On 25/05/2018 the EU Regulation 679/2016 (GDPR) on the processing of personal data comes into force.
- we inform you that, under the new GDPR, GUARRACINO TRADE COMPANY S.R.L. has adjusted its policies and has attached its information form;
- the company, GUARRACINO TRADE COMPANY S.R.L., is authorized to process your personal data exclusively for the purposes set forth in the information form.
The company, GUARRACINO TRADE COMPANY S.R.L., is committed to protecting the privacy of the data subjects and declares its responsibility for the security of customer data. We will be clear and transparent about the information we collect and about what we do with that information.
This information sets out the following:
- Data Administrator;
- The list of personal data processing (Article 30 letter C of the GDPR Regulation);
- The indication of the purposes for which the data is processed (Article 30 letter b) GDPR);
- Processing methods and communications;
- Areas and instruments with which processing is carried out;
- The analysis of the risk incumbent on the data as well as the measures already adopted and/or possibly to be adopted to guarantee the integrity and availability of the data;
- The supervisory criteria towards any external managers;
- Rights of the interested party;
- Declaration of commitment and signature.
The Data Administrator is the company GUARRACINO TRADE COMPANY S.R.L., in the person of the sole Chief Executive Officer or of another subject delegated the necessary authorization of representation.
GUARRACINO TRADE COMPANY S.R.L. is based in Zona Industriale ASI Aversa Nord Centro SINE 81032 Carinaro (CE), VAT no. IT06237151219.
Its duties and responsibilities are defined by Legislative Decree 196/2003 (Privacy Code) and EU Regulation 679/2016.
In particular, the Data Administrator is responsible for identifying the process necessary to carry out company procedures, defining the purposes, methods and nature of the data processed. The Data Administrator is also responsible, based on the Code and the EU Regulation, for the observance of all legal regulations concerning personal data.
The Data Administrator is responsible for defining the security measures implemented and for supervising their application, in order to guarantee, and be able to demonstrate, that the processing is carried out in a manner consistent with the Code and the Regulation. The Data Administrator provides, if necessary, for the appointment of Processing Managers, defining their duties.
Moreover, in accordance with the combined provisions of Articles 33 et seq. of the GDPR and art. 55 of the European Regulation, in case of a personal data breach the Data Administrator notifies the competent supervisory authority of the breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
The updated list of data administrator and data processors is kept at the registered office of the Data Administrator.
List of Personal Data Processing
GUARRACINO TRADE COMPANY S.R.L. processes the data provided in the context of commercial relationships. The company also processes data legitimately supplied by information agencies, creditor protection associations, publicly accessible sources (for example, company registers, association registers, land registry, media) and, possibly, other companies with which it maintains a permanent commercial relationship.
Personal data includes:
The main data/contact details, more precisely:
- as a private customer: name and surname, address, contact details (for example, e-mail address, telephone number, fax), date of birth,
- as a corporate customer or supplier: company name, legal representative, VAT number, company code, address, contact details of the contact person (e-mail address, telephone number, fax), bank details.
The additional data processed is:
- Information relating to the nature and content of business relationships, more precisely information relating to contracts, assignments, sales and receipts, histories of customers and suppliers, consultation documents,
- advertising and sales data,
- documentation data (for example, consultation protocols), images,
- information deriving from electronic transactions with GUARRACINO TRADE COMPANY S.R.L. (for example, IP address, login data),
- any other data received in the context of our commercial relationship (for example, customer interviews),
- data generated based on the main data/contact data and other data analyzing, for example, the needs or potential of customers.
- Documentation of your consent statement to receive, for example, newsletters.
Common data of customers, suppliers, employees, consultants and third parties necessary for the employment relationship and the pursuit of legitimate business interests as provided for by art. 6 GDPR and by Recital n. 47:
- Sensitive and/or judicial data of the employees resulting from the employment relationship and inherent to the relationships with social security and assistance institutions, for which consent was expressly given;
- Subject to express consent, sensitive data of customers, suppliers and third parties
Purpose of the Processing
The personal data is processed:
a) without express consent (art. 24 letters a), b), c) Privacy Code and art. 6 lett. b), e) GDPR), for the following Service Purposes:
- conclude the contracts for the Data Administrator services;
- fulfil the pre-contractual, contractual and fiscal obligations deriving from existing relationships with you;
- to fulfil the obligations provided for by the law, by regulations, by EU legislation or by an order of the Authority (such as in the field of anti-money laundering);
- exercise the rights of the Data Administrator, for example, the right of defence in legal proceedings;
b) Only with specific and separate consent (Articles 23 and 130 of the Privacy Code and Article 7 of the GDPR), for the following Marketing Purposes:
- sending by e-mail, post and/or text message and/or telephone contacts, newsletters, commercial communications and/or advertising material on products or services offered by the Data Administrator and detection of the degree of satisfaction with the quality of the services;
- sending by e-mail, post and/or text message and/or telephone contacts commercial and/or promotional communications from third parties (for example, business partners, insurance companies)...
