has provided the opportunity to further adapt the activities carried out by the Company to the principles of transparency and protection of personal data, respecting the fundamental rights and freedoms of all data subjects, whether they are employees, collaborators, customers, suppliers or third parties interested in receiving information. RISCO has thus implemented an "Organisational Privacy Model" (MOP), the general guidelines of which are described herein, aimed at analysing all data processing, organising it in a functional way and managing it securely and transparently. This section of the site also contains information on the rights of the data subject and on how to exercise them with respect to the Controller.

INDEX

1 - ORGANISATIONAL GDPR PRIVACY MODEL
1.1 - SUBJECTS
1.2 - RISK ANALYSIS AND MEASURES TO PREVENT PRIVACY RISKS
2 - TRANSPARENCY AND RIGHTS OF THE DATA SUBJECT
2.1 - PERSONAL DATA PROTECTION RIGHTS
2.2 - EXERCISE OF RIGHTS
2.3 - FORMS AND INFORMATION NOTICES

1 - ORGANISATIONAL GDPR PRIVACY MODEL

1.1 - SUBJECTS
DATA CONTROLLER
The Data Controller is:
RISCO S.p.A. (hereinafter also referred to as “CONTROLLER”)
Via della Statistica, n. 2 - 36016 Thiene (VI)
Tel. +39 0445 385911 – fax +39 0445 385900
email: risco@risco.it
Certified email (PEC): risco@cert.assind.vi.it
VAT number and Tax Code: 02162540245

PRIVACY TEAM

The DATA CONTROLLER has deemed it appropriate to appoint an internal "Privacy Team" formed by subjects with legal, organisational and IT skills. The Privacy Team has the task of providing support to the activities of the CONTROLLER.

PARTIES AUTHORISED FOR THE PROCESSING (pursuant to art. 29 GDPR)

The MOP states that each employee/collaborator of the CONTROLLER processes only the data necessary to perform their duties, depending on the internal organisation and in particular on the purposes indicated and proposed to the data subject (so-called "purpose limitation and data minimisation", art. 5 paragraph 1, letters b) and c) of the GDPR). Therefore a segmentation of the processing has been prepared, per homogeneous areas of subjects authorised for the processing, binding the employees/collaborators in charge of each area to a specific area of processing. Each authorised subject has received specific instructions from the CONTROLLER regarding the processing of personal data. To this end, by design, the information system is also made up of "watertight compartments". The employee/collaborator will be able to access only the data necessary to perform their duties from their computer workstation. The designation to the specific processing areas occurs following the careful analysis of the company structure and organisation, as well as the flow of internal and external data to the Company, and is summarised in a specific internal matrix that precisely identifies the scope of processing of each area. The employee/collaborator has also received internal regulations on the use of IT tools and rules of conduct, including ethical, on all the information accessed by virtue of his/her specific task. To effectively ensure compliance with the principles regarding the processing of personal data, the CONTROLLER has also foreseen the provision of training and refresher courses on the subject to its employees/collaborators who, by virtue of their duties, carry out the processing of personal data.

SYSTEM ADMINISTRATORS (INTERNAL AND EXTERNAL)

The CONTROLLER uses computer systems to manage and organise its business. For this reason, attention to the construction of software, to the methods of its use and to the security of data has always been the basis of the CONTROLLER's activity. Individuals with "administrator" privileges within the company are specifically appointed and trained. Specialised external companies that access company data are likewise specifically appointed as External Data Processors and/or External System Administrators pursuant to art. 28 of the GDPR. Suppliers of external IT services are chosen with particular attention to their professional skills, not only technical but also in relation to compliance with data protection, favouring certified companies.

DATA PROCESSORS (pursuant to art. 28 GDPR)

In principle, the CONTROLLER manages almost all processing activities internally. Cases where some activities that involve processing of data on behalf of the CONTROLLER are outsourced to third parties are duly indicated in the individual information notices. In these cases, the relationship with the third party is governed by a specific contract of appointment as "Data Processor" pursuant to art. 28 of the GDPR. The CONTROLLER entrusts this processing to external parties who offer sufficient guarantees to put in place suitable technical and organisational measures to meet the requirements of the GDPR and to guarantee the protection of the rights of the data subjects.
1.2 - RISK ANALYSIS AND MEASURES TO PREVENT PRIVACY RISKS

According to the so-called "accountability" principle, the CONTROLLER must implement a series of measures - organisational, physical, legal, technical and IT-related - aimed at preventing the risk of violation of the rights and personal freedoms of the data subjects. To achieve this goal a constant risk assessment is carried out, depending on the processing, the tools used, the type and the volume of data processed.

