Customer: investors and applicants and more generally any person to whom the Company provides one or more services;
Applicant(s): subject(s) presenting/submitting an Offer on the Portal:
- small and medium-sized enterprises, as defined by Article 2, paragraph 1, letter f), the first line of Regulation (EU) n. 2017/1129 of 14 June 2017;
- the innovative start-up company, including the start-up with a social vocation, as defined by article 25, paragraphs 2 and 4 of Legislative Decree no. 179, converted with amendments by the law of 17 December 2012 n. 221, and the tourism start-up envisaged by article 11-bis of Legislative Decree 31 May 2014, n. 83, converted with amendments by the law of 24 March 2015 n. 33;
- the small and medium-sized companies (“Innovative SMEs”), as defined by Article 4, paragraph 1 of the Legislative Decree of 24 January 2015 n. 3, converted with amendments by the law of 24 March 2015 n. 33;
- the collective investment organization that invests primarily in small and medium-sized enterprises, as defined by article 1, paragraph 2, letter e) of the decree of the Ministry of the Economy and Finance 30 January 2014;
- corporations that invest primarily in small and medium enterprises, as defined in article 1, paragraph 2, letter f) of the Decree of the Ministry of Finance on January 30, 2014;
Manager: the entity that professionally manages the Portal, in this case, Forcrowd Srl (also, the “Company”);
Information: the information that the Operator provides to Investors concerning each Offer, according to Article 13, paragraph 1-quater of the Regulation.
Offer: the offer to the public for the raising of risk capital conducted through the Portal, in compliance with Article 100-ter, paragraph 1 of the TUF;
Portal: the online platform owned and managed by FORCROWD which has the exclusive purpose of facilitating the collection of risk capital by the Applicants, according to Article 2, paragraph 1, letter d) of the Regulation;
Offer Period: the period in which the Offer is published on the Portal and is entitled to collect risk capital, according to Article 1, paragraph 5-novies, TUF.
Services: jointly, the Services for the Offer and the Consulting Services.
Consulting Services: the economic and financial consultancy services offered by the Company to companies in the field of strategic analysis, financial assessments, industrial strategy, and related issues, according to article 3 of the bylaws.
Services for the Offer: the activities and services provided by the Company to the Applicant or the potential Applicant for the collection of risk capital by small and medium-sized companies conducted through the Portal, according to article 1, paragraph 5-novies, TUF.
Relevant subject: the subjects belonging to at least one of the following categories:
- the members of the statutory bodies;
- shareholders who hold a stake in the Manager’s capital of more than 20%;
- the executives of the Company;
- the staff of the Company;
- the members of the Scientific Committee;
- the person who directly participates in the provision of services to the Manager within the framework of an outsourcing agreement having as its object the provision of professional, legal, economic or financial consultancy services.
Subjects that receive and complete orders: the bank that receives and handles the completion of investor orders;
TUF: the legislative decree of February 24th, 1998, n. 58.
OBJECTIVES AND SCOPE OF APPLICATION
This policy is drafted according to art. 13 of the Regulation on the collection of risk capital through online portals adopted with CONSOB resolution no. 18592 of 26 June 2013 (the “Regulation”), as subsequently amended, to ensure compliance with the obligation, imposed on the Operator, to operate with diligence, correctness, and transparency, avoiding that any conflicts of interest which may arise in the performance of the Portal’s management activity negatively affect the interests of the Investors and the Applicants, and ensuring the equal treatment of the recipients of the offers that are in identical conditions.
The Manager, as the entity that professionally performs the portal management service, may find itself in actual and/or potential circumstances that constitute or could generate a conflict of interest involving the risk of damage to the interests of its clients. In this regard, the Manager adopts all reasonable measures to identify conflicts of interest that may arise with Investors or Applicants and between Investors and Applicants, and defines in this policy the procedures to be followed and the measures to be taken to prevent, manage and monitor such conflicts, even if they are potential.
