PRIVACY POLICY
1. Introduction
The controller of your personal data (the “Controller”, “we”, “us”, “our”), as below defined, pursuant to article 13 of the General Data Protection Regulation (EU) no. 2016/679 (the “Regulation”), informs you that your personal data will be processed through the mobile application “My Assistant Hr Tech Suite” (the “App”) for the purposes and with the modalities described in this privacy policy (“Policy”).
This Policy supplements and does not replace the other information notices on data processing previously provided to you by the Controller (the “Information Notices”). Therefore, before interacting with the App, we invite you to carefully read this Policy as well as the Information Notices which may include further details on the processing of your personal data by the Controller.
The Controller reserves the right to modify or update, wholly or partly, the content of this Policy (also following changes in applicable legislation). The changes will be communicated to you through the App and/or by email.
2. The Controller
The Controller is your direct employer entity. Therefore, depending on the entity signing your employment contract, the Controller will be one of the following:
Please refer to the Controller and/or the Human Resources Department of the Controller for any questions or clarifications concerning the processing of your personal data or the use of the App.
3. Purposes of the processing
The Controller performs the processing of your personal data through the App for the following purposes.
| No. | Purposes | Legal basis |
| --- | --- | --- |
| 1 | To execute our obligations pursuant to the employment contract (e.g., to process overtime/holiday/leave requests, to manage sick leaves, to communicate with you in case of emergency, for payroll purposes). | Article 6.1(b) and article 9.2(b) of the Regulation. |
| 2 | To comply with our legal obligations (e.g., fiscal and tax obligations) pursuant to the applicable law. | Article 6.1(c) of the Regulation. |
| 3 | To pursue our legitimate interests in transmitting your personal data within the group for internal administrative/organisational purposes, or to protect our assets/employees, or to enforce our rights. | Article 6.1(f) of the Regulation. |
The provision of personal data for the above-mentioned purposes is necessary to allow the Controller to perform the employment contract or comply with the applicable law. In case of failure to provide such data, the Controller cannot perform the obligations required by the employment contract and/or comply with the above-mentioned legal obligations.
4. Categories of personal data processed and data retention period
The Controller collects the following personal data that you may provide through the App.
| No. | Personal data | Retention Period |
| --- | --- | --- |
| 1 | Name, surname, job title, professional contact details. | Stored for the entire duration of your employment relationship with the Controller. Depending on the local law applicable to the Controller, the Controller may retain your personal data for a period of up to 10 years after the termination of the employment relationship to protect and enforce Controller’s rights. For further details, please refer to the additional details provided by the Controller in the Information Notices. |
| 2 | Working hours, workplace details (including work-from-home mode), leave requests and leave details (e.g., sick, maternity and/or parental leaves), business travels’ details (e.g., flight tickets and restaurant expenses). | |
| 3 | Meeting room reservations (date and hour). | 120 days following the days of the scheduled meeting. |
| 4 | Data generated through the use of the App (e.g., information on the browser and on the device; IP address; data on the use of the App and the services). | Erased immediately after being processed. |
At the end of the retention period, the personal data will be deleted or made anonymous unless further processing is necessary to pursue other legitimate purposes of the Controller (for example: the resolution of pre-litigation or litigation disputes, the need to follow up investigations of the judicial or competent authorities initiated before the expiry of the retention period). In the latter case, such data will be stored and, if necessary, kept in a blocked manner, in accordance with the applicable laws.
Information systems used for the functioning of the App may collect, during their normal activity, data whose transmission is necessary for the use of Internet communication protocols. This data (e.g., IP address) is not collected to identify you, but it may identify you where it is combined with data held by third parties. We use this data only to check the correct functioning of the App and we erase it immediately after it has been processed.