- Furthermore, the company reserves the right to send commercial communications relating to services and products of the Data Administrator similar to those you have already purchased, unless you object (Article 130 c. 4 of the Privacy Code).
- Product recommendations by e-mail: In compliance with the national and international legislation in force, GUARRACINO TRADE COMPANY S.R.L. has the right to use the e-mail address provided when ordering a product or service as a direct advertising channel for similar items or services. If you subsequently no longer wish to receive our recommendations by e-mail, you can revoke your consent to the use of your address at any time without incurring transmission costs other than those provided for under the basic rates. To do this, please send a communication to the contacts indicated in point 1. Naturally, each e-mail also contains a link to proceed with the cancellation.
- Newsletter: To send the newsletter, the company uses the so-called "double opt-in" procedure, meaning that a newsletter will be sent via e-mail only if activation of the newsletter service was previously requested during the registration procedure. The company will therefore send a notification e-mail, through which you can confirm that you wish to receive our newsletters by clicking on the appropriate link contained in its text.
- If you subsequently no longer wish to receive our e-mail newsletters, your consent may be revoked at any time without incurring transmission costs other than those provided for under the basic rates. A written notification to GUARRACINO TRADE COMPANY S.R.L. is sufficient.
Processing Method and Communication
The data will be processed for purposes related to the reciprocal obligations deriving from the contract with the GUARRACINO TRADE COMPANY S.R.L. as well as for compliance with the law and regulations, including secondary ones. The data will be processed using instruments that guarantee security and confidentiality and can also be carried out using automated tools to store, manage and transmit the data in a lawful and correct manner, collected and recorded for specific, explicit and legitimate purposes; exact and, if necessary, updated; relevant, complete and not excessive in relation to the purposes of the processing.
We also inform you that the aforementioned processing of personal data concerning, connected and/or instrumental to the employment relationship with the GUARRACINO TRADE COMPANY S.R.L., may be carried out and/or communicated by the following subjects:
- from/to Public Administrations, public and private social security institutions, trade union associations of bilateral bodies, joint commissions and supplementary pension funds with compulsory or optional membership;
- from/to companies, organizations or associations, and professionals who provide consulting services and/or processing services to the company or perform activities instrumental to that of the company, and in particular to lawyers and consultants in general;
- from/to insurance companies, brokers, experts, airlines and railways, travel agencies, leasing or car rental companies, credit card and meal voucher issuers, client banks and suppliers and, in general, to third parties for whom the processing is necessary in the course of the company's normal working activity;
- from/to subjects to whom the right to access your personal data is recognized by provisions of law or secondary community legislation, as well as collective and company bargaining;
- from/to subjects to whom the communication of your personal data is necessary or is in any case functional to the management of the employment relationship.
- Mandatory communication of the authorization to the Provincial Labor Office (articles 39 and 40 of Legislative Decree 112/2008, converted by Law No. 133/2008).
The subjects belonging to the categories to which the data may be communicated will process them as "Data Administrator" pursuant to the law, in full autonomy, being outside the original agreement carried out at the company. Again for the purposes related to the company's economic activity and the employment relationship, it may also be necessary to process personal data that falls within the category of sensitive data, for example, data suitable for revealing racial or ethnic origin, religious and philosophical beliefs or beliefs of any other kind, adherence to parties, trade unions, associations and organizations of a religious, philosophical, political or trade union nature, as well as personal data suitable for revealing the state of health and sexual life or relating to a criminal record.
We also inform you that, in relation to the aforementioned processing, the data subject may exercise the rights referred to in art. 7 of Legislative Decree No. 196/2003 and art. 15 GDPR. According to art. 13 of Legislative Decree 196/2003, it is also noted that "any refusal to respond" at the time of collection of the information, or any denial of data processing, could make it objectively impossible to comply with part of the legal and/or contractual obligations related to the employment relationship, which therefore could not be established or continued.
The Data Administrator will process the personal data for the time necessary to fulfil the aforementioned purposes and in any case for not more than 10 years from the termination of the relationship for the Service Purposes and for no more than 2 years from the collection of data for the Marketing Purposes.
