Last update 22/06/2021
The protection of personal data processed within Mecme S.r.l. is an important commitment. The entry into force of the EU Regulation 679/16 "General Data Protection Regulation" (GDPR) provided the opportunity to further adapt the activities carried out by the company to the principles of transparency and personal data protection, while respecting the rights and fundamental freedoms of the interested parties, whether they are employees, collaborators, customers, users or suppliers.
The company has implemented a privacy organizational model herein described, aimed at analyzing all data processing, functionally organizing and managing them in safety and transparency. This section of the site also contains information on the rights of the interested party and the conditions to exercise them towards the Data Controller.
The Data Controller is Mecme S.r.l. (C.F. and P.IVA: 02139570283), with registered office in San Martino di Lupari (PD), via L. Da Vinci, 40.
Contacts:
T: +39 049 9461612
F: +39 049 9468931
info@mecme.it
The privacy organizational model provides that each employee / collaborator working for the DATA CONTROLLER processes only the data necessary to perform his/her tasks, depending on the internal organization and especially the purposes indicated and proposed to the interested party (so-called "Purpose limitation and data minimisation", Article 5 paragraph 1, letter B and C of Regulation 679/16).
Therefore a segmentation of the processing has been arranged based on homogeneous areas of "Persons authorized to process the data" or "Data Processors", by binding the employees / collaborators responsible for a specific area of processing.
The Data Controller has adopted the register of the processing operations, although not mandatory in this case, which is an internal document that precisely identifies the processing carried out and confers authorization on the employees in charge of the area.
The employee / collaborator has also received internal regulations on the use of IT tools and rules of conduct, including ethics, on all the information accessed by virtue of his/her specific tasks.
In order to effectively guarantee compliance with the principles regarding the processing of personal data, the Data Controller frequently provides appropriate training and updating courses to the employees / collaborators who, by virtue of their duties, carry out personal data processing.
The Data Controller uses advanced computer systems to manage and organize the business. For this reason, focusing on the software development and also on the use and security of data has always been the basis of the activity of the DATA CONTROLLER.
Persons with "managerial" privileges are specifically appointed and trained. The specialized external companies that access company data are also specifically appointed as External Processors or External System Administrators pursuant to Article 28 of Reg. 679/16.
The suppliers of external IT services are chosen with particular attention to their professionalism, not only in technical terms but also with regard to the respect and protection of data.
In principle, the Data Controller internally manages almost all processing activities. The cases of outsourcing to third parties of some activities involving data processing are duly defined in the Register of the processing operations and reported within the individual information.
In these cases the employment relationship with the third party is governed by an agreement as "External Data Processor" pursuant to Article 28 of Regulation 679/16.
According to the principles of "Accountability", the Data Controller must always implement a series of measures (organizational, physical, legal, technical and IT) aimed at preventing the risk of violation of the rights and personal freedoms of the interested parties.
To achieve this aim a constant risk analysis is carried out, depending on the processing, the tools used, the type and the amount of data processed.
The privacy organizational model provides a detailed and constant analysis of the personal data processing identified for each activity or service provided through the Register of the processing operations pursuant to art. 30 paragraph 1 Reg. 679/16.
The Register of the processing operations is an operational tool that contains elements other than those provided for by art. 30 of Reg. 679/16, as it allows a first analysis to be carried out of the risks to the rights and freedoms of the interested parties connected to each processing.
Having analyzed the processing activity carried out by the Data Controller, it is considered that there are no activities at risk such as to require a specific impact assessment pursuant to art. 35 Reg. 679/16 (DPIA).
The analysis of IT risks of the company's hardware and software infrastructures and of the IT adaptation measures is carried out both by our System Administrators and by a specialized external company: the results of the survey allowed our technicians to further improve their measures to protect against cyber-attacks and cyber threats, gradually and in proportion to the risk concerning rights and freedoms of the interested parties.
Specific organizational, physical, legal, technical and IT measures have been adopted and implemented to reduce the "privacy" risks of the interested party.
The Data Controller, also in this case, considers it essential to inform the interested parties of the existence of some rights regarding personal data protection, listed hereafter:
• Right to BE INFORMED (transparency in data processing). The interested party has the right to be informed about how the Data Controller handles his/her personal data, for what purposes, and about other information provided for by art. 13 of Reg. 679/16. For this purpose, the Data Controller has set up organizational processes that allow, at the time of acquisition or request of personal data, the issue of an "ad hoc" Model of Information created depending on the category to which the interested party belongs (employee, customer, supplier etc.). This document makes it possible to adequately inform all the interested parties to whom the data refer about how the data are processed by the Data Controller. The Model of Information can be obtained by making a specific request to the latter.
You have the right to withdraw your consent at any time for all those processing whose legitimacy is a manifestation of your consent. The withdrawal of consent does not affect the lawfulness of the previous processing.
You may request a) the purposes of the processing; b) the categories of personal data in question; c) the recipients or categories of recipients to whom the personal data have been or will be communicated, in particular if recipients of third countries or international organizations; d) where possible, the retention period of the personal data provided or, if not possible, the criteria used to determine this period; e) the existence of the right of the interested party to request the Data Controller to rectify or delete personal data or limit the processing of personal data concerning him/her or to oppose their processing; f) the right to lodge a complaint with a supervisory authority; g) if the data have not been obtained from the interested party, you may request all information available about their origin; h) the existence of an automated decision process, including the profiling referred to in Article 22 paragraphs 1 and 4 and, at least in these cases, significant information on the logic used, and the importance and expected consequences of such processing for the interested parties. You also have the right to request a copy of the personal data being processed.
You have the right to request the correction of inaccurate personal data concerning you and to obtain the integration of incomplete personal data.
You have the right to obtain from the Data Controller the deletion of personal data concerning you if they are no longer necessary for the purposes for which they were collected or otherwise processed: if you revoke your consent, if there is no legitimate reason prevalent to proceed to the profiling processing, if the data were illicitly processed, if there is a legal obligation to delete them; if the data refer to web services provided to minors without the relative consent. The cancellation can occur unless the right to freedom of expression and information prevails, or the data are kept for the fulfillment of a legal obligation or for the performance of a task carried out in the public interest or in the exercise of public powers, for reasons of public interest in the healthcare sector, for purposes of archiving in the public interest, scientific or historical research or for statistical purposes, or for the detection, exercise or defense of a right before a court.
You have the right to obtain from the Data Controller the limitation of processing when you have contested the accuracy of personal data (for the period that the Data Controller takes to verify the accuracy of such personal data), or if the processing is unlawful but you oppose the deletion of personal data, asking instead that their use be limited, or if you need them for the assessment, exercise or defense of a right before a court and the Data Controller doesn't need them.
You have the right to receive, in a structured, commonly used and automatically readable form, the personal data you have provided, and you also have the right to transmit them to someone else if the processing is based on consent or on a contract and if it is carried out by automated means, unless the processing is necessary for the performance of a task carried out in the public interest or in connection with the exercise of official authority, and provided that such transmission does not infringe the rights of third parties.
Without prejudice to any other administrative or judicial remedy, if you consider that the processing that concerns you is in breach of the personal data protection regulation, you have the right to lodge a complaint with a supervisory authority in the Member State in which you are normally resident, in which you work, or in which the alleged breach occurred.
For the effective exercise of your rights, you can ask the Data Controller for information, or fill out the forms of access provided below.
A draft document is provided below, to be completed for the concrete exercise of the interested party's right. The form can be sent to the Data Controller, writing to the above-mentioned addresses, in accordance with applicable regulations. Form.