Privacy Policy


For the website www.in20.com, Inventi In20 Srl (hereafter referred to as the “Controller”) is the exclusive data Controller under the privacy legislation (Legislative Decree no. 196/2003, Privacy Guarantor Provisions, Best Practices) and subsequent amendments and EU Data Protection Regulation no. 2016/679. This Privacy Policy may be subject to additions and changes due to regulatory and technological developments, best practices and the need for internal restructuring of the digital architecture. Any changes will be reported online.

 

Our privacy rules show:

  • The data subject;
  • Data Controller, Data Processors, Privacy Contact Point;
  • Data collected and purposes;
  • Data Processing;
  • Processing Methods and privacy principles;
  • Data classification;
  • Data retention and criteria;
  • Communication and dissemination for legal and/or contractual purposes;
  • Communication to the data subject by email, newsletter, sms, mms and apps;
  • Data transfer to non-EU countries and international Organisations;
  • Profiling;
  • Data portability;
  • Data Breach;
  • Data subject rights;
  • Consent;
  • Consent to receive communications;
  • Consent to communications and/or dissemination;
  • Consent to non-EU data transfer;
  • Consent to profiling;
  • Refusal to provide personal data;
  • Refusal to receive communications;
  • Refusal to authorise non-EU data transfer;
  • Refusal to authorise profiling;
  • Withdrawal of consent and consequences;
  • Data portability;
  • Withdrawal of consent to receive communications from the data controller;
  • Consent and specific policies;
  • Cookies policy;
  • Amendments and/or additions.

 

THE DATA SUBJECT

Data subjects of our processing may include the following: users who visit our website, company legal representatives, guests of meetings or promotional events, employees, banks or financial companies’ contact persons, customers, suppliers, prospective customers and cloud users. Data can be collected directly from the data subject or via cookies.

 

DATA CONTROLLER

The Data Controller is Inventi In20 srl in the person of its pro tempore legal representative. The registered office of In20 srl is at Via Sandro Pertini, 7 – Loc. Antella 50012 Bagno a Ripoli (FI). Contacts are: Tel.: +39 055 5381062; email: comunicazione@in20.com

 

INTERNAL PRIVACY POINT

In20 srl has set up an Internal Privacy Contact Point which is accessible via email and to which the data subject’s privacy requests can be forwarded. Internal Privacy Point email: privacy@in20.com

Requests will receive a positive or negative response within a month of the request or, in the most complex cases, within three months.

 

DATA PROCESSING

The Controller has identified the data processing carried out in the following key areas: the Administrative-Accounting-Litigation-Compliance Departments (hereafter: Administrative Department), and the Commercial and IT Departments. These departments use data processing to pursue their aims (purposes marked according to the type of activity and consequent information management).

The data controller uses your data for the purposes set out below.

 

ADMINISTRATIVE DEPARTMENT

The data subject may be: those requesting information, website users, company legal representatives, guests of meetings or promotional events, employees, banks or financial companies’ contact persons, individual customers, a company CEO and suppliers, who can act as the company’s legal representative.

Consent basis: legal obligations or expressed consent by using flags on the website or by other means such as a contract.

Purposes:

Management of Salaries, Bonuses, Job Certificates, Trade Unions;

Contract Management with Customers and Suppliers;

Bank document management;

Management of Legal Matters;

Social Media Content Management;

Event organisation.

 

COMMERCIAL DEPARTMENT

Data subject is: a prospective customer and the customer.

Consent basis: previous contract or consent.

Purposes:

Marketing and Telemarketing management

 

INFORMATION TECHNOLOGY DEPARTMENT

Data subject is: the cloud user or a user acting as a company legal representative.

Consent basis: signing a contract.

Data processing is exclusively in electronic format, without content relating to the users/customers of the Cloud Computing services as per the contract.

Purposes:

Management and maintenance of processing systems or their components;

Digital archive Management;

Network and security system management;

Software system Management.

 

PROCESSING METHODS

The Controller performs the necessary processing under the national privacy legislation (Legislative Decree no. 196/2003, Privacy Guarantor Provisions, Best Practices) and EU Data Protection Regulation 2016/679 to fulfil a legitimate interest related to a signed contract or in compliance with legal provisions.

The Data Controller guarantees the data subject that the data minimisation principle is applied to any processing. This means that personal data will be used only when it is indispensable to carry out activities that cannot be performed using anonymous data or personal data of a different nature.

