The protection of personal data is an important commitment for Things Mobile Srl (hereinafter "Things Mobile" or the "Company").
The entry into force of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter "GDPR") has provided the opportunity to further adapt the activities carried out by the Company to the principles of transparency and protection of personal data, in compliance with the fundamental rights and freedoms of all those concerned, whether employees, contractors, customers, suppliers or third parties interested in receiving information.
Things Mobile has thus implemented a "Privacy Compliance Program" (PCP) that is described here in general terms, aimed at analyzing all data processing, organizing it in a functional way and managing it in a safe and transparent manner. This section of the website also contains information on the rights of the data subject and the procedures for exercising them vis-à-vis the Data Controller.
1 - GDPR PRIVACY COMPLIANCE PROGRAM
1.1 - DATA SUBJECTS
1.2 - RISK ANALYSIS AND MEASURES TO PREVENT PRIVACY RISKS
2 - TRANSPARENCY AND RIGHTS OF THE DATA SUBJECT
2.1 - PERSONAL DATA PROTECTION RIGHTS
2.2 - EXERCISING RIGHTS
2.3 - FORMS AND INFORMATION STATEMENTS
1 - GDPR PRIVACY COMPLIANCE PROGRAM
1.1 - DATA SUBJECTS
The Data Controller is:
Things Mobile Srl (hereinafter also the “DATA CONTROLLER”)
Piazza Luigi di Savoia, 22, 20124 - Milano (MI)
Tel. +39 02.0283595427
VAT no. and Tax Code: 09882960967
DATA PROTECTION OFFICER
The Data Protection Officer is Laura Zanella (hereinafter also the “DPO”)
The DATA CONTROLLER has decided to appoint an internal "Privacy Team" made up of persons, including from outside the company, with organizational, technical and computer skills.
The Privacy Team has the function of supporting the activities of the DATA CONTROLLER.
DATA PROTECTION OFFICER (DPO)
The DATA CONTROLLER has decided to appoint a Data Protection Officer (DPO) pursuant to article 37 of EU Regulation 2016/679, who acts in synergy with the internal privacy team. The DPO is domiciled at the DATA CONTROLLER’s premises and can be contacted for any need related to the processing of personal data of all data subjects.
PERSONS AUTHORIZED TO PROCESS DATA (article 29 GDPR)
The PCP provides that each employee/collaborator of the DATA CONTROLLER processes only the data necessary to discharge their duties, in accordance with the internal organization and especially the purposes indicated and proposed to the data subject (principle of so-called "purpose limitation and data minimization", article 5, paragraph 1, letters b) and c) of the GDPR). A breakdown of processing by homogeneous areas of persons authorized to process data has therefore been prepared, linking employees/collaborators in charge of each area to a specific field of processing. Each authorized person has received specific instructions from the DATA CONTROLLER regarding personal data processing. For this purpose, by design, the information system also consists of 'sealed compartments'. The employee/collaborator may only access the data necessary to discharge their duties from their own IT workstation. Designation to specific processing areas takes place after careful analysis of the company's structure and organization as well as the data flow inside and outside the company, and is summarized in a special internal matrix that specifically identifies the processing scope of each area.
The employee/collaborator has also received internal regulations on the use of IT tools and the rules of conduct on all the information that he/she accesses by virtue of his/her specific duties.
In order to effectively ensure compliance with the principles regarding personal data processing, the DATA CONTROLLER has also provided training and refresher courses on the subject to its employees/collaborators who, by virtue of their duties, carry out processing of personal data.
SYSTEM ADMINISTRATORS (INTERNAL AND EXTERNAL)
The DATA CONTROLLER uses information systems to manage and organize its activities. For this reason, attention to the construction of software, the way of using it and data security have always been the basis of the activities of the DATA CONTROLLER. Persons with "administrator" privileges within the company are specifically appointed and trained. Other external specialized companies that have access to company data are also specifically appointed as External Processors and/or External System Administrators pursuant to article 28 of the GDPR.
The suppliers of external IT services are chosen with particular attention to their professionalism, not only technical, but also in relation to the respect and protection of data, giving priority to certified companies.
DATA PROCESSORS (article 28 GDPR)
In principle, the DATA CONTROLLER manages almost all processing activities in-house. Cases of outsourcing to third parties of some activities that involve data processing on behalf of the DATA CONTROLLER are appropriately indicated within the individual information statements. In these cases, the relationship with the third party is governed by a contract of appointment as "Data Processor" pursuant to article 28 of the GDPR.
The DATA CONTROLLER entrusts this processing activity to external entities with sufficient guarantees to implement appropriate technical and organizational measures to meet the requirements of the GDPR and to ensure the protection of data subjects' rights.
1.2 RISK ANALYSIS AND MEASURES TO PREVENT PRIVACY RISKS
According to the principles of "accountability", the DATA CONTROLLER is responsible for implementing a series of measures - organizational, physical, legal, technical and IT - aimed at preventing the risk of violation of the rights and personal freedoms of the data subjects. In order to achieve this objective, a constant risk analysis is carried out, depending on the processing, the equipment used, the type and the amount of processed data.
