INFORMATION REGARDING THE PROCESSING OF PERSONAL DATA
OF THE INTERESTED PARTY PURSUANT TO ART. 13 OF REGULATION (EU) 2016/679 ("GDPR").

General Privacy Notice Mod. 1 - 24 SEPTEMBER 2019
For any information and / or exercise of rights, please contact: HELLO@EXSAFE.IT


This information may be subject to changes following the introduction of new rules or following new treatments that the Data Controller could put in place. We therefore ask you to periodically visit the website www.exsafe.it in the "General privacy information" section for updates.

HOLDER OF THE TREATMENT
art. 24 GDPR
The following subject is the one who determines the purposes and means of the processing, monitors the security of the data and responds to requests for clarification and / or exercise of the rights of the interested party:
EXSAFE S.R.L.
with registered office in P.zza Marconi n. 25/1 in 45014 Porto Viro (RO), with VAT number 01394280299 (hereinafter "Data Controller" or "Owner"). For any information and / or exercise of rights, please contact the email address indicated in the epigraph or send a registered letter with return receipt to the address of the registered office.
RESPONSIBLE FOR THE TREATMENT
art. 28 GDPR
The following subjects are those who carry out, on behalf of the Data Controller, certain treatments:
- Accountant, who could process personal data of the interested party for tax and accounting purposes;
- IT company, which may process personal data of the interested party at the time of assistance, maintenance and updating of IT systems;
- Company that provides the CRM, which could process the personal data of the interested party when stored in the aforementioned software;
- Company that deals with marketing, which may process the data of the interested party at the time of the execution of the email marketing service;
- Software house that manages the EXSAFE platform, which could process the data at the time of assistance, maintenance and / or updating of the system.
All the aforementioned subjects have guaranteed adequate security measures for data protection. The updated list of data processors can be requested at any time by contacting the email address indicated in the epigraph.
PERSONS IN CHARGE / AUTHORIZED
art. 29 GDPR
The data are disclosed to the following subjects, as they carry out, under the direction and control of the Data Controller, certain treatments: employees of the company in charge of managing the EXSAFE platform, of the administrative and commercial sector; external collaborators (such as engineers). These subjects have received adequate instructions to correctly process the data of natural persons. For more information on these subjects, please contact the email address indicated in the epigraph.
COMMUNICATION TO OTHER SUBJECTS
art. 13 par. 2 lett. e) GDPR
The data could be disclosed to the following subjects to comply with contractual or legal obligations: to banking institutions (for example) for the fulfillment of payment obligations arising from the contract; to insurance institutions in the event of accidents / claims; to public bodies where required by law; to lawyers, law enforcement agencies, judicial authorities (for example) in the case of the commission of offenses, contractual breaches, or other legally relevant facts caused by the interested party. In any case, the data provided will be communicated to the employees of the Data Controller or to subjects formally appointed as Data Processors.
PURPOSE OF THE TREATMENT
art. 13 par. 1 letter c) GDPR
LEGAL BASIS OF THE PROCESSING
art. 13 par. 1 letter c) GDPR
DATA RETENTION PERIOD
art. 13 par. 2 lett. a) GDPR
For what reasons / purposes does the Data Controller process the data of the interested party? What justifies this treatment? How long will the Data Controller keep the data of the interested party?
TREATMENTS TOWARDS CUSTOMERS OR PARTNERS
Estimates, stipulation and execution of the contract.
The data provided by the Customer will be used for the preparation of the estimate, for the drafting of the contracts, for the execution of the same, for the insertion of personal data in the computer databases, for the issuance of tax documents, as well as for the compliance and fulfillment of any other aspect relating to the contractual relationship. For example, the data provided by the Customer will be processed to contact the Customer via telephone / email / pec, to prepare all the documentation necessary for the execution of the contract, to carry out any other fulfillment connected to the pre-contractual or contractual relationship in place.
The data provided by the Customer (such as name, surname, telephone, email, company name, registered office, VAT number, other than the "sensitive" data listed in art. 9 par. 1 of the GDPR) will be treated on the basis of art. 6 par. 1 letter b) of the GDPR, i.e. for the execution of pre-contractual or contractual measures adopted at the request of the interested party. In the case of not accepted estimates, the data will be immediately deleted only in the case of objective disinterest of the interested party regarding the continuation of the relationship; in other cases, the data will be kept until the interested party expresses an interest in staying in contact with the Data Controller, for the stipulation of any future contracts.
Instead, except for what will be said regarding the treatment for the purpose of "Verification, exercise or defense of rights", in the case of stipulation of the contract, the Data Controller retains the data provided for a maximum period of 10 years from the termination of the contract with the Customer, and this for fiscal, accounting and legal needs to which the Owner is subject by law.
TREATMENTS TOWARDS SUPPLIERS
Estimates, stipulation and execution of the contract.
The data provided by the Supplier will be processed to evaluate the opportunity of stipulating the contract or for the stipulation of the service supply contract. The Data Controller will use the data provided to contact the supplier by telephone, to send him messages via email or through another system, to carry out any other fulfillment / activity related to the contract.
The data provided by the Supplier (such as name, surname, address, professional domicile, tax code, company name, VAT number, registered office, other than the "sensitive" data listed in art. 9 par. 1 of the GDPR) will be processed on the basis of art. 6 par. 1 letter b) GDPR, i.e. for the execution of pre-contractual or contractual measures adopted at the request of the interested party. In case of non-acceptance of the quote presented by the supplier, the data will be kept by the Data Controller for a maximum period of one year and this to evaluate the opportunity to stipulate the contract at a later time.
Instead, in the case of stipulation of the contract, the data will be kept for a maximum period of 10 years from the termination of the effects of the contract and this for fiscal, accounting and legal needs to which the Data Controller is subject by law.
TREATMENTS TO CUSTOMERS, PARTNERS AND SUPPLIERS.
Legislative obligations.
The data provided by the interested party will be used for the fulfillment of legislative obligations (for example of a fiscal and / or accounting nature) provided for by national, European or supranational legislation.
What legitimizes this data processing is the fulfillment of a legal obligation to which the Data Controller is subject (Article 6 paragraph 1 letter c) of the GDPR). The terms of conservation depend on the standard applied by the Data Controller at the time of processing.
TREATMENTS TOWARDS CUSTOMERS, PARTNERS, POTENTIAL CUSTOMERS AND SUPPLIERS.
Establishment, exercise or defense of rights.
The data provided by the interested party will be processed, if necessary, also for the assessment, exercise or defense of the rights of the Data Controller in court.
What legitimizes this processing is the legitimate interest of the Data Controller (Article 6 par. 1 letter f) of the GDPR). In fact, if a dispute / litigation / dispute arises between the interested party and the Data Controller, the latter will be entitled to process the data of the interested party to assert his reasons. The Data Controller keeps the data of the interested party for this purpose only if there is a reasonable probability of having to take legal action.
Sending of "Newsletters" or communications on "Marketing".
The data provided will also be processed for sending advertising material or commercial communications, offers and promotions, direct sales, or for carrying out market research or opinion polls (hereinafter defined as a whole, as communications for "Marketing"), or for sending news and updates relating to the Data Controller's work sector (hereinafter referred to as a whole as "Newsletter").
The legal basis is:
1) in the consent (optional) pursuant to art. 6 par. 1 letter a) GDPR of the interested party. It should be noted that the consent collected for carrying out the processing with "automated systems" legitimizes the Data Controller to use the same data also for carrying out communications using the "traditional systems" (see "Processing methods"). In any case, the interested party has the right to oppose any unwanted processing method (for example, by expressing his will to only receive communications via email);
2) in art. 130 paragraph 4 new Privacy Code, but only in the case of processing via e-mail and for sending communications relating to services similar to those already "sold" to the Customer;
3) in the legitimate interest pursuant to art. 6 par. 1 letter f) (in combination with Recital n.47 GDPR) when the interested party expects such processing by the Data Controller and this does not affect his rights and freedoms.
