Data privacy policy

This document contains the information to the data processing carried out by Tubitex and the general policy applied to data processing.

1. Disclosure and request for consent under Art. 13 of European Regulation no. 2016/679 (GDPR)

Pursuant to Art. 13 of the GDPR We inform you that the data that are in our files will be processed by Tubitex S.p.A., the Data Controller. The updated list of data controllers is available from the Data Controller.
The data will be processed, using electronic and/or automated means and will be for the purpose of managing the business relationship and obligations arising from tax regulations. Authorizations for the above purposes are mandatory, without such processing it is not possible to carry out the requested activities.
Your data may be disclosed to entities that are functional in the pursuit of the purposes described above.
The legal basis for processing is related to the management of legal obligations and the execution of the business relationship.
At any time you may exercise your rights under articles 15 – 22 of the GDPR, including deletion of data or opposition to their use, by contacting: Tubitex S.p.A. with headquarters in Viale del Lavoro 31, 36048 Barbarano Mossano (VI), through the mailbox privacy@tubitex.com.
The data will be kept in our files for the periods required by legal obligations or until a legitimate request for deletion.
Complaints may be made in relation to the processing to the competent authority: Garante sulla Protezione dei Dati Personali, Piazza di Monte Citorio no. 121 00186 ROME, Fax: (+39) 06.69677.3785, Switchboard: (+39) 06.696771, E-mail: garante@gpdp.it.

2. Purpose of the policy

Tubitex S.p.A., henceforth referred to as the “Company,” is committed to being in compliance with applicable laws and regulations regarding the protection of personal data in the countries where it operates.
This procedure defines the basic principles according to which the Company handles personal data of customers, suppliers, business partners, employees and other individuals, and indicates the responsibilities of its departments and employees in handling personal data.

3. Normative references

GDPR 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC)
National laws or regulations relevant to the implementation of the Regulations

4. Definitions

The definitions used in this document are taken from Article 4 of the European Regulation:

“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, by reference in particular to an identifier such as a name, an identification number, location data, an online identifier, or to one or more characteristic elements of his or her physical, physiological, genetic, mental, economic, cultural or social identity;

Sensitive data: personal data that, by their nature, are particularly sensitive in relation to fundamental rights and freedoms and deserve specific protection because the context of their processing could create significant risks to fundamental rights and freedoms. These personal data include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data that uniquely identify a natural person, health data, or data relating to a person’s sexual orientation.

Data controller: the natural or legal person, public authority, service or other body which, individually or jointly with others, determines the purposes and means of the processing of personal data;

Data controller: the natural or legal person, public authority, service or other body that processes personal data on behalf of the data controller;

Processing means any operation or set of operations, whether or not by automated means, applied to personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, comparison or interconnection, restriction, erasure or destruction;

Anonymization: irreversible de-identification of personal data in such a way that the person cannot be identified by technology and within a reasonable time and cost by either the owner or another person. The principles of processing personal data do not apply to anonymized data as these are not considered personal data.

Pseudonymization: the processing of personal data in such a way that personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is stored separately and subject to technical and organizational measures designed to ensure that such personal data is not attributed to an identified or identifiable natural person; pseudonymization reduces, but does not entirely eliminate, the possibility of linking personal data to a data subject. Keeping in mind that data that have undergone the pseudonymization process are still personal data, this process must be in accordance with the principles of personal data processing.

Cross-border processing: processing of personal data that takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or processing of personal data that takes place in the context of the activities of a single establishment of a controller or processor in the Union, but affects or is likely to affect substantially data subjects in more than one Member State;

Supervisory authority: the independent public authority established by a member state under Article 51;

Primary supervisory authority: the supervisory authority with primary responsibility for dealing with a cross-border data processing activity, such as when a data subject files a complaint about the processing of his or her personal data; it is responsible for, among other things, receiving data breach notifications, being informed about risky processing activities, and will have full authority regarding its obligations to ensure compliance with the provisions of the GDPR;

Each “local supervisory authority” will still maintain its activity in its own territory and monitor any processing of data locally that affects data subjects or is carried out by an EU or non-EU data controller or supervisor when their processing targets data subjects residing on its territory. Their duties and powers include conducting investigations and enforcing administrative measures and sanctions, promoting general awareness of risks, regulations, security, and rights in relation to the processing of personal data, and providing access to any premises of the data controller and data processor, including any tools and means for data processing.

