SOLUTIONS 30 GENERAL PRIVACY NOTICE

Purpose

This privacy notice explains how Solutions30 collects and uses personal data and describes the rights you have with respect to your personal data.

It also expresses the strong commitment of Solutions30 Group to respect and protect your privacy and Personal Data, whether you are one of our employees, suppliers, customers, business partners, Clients or their respective end customers.

In line with the provisions of the GDPR and privacy and data protection laws and regulations applicable in EEA countries, this Policy also constitutes a legal mechanism enabling international data transfers within the Group, whenever Solutions30 acts either as a Data Controller or a Data Processor, including when it transfers such Personal Data on behalf of a Client.

Definitions

“Adequate Country” means any country, territory or one or more specified sectors within that country, or organization that is located outside of the EEA and is recognized by the European Commission as ensuring an adequate level of protection of Personal Data.

“BCR” means Binding Corporate Rules and constitutes a legal mechanism enabling transfers of Personal Data originating from or processed in the EEA within the Group.

“Client” means a third party to whom Solutions30 provides services described in a contract signed between Solutions30 and such Client. In this situation, the Client acts as a Data Controller in relation to the Processing of your Personal Data by Solutions30, which in turn acts as a Data Processor on behalf of such Client.

“Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

“Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data (where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law).

“Data Processor” means the natural or legal person, public authority, agency or other body which Processes your Personal Data on behalf of the Data Controller.

“DPO” means a data privacy expert appointed by the respective companies belonging to Solutions30, who is accountable for ensuring that the relevant company belonging to the Group is following policies and procedures set out to protect Personal Data.

“Data Subject” means an identifiable natural person to which Personal Data relates.

“EEA” means the European Economic Area and includes all member states of the European Union, as well as Iceland, Liechtenstein, and Norway.

“GDPR” means General Data Protection Regulation.

“Group” or “Solutions30” means Solutions30 SE and any subsidiary that is wholly or partially owned, whether directly or indirectly, by Solutions30.

“Personal Data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number (e.g., IP-address, cookie tag) or location data. The term Personal Data is very broad under the GDPR. To qualify as Personal Data it is not necessary to combine the name of a natural person with other identifiers of the natural person.

“Processing” means any use or operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organizing, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, transfer or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing can include asking a person for information, capturing information on call details (including call recording), logging and analyzing network traffic and accessing a customer’s CRM system or other external database, if applicable.

“Profiling” means any form of automated processing of your Personal Data consisting of the use of your Personal Data to evaluate certain personal aspects relating to you, in particular to analyze or predict aspects concerning your performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

“Security Incident” means any actual, potential or suspected incident, action, failure, or other occurrence leading to the accidental, deliberate or unlawful destruction, loss, alteration, or unauthorized acquisition, disclosure or access to, hardcopy or electronic data and information, irrespective of whether it is personal data or confidential information or not, which is owned, controlled or maintained by the Solutions30 Group directly or indirectly (e.g., it is hosted by a vendor or other service provider to the Solutions30 Group). A Security Incident is specifically present if one or more of the following conditions are met:

● Any potential or actual violation of any law or regulation or any violation of one or more company procedures involving an information technology asset.

● A breach, attempted breach or other unauthorized access of an information technology asset. The incident may originate from the Company’s network or an outside person or entity.

● Any malicious code.

● Any potential or actual violation of one or more company policies that occurs using an information technology asset, in whole or in part etc.

“Special Categories Data” means any Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the Processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, or data concerning health, sex life or sexual orientation.

“Sub-processor” means a company belonging to Solutions30 contracted by another company belonging to the Group, acting as a Data Processor, to Process Personal Data.

“Supervisory authority” means an independent public authority which is established by a Member State (e.g. CNPD in Luxembourg, CNIL in France, Garante della Privacy in Italy etc.).

“Third-Party Data Processor” means a non-Solutions30 company contracted by Solutions30 to process Personal Data.

Scope

The Group collects and uses certain data about people, be they customers, suppliers, salespeople, employees or other people the Group is related to. The scope also extends to all equipment owned or leased by the Group.

The present policy describes how these data are collected, managed and stored in order to meet the data protection standards outlined in the Regulation (EU) 2016/679 (GDPR) and the reference norms.

The Policy applies globally to all Solutions30.

Who is the Data Controller?

The Data Controller is Solutions30, because the organization determines the purposes and means of the processing of Personal Data.

What Personal Data do we process?

