This Model brings together the technical and organisational measures that GLOBALTECH SOLUTIONS SAGL, in its capacity as Data Controller of your personal data, implements to ensure, and to be able to demonstrate, compliance with EU Regulation 2016/679 for the processing of personal data of natural persons, European citizens and residents of the European Union, which the Company carries out directly or which third parties carry out on its behalf. The Regulation of April 27, 2016, the so-called "General Data Protection Regulation" (hereinafter referred to briefly as "GDPR"), published in the Official Journal of the European Union on May 4, 2016, became definitively operational and directly applicable in all member countries of the European Union as of May 25, 2018. It pursues the goal of strengthening the protection of personal data of natural persons, both within and outside European borders, thus regardless of the principle of territoriality, by harmonising the privacy rules of all member states. Together with EU Directive 2016/680 of the same day, which concerns only the processing of personal data in the context of crime suppression, this Regulation constitutes the so-called "personal data protection package".
The adoption of appropriate technical and organisational measures is imposed by Articles 24 et seq. of the GDPR, under which internal policies and measures to be implemented to satisfy the principles of data protection by design and data protection by default, must take into account, in concrete terms, the nature, scope, context and purposes of processing, as well as the risk to the rights and freedoms of natural persons.
In order to comply with this requirement, the drafting of this Model therefore required the prior execution of a careful and critical auditing activity, which allowed the examination of the individual company situation and of the impact assessment on the protection of personal data.
For the purposes of the GDPR, and in relation to the concepts specifically involved in the processing activities carried out, directly and indirectly, by GLOBALTECH SOLUTIONS SAGL, the following terms are understood, pursuant to Art. 4 GDPR, as:
(1) 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, by reference in particular to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity;
(2) 'processing' means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
(3) 'restriction of processing' means the marking of stored personal data with the aim of limiting their processing in the future;
(4) 'profiling' means any form of automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects of that person's professional performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
(5) 'pseudonymisation' means the processing of personal data in such a way that personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and subject to technical and organisational measures to ensure that such personal data cannot be attributed to an identified or identifiable natural person;
(6) 'filing system' means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
(7) 'controller' means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria applicable to its designation may be established by Union or Member State law;
(8) 'processor' means the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
(9) 'recipient' means a natural or legal person, public authority, agency or other body that receives communication of personal data, whether a third party or not. However, public authorities which may receive communication of personal data in the framework of a specific investigation in accordance with Union or Member State law shall not be regarded as recipients; the processing of such data by those public authorities shall be in accordance with the applicable data protection rules according to the purposes of the processing;
(10) 'third party' means any natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or processor, are authorised to process personal data;
(11) 'the data subject's consent' means any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject signifies his or her agreement, by way of a statement or an unambiguous affirmative action, to personal data relating to him or her being processed;
(12) 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
(13) 'genetic data' means personal data relating to inherited or acquired genetic characteristics of a natural person which provide unambiguous information about the physiology or health of that natural person, and which result in particular from the analysis of a biological sample from that natural person;
(14) 'biometric data' means personal data obtained by specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person which enable or confirm their unambiguous identification, such as facial image or dactyloscopic data;
(15) 'health data' means personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information relating to his or her state of health;
(16) 'main establishment' means
(17) 'representative' means the natural or legal person established in the Union who, designated by the controller or the processor in writing pursuant to Article 27, represents them in relation to their respective obligations under this Regulation;
(18) 'undertaking' means any natural or legal person, regardless of its legal form, engaged in an economic activity, including partnerships or associations regularly engaged in an economic activity;
(19) 'group of undertakings' means a group consisting of a parent undertaking and its controlled undertakings;
(20) 'binding corporate rules' means the personal data protection policies applied by a controller or processor established on the territory of a Member State to the transfer or set of transfers of personal data to a controller or processor in one or more third countries, in the context of a corporate group or a group of undertakings carrying out a joint economic activity;
(21) 'supervisory authority' means the independent public authority established by a Member State in accordance with Article 51;
(22) 'supervisory authority concerned' means a supervisory authority concerned by the processing of personal data because:
(23) 'cross-border processing':
(24) 'relevant and reasoned objection' means an objection to the draft decision as to whether or not there is an infringement of this Regulation, or whether or not the envisaged action in relation to the controller or processor complies with this Regulation, which objection clearly demonstrates the significance of the risks posed by the draft decision with regard to the fundamental rights and freedoms of data subjects and, where applicable, the free movement of personal data within the Union;
(25) 'information society service' means a service as defined in Article 1(1)(b) of Directive (EU) 2015/1535 of the European Parliament and of the Council;
(26) 'international organisation' means an organisation and its subordinate bodies governed by public international law or any other body established by or on the basis of an agreement between two or more States.
As mentioned, as of 25 May 2018 the GDPR became binding in all its elements and directly applicable in each of the Member States; at the same time, Directive 95/46/EC, which until then governed data processing at Community level, was repealed.
At national level, the Privacy Code introduced by Legislative Decree No. 196/2003, which transposed the above-mentioned directive and the e-privacy directive (Directive 58/2002/EC), is currently in force in our country.
Although the Regulation takes precedence over domestic national law, the GDPR does not entail the automatic repeal of the state law governing the same matter, but rather the disapplication of those provisions of domestic law that conflict with the new European provisions, in favour of the new rules.
Moreover, recital 10 of the GDPR expressly provides for 'a margin of manoeuvre for the Member States to specify the rules, also with regard to the processing of special categories of personal data'.
The GDPR rests on three guiding principles which permeate and support the entire regulatory framework. Compliance with them is protected by a system of sanctions, outlined in Articles 83 et seq., characterised by the substantial amounts that may be imposed on data controllers and data processors: administrative fines of up to €20 million or up to 4% of total annual worldwide turnover, in addition to the criminal sanctions provided for by national legislation.
These essential principles are those of:
These basic inspiring principles are reflected in the so-called "pillars" of the GDPR, namely the main operational innovations, which are:
understood as a fundamental figure who must combine regulatory, technical and communication skills and a deep knowledge of the company's structure and organisation;
A direct corollary of the above-mentioned general principles of accountability, privacy by design and privacy by default is that full compliance with the GDPR requires personal data to be processed in accordance with the principles of lawfulness, fairness and transparency.
As in the previous legislation, processing is lawful when it is based on a legal basis which, without prejudice in any event to the data controller's obligation to provide information, may consist of the following:
The processing of personal data is fair if it is transparent towards the data subjects, i.e. personal data must be processed for specified, explicit and legitimate purposes, without any impropriety or deception towards the data subjects (confused or partial information is prohibited). Transparency is not only a fundamental principle of data processing but also a genuine right of the data subject: the way in which data are collected and used must be transparent and fair.
Data subjects must be informed about the purposes of the processing, the methods of the processing and the address of the controller before the processing is carried out. The methods of the processing must be made explicit in a comprehensible manner, so that data subjects are able to understand what will happen to their data.
The data subject must have at his disposal an effective and accessible procedure to enable him to obtain access to his data within a reasonable time, and thus to know whether and which data are held by the data controller.
Any concealed or secret processing must therefore be considered unlawful. Data controllers and data processors must guarantee the data subjects that the data will be processed lawfully and fairly and in such a way as to comply as far as possible with the wishes of the data subjects.
The objective of this Privacy Organisational Model is to guarantee and demonstrate that the processing of personal data by GLOBALTECH SOLUTIONS SAGL takes place in a lawful, fair and transparent manner according to the definition given above. This is to be achieved through a well-structured internal management system that promotes a culture of privacy and security of personal data, consolidating the behavioural principles suited to guaranteeing the transparency, security and fairness of the processing and increasing the Company's reliability towards its shareholders, customers, partners, consultants and employees.
A further consequence is the avoidance of the pecuniary administrative sanctions referred to in Article 83 GDPR, as well as the criminal sanctions referred to in national legislation insofar as they are still in force, since by adopting this Model the Company is able to demonstrate the concrete, efficient and effective implementation of appropriate technical and organisational measures for the protection of the personal data it processes, either directly or through third parties acting on its behalf.
This Organisational Model is made up of ten sections aimed at providing an overview of the overall system of technical and organisational measures which, on the basis of the concrete systematic and operational requirements of GLOBALTECH SOLUTIONS SAGL, are considered appropriate. It contains the principles, organisational rules and control tools needed to guarantee the lawful, fair and transparent processing of personal data.
In pursuit of its purpose, GLOBALTECH SOLUTIONS SAGL carries out the activities described below:
In carrying out these activities, GLOBALTECH SOLUTIONS SAGL handles different types of personal data, namely:
In keeping with the GDPR's view of accountability and risk, of primary importance - logical before legal - is the correct perception of the 'weight' of personal data: not all personal data are the same and, therefore, not all of them must be protected in the same way. For example, health data are more sensitive than others and, consequently, GLOBALTECH SOLUTIONS SAGL, as Data Controller, has designed and applied a more robust protection system for them.
In this respect, data encryption and pseudonymisation play a crucial role. These two security measures are especially valuable in the event of an attack on the archives, a data breach, the loss or theft of devices, or other unintentional leakage of information, and they are applied both to paper-based and to IT processing.
The legal basis for the processing of such data by GLOBALTECH SOLUTIONS SAGL is:
Each function of GLOBALTECH SOLUTIONS SAGL processes the personal data listed above only within the scope of its competence.
When managed in paper form, all documents are kept in locked cabinets and/or filing cabinets within the Company's premises, which are themselves locked. Precise instructions are given to the persons in charge on how to handle data and paper files, in particular the electronic duplication by scanning of paper documents in order to prevent their accidental total destruction, and the pseudonymisation of documents when they are archived.
When handled in electronic form, data and related documents are processed using personal computers, both fixed and portable, as well as smartphones. The IT devices are all protected by a double set of passwords: the first is required when switching on the terminal and the second for access to the management IT platforms. Both passwords are known only to the person in charge of the IT device and to the system administrator. If a PC other than his own is used, the person in charge must in any case reconnect to the network with his own credentials. All electronic data management is handled autonomously by the data controller, thus avoiding the risks associated with outsourcing, and guarantees maximum technical capacity and attention to correct and protected data management.
All access credentials are kept with the utmost care. In the event of their theft or loss, the Data Protection Officer, designated in accordance with Article 37 of EU Regulation 679/2016, shall be involved immediately and shall, without delay, request the immediate intervention of the System Administrator in order to block the stolen and/or lost credentials, verify that no unauthorised access has occurred in the meantime, and provide new authentication credentials which, at first access, shall be changed by the person in charge under his sole responsibility.
In relation to the use of accounting software and the recording of employee attendance, there is also:
- a data processor relationship, as defined in Article 28 of the GDPR, governed by a contract of appointment as Data Processor, in relation to the outsourcing of IT services.
If it is necessary or instrumental to the fulfilment of the specific purposes, the personal data are communicated, in addition to the internal staff of GLOBALTECH SOLUTIONS SAGL, to recipients appointed pursuant to art. 28 GDPR, who process them in their capacity as Data Processors and/or as natural persons acting under the authority of the Controller and the Processor, in order to comply with legal obligations, contracts or related purposes.
Specifically, the data may be communicated to recipients belonging to the following categories:
The list of designated data processors is constantly updated and available at the Company's registered office and on its computer portals. In no case will the data collected by GLOBALTECH SOLUTIONS SAGL be subject to dissemination and/or transfer abroad, either within or outside the European Union, except for what is strictly necessary to allow the fulfilment of the contractual relationship envisaged by the online marketing activity.
In compliance with Article 5(1)(e) of the GDPR, personal data are stored in a form that allows the identification of the data subject for no longer than is necessary for the purposes for which the data are processed, or for the periods provided for by law. Verification of the obsolescence of the stored data in relation to the purposes for which they were collected is carried out periodically, under the supervision of the Data Protection Officer.
The figures and functions involved in GLOBALTECH SOLUTIONS SAGL in the activities of protection of individuals with regard to the processing of personal data are:
As a rule, it is the company GLOBALTECH SOLUTIONS SAGL itself that performs this function and which, consequently, bears all the obligations and responsibilities that Italian and European law imposes on it: first and foremost, the obligation to put in place, review and update the appropriate technical and organisational measures to ensure, and be able to demonstrate, that the processing it carries out complies with the GDPR.
