Cardin

PRIVACY POLICY


INTRODUCTION

Data protection is an important commitment for Cardin Elettronica S.p.A. (hereinafter “Cardin Elettronica S.p.A.” or “company”).
The entry into force of Regulation (EU) 2016/679 “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data” (the “GDPR”) has provided the opportunity to adapt the Company’s activities further to the requirements of transparency and data protection, in accordance with the fundamental rights and freedoms of all data subjects, whether they be employees, collaborators, customers, suppliers or third parties interested in receiving information.
Cardin Elettronica has therefore implemented an “Organisational Privacy Model” (OPM), which is outlined below, the aim of which is to analyse all data processing operations, to organise them on a functional basis and to manage them securely and transparently. This section of the website also contains information about the rights of the data subject and the way in which these rights can be exercised towards the Data Controller.


CONTENTS

1) GDPR ORGANISATIONAL PRIVACY MODEL

1.1) PARTIES

DATA CONTROLLER
The Data Controller is:
Cardin Elettronica S.p.A. (hereinafter also “CONTROLLER”)
Z.I.Cimavilla Via del lavoro, 73 31013 Codognè (TV)
Tel. +39 0438/404011
email: (ITALY) sales.office.it@cardin.it – (EUROPE) sales.office@cardin.it
Certified email address: ammin.cardin@pec.it
VAT no. and tax code: 00681370268


DATA PROTECTION TEAM
The DATA CONTROLLER has decided to appoint an internal “Data Protection Team”, formed of people with organisational, technical and IT skills.
The function of the Data Protection Team is to support the activity of the DATA CONTROLLER.


AUTHORISED DATA PROCESSORS (ex Art. 29 GDPR)
The OPM requires that every employee or person working on behalf of the DATA CONTROLLER only processes the data necessary to fulfil his or her duties, based on the internal organisation and on the purposes indicated or proposed to the data subject (“purpose limitation and data minimisation”, Art. 5(1)(b) and (c) GDPR). The processing operations have thus been segmented into sections of authorised data processors, with the employees/collaborators responsible for each section being restricted to a specific area of processing. Each authorised data processor has received specific instructions from the DATA CONTROLLER pertaining to the processing of personal data. The information system is also designed in “watertight compartments”: employees/collaborators may only access the data necessary to fulfil their duties, from their own workstations. The allocation to specific data processing areas is based on a careful analysis of the company’s structure and organisation, and of the flow of internal and external data.
Employees/collaborators also receive internal regulations on the use of IT tools and on the rules of conduct and ethics pertaining to all the information they access in relation to their roles.
To ensure the effective adaptation to requirements concerning the processing of personal data, the Data Controller has also provided adequate training to its employees/collaborators, who process personal data in connection with their duties.


INTERNAL AND EXTERNAL SYSTEM ADMINISTRATORS
The DATA CONTROLLER uses information tools to manage and organise its activity. For this reason, the DATA CONTROLLER’s activity is always underpinned by careful attention to the construction of software, the use of that software, and data security. Persons with “administrator” privileges within the company are specifically appointed and trained. The specialised external companies accessing internal data are also specifically appointed as External Data Processors and/or External System Administrators as defined in Article 28 of the GDPR.
Providers of external IT services are chosen with particular attention to their professionalism, not only in technical terms but also in relation to compliance with data protection requirements. Certified providers are preferred.


DATA PROCESSORS (ex Art. 28 GDPR)
In principle, the DATA CONTROLLER manages almost all the processing operations internally. The outsourcing to third parties of activities that imply the processing of data on the DATA CONTROLLER’s behalf is indicated in the individual policies, as appropriate. In these cases, relations with the third-party provider are governed by a specific “Data Processor” contract, as required by Article 28 of the GDPR.
The DATA CONTROLLER entrusts the processing operations to external providers who can offer sufficient guarantees of technical and organisational measures, in order to satisfy the requirements of the GDPR and to protect the rights of the data subjects.




1.2) RISK ANALYSIS AND MEASURES TO PREVENT DATA PROTECTION RISKS

According to the principle of “accountability”, the DATA CONTROLLER is responsible for implementing a series of organisational, physical, legal, technical and information technology measures designed to prevent the risk of infringement of the data subjects’ rights and freedoms. In order to meet this objective, a regular risk analysis is conducted based on the processing operations, the tools used, and the type and volume of data processed.

RECORDS OF PROCESSING ACTIVITIES (Art. 30 GDPR) AND ANALYSIS OF IMPACT ON DATA PROTECTION (Art. 35 GDPR)
The OPM provides for a thorough, regular risk analysis in relation to data processing, for each activity or service provided, through a Record of processing activities (Article 30 (1) of the GDPR).
After analysing the processing activity performed by the DATA CONTROLLER, we consider that there are currently no risky activities that would require a specific impact assessment as defined in Article 35 of the GDPR (“DPIA”).
The analysis of the information technology risks, and of the risks pertaining to company hardware and software, together with the related adaptation measures, was carried out by our System Administrator using specific tools and checklists, and also by an external information security firm, which carried out an in-depth audit including security tests. The results of the audit enabled our technicians to further improve the measures used to protect against cyber attacks and threats to information security. These measures were scaled in proportion to the risk to the rights and freedoms of the data subjects.


2) TRANSPARENCY AND RIGHTS OF THE DATA SUBJECT

2.1) RIGHTS PERTAINING TO DATA PROTECTION

Also in this area, the DATA CONTROLLER considers it essential to inform the data subjects of the existence of various rights pertaining to the protection of personal data. These are listed below.


2.2) EXERCISING DATA PROTECTION RIGHTS

In order to exercise your rights, you may request information from the DATA CONTROLLER or complete the contact form, which we have provided to you below.


2.3) FORMS AND POLICIES
1) Forms - Below is a draft document which you should print out and complete, in order to exercise your rights as data subject, stating which right you wish to exercise. The form may be sent to the DATA CONTROLLER at the above addresses, in accordance with the current laws.

   Exercising data protection rights

2) Policies:

   Information for customers and suppliers

   Contact form policy