This policy is issued to employees of the Company, as defined hereunder, in accordance with Regulation (EU) 2016/679 of 27 April 2016 (hereinafter, the “GDPR”) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
In detail, GEMAR S.r.l., with registered office in Casalvieri (FR), at Via Colle Marracone (hereinafter, the “Company”), as the Controller, in order to satisfy its obligations according to the GDPR, is required to inform you of the methods and purposes of processing any personal data, including sensitive data, that may come into the Controller’s possession when the employment relationship with you is started and/or during its continuation.
Source of the data and legal basis of processing
The personal data, including sensitive data, that is acquired by the Controller will normally be provided by you directly, when the employment relationship with you is started and/or during its continuation.
It is necessary to process your personal data in order to satisfy legal obligations and the legal basis of processing is the contract you have signed with the Company.
Purposes of processing
Your personal data will be processed by the Company for the following purposes:
- purposes connected with and/or instrumental to the employment relationship to which you are a party, also in relation to health and safety, social security and pensions and any otherobligation strictly associated with it;
- purposes connected with and/or instrumental to the fulfilment of legal, administrative, accounting, statutory and fiscal obligations, and also European regulations and standards;
- purposes connected with and/or instrumental to the fulfilment of insurance obligations for coverage of risks associated with employer’s liability for health and safety, occupational illnesses and damage caused to third parties;
- purposes connected with and/or instrumental to management of disputes with employees.
Although it is not obligatory for the data subject to provide the data needed to pursue the purposes of points a), b), c) and d) above, this is essential and indispensable for the correct and efficient management of the employment relationship, as well as for the fulfilment of legal obligations; refusal to provide such data will therefore make it impossible for the Company to carry out said activities.
If the Company intends to use the personal data collected for another purpose incompatible with the purposes for which the personal data was originally collected or authorised, the Company will inform the data subject beforehand.
In order to satisfy specific obligations relating to management of the employment relationship, including aspects relating to health and safety, social security and pensions, the Company might also process “sensitive” data, meaning data “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership” and also “genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation” on the basis of what is envisaged by Art. 9 of the GDPR.
The data will only be processed in cases where this is strictly necessary to achieve the aforementioned purposes and, in any case, in compliance with the GDPR. For processing of such data, please note that your consent is not required by law if the processing is necessary tosatisfy specific European laws, rules and regulations.
Data processing methods
In relation to the above purposes, the personal data is processed in full compliance with the principles of lawfulness, fairness and transparency, using manual, IT and ICT tools which store, manage and transmit the data, solely for the purposes for which it has been collected and, in any case, in a manner to guarantee its security and confidentiality.
In performance of processing activities, the Company undertakes to:
- ensure that the data processed is precise and up-to-date, and immediately to incorporate any corrections and/or supplements requested by the data subject;
- inform the data subject of any personal data breaches, in the times and in the cases contemplated by current regulations;
- guarantee that processing operations comply with applicable laws.
Categories of parties to whom the data may be disclosed
The personal data provided will not be disclosed, or at least not made known to unspecified parties, in any possible form, including by making it available to them or simply allowing them to consult it. The data may be communicated to clearly defined parties, in full compliance with the law, for purposes strictly related to satisfying our contractual obligations.
In detail, based on the positions held and the duties performed, employees and collaborators, including external collaborators, and also internal and external personnel, who perform technical activities, supporting services (such as legal services, IT services, shipment services) and auditing services for the Company, are authorised to process the data within the limits of their duties and in accordance with the Controller’s instructions.
In addition to the communication required to satisfy its legal obligations, the Company may also, with your prior consent, communicate your personal data to the following categories of external parties:
- parties which perform distribution activities for the Company and also partners of the Company;
- companies supplying marketing consultancy services.
The parties in the above categories may be appointed as processors or may operate totally independently as separate Controllers. Further information on communication of the data to the above parties and on the methods for obtaining copies of the data may be requested at firstname.lastname@example.org.
Personal data storage policy
The Company keeps the personal data acquired in its systems in a form that allows identification of the data subjects only for the period of time it takes to achieve the purposes for which it is processed or to satisfy specific regulatory or contractual obligations, including those imposed by current statutory and fiscal laws. The Company will not, under any circumstances, store your data for a period exceeding ten years from the end of the employment relationship with you.
Rights of the person concerned
We also inform you that, pursuant to the GDPR and, in particular, arts. 15-22 of Regulation EU 2016/679, the data subject may exercise specific rights by contacting the Controller, including:
- Right of access: right to obtain from the Controller confirmation of whether or not processing of the personal data is taking place and, in that case, to obtain access to the personal data and to further information on the origin, purposes, categories of data processed, the recipients and/or transfer of the data, etc.
- Right of rectification: right to obtain from the Controllerthe correction of imprecise personal data without unjustified delay, and also supplementing of incomplete personal data, also providing a supplementary declaration.
- Right of erasure: the right to obtain from the Controller the erasure of the personal datawithout unjustified delay, if:
- the personal data is no longer necessary for the purposes of processing;
- the consent on which processing was based has been withdrawn and no other legal basis for processing exists;
- the personal data has been processed illegally;
- the personal data must be erased to satisfy a legal obligation.
- Right to object to processing: the right to object at any time to processing of personal data for which the legal basis is a legitimate interest of the Controller.
- Right to limit processing: the right to obtain from the Controller limitation of processing, in cases in which the preciseness of the personal data is disputed (for the period necessary to the data processor to check preciseness of said personal data), if processing is performed illegally and/or the data subject has objected to processing.
- Right to data portability: the right to receive the personal data in a structured, commonly used and machine-readable format and to transmit said data to another controller, only in cases in which processing is based on consent and solely data processed using electronic instruments.
- Right to submit complaints to a supervisory authority: without prejudice to any other administrative or jurisdictional recourse, a data subject who believes that processing of his/her data breaches the Privacy Regulation is entitled to submit a complaint to the supervisory authority of the Member State in which they reside or habitually work, or the State in which the alleged breach has occurred.
If processing is based on consent, the data subject may withdraw the consent given at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
A data subject wishing to obtain further information on processing of his/her data, or to exercise the right indicated here above, may send a registered letter with acknowledgement of receipt to: GEMAR S.r.l. –Casalvieri (FR) –Via Colle Marracone. For any further information required, contact email@example.com .