GENERAL PRINCIPLES AND MANAGEMENT OF CONFLICTS OF INTEREST
In general terms, a conflict of interest refers to the situation that occurs when the Manager or a Relevant Person or a person who has direct or indirect control with the Manager:
- can make a financial gain or avoid a financial loss to the customer;
- is the bearer of an opposite interest and/or different from that of the Client concerning the result of the Services performed by the Company;
- has an incentive to favour the interests of some customers over others;
- performs the same activity as the Customer;
- has performed or performs work services for the Customer;
- is bound by close relationships with a relevant subject of the Applicant.
The circumstance that at a later time after the close of the Offer, the Manager or a Relevant Person provides services or holds economic relations with the Applicant, provided that he/she has not known them at the time of the publication of the Offer, does not represent a conflict of interest.
To control the risk of potential conflicts of interest, the Manager checks for each Offer if the conditions for a potential conflict of interest exist, both in the preliminary investigation phase and in the subsequent phase and up to the conclusion of the Offer (i.e. placement).
In the case of transactions subject to a situation of potential conflict of interest, the Manager evaluates the nature and extent of the conflict of interest according to the principles of:
- compliance with professional secrecy and confidentiality;
- compliance with the regulations in force and the provisions issued by the supervisory authorities.
To define such potential conflicts of interest, the Manager adopts measures based on the principle of separateness and functional independence, as described below.
Conflict of interest in the Services
While performing the Services, the Manager assesses the actual or potential existence of one or more conflicts of interest.
In the event of conflicts of interest, the Company assesses the compatibility of the conflict of interest with the correct and impartial performance of the Services.
The Company refuses the assignment if, following the assessment of the compatibility of the conflict of interest, it becomes impossible to carry out the Services correctly and impartially.
Relevant parties who find themselves in a situation of conflict of interest, even if only potential, provide information regarding the existence or otherwise of the conflict of interest and, where noted, the nature of the same. The information is provided through a communication sent via e-mail to the Secretariat and General Affairs Office.
In the event of the existence of real or potential conflicts of interest of one or more Relevant Parties, the latter:
- refrain from deciding on the selection of Offers, if they are entitled;
- refrain from any action that could influence the decision-making process of the Company regarding the Customer.
In the cases in which the Company decides, at the end of the aforementioned assessments, to admit the publication of an Offer on which there is a conflict of interest or to perform a consultancy, the Information must contain an indication regarding the existence of the conflict of interest, a description of the type of the same, as well as an indication of the correct application of this procedure and any other information deemed useful to investors. More details on conflicts of interest are contained in a specific warning that is easily identifiable and understandable in the Information.
If conflicts of interest arise, the Company promptly informs the public utilizing a piece of specific information to be made available on the Portal through a separate document that is easily identifiable within the documentation relating to the Offer. The information must contain an indication regarding the existence of a conflict of interest, a description of the nature of the same, as well as an indication of the correct application of this procedure and any other information deemed useful to investors.
Notice to investors
If the application of this Policy and the measures developed to manage conflicts of interest are not sufficient to avoid the risk of harming the interests of Investors, the Company must inform investors of the general nature and/or sources of such conflicts and the measures taken to mitigate the related risks.
ROLES AND RESPONSIBILITIES
The management body of the Manager defines and approves the organizational measures and the procedures for the management of conflicts of interest contained in this procedure. The Manager also checks the effectiveness of this policy at least once a year, making sure that the information flow system is adequate, complete and timely and updates it where necessary.
The Manager has implemented in a special section of the Portal a complaint management system designed to ensure that the assessment of any claims submitted by the Customers is carried out by personnel unrelated to the activities involved in the operations of potential conflict of interest, thus ensuring an independent judgment.
Policy for fraud prevention
Below is the policy for fraud prevention adopted by FORCROWD.
Customer: investors and bidders and more generally any person to whom the Company provides one or more services;
Applicant(s): subject(s) presenting/submitting an Offer on the Portal:
- small and medium-sized enterprises, as defined by Article 2, paragraph 1, letter f), the first line of Regulation (EU) n. 2017/1129 of 14 June 2017;
- the innovative start-up company, including the start-up with a social vocation, as defined by Article 25, paragraphs 2 and 4 of Legislative Decree October 18, 2012, n. 179, converted with amendments by the law of 17 December 2012 n. 221, and the start-up tourism provided for by article 11-bis of the DL 31st May 2014, n. 83, converted with amendments by the law of 24 March 2015 n. 33;
- Innovative small and medium enterprises (“Innovative SMEs”), as defined by article 4, paragraph 1 of the Legislative Decree of 24 January 2015 n. 3, converted with amendments by the law of 24 March 2015 n. 33;
- the collective investment savings organization that invests primarily in small and medium-sized enterprises, as defined by article 1, paragraph 2, letter e) of the decree of the Ministry of the Economy and Finance 30 January 2014;
- The joint-stock companies that invest mainly in small and medium-sized companies, as defined by article 1, paragraph 2, letter f) of the decree of the Ministry of the Economy and Finance 30 January 2014;
Manager: the entity who professionally manages the Portal, in this case, the Forcrowd Srl (also, the “Company”) portal;
Offer: the offer to the public for the collection of risk capital conducted through the Portal, according to Article 100-ter, paragraph 1 of the TUF;
Portal: the online platform owned and managed by FORCROWD which has the exclusive purpose of facilitating the collection of risk capital by the Applicants, under Article 2, paragraph 1, letter d) of the Regulations;
Subjects that receive and complete orders: the bank that receives and handles the completion of investor orders.
FRAUD PREVENTION MEASURES
This policy, available on the website of the Manager, is drafted in compliance with the provisions of art. 14, paragraph 1, lett. e) of the Consob Regulation adopted with Resolution no. 18592 of 26 June 2013 and subsequent amendments (hereinafter also the “Regulation”), to provide for measures to reduce and manage the risks of fraud.
In particular, the measures prepared by the Company are designed to prevent:
- fraud related to any intrusion on the Portal of unauthorized third parties;
- fraud linked to information published on the Portal;
- fraud related to financial transactions;
- fraud related to the improper use by the Manager of the funds raised by the Applicants.
- Fraud related to any intrusion on the Portal of unauthorized third parties
The integrity of the communications and data published on the Portal is guaranteed through the security system and by the competence of the company that developed the site.
In particular, the Operator prepares adequate IT security systems to prevent access by unauthorized third parties, through the use of firewall devices that allow detecting any attempted access.
To this end, the Company:
- proceeds with the identification of the Applicants, before the publication of any information on the Portal;
- assigns to the Applicants personalized credentials for access to the Portal, to be kept confidential under their direct responsibility;
- evaluates the individual projects submitted by the Applicants, before publication on the Offer Portal.
- Fraud related to information published on the Portal
Without prejudice to the exclusive responsibility of the Applicants concerning the relevance and truthfulness of the information provided on the Portal by the same, the Manager carries out a preliminary check on the requirements envisaged by the Regulations for the admissibility of the individual Offers on the Portal and a subsequent one on the correspondence between the information entered in the information document and those made available by the Applicant through the documentation produced to support the individual project.
- Fraud related to financial transactions
Given that each transaction is encrypted with a digital certificate, the Manager uses the partner bank as the entity in charge of receiving and finalizing the orders placed by investors through the Portal. Therefore, for the reduction and management of fraud risks associated with financial transactions, please refer to the controls implemented by the entity in charge of receiving and finalizing orders as well as, generally, of the banking system.
- Fraud related to the improper use by the Applicant of the funds raised from investors
The activity of managing the funds collected by the investors is the sole responsibility of the Applicant.