 

DATA CLASSIFICATION

Data classification is important. The data subject and the Controller must know which data, and how much of it, is hosted by the facility. They must identify the information streams which contain such data, the types of data subjects involved and to what extent. Good data mapping allows the Controller to intervene quickly and precisely if there is a Data Breach. The impact of any accident on affected positions depends on the data type (personal, special, sensitive, medical-health, judicial); the amount of information involved; the digital location (at rest or active archive or a data stream circulating through the internal and external facility networks); the type and quantity of damaged data subjects; and the possibility of containment. For all these reasons the classification of the affected data is important, as it allows an immediate criticality and risk assessment.

Data categories.

General or non-personal data (GD).

Information intended for public use or information that may be made public with no negative impact on the data subject.

Personal data (PD).

Information concerning the identification of data subjects such as name, surname, address, email address, telephone numbers and / or other contacts or methods of identification.

Special or sensitive data (SD).

Sensitive data which can reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or union membership, genetic data, biometric data intended to uniquely identify an individual, data relating to sex life or orientation.

Medical or health data (MD).

Information relating to the data subject’s health and their medical and health certification and documentation.

Judicial data (JD).

Information concerning the data subject’s judicial records or proceedings.

Data at rest (X), active (XX), circulating (XXX).

Personal, special-sensitive, medical-health, and judicial data may be “at rest”, “active”, “circulating”, depending on whether it is permanent in an archive, used, or circulates in the internal and external facility networks.

Paper (Y) and digital data (@).

Personal, sensitive, medical-health and judicial data that is “at rest”, “active” or “circulating” can be stored in paper and/or digital formats.

 

STORAGE

The storage of personal, sensitive, judicial and health data takes place only if the processing purpose is unachievable by other means. Personal, sensitive, judicial and health data will be deleted as soon as the purpose is fulfilled. Currently the data is kept for the following periods.

 

ADMINISTRATIVE DEPARTMENT

Ten years – ex lege regardless of the data subject’s consent.

 

COMMERCIAL DEPARTMENT

Marketing

For Customers: duration of the contract and related guarantees.

For non or prospective customers: five years – upon express authorisation of the non-customer.

Data processing for the above purposes is optional and the data subject can decide whether to give their consent for the use of their data for these additional purposes that do not concern the contract (see Guarantor Privacy, “Retention of personal data concerning customers for profiling and marketing activities” – 30 June 2016).

 

INFORMATION TECHNOLOGY DEPARTMENT

Contract Term

 

COMMUNICATION AND DISSEMINATION FOR LEGAL AND CONTRACTUAL PURPOSES

Except when the law establishes that consent is not mandatory, the Data Controller is obligated to obtain data subject consent if data is passed to third parties and/or otherwise disseminated. For this purpose and with the utmost transparency towards the data subject, the Data Controller shall detail the processing for which Communication and/or Dissemination is planned.

 

ADMINISTRATIVE DEPARTMENT

COMMUNICATION TO THIRD PARTIES for legal and contractual obligation purposes.

THE RECIPIENTS are the following:

  • INPS and INAIL

Data subject: employee

Digital processing. Personal, sensitive, judicial and health data.

  • Trade unions

Data subject: employee

Digital processing. Personal, sensitive, judicial and health data.

  • Revenue Agency

Data subject: employee

Digital processing. Personal, sensitive, judicial and health data.

  • Court and Telematic Civil Proceedings

Data subject: employee, supplier, customer

Digital processing. Personal, sensitive, judicial and health data.

  • Social Media Provider

Data subject: employee, supplier, customer

Digital processing. Personal data (e.g. photo).

DISSEMINATION: personal data of employees, guests of events or other subjects on online spaces including social media only upon the data subject’s authorisation.

 

COMMERCIAL DEPARTMENT

COMMUNICATION TO THIRD PARTIES for legal and contractual obligation purposes.

THE RECIPIENTS are the following:

  • ONLINE COLLECTION AGENCIES

Data subject: CUSTOMERS

Digital processing. Personal data.

THERE IS NO DISSEMINATION

 

INFORMATION TECHNOLOGY DEPARTMENT

THERE ARE NO COMMUNICATIONS TO THIRD PARTIES.

THERE IS NO DISSEMINATION.

 

COMMUNICATION TO THE DATA SUBJECT BY EMAIL, NEWSLETTER, SMS, MMS AND APPS

In these cases, communication is not performed to third parties but to the data subject. This type of communication can only take place if the data subject gives express consent. In these cases, the Data Controller is obliged to inform the data subject and obtain their consent.

The data subject may receive communications via mobile phone and Internet (particularly: email, newsletters, sms, mms, social network and apps) on behalf of the Data Controller to promote initiatives related to the purposes referred to in the “DATA PROCESSING” section.

An example of this type of activity could be sending an electronic communication for an event or a service.

Refusal to provide consent to receive these communications could:

  • make it impossible to send communications, news, circulars or to correctly manage the employer and employee’s relationship;
  • result in the lack of certain benefits, such as the use of agreements.

 

DATA TRANSFER TO NON-EU COUNTRIES AND INTERNATIONAL ORGANISATIONS

Currently no foreign data transfer is planned.

If processed data were transferred to NON-EU countries or international organisations, it would only be done with the express authorisation of the data subject and only when at least one of the following conditions is met:

  • there is an adequacy decision of the EU Commission published in the EU Gazette;
  • the NON-EU country or the international organisation has proven that they have adopted adequate privacy guarantees;
  • there are binding corporate rules;
  • there is the legitimate interest of the data controller.

If there is a data transfer outside the EU, the Controller undertakes to provide the data subject with the means to obtain a copy of the data communicated abroad or to facilitate access to the physical or digital location where it has been made available.

 

PROFILING

The Controller declares that no personal data profiling is carried out.

In the IT Department there is “computer application profiling”, which is different from profiling data subjects. This is the management of user profiles on the system or network (networks). If data profiling is carried out, this would be done only with the express authorisation of the data subject.

 

DATA PORTABILITY

The data controller grants the data subject data portability to another operator in an interoperable format and without burdens or expenses for the data subject. The data subject has the right to request the Controller to certify that the requested operations and content have been brought to the attention of those to whom the data were communicated. This does not apply if this requirement proves impossible or involves the use of means manifestly disproportionate to the protected right.

 

DATA BREACH

If there is a loss of data (Data Breach), the Data Controller will immediately proceed according to the established Data Breach Procedure. Where necessary, it will provide notification to the relevant Authorities and the data subject.

 

DATA SUBJECT RIGHTS

To guarantee the exercise of data subject rights under art. 7 of Legislative Decree 196/2003 and in compliance with the EU Data Protection Regulation 2016/679, the Data Controller has established an Internal Privacy Contact Point which can be accessed by email and to which the data subject’s privacy requests can be forwarded. Internal Privacy Point email: privacy@in20.com. The Internal Privacy Point provides positive or negative feedback to the data subject within a month from the request. The deadline for replying to the data subject can be extended up to three months in complex cases.

The data subject has the right to know the retention period or, if this is not possible, the criteria used to define this period.

The transfer of data to third party countries is subject to the data subject’s express consent. The data subject has the right to know the relevant logic of any data profiling and this shall be subject to the data subject’s express consent.

Under internal regulations and the EU Data Protection Regulation 2016/679 the data subject is entitled to ten types of actions: information, access, correction-updating-blocking, deletion-to be forgotten, processing limitation, opposition, portability, revocation, complaint and appeal.

Below are all the data subject rights:

  • Privacy policy
    • Right to obtain privacy information from the data controller.
  • Access
    • Right to access their data located at the data controller premises or servers.
  • Correction, Updating, Blocking
    • Right to request the correction of their data when it is incorrect;
    • Right to request the updating and/or integration of their data when it has changed;
    • Right to request the Controller to transform it into an anonymous format or block it.
  • Deletion-To be forgotten
    • Right to request the Controller for deletion or to be forgotten, depending on the case.
  • Processing limitation
    • Right to request the Controller to limit the processing because some data is excessive for the purposes.
  • Opposition
    • Right to oppose processing for legitimate reasons.
  • Portability
    • Right to request that the Controller transfer their data to another Controller in an interoperable format and without any burdens or expenses for the data subject;
    • Right to request the Controller to certify that the requested operations and content have been brought to the attention of those to whom the data were communicated. This does not apply if this requirement proves impossible or involves the use of means manifestly disproportionate to the protected right.
  • Withdrawal
    • Right to withdraw the consent at any time without prejudice to the lawfulness of the processing based on the consent given before the revocation.
  • Complaint
    • Right to lodge a formal complaint with the Privacy Guarantor.
  • Appeal
    • Right to a judicial remedy against a supervisory Authority decision.
    • Right to a judicial remedy against the Data Controller or Processor if there is a violation of protected rights.

