In accordance with (i) EU Regulation 2016/679 on the “protection of natural persons with regard to the processing of personal data and on the free movement of such data,” the “GDPR,” (ii) Legislative Decree no. 196 of 30 June 2003, the “Privacy Code,” and as established by (iii) the General Provision on Video Surveillance of 8 April 2010 adopted by the Guarantor for the protection of personal data, rules jointly referred to as “Privacy Regulations,” a series of obligations are provided for those who process personal data relating to individuals (hereinafter “Processing”).
Valetudo S.r.l., headquartered in Presezzo (BG), via Ghiaie n.6 (hereinafter the “Company”), in addition to the information provided through the “short” informative signs, wishes to communicate the following:
Data Controller
The data controller is the subject who determines the purposes and means of processing personal data (the “Controller”) and is identified as Valetudo S.r.l. through its legal representative pro tempore.
The Data Controller can be contacted via email at: privacy@valetudo.com
Categories of Data Subject to Processing
The data processed by the Controller consist of images depicting employees / collaborators / suppliers / visitors – and in general anyone who has access to the company premises or is nearby – collected through the footage and recordings made by the cameras installed at the Company’s headquarters.
Purposes and Legal Basis of Processing
In accordance with the Privacy Regulations, the installation of the video surveillance system is aimed, alternatively or cumulatively, at:
The legal basis for processing is identified in the legitimate interest of the Data Controller (Art. 6 para. 1 lett. f of the GDPR), coinciding with the pursuit of the aforementioned purposes.
Processing Methods
The processing of personal data is carried out by magnetic means, operating 24 hours a day, with logic strictly related to the purpose itself and in any case in such a way as to guarantee the security and confidentiality of the data. The data are protected by appropriate and preventive security measures, minimizing the risks of unauthorized access or processing not allowed or not in accordance with the purposes of the collection.
Only data strictly necessary for the achievement of the pursued purposes are collected, recording only indispensable images, limiting the field of view of the shots, avoiding, when not necessary, detailed, enlarged, or irrelevant images.
Methods and Period of Data Retention
The retention of processed data will normally last for 72 (seventy-two) hours following detection, subject to special needs for further retention in relation to holidays or prolonged closures as well as upon request of the Judicial Authority.
The custody of the recordings will take place in protected and non-accessible premises except to personnel specifically appointed for this purpose. The system used has been programmed to perform, at the predetermined time – where possible – automatic deletion from every support, also through overwriting, in such a way as to make the deleted data unrecoverable.
Scope of Data Communication
Personal data are processed by specially appointed and trained personnel or by external companies possibly designated by the Controller as external Data Processors pursuant to Art. 28 of the GDPR. Furthermore, the data may be made available to the Judicial Authority and/or equally authorized subjects, upon specific request from them. The collected data are not subject to any form of dissemination.
Transfer of Data to a Third Country or International Organization
Personal data are processed within the European Union and stored on servers located there. It is understood, however, that the Data Controller, if necessary, shall have the right to transmit such data to a third country or to an international organization and/or move the servers outside the EU. In such a case, the Data Controller assures in advance that the transfer of data outside the EU will take place in accordance with the applicable legal provisions, pursuant to Art. 44 and following of the GDPR.
Data Subject Rights
Finally, the Company informs you that, according to the Privacy Regulations (Art. 15-22 of the GDPR), you may exercise specific rights at any time, and in particular, you may ask the Controller:
If you wish to have more information on the Processing of data and to exercise the aforementioned rights, you can send a written request using the contacts provided in the “Data Controller” section of this notice. In the event of a request from you for information regarding your data, the Controller will respond as soon as possible – unless this proves impossible or involves disproportionate effort – and in any case no later than thirty days from the request. Any impossibility or delays by the Controller in fulfilling requests will be adequately motivated.