PERSONAL DATA PROCESSING POLICY

pursuant to Article 13 of the European Data Protection Regulation, No. 679/2016

Data Subject Policy – Customers and Suppliers

 

Pursuant to Article 13 of the European Regulation No. 679/16, referred to as the “General Data Protection Regulation” or “GDPR” or “Regulation”, the company M.G.M. S.P.A. (hereinafter “Company” or “Controller”), as the “Data Controller”, is required to provide you with certain information regarding the processing of your personal data, which you have provided and freely disclosed.

 

  1. Data Controller

The Data Controller is the company M.G.M. S.p.a.

As of today’s date, any information pertaining to the Controller, together with the updated list of designated processors and system administrators, is available at the registered office in:

  • Via Trento e Trieste, 112/C, 31050, VEDELAGO (TV), Italy

 

  1. Processing methods

Personal data in the possession of the Company is usually collected directly from you and only occasionally may come from third parties.

The data provided by you will be processed in compliance with the principles of integrity, lawfulness and transparency, respecting your confidentiality and rights. Processing will take place at the offices of the Controller or, should it be necessary, at the entities indicated in paragraph 5, by means of tools suitable for guaranteeing the security and confidentiality of personal data required by law. It may be carried out manually, by means of filing on paper, and also by means of electronic tools suitable for storing, managing and transmitting personal data.

Processing is carried out in such a way as to minimise the risk of destruction and loss, unauthorised access, and processing not in accordance with the purposes of collection of such data. Data is processed in accordance with the principle of minimisation, pursuant to Arts. 5(1)(c) and 25(2) of the Regulation. Data is processed lawfully and with integrity, is collected for specified explicit and legitimate purposes, is accurate and if necessary updated, pertinent, complete, and not excessive in relation to the processing purposes.

 

  1. Nature of collection and consequences of not providing personal data

The provision of personal data is mandatory for the purposes of signing and executing the contract for the provision of goods and services (including negotiations and pre-contractual activities). