The following definitions of terms used in this document are taken from art. 4 of the General Data Protection Regulation (GDPR) and from Italian legislation on the subject (Legislative Decree no. 196 of 30 June 2003):
Personal Data: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special Categories of Personal Data: these data are, by their nature, particularly sensitive in relation to fundamental rights and freedoms and merit specific protection, as the context of their processing could create significant risks to those fundamental rights and freedoms. These data categories include personal data that reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processor: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
Processing: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Anonymisation: means an irreversible de-identification of personal data in such a way that they can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. Pseudonymisation on the other hand reduces but does not completely eliminate the possibility of connecting the personal data to the data subject. Since pseudonymised data are still personal data, the processing of pseudonymised data must take place in compliance with principles for the Processing of Personal Data.
Cross-border processing: means the processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a Controller or Processor in the Union where the Controller or Processor is established in more than one Member State; or the processing of personal data which takes place in the context of the activities of a single establishment of a Controller or Processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
Supervisory Authority: means an independent public authority which is established by a Member State pursuant to Article 51 of the EU GDPR.
Lead Supervisory Authority: means the supervisory authority ultimately responsible for managing a cross-border processing operation, for example when a data subject files a complaint regarding the processing of his or her personal data. The Lead Supervisory Authority is also responsible for receiving reports of data breaches and risky processing activities, and has full authority with regard to its functions to ensure compliance with the EU GDPR.
Each “local supervisory authority” in any case retains jurisdiction in its territory and monitors the processing of any local data that affects data subjects, or that is performed by a Controller or a Processor within or outside the European Union, where the processing concerns data subjects resident in its own territory. Its duties and powers include carrying out investigations and applying administrative measures and penalties, promoting awareness amongst the public of the risks, rules, security and rights connected to the processing of personal data, and accessing any premises of the Controller or Processor of the data, including any processing tools or means.
“Main establishment of a Controller” with establishments in more than one Member State: means the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the Controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment.
“Main establishment of a Processor” with establishments in more than one Member State: means the place of its central administration in the Union, or, if the Processor has no central administration in the Union, the establishment of the Processor in the Union where the main processing activities in the context of the activities of an establishment of the Processor take place, to the extent that the Processor is subject to specific obligations under this Regulation.
“Group of undertakings”: means a group consisting of a controlling undertaking and its controlled undertakings.
1. Group objective
Consistent with the fundamental principles and codes of conduct laid down in its internal regulations, and with the policies and practices in force (as amended, implemented and supplemented over the years, particularly since the Group’s current shareholders took control), Fedrigoni Group intends to maintain its commitment to safeguarding the principles of protection, confidentiality and defence of human individuality and dignity in relation to the processing and protection of personal data. To this end, Fedrigoni Group specifically undertakes to continue to:
▪ protect and safeguard the personal data of every individual;
▪ ensure confidentiality in the personal and private lives of every individual;
▪ respect constitutionally guaranteed fundamental freedoms;
▪ respect the identity, personality and dignity of every human being;
▪ protect the confidentiality of information concerning employees, clients, suppliers, all third parties operating as individuals and all those engaged in relations with individual Group companies.
2. Group Commitment
Fedrigoni Group undertakes, in full compliance with the appropriate regulations, to continuously improve the protection of personal data by:
a) increasing awareness amongst employees, suppliers, clients and all interested parties of the commitments undertaken in relation to the protection of personal data and security of information;
b) identifying representatives with the necessary requirements, expertise and powers to ensure the correct functioning of the data processing system;
c) adopting an integrated, organically managed document system (uniform and standardized procedures, operating instructions and models throughout the organization);
d) where the processing of personal data occurs, fully aligning the definition, integration, adjustment and revision of company processes with the legislative principles that regulate such processing;
e) defining an organisational model for privacy that provides effective and preventative protection in the processing of personal data relating to the various company processes;
f) adopting the best available techniques, taking into account their economic sustainability, to minimise damage in the event of mishaps or negative events in the processing of personal data, including adopting appropriate methods for restoring data in the event of accidental damage and/or loss;
g) promoting dialogue and discussion, based on mutual transparency, with all stakeholders, such as clients and external collaborators, taking due account of their requests and expectations with regard to personal data processing, in accordance with the means of participation and communication adopted by the Group.
Fedrigoni Group companies undertake to protect personal data processed for any reason, adopting actions that comply with the general principles illustrated below, the Regulations on Use of IT and Internet Systems at Work and any other internal policy or regulation that directly or indirectly governs matters relating to personal data protection.
3.1 Processing principles and policies
Fedrigoni Group undertakes to process data in accordance with the appropriate principles and in full compliance with current legislation.
Data is always processed in accordance with the following principles:
1. collect data for specified, explicit and legitimate purposes, and subsequently process the data in a manner that is not incompatible with those purposes;
Ref.: principle of purpose limitation
2. collect and process data in line with adequate security and prevention measures designed on the basis of a risk assessment and implemented before starting the processing, performing all the necessary actions to ensure the data are protected by organisational and technical measures that guarantee their confidentiality and integrity;
Ref.: principle of security
3. process data lawfully, fairly and in a transparent manner in relation to the data subject, providing him or her with appropriate information on how the data will be used and obtaining his or her consent for processing that is not otherwise necessary or for the processing of particular types of data, for example data that may reveal the data subject’s health status, racial origin, religious convictions, etc.;
Ref.: principles of lawfulness, fairness and transparency
4. ensure the methods used to process data are relevant and limited to what is necessary for the purposes for which they are processed;
Ref.: principle of data minimisation, relevance, proportionality and privacy by default
5. where necessary, take every reasonable step to ensure that data which are inaccurate with regard to the purposes for which they were processed are promptly erased or rectified;
Ref.: principles of accuracy, necessity, non-excessiveness and essentiality
6. keep data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
Ref.: principle of storage limitation and the right to be forgotten
7. process data in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures;
Ref.: principles of integrity and confidentiality
8. ensure data subjects are given the opportunity to request all the data they have provided;
Ref.: principle of data portability
9. ensure that every new form of data processing is designed in such a way as to guarantee the necessary security based on the risks to which it is exposed before being implemented. IT systems must therefore also be designed according to this principle;
Ref.: principle of privacy by design
10. ensure that, following processing, the data can no longer be attributed to a specific individual without using additional information, provided such additional information is kept separately and subject to technical and organisational measures designed to ensure that such personal data are not attributed to an identified or identifiable natural person;
11. manage data processing in such a way that any breach of security that leads to the destruction, loss, alteration, unauthorised disclosure of, or access to personal data, regardless of the reason for it, is notified to the competent authorities and, in serious cases, to the data subject, within the timeframes established by law.
Ref.: principle of data breach notification
3.2 Collection and processing of information
All Group companies adopt measures and precautions to verify that information containing personal data is relevant, accurate, complete and current, as required for the purposes for which it will be used. Personal data is processed in compliance with the principle of data minimisation as required under art. 5, par. 1, lett. c), of the Regulation and Italian legislation on the subject (Legislative Decree 30 June 2003, no. 196), which state that the collection and subsequent processing of personal data must take place in such a way as to reduce to a minimum the use of personal data that may identify a data subject.
Where certain processing operations, or processes or stages of a process, do not require the personal and identification data of data subjects to be displayed in the clear, these processing operations must be performed using data that have been rendered anonymous or at least encoded.
To better understand the spirit of the GDPR from this perspective, we must consider the fundamental principle of the Regulation and of Italian legislation on the subject (Legislative Decree 30 June 2003, no. 196), i.e. the principle of accountability: all Group companies that are required to adopt and comply with the rules and principles of the GDPR must first be fully aware of the context in which they operate, the equipment they have access to and the contents of their activities. Only by carrying out this internal investigation to get to know their own structure is it possible to really appreciate the company’s “privacy” status.
In practical terms, to ensure compliance with the principle of accountability, Group companies must always be able to justify the decisions they make on the basis of the Regulation, particularly in view of inspections.
3.3 Integrity of data
In accordance with art. 5 of the European Regulation and based on Italian legislation on the subject (Legislative Decree 30 June 2003, no. 196), Fedrigoni Group processes personal data in line with the following general criteria:
• processing operations must be performed in a lawful, transparent and correct manner;
• the data processed must be collected and recorded for specific, explicit and legitimate purposes, and used in a manner that is not incompatible with those purposes;
• the data processed must be accurate and, where necessary, kept up to date;
• the data processed must be adequate, relevant and limited to what is necessary for the purposes for which they are processed;
• the data processed must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
• the data must be processed in such a way as to ensure adequate security of personal data, including protection from loss, destruction or accidental damage, via technical and organisational measures appropriate to protect them from unauthorised or unlawful processing (“integrity and confidentiality”).
3.4 Choice and consent
Group companies undertake to comply with the obligation to obtain consent as laid down in art. 6 and art. 7 of the Regulation and in Italian legislation on the subject (Legislative Decree 30 June 2003, no. 196). The Group ensures consent is given validly by guaranteeing the following:
• correct and complete privacy information is provided prior to consent;
• consent is given freely and unequivocally;
• consent refers solely to a specific processing operation;
• consent is documented in writing also with regard to the type of data collected (e.g., use of sensitive data).
In accordance with art. 6, par. 1, lett. b) - f) of the Regulation and Italian legislation on the subject (Legislative Decree 30 June 2003, no. 196) consent is not required when:
• the processing is necessary for the performance of a contract to which the data subject is party or for the performance of pre-contractual measures adopted on request by him or her;
• the processing is necessary in order to comply with a legal obligation to which the Controller is subject;
• the processing is necessary to protect the vital interests of the data subject or another natural person.
3.5 Privacy information
Fedrigoni Group works to ensure all processing operations take place in accordance with art. 13 and art. 14 of the Regulation (Information) and with Italian legislation on the subject (Legislative Decree 30 June 2003, no. 196). Data subjects must always be given adequate information when their data are collected; where this is not possible because the personal data are collected from third parties, the data subject must receive information as soon as possible, or in any case within one month of collection of the data or at the time of first contact with the data subject.
The contents of the information to be provided are listed in art. 13, par. 1, and art. 14, par. 1, of the Regulation and Italian legislation on the subject (Legislative Decree 30 June 2003, no. 196), as indicated below, and must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
The Group includes the following in the information it provides to data subjects:
• the identity and the contact details of the controller and, where applicable, of the controller's representative;
• the contact details of the data protection officer, where applicable;
• the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
• a description of the legitimate interests pursued by the controller or by third parties, where the processing operation has this legal basis;
• the recipients or categories of recipients of the personal data;
• where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the data protection safeguards connected to this transfer;
• the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
• how to exercise their rights as provided for by the GDPR;
• the right to lodge a complaint with a supervisory authority;
• whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
• the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
The Group does not permit tacit or presumed consent.
3.6 Access to personal data and other rights of the data subject
Fedrigoni Group guarantees every data subject whose personal data are processed the free exercise of the rights provided for under articles 15-22 of the Regulation and Italian legislation on the subject (Legislative Decree 30 June 2003, no. 196).
More specifically, the data subject has the right to:
• obtain confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data;
• object, on legitimate grounds, to a specific personal data processing operation so that the processing definitively ceases;
• withdraw his or her consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
• obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her and to have incomplete personal data completed, including by means of providing a supplementary statement;
• request that his or her data be processed solely for storage purposes, excluding any other processing operation;
• obtain the erasure of his or her personal data where the appropriate grounds exist.
3.7 Transfers of personal data
All Group companies undertake to adopt the measures necessary to ensure that transfers of personal data take place in compliance with the applicable laws, even where the transfer is carried out by third parties acting as sub-contractors. In accordance with the principle of free movement of personal data, the Regulation regulates the transfer of data between European Union Member States and the European Economic Area (Norway, Iceland, Liechtenstein).
For transfers of data to countries not belonging to the EU/EEA, one or more of the following conditions must exist:
• the legal system of the country of destination or of transit of the data guarantees a level of protection of persons considered “adequate” by the European Commission;
• contractual instruments providing adequate guarantees (standard contractual clauses, binding corporate rules, etc.) have been adopted;
• the data subject has explicitly expressed his or her consent to the transfer (in writing for specific data) proposed, after having been informed of the possible risks of such transfers for the data subject, due to the absence of an adequacy decision and appropriate safeguards;
• the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken in response to the data subject’s request;
• the transfer is necessary for the conclusion or performance of a contract concluded between the controller and a third party in the interest of the data subject;
• the transfer is necessary for important reasons of public interest;
• the transfer is necessary for the establishment, exercise or defence of legal claims;
• the transfer is necessary to protect the vital interests of the data subject or of another person, where he or she is physically or legally incapable of giving his or her consent.
4. Administrative penalties
Failure to comply with the provisions of the Regulation and Italian legislation on the subject (Legislative Decree 30 June 2003, no. 196) leads to the application of administrative penalties of up to Euro 20,000 for the Controller.
Art. 83 of the GDPR provides for two tiers of administrative financial penalties for breaches of the Regulation: less serious breaches and more serious breaches.
For example, according to art. 83, lett. a), par. 4, a Controller or Processor’s failure to comply with obligations leads to an administrative penalty of Euro 10 million or, for companies, 2% of total annual global turnover for the previous FY, if greater.
Letter b), par. 5 of art. 83 of the GDPR states that a breach of data subjects’ rights, as laid down in articles 15-22, is considered a more serious breach and is subject to penalties of up to Euro 20 million or, for companies, up to 4% of total annual global turnover for the previous FY, if greater.
5. Oversight and Audits
GROUP COMPLIANCE OFFICER