 

DATA PROCESSING CONSENT

The provision of personal data necessary for the purposes indicated above is not mandatory; however, a refusal to provide it makes it impossible to stipulate contracts and establish relationships with the data controller.

 

CONSENT TO RECEIVE COMMUNICATIONS

via email, newsletter, sms, mms, social network and apps.

The consent to receive communications via email, newsletter, sms, mms, social network and apps is independent from personal data processing consent. This means that the data subject can give consent to the data processing but not to the receipt of the Newsletter, which is optional. If the user does not give consent for the newsletter, they are still entitled to stipulate contracts with the data controller.

 

CONSENT TO COMMUNICATIONS AND DISSEMINATION

The Data Controller as described above in the “Communication and Dissemination” section does not send any communication to third parties or disclose personal data provided by the data subject except in the cases provided for by law or the publication of data on social media only upon the data subject’s express authorisation.

 

CONSENT TO NON-EU DATA TRANSFER

The consent to transfer data to non-EU countries is independent from personal data processing consent. This means that the data subject maintains the relationship with the Controller regardless of the authorisation to transfer data to non-EU countries. This is without prejudice to different contractual conditions.

 

CONSENT TO PROFILING

The consent to data profiling is independent from personal data processing consent. This means that the data subject maintains the relationship with the Controller regardless of data profiling authorisation.

 

REFUSAL TO PROVIDE PERSONAL DATA

The refusal to provide personal data implies the impossibility of fulfilling contractual and/or legal obligations. A refusal to provide personal data makes it impossible to complete any relationship between the controller and the data subject.

 

REFUSAL TO RECEIVE COMMUNICATIONS

Refusal to give consent to receive communications via email, newsletter, sms, mms, social network and apps is optional and does not prejudice the Controller and the data subject’s relationship. However, it could:

  • make it impossible to send certain communications such as news, circulars or to correctly manage the controller and the data subject’s relationship;
  • result in the lack of certain benefits, such as the use of agreements.

 

REFUSAL TO AUTHORISE COMMUNICATION AND/OR DISSEMINATION

Except in cases where the communication is established ex lege, the data subject’s refusal to authorise the communication of data to third parties is optional and does not prejudice the Controller and the data subject’s relationship.

 

REFUSAL TO AUTHORISE DATA TRANSFER TO NON-EU COUNTRIES

The data subject’s refusal to provide authorisation to transfer data to countries outside the EU is optional and does not affect the Controller and the data subject’s relationship.

 

REFUSAL TO AUTHORISE PROFILING

The data subject’s refusal to provide authorisation for data profiling is optional and does not prejudice the Controller and the data subject’s relationship.

 

WITHDRAWAL OF DATA PROCESSING CONSENT

The consent to the processing of data may be withdrawn by writing an email to the Internal Privacy Point privacy@in20.com which states that consent to data processing has been revoked. The withdrawal makes it impossible to continue the relationship with the Controller and this can have negative contractual consequences.

The consent withdrawal does not invalidate processing carried out beforehand.

Following the withdrawal, the data subject may request their information be returned in an interoperable format for its transfer to another controller.

 

DATA PORTABILITY

Once the withdrawal right has been exercised, the data subject has:

  • The right to request that the Controller transfer their data to another Controller in an interoperable format and without any burdens or expenses for the data subject;
  • The right to request the Controller to certify that the requested operations and content have been brought to the attention of those to whom the data were communicated. This does not apply if this requirement proves impossible or involves the use of means manifestly disproportionate to the protected right.

 

WITHDRAWING CONSENT TO RECEIVE DATA CONTROLLER COMMUNICATIONS

Consent can be withdrawn at any time without any penalty or bureaucratic complication. It is sufficient for the data subject to write an email to the Internal Privacy Point privacy@in20.com in which they declare that they withdraw their consent to receive data controller communications. The consent withdrawal does not invalidate processing carried out beforehand.

 

CONSENT AND SPECIFIC POLICIES

On-line and/or hard copy policies which will require consent are submitted to the data subject for specific data processing purposes or certain types of data.

 

AMENDMENTS AND/OR ADDITIONS

This Privacy Policy may be subject to additions and changes due to regulatory and technological developments, best practices and the need for internal restructuring of the digital architecture. Any changes will be reported online. These changes will be deemed accepted if the user does not oppose them and continues to browse the website.