Extended Information on Recorded Images

In accordance with (i) EU Regulation 2016/679 on the “protection of natural persons with regard to the processing of personal data and on the free movement of such data,” the “GDPR,” (ii) Legislative Decree no. 196 of 30 June 2003, the “Privacy Code,” and as established by (iii) the General Provision on Video Surveillance of 8 April 2010 adopted by the Guarantor for the protection of personal data, rules jointly referred to as “Privacy Regulations,” a series of obligations are provided for those who process personal data relating to individuals (hereinafter “Processing”).

Valetudo S.r.l., headquartered in Presezzo (BG), via Ghiaie n.6 (hereinafter the “Company”), in addition to the information provided through the “short” informative signs, wishes to communicate the following:

Data Controller

The data controller is the subject who determines the purposes and means of processing personal data (the “Controller”) and is identified as Valetudo S.r.l. through its legal representative pro tempore.

The Data Controller can be contacted via email at: privacy@valetudo.com

Categories of Data Subject to Processing

The data processed by the Controller consist of images depicting employees / collaborators / suppliers / visitors – and in general anyone who has access to the company premises or is nearby – collected through the footage and recordings made by the cameras installed at the Company’s headquarters.

Purposes and Legal Basis of Processing

In accordance with the Privacy Regulations, the installation of the video surveillance system is aimed, alternatively or cumulatively, at:

  • Safeguarding and protecting the company’s assets.

The legal basis for processing is identified in the legitimate interest of the Data Controller (Art. 6 para. 1 lett. f of the GDPR), coinciding with the pursuit of the aforementioned purposes.

Processing Methods

The processing of personal data is carried out by magnetic means, operating 24 hours a day, with logic strictly related to the purpose itself and in any case in such a way as to guarantee the security and confidentiality of the data. The data are protected by appropriate and preventive security measures, minimizing the risks of unauthorized access or processing not allowed or not in accordance with the purposes of the collection.

Only data strictly necessary for the achievement of the pursued purposes are collected, recording only indispensable images, limiting the field of view of the shots, avoiding, when not necessary, detailed, enlarged, or irrelevant images.

Methods and Period of Data Retention

The retention of processed data will normally last for 72 (seventy-two) hours following detection, subject to special needs for further retention in relation to holidays or prolonged closures as well as upon request of the Judicial Authority.

The custody of the recordings will take place in protected and non-accessible premises except to personnel specifically appointed for this purpose. The system used has been programmed to perform, at the predetermined time – where possible – automatic deletion from every support, also through overwriting, in such a way as to make the deleted data unrecoverable.

Scope of Data Communication

Personal data are processed by specially appointed and trained personnel or by external companies possibly designated by the Controller as external Data Processors pursuant to Art. 28 of the GDPR. Furthermore, the data may be made available to the Judicial Authority and/or equally authorized subjects, upon specific request from them. The collected data are not subject to any form of dissemination.

Transfer of Data to a Third Country or International Organization

Personal data are processed within the European Union and stored on servers located there. It is understood, however, that the Data Controller, if necessary, shall have the right to transmit such data to a third country or to an international organization and/or move the servers outside the EU. In such a case, the Data Controller assures in advance that the transfer of data outside the EU will take place in accordance with the applicable legal provisions, pursuant to Art. 44 and following of the GDPR.

Data Subject Rights

Finally, the Company informs you that, according to the Privacy Regulations (Art. 15-22 of the GDPR), you may exercise specific rights at any time, and in particular, you may ask the Controller:

  • the right of access, namely the possibility of obtaining from the Controller confirmation of whether or not personal data concerning you are being processed and, if so, to access your personal data;
  • the right to rectification, including the integration of incomplete personal data;
  • the right to erasure of data without undue delay at the request of the Data Subject and compulsorily if:
    • personal data are no longer necessary for the purposes of the Processing;
    • the consent upon which the Processing is based is revoked and there is no other legal basis for the Processing;
    • personal data have been unlawfully processed;
    • personal data must be erased to comply with a legal obligation under EU law or the law of a Member State;
    • the Data Subject objects to the Processing and there are no overriding legitimate grounds for the Processing, or when the Data Subject objects to the Processing in cases provided for in Art. 21, paragraph 2, of the GDPR (personal data processed for direct marketing purposes);
  • the right to restriction of Processing in cases where the accuracy of personal data is contested (for the period necessary for the Data Controller to verify the accuracy of such personal data) or the Processing is unlawful and/or the Data Subject has objected to the Processing requesting the restriction thereof;
  • the right to data portability as the right to receive personal data concerning you, which you have provided to the Data Controller, in a structured, commonly used, and machine-readable format and to transmit those data to another controller, where the Processing is based on consent and carried out by automated means;
  • the right to object to the Processing of your personal data subject to the right of the Data Controller to demonstrate compelling legitimate grounds for the Processing;
  • the right to withdraw consent at any time, where the Processing is based on your explicit consent, without affecting the lawfulness of Processing based on consent before its withdrawal;
  • the right to lodge a complaint with a supervisory authority of the Member State in which you habitually reside or work or of the Member State in which the alleged infringement occurred, without prejudice to any other administrative or judicial remedy, in case of violations of the provisions of the aforementioned Regulation.

If you wish to have more information on the Processing of data and to exercise the aforementioned rights, you can send a written request using the contacts provided in the “Data Controller” section of this notice. In the event of a request from you for information regarding your data, the Controller will respond as soon as possible – unless this proves impossible or involves disproportionate effort – and in any case no later than thirty days from the request. Any impossibility or delays by the Controller in fulfilling requests will be adequately motivated.