CIRCULAR LETTER ON THE PROCESSING OF DATA OF WORKERS OF CLIENTS’ OR SUPPLIERS’ COMPANIES

CLIVET SPA – during the performance of a contract with its own clients and suppliers, or upon carrying out controls, verifications or audits – may acquire personal data concerning the workers of the clients’ or suppliers’ companies. Pursuant to the norm in force, CLIVET SPA is hereby issuing the following circular letter to the data subjects, pursuant to Articles 13 and 14 of EU Reg. No. 679/2016 and the Privacy Code, as amended by L. Decree No. 101/2018.

 

Identity and contact details of the data controller
CLIVET SPA
Sede Legale: Via Camp Lonc, 25
32032 Z.I. Villapaiera, Feltre (BL)
Reg. Imp. Belluno, VAT n. 00708410253 REA n. 66577

Identity and contact data of the Data Protection Officer (DPO)  
Clivet SpA has appointed as its DPO, Atty. Susanna Greggio, e-mail: dpo@clivet.it, tel. 0444.547317

Purposes for which personal data is processed 
CLIVET SPA’s processing of the personal data of the workers of client companies or those of suppliers, aims at the performance of the contract signed with the employer or in the performance of verification, control activities or audits before and after the execution of the contract. 

Legal basis of the processing 
The processing of data of the workers who are employees of third-party companies is necessary for the pursuance of the legitimate interests of Clivet and precisely to fulfil a contract signed between CLIVET SPA and the organisation to which the worker belongs or in the scope of the transactions for which the contract was signed, during verifications, controls or audits.

Categories of personal data subject to processing 
The processing concerns common types of personal data (relating to employment relationships, the tasks assigned and personal and fiscal data, contact data, etc.). The processing may also concern health and biometric data, within the limits in which the processing is strictly necessary for the purposes indicated. The processing does not concern juridical data.

Possible recipients or possible categories of recipients of personal data 
The personal data may be disclosed to the employees of CLIVET SPA, its independent collaborators, associated companies, subsidiaries and parent companies within the limits in which such knowledge is necessary for the purposes indicated.

Transfer of data to third Countries 
CLIVET SPA does not intend, at present, to transfer the personal data to third Countries with respect to the European Union. 
In every case, should it occur, CLIVET SPA guarantees that such data will be transferred to:

  • companies that are part of the CLIVET SPA group and that adopt the same procedures in matters of personal data processing (Corporate Binding Rules approved by the competent Supervisory Authority)
  • non-EU Countries in which the European Commission has decided that the Third Country in question ensures an adequate level of protection (Art. 45 GDPR) or after the stipulation of standard contract clauses approved by the European Commission. 
  • Any derogations to the above may take place only in compliance with Art. 49 of the GDPR.

The retention period of personal data, or if not possible, the standards used to determine such period 
The personal data shall be retained by the Clivet company for the entire duration of the contract with the organisation that is the employer in the work contract and for 10 years subsequent to the termination of contract efficacy itself and/or however in conformity with the provisions of the current laws in civil, fiscal and administrative matters regarding data retention. A more or less long personal data retention period may possibly be determined by requests from the Public Administration or any other Juridical, governmental or ruling Body or by the participation of this Company in judicial procedures entailing personal data processing.  
The personal data processed by CLIVET SPA in the pre-signing phase of a contract with the worker’s employer, will be retained for the time necessary for the transactions and drawing up of the contract, and in the pursuance of verification, control and auditing activities. 

Rights of the data subject
The data subjects are entitled to obtain from the data controller, free of charge and without impinging the rights and liberties of third parties, the access to their personal data. In particular, they are entitled to obtain the confirmation whether processing of his or her data is underway, and the following information: a) the origin of the personal data if the data was not obtained from the data subject himself; b) the category of personal data; c) the processing purposes and methods; d) the existence of an automated process, including profiling, and in such case, the logic applied, as well as the importance and consequences of such processing foreseen for the data subject; e) the update or rectification; f) erasure or the restriction of his/her data (transformation in anonymous form, blocking of the data processed in breach of law, including those for which retention is not necessary in relation to the objectives for which the data were gathered or subsequently processed); g) the recipients or categories of recipients to which the personal data were or will be disclosed, in particular if these are international organisations or third-party countries (in this last case, the data subject is entitled to be informed of the existence of adequate warranties pursuant to Art. 46 regarding transfer); h) when possible, the retention period of personal data provided, or if not possible, the criteria used to determine such period. 
The data subject moreover has the right to withdraw the consent given to the processing of personal data and object to the processing. In every case, the withdrawal of consent given to the processing does not jeopardize the lawfulness of the processing based on the consent given before the withdrawal. 
The data subject moreover has the right of data portability.

Right to lodge a complaint
The Data Subject has the right to lodge a complaint to the Data Protection Authority, represented in Italy by the Italian Data Protection Authority, based in Rome, Piazza Monte Citorio, 121. The complaint may be submitted by the interested party in the manner deemed most appropriate: by hand, by registered letter a.r., by fax or by mail. For information the interested party is invited to consult the website of the Guarantor at www.garanteprivacy.it

Sources from which personal data originated and, if the case, the possibility that the data originated from sources accessible to the public 
The personal data was furnished by the organisation to which the worker belongs.

Inexistence of an automated decision-making process.
This Company does not use automated decision-making processes that produce important juridical effects on the data subject.