RECORD OF PROCESSING ACTIVITIES (article 30 GDPR) AND DATA PROTECTION IMPACT ANALYSIS (article 35 GDPR)
The PCP provides for a careful and constant analysis of the risks for personal data processing, identified for each activity or service provided through a Record of Processing Activities in accordance with Article 30(1) of the GDPR.
Having analyzed the processing activity carried out by the DATA CONTROLLER, it is believed that as of today there are no activities at risk such as to require a specific impact assessment pursuant to article 35 of the GDPR (the so-called "DPIA").
The analysis on IT risks and on company hardware and software infrastructures and on IT adaptation measures was carried out both by our System Administrator using specific tools and checklists and by an external company specialized in IT security, which carried out an in-depth audit with security tests. The results of the audit have allowed our experts to further improve the measures to protect against cyber attacks and cyber threats, gradually and proportionately to the risk to the rights and freedoms of data subjects.
2 - TRANSPARENCY AND RIGHTS OF THE DATA SUBJECT
2.1 PERSONAL DATA PROTECTION RIGHTS
The DATA CONTROLLER also deems it fundamental to inform data subjects of the existence of certain rights regarding personal data protection, listed below.
Right to be informed (transparency in data processing)
Data subjects have the right to be informed about how the DATA CONTROLLER processes their personal data, the purposes and other information provided for by article 13 of the GDPR. To this end, the DATA CONTROLLER has set up organizational processes that allow, when acquiring or requesting personal data, the issue of an information form created "ad hoc" according to the category of the data subjects to which the person belongs (employee, customer, supplier, etc.). This document makes it possible to adequately inform all data subjects to whom the data refer on how processing by the DATA CONTROLLER is carried out. The information form can be requested with a special request addressed to the DATA CONTROLLER.
- Right to withdraw consent (Article 13)
You have the right to withdraw your consent at any time for all processing operations in which the prerequisite for lawfulness is your expression of consent. Withdrawal of consent shall not affect the lawfulness of prior processing.
- Right to access data (Article 15)
You may request: a) the purposes of the processing; b) the categories of personal data concerned; c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular if they are recipients in third countries or international organizations; d) when possible, the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period; e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing; f) the right to lodge a complaint with a supervisory authority; g) where the data are not collected from the data subject, all available information as to their origin; h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. You have the right to request a copy of the personal data subject to processing.
- Right to rectification (Article 16)
You have the right to request rectification of incorrect personal data concerning you and to have incomplete personal data completed.
- Right to be forgotten (Article 17)
You have the right to obtain from the data controller the erasure of personal data concerning you if the personal data are no longer necessary for the purposes for which they were collected or otherwise processed, if you withdraw your consent, if there is no overriding legitimate reason for proceeding with profiling, if the data were processed unlawfully, if there is a legal obligation to erase them, or if the data relate to web services provided to minors without your consent. Erasure may occur unless the right to freedom of expression and information prevails, or the data are retained for the fulfilment of a legal duty or for the performance of a task carried out in the public interest or in the exercise of official authority, for reasons of public interest in the field of health, for purposes of public record keeping, scientific or historical research or for statistical purposes, or for the establishment, exercise or defence of a right in legal proceedings.
- Right to restriction of processing (Article 18)
You have the right to obtain from the Data Controller the restriction of processing if you have contested the accuracy of personal data (for a period enabling the Data Controller to verify the accuracy of the personal data) or if the processing is unlawful, but you object to the erasure of personal data and ask instead for its use to be restricted or if they are required by you for the establishment, exercise or defense of legal claims, while the Data Controller no longer needs them.
- Right to data portability (Article 20)
You have the right to receive the personal data you provide us with in a structured, commonly used and machine-readable format and to pass them on to another person if the processing was carried out on the basis of consent or a contract and if the processing was carried out by automatic means, unless the processing was necessary for the performance of a task carried out in the public interest or in the exercise of official authority, and the rights of third parties were not violated by such transmission.
- Right to object (Article 21)
You have the right at any time to object, in whole or in part, to the processing of your personal data if the processing is carried out for the pursuit of a legitimate interest of the Data Controller or for purposes of direct marketing.
- Right to apply to the Authority for the Protection of Personal Data (Article 77)
Without prejudice to any other administrative or judicial remedy, if you consider that the processing relating to you is in breach of the Regulation on the protection of personal data, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State where you have your habitual residence, employment or the place where the alleged breach occurred.
2.2 EXERCISING RIGHTS
For the effective exercise of your rights, you may request information from the DATA CONTROLLER, or fill out the access forms that we provide below.
2.3 FORMS AND INFORMATION STATEMENTS
1) Below is a draft document to be filled in for the concrete exercise of the rights of the data subject. The form can then be sent to the DATA CONTROLLER, to the above addresses, in accordance with current legislation.
Form to be printed and filled out specifying the right applied for
Form to exercise rights
2) Information statements: