With the present guidelines Bio Valore World SPA (hereinafter, for the sake of brevity, “BVW” or “Company”) intends to comply with the current legislation on privacy and the protection of personal data, namely the General Data Protection Regulation, Regulation EU 679/2016 (hereafter, for brevity, “GDPR” or “EU Regulation”), applicable from the 25th of May 2018, concerning the protection of individuals with regard to the processing of personal data, as well as the free movement of such data.
The GDPR aims at harmonizing all the privacy laws present within the European Union, strengthening the protection of the data subject’s rights and empowering the Data Controller and the Data Processor.
BVW, therefore, guarantees that the processing of the personal data of which it is the Owner takes place – in accordance with current legislation – in compliance with the fundamental rights and freedoms of the interested party and sensitizing all employees and collaborators.
2. Principles of Treatment
The processing of personal data by the Data Controller is based, pursuant to article 5 GDPR, on compliance with the principles of: lawfulness, accuracy and transparency of the processing towards the interested party; limitation of the purposes of the processing and minimization of data collection, or use of the data as strictly necessary for the pursuit of the purposes of BVW; accuracy of the data with respect to the purposes for which it is processed; temporal limitation of their conservation; integrity and confidentiality of the same; responsibility of the Owner.
In order to facilitate the understanding of these Guidelines, the following definitions apply:
- “Personal data”: any information concerning an identified or identifiable natural person. A natural person is considered identifiable if he or she can be identified, directly or indirectly, with particular reference to an identifier such as the name, an identification number, location data, an online identifier or one or more characteristic elements of his physical, physiological, genetic, psychic, economic, cultural or social identity;
- “Processing”: any operation or set of operations, carried out with or without the aid of automated processes and applied to personal data or sets of personal data, such as the collection, registration, organization, structuring, conservation, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, limitation, cancellation or destruction;
- “Data Controller”: the natural or legal person, public authority, service or other body which, individually or together with others, determines the purposes and means of processing personal data;
- “Data Processor”: the natural or legal person, public authority, service or other body that processes personal data on behalf of the Data Controller;
- “Profiling”: any form of automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning the professional performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements of said natural person;
- “Pseudonymisation”: the processing of personal data in such a way that personal data can no longer be attributed to a specific interested party without the use of additional information, provided that such additional information is stored separately and subject to technical and organizational measures intended to ensure that such personal data are not attributed to an identified or identifiable natural person;
- “Supervisory authority”: the independent public authority established by a Member State pursuant to art. 51 GDPR;
- “Consent of the interested party”: any manifestation of free, specific, informed and unequivocal will of the interested party, with which the same expresses its consent, through unequivocal declaration or positive action, that the personal data concerning him are subject to treatment;
- “Personal data breach”: the security breach that accidentally or unlawfully involves the destruction, loss, modification, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed.
4. Subject of the treatment
These Guidelines identify the following subjects as those involved in the processing of personal data carried out by BVW.
4.1. Owner and registers of processing activities
The Data Controller is Bio Valore World S.p.A. Soc Benefit, based in Via Giulio Pastore n. 18, Industrial Area B, 86039 – Termoli, in the person of its pro tempore legal representative.
Pursuant to art. 24 of the GDPR, the Data Controller implements the appropriate technical-organizational measures to ensure compliance of the treatment with the principles referred to in paragraph 2 of these Guidelines. Article 30, co. 1, of the GDPR requires that each Data Controller and each Data Processor keep a register of the processing activities carried out, specifically containing: the references of the Data Controller, the purposes, the categories of data subjects and the data processed, any recipients if the data are communicated to third parties or transferred abroad, the times – where possible – of their conservation and, finally, a general description of the technical/organizational security measures adopted.
Pursuant to art. 30, co. 5 of the EU Regulation, the obligation to keep the aforementioned register does not apply to companies or organizations with fewer than 250 employees, unless the treatment they carry out may present a risk to the rights and freedoms of the interested party, the processing is not occasional or includes the processing of particular categories of data pursuant to art. 9, co. 1, or personal data relating to criminal convictions and offenses referred to in article 10 of the EU Regulation.
4.2. Responsible for the treatment
Pursuant to art. 28 GDPR, the Data Processors appointed by the Data Controller guarantee the adoption of adequate technical-organizational measures, so that the treatments they carry out on behalf of the Data Controller meet the legitimacy requirements set out in the EU Regulation. The Data Processor cannot process personal data except according to the instructions given by the Data Controller and in the case of particularly complex treatments, it can in turn appoint a sub-manager.