The categories of Data Subjects and Personal Data and the purposes of Processing include, but are not limited to, the following:

Employees, independent contractors, and trainees, for the purposes of human resources and personnel management processes, which may cover any type of Processing. Such Processing covers, but is not limited to:

  • basic personal details (e.g., full name; age and date of birth);
  • education, professional experience and affiliations (e.g., education and training history; languages; trade union membership);
  • family, lifestyle and social circumstances (e.g., marital status; emergency contact details; religion or religious beliefs);
  • health, welfare and absence related (e.g., reason for absence; disability, access, special requirements details);
  • employee training and performance related (e.g., disciplinary action, performance rating; call recording);
  • financial details (e.g., bank account information; national insurance number; bonus payments);
  • photographic, video and location information (e.g., ID Cards images; tracking data);
  • identification checks and background vetting (e.g., results of criminal checks; proof of eligibility to work);
  • system access (e.g. access logs, tracking information);
  • account credentials (e.g., username, password, security questions).

Clients, for the purposes of client relationship management, which may cover any type of Processing, including, but not limited to:

  • basic personal details (e.g., full name, address, email etc.);
  • photographic, video and location information (e.g., ID Card images);
  • system access (e.g. access logs, tracking information);
  • account credentials (e.g., username, password, security questions).

Any other party, for the purposes of ensuring any other business operations, which may cover any type and regulatory obligations. Such Processing covers third-party Personal Data including, but not limited to:

  • basic personal details (e.g., full name);
  • business activities (e.g., goods or services provided);
  • financial details (e.g., bank account information);
  • photographic, video and location information (e.g., ID Card images);
  • system access (e.g. access logs, tracking information);
  • account credentials (e.g., username, password, security questions).

What are the purposes of the Personal Data Processing?

Solutions30 ensures that Personal Data is obtained only for one or more specified purposes and is not further processed in any manner incompatible with those purposes.

In particular, the Personal Data collected for specified purposes will not be used for another purpose, unless:

  • a relevant exemption from the legislation applies; or
  • the natural persons whose personal information is to be processed for the new purpose have consented to the processing for this new purpose.
  • any consent for any incompatible purpose is freely given and informed.

Solutions30 has identified the legal basis for the processing of all Personal Data, which shall be selected from one or more of the following (pursuant to Art. 6 GDPR):

  • the appropriate natural person’s unambiguous consent for specific purposes;
  • necessary for the performance of a contract to which the natural person is a party, or to take steps to enter into a contract;
  • necessary for compliance with a legal obligation to which the organization is subject;
  • necessary for protecting the vital interests of the natural person;
  • necessary to perform a task carried out in the public interest or exercise of official authority of the organization;
  • necessary for the legitimate interests of the data controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the natural person (not applicable to processing carried out by public bodies in the performance of their tasks);
  • additional provisions for processing of a kind introduced by national laws.

In particular, Solutions30 processes your Personal Data principally because it is:

  • necessary for the performance of a contract to which the natural person is a party, or to take steps to enter into a contract;
  • based on the appropriate natural person’s unambiguous consent for specific purposes;
  • necessary for compliance with a legal obligation to which the organization is subject.

Particular safeguards are applied when special categories of Personal Data are being processed. In this case, Solutions30 has identified the additional legal basis for the processing of special categories of Personal Data, which shall be selected from one or more of the following:

  • natural person’s explicit consent for specific purposes;
  • necessary for employment rights or obligations;
  • necessary for protecting the vital interests of the natural person;
  • necessary for legitimate activities of a foundation, association, or any other non-profit making body for a political, philosophical, religious or trade union aim, with appropriate safeguards;
  • information deliberately made public by the natural person;
  • necessary for the establishment, exercise or defence of legal claims;
  • necessary for reasons of substantial public interest;
  • necessary for preventive or occupational medicine, assessment of the working capacity of an employee, medical diagnosis, provision of health or social care systems and services;
  • necessary for reasons of public health or professional secrecy;
  • additional provisions for processing of a kind introduced by national laws with regard to the processing of genetic, biometric or health data.

In particular, Solutions30 can process your Personal Data principally because it is:

  • necessary for employment rights or obligations;
  • necessary for preventive or occupational medicine, assessment of the working capacity of an employee, medical diagnosis, provision of health or social care systems and services;
  • necessary for reasons of public health or professional secrecy.

How do we process the Personal Data?

GDPR indicates how organizations shall collect, manage and store Personal Data. The rules it contains apply regardless of whether data is stored digitally, on paper or in any other way.

To comply with the GDPR and any other applicable law, Personal Data shall be correctly collected and used, safely stored and not illicitly disclosed.

Solutions30 follows these important principles pertaining to Personal Data processing. Namely, Personal Data:

  1. Shall be processed fairly and legally;
  2. Shall be obtained only for specific and legal purposes; (Purpose limitation)
  3. Shall be adequate, relevant, accurate, up-to-date and not in excess of what they are processed for; (Data minimization)
  4. Shall not be stored for longer than needed; (Storage limitation)
  5. Shall be processed while respecting the rights of data subjects;
  6. Shall be adequately protected;
  7. Shall not be processed outside of the European Economic Area (EEA), unless such state or territory guarantees an adequate protection level, or standard data protection clauses adopted by the European Commission, BCR or other appropriate safeguards are in place.

At Solutions30 we have appointed a DPO in each country in which we operate, in order to secure the appropriate treatment of privacy matters in each respective jurisdiction.

With whom do we share your Personal Data?

Solutions30 ensures that, where the organization shares Personal Data with another organization, the responsibilities of both parties with regard to the Personal Data are formally documented in a written agreement or contract as appropriate.

Wherever it is possible, any new Processing which involves the sharing of Personal Data with third parties is compatible with the terms of the information provided to the natural person.

Where this is not possible, Solutions30 shall ensure that it has:

  • legal basis for the data sharing;
  • provided appropriate notice of sharing to the natural person, if applicable;
  • assessed compliance with the purpose limitation principle; and
  • if required, the natural person’s consent to the data sharing.

Where data sharing with third parties is allowed without the consent of the natural person, because for example it is required by the applicable law, Solutions30 ensures that an auditable record of the protocols and controls for this data sharing is documented.

Transfers of Personal Data

Transfers within the EEA or from the EEA to an Adequate Country

This section describes a situation when a Solutions30 based in the EEA transfers your Personal Data to one of the following:

  • To another Solutions30 company or third party also based in the EEA. An example would be a transfer of your Personal Data by a Solutions30 branch in France to a Solutions30 in Italy; or
  • To another Solutions30 company or third party based in an Adequate Country. An example would be a transfer of your Personal Data by a Solutions30 branch in Spain to a third party in Switzerland.

Laws and regulations applicable in EEA countries authorize transfers of your Personal Data between organizations based in the EEA, or from an organization based in the EEA to another organization based in an Adequate Country. Therefore, Solutions30 does not need to implement any additional measures in such cases.

Transfers from the EEA to a non-Adequate Country

This section describes a situation when a Solutions30 branch based in the EEA transfers your Personal Data to another Solutions30 company or a third party located in a non-Adequate Country. An example would be a transfer of your Personal Data by a Solutions30 branch in Italy to a Solutions30 branch in Tunisia, or a Solutions30 branch in Italy being serviced by a third party in the Philippines.

When an EEA Solutions30 transfers your Personal Data to another Solutions30 located in a non-Adequate Country not providing an adequate level of data protection, we will base the transfer on appropriate safeguards, such as BCRs (Art. 46(2)(b), 47 GDPR), standard data protection clauses adopted by the European Commission or by a supervisory authority (Art. 46(2)(c) or (d) GDPR), approved codes of conduct together with binding and enforceable commitments of the recipient (Art. 46(2)(e) GDPR), or approved certification mechanisms together with binding and enforceable commitments of the recipient (Art. 46(2)(f) GDPR).

Transfers from non-EEA countries to other countries

This section describes the transfer of your Personal Data by a non-EEA Solutions30 branch to another Solutions30 branch or third party based in another country. An example would be a transfer of your Personal Data by a Solutions30 in Tunisia to a Solutions30 in the US, or a Solutions30 in Morocco being serviced by a third party in Spain.

Any transfer of your Personal Data from a non-EEA country to any other country shall be done with appropriate and reasonable protection, and in compliance with the laws and regulations applicable to the Solutions30 at the origin of the transfer, in particular, but not limited to, any legal requirement on transfers of your Personal Data or pertaining to security.

How do we manage the risks?

Solutions30 has implemented a specific Security Incident Response Procedure (the Procedure) to ensure that the company reacts appropriately to any type of security incidents relating to data protection.

The organization is responsible for monitoring all incidents that occur internally that may violate the security and/or confidentiality of data. The main objective of the Procedure is not to search for the culprit, but to manage and limit problems and learn from errors, with a view to continuous improvement.

This Procedure applies to all employees, collaborators, consultants and temporary workers within Solutions30.

The Procedure is intended to provide direction for responding to a Security Incident (i) to enable rapid detection, minimize loss and destruction, and mitigate the weaknesses that were exploited, and (ii) to comply with Security Incident and/or data breach notification obligations under the GDPR.

What are your rights?

Right to withdraw your consent: If you have given your consent regarding certain types of Processing activities (in particular regarding the receipt of certain direct marketing communications), you can withdraw this consent at any time with future effect. Such a withdrawal will not affect the lawfulness of the processing prior to the consent withdrawal. You can withdraw your consent by writing to dpo@solutions30.com.