Under art. 13 paragraph 4 of the Regulation, the Manager ensures that the information on the use of the collected funds is accessible for at least 12 months following the closing of the Offers.
Policy for the protection of privacy
For an easier understanding of this procedure, the following definitions are given per article 4 GDPR:
- Data controller: the natural or legal person, public authority, service or other bodies which, individually or together with others, determines the purposes and means of processing personal data; in this case, the Data Controller is Forcrowd Srl.
- Personal data: any information concerning an identified or identifiable natural person (hereinafter the “Interested Party”); an identifiable natural person is one who can be identified, directly or indirectly, with particular reference to an identifier such as the name, an identification number, location data, an online identifier or one or more characteristic elements of his physical, physiological, genetic, psychic, economic, cultural or social identity. In Forcrowd Srl, in addition to the personal data of external employees and suppliers, the personal data of individuals who use the services offered through online risk capital collection portals are processed.
- Particular categories of data (i.e. “sensitive data”): personal data capable of revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data intended to unambiguously identify a natural person, data relating to health or sexual life or sexual orientation;
- Data processor: the natural or legal person, public authority, service or other bodies that process personal data on behalf of the data controller;
- Authorized person: the natural person who, according to recital (29) and Article 28 paragraph 3 letter b) of the GDPR, is authorized to carry out processing operations by the Data Controller or by a Data Processor;
- Consent of the interested party: any manifestation of free will, specific, informed and unambiguous of the interested party, with which the same expresses his / her assent, through unequivocal positive declaration or action, that the personal data concerning him/her are subject to processing;
- Consignee: the natural or legal person, public authority, service or other bodies that receive communication of personal data, whether or not they are third parties;
- Third: the natural or legal person, the public authority, the service or other bodies that are not the interested party, the data controller, the data processor and the persons authorized to process personal data under the direct authority of the owner or the manager.
OBJECTIVES AND SCOPE
This Policy is drafted according to art. 13 of the Regulation on the collection of risk capital through online portals adopted with CONSOB resolution no. 18592 of 26 June 2013 (the “Regulation”), as subsequently amended.
The scope of this document is to represent the rules and principles, which Forcrowd Srl (hereinafter also the “Company” or “Forcrowd”) adapts in compliance with the provisions established:
- by EU Regulation no. 679/2016 General Regulation on Data Protection (hereinafter also “Regulation” or “GDPR”);
- by Legislative Decree n. 196/2003 “Code regarding the protection of personal data” (hereinafter “Privacy Code”), as amended by Legislative Decree n. 101/2018;
- by the Provisions, the Guidelines and the Opinions issued by the Guarantor Authority for the protection of personal data (hereinafter “Privacy Guarantor”), by the WG according to art. 29 and by the European Data Protection Supervisor (EDPS).
The purpose of this Policy is to describe the Company’s commitment to:
- protect and safeguard personal and confidential data;
- regulate the processing of personal and confidential data;
- establish the principles of good management for personal and confidential data;
- guarantee that all the treatments take place respecting the rights, fundamental freedoms and dignity of natural persons;
- ensure the confidentiality of information relating to suppliers and customers and to all those who have relations with the Company.
The Policy applies to all personal, confidential, risky, sensitive and judicial data processing carried out for any reason by Forcrowd (as better identified below) as Owner.
- EU Regulation n. 679/2016 concerning the protection of individuals in the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC;
- Legislative Decree n. 196/03 Code regarding the protection of personal data, as amended by Legislative Decree n. 101/2018;
- Document WP 243 – Guidelines on Data Protection Officers (DPOs) of 13 December 2016;
- Document WP 248 rev.01 – Guidelines on impact assessment on data protection and determination of the possibility that the treatment “may present a high risk”;
- Document WP 250 rev.01 – Guidelines on Personal data breach notification.
POLICY FOR THE PROTECTION OF PERSONAL DATA
The Company undertakes to protect personal and confidential data, processed in any capacity, adapting its actions to the general principles indicated below.
Collection and processing of information
Forcrowd adopts the necessary measures and precautions to verify that the information containing personal data is relevant, accurate, complete and current as is necessary for the purposes for which it is to be used.
Data processing is carried out in compliance with the principle of data minimization according to art. 5 of the Regulation, according to which the collection and subsequent processing take place in such a way as to minimize the use of personal identification data of the interested parties.
If some processing operations, or processes or process phases, do not require the clear display of personal and identification data of the Interested, the same processing operations must be carried out using data made anonymous or, in some cases, coded.
The obligation to provide the information to the interested party meets the need to recognize the latter's right to know the circulation of his/her data, so as to be able to make an informed exercise of the powers recognized to him/her (i.e. express or deny consent, oppose the processing).
In compliance with the provisions of article 13 of the GDPR, the information must contain, in simple and clear language, the following information:
- the identity and contact details of the Data Controller;
- the contact details of the Data Processor;
- how the data are processed;
- the purposes of the processing for which the personal data are intended, as well as the legal basis of the processing;
- where applicable, the legitimate interests pursued by the Data Controller or by third parties;
- recipients or categories of recipients of personal data;
- the owner’s intention to transfer personal data to a third country or an international organization;
- the period of storage of personal data or, if this is not possible, the criteria used to determine this period;
- the possibility of exercising the rights granted to the interested party by the GDPR, including the right to revoke the consent at any time without compromising the lawfulness of the processing and the right to complain to a supervisory authority;
- the mandatory or optional nature of providing data.
The Company is committed to providing a periodic update and/or a review of various paper and electronic information.
Choice and consent
Forcrowd undertakes to comply with the obligation to collect the Consent as established by articles 6 and 7 of the Regulations.
The Consent is validly given when:
- it is preceded by a piece of correct and complete information;
- it is freely expressed;
- it refers uniquely to a given treatment;
- it is documented in writing concerning the type of data collected.
Under art. 6 of the Regulation the Consent is not due when:
- the Processing is necessary for the execution of a contract of which the interested party is a party or for the execution of pre-contractual measures adopted at the request of the same;
- the Treatment is necessary to fulfil a legal obligation to which the Owner is subject;
- the Treatment is necessary for the safeguard of the vital interests of the Interested or another natural person;
- the Processing is necessary for the execution of a task of public interest or connected to the exercise of public authority with which the Owner is invested;
- Processing is necessary for the pursuit of the legitimate interest of the Data Controller or third parties, provided that the interests or the fundamental rights and freedom of the interested party, which require the protection of personal data, do not prevail, in particular, if the Interested party is a minor.
Access to personal data and other rights of the interested party
The Company guarantees each interested party the free exercise of the rights provided for in articles 15 – 22 of the GDPR.
In particular, the interested party has the right to:
- obtain confirmation that processing of personal data concerning him or her is in progress and, in this case, obtain access to it;
- oppose a specific Treatment for legitimate reasons to do it definitely;
- revoke his or her consent at any time, without prejudice to the lawfulness of the processing based on consent before the revocation;
- obtain from the Data Controller the rectification of inaccurate personal data concerning him or her, without unjustified delay, and the integration of incomplete personal data, also through a specific supplementary declaration;
- request that his or her data be processed solely for conservation, with the exclusion of any other processing operation;
- obtain the cancellation of personal data when the conditions are met.
The procedures for exercising the rights are specified in chapter 4.
Transfer of personal data
The Company undertakes to take the necessary measures to ensure that transfers of personal data comply with the applicable legislation, even if this should occur by third parties acting as sub-contractors.
In compliance with the principle of the free circulation of personal data, the Regulation regulates the transfer of data between the Member States of the European Union or in the European Economic Area (Norway, Iceland, Liechtenstein).