5. Collection and communication of data
The personal data held by the Controller is collected directly from you. In order to pursue the above purposes, your personal data is accessible and/or communicated to the Controller's employees duly authorised and trained in the processing of personal data, other companies of the Controller's group for internal administrative purposes, as well as to third parties (for example: consultants or suppliers of technical, management or organizational services to which the Controller has outsourced some activities for efficiency reasons) who have signed an agreement with the Controller and act as data processors. In any case, data access is granted only on a need-to-know basis and data communication is assessed on a case-by-case basis, which includes the assessment of the necessity and proportionality of such a need. These recipients are provided only with the personal data necessary to carry out the relevant functions and they undertake to use the personal data received only for the processing purposes indicated above, to keep them confidential and secure and to act in compliance with the applicable legislation. You may request the updated list of data processors and recipients by contacting the Controller. The Controller specifies that some of the recipients indicated above are located abroad, including outside the European Union, in countries that do not guarantee an adequate level of personal data protection. In this case, the Controller allows access to personal data for the above-mentioned purposes only after the adoption of the security measures required by the Regulation for a legitimate transfer (for example, prior execution of the standard contractual clauses of the European Commission for the transfer of personal data abroad). You have the right to obtain a copy of the applicable security measures by contacting the Controller.
6. Your rights
You have the following rights with regard to the personal data we process:
- to request access to your personal data, including the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipient to whom the personal data have been or will be disclosed;
- to request rectification of your personal data;
- to request erasure of your personal data;
- to request restriction of processing of your personal data;
- to request data portability;
- to object to the processing of your personal data.
The Controller reminds you that:
- you can always lodge a complaint with the local data protection supervisory authority (you can find contact details of your local authority here if you are located in the EU or EEA or here if you are located in the UK);
- the exercise of these rights is free of charge but they may be subject to limitations provided by the applicable law;
- to exercise these rights or for any request relating to the processing of personal data by the Controller, you may contact the Controller at the contact details listed above.
7. Additional information on measures adopted to contain COVID-19
This paragraph applies only if you are an employee of one of the following:
In the context of the measures taken by the Controller to contain and mitigate COVID-19 (the “Measures”), the App allows you to perform the following actions.
| No. | Action | Details |
| --- | --- | --- |
| 1 | To verify the outcome of the mandatory temperature checks at the entrance of Controller’s premises and to scan Green Passes. | By default, verification does not allow the direct identification of an employee. The code is randomly generated and does not contain any information that identifies employees or its device. The terminal only shows the result of the temperature scanning and is limited to the following: “temperature threshold exceeded” – “temperature threshold not exceeded” (i.e. skin temperature is not recorded). The validity rules provide that, for a positive outcome of the check, the green certification, in addition to being valid, must also be of the type provided for by the regulations currently in force for the age of the user (the age is inferred from the information encoded in the QR code, as well as the type of certification) - please note that the app does not display details such as the type of green certification but the outcome of the check. The app does not transmit to the web dashboard the name data associated with the check but only the location, date/time of the check and the summary result OK/KO |
Although the App does not record, store or keep track of the scanned QR-Code, in case of temperature threshold exceeded, the Controller will become aware of said result and will prevent you from accessing the relevant premises to comply with the Measures and the applicable legal obligations. Therefore, the Controller informs you that, in the context of the Measures, it will perform the processing of your personal data for the following purposes.
| No. | Purposes | Legal basis |
| --- | --- | --- |
| 1 | To pursue our legitimate interests in adopting appropriate measures aimed at ensuring employees’ health and safety. | Article 6.1(f) of the Regulation. |
| 2 | To comply with our legal obligations imposed on the employer to adopt appropriate measures aimed at ensuring employees' health and safety (e.g. obligations relating to health and safety at the workplace such as temperature checks). | Article 6.1(c) and article 9.2(b) of the Regulation. |
For further details, please refer to the Information Notices provided to you in the context of the Measures.
* * *
Acceptance form
[X] I confirm that I have read and understood the privacy policy on the processing of my personal data [hyperlink]