Current legislation in force regarding the processing (1) of personal data as defined in accordance with the provisions of EU Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data (General Regulations on Data Protection, hereinafter referred to as “EU Privacy Regulations”) includes provisions to ensure that the processing of personal data complies with the rights and fundamental freedoms of natural persons, with particular regard to the right to the protection of personal data.
Purpose of the processing and legal basis of the processing
In fulfilment of the obligations provided for by the legislation in force, we hereby inform you that the Data Controller (hereinafter also referred to as the “Controller”) performs the processing of your personal data for the purpose of controlling access to the premises of the companies of A2A Group. This processing serves, in particular, to verify the identity of persons accessing corporate areas and to have immediate information on who is on company premises daily, including for reasons of safety. We also wish to inform you that, for reasons of safety and protection of company assets, a video surveillance system with closed-circuit television cameras is in operation on company premises. The images taken are processed by authorized personnel only.
Processing of data may have as its legal basis the pursuit of a legitimate interest by the Data Controller (e.g. protection of corporate assets or defending a right in court) or the eventual fulfilment of a legal obligation (e.g. data communications to the authorities) to which the Data Controller is subject.
Processing methods and data retention period
Processing will be performed with or without the aid of electronic tools, according to the principles of fairness, lawfulness and transparency, in order to protect at all times the confidentiality and rights of the person concerned in compliance with the provisions of the legislation in force.
Personal data will not be subjected to decisions based solely on automated processing, including profiling, which produce legal effects concerning you or that in a similar way affect you significantly.
Your data will be retained, in accordance with the regulations in force, for no longer than is necessary to fulfil the purposes for which it is processed.
The retention period of the images taken by the video surveillance systems is a maximum of seven days except for any requests by the police or judicial authorities.
Nature of the provision and possible consequences of refusal
All the data collected within the scope of this processing is used for the declared purposes and for the fulfilment of legal requirements, including those on personal safety. The provision of the personal data required is optional, but the refusal to provide such data precludes access to the premises of the companies of A2A Group, given the urgent need to identify anyone who enters company areas.
Persons authorised to process personal data - Disclosure and dissemination of data
The personal data and images collected are processed by authorized personnel who need to have knowledge of such data in order to perform their duties and by external parties who may act as joint controllers or data processors, as required.
Your personal data may be disclosed to third parties who are responsible for the execution of related activities that are instrumental to this processing, to national authorities, public administrations, other companies of the A2A Group and third parties, in fulfilment of legal obligations.
Your data will not be disseminated.
Data Controller and Processor and Data Protection Officer
The Data Controller is A2A S.p.A., with registered office in Via Lamarmora 230 - Brescia. The role of Data Processor has been assigned to certain companies that provide the Controller with specific processing services or perform activities related to, instrumental. Any queries may be sent in writing to the Data Protection Officer at the following address: dpo.privacy@a2a.eu, indicating the Company of the A2A Group (Data Controller) intended to receive the request.
Rights of the interested party
According to the EU Privacy Regulations, you have the right to obtain from the Data Controller:
- confirmation as to whether or not your personal data is being processed, and, where that is the case, access to the personal data (right of access).
- rectification of inaccurate personal data, or to have incomplete personal data completed (right of rectification).
- the cancellation of personal data, where one of the grounds provided for by Regulations applies (right of cancellation).
- the restriction of processing where one of the grounds provided for by the Regulations applies (right of restriction).
- to receive your personal data, which you provided to the Controller, in a structured, commonly used and machine-readable format and the right to transmit it to another data controller (right to portability).
- to oppose at any time the processing performed in the pursuit of a legitimate interest of the Controller (right of opposition).
To exercise these rights, you can send an email to securitycontrolroom@a2a.eu or written communication to the Controller.
Without prejudice to any other administrative appeal or judicial review, you have the right to lodge a complaint with a Supervisory Authority if you believe that the processing of your data violates the EU Privacy Regulations.
(1) Processing: any operation or set of operations, performed with or without the use of automated processes and applied to personal data or sets of personal data, such as the collection, recording, organization, structuring, retention, adaptation or modification, extraction, consultation, use, disclosure by transmission, dissemination or any other form of provision, comparison or interconnection, limitation, deletion or destruction.
