INFORMATION ON THE PROCESSING OF PERSONAL AND SENSITIVE DATA OF EMPLOYEES, SUPPLIERS AND VISITORS FOR THE PURPOSE OF PREVENTING THE CONTAGION OF COVID-19
Pursuant to art. 13 and ss. of EU Regulation 2016/679 and in relation to your personal data of which Sofito S.r.l. will come into possession, we inform you of the following:
1. Data Controller
The data controller is SOFITO S.r.l. (VAT number 11177490015) with registered office in Via XX Settembre n. 31, 10121 – Turin (TO), in the person of its pro tempore legal representative.
2. Data processed
The Data Controller may process the following data of each employee and visitor who intends to access the company premises:
3. Purpose and legal basis of the processing
The purpose of the treatment is the prevention of the contagion of COVID-19.
The collection and processing of personal data of employees and any other visitor is carried out:
4. Place of processing
The data are processed and stored in the headquarters of the owner.
5. Processing methods
The treatment will be based on principles of correctness, lawfulness, transparency and protection of confidentiality and your rights.
The processing will be carried out in an automated and / or manual form, in compliance with the provisions of art. 32 of the GDPR 2016/679 on security measures, by specifically appointed persons, in compliance with the provisions of art. 29 GDPR 2016/679.
The data of a sensitive nature about the state of health of employees will also be processed in accordance with Legislative Decree 81/08 and other regulations relating to safety and hygiene at work by the competent doctor, who is the owner and autonomously responsible for the sensitive data processed.
6. Data communication
All the data collected may be communicated both in Italy and abroad for the specified purposes to the Health Authorities, the Police Forces, the National Civil Protection Service and public and private structures operating within the National Health Service, as well as to all other subjects institutionally authorized to process personal data that are necessary for the performance of the functions attributed to them in the context of the emergency caused by the spread of COVID-19.
7. Data retention times
We point out that, in compliance with the principles of lawfulness, purpose limitation and data minimization, pursuant to art. 5 GDPR 2016/679, your personal data will be kept for the period of time necessary to achieve the purpose of containing the spread of COVID-19, as well as for compliance with legal obligations and requirements.
8. Data provision and possible refusal
The provision of data is mandatory as required by legal obligations and therefore any refusal to provide them, in whole or in part, allows the Owner to deny access to the premises.
9. Transfer of data abroad
Personal data may be transferred outside the national territory to countries located in the European Union, or even outside the European Union, if required for reasons of public interest, or if it is necessary for the achievement of the purpose of preventing the contagion of the COVID-19, to fulfill legal obligations, as well as to safeguard vital interests. With reference to transfers outside the territory of the European Union to countries not considered adequate by the European Commission, the Data Controller adopts suitable and appropriate security measures to protect the personal data received, in accordance with the applicable legislation and in particular with Articles 45 and 46 of the GDPR.
RIGHTS OF THE INTERESTED PARTY
Right of access
The interested party has the right to ask the data controller for access to their personal data. Upon request, the data controller provides a copy of the personal data being processed. In case of further copies requested by the interested party, the data controller may charge a fee based on administrative costs. If the interested party submits the request by electronic means, and unless otherwise indicated by the interested party, the information is provided in a commonly used electronic format.
Right of rettification
The interested party has the right to obtain from the data controller the correction of inaccurate personal data concerning him without undue delay.
Taking into account the purposes of the processing, the interested party has the right to obtain the integration of incomplete personal data, also by providing an additional declaration.
Right to cancellation (“right to be forgotten”).
The interested party, with the exception of the cases provided for by Article 17, paragraph 3, of EU Regulation 2016/679, has the right to obtain from the data controller the cancellation of personal data concerning him without undue delay and the data controller has the obligation to delete personal data without undue delay, if there is one of the cases provided for in Article 17, paragraph 1, of EU Regulation 2016/679 pursuant to art. 5 Federal Data Protection Act (LPD).
Right to limitation of treatment.
The interested party has the right to obtain from the data controller the limitation of the processing using one of the hypotheses referred to in art. 18 of EU Regulation 2016/679.
Right to object to processing.
The interested party has the right to object at any time, for reasons related to his particular situation, to the processing of personal data concerning him pursuant to Article 6, paragraph 1, letters e) or f) of EU Regulation 2016/679.
The data controller refrains from further processing personal data unless he demonstrates the existence of compelling legitimate reasons for proceeding with the processing that prevail over the interests, rights and freedoms of the data subject or for the assessment, exercise or the defense of a right in court.
Right to data portability.
The interested party has the right to receive in a structured format, commonly used and readable by an automatic device, the personal data concerning him provided to a data controller and has the right to transmit such data to another data controller without impediments from part of the data controller to whom it provided them only in the cases provided for by law and without affecting the rights and freedoms of others.
Revocation of consent.
If the processing is based on art. 6, paragraph 1, letter a), or on art. 9, paragraph 2, letter a) of EU Regulation 2016/679, the interested party has the right to withdraw the consent given at any time without prejudice to the lawfulness of the processing based on the consent given prior to the revocation.
Right of complaint.
The interested party has the right to lodge a complaint with the supervisory authority.
The interested party can exercise his rights with a written request sent by registered letter with return receipt to the registered office of the owner or by certified e-mail to firstname.lastname@example.org.
This information does not replace, but integrates, any information provided previously. In case of conflict, the provisions contained in this document prevail over the previous ones.