RECORD OF PROCESSING ACTIVITIES (pursuant to art. 30 GDPR) AND DATA PROTECTION IMPACT ASSESSMENT (pursuant to art. 35 GDPR)

The MOP provides for a careful and constant analysis of the risks for the processing of personal data, identified for each activity or service provided through a Record of Processing Activities pursuant to art. 30, paragraph 1 of the GDPR. After analysing the processing performed by the CONTROLLER, it is believed that to date there are no activities at such risk as to require a specific impact assessment pursuant to art. 35 of the GDPR (so-called "DPIA"). The analysis of IT risks, of the company's hardware and software infrastructures and of the IT adaptation measures was carried out by our System Administrators with specific tools and checklists, and by an external company specialised in IT security, which carried out a thorough audit with security tests. The outcomes of the survey have allowed our technicians to further improve the measures to protect against cyber attacks and cyber threats, gradually and in proportion to the risk for the rights and freedoms of those concerned.

2 - TRANSPARENCY AND RIGHTS OF THE DATA SUBJECT

2.1 - PERSONAL DATA PROTECTION RIGHTS
The CONTROLLER, in this notice, deems it essential to inform the data subjects of the existence of some rights regarding the protection of personal data, listed below.

  • Right to be informed (transparency in data processing)

    You have the right to be informed of how the CONTROLLER processes your personal data, of the purposes of the processing and of the other information envisaged by art. 13 of the GDPR. To this end, the CONTROLLER has set up organisational processes that allow, at the time of acquisition or request of the personal data, the release of an information model created "ad hoc" depending on the category of data subjects to which the data subject belongs (employee, customer, supplier, etc.). This document allows all parties to whom the data refer to be adequately informed on how the data is processed by the CONTROLLER. The information form can be requested by sending a specific application addressed to the CONTROLLER.

  • Right to withdraw consent (art. 13)
    You have the right to withdraw your consent at any time for all processing the legitimacy of which is an expression of your consent. The withdrawal of consent does not affect the lawfulness of the previous processing.
  • Right of access to the data (art. 15)
    You can request a) the purposes of the processing; b) the categories of personal data in question; c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular if recipients of third countries or international organisations; d) where possible, the foreseen retention period of the personal data or, if not possible, the criteria used to determine this period; e) the existence of the right of the data subject to request that the data controller rectify or erase personal data or limit the processing of personal data concerning him/her or to object to their processing; f) the right to lodge a complaint with a supervisory authority; g) if the data are not collected from the data subject, all information available on their origin; h) the existence of an automated decision-making process, including the profiling referred to in article 22, paragraphs 1 and 4 and, at least in such cases, significant information on the logic used and the importance and expected consequences of such processing for the data subject. You have the right to request a copy of the personal data being processed.
  • Right of rectification (art. 16)
    You have the right to request the rectification of inaccurate personal data concerning you and to have incomplete personal data completed.
  • Right to erasure (right to be forgotten) (art. 17)

    You have the right to obtain from the data controller the erasure of personal data concerning you if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, if you withdraw consent, where there are no overriding legitimate grounds for the processing, if the data are being processed unlawfully, if there is a legal obligation to erase them; if the data relate to web services provided to minors without the relative consent. The erasure can occur unless the right to freedom of expression and information prevails, if the data are kept for the fulfilment of a legal obligation or for the performance of a task carried out in the public interest or in the exercise of public powers, for reasons of public interest in the health sector, for purposes of archiving in the public interest, for scientific or historical research or for statistical purposes or for the establishment, exercise or defence of a right in court.

  • Right to restriction of processing (art. 18)
    You shall have the right to obtain from the controller restriction of processing when you have contested the accuracy of the personal data (for a period enabling the controller to verify the accuracy of the personal data) or if the processing is unlawful but you oppose the erasure of the personal data and request the restriction of their use instead, or the Controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims.
  • Right to data portability (art. 20)
    You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you have the right to transmit those data to another controller, if the processing is based on consent, on the contract and if the processing is carried out by automated means, unless the processing is necessary for the performance of a task carried out in the public interest or in connection with the exercise of official powers and such transmission does not infringe the rights of third parties.
  • Right to object (art. 21)
    You have the right to object, in whole or in part, at any time to the processing of your personal data if the processing is carried out for the pursuit of a legitimate interest by the Controller or for the purposes of direct marketing.
  • Right to lodge a complaint to the Italian Personal Data Protection Authority (art. 77)
    Without prejudice to any other administrative or judicial remedy, if you deem that the processing regarding you infringes the regulation on the protection of personal data, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State in which you habitually reside, work or where the alleged infringement occurred.

2.2 - EXERCISE OF RIGHTS

For the actual exercise of your rights you can ask the CONTROLLER for information, or fill out the access forms that we have made available below.

2.3 - FORMS AND INFORMATION NOTICES

1) Below is a draft document to be completed for the practical exercise of the rights of the data subject. The form can be sent to the CONTROLLER to the addresses above, in accordance with current legislation.

Form to be printed and filled in, specifying the requested right

2) Information notices: