The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of Personal Data (the "Regulation") lays down a set of rules on the protection of natural persons with regard to the Processing of Personal Data and to the free movement of the latter, safeguarding the fundamental rights and freedoms of the Data Subjects.
Art. 4 para. 1 of the Regulation sets forth that "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject").
Pursuant to art. 4 para. 2 of the Regulation, the term "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Furthermore, according to art. 12 et seq. of the Regulation, the Data Subject has to be appropriately informed concerning (i) the Processing activities performed by the Company and (ii) the rights of Data Subjects.
The Data Controller pursuant to arts. 4 and 24 of the Regulation is the Company. The Data Controller may be contacted in writing at the above address of the Company or by sending an e-mail to: [email protected].
Without the consent by the Data Subject
The Personal Data provided by the Data Subject to the Company will be treated solely for the purposes regarding the performance of a prospective or existing professional assignment entrusted to the Company. Within the scope of these purposes, the Processing of Personal Data is also performed to comply with specific legal requirements concerning the contractual relationship and the fulfilment of the assignment. Finally, Personal Data will be processed in the presence of a Company's legitimate interest to perform and manage the activity, with the intent to deliver enhanced services, after considering and balancing any potential impact on the Data Subject's rights.
With the consent by the Data Subject
Upon express consent provided by the Data Subject, the Company will process Personal Data (name, surname, e-mail address, telephone number etc.) to convey communications containing information concerning the Company and its activities, which may include, among others: (i) events and meetings; (ii) various marketing activities and (iii) analysis of the Data Subject's preferences and areas of interest, to enhance the services provided by the Company and meet their specific requirements/needs (the so called "profiling activity").
Furthermore, when the Company will transfer Personal Data to other companies belonging to Poseidon Group for compliance requirements, such as the "Know Your Customer – KYC" process, or for other purposes regarding the performance of a prospective or existing professional assignment, it will ask and require an express consent from the Data Subject.
If the communication of Personal Data by the Data Subject and the consequent Processing by the Data Controller are required to establish or continue and appropriately carry out a pending relationship, such communication is mandatory. Refusal by the Data Subject to provide the Personal Data requested by the Data Controller may lead to the impossibility to execute and direct any contractual relationship with the Data Subject.
The disclosure of Personal Data for marketing purposes and profiling activities is optional but, if the Data Subject declines, the Company will be prevented from sending communications containing information about itself or about marketing or other promotional activities.
In accordance with art. 5 of the Regulation, Personal Data concerned by Processing are:
- processed lawfully, fairly and in a transparent manner in relation to the Data Subject;
- collected and recorded for specified, explicit and legitimate purposes and subsequently processed in ways that are compatible with such purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, updated;
- kept in a form which allows identification of the Data Subject for no longer than is necessary for the purposes for which the Personal Data are processed; and
- processed in a manner that ensures appropriate security.
In relation with the purposes listed above, Personal Data may be processed using paper and electronic means and, in particular, by ordinary mail or e-mail, telephone (e.g. automated calls, text messages), fax and any other IT instruments (e.g. websites, mobile apps) merely in connection with such purposes and, in any case, ensuring data security and confidentiality, in compliance with what is envisaged by the Regulation.
Personal Data are processed and stored in cloud and on servers both within and outside the European Union, belonging or otherwise available to the Data Controller and/or to third-party companies in charge of the Processing, duly appointed as Data Processors.
The Personal Data concerned by Processing will be stored in compliance with the provisions set forth in art. 5 para. 1 lett. e of the Regulation in a form allowing the identification of the Data Subjects concerned for no longer than the time required to achieve the purposes indicated above, for which the Personal Data were originally collected and processed.
The Processing of Personal Data provided by the Data Subject will be performed by the professionals involved in the performance of the services, as well as by their supporting staff, through persons expressly and specifically appointed by the Data Controller, operating at the latter's office in their capacity as Data Processors (art. 28 of the Regulation) or as persons acting under the authority of the controller or of the processor (art. 29 of the Regulation) or even as officials expressly appointed for the Processing of Personal Data in accordance with the terms envisaged by the Regulation.
In order to enable the fulfilment of legal and contractual obligations Personal Data may be communicated to service providers with Data Processor functions providing IT and system administrator services, to post offices, to shipping agents and couriers when sending documents, as well as to banking institutions carrying out accounting aspects deriving from the execution of the assignment, as well as to the Public Administration pursuant to the laws in force, as well as to any third parties providing IT or filing services.
The Personal Data of the Data Subject will not be publicised by the Data Controller, which will never disclose them or make them otherwise available to undetermined parties.
In compliance with the provisions of the Regulation, the Data Subject may exercise the rights indicated therein and in particular:
- Right of access: the right to obtain confirmation as to whether or not Personal Data regarding the Data Subject are being processed, and, where that is the case, receive information, in particular on the purposes of the Processing, the categories of Personal Data being treated and the recipients to whom these may be disclosed,
- Right to rectification: the right to obtain the rectification of any inaccurate Personal Data regarding the Data Subject or the right to obtain the completion of any incomplete Personal Data,
- Right to be forgotten: the right to obtain the erasure of Personal Data regarding the Data Subject, in the cases envisaged by the Regulation,
- Right to restriction of Processing: the right to obtain from the Data Controller restriction of Processing, in the cases envisaged by the Regulation,
- Right to data portability: the right to receive Personal Data concerning the Data Subject, which the latter has provided to the Data Controller,
- Right to object: the right to object to the Processing of one's own Personal Data, unless legitimate grounds exist for the Data Controller to continue in their Processing.
Without prejudice for any other administrative or judicial remedy, the Data Subject who deems that the Processing concerning him- or herself is breaching the Regulation has the right to lodge a complaint with a supervisory authority, based in the Member State of his or her habitual residence, place of work or place of the alleged infringement, pursuant to art. 77 of the Regulation.
The exercise, at any time, of the right to withdraw his or her consent to the Processing of Personal Data is without prejudice for the lawfulness of the Processing performed by the Data Controller which is based upon the consent granted before the revocation.