With regard to the liability regime, GLOBALTECH SOLUTIONS SAGL is liable as controller, on an exclusive basis, for material or immaterial damage caused to any data subject by a breach of the GDPR, unless it proves that the damaging event is in no way attributable to the Company. In addition, GLOBALTECH SOLUTIONS SAGL shall be liable for the administrative fines imposed by the Supervisory Authority, the maximum amount of which under the GDPR for the most serious violations is EUR 20 million or up to 4% of total annual turnover.
Article 28 of the GDPR defines the Data Processor as the entity that carries out processing of personal data on behalf of the Controller, providing sufficient guarantees to implement appropriate technical and organisational measures so that the processing operations meet the requirements of the GDPR and ensure the protection of the rights of the data subject.
Insofar as it is not forbidden, and in order to guarantee the effective application and supervision of the GDPR, in line with a prudential approach aimed at maximum compliance, GLOBALTECH SOLUTIONS SAGL assumes the role of data processor in those situations in which it carries out activities as an intermediary in e-commerce.
The internal processors identified are the contact persons of the following functions:
- purchasing and contracting;
- administration, finance, human resources, general services and information systems.
Similarly, the contract for the appointment of "external" Data Processors takes the form of an addendum to existing contracts and is integrated into the contractual text for new contracts, without prejudice to the periodic review by the Data Protection Officer of the template contracts of appointment attached to this Organisational Model.
As regards the liability regime, data processors shall be liable for the damage caused by the processing only if they have failed to comply with the GDPR obligations specifically addressed to them, or if they have acted in a manner inconsistent with or contrary to the lawful instructions of the Data Controller GLOBALTECH SOLUTIONS SAGL. They are also exempt from liability for damages if they prove that the damaging event is in no way attributable to them. They shall likewise be liable for the pecuniary administrative sanctions imposed by the Supervisory Authority under the same terms and conditions as the Data Controller.
In order to implement the actions aimed at adapting to the new EU Regulation 679/2016 on personal data, a survey was carried out of the current organisation and documentation on privacy and technical measures used.
In particular, with the help of external consultants, the main organisational and procedural documentation was examined; in the light of this analysis, a specific questionnaire was prepared to identify the main risks of non-compliance with EU Regulation 679/2016.
This questionnaire was used as a benchmark during the audit.
On the basis of the information and evaluations reported, as well as the existing measures to mitigate the identified risks, an assessment was made of the probability of each risk, the economic impact that could derive from it, and the level of detectability of the risk in relation to the preventive controls carried out.
For the assessment of these risks, a 5-level value scale was used:
With regard to the assessment of risk detectability, the main elements considered relate to:
- comprehensive and formalised procedures;
- appropriate controls and traceability;
- defined organisational responsibilities.
The risk analysis carried out was of a self-assessment type, supported by a critical analysis of the evaluations expressed, carried out by external consultants, whose contribution made it possible to perform an analysis as close as possible to the company's reality.
For each risk, a risk ranking (RPI) was identified, calculated using the following variables:
- Gross risk: the average of the probability of the risk and the economic impact that may derive from it;
- Net residual risk: gross risk net of the risk detection level.
In order to summarise the results of the Risk Assessment carried out, a Risk Matrix has been drawn up, showing the risk assessments to which each corporate function of reference is exposed.
The colour of each cell is a function of the Gross/Net Residual Risk assessment, according to a scale of values from 1 to 5.
On the basis of the possible risks identified and the assessments carried out, the list of risks and their assessment is given below:
A total of 27 risks were mapped, resulting in an overall very low net risk.
The risk analysis activity also assessed the need to carry out an impact assessment with regard to data processing that 'is likely to present a high risk to the rights and freedoms of natural persons'.
The analysis carried out did not reveal the need to carry out a detailed impact assessment (so-called DPIA) in the strict sense of the term, since none of the conditions set out in paragraph 1 and letters a), b) and c) of paragraph 2 of Article 25 of the GDPR were found: GLOBALTECH SOLUTIONS SAGL does not in fact use new technologies to carry out types of processing characterised by a high risk to the rights and freedoms of natural persons, nor does it carry out systematic and extensive evaluation of personal aspects of natural persons based on automated processing.
