Information notice on the processing of personal data visitors
Dear Sir/Madam,
With this document, drafted pursuant to Article 13 of EU Regulation No. 679/2016 (hereinafter also "Regulation"), Fincantieri S.p.A. informs you, as a visitor ("Visitor") and data subject, of the following.
1. Data Controller
The Data Controller of the personal data requested from you (e.g., name, surname, email address, tax code) is Fincantieri S.p.A. (hereinafter also referred to as the "Controller" or the "Company"), with registered office in Trieste, Via Genova 1, VAT No. 00629440322, email privacy@fincantieri.it, tel. +39 040 3193111, fax +39 040 3192305.
The Data Protection Officer ("DPO") of Fincantieri S.p.A. can be contacted at the following email address: privacy@fincantieri.it.
2. Purposes and Legal Basis of the Processing of Personal Data
Due to your access to the Company's areas ("Sites") such as, for example, offices, plants, shipyards, docks, your personal data will be processed, with the support of IT and/or paper means, limited to the following purposes and based on the following legal bases:
a) purposes related to the authorization, management, and control of access to the Sites by the Controller: the processing, where not attributable to the execution of contractual and/or legal obligations on the part of the Controller, will be based on the legitimate interest of the Controller aimed at authorizing, managing, and controlling access to the Sites;
b) purposes of audit and/or regulatory compliance: the processing is necessary for the execution of legal obligations on the part of the Controller and to ensure compliance with the mandatory or voluntary company procedures adopted by the Company. The processing, where not attributable to the execution of contractual and/or legal obligations on the part of the Controller, will be based on the legitimate interest of the Controller aimed at verifying the processes and activities carried out by the Company;
c) purposes of litigation management: the processing is necessary for the management of complaints and/or disputes, for the prevention and repression of unlawful acts, and, in general, for the protection of the rights and legitimate interests of the Controller and/or third parties, including in court. The legal basis of the processing is the legitimate interest (the interest of the Controller corresponds to the right of action and defense enshrined in Article 24 of the Constitution);
d) investigative purposes, personnel and third-party security, and protection of the Company's assets (including information): the processing is necessary to protect the Company against any non-compliance and/or violations of the law and/or events that may negatively impact the safety of personnel or third parties and/or negatively affect the company's image or assets. For these purposes, the Controller also records images and sounds in the ways and terms described in the following paragraph 3. The processing, where not attributable to the execution of contractual and/or legal obligations on the part of the Controller, will be based on the legitimate interest of the Controller founded on the constitutionally guaranteed right of property (Article 42 of the Constitution).
It is also noted that your data will be communicated and processed within the Company by personnel duly appointed and instructed by the Controller.
3. Surveillance Areas
We inform you that surveillance systems are present for the purposes mentioned in the previous paragraph 2, for example, in reception areas, perimeter areas, access areas to the Controller's premises; you will also find a simplified information notice, prepared in compliance with the general provisions of the Data Protection Authority (sign with camera image) and placed near the range of the various cameras.
4. Recipients of Personal Data
Your personal data will not be disseminated or communicated to third parties except for any communication to judicial police bodies or the judiciary upon their express request or in the event of the need to defend the Controller's interests. Your personal data may also be communicated to the Controller's suppliers (e.g., law firms), who may act as autonomous controllers or processors, duly appointed pursuant to Article 28 GDPR, or to third parties acting as autonomous controllers (e.g., Fincantieri Group companies). Finally, they may be communicated to subjects authorized to access them by law, regulations, or community norms.
5. Transfer of Personal Data to a Third Country or International Organization
The Controller does not usually transfer your personal data outside the European Economic Area ("EEA"). Should this occur, the Controller will adopt appropriate safeguards to protect your personal data in the context of international transfers, such as adequacy decisions by the European Commission pursuant to Article 45 of the Regulation, standard contractual clauses approved by the European Commission, and contractual instruments that provide adequate safeguards (Article 46 of the Regulation); alternatively, transfers will take place in the presence of the derogations provided for by Article 49 of the Regulation (i.e., consent of the data subject, necessity of the transfer for contractual/pre-contractual measures, overriding public interest, right of defense in court, vital interests of the data subject or other persons, data included in a public register).
6. Retention Period of Personal Data
Your data will be retained, depending on the purposes pursued, for the following periods:
- 13 months from the last access for the related purposes of managing entries and up to a maximum of 5 years for the Controller's security needs;
- 7 days from detection with specific reference to images recorded for the purposes of personnel and third-party security and the protection of company assets through surveillance systems, without prejudice to the possibility of retaining them: (i) in case of holidays or non-working days, until the resumption of work activities; (ii) for a period longer than that indicated in case of unlawful acts and/or ongoing investigations by the Judicial or Police Authorities.
7. Rights of the Data Subject
We inform you that, as a data subject, you have the right to obtain from the Data Controller:
Right of access: (art. 15 of the Regulation) |
or confirm whether or not personal data concerning you are being processed and, if so, the right to obtain, inter alia, access to your personal data and information regarding the purposes of the processing, the categories of personal data in question, the recipients or categories of recipients to whom the personal data have been or will be disclosed. |
Right to rectification: (art. 16 of the Regulation)
|
(i) rectification of inaccurate personal data concerning you without undue delay and (ii) completion of your personal data, if incomplete. |
Right to erasure ('right to be forgotten'): (art. 17 of the Regulation) |
deletion of personal data concerning you without undue delay. |
Right to restriction of processing: (art. 18 of the Regulation) |
limitation of processing in the cases referred to in Article 18 of the Regulation. |
Right to data portability: (art. 20 of the Regulation) |
receipt in a structured, commonly used and machine-readable format of the personal data concerning you and in our possession; the right to transmit such data to another data controller without hindrance from the data controller to whom they have been provided in the cases referred to in Article 20 of the Regulation. |
Right to object to processing carried out pursuant to Article 6(1)(e) or (f): (art. 21 of the Regulation) |
object, at any time, on grounds relating to your particular situation, to the processing of personal data concerning you pursuant to Article 6(1)(e) or (f), including profiling on the basis of these provisions. |
At any time, you will have the opportunity to exercise the aforementioned rights by sending a request to the email address: privacy@fincantieri.it.
You also have the right to lodge a complaint with the Data Protection Authority if you believe that the processing concerning you violates the provisions of EU Regulation No. 679/2016.
8. Nature of data provision and consequences in case of failure to provide data
The provision of data is necessary to allow you access to the Sites and therefore the failure, partial, or inaccurate provision of the requested personal data will result in the objective impossibility for the Data Controller to allow you access to the Sites.