made in accordance with Article 13 of Regulation (EU) 2016/679 (GDPR) and Article 3.1 of the Provision of 8.4.2010 on Video Surveillance of the Italian Data Protection Authority - EDPB Guidelines 3/2019 on the Processing of Personal Data through Video Devices - Version 2. 0 - Adopted on 29/01/2020.
The Data Controller has installed a Video Surveillance system inside and outside the company in compliance with the regulations on the protection of personal data and the Workers' Statute. There are signs in the video surveillance area warning of the presence of the system, positioned in such a way as to inform the data subject before being filmed.
Data Controller
The Data Controller is CSI S.p.A. a single member, subject to the management and coordination of IMQ Group S.r.l., with registered office at Cascina Traversagna 21 - 20030 Senago (MI).
Contact details: 02 38330 1 - info@csi-spa.com
Data Protection Officer (DPO)
E-mail: dpo@imqgroup.it
Data Processed and Purpose of Processing
The personal data processed are images of people within the range of the cameras. These images are processed exclusively for crime prevention purposes and to protect the company's assets and the safety of workers, constituting a means of prevention with respect to the commission of unlawful acts and, possibly, a means of assisting Law Enforcement and/or Judicial Authorities in identifying those responsible for such acts. Images of workers may not, under any circumstances, be used to contest charges of a disciplinary nature.
Legal Basis for Processing
Pursuant to Article 6(1)(f) of the GDPR, the legal basis for processing is the LEGITIMATE INTEREST of the Data Controller aimed at the pursuit of the purposes set out above.
Method of Processing and Data Retention Period
The processing is carried out with the use of electronic tools. Data are stored on computer media for 96 hours or as long as strictly necessary as a result of holidays and company closures; at the end of the retention period, the images will be automatically deleted from the system.
Mandatory/voluntary nature of data provision
Signs have been posted indicating the presence of the cameras before their range: one can decide not to enter the range of the cameras, but, if one does enter, the provision of data (i.e., one's image taken by the cameras) is mandatory.
Data Communication
The data may be processed by duly trained and instructed internal personnel (authorized to process the data pursuant to Art. 29 of the GDPR or Art. 2 quaterdecies of Legislative Decree 101/2018) as well as by third parties, appointed as Data Processors pursuant to Art. 28 of the GDPR or System Administrators pursuant to the provision of the Data Protection Authority of 27.11.2008. The updated list of Data Processors and persons authorized to process data can be consulted by request to the email address: dpo@imqgroup.it
Data may be disclosed externally only at the request of the Judicial Authority and/or the Police.
Data Transfer
The management and storage of personal data will take place on servers of the Data Controller and/or third parties duly appointed as Data Processors, located within the European Union. The Data Controller, should it become necessary, will have the right to move the location of the servers to countries outside the EU, ensuring as of now that the transfer of data outside the EU will take place in accordance with Art. 44 ff. of the GDPR and the applicable legal provisions by entering into agreements, if necessary, that guarantee an adequate level of protection. In particular, it will have to ensure that adequate technical and organizational measures are in place so that the processing meets the requirements of the Privacy Code and the GDPR, that the protection of the rights of the Third Parties concerned is ensured, that data transfers can be tracked, and that the appropriate security measures can be documented.
Rights of the data subject
You may at any time exercise your rights vis-à-vis the Data Controller, pursuant to Articles 15-22 GDPR (including access, rectification, erasure, restriction, objection), where this does not conflict with legal regulations and is technically possible, by sending an email to: info@csi-spa.com or a written communication to the Data Controller's office. It is the option of the data subject to write to the data protection officer at: dpo@imqgroup.it. It will always be possible to lodge a complaint with the supervisory authority via the procedure available at www.garanteprivacy.it
Changes to this Policy
This Policy may be subject to change. The Data Controller undertakes to make the most up-to-date version available to the data subject. We therefore recommend that you check it regularly.