Privacy Policy on the processing of personal data
FAPIM S.p.A., as Data Controller of your personal data, in the person of its legal representative, pursuant to and for the purposes of Regulation (EU) 2016/679 (GDPR), hereby informs you that the aforementioned legislation provides for the protection of persons and other subjects with respect to the processing of personal data and that such processing will be based on the principles of correctness, lawfulness, transparency and protection of your privacy and your rights.
Your personal data will be processed in accordance with the legislative provisions of the above-mentioned legislation and the confidentiality obligations provided for therein.
Purpose of processing: in particular, your data will be processed for purposes related to the implementation of the following obligations, relating to legislative or contractual obligations:
• Access register:
o Services for the organization of guided tours at the premises used as museums, at production plants or at company offices;
o In the case of registers of minor participants, these are compiled and provided by the teaching staff responsible for the school group or by their parents;
o Control services for security purposes and legal or contractual obligations;
o Security reasons in order to be able to verify, at any time, the presence of external persons within the company structure.
• Video surveillance:
o Control services for security purposes and protection of company assets;
o Complementary measure aimed at improving company security and facilitating the possible exercise, in civil or criminal proceedings, of the right of defense of the data controller or third parties on the basis of images useful in the event of unlawful acts;
o The cameras are positioned outside the company buildings and indicated by suitable signage;
o Such data will be consulted by the Data Controller in the event of investigations following a crime.
• Internet network for visitors:
o The Internet network has been divided to allow company guests to surf online, without interfering with the activities carried out by other workers. This network is protected and can be accessed with your own device after entering a password, provided by company staff;
o The processing of personal data, relating to network access or navigation logs (e.g.: sites visited via IP address), will be carried out only in the event of anomalies in connectivity and any danger to the company’s IT security, and will be communicated to the interested party.
The processing of data functional to the fulfillment of these obligations is necessary for the correct management of the relationship, and the provision of such data is mandatory to implement the purposes indicated above. The Data Controller also informs you that any failure to communicate, or incorrect communication of, any of the mandatory information may make the Data Controller unable to guarantee the appropriateness of the processing itself.
For the purposes of the indicated processing, the Data Controller may become aware of data defined as special, or sensitive or judicial in accordance with privacy legislation, when necessary for the purposes specified above, and in particular:
• Photographs or recordings, which could reveal the behavior and habits of the interested party;
• Health data, relating to the correct management of the pandemic.
Your personal data may also, with your consent, be used for the following purposes:
• Sharing of personal data, photos and/or videos on the company website and social page. The collection and sharing of this data will only occur following the expression of explicit consent.
The provision of data is optional for you with regard to the aforementioned purposes, and any refusal on your part to allow processing does not compromise the continuation of the relationship or the appropriateness of the processing.
Methods of processing: your personal data may be processed in the following ways:
• Assignment to third parties in the event of investigations by the competent authorities;
• Processing by means of paper archives (attendance registers and self-certifications);
• Processing by means of electronic devices (consultation of video recordings or system logs).
All processing takes place in compliance with the methods set out in Chapter II of Regulation (EU) 2016/679.
Communication: your data will be stored at our headquarters and will be communicated exclusively to the competent subjects for the performance of the services necessary for the correct management of the relationship, with a guarantee of protection of the rights of the interested party.
Your data will be processed only by personnel expressly authorized by the Data Controller and, in particular, by the following categories of persons in charge:
• Management and secretariat;
• Reception Manager;
• Reception and switchboard staff;
• IT managers and staff;
• other dependent personnel within the limits of the tasks received and as provided for by company procedures.
Your data may be communicated to third parties, in particular to:
• Firefighters and other competent bodies in the event of an emergency within the premises;
• Company responsible for the maintenance of the video surveillance system;
• Company responsible for the supervision and protection of company assets;
• ASL and competent authorities in matters of management of health emergencies;
• Other third-party subjects and entities, authorized by the company, for the management of the personal data described.
The personal data will not be processed by third-party companies, appointed and verified as External Data Processors, except for particular technical needs. The Data Controller assumes responsibility for verifying the compliance of the aforementioned subjects with national and European legislation on the processing of personal data.
Dissemination: the data, without prejudice to the absolute prohibition on disseminating data suitable for revealing the state of health, following the collection of explicit consent, may be disseminated to:
• Publication on the internet or advertising material (personal data and any photograph/video).
Conservation: the registers relating to school groups or other users visiting the museum will be compiled by the teacher/manager and delivered to the staff present at the time of entry; the attendance registers are kept daily at the concierge and reception, for 12 months in the company archives. The conservation of the video surveillance recording is limited to a few hours or, at most, to the forty-eight hours following the detection, except for special needs for further conservation in relation to holidays or closure of offices or businesses, as well as in the case in which it is necessary to comply with a specific investigative request from the judicial authority or judicial police. The access logs of the devices connected to the company networks are deleted every 6 months. The COVID-19 risk management forms are stored in a dedicated office for 14 days, as required by law.
Your special data (formerly sensitive) that are processed are only those strictly relevant to the obligations, tasks or purposes described above and will be processed in compliance with the indications contained in the relevant General Authorizations of the Guarantor.
Rights of the interested party
You have the right to obtain from the owner the cancellation, communication, updating, rectification and integration of personal data concerning you. In general, you can also exercise all the rights provided for in Chapter III of the GDPR, Articles 15 to 22, including the right to lodge a complaint with the supervisory authority.
1. The interested party has the right to obtain confirmation of the existence or otherwise of personal data concerning him or her, even if not yet recorded, their communication in an intelligible form and the possibility of filing a complaint with the Supervisory Authority.
2. The interested party has the right to obtain the indication:
a. of the origin of the personal data;
b. of the purposes and methods of the processing;
c. of the logic applied in case of processing carried out with the aid of electronic instruments;
d. of the identification details of the owner, managers and representative pursuant to art. 5, paragraph 2;
e. of the subjects or categories of subjects to whom the personal data may be communicated or who may become aware of them in their capacity as designated representative in the territory of the State, managers or persons in charge.
3. The interested party has the right to obtain:
a. the updating, rectification or, when interested, the integration of data;
b. the cancellation, transformation into anonymous form or blocking of data processed in violation of the law, including data whose retention is not necessary in relation to the purposes for which the data were collected or subsequently processed;
c. certification that the operations referred to in letters a) and b) have been brought to the attention, also with regard to their content, of those to whom the data were communicated or disseminated, except in the case in which such fulfillment proves impossible or involves the use of means manifestly disproportionate to the right protected;
d. data portability.
4. The interested party has the right to object, in whole or in part:
a. for legitimate reasons to the processing of personal data concerning him/her, even if pertinent to the purpose of the collection;
b. to the processing of personal data concerning him/her for the purpose of sending advertising or direct sales material or for carrying out market research or commercial communication.