POLICY CONCERNING THE CONFIDENTIALITY OF PERSONAL DATA PROCESSED FROM WITHIN Underline
The processing of personal data within Underline (“the Operator” or “the Company”) is accomplished by respecting the confidentiality and integrity requirements of personal data as described below.
This policy is based on the requirements imposed by the General Data Protection Regulation of the European Union no. 679/2016 (“GDPR”), applicable to any operator who processes personal data.
The Operator also recognizes that local legislation may impose higher or stricter standards for the protection of personal data, or standards that deviate from customary ones. Local legislation will apply and will always prevail over this policy if and to the extent that it exceeds the standards of this policy, and GDPR imposes stricter requirements and / or offers more legal protection to targeted individuals. If this policy offers more protection to targeted persons than applicable local law, or offers additional guarantees, rights, or remedies to the individuals concerned, then this policy will apply.
For the conduct of its activities, the Operator has to use personal data of certain categories of individuals. These may include personal data of the Operator’s employees, users, customers, suppliers, and other contractual partners (this list is not exhaustive), processed by electronic means according to the usage instructions of the application.
This policy describes how this personal data must be collected, handled and stored in order to comply with the Operator’s standards on personal data protection, as well as compliance with GDPR.
This policy ensures the Operator’s activity with regard to:
● compliance with GDPR and good practice of processing personal data;
● protection of the rights of the Operator’s employees, users, customers, suppliers and other contractual partners in their capacity as data subjects;
● protection against the risks of personal data breach.
PRINCIPLES RELATING TO THE PROCESSING OF PERSONAL DATA
The GDPR sets out the general principles under which personal data will be processed by each operator.
In this respect, the Operator and each member of the Operator’s personnel are responsible for observing the following principles in all processing of personal data made by the Company in its daily activity:
a) Legality, equity and transparency – this is an essential principle, closely linked to fundamental human rights. Personal data must be processed “legally, fairly and transparently to the data subject”.
In practice, the Operator and each staff member will have to verify, prior to the processing of certain types of personal data, that the processing rests on one of the following legal bases:
- the data subject has given his / her consent to the processing of his / her data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is a party or where the processing is necessary to perform the necessary steps to conclude a contract;
- processing is required to meet a legal obligation on the Operator;
- processing is necessary to protect the vital interests of the data subject or other natural person;
- processing is necessary in order to achieve the legitimate interests pursued by the Operator, except where the interests of the data subject prevail and require the protection of personal data, especially when the data subject is a child.
No Operator staff member will start processing personal data without first verifying whether it can be based on one of the above legal bases.
b) Goal-related limitations – Personal data will be collected for well-defined, explicit and legitimate purposes, and subsequent processing should not be incompatible with these purposes.
c) Reducing data to a minimum – any personal data collection will be thoroughly analyzed before data is actually obtained. Thus, it is necessary to obtain and process only the personal data that are most relevant and strictly limited to what is absolutely necessary for the purposes for which they are processed.
d) The accuracy of the information – The Operator will take all measures to ensure the validity of the data; data proven inaccurate must be updated immediately or deleted in accordance with the purposes for which they are processed.
In this respect, the Operator will periodically review the extent to which it is necessary to delete or revise the personal data it processes.
e) Storage limitation – Personal data will be kept as long as necessary for each type of processing undertaken by the Operator.
f) Integrity and confidentiality – Personal data processing is done under the most appropriate safety conditions, including protection against unauthorized or illegal processing and against loss, destruction or accidental damage, by taking appropriate technical or organizational measures in accordance with the provisions of the Company’s Privacy and Security Policy.
Each Operator staff member or any person working for him / her shall be responsible for ensuring that personal data is processed appropriately. Thus, individuals who manage personal data must ensure that these data are processed in accordance with the above principles and other provisions of this policy. In case of doubt, the Operator staff will not decide on their own whether or not to process personal data but will contact the Data Protection Officer within the Operator and follow closely the instructions of the Operator.
GENERAL RULES FOR COMPANY PERSONNEL
● the only persons authorized to access the personal data to which this policy refers should be those whose need for the data is strict and limited to carrying out their work;
● personal data should not be shared between Company staff members in any circumstance; when access to personal data is required, Operator personnel may request this from their hierarchical superior;
● the Operator will provide guidance, through the Data Protection Officer, to all employees to help them understand their responsibilities when handling personal data;
● Operator staff must keep all personal data secure, taking precautions and following the instructions in this policy;
● personal data must be reviewed and updated on a regular basis; if it is found that they are no longer necessary, they must be removed;
● employees must seek assistance from the Data Protection Officer when they have some concerns about the protection of their personal data;
● Operator staff will work consistently and whenever needed with the Data Protection Officer.
RULES ON STORAGE OF PERSONAL DATA
These rules describe how to safely process personal data. Questions about safe storage of personal data can be directed to the IT manager or the Data Protection Officer.
When data is stored on paper and only when it is needed, it must be kept in a safe place where unauthorized persons do not have access to it. In this regard, the following rules must be observed:
● when not necessary for the conduct of the Company’s activities, paper documents must be kept in a safe place of storage, inaccessible to the public;
● employees must ensure that paper and printed matter are not left where unauthorized people could see them;
● paper-based documents must be framed and safely removed when they are no longer needed.
RULES ON DATA ACCURACY
GDPR requires operators to take reasonable steps to ensure that data is kept accurate and up-to-date, and the Company makes significant efforts to do so.
It is the responsibility of all employees who work with personal data to take reasonable steps to keep them accurate. In this respect, the following rules will be considered:
● the data will be kept in as few places as needed, and Company staff will not need to create additional datasets;
● Company staff must take every opportunity to ensure data updates; for example, by confirming a customer’s details when a call is made with the customer;
● data must be updated / deleted if discrepancies are found.
CONDITIONS CONCERNING THE CONSENT OF THE PERSON CONCERNED
There are situations in which data processing is carried out on the basis of the consent of the data subject. Whenever the processing of personal data is based on the consent of the data subject, the Operator must be able to demonstrate that it has obtained informed consent in electronic form from the data subject to process his or her personal data.
So that obtaining the consent of the person concerned can be easily demonstrated, it is advisable that all members of the Operator’s personnel who have responsibilities in this respect comply with the provisions below.
In particular, it is necessary to ensure that the data subject understands who the Operator is, for which purposes the personal data will be processed, how it will be processed, how long the data will be processed (or, where this is not possible, what criteria are used to determine this period), the identity of any person (or categories of persons) to whom the data may be disclosed, whether personal data is transferred to or outside the country (and, if so, the location, the recipient and the appropriate transfer guarantees, if any), as well as his or her rights in relation to the personal data provided and how they can be exercised.
In all cases, the consent statement must be presented in an intelligible and easily accessible form, using clear and simple language.
All Operator staff members must keep in mind that the data subject has the right to withdraw his or her consent at any time, and that such withdrawal does not affect the lawfulness of the processing carried out on the basis of consent prior to its withdrawal. Withdrawing consent must be as simple as granting it, and all Operator staff members are responsible for complying with this legal requirement.
EXERCISE OF RIGHTS BY THE PERSON
The Operator guarantees that the rights of the data subjects are respected, according to GDPR.
Any person whose data is processed by the Company benefits from the rights set forth below.
a) Transparency of information, communications and ways of exercising the rights of the data subject
The Operator will take appropriate measures to provide the data subject with information about his or her personal data, even where the data have not been obtained from the data subject. Insofar as the Operator has reasonable doubts as to the identity of the data subject who makes such a request, it may require the applicant to provide additional documents and information to prove his or her identity.
The Operator provides the information in a concise, transparent, intelligible and easily accessible manner, using clear and simple language. The information shall be provided in writing or by other means, including, where appropriate, electronically.
The Operator shall not refuse to comply with the request of the data subject to exercise his or her right of access, the right to rectification, the right to deletion, the right to portability, and the right to object to the processing of personal data.
The Operator shall provide the data subject with information on the action taken on a request to exercise the rights set out in the preceding paragraph without undue delay and in any event no later than one month after receipt of the request. This period may be extended by two months when necessary, taking into account the complexity and number of requests the Operator faces at that time.
In such a case, the Operator shall inform the data subject of any such extension, within one month of receipt of the request, and shall also present the reasons for the delay. If the data subject submits the request electronically, the Operator will provide the information in electronic format where possible, unless the data subject requests a different format.
b) Right of access of the data subject
Upon request, the Operator shall provide the person concerned with confirmation of whether or not personal data concerning him / her are being processed and, if so, access to the data and the following information:
- the purposes of processing;
- the categories of targeted personal data;
- the recipients or categories of recipients to whom personal data has been or is to be disclosed, in particular recipients from third countries or international organizations;
- where possible, the period for which personal data is to be stored or, if that is not possible, the criteria used to establish that period;
- the existence of the right to require the Operator to rectify or erase personal data, or to restrict the processing of personal data relating to the data subject or the right to object to the processing;
- the right to lodge a complaint with the National Supervisory Authority for Personal Data Processing;
- where personal data are not collected from the data subject, any available information on their source;
- the existence of an automated decision-making process including the creation of profiles and, at least in those cases, relevant information on the logic used and on the importance and expected consequences of such processing for the data subject.
