The protection of personal data represents for V.T.N. EUROPE S.p.A. an important commitment.
The entry into force of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 “on the protection of individuals with regard to the processing of personal data and on the free movement of such data” (hereinafter “GDPR”) has provided the opportunity to further adapt the activities carried out by the Company to the principles of transparency and protection of personal data, in compliance with the fundamental rights and freedoms of all those involved, whether they be employees, cooperators, customers, suppliers or third parties interested in receiving information.
VTN has thus implemented a “Privacy Organisational Model” (MOP) that is described here in its general lines, aimed at analysing all data processing, organising them in a functional way and managing them in safety and transparency. This section of the site also contains information on the rights of the data subject and the procedures for exercising them towards the Data Controller.
VTN EUROPE S.p.A.
Via Dell’Artigianato, 41-43
Cagnano di Poiana Maggiore, Vicenza, Italy.
VAT Code 02366720247
The CONTROLLER has decided to appoint an internal “Privacy Team” made up of persons with organizational, technical and computer skills.
The Privacy Team has the function of supporting the activities of the CONTROLLER.
PERSONS AUTHORISED TO DATA PROCESSING (pursuant to the provisions of Art. 29 GDPR)
The MOP provides that each employee / collaborator of the CONTROLLER processes only the data necessary to perform their duties, in accordance with the internal organization and especially the purposes indicated and proposed to the data subject (the so-called principles of “purpose limitation and data minimization”, Art. 5, paragraph 1, letters b) and c) of the GDPR). The processing has therefore been segmented into homogeneous areas of persons authorised to process data, linking the employees/collaborators in charge of each area to a specific area of processing. Each authorised person has received specific instructions from the CONTROLLER regarding the processing of personal data. For this purpose, by design, the information system also consists of ‘watertight compartments’. The employee/cooperator may only access the data necessary to carry out their duties from their own IT workstation. Designation to specific processing areas takes place after careful analysis of the company’s structure and organisation as well as the flow of data inside and outside the Company, and is summarised in a special internal matrix that precisely identifies the scope of processing of each area.
The employee/cooperator has also received internal regulations on the use of IT tools and rules of conduct, including ethical ones, on all the information that he accesses by virtue of his specific duties.
In order to effectively ensure compliance with the principles regarding the processing of personal data, the CONTROLLER has also provided training and refresher courses on the subject to its employees/cooperators who, by virtue of their duties, carry out processing of personal data.
SYSTEM ADMINISTRATORS (INTERNAL AND EXTERNAL)
The CONTROLLER uses information systems to manage and organize its activities. For this reason, attention to the construction of software, the way of using it and the security of data have always been the basis of the activities of the CONTROLLER. Persons with “administrator” privileges within the company are specifically appointed and trained. Other external specialized companies that have access to company data are also specifically appointed as External Managers and/or External System Administrators pursuant to art. 28 of the GDPR.
The suppliers of external IT services are chosen with particular attention to their professionalism, not only technical, but also in relation to respect and protection of data, giving priority to certified companies.
DATA PROCESSORS (Art. 28 GDPR)
As a rule, the CONTROLLER manages almost all treatment activities internally. The cases of outsourcing to third parties of some activities that involve the processing of data on behalf of the CONTROLLER are appropriately indicated within the individual information. In these cases, the relationship with the third party is governed by a contract of appointment as “Data Processor” pursuant to art. 28 of the GDPR.
The CONTROLLER entrusts this processing activity to external entities with sufficient guarantees to implement appropriate technical and organisational measures to meet the requirements of the GDPR and to ensure the protection of data subjects’ rights.
RISK ANALYSIS AND PREVENTIVE MEASURES FOR PRIVACY RISKS
According to the principle of so-called “accountability”, it is the responsibility of the CONTROLLER to implement a series of measures – organizational, physical, legal, technical and computer processing – aimed at preventing the risk of violation of the rights and personal liberties of the data subjects. In order to achieve this objective, a constant risk analysis is carried out, depending on the processing operations, the instruments used, and the type and amount of data processed.
RECORDS OF PROCESSING ACTIVITIES (pursuant to Art. 30 GDPR) AND ASSESSMENT ON THE IMPACT ON DATA PROTECTION (pursuant to Art. 35 GDPR)
The MOP provides for a careful and constant analysis of the risks for the processing of personal data, identified for each activity or service provided through a Record of Processing Activities pursuant to the provisions of Art. 30, paragraph 1 of the GDPR.
Once the processing activity carried out by the CONTROLLER has been analysed, it is believed that as of today there are no activities at risk such as to require a specific impact assessment pursuant to art. 35 of the GDPR (the so-called “DPIA”).
