Data Protection Policy
Purpose and scope
VIMCO SRL, hereinafter referred to as the “Organization”, is committed to complying with the applicable laws and regulations relating to the protection of personal data in the countries where it operates, in this case the European GDPR regulation.
This policy sets out the fundamental principles according to which the organization processes the personal data of customers, suppliers, business partners, employees and other individuals, and indicates the responsibilities of its services and employees in the processing of personal data.
This policy applies to the organization and its subsidiaries (directly or indirectly) that carry out their activities in Italy and the European Economic Area or process personal data of data subjects in that area.
The recipients of this procedure are all employees, temporary or permanent.
The principles of the GDPR regulation
The Data Protection Principles outline the basic responsibilities (accountability) of organizations that process personal data. “The controller is responsible for compliance with these principles and must be able to demonstrate the compliance of its processing operations with these principles.”
Lawfulness, fairness and transparency
Personal data must be processed lawfully, fairly and transparently in relation to the data subject.
Purpose limitation
Personal data must be collected for specific, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data Minimization
Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. If possible, to reduce the risks to data subjects, the organization should apply anonymization or pseudonymization to personal data.
Accuracy
Personal data must be accurate and, where necessary, kept up to date; reasonable steps must be taken to ensure that personal data that is inaccurate, in relation to the purposes for which it is processed, is erased or rectified in a timely manner.
Limitation of the retention period
Personal data must be kept for no longer than is necessary for the purposes for which the personal data are processed.
Integrity and confidentiality
Taking into account the state of technology and other available security measures, the costs of implementation, and the likelihood and severity of risks to personal data, the organization shall use appropriate technical or organizational measures to process personal data in such a way as to ensure adequate security of personal data, including protection, by means of appropriate technical and organizational measures, from unauthorized or unlawful processing and from accidental loss, destruction or damage.
Responsibility
The controller is responsible for compliance with these principles and must be able to demonstrate that its processing operations comply with these principles.
Collection
The organization should try to collect as little personal data as possible. If personal data is collected by a third party, the Owner must ensure that personal data is collected in accordance with the provisions of the law.
Use, storage and disposal
The organization must maintain the accuracy, integrity, confidentiality, and relevance of personal data according to the purpose of the processing. Appropriate security mechanisms must be used to protect personal data from theft or misuse and to prevent personal data breaches. The Owner is responsible for compliance with the requirements listed in this section.
Disclosure to third parties
Whenever the organization uses a third-party vendor or business partner to process personal data on its behalf, the Controller must ensure that this entity provides security measures adequate to the associated risks to safeguard the personal data. To verify this, a compliance questionnaire must be used.
The supplier or business partner must only process personal data to fulfil its contractual obligations to the organization or on the instructions of the organization, and not for any other purpose. When the organization processes personal data jointly with an independent third party, the organization must explicitly specify the respective responsibilities in the relevant contract or in another legally binding document, such as the Provider’s Data Processing Agreement.
Cross-border transfer of personal data
Before transferring personal data from the European Economic Area (EEA), appropriate safeguards must be used, including the signing of a data transfer agreement, as required by the European Union and, if necessary, authorisation from the data protection authority must be obtained. The entity receiving the personal data must comply with the principles of personal data processing set out in the Cross-Border Data Transfer Procedure.
Rights of access of data subjects
When acting as a data controller, the organization is required to provide data subjects with a reasonable access mechanism that allows them to access their personal data and must allow them to update, correct, delete, or transmit their personal data, as appropriate or required by law. The access mechanism will be further detailed in the Data Subject Data Access Request Procedure.
Data portability
Data subjects have the right to receive, upon request, a copy of the data they have provided, in a structured format, and to transmit that data free of charge to another controller. The Data Controller is responsible for ensuring that such requests are processed within one month, are not excessive and do not affect the personal data rights of other persons.
Right to be forgotten
Upon request, the data subject has the right to obtain from the organization the erasure of his or her personal data. When the organization acts as a data controller, the Data Controller must take the necessary actions (including technical measures) to inform the third parties who use or process that data to comply with the request.
Organization and responsibility
Responsibility for ensuring the appropriate processing of personal data lies with anyone who works within or on behalf of the organization and has access to the personal data it processes.
The Board of Directors makes decisions and approves the organization’s overall strategies regarding the protection of personal data.
The DPO (Data Protection Consultant, appointed internally or externally) or any other employee identified as the contact person for the PIMS (Privacy Management System) is responsible for managing the personal data protection program and for developing and promoting end-to-end personal data protection procedures.
The person responsible for this document is the Data Controller, who has the task of checking it and, if necessary, updating it, at least annually.
Legal Information
Vimco srl
Piazzetta Osvaldo de Bortoli, 1
22073 Fino Mornasco CO
Tel. 031 929539 | mail: vimco@vimco.it
C.F./P.IVA 01197940131