The current applicable data-processing regulations (1) defined in accordance with the provisions of EU Regulation no. 2016/679 of 27 April 2016 regarding the protection of natural persons with respect to personal-data processing, as well as the free circulation of such data (General Regulation on Data Protection or “GDPR”), contain provisions aimed at ensuring personal-data processing takes place in a manner respecting the rights and fundamental liberties of natural persons, with specific reference to the protection of personal data.
Categories of Personal Data
Personal data processed by Data Controller shall include but not be limited to:
- Biographical data and other identifiers (e.g. name, surname, Tax ID number, address, place and date of birth);
- Contact information (e.g. telephone numbers - landline and mobile - email address);
- Data relating to the supply agreement (e.g. supply type, POD);
- Voice recordings
- Other data falling under the aforementioned categories
Data Controller may request the processing of its own customers’ data to carry out specific requests.
Recipients of Personal Data
Your personal data shall be processed by authorised staff who need to access the data in the performance of their job duties, and by third parties taking action as independent Data Controllers and Data Supervisors.
Your personal data may be disclosed to:
- Parties charged with carrying out operations connected and relating to processing (archival-services companies, IT service providers, social-media-management firms, marketing firms, credit-collection companies, professional firms, default-services operators, brokerages, insurance companies);
- Other companies in the A2A Group, to the authorities, to research institutions or universities;
- Entities of the public administration, and other parties in the discharge of statutory duties;
- Other parties holding a legitimate interest.
Your data shall not be disseminated.
Data Transfer to Non-EU Countries
Data Controller shall reserve the right to transfer your personal data to any country based on adequacy decisions of the European Commission, pursuant to those adequacy guarantees contemplated by applicable law.
Personal-Data Retention Period
Your data shall be retained in accordance with the provisions of applicable privacy regulations for no longer than strictly necessary to pursue those purposes for which they were processed, or as statutory / regulatory duties demand.
Data from recorded calls shall be retained for thirty (30) days.
Should any request be made by the relevant authorities, the aforementioned retention periods shall be extended, whereas in instances of any dispute, the personal data shall be retained until the dispute has been resolved.
Processing Method
The processing shall be carried out with or without the assistance of electronic tools, according to the tenets of ethics, lawfulness, transparency, in order to protect the data-subject's rights and privacy at all times in accordance with applicable law.
Rights of the Data Subject
The GDPR grants you the ability to exercise certain rights, including the right to ask the Data Controller to:
- Confirm whether any processing is being conducted on your personal data, and in such cases, to access the same (access rights);
- Correct any inaccurate personal data, or to supplement incomplete personal data (correction rights);
- Delete the data themselves if one of the reasons contemplated under the GDPR applies (right to be forgotten);
- Limit processing when one of the situations contemplated under the GDPR applies (limitation rights);
- Receive the personal data you supplied to the Data Controller in a structured, commonly used, and machine-readable format, and to transmit such data to another Data Controller (portability rights);
- Object at any time to processing carried out to pursue a Data Controller legitimate interest, and for marketing- and profiling-related purposes (right of objection);
- Revoke consent, if provided, on the processing of your data, at any time, without thereby prejudicing the lawfulness of any processing predicated on your consent prior to such revocation.
To exercise your rights, you may send a written request to Data Controller or Data Protection Officer.
Without prejudice to any administrative or legal petition or appeal, you have the right to lodge a complaint to any authority, should you believe your processing to have violated the GDPR.
Source of the Personal Data
All personal data supplied by you, observed by the Data Controller, or lawfully collected through any third party (e.g. companies providing lists), shall be strictly functional to the purposes described above.
Automated Decision-Making Processes
Your data shall not be subject to decisions based solely on automated processing, including profiling, which produce legal effects on the data subject, or which in any other way significantly impact your person.
(1) Processing: Any operation or set of operations carried out with or without the assistance of automated processes and applied to personal data, or to a set of personal data, such as collection, recording, organisation, structuring, retention, adaptation, modification, extraction, consultation, use, disclosure by transmission, dissemination, or any other method of making the data available, comparison, or interconnection, limitation, deletion, or destruction.