In particular, BVW appoints the lawyer Dario Castrichella as Internal Data Processor, with office in Rome, street address Nicola Ricciotti, 11 (00195 – RM), e-mail: email@example.com.
It should be noted that all external subjects, not employees of the Owner, who carry out treatments on the databases of the same, on his behalf and/or in his interest, are external Data Processors.
The treatments by the Manager (internal or external) of the treatment are governed, pursuant to art. 28 GDPR, by a contract or other legal act that identifies the duration, nature, purpose of the processing, the type of personal data and the categories of data subjects, the responsibilities entrusted to the Manager, the obligations and rights of the Data Controller. The Data Processor (internal or external) keeps, like the Data Controller and where provided, the register of processing activities referred to in art. 30, co. 2, GDPR, carried out on behalf of the owner himself.
4.3. People authorized to data treatment
Pursuant to art. 29 GDPR, BVW as Data Controller, or the Data Processors referred to in paragraph 4.2., identify – with specific appointment documents – as people authorized to process personal data all employees, collaborators, consultants and outsourcers who intervene, in relation to the exercise of their respective duties and competences, in carrying out the treatments.
Hence, people authorized to process personal data act under the authority of the Manager or the Data Controller.
5. Type of treatments and purposes
BVW processes personal data for the pursuit of the purposes related to the execution of the services requested by the website visitor and/or potential user of the services offered by the Company, as well as for the related legal and contractual obligations and for commercial purposes. With particular reference to internet browsing data, these data are used for the sole purpose of obtaining anonymous statistical information regarding the use of the site and checking its correct operation, and they are kept only for the time strictly necessary. The data could also be used to ascertain responsibility in the event of hypothetical computer crimes against the website.
Among the Personal Data collected independently or through third parties, there are: Cookies, Usage Data, Zip Code, Email, Surname, Telephone number and District. Personal data can be entered voluntarily by the User, or collected automatically during the use of the services offered by the Company.
With these Guidelines BVW guarantees that the mentioned treatments are carried out for the purposes strictly connected to the performance of the activities mentioned above, as well as in compliance with the fundamental rights and freedoms of the members / users.
By database we mean a systematically and methodically organized collection of data, consisting of one or more units, located in one or more sites. In particular, BVW uses paper and IT databases.
7. Data Protection Officer (“DPO”)
The Owner designates, pursuant to art. 37 of the GDPR, a Data Protection Officer with proven knowledge of privacy, whose references are communicated to the supervisory authority. BVW appoints the lawyer Francesco Improta as Data Protection Officer, with office in Rome, street address Nicola Ricciotti 11 (00195 – RM), e-mail: firstname.lastname@example.org PEC: email@example.com
Pursuant to art. 39 GDPR and to the act of his nomination, the designated DPO performs the following tasks:
- Informing and advising the Data Controller or Data Processor;
- Monitoring compliance with the legislation on the protection of personal data, including the attribution of responsibility, awareness and training of the figures participating in the treatments;
- Providing opinions if requested;
- Cooperating with the supervisory authority.
8. Rights of the interested party
The interested parties can exercise the rights pursuant to arts. 15-21 of the GDPR and, specifically: the right of access to data, the right to rectification and the right to erasure (“right to be forgotten”), the right to limit their treatment, the right to their portability, as well as the right of opposition to the processing, to be enforced according to the methods indicated in the specific information provided by the Data Controller.
9. Security of treatments
The Data Controller and the Data Processor guarantee, pursuant to art. 32 GDPR, a level of security appropriate to the risk for the rights and freedoms of the data subjects, adopting technical-organizational measures, which include:
- Pseudonymisation and encryption of personal data;
- Ability to permanently ensure confidentiality, integrity, availability, as well as the resilience of systems and treatment services;
- Capacity to promptly restore the availability and access of personal data and, in general, the maintenance of IT systems;
- A procedure to regularly test the effectiveness of the measures taken to prevent and / or face the potential risks of treatment.
BVW, in order to ensure the protection of personal data subject to its processing and compliance with the provisions in force on the matter, adopts with these Guidelines all the precautions and technical and organizational measures possible and proportionate to its reality and activities.