For the transfer of data to a country that does not belong to the EU/EEA, however, one or more of the following conditions must exist:
- the organization of the destination or data transit country has ensured a level of protection of persons deemed “adequate” by the European Commission;
- contractual instruments have been adopted that offer adequate guarantees (standard contractual clauses, binding corporate rules, etc.);
- the interested party has explicitly expressed his consent (in writing, in the case of sensitive data) to the proposed transfer, after having been informed of the possible risks of such transfers for the interested party, due to the lack of an adequacy decision and of adequate guarantees;
- the transfer is necessary for the execution of a contract concluded between the interested party and the Data Controller or the execution of pre-contractual measures adopted at the request of the interested party;
- the transfer is necessary for the conclusion or execution of a contract stipulated between the Data Controller and another natural or legal person in favour of the Data Subject;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary to ascertain, exercise or defend a right in court;
- the transfer is necessary to protect the vital interests of the interested party or other persons if the interested party is in the physical or juridical incapacity to give his Consent.
Forcrowd, according to art. 5 of the Regulation, carries out the processing of personal data, adapting their work to the following general criteria:
- each processing must take place in a lawful, transparent and correct manner;
- the processed data must be collected and recorded for specific, explicit and legitimate purposes and used in other processing operations in terms that are not incompatible with these purposes;
- the processed data must be exact and, if necessary, updated;
- the processed data must be adequate, relevant and limited to what is necessary concerning the purposes for which they are processed;
- the processed data must be kept in a form that allows the identification of the parties concerned for a period not exceeding the achievement of the purposes for which they are processed;
- the data must be processed in such a way as to ensure adequate security of personal data, including protection, through appropriate technical and organizational measures, from unauthorized or unlawful processing and accidental loss, destruction or damage (« integrity and confidentiality »).
The Company undertakes to adopt, to the extent possible, the necessary and adequate security measures so that personal data and information are protected from loss, misuse, unauthorized access, disclosure, alteration or destruction, as well as reasonable checks to ensure that these measures are constantly updated.
Based on the provisions of articles 24 and 32 of the Regulation, the Company adopts measures in line with the following principles:
- ensure that, by default, only the personal data necessary for each specific purpose of the processing is processed (Security and Privacy by Default);
- effectively implement data protection principles and integrate the necessary guarantees into the processing, right from the design stage, to protect the rights of the data subjects (Security and Privacy by Design);
- to ensure, in the event of a violation of personal data, the communication to the interested parties and the Privacy Guarantor in the manner and in the time frame of the Regulation;
- to carry out impact assessment for those treatments that present high risks for the rights and freedom of the interested parties in the manner and within the time frame established by the Regulation;
- to guarantee adequate specialized training on IT security issues;
- adopt techniques of encryption of personal data when necessary.
Forcrowd adopts the measures to keep personal information only for the time necessary to satisfy the purposes for which it was collected and, in any case, not above what is required by law.
The storage times will be communicated to the interested parties by specific information and according to the indications contained in the Provisions of the Guarantor or indicated by the legislation in force.
Control and compliance
It is the responsibility of all Company personnel to understand and comply with this Policy and its contents.
Failure to comply could result in significant risks for the Company and may expose each individual to possible disciplinary actions, up to the dismissal or termination of the professional relationship. In this sense, Forcrowd periodically carries out checks to verify the measures put in place and also ensures the collection of any reports of non-compliance by monitoring the actual resolution.
Questions or doubts regarding the interpretation or application of this Policy can be addressed by writing to the dedicated email address.
THE RIGHTS OF THE INTERESTED PARTY
The Regulation grants the subject whose data is processed (for example the client, the shareholder, the employee, etc.) certain rights aimed at guaranteeing adequate and direct control over the Company’s compliance with the limits and the conditions set for the processing of personal data.
Forcrowd undertakes to guarantee the effective execution of the processes necessary for the exercise of the rights of the interested parties.