Should any of the above-mentioned conditions arise over time, the analysis and assessment of such risks will be carried out again, with the cooperation of the DPO, and the need to carry out an impact assessment in the technical sense will be assessed.
The IT infrastructure of GLOBALTECH SOLUTIONS SAGL is managed autonomously by the data controller. The management of the databases and, consequently, of the personal data contained therein, is entrusted to the same data controller, who bears the entire burden of training and technological adaptation connected with them.
According to the authorisation profile assigned, the System Administrator operates on the IT infrastructure residing at the offices of 6900, Lugano (TI), Via Zurigo n. 35.
The following table shows the databases managed and a description of their areas of operation:
Data processing is carried out, in accordance with the procedures set out below, both at the registered office and operational headquarters, located in 6900, Lugano (TI), Via Zurigo n. 35, and in all operational offices that will open in the future.
Access to the building where the Company's premises are located is also permitted to the public and takes place via a single entrance, located at the same address, which is under uninterrupted surveillance. No access is allowed without authorisation or at night.
The rooms and premises in which management, secretarial and administrative activities are carried out are reserved; access to these premises is under uninterrupted surveillance during working hours and office opening hours, and is allowed only to authorised persons. The server room is located within the premises dedicated to administrative activity, with access restricted to authorised persons; the entrance is locked. The equipment it contains has been found to comply with safety regulations.
Paper media, including those containing images, are collected in files located at the headquarters, in the respective offices, and placed in locked cabinets or rooms to which only authorised persons have access. These archives store documents in common and continuous use, as well as those that have reached the end of their operational cycle. All documents are archived by protocol number; it has been recommended that they be scanned and that a computer archive be set up.
With reference to the tools used and the types of data processed, it should be noted that:
The following table summarises the structure responsible for data processing and its description:
In the light of the risk factors and areas identified in this Model, measures are described to ensure:
- protection of the areas and premises where personal data are processed;
- the proper storage and safekeeping of acts, documents and media containing personal data;
- logical security, in the context of electronic instruments.
As regards the risk of data being damaged or lost as a result of destructive events, the premises where data processing takes place are protected by:
- fire-fighting equipment as required by current legislation;
- uninterruptible power supply unit;
- air-conditioning system.
The following measures are in place and operational for processing by electronic means:
The following sheets show what measures have been taken to protect IT tools from the identified risks:
The obligation to provide information is the main obligation imposed by the GDPR on the data controller, and failure to comply with it is, moreover, sanctioned with the most severe penalties.
In order for GLOBALTECH SOLUTIONS SAGL to achieve its goal of being fully GDPR-compliant, it must also comply with the principle of lawfulness of data processing, i.e. the requirement that all processing be based on an appropriate legal basis.
The legal bases on which the lawfulness of the processing rests are indicated in Article 6 GDPR and roughly coincide with those currently provided for in the Privacy Code: express consent, fulfilment of contractual obligations, and legal obligations to which the Controller is subject. The direct consequence is that obtaining and managing consent is not mandatory for all personal data processing activities, since consent is only one of the many tools for legitimising processing.
Among the legal bases for the processing of data recognised by the GDPR and suitable for founding the processing of data by GLOBALTECH SOLUTIONS SAGL are:
1) legal obligations and legal compliance, which represents the strictest, most precise, yet optimal basis for data processing, implying the existence of at least one legal provision requiring, and justifying, the processing of data;
2) contractual fulfilment, whether indispensable to perform the existing contract with the data subject or to enter into a new contract, with the specification that in relation to pre-contractual measures the start of the processing phases must be carried out on the initiative of the data subject;
3) legitimate interests, which, although ambiguous, offers the possibility of justifying the processing of data without managing the data subjects' consent, but which is only valid in situations where the interests, rights or freedoms of the data subjects do not prevail over the interests of the Controller;
4) the consent of the data subject, which must reflect the discretionary action of the data subject by means of a structured and unambiguous positive response, freely given, to the processing of his or her personal data.
Also in this context, going beyond what is strictly necessary, GLOBALTECH SOLUTIONS SAGL has prepared differentiated consent forms depending on the category of data subjects and on the specific purposes for which consent is given, in order to make consent as conscious and informed as possible.
This Privacy Organisation Model is subject to annual verification and possible updating.
The model was updated in December 2021.