If personal data is transferred to a third country or an international organization, the data subject will be informed of the appropriate safeguards for the data transfer.
If the data subject submits the request electronically, and unless the data subject requests a different format, the information is provided in a commonly used electronic format.
c) Right to rectification of personal data
Upon receipt of such a request from a data subject, the Operator shall, without undue delay, proceed with the rectification of inaccurate personal data concerning the data subject.
Taking into account the purposes for which the data was processed, the Operator will complete the personal data that is incomplete, including by providing the data subject with an additional statement, as appropriate.
d) The right to delete personal data
At the request of the data subject, the Operator will delete the personal data without undue delay if one of the following reasons applies:
- personal data is no longer required to meet the purposes for which it was collected or processed;
- the data subject withdraws the consent on the basis of which personal data are processed for the purpose for which they were collected;
- the data subject objects to the processing and there are no overriding legitimate reasons for the processing;
- personal data has been processed illegally;
- personal data must be deleted to comply with a legal obligation on the Operator.
e) The right to restrict the processing of personal data
Upon request, the Operator will restrict the processing of the personal data of the data subject in one of the following cases:
- the data subject challenges the accuracy of the data for a period that allows the Operator to verify the accuracy of the data;
- processing is illegal and the data subject opposes the deletion of personal data, but instead calls for restrictions on their use;
- the Operator no longer requires the personal data for processing, but the data subject requests them in order to establish, exercise or defend a right in court; or
- the data subject has objected to the processing of the data, for the period of time needed to verify whether the legitimate rights of the Operator prevail over those of the data subject.
If processing has been restricted as described above, such personal data may (with the exception of storage) be processed by the Operator only with the consent of the data subject or for the establishment, exercise or defense of a right in court; or for the protection of the rights of another natural or legal person or for reasons of public interest.
f) Notification requirement for rectification or deletion of personal data or restriction of processing
As appropriate, the Operator will communicate to any recipient to whom personal data has been disclosed any rectification or deletion of personal data or restriction of processing, unless this proves impossible or involves disproportionate effort on the Operator’s part.
g) Right to data portability
Upon request, the Operator will provide the personal data of the data subject in a structured, commonly used and readable format (e.g., to the email address of the person concerned or to a private cloud of the person concerned), where:
- processing is based on the consent of the person concerned or on a contract; and
- processing is done by automatic means.
If the data subject requests this and it is technically feasible, the Operator will transmit the personal data directly to another personal data operator.
h) Right to object
To the extent that the data subject objects to the processing of personal data for reasons related to his or her particular situation, the Operator will no longer process the data, unless it can prove that it has legitimate and compelling reasons that justify the processing and prevail over the interests, rights and freedoms of the person concerned (for example, a legal obligation), or the purpose is to establish, exercise or defend a right in court.
i) Automated personalized decision making (including profile creation)
The person concerned has the right not to be the subject of a decision based exclusively on automatic processing, including the creation of profiles, which produces legal effects that concern the data subject or similarly affects him or her to a significant extent.
In such a case, the Operator will implement appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, at least his or her right to obtain human intervention from the Operator, to express his or her point of view and to contest the decision.
Prior to the entry of the Operator into contracts / agreements / partnerships involving personal data flows, it will take all necessary measures to ensure that the respective counterparties offer sufficient technical and organizational guarantees.
Thus, all contract partners will be carefully selected so as to ensure that the rights of the data subjects are respected.
PERSONAL DATA TRANSFERS
Personal data will be transferred to third parties outside of the European Union or the European Economic Area only if this data transfer complies with the other rules set out in this policy and, at the same time, the GDPR provisions. Practically, such a transfer can only take place if this is in line with the purpose for which personal data has been collected and if the transfer is necessary to accomplish that purpose.
The evaluation of the legality of the transfer of personal data outside the European Union or the European Economic Area is accomplished by following the two steps below:
a) Personal data may be transferred to a third party only if there is a legal justification for such a transfer; and
b) A transfer of personal data outside the European Union or the European Economic Area is only possible if it is made to a country for which the European Commission has determined the adequacy of data protection (for example, Andorra, Argentina, Canada, Switzerland, etc.) or if one of the following guarantees exists:
● Standard Contractual Rules; or
● Binding Corporate Rules; or
● Safe Shield; or
● The person concerned has expressed his consent to such a transfer.
To the extent that you have any concerns regarding the above, you may contact [ * ], the person responsible for the protection of personal data within the Operator, at the email address [ * ].