Personal data is stored on servers located within the European Union. In any case, it is understood that the owner, if necessary, will have the right to move the servers even outside the EU.
In this case, the Data Administrator ensures from now on that the extra-EU data will be transferred in compliance with the applicable legal provisions, subject to the stipulation of the standard contractual clauses envisaged by the European Commission.
Areas and Tools with which the Processing is Carried Out
The Guarracino Trade Company S.R.L. Information Technology infrastructure is characterized by one central server.
Guarracino Trade Company S.R.L. is equipped with the following IT Management systems:
Mozilla Thunderbird e-mail client
Ad hoc document for the detection of staff attendance
LAN is used for internal connections; connectivity towards the outside "internet" is dedicated, exploits Fiber Optic / ADSL technology, managed by external suppliers and protected by a double internal firewall present in-house, which covers any transfers of data to the outside. Access by suppliers and maintenance personnel is always and in any case with the prior authorization of the Data Administrator.
The only paper documentation is represented by the invoice printouts at the conclusion of the contracts signed with the company.
The paper documents are normally stored in cabinets (or equivalent) equipped with a lock supplied to the personnel in charge of the Agreement. Where compatible with the purposes and structure of the documents, specific documents containing sensitive data are stored separately. In the hypotheses in which they are produced centrally, the specific security procedures defined in this model are applied.
Risk Analysis on Data
- For personal data (so-called common data) of employees, customers, suppliers, consultants and possibly third parties: the risk linked to their management can be defined as low.
- For sensitive data of employees, customers, suppliers, consultants and possibly third parties for whom consent has been expressly given: the risk associated with their management can be defined as medium/low.
- The risk of access to the company's headquarters can be defined as low: access is controlled by a private security service. There is a suitable security alarm system with an attached video surveillance service.
- The risk of tampering and/or failure of data processing management equipment can be defined as low: the premises are equipped with an anti-theft (alarm) system. Staff are trained on how to use and manage the equipment. The hardware used is from leading manufacturers and recent. The machinery is managed internally and covered by warranty contracts.
- The risk of installing unauthorized software and of unauthorized access to application programs can be defined as low: all users access company resources with a standard profile, in which administration functions are locked. The installation of uncontrolled programs is therefore disabled.
- Session lockout is automatic in case of prolonged non-use of the workstation.
- The risk related to data processing (unauthorized access to the archives; incorrect modification or deletion of data; loss, accidental or malicious, of data; interception of transmissions; inability to restore data after an event that has damaged them) can be defined as low: access to company resources is via an authorized profile.
- The paper documentation is kept in locked rooms.
- The LAN network is protected from external access by a firewall system.
Security Measures for the Integrity and Availability of Data
To protect personal data from the risks referred to in the previous paragraph, the following security measures are taken.
1. Physical Security Measures
To ensure the physical security of the premises where personal data is processed, in addition to the measures provided for by law (for example, Legislative Decree 81/2008) or by internal company rules (seat protection), the following controls are applied:
- The IT equipment critical for information security (network server, file server, database server, router, switch and firewall) are installed in closed rooms.
- Access to these areas is granted only to maintenance personnel or authorized personnel.
- Personnel outside the company can access the premises and remain there for the time necessary to complete the requested activity (for example, cleaning or maintenance), only after explicit approval by the employees and with their constant presence.
- Data backups - possibly even sensitive ones - are performed on a physically secured hard disk by the designated subject, whose access is allowed to the authorized subjects for their custody, maintenance and to those authorized to process that data.
- The premises used for archives, are managed directly by the Data Administrator, as for sensitive data, they are closed in special cabinets, while all other data in paper form, are protected by the office and by the employees who work there.
2. Measures for Logical (Analytical) Security
To ensure the logical (analytical) security of the information, the following measures are in effect:
- In order to use the workstations (PC, desktop computer) and access the applications for the processing of personal data, staff members must authenticate with a User-ID and password.
- The accounts are individual and are created by the Systems Administrator upon request of the Data Administrator. Once the account is created the interested party (user) will be asked to create a password according to the rules that will follow.
- An account will not be reassigned to another staff member for any reason. When a staff member leaves the company, his/her account cannot be reassigned or reused.
- Periodically, the company will check for any accounts that have not been used within the last six months and will proceed to deactivate them. Before cancelling an account, the Systems Administrator checks with the Data Administrator whether the need that led to its creation remains and, with its agreement, takes the appropriate action (cancellation or maintenance).