The following paragraphs contain the guidelines and types of requests that each interested party has the right to exercise with particular reference to:
- Right of access to data by the interested party
- Right of rectification
- Right of cancellation
- Right to the limitation of processing
- Right to data portability
- Right of opposition
Exercise of the rights of the interested party and Times of Response
The interested party has the right to exercise his/her rights in the manner and within the limits established by the Regulation. The Company undertakes to provide the Data Subject with information relating to the action taken regarding a specific request without unjustified delay and, in any case, at the latest within 30 days of receipt of the request. This deadline may be extended by two months, if necessary, taking into account the complexity and number of requests. In any case, Forcrowd will undertake to inform the interested party of such extension, and the reasons for the delay, within one month of receiving the request. If the request of the interested party is submitted by electronic means, the information will be provided, where possible, by electronic means, unless otherwise indicated by the interested party.
These rights may be exercised by sending an email to the dedicated address or by written notice, specifying the subject of the request, to the attention of the Data Controller or the subjects authorized and/or delegated by the latter, to the headquarters of the Company, located in Via Vincenzo Monti n. 52, 00152 Milan.
Once the request is received, the Data Controller, Data Processor and/or Authorized Persons cannot refuse to comply with the request of the Data Subject, unless the Company proves that it is unable to identify the interested party. If the interested party is identifiable, the Owner or the aforementioned subjects must send an email or, if received in paper form, deliver it to the person in charge of the specific Treatment within two days from the date of receipt.
Those responsible for the specific Treatment will have to assess whether the requests are manifestly unfounded and/or require an economic effort not proportionate to the request, in particular because of their repetitive nature. In this case, the Company may evaluate the possibility of:
- charging the administrative costs incurred in providing information, communication or taking the action requested by the Data Subject;
- refusing to fulfil the request, informing the interested party of the decision and its reasons.
If the request is deemed unfounded and the Company therefore does not comply with the request of the interested party, Forcrowd informs the interested party without delay (and in any case within one month of receipt of the request) of the reasons for the non-compliance and the possibility of proposing a complaint to a supervisory authority with attached judicial appeal.
When the request is deemed to be founded, the individual responsible for the specific treatment or the authorized persons will take care of the same for its area of competence.
Treatment activity register
The GDPR requires the Data Controller and Data Processors, with limited exceptions, to keep a record of the processing activities carried out under their responsibility (the “Register”).
According to Article 30 of the GDPR, the Register must contain, at least, the following information:
- the name and contact details of the Data Controller and the joint data controller (where applicable), as well as the Data Processor and any authorized persons;
- the purposes of the processing;
- a description of the categories of interested parties and the categories of personal data processed;
- the categories of recipients to whom the personal data have been or will be communicated;
- any transfers of personal data to a third country;
- the deadlines set for the cancellation of the different categories of personal data;
- a general description of the technical and organizational security measures adopted.
The Register is kept in an electronic format at the Company’s head office, under the responsibility of the Data Supervisor, who is responsible for updating it. In this regard, the Register must always represent a timely picture of the processing activities performed by the Data Controller.
The Data Processor is responsible for updating the Register based on the information that it is aware of or by indicating any changes in the processing by the Authorized Persons.
The latest version of the Register must be made available to all authorized Personnel and any internal Data Processors.
The process of verifying and updating the Register must involve all the subjects who deal with personal data within the company organization.
In particular, it is the responsibility of each Manager, where appointed, and Authorized Person to promptly notify the Owner of any initiative that has an impact on the processing of personal data and, in particular, of any changes concerning the following aspects:
- purpose of the processing;
- categories of data subjects or categories of personal data processed;
- categories of recipients to whom personal data will be communicated (e.g. modification of a supplier);
- transfers of personal data to a third country;
- expiry of the deadlines set for the cancellation of personal data;
- adopted technical and organizational measures;
- the video surveillance system at the offices of the Company.