The analysis on IT risks and on company hardware and software infrastructures and on IT adaptation measures was carried out both by our System Administrator using specific tools and checklists and by an external company specialised in IT security, which carried out an in-depth audit with security tests. The results of the investigation allowed the technicians to further improve the measures to protect against cyber attacks and cyber threats, gradually and proportionately to the risk to the rights and freedoms of the data subjects.
TRANSPARENCY AND RIGHTS OF THE DATA SUBJECT
2.1 RIGHTS ON THE PROTECTION OF PERSONAL DATA
The CONTROLLER, also here, considers it fundamental to inform the data subjects of the existence of certain rights regarding the protection of personal data, listed below.
- Right to be informed (transparency in data processing)
The data subject has the right to be informed about how the CONTROLLER processes his or her personal data, for what purposes, and about the other information provided for by Art. 13 of the GDPR. To this end, the CONTROLLER has set up organizational processes that allow, when acquiring or requesting personal data, the release of an information letter created “ad hoc” according to the category of data subjects to which the person belongs (employee, customer, supplier, etc.). This document makes it possible to adequately inform all the subjects to whom the data refer about how the processing by the CONTROLLER is carried out. The information letter model can be obtained by a specific request addressed to the CONTROLLER.
- Right to revoke consent (Art. 13)
You have the right to revoke your consent at any time for all processing operations in which the prerequisite for lawfulness is your expression of consent. Withdrawal of consent shall not affect the lawfulness of the previous processing.
- Data access rights (Art. 15)
You can request: a) the purpose of the processing; b) the categories of personal data in question; c) the recipients or the categories of recipients to which personal data have been or will be disclosed, in particular if in foreign countries or international organisations; d) where possible, the envisaged period for which the personal data will be kept or, if this is not possible, the criteria used to determine this period; e) the existence of the right to have the controller correct or erase the personal data or limit the processing of personal data relating to you or to object to their processing; f) the right to lodge a complaint with a supervisory authority; g) if the data are not collected from the data subject, all the information available on their origin; h) the existence of an automated decision-making process, including profiling as provided for in Article 22, paragraphs 1 and 4, and, at least in such cases, meaningful information on the logic used, as well as the envisaged importance and consequences of such processing for the data subject. You have the right to request a copy of the personal data being processed.
- Right of rectification (Article 16)
You have the right to request the rectification of personal data relating to you which are inaccurate and to obtain the integration of incomplete personal data.
- Right to be forgotten (Art. 17)
You have the right to obtain from the data controller the erasure of personal data concerning you if the personal data are no longer necessary for the purposes for which they were collected or otherwise processed, if you withdraw your consent, if there is no prevailing legitimate reason for proceeding with the profiling processing, if the data were processed unlawfully, if there is a legal obligation to erase them, or if the data relate to web services provided to minors without your consent. Deletion may occur unless the right to freedom of expression and information prevails, or unless the data are retained for the fulfilment of a legal duty or for the performance of a task carried out in the public interest or in the exercise of official authority, for reasons of public interest in the field of health, for purposes of public record keeping, scientific or historical research or for statistical purposes, or for the assessment, exercise or defence of a right in legal proceedings.
- Right to limitation of processing (Art. 18)
You have the right to obtain from the Data Controller the limitation of the processing when you have complained about the accuracy of personal data (for the period necessary for the Data Controller to verify the accuracy of such personal data) or if the processing is unlawful, but you object to the cancellation of personal data and instead request that its use be restricted or if it is necessary for the assessment, exercise or defence of a right in court, while for the Data Controller they are no longer necessary.
- Right to portability (Art. 20)
You have the right to receive the personal data you provide us with in a structured, commonly used and machine-readable format and to pass them on to another person if the processing was carried out on the basis of consent or a contract and if the processing was carried out by automatic means, unless the processing was necessary for the performance of a task carried out in the public interest or in the exercise of official authority, and the rights of third parties were not violated by such transmission.
- Right to object (Art. 21)
You have the right at any time to object, in whole or in part, to the processing of your personal data if the processing is carried out in pursuit of a legitimate interest of the Controller or for purposes of direct marketing.
- Right of access to the Supervisory authority for personal data protection (Art. 77)
Without prejudice to any other administrative or judicial remedy, if you consider that the processing relating to you is in breach of the Regulation on the protection of personal data, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State where you have your habitual residence, employment or the place where the alleged breach occurred.
EXERCISE OF RIGHTS
For the effective exercise of your rights you can request information from the CONTROLLER, or fill out the access forms that we provide below.