- When the reasons for which an account has been created cease to exist (resignation, change of activity, technological changes) the system administrator immediately deactivates the account. The account can be kept in place (but deactivated) until the activities of handover between the previous and the new appointee have been completed; everything must be documented. At this point, it is deleted, along with all the accompanying authorizations.
- Account authentication is carried out by means of a password. This is secret and must not be communicated to others or left unattended, for example by writing it on diaries or on notes. Unlawful processing made by obtaining a password of a user is in any case attributable to the personal user who did not maintain it correctly.
- When a password is forgotten, the system administrator verifies that the applicant is the person in charge who is the rightful owner and proceeds to set a new one together with the applicant according to the rules defined above.
- To surpass emergency situations or to respond to legitimate access requests, the Data Administrator can reset the password of a user for temporary access. The activity must be documented and the legitimate owner of the password must be informed as soon as possible. It will be his care at this point to change the password used for the emergency situation and set a new one, known only to him.
- Each person in charge has the obligation not to leave the workstation unattended while a work session is activated. If you have to leave the workstation, you must close the session and, in the case of PCs, prevent access to others, using the PC blocking function where possible or alternatively provide a screen-saver program with a password, if neither of them is applicable the user will have to stop the active session.
- User name and password administrate the right of a person in charge to use a workstation and to access an application. Data processing takes place according to an authorized profile issued according to the effective operational needs of the appointee and in line with the relevant authorizations.
- The access profile is set up by the Systems Administrator according to the authorizations set forth by the Data Administrator. A copy of the activation request and of the authorization is scanned and registered in the company's computer system.
- Once a year, the list of active users and their active profiles is issued to the Data Administrator, who verifies the accuracy of each authorization and the need for it to remain. The authorizations are then confirmed, or their update is requested; the documentation that was the object of the verification is archived for any subsequent audit.
3. Security Measures of Communication
To ensure the security of communications, the following control measures are provided:
- An antivirus program, managed by the server component, is installed on all workstations connected to the Internet; updates are automatic and occur at least once a year for the software and daily for the virus definitions.
- Access for the outside "Internet" is controlled by a firewall, management is remitted to internal personnel who periodically verify that the access and control policies are always current and compliant.
- Any transmission of data to the outside must be authorized by the Data Administrator and must take place through the official system identified, this system must include a communication encryption system.
- The e-mail service is run through the Mozilla Thunderbird client on a "hosting" service; its use is in any case subject to prior authorization. The exchange of personal data through this channel must take place only when strictly necessary, explicitly requested and authorized; in any case, the information exchanged must not contain sensitive data, and such data may be sent only after appropriate tools have been applied to make the communication secure.
4. Communication and Data Connection
The Communication of Data relating to processing for which the Company acts as External Responsible is permitted only if the recipient of the communication has been duly identified and authorized by the Data Administrator; in all other cases, the Communication cannot take place.
If the recipients of the Communication are identified by means of generic indications, the Organizational Manager of the Processing holds a register in which the specific recipient subjects are promptly indicated.
In the event of a positive response, the Communication and/or the Transfer of Data to Third Parties may take place with the restriction of compliance with the purpose stated in the Information, specified in writing to the recipient of the Communication or Transfer.
5. Management and Storage of Paper Documents
All authorized staff members that include the use of paper documents are equipped with lockable cabinets or containers for the appropriate protection and conservation of documents containing personal data.
If it is compatible with their physical structure, documents containing special data are kept separately from documents containing only common data and access is further limited to those in charge who carry out tasks that require their use.
Documents that no longer have operational value are subject to preservation only if this is due to legal obligations or for legal, historical and in any case specified reasons, identified by the Data Administrator and documented by the Organizational Manager. Storage usually takes place in special storage rooms, whose access is controlled.
6. Use and Storage of Electronic Equipment
The IT tools are protected against the risks of intrusion and against the action of programs referred to in art. 615-quinquies of the criminal code by activating appropriate electronic tools. The updating of these tools and, more generally, the periodic updates of the programs aimed at preventing the vulnerability of electronic instruments and at correcting defects are carried out at least every six months.
The workstations made available to employees are equipped with the appropriate protection instruments and the security functions are activated in accordance with the technical specifications of the individual devices. Users are not able (or, where this is not technically possible, are instructed not) to change these pre-configured settings.
7. Relationship with Suppliers.
In relations with its suppliers, the Company adopts appropriate contractual clauses aimed at safeguarding its rights and its responsibilities regarding the processing of personal data.
For this purpose, in accordance with the different types of standard contracts used by the company, specific clauses have been developed to safeguard and precisely define the role and tasks of the Suppliers.
