Data Retention Policy - Vismaravetro srl

Introduction

The processing of personal data (as well as categories of sensitive/special data) is governed by Italian Legislative Decree no. 196/03 (the Personal Data Protection Code), as amended, and, as of 25 May 2018, by European Regulation 2016/679 concerning the protection of natural persons with regard to the processing of personal data.

Pursuant to art. 11 of the Privacy Code and art. 5 of EU Regulation 2016/679, the personal data processed must be:

  • Processed in a lawful, proper and transparent manner;

  • Collected and recorded for specific, explicit, and legitimate purposes, and utilized in other data processing operations in a manner that is consistent with those purposes;

  • Accurate and, where necessary, updated;

  • Adequate, relevant, complete, and not excessive in relation to the purposes for which they have been collected or subsequently processed;

  • Retained in a format that allows the data subject to be identified for a period of time no greater than that required for the purposes for which they have been collected or subsequently processed: the personal data may be processed for a longer period of time provided that they are used exclusively for purposes of archiving in the public interest, scientific or historical research, or for statistical purposes, without prejudice to the implementation of appropriate technical and organisational measures required by the GDPR;

  • Processed in such a way as to ensure the security of the personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage through the implementation of appropriate technical and organisational measures ("integrity and confidentiality").

Purposes

This Data Retention Policy contains indications regarding the maximum time frames for the retention of the documents generated and/or held by Vismaravetro Srl containing the personal and/or special data regarding the data subjects (website users).

The procedure therefore constitutes a valuable tool for retaining the personal data processed in accordance with the principles indicated above, in order to ensure that the retention time is proportional to the achievement of the purposes for which the data in question have been collected; this allows for the retention of only the documentation that remains legally relevant or has taken on historical value, and the elimination of any documentation deemed to be no longer useful.

Criteria

The criteria for determining the maximum period of the data's retention have been defined. In determining the aforementioned period, the following were taken into account:

  • National and international legislation

  • Case law verdicts

  • Legal interpretations

In order to calculate the data retention period and compensate for the relative legislative shortcomings and loopholes, one of the criteria utilized consists of the analogous extension aimed at governing equivalent and unregulated cases by applying the legislation laid down for similar offences.

The time limit for bringing legal proceedings (legal defence) constituted an additional factor for evaluating the categories of actions with a greater likelihood of involvement in litigation.

The foreseen time frames apply to both documents on traditional media and electronic documents.

The maximum time period indicated is to be understood as applicable to all the documentation produced following the provision of the personal data and retained in the places of jurisdiction (in the case of data retained in paper form) or on the servers or IT devices (in the case of data retained in electronic form) that are only permitted to be accessed by the personnel authorised by the Data Controller (appointees or managers).

Control system

For each office/functional area, the designated subjects/delegates must periodically check whether there are any archived data whose Retention Times have expired and must therefore be deleted, in order to manage the archive in an orderly fashion, and to only retain the data considered necessary.

To this end, the appointees must do the following:

  • Ensure the constant updating of the documents produced and/or received, with the appropriate classification;

  • Schedule periodic audits with regard to the retention times;

  • Periodically eliminate/delete any unnecessary documents.

Deletion of the data

The deletion of the data is to be understood as physical or technical destruction sufficient to render the information contained within a document no longer recoverable using ordinary means available on the market.

The data controller has adopted destruction methods that have been agreed upon and approved by computer technicians, and that can be used for all kinds of information stored on electronic media, including CD-ROMs, DVDs, USB flash drives and other types of mobile media, as well as hard drives, mobile devices, portable drives, registered databases or backup files.

The paper documents will be securely shredded, and the relative stations will be closed within the office of the designated appointee. The waste materials will be periodically collected exclusively by the authorized waste disposal personnel.

Sanctions

Non-compliance with the measures may result in the suspension or revocation of the individual's access to the company's computer systems, as well as disciplinary proceedings, and, under certain circumstances, appropriate legal action.

Functional areas \ Types of data processed \ Retention time

 SPARE PARTS WEBSITE

Data processed

PERSONAL DATA: the names of legal entities, the names and surnames of a legal entity’s company contacts, the address of a legal entity’s registered offices, email addresses (generic and individual e.g. name.surname@xxx.it), telephone numbers (including the direct lines and mobile numbers of company contacts), and the personal data of natural persons, i.e. name, surname, residence, fiscal code, date of birth, email addresses, telephone numbers, and data regarding the use of Vismaravetro Srl websites.

SPECIAL DATA: not collected via the website.

 

Data subjects

 

Website users

Processing methods

Data processing carried out by electronic means, i.e. contact via e-mail and archiving of data on the company CRM, and processing carried out via websites.

Purposes

Data processing carried out for e-commerce purchases and related administrative and accounting activities, or otherwise associated with the performance of organizational activities necessary for the fulfilment of the contractual and pre-contractual obligations in relation to the data subject.

Data processing carried out for direct marketing purposes, for sending advertising or direct sales materials, for conducting market research, or for sending commercial communications via e-mail.

Retention times

Data processing carried out for administrative and accounting purposes: 10 years

Data processing carried out for direct marketing purposes: 2 years from the time of authorization, with subsequent data updating and renewal of the authorization granted.

Processing of the data of potential customers: following the conclusion of the negotiation phase, if the “potential” customer does not become an “actual” customer, the personal data shall be immediately deleted or processed in an anonymous form, provided that their retention is not otherwise justified.

Regulatory references

  • Art. 2220 of the Italian Civil Code “the records must be retained for ten years from the date of the last entry. Invoices, letters and telegrams received, and copies of invoices, letters and telegrams sent, must be retained for the same period of time. The records and documents referred to under this article may be retained in the form of files on imaging media, provided that the files are consistent with the documents and can be rendered legible at any time using the means at the disposal of the subject who uses the media in question”;
  • Provision concerning electrical and electronic waste management in relation to the security measures of 13 October 2008, which defines the measures to be taken in order to delete data processed using storage media;
  • Art. 5 of Regulation 2016/679 – Principles relating to processing of personal data;
  • Art. 13 of Regulation 2016/679 – Information to be provided where personal data are collected from the data subject;
  • Paragraph 39 of Regulation 2016/679 “… In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review …”.

Destruction methods

The data processed using IT tools must be erased by eliminating the system files (DELETE function) and by following the rules below based on the computer media utilized for the processing activities:

  • Secure deletion of the information, which can be obtained using computer programs (such as wiping programs or file shredders), through “low level” formatting of hard disk type devices (low-level formatting – LLF), or the demagnetization (degaussing) of memory devices based on magnetic or magneto-optical media.
  • In the case of the disposal of the media themselves, these must be destroyed using one of the following systems:
    • punching or mechanical deformation systems;
    • physical destruction or disintegration (used for optical media such as CD-ROMs and DVDs);
    • high intensity demagnetization.

 