Principal establishment: in respect of a data controller with establishments in more than one Member State, the place of its central administration in the Union, unless decisions on the purposes and means of the processing of personal data are made in another establishment of the data controller in the Union and the latter establishment has the power to order the execution of such decisions, in which case the establishment that has made such decisions is deemed to be the principal establishment;

Principal Establishment: with respect to a controller with establishments in more than one Member State, the place where its central administration in the Union is located or, if the controller does not have a central administration in the Union, the establishment of the controller in the Union where the principal processing activities are conducted in the context of the activities of an establishment of the controller to the extent that such controller is subject to specific obligations under this Regulation;

Business group means a group consisting of a parent company and the companies controlled by it;

5. Basic principles of personal data processing

The data protection principles outline basic responsibilities for organizations involved in the processing of personal data. Article 5(2) of the Regulation states that “the controller is responsible for and must demonstrate compliance with these principles.”

5.1. Legality, fairness and transparency

Personal data must be processed lawfully, fairly and transparently in relation to the data subject.

5.2. Purpose limitation

Personal data must be collected for specific, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.

5.3. Data minimization

Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. If possible to reduce risks to data subjects, the Society should apply anonymization or pseudonymization to personal data.

5.4. Accuracy

Personal data must be accurate and, where necessary, updated; reasonable steps must be taken to ensure that personal data that are inaccurate, in relation to the purposes for which they are processed, are deleted or rectified in a timely manner.

5.5. Limitation of storage period

Personal data must be kept for a period no longer than is necessary for the purposes for which the personal data are processed.

5.6. Integrity and confidentiality

Taking into account the state of technology and other available security measures, implementation costs, and the likelihood and severity of personal data risks, the Company shall use appropriate technical or organizational measures to process personal data in a manner that ensures adequate security of personal data, including protection against accidental or unlawful destruction, loss, alternation, or disclosure or unauthorized access.

5.7. Responsibility

Data controllers are responsible for demonstrating compliance with the principles described above.

6. Integrating data protection into business activities

In order to demonstrate compliance with data protection principles, the organization must integrate data protection into business activities.

6.1. Information to interested parties

(See the section Guidelines on proper treatment)

6.2. Choice and consent of the data subject

(See the section Guidelines on proper treatment)

6.3. Collection

The Society must try to collect as little personal data as possible. If personal data is collected by a third party, the Owner must ensure that the personal data is collected in accordance with legal requirements.

6.4. Use, storage and disposal

The purposes, methods, storage limits, and retention period of personal data must be consistent with the information in the general data protection notice.

The Company must maintain the accuracy, integrity, confidentiality and relevance of personal data according to the purpose of processing. Appropriate security mechanisms should be used to protect personal data to prevent theft or misuse and prevent personal data breaches. the Holder is responsible for compliance with the requirements listed in this section.

6.5. Disclosure to third parties

Whenever the Company uses a third-party vendor or business partner to process personal data on its behalf, the privacy contact person must ensure that this processor provides security measures to safeguard personal data appropriate to the associated risks. For this purpose, it is necessary to use appropriate compliance questionnaire.

The Company must contractually require the supplier or business partner to provide the same level of data protection. The supplier or business partner must process personal data only to fulfill its contractual obligations to the Company or on the Company’s instructions and not for any other purpose. When the Company processes personal data jointly with an independent third party, the Company must explicitly specify the respective responsibilities and the third party in the respective contract or any other legally binding document, such as the Provider Data Processing Agreement.