8. Limitation of Access to Database
The use of generic tools, reporting and extracting of data is limited to a few subjects specifically authorized, in all other cases the implementation of predefined tools is applied.
Surveillance Criteria in Regards for External Managers
Where Guarracino Trade Company S.R.L. entrusts the handling of personal data which the company owns to external subjects (appointed External Responsible Data Managers), the following security criteria apply.
When appointing an external subject as Manager, consistently with the requested service, detailed instructions are provided on the safety requirements to be followed. The supervision performed by the Company is carried out on an organizational, logical (analytical) and physical level.
1. Organizational supervision
A specific declaration is required from the External Manager regarding the implementation of the Minimum Security Measures provided for by the Technical Regulations.
The Company reserves the right to verify both the punctual appointment of the personnel that is used by the supplier for the performance of the services entrusted and the successful training. A copy of the incident reporting procedures is also requested in the following cases:
- presence of viruses
- recovery of data from backup copies
- accidental loss or destruction of data
2. Logical (Analytical) supervision
The manager is required to produce up-to-date information on a six-monthly basis, limited to the processing for which the Company is the owner, regarding:
- complete list of defined User-IDs
- User-ID not used in the period
- description of password re-initialization cases
- detection of actual frequent password change
Furthermore, all the events that gave rise to incident reporting related to the Company's Processing must be properly communicated and documented within 15 days of their occurrence.
At intervals of not less than one year, the supplier is required to simulate the restoration procedures in the presence of Company personnel.
3. Physical supervision
The identification and description of the places where the backup data and/or computer programs are kept are requested. A complete copy of the archives must be provided quarterly to the Company for autonomous custody in its own premises.
Rights of the interested party
The interested party pursuant to and for the purposes of art. 7 Privacy Code and art. 15 GDPR has the right to obtain confirmation of the existence or not of personal data concerning themselves, even if not yet recorded, and their communication in clear form and precisely the rights to:
1. obtain confirmation of the existence or not of personal data concerning you, even if not yet recorded, and their communication in a clear form;
2. obtain the indication of:
a) the origin of personal data;
b) the purposes and methods of the processing;
c) the logic applied in the case of processing carried out with the aid of electronic instruments;
d) the identification details of the Data Administrator, the managers and the appointed representative;
e) the subjects or categories of subjects to whom the personal data may be communicated or who can learn about them as appointed representative in the State, managers or appointees;
3. obtain:
a) updating, rectification or, when interested, integration of data;
b) the deletion, transformation into anonymous form or blocking of data processed in violation of the law, including data which does not need to be kept for the purposes for which the data was collected or subsequently processed;
c) the attestation that the operations referred to in letters a) and b) have been brought to the attention, also with regard to their content, of those to whom the data have been communicated or disseminated, except where such fulfilment proves impossible or involves a manifestly disproportionate use of resources with respect to the protected right;
4. object, in whole or in part:
- for legitimate reasons, to the processing of personal data concerning you, even though they are relevant to the purpose of the collection;
- to the processing of personal data concerning you for the purpose of sending advertising materials or direct sales or for carrying out market research or commercial communication, through the use of automated call systems without the intervention of an operator by e-mail and/or through traditional marketing methods by phone and/or mail.
It should be noted that the right of opposition of the interested party, previously exposed, for direct marketing purposes through automated methods extends to the traditional ones and that in any case, the possibility remains open for the interested party to exercise the right of opposition even only in part. Therefore, the interested party can decide to receive only communications using traditional methods or only automated communications or none of the two types of communication. Where applicable, it also has the rights set forth in Articles 16-21 GDPR (Right of rectification, right to be forgotten, right to limitation of processing, right to data portability, right to object), as well as the right to complain to the Guarantor Authority.
Concluding remarks, declaration of commitment and signature
This document derives from the analysis of the issues relating to the entry into force of the EU Regulation 679/2016 mentioned in the introduction.
A copy of this document is attached to the recipients of previous communications to act as instructions about the tasks and rules to be observed in the context of the activity carried out by the company, GUARRACINO TRADE COMPANY S.R.L.
This document is signed at the bottom by SIMONE GUARRACINO as SINGLE ADMINISTRATOR of the GUARRACINO TRADE COMPANY S.R.L.
The original of the document is kept at GUARRACINO TRADE COMPANY S.R.L., based in the Industrial Area ASI Aversa Nord near the SINE Centre, 81032 Carinaro (CE), to be exhibited in case of checks.
A copy will be delivered:
- to anyone who requests it in relation to the establishment of a relationship that involves the processing of personal data