4) in the case of processing of communications carried out with a telephone operator, such processing is precluded from the interested party who was registered in the Register of Oppositions.
1) In the case of consent, the data will be kept for this purpose until the consent is withdrawn pursuant to art. 7 GDPR. The withdrawal of consent does not affect the lawfulness of the processing based on consent before the withdrawal;
2) - 3) instead, in the case of processing carried out pursuant to art. 130 paragraph 4 new Privacy Code and art. 6 par. 1 letter f) the data will be kept for this purpose until the opposition pursuant to art. 21 GDPR by the interested party, to be asserted from the beginning of the treatment or during its protraction.
TREATMENTS TOWARDS USERS OF THE INSTITUTIONAL WEBSITE AND THE RISK MANAGEMENT PLATFORM
The Data Controller has an institutional website (with e-commerce) and a special platform for the provision of the Risk Management service. The website, like the platform, could provide for the use of data collection forms, embed systems, cookies that determine the processing of the personal data of the interested parties. For more information on the treatments that are carried out using the aforementioned tools, click on the link called PRIVACY WEBSITES published on the website www.exsafe.it and within the Risk Management platform.
TREATMENTS TOWARDS CANDIDATES
Screening of professional profile for recruitment purposes. The following data will be processed by the Data Controller to examine the professional profile of the candidate in view of his hiring: name, surname, email, telephone, training course, tax code, other data also referable to minors if the candidate is under 18 years old. The interested party is advised not to indicate data of a "sensitive nature" (those listed in Article 9 of EU Reg. 679/2016, such as, for example, health data, data relating to political orientation, criminal convictions, etc.), unless this is strictly necessary. Data of a judicial nature will not be processed in any way (Article 10 of the GDPR), therefore the interested party is obliged not to provide them.
If the candidate provides his "public social network profile" (such as that of Facebook, Instagram, LinkedIn, other), the data entered will be processed by the Data Controller only where necessary and relevant for the execution of the work to which the candidate's application is addressed (example: if the candidate proposes himself as a social media manager and has a social profile useful for promoting his aptitudes / abilities, then the Data Controller may lawfully process the aforementioned data). No social profile (not even public) used by the interested party for mere private purposes will be considered by the Data Controller, therefore the interested party is requested not to enter this information in his CV.
The processing is lawful as it is carried out for the execution of pre-contractual measures adopted at the request of the interested party (pursuant to Article 6 par. 1 letter b) GDPR). In fact, the sending of one's CV or other data relating to the professional / working sphere - and the subsequent screening of the profile by the Data Controller - has the purpose of determining whether or not the employment relationship is established. In any case, the consent at the bottom of the CV must be issued in the event that the interested party decides to provide the Data Controller also with data of a "sensitive nature" ("I give my explicit consent to the processing of 'sensitive' data that I provide through this CV", with indication of the date and your signature).

In addition to the general rules on communications to third parties: if the CV is sent spontaneously by the interested party, then his personal data will not be disclosed to third parties.
On the other hand, in the event that the CV was sent by the interested party following the response to a job advertisement published by the Data Controller through the website of a third company or through the help of employment agencies, then such third-party companies could process the data of the candidate. If necessary, these third parties will be instructed to treat the candidate's data with care.
The retention period depends on whether or not the employment relationship is established. In fact, in the event that the Data Controller is not interested in the profile, he will immediately delete the candidate's data. On the other hand, in the case of interesting but not necessary profiles at the time of presentation, the Data Controller will keep the data for a maximum period of 15 months. Finally, in the case of stipulation of the employment contract with the candidate, the Data Controller will keep the data of the new employee in accordance with the provisions of the "Information for employees" that will be provided for this purpose.
LIST OF TREATMENTS
METHOD OF TREATMENT
art. 13 GDPR
COMPULSORY PROVISION OF DATA
art. 13 par. 2 lett. e)
With what systems does the Data Controller carry out this treatment? Is the interested party obliged to provide their data to the Data Controller? Consequences in case of failure to provide.
Estimates, stipulation and execution of the contract. Processing carried out using IT systems (for example with the use of email, pec, telematic platform, management systems, other) and paper systems (for example, by printing documents, paper mail, other). The interested party is not obliged to provide the data, however failure to provide it makes it impossible to stipulate the contract with the Data Controller.
Legislative obligations. The system depends on legal obligations; in fact, it is sometimes the legislative discipline that provides for the methods of carrying out the processing (see, for example, on electronic invoicing). No relief.
Establishment, exercise or defense of rights. Processing carried out using IT systems (for example with the use of email, pec, telematic platform, management systems, other) and paper systems (for example, by printing documents, paper mail, other). Sometimes, the system depends on legal obligations (see PCT). No relief.
Sending communications on "Marketing" or "Newsletter". Communications relating to "Marketing" or the "Newsletter" are made through "automated" systems (such as, for example, by email, fax, text message, telephone calls without the aid of an operator, social networks, interactive applications, push notifications, messages via WhatsApp or other similar messaging tools) and through "traditional" systems (such as, for example, by paper mail and / or calls with an operator). It should be noted that the consent collected for the processing with "automated systems" legitimizes the Data Controller to use the same data also for carrying out communications using "traditional systems". In any case, the interested party has the right to oppose any unwanted processing method (for example, by expressing their desire to only receive communications via email). The provision of personal data for this purpose is not mandatory, however: in the event of failure to provide data to receive marketing communications, the interested party will not be able to collect more information on the activity and services performed by the Data Controller, other; on the other hand, in the event of failure to provide data to receive newsletters, the interested party will not be able to know news and information regarding the Data Controller's sector of work.
Screening of professional profile for recruitment purposes. This treatment is carried out with computer systems (email, use of personal computers and other management systems, other) and paper (with printing of the CV). The provision of such data is not mandatory, however the omission of all or even only some of the aforementioned data does not allow the Data Controller to evaluate the proposal coming from the candidate.
DIFFUSION AND TRANSFER OF DATA TO COUNTRIES NOT BELONGING TO THE EUROPEAN UNION OR TO INTERNATIONAL ORGANIZATIONS
art. 13 par. 1 lett. f)
The Data Controller does not disclose the data of the interested party but could transfer them to non-EU countries. In the case of transfers, the Data Controller guarantees the application of the rules referred to in articles 44 and following of the GDPR. For any information, please contact the email address already reported.
RIGHTS OF THE INTERESTED PARTY - COMPLAINT TO THE SUPERVISORY AUTHORITY
What are the rights of the interested party who has given their data to the Data Controller?
The interested party - i.e. the person who makes his / her personal data available to the Data Controller - is the owner of the following rights:
- the right of the interested party to ask the owner for access to personal data, i.e. to know which data the owner processes (Article 15 of the GDPR);
- the right to obtain rectification, i.e. the right to have their data modified if they have changed (Article 16 of the GDPR);
- the right to limit the processing that concerns him, i.e. to limit the use of data by the data controller (Article 18 of the GDPR);
- the right to object, for legitimate reasons, to their treatment (Article 21 of the GDPR);
- the right to data portability, i.e. the right to receive all personal data processed by the owner in a structured and readable format on an IT support (Article 20 of the GDPR);
- the right to request the cancellation of their data from the owner (Article 17 of the GDPR);
- the right to revoke the explicit consent previously given at any time, without prejudice to the lawfulness of the processing carried out up to that moment (Article 7 - 13 GDPR);
- the right to lodge a complaint with the Guarantor for the protection of personal data in the event of violations of the law (Article 77 of the GDPR).
Requests can be addressed to the Data Controller, without formalities, at the following address: HELLO@EXSAFE.IT
SIGNATURE COLLECTION FORM
Data controller: EXSAFE SRL with registered office in P.zza Marconi n. 25/1 in 45014 Porto Viro (RO), with VAT number 01394280299
General Privacy Notice Mod. 1/20 JUNE 2019 MAY