6.6. Cross-border transfer of personal data

Appropriate safeguards must be used before transferring personal data from the European Economic Area (EEA), including the signing of a data transfer agreement as required by the European Union and, if necessary, permission from the data protection authority must be obtained. The entity receiving personal data must comply with the principles of personal data processing set forth in the Cross-Border Data Transfer Procedure.

6.7. Rights of access for data subjects

When acting as a data controller, the company is required to provide data subjects with a reasonable access mechanism that allows them to access their personal data and must allow them to update, correct, delete, or transmit their personal data, if appropriate or required by law. The access mechanism will be further detailed in the Data Subject Access Request Procedure.

6.8. Data portability

Data subjects have the right to receive, upon request, a copy of the data they have provided in a structured format and to transmit such data to another data controller free of charge. the Controller is responsible for ensuring that such requests are processed within one month, are not excessive, and do not affect the personal data rights of others.

6.9. Right to be forgotten

Upon request, the data subject has the right to obtain from the company the deletion of his or her personal data. When the company acts as a data controller, the privacy contact person must take the necessary actions (including technical measures) to inform third parties who use or process that data to comply with the request.

7. Guidelines on proper treatment

Personal data can only be processed if explicitly authorized by the owner.
The company must decide whether to conduct a data protection impact assessment for each data processing activity as defined by the Data Protection Impact Assessment Guidelines.

7.1. Information to interested parties

At the time of or prior to the collection of personal data for any type of processing activities including but not limited to the sale of products, services or marketing activities, the Data Controller is responsible for adequately informing data subjects of the following: the type of personal data collected, the purposes of processing, the methods of processing, the rights of data subjects in relation to their personal data, the retention period, potential international data transfers, whether data will be shared with third parties, and the Company’s security measures to protect personal data. This information is provided through a general data protection notice.

If the company has multiple data-processing activities, different notices will need to be developed that will be different depending on the processing activity and the categories of personal data collected, e.g., one notice might be written for mailings by mail and a different one for mailings by regular mail.

Where personal data are shared with third parties, the Controller must ensure that data subjects have been informed of this through a general data protection notice.

Where personal data are transferred to a third country under the cross-border data transfer policy, the general data protection notice should specify this, clearly stating where and to which entity the personal data are being transferred.

Where sensitive personal data are collected, the Privacy Contact Person must ensure that the general data protection notice expressly clarifies the purpose for which such sensitive data are collected.

7.2. Obtaining consents

Whenever the processing of personal data is based on the consent of the data subject, or other legitimate grounds, the Controller is responsible for keeping a record of that consent. The Controller is responsible for presenting data subjects with different options for providing consent and must inform and ensure that their consent (whenever it is used as a legal basis for processing) can be withdrawn at any time.

When requested to correct, amend, or destroy personal data records, the Privacy Contact must ensure that such requests are handled within a reasonable time frame. The Privacy Contact Person must also record requests and keep an appropriate log.

Personal data should be processed only for the purpose for which it was originally collected. In the event that the Company wishes to process personal data collected for another purpose, the Company must request the consent of its data subjects in clear and concise written form. Any such request should include the original purpose for which the data were collected and also any new or additional purposes. The request must also include the reason for the change in purpose(s). The Privacy Contact Person is responsible for compliance with the rules in this section.

Now and in the future, the Privacy Contact Person must ensure that collection methods comply with the law, good practices, and relevant industry standards.

The Privacy Contact Person is responsible for creating and maintaining a register of general data protection notices.

8. Response to data breach incidents

When the company becomes aware of a suspected or actual personal data breach, The Privacy Contact shall conduct an internal investigation and take appropriate action in a timely manner in accordance with the data breach procedure. If there are any threats to the rights and freedoms of data subjects, the company must notify the data protection authorities without any delay, and if possible, within 72 hours.