9.1. The Data Protection Impact Assessment (DPIA)
With the impact assessment on the protection of personal data – pursuant to art. 35 of the GDPR – the Data Controller intends to guarantee compliance with the privacy requirements set out in the EU Regulation.
The DPIA is aimed at assessing the impact that a treatment could have on the personal sphere of the interested parties and at reducing the risks related to it. Therefore, it aims to determine whether the treatments that BVW carries out can – and in what terms – affect the fundamental freedoms, rights and dignity of the data subject.
This is a codified process, structured in the following phases:
- Justification of the DPIA: that is, the reasons why the Data Controller considers an impact assessment on the personal data it intends to process necessary;
- Definition of the information flows: that is, of the categories of data being processed, of the users, of the sources and of the final recipients of the data;
- Risk identification: identification – in terms of probability and seriousness – of the threats that could materialize causing damage to the interested party;
- Selection and evaluation of solutions: in order to reduce risk to a so-called acceptable level;
- DPIA report and integration of results.
In light of the Guidelines adopted in April 2017 by the Article 29 Working Group – the EU’s independent advisory body for the protection of personal data – and in compliance with the provision of art. 35 co. 3 EU Regulation, the Data Controller, if it deems it appropriate, carries out the impact assessment for large-scale treatments that affect a large number of data subjects and that involve a high risk connected i) to the introduction of new technologies, ii) to the implementation of profiling or surveillance treatments or iii) the use of particular categories of data. Pursuant to art. 35 co. 7 of the EU Regulation, the impact assessment carried out by the Data Controller involves:
- Systematic description of the treatments envisaged, the purposes and the possible occurrence of a legitimate interest pursued by the owner;
- An assessment of the need and proportionality of the treatments with respect to the predefined purposes;
- Risk assessment for the rights and freedoms of data subjects;
- The organizational and technical measures and any mechanism deemed useful for the protection of the rights of the interested parties;
- Responsibility for the DPIA process remains with the Data Controller, who – if necessary – could also involve company managers, external managers, consultants, outsourcers.
10. Consent of the interested party
Whenever the processing of personal data is not based on the assumptions referred to in art. 6 GDPR and, therefore, requires the express consent of the interested party pursuant to art. 7 GDPR, the holder must keep and register this authorization for processing.
The interested party must be able to know how to give consent and has the right to withdraw it at any time.
Where the collection of personal data refers to a minor under the age of 16, the Data Protection Officer must ensure, prior to the collection, that consent is given by the person exercising parental responsibility.
BVW provides the interested party with the information pursuant to articles 13 and 14 GDPR, containing specific, clear and concise information – both in the case of data collected from the interested party and data collected from third parties – on the treatments that it intends to carry out.
12. Notification of a personal data breach to the supervisory authority
The Data Controller is required to notify, according to the methods set out in art. 33 co. 3 GDPR, any violation of personal data – of which it has become aware directly or upon information of the Data Controller – to the competent supervisory authority pursuant to art. 55 of the EU Regulation, unless the risk is assessed as unlikely for the data subject’s rights and freedoms.
In any case, the Data Controller, in compliance with the principle of accountability, documents any violation, so as to allow the supervisory authority to verify the compliance of the treatment with current legislation.
13. Communication of a violation to the interested party and transparency
BVW also communicates the violation of personal data to the interested party, if this presents high risks for the rights and freedoms of the same and unless the conditions set out in art. 34 co. 3 GDPR apply.
The communication can be contextual to the notification referred to in the preceding paragraph and must contain, at least, the following information:
- contacts of the Data Protection Officer;
- probable consequences of the violation in question;
- the measures taken or to be taken by the Data Controller to remedy the violation.
Failure to comply with the provisions on the protection of personal data is punished with the application of administrative fines, imposed according to the criteria referred to in art. 83 GDPR and, in general, considering the nature, seriousness and duration of the violation, the purposes of the treatment, the number of data subjects affected, the level of damage and the intentional or negligent aspect of the violation. The applicability of criminal sanctions remains, in accordance with the provisions of the relevant national legislation.
15. Final provisions
For anything not expressly provided for in these Guidelines, the provisions of Regulation (EU) 2016/679, as implemented in the law, as well as the provisions of the Guarantor for the protection of personal data apply.
These Guidelines are subject to changes and additions by virtue of any changes in the applicable legislation and based on documented organizational and functional needs of the Company.