
Privacy Policy

FOREWORD

This Model brings together the technical and organisational measures that GLOBALTECH SOLUTIONS SAGL, in its capacity as Data Controller of your personal data, implements to ensure, and be able to demonstrate, compliance with EU Regulation 2016/679 in the processing of personal data of natural persons, European citizens and residents of the European Union, that the Company carries out directly or that third parties carry out on its behalf. The Regulation of April 27, 2016, the so-called "General Data Protection Regulation" (hereinafter "GDPR"), published in the Official Journal of the European Union on May 4, 2016, became definitively operational and directly applicable in all Member States of the European Union as of May 25, 2018. It pursues the goal of strengthening the protection of the personal data of natural persons, both within and outside European borders and thus regardless of the principle of territoriality, by harmonising the privacy rules of all Member States. Together with EU Directive 2016/680 of the same day, which concerns only the processing of personal data in the context of the prevention and prosecution of crime, this Regulation constitutes the so-called "personal data protection package".

The adoption of appropriate technical and organisational measures is required by Articles 24 et seq. of the GDPR, under which the internal policies and measures implemented to satisfy the principles of data protection by design and data protection by default must take into account, in concrete terms, the nature, scope, context and purposes of the processing, as well as the risk to the rights and freedoms of natural persons.

In order to comply with this requirement, the drafting of this Model therefore required a prior careful and critical auditing activity, which made it possible to examine the specific situation of the Company and the impact assessment on the protection of personal data.

DEFINITIONS

For the purposes of the GDPR, and in relation to the concepts specifically involved in the processing activities carried out, directly and indirectly, by GLOBALTECH SOLUTIONS SAGL, the following definitions pursuant to Art. 4 GDPR apply:

(1) 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, by reference in particular to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity;

(2) 'processing' means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

(3) 'restriction of processing' means the marking of stored personal data with the aim of limiting their processing in the future;

(4) 'profiling' means any form of automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects of that person's professional performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

(5) 'pseudonymisation' means the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data cannot be attributed to an identified or identifiable natural person;

(6) 'filing system' means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

(7) 'controller' means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria applicable to its designation may be established by Union or Member State law;

(8) 'processor' means the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

(9) 'recipient' means a natural or legal person, public authority, agency or other body that receives communication of personal data, whether a third party or not. However, public authorities which may receive communication of personal data in the framework of a specific investigation in accordance with Union or Member State law shall not be regarded as recipients; the processing of such data by those public authorities shall be in accordance with the applicable data protection rules according to the purposes of the processing;

(10) 'third party' means any natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or processor, are authorised to process personal data;

(11) 'data subject's consent' means any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject signifies his or her agreement, by way of a statement or an unambiguous affirmative action, to personal data relating to him or her being processed;

(12) 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

(13) 'genetic data' means personal data relating to inherited or acquired genetic characteristics of a natural person which provide unambiguous information about the physiology or health of that natural person, and which result in particular from the analysis of a biological sample from that natural person;

(14) 'biometric data' means personal data obtained by specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person which enable or confirm their unambiguous identification, such as facial image or dactyloscopic data;

(15) 'health data' means personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information relating to his or her state of health;

(16) 'main establishment' means:

  1. in the case of a controller with establishments in more than one Member State, the place of its central administration in the Union, unless decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to order the implementation of those decisions, in which case the establishment which has taken such decisions is deemed to be the main establishment;
  2. in relation to a processor with establishments in more than one Member State, the place where its central administration in the Union is located or, where the processor does not have a central administration in the Union, the establishment of the processor in the Union where the main processing activities are carried out in the context of the activities of an establishment of the processor, in so far as that processor is subject to specific obligations under this Regulation;

(17) 'representative' means the natural or legal person established in the Union who, designated by the controller or the processor in writing pursuant to Article 27, represents them in relation to their respective obligations under this Regulation;

(18) 'undertaking' means any natural or legal person, regardless of its legal form, engaged in an economic activity, including partnerships or associations regularly engaged in an economic activity;

(19) 'group of undertakings' means a group consisting of a parent undertaking and its controlled undertakings;

(20) 'binding corporate rules' means the personal data protection policies applied by a controller or processor established on the territory of a Member State to the transfer or set of transfers of personal data to a controller or processor in one or more third countries, in the context of a corporate group or a group of undertakings carrying out a joint economic activity;

(21) 'supervisory authority' means the independent public authority established by a Member State in accordance with Article 51;

(22) 'supervisory authority concerned' means a supervisory authority concerned by the processing of personal data because:

  1. the controller or processor is established on the territory of the Member State of that supervisory authority;
  2. data subjects residing in the Member State of the supervisory authority are or are likely to be substantially affected by the processing; or
  3. a complaint has been lodged with that supervisory authority;

(23) 'cross-border processing' means either:

  1. processing of personal data which takes place in the course of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
  2. processing of personal data which takes place in the course of the activities of a single establishment of a controller or processor in the Union, but which substantially affects or is likely to substantially affect data subjects in more than one Member State;

(24) 'relevant and reasoned objection' means an objection to the draft decision as to whether or not there is an infringement of this Regulation, or whether or not the envisaged action in relation to the controller or processor complies with this Regulation, which objection clearly demonstrates the significance of the risks posed by the draft decision with regard to the fundamental rights and freedoms of data subjects and, where applicable, the free movement of personal data within the Union;

(25) 'information society service' means a service as defined in Article 1(1)(b) of Directive (EU) 2015/1535 of the European Parliament and of the Council;

(26) 'international organisation' means an organisation and its subordinate bodies governed by public international law or any other body established by or on the basis of an agreement between two or more States.

  1. GENERAL DATA PROTECTION REGULATION (GDPR)

As mentioned, as of 25 May 2018 the GDPR became binding in all its elements and directly applicable in each of the Member States and, at the same time, Directive 95/46/EC, which governed data processing at Community level, was repealed.

At national level, the Privacy Code, introduced by Legislative Decree No. 196/2003, which transposed the above-mentioned directive and the e-privacy directive (Directive 2002/58/EC), is currently in force in our country.

Although the Regulation takes precedence over domestic law, the GDPR does not entail the automatic repeal of the national law governing the same matter, but rather the disapplication, in concrete cases, of those provisions of domestic law that conflict with the new European rules, in favour of the new discipline.

Moreover, recital 10 of the GDPR expressly provides for 'a margin of manoeuvre for the Member States to specify the rules, also with regard to the processing of special categories of personal data'.

The GDPR rests on three guiding principles which permeate and support the entire regulatory framework. Compliance with them is protected by a system of sanctions, outlined in Articles 83 et seq., characterised by the significant amounts that can hit data controllers and data processors: administrative fines of up to EUR 20 million or up to 4% of total annual worldwide turnover, in addition to the criminal sanctions provided for by national legislation.

These essential principles are those of:

  • accountability: the Regulation does not precisely typify the technical and organisational measures, but expresses them only in terms of their adequacy to the risk, "taking into account the state of the art and the costs of implementation, as well as the nature, scope, context and purposes of the processing, and the risk of varying likelihood and severity for the rights and freedoms of natural persons" (Art. 32 GDPR). This is a profound innovation in that Data Controllers are given the task of deciding autonomously on the methods, guarantees and limits of personal data processing, in compliance with the legal provisions and in the light of the specific criteria set out in the Regulation. This calls for an integrated, concrete and risk-based approach, involving all corporate areas and resulting in proactive behaviour;
  • privacy by design, which requires the adoption of protection measures from the design phase of the processing;
  • privacy by default, which prescribes that, by default, only the data necessary to meet the specific purposes of data management are used.

These basic principles are reflected in the so-called "pillars" of the GDPR, namely its main operational innovations:

  1. the designation of the Data Protection Officer (DPO, Art. 37-39), understood as a fundamental figure who must combine regulatory, technical and communication skills with a deep knowledge of the company's structure and organisation;
  2. the establishment of the Register of processing activities (Art. 30 and Recital 171), which constitutes the starting point for the preparation of the entire documentary system, designed to collect the evidence, controls and processes that make it possible to satisfy the accountability of the privacy system;
  3. the data breach process (Art. 33 and 34), i.e. the notification of possible personal data breaches, which requires a careful analysis and knowledge of the information managed, but above all technological investments in the means of monitoring, securing and containing the damage that may result.

A direct corollary of the above-mentioned general principles of accountability, privacy by design and privacy by default is that full compliance with the GDPR requires personal data to be processed in accordance with the principles of lawfulness, fairness and transparency.

As in the previous legislation, processing is lawful when it is based on a legal basis which, without prejudice in any event to the obligation to provide information, may consist of one of the following:

  • consent of the data subject, which must be free, specific, informed and unambiguous, since tacit or presumed consent is not allowed: in other words, it must be manifested through an 'unambiguous statement or affirmative action'. Furthermore, for the "sensitive" data referred to in Article 9, it must also be "explicit", though not necessarily "documented in writing" or given in "written form", although this modality is the most suitable to demonstrate that it was given, that it is unequivocal and that it is "explicit";
  • fulfilment of contractual obligations, i.e. the processing is necessary for the performance of a contract to which the data subject is party or for the implementation of pre-contractual measures taken at the request of the data subject;
  • legal obligations to which the data controller is subject, in which case the purpose is specified by law;
  • vital interests of the data subject or of third parties, i.e. where processing is necessary to protect the vital interests of the data subject or of another natural person; this can, however, be used as a legal basis only if none of the other conditions for lawfulness can be applied in practice;
  • prevailing legitimate interests of the controller or of third parties to whom the data are disclosed, i.e. where processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that the interests or the fundamental rights and freedoms of the data subject which require the protection of personal data do not prevail, in particular where the data subject is a child;
  • public interest or exercise of public authority, i.e. where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller (by State or Union law); in that case too, the purpose must be specified by law.

The processing of personal data is correct if transparent towards the data subjects, i.e. personal data must be processed for specified, explicit and legitimate purposes, and without any impropriety or deception towards the data subjects (i.e. confused or partial information is prohibited). Transparency is not only a fundamental principle of data processing, but also a real right of the data subject, i.e. the way in which data are collected and used must be transparent and correct.

Data subjects must be informed about the purposes of the processing, the modalities of the processing and the address of the controller before the processing is carried out. The modalities of the processing must be made explicit in a comprehensible manner, so that data subjects are able to understand what will happen to their data.

The data subject must have at his disposal an effective and accessible procedure to enable him to obtain access to his data within a reasonable time, and thus to know whether and which data are held by the data controller.

Any concealed or secret processing must therefore be considered unlawful. Data controllers and data processors must guarantee the data subjects that the data will be processed lawfully and fairly and in such a way as to comply as far as possible with the wishes of the data subjects.

  2. OBJECTIVE AND STRUCTURE OF THE MODEL

The objective of this Organisational Privacy Model is to guarantee and demonstrate that the processing of personal data by GLOBALTECH SOLUTIONS SAGL takes place in a lawful, correct and transparent manner according to the definition given above. This is to be achieved through a well-structured internal management system that promotes a culture of privacy and security of personal data, consolidating the behavioural principles suitable to guarantee the transparency, security and correctness of the processing and increasing the Company's reliability towards its shareholders, customers, partners, consultants and employees.

A further consequence is the avoidance of the pecuniary administrative sanctions referred to in Article 83 GDPR, as well as of the criminal sanctions provided for by national legislation insofar as they remain in force, since by adopting this Model the Company is able to demonstrate the concrete, efficient and effective implementation of appropriate technical and organisational measures for the protection of the personal data it processes, either directly or through third parties acting on its behalf.

This Organisational Model is made up of ten sections aimed at providing an overview of the overall system of technical and organisational measures which, on the basis of the concrete systematic and operational requirements of GLOBALTECH SOLUTIONS SAGL, are considered appropriate. It contains the principles, organisational rules and control tools that guarantee the lawful, correct and transparent processing of personal data.

In particular:

  • Section 1, containing some general remarks on the principles underlying the GDPR;
  • Section 2, illustrating the structure of this Model;
  • Section 3, dedicated to the company policy, that is to say the exposition of the general principles of conduct adopted by GLOBALTECH SOLUTIONS SAGL in the processing of personal data in relation to their type;
  • Section 4, illustrating the privacy figures involved;
  • Section 5, dedicated to explaining the findings of the risk assessment;
  • Section 6, containing a list of the company's databases and an explanation of how the data are stored;
  • Section 7, in-depth analysis of the methods and tools used to process data, including from a spatial perspective;
  • Section 8, concerning the security measures adopted to protect against the risks noted above;
  • Section 9, containing brief remarks on the institutions of information and consent as valid legal bases for the legitimacy of processing.

  3. COMPANY POLICY

In pursuit of its purpose, GLOBALTECH SOLUTIONS SAGL carries out the activities described below:

  • the provision of services in the field of online marketing;
  • the sale of online advertising space;
  • the sale of digital content such as video courses/advice on marketing and entrepreneurship;
  • the exercise of e-commerce activity as an intermediary in online commerce;
  • the examination of the specific situation of each client in order to formulate an offer tailored to the needs of the individual user;
  • the company may engage in any activity which is additional to, similar to or related to the achievement of the corporate purposes.

In carrying out these activities, GLOBALTECH SOLUTIONS SAGL handles different types of personal data, namely:

  1. personal data in the strict sense referring to legal representatives of companies supplying goods and services as well as professionals and external consultants;
  2. bank details of customers and suppliers.

In keeping with the GDPR's perspective of accountability and risk, it is of primary importance, logically before legally, to perceive correctly the 'weight' of personal data: not all personal data are the same and, therefore, not all of them must be protected in the same way. For example, health data are more delicate than others and, consequently, GLOBALTECH SOLUTIONS SAGL, as Data Controller, has designed and applied a more robust protection system for them.

In this respect, data encryption and pseudonymisation play a crucial role. These two security measures are especially valuable in the event of an attack on the archives, a data breach, the loss or theft of devices or other unintentional leakage of information, and they are applied both where processing is carried out with paper-based tools and where it uses IT tools.

The legal basis for the processing of such data by GLOBALTECH SOLUTIONS SAGL is:

  • the fulfilment of contractual and pre-contractual obligations to which GLOBALTECH SOLUTIONS SAGL is a party;
  • the fulfilment of its legal obligations;
  • for administrative and accounting purposes;
  • legitimate interest of the Controller.

Each function of GLOBALTECH SOLUTIONS SAGL processes the personal data listed above only within the scope of its competence.

When managed in paper form, all documents are kept in locked cabinets and/or filing cabinets within the Company's premises, which are also locked. Precise instructions are given to those in charge on how to handle data and paper files, in particular the electronic duplication by scanning of paper documents, in order to prevent their accidental total destruction, and the pseudonymisation of the documents when they are archived.

When handled in electronic form, data and related documents are processed using personal computers, both fixed and portable, as well as smartphones. The IT devices are all protected by two passwords: the first is required when switching on the terminal and the second for access to the management IT platforms. Both passwords are known only to the person in charge of the IT device and to the system administrator. If a PC other than their own is used, the person in charge must in any case reconnect to the network with their own credentials. All electronic data management is handled autonomously by the Data Controller, thus avoiding the risks associated with outsourcing, and this guarantees maximum technical capacity and attention to correct and protected data management.

All access credentials are kept with the utmost care and, in the event of their theft or loss, the Data Protection Officer, designated in accordance with Article 37 of EU Regulation 679/2016, shall be immediately involved and shall, without delay, request the immediate intervention of the System Administrator in order to block the stolen and/or lost credentials, verify that no unauthorised access has occurred in the meantime, and provide new authentication credentials which, at the first access, the person in charge shall change under his or her sole responsibility.

In relation to the use of accounting software and the recording of employee attendance, there is also:

  • a Data Processor relationship, as defined in Article 28 of the GDPR, governed by a contract of appointment as Data Processor, in relation to the outsourcing of IT services.

Where necessary or instrumental to the fulfilment of the specific purposes, the personal data are communicated, in addition to the internal staff of GLOBALTECH SOLUTIONS SAGL, to recipients appointed pursuant to Art. 28 GDPR, who process them in their capacity as Data Processors and/or as natural persons acting under the authority of the Controller and the Processor, in order to comply with legal obligations, contracts or related purposes.

Specifically, the data may be communicated to recipients belonging to the following categories:

  • Partner companies or joint controllers of personal data;
  • Subjects who provide services for the management of the information system and communication networks of GLOBALTECH SOLUTIONS SAGL, including electronic mail;
  • Professional firms or companies in the context of assistance and consultancy relationships;
  • Competent authorities for the fulfilment of legal obligations and/or provisions of public bodies, upon request;
  • Credit institutions and insurance companies.

The list of designated data processors is constantly updated and available at the Company's registered office and on its computer portals. In no case will the data collected by GLOBALTECH SOLUTIONS SAGL be subject to dissemination and/or transfer abroad, either within or outside the European Union, except for what is strictly necessary to allow the fulfilment of the contractual relationship envisaged by the online marketing activity.

In compliance with Article 5(1)(e) of the GDPR, personal data are stored in a form that allows the identification of the data subject for no longer than is necessary for the purposes for which the data are processed, or within the time limits provided for by law. Verification of the obsolescence of the stored data in relation to the purposes for which they were collected is carried out periodically, under the supervision of the Data Protection Officer.

  4. OWNERSHIP AND RESPONSIBILITY FOR PERSONAL DATA PROCESSING

The figures and functions involved in GLOBALTECH SOLUTIONS SAGL in the activities of protection of individuals with regard to the processing of personal data are:

DATA CONTROLLER

As a rule, it is the company GLOBALTECH SOLUTIONS SAGL itself that performs this function and which, consequently, bears all the obligations and responsibilities that Italian and European law impose on it; first and foremost, the obligation to put in place, review and update the appropriate technical and organisational measures to ensure, and be able to demonstrate, that the processing is carried out in accordance with the GDPR.

With regard to the liability regime, GLOBALTECH SOLUTIONS SAGL is liable as Controller, on an exclusive basis, for material or immaterial damage caused to any data subject by a breach of the GDPR, unless it proves that the damaging event is in no way attributable to the Company. In addition, GLOBALTECH SOLUTIONS SAGL shall be liable for the administrative fines imposed by the Supervisory Authority, the maximum amount of which under the GDPR for the most serious violations is EUR 20 million or up to 4% of total annual turnover.

DATA PROCESSOR

Article 28 of the GDPR defines the Data Processor as the entity that processes personal data on behalf of the Controller, providing sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of the GDPR and ensures the protection of the rights of the data subject.

Insofar as it is not prohibited, and in order to guarantee the effective application and supervision of the GDPR rules, in keeping with a prudential approach aimed at maximum compliance, GLOBALTECH SOLUTIONS SAGL assumes the role of Data Processor in those situations in which it acts as an intermediary in e-commerce.

The internal processors identified are the contact persons of the following functions:

  • purchasing and contracting;
  • administration, finance, human resources, general services and information systems.

Similarly, the contract appointing "external" Data Processors takes the form of an addendum to existing contracts and is integrated into the contractual text for new contracts, without prejudice to the periodic review by the Data Protection Officer of the facsimile models of the relevant contracts of appointment, attached to this Organisational Model.

As regards the liability regime, Data Processors shall be liable for the damage caused by the processing only if they have failed to comply with the GDPR obligations specifically addressed to them, or if they have acted in a manner inconsistent with or contrary to the lawful instructions of the Data Controller GLOBALTECH SOLUTIONS SAGL.

They are also exempt from liability for damages if they prove that the damaging event is in no way attributable to them. They shall likewise be liable for the pecuniary administrative sanctions imposed by the Supervisory Authority under the same terms and conditions as the Data Controller.

  5. RISK ASSESSMENT

In order to implement the actions aimed at adapting to the new EU Regulation 679/2016 on personal data, a survey was carried out of the current organisation and documentation on privacy and technical measures used.

In particular, with the help of external consultants, the main organisational and procedural documentation was examined; in the light of this analysis, a specific questionnaire was prepared to identify the main risks of non-compliance with EU Regulation 679/2016.

This questionnaire was used as a benchmark during the audit.

On the basis of the information and evaluations reported, as well as the existing measures to mitigate the identified risks, an assessment was made of the probability of each risk, the economic impact that could derive from it, and the level of detectability of the risk in relation to the preventive controls carried out.

For the assessment of these risks, a 5-level value scale was used:

With regard to the assessment of risk detectability, the main elements considered relate to:

  • comprehensive and formalised procedures;
  • appropriate controls and traceability;
  • defined organisational responsibilities.

The risk analysis was of a self-assessment type, supported by a critical review of the evaluations expressed, carried out by external consultants, whose contribution made it possible to produce an analysis as close as possible to the Company's actual situation.

For each risk, a risk ranking (RPI) was identified, calculated using the following variables:

- Gross risk: the average of the probability of the risk and the economic impact that may derive from it;

- Net residual risk: the gross risk net of the risk detection level.

In order to summarise the results of the Risk Assessment carried out, a Risk Matrix has been drawn up, showing the risk assessments to which each corporate function of reference is exposed.

The colour of each cell is a function of the Gross/Net Residual Risk assessment, according to a scale of values from 1 to 5.

On the basis of the possible risks identified and the assessments carried out, the list of risks and their assessment is given below:

A total of 27 risks were mapped, resulting in an overall very low net risk.
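As an added illustration (not part of the Model and not a tool the Company uses), the following Python code applies the ranking described above to a handful of constructed risks: probability and impact are averaged into a gross risk, the detectability level is subtracted to obtain the net residual risk, and the results are collected per corporate function as the Risk Matrix does. The sample risks, the band thresholds, and the floor of 1 applied when detectability exceeds gross risk are all assumptions; the Model only states the five-level scale and the two formulas.

```python
from dataclasses import dataclass
from statistics import mean

SCALE_MIN, SCALE_MAX = 1, 5  # five-level value scale stated in the Model


@dataclass(frozen=True)
class Risk:
    name: str
    function: str       # corporate function of reference (Risk Matrix row)
    probability: int    # 1 (remote) .. 5 (almost certain)       -- assumed orientation
    impact: int         # 1 (negligible) .. 5 (severe economic)  -- assumed orientation
    detectability: int  # 1 (no controls) .. 5 (formalised, traced, owned)

    def __post_init__(self):
        # Reject scores outside the five-level scale before they distort the ranking.
        for label, value in (("probability", self.probability),
                             ("impact", self.impact),
                             ("detectability", self.detectability)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.name}: {label}={value} is outside {SCALE_MIN}..{SCALE_MAX}")


def gross_risk(risk: Risk) -> float:
    """Gross risk: average of probability and economic impact (as in the Model)."""
    return mean((risk.probability, risk.impact))


def net_residual_risk(risk: Risk) -> float:
    """Net residual risk: gross risk net of the detection level.

    The subtraction as stated can fall below the scale floor (e.g. gross 3, detectability 5),
    so the result is clamped to SCALE_MIN. This clamp is an assumption; note also that with
    this formula a risk can never reach net 5, since detectability is at least 1.
    """
    return max(SCALE_MIN, gross_risk(risk) - risk.detectability)


# Assumed band thresholds for the colour of a Risk Matrix cell on the 1..5 scale.
BANDS = ((1.5, "very low"), (2.5, "low"), (3.5, "medium"), (4.5, "high"))


def band(score: float) -> str:
    for upper, label in BANDS:
        if score <= upper:
            return label
    return "very high"


def risk_matrix(risks: list[Risk]) -> dict[str, float]:
    """Worst (highest) net residual risk per corporate function: one matrix cell per function."""
    matrix: dict[str, float] = {}
    for r in risks:
        net = net_residual_risk(r)
        matrix[r.function] = max(net, matrix.get(r.function, SCALE_MIN))
    return matrix


def overall_net_risk(risks: list[Risk]) -> float:
    """Mean net residual risk across all mapped risks (an assumed way to read 'overall' net risk)."""
    return mean(net_residual_risk(r) for r in risks)


# Constructed sample risks; names and scores are illustrative, not from the Model's 27 risks.
SAMPLE_RISKS = [
    Risk("Unauthorised entry to server room", "Administration", probability=2, impact=4, detectability=5),
    Risk("Paper archive destroyed by fire", "Administration", probability=1, impact=5, detectability=3),
    Risk("Processor acts outside instructions", "Management", probability=2, impact=3, detectability=2),
    Risk("Removable media with personal data lost", "Secretariat", probability=3, impact=3, detectability=1),
    Risk("New form issued without privacy notice", "Secretariat", probability=4, impact=2, detectability=2),
]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(f"{r.name:42s} gross={gross_risk(r):.1f} net={net_residual_risk(r):.1f} ({band(net_residual_risk(r))})")
    print("matrix:", risk_matrix(SAMPLE_RISKS))
    print("overall:", band(overall_net_risk(SAMPLE_RISKS)))
```

The point worth checking in practice is the one the comments flag: because detectability is subtracted outright, a risk with gross 5 and no controls at all lands at net 4, and a strong control (detectability 5) erases even a gross risk of 5 entirely. Anyone reusing a ranking of this shape should decide explicitly whether that is the intended behaviour before reading "very low" off the matrix.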

The risk analysis activity also assessed the need to carry out an impact assessment with regard to data processing that 'is likely to present a high risk to the rights and freedoms of natural persons'.

The analysis carried out did not reveal the need for a detailed impact assessment (so-called DPIA) in the strict sense, since none of the conditions set out in paragraph 1 and in letters a), b) and c) of paragraph 3 of Article 35 GDPR were found: GLOBALTECH SOLUTIONS SAGL does not in fact make use of new technologies to carry out types of processing that present a high risk to the rights and freedoms of natural persons, nor does it carry out a systematic and extensive evaluation of personal aspects of natural persons based on automated processing.

Should any of the above-mentioned conditions arise over time, the analysis and assessment of such risks will be carried out again, with the cooperation of the DPO, and the need to carry out an impact assessment in the technical sense will be assessed.

 

  1. COMPANY DATABASES AND ARCHIVING METHODS

The IT infrastructure of GLOBALTECH SOLUTIONS SAGL is managed in-house by the Data Controller. The management of the databases, and consequently of the personal data they contain, is likewise entrusted to the Data Controller, who bears the full burden of training and technological adaptation connected with them.

According to the authorisation profile assigned, the System Administrator operates on the IT infrastructure residing at the offices of 6900, Lugano (TI), Via Zurigo n. 35.  

The following table shows the databases managed and a description of their areas of operation:     

  1. PROCESSING AREAS, PREMISES, TOOLS

Data processing is carried out, in accordance with the procedures set out below, both at the registered office and operational headquarters, located in 6900, Lugano (TI), Via Zurigo n. 35, and in all operational offices that will open in the future.

Access to the building in which the Company's premises are located is also open to the public, through a single entrance at the same address that is under uninterrupted surveillance. No unauthorised access is allowed, and no access is allowed at night.

The rooms and premises in which management secretarial and administrative activities are carried out are reserved; access to these premises is subject to uninterrupted surveillance, during working hours and office opening hours, and is allowed only to authorised persons. The server room is located within the premises delegated to administrative activity, with access restricted to authorised persons; the entrance is locked. The equipment it contains has been found to comply with safety regulations.

Paper media, including those containing images, are kept in archives located at the headquarters, in the respective offices, in locked cabinets or rooms to which only authorised persons have access. These archives hold both documents in common and continuous use and those that have reached the end of their operational cycle. All documents are filed by protocol number; it has been recommended that they be scanned and that an electronic archive be set up.

With reference to the tools used and the types of data processed, it should be noted that:

  • Common data are systematically processed both on paper and by electronic means;
  • The computers are networked with one another and have an Internet connection that is filtered by anti-intrusion systems (firewalls).

The following table summarises the structure responsible for data processing and its description:

  1. SECURITY MEASURES TAKEN

In the light of the risk factors and areas identified in this Model, measures are described to ensure:

- protection of the areas and premises where personal data are processed;

- the proper storage and safekeeping of acts, documents and media containing personal data;

- logical security, in the context of electronic instruments.

As regards the risk of data being damaged or lost as a result of destructive events, the premises where data processing takes place are protected by:

- fire-fighting equipment as required by current legislation;

- uninterruptible power supply unit;

- air-conditioning system.

The following measures are in place and operational for processing by electronic means:

  • implementation and management of a computer authentication system to ascertain the identity of persons who have access to electronic tools (access profiles for the network and for application and management software);
  • the company's policies guarantee the security of all circulating data, through the control of authorisations and the definition of the types of data that those in charge can access and use according to their work tasks;
  • protection of tools and data from malfunctions and cyber attacks through centralised firewalls and antivirus software;
  • prescription of appropriate precautions for the storage and use of removable media containing personal data.

The following sheets show what measures have been taken to protect IT tools from the identified risks:

  1. INFORMATION AND CONSENT

The obligation to provide information is the main obligation imposed by the GDPR on the data controller, whose failure to do so, moreover, is sanctioned with the most severe penalties.

GLOBALTECH SOLUTIONS SAGL fulfils this obligation by making available to the persons concerned a privacy policy statement which, besides fully complying in its contents with the provisions of art. 13 GDPR, is also detailed beyond what is strictly necessary, having provided, alongside general information valid for every person concerned, also specific information diversified according to the categories of addressees. This is in order to ensure and guarantee that each data subject can actually benefit from a complete information framework.

In order for GLOBALTECH SOLUTIONS SAGL to achieve its goal of being fully GDPR-compliant , it must also comply with the lawfulness of data processing, i.e. with the assumption that all processing must be based on an appropriate legal basis.

The legal bases on which the lawfulness of processing rests are set out in Article 6 GDPR and roughly coincide with those already provided for in the Privacy Code: express consent, performance of contractual obligations, and legal obligations to which the Controller is subject. The direct consequence is that obtaining and managing consent is not mandatory for every personal data processing activity, consent being only one of several tools for legitimising processing.

Among the legal bases for the processing of data recognised by the GDPR and suitable for founding the processing of data by GLOBALTECH SOLUTIONS SAGL are:

1) legal obligations and legal compliance, which represents the strictest and most precise, yet optimal, basis for data processing, as it implies the existence of at least one legal provision requiring, and thereby justifying, the processing;

2) contractual fulfilment, whether indispensable to perform the existing contract with the data subject or to enter into a new contract, with the specification that in relation to pre-contractual measures the start of the processing phases must be carried out on the initiative of the data subject;

3) Legitimate interests, which, although ambiguous, offers the possibility of developing a justification for the processing of data avoiding the management of data subjects' consent, but which is only valid in situations where the interests, rights or freedoms of the data subjects do not prevail over the interests of the Controller;

4) the consent of the data subject, which must reflect the discretionary action of the data subject, expressed through a structured and unambiguous affirmative response, freely given, to the processing of his or her personal data.

Also in this context, going beyond what is strictly necessary, GLOBALTECH SOLUTIONS SAGL has prepared differentiated consent templates according to the category of data subjects and the specific purposes for which consent is given, so that consent is as informed and conscious as possible.

This Privacy Organisation Model is subject to annual verification and possible updating.

The model was updated in December 2021.