Additional data privacy rights: Pursuant to applicable data protection law and the GDPR, you have the right to: (i) request access to your Personal Data; (ii) request rectification of your Personal Data; (iii) request erasure of your Personal Data; (iv) request restriction of processing of your Personal Data; (v) request data portability; and/or (vi) object to the processing of your Personal Data. Please note that these rights might be limited under the applicable (local) data protection law.

(i) Right to request access to your Personal Data: you have the right to obtain from us confirmation as to whether or not Personal Data concerning you is processed, and, where that is the case, to request access to the Personal Data. The access information includes – inter alia – the purposes of the processing, the categories of Personal Data concerned, and the recipients or categories of recipients to whom the Personal Data have been or will be disclosed. However, this is not an absolute right and the interests of other individuals may restrict your right of access.

You also have the right to obtain a copy of the Personal Data undergoing processing free of charge. For further copies requested by you, we may charge a reasonable fee based on administrative costs.

(ii) Right to request rectification: you have the right to obtain from us the rectification of inaccurate Personal Data concerning you. Depending on the purposes of the processing, you have the right to have incomplete Personal Data completed, including by means of providing a supplementary statement.

(iii) Right to request erasure (right to be forgotten): you have the right to obtain from us the erasure of your Personal Data and we may be obliged to erase such Personal Data.

(iv) Right to request restriction of processing: you have the right to obtain from us and we may be obliged to restrict the processing of your Personal Data. In this case, the respective Personal Data will be marked and may only be processed by us for certain purposes.

(v) Right to request data portability: you have the right to receive the Personal Data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you have the right to transmit those Personal Data to another entity without hindrance from us, where the processing is carried out by automated means and is based on consent pursuant to Art. 6(1)(a) GDPR or on a contract pursuant to Art. 6(1)(b) GDPR.

(vi) Right to object: Under certain circumstances, you have the right to object, on grounds relating to your particular situation, at any time to the processing of your Personal Data by us and we are required to no longer process your personal data. Such right to object especially applies if we collect and process your Personal Data for profiling purposes in order to better understand your interests in our products and services or for certain types of direct marketing. If you have a right to object and if you exercise this right, your Personal Data will no longer be processed for such purposes by us.

How do you exercise them?

To exercise your rights, please contact us at dpo@solutions30.com.

1. IDENTITY VERIFICATION

To prevent Personal Data relating to one individual being sent to another, accidentally or as a result of deception, we need to be sure of the identity of the applicant.

Solutions30 shall collect the information necessary to judge whether the person making the request is the individual to whom the Personal Data relates (or a person authorized to make a request on their behalf).

The level of checks to be carried out depends on the possible damage that inappropriate disclosure of data could cause to the data subject.

2. INFORMATION FOR THE REQUEST TO EXERCISE THE RIGHTS OF THE DATA SUBJECT

The interested party provides the information necessary for managing the request.

Before responding to a request, it is possible to ask the applicant for additional information, which is reasonably needed, to identify the Personal Data subject to the request.

It is not possible to ask the interested party to limit the scope of the request, but only to provide further details that allow identifying the information requested (e.g. information on the context in which the information about them may have been processed, information on the probable dates in which the discussion took place).

3. REVIEW OF INFORMATION

After collecting all the necessary information, the DPO, or a specifically appointed officer, reviews it. Documents or files may contain a multitude of information in addition to the applicant’s Personal Data; this means it may be necessary to consider each document separately to evaluate the information contained therein.

4. RESPONSE TO THE REQUEST FOR EXERCISE

Once the data relevant to the request have been identified and retrieved, they are communicated by the DPO, or by the appointed officer, to the applicant, in an intelligible form and accompanied by a report of the operations carried out. If the organization no longer holds the requested data, a declaration certifying this is sent within 30 days of the request.

EXCEPTIONS

Repeated or unreasonable requests

Solutions30 is not obliged to satisfy a request identical or similar to that already addressed, unless a reasonable interval has elapsed between the first request and the following ones, also taking into account:

  • the nature of the data, especially for those that are particularly sensitive;
  • the purposes of the processing, especially if it can cause damage to the applicant;
  • how often the data is changed: if it is unlikely that information has changed between requests, you may not need to respond to the same request twice.

Respect for the freedoms of others

The right to obtain a copy must not affect the rights and freedoms of others. For example, it is not necessary to comply with a request to exercise the rights of the interested party if this would involve the disclosure of information about another individual who can be identified by such information, except in cases where:

  • the other person has consented to the disclosure; or
  • it is reasonable in all circumstances to comply with the request, without that person’s consent.

5. QUESTIONS AND CONTACT INFORMATION

For any questions about this General Privacy Notice or if you wish to exercise your rights as stated above, you may send an email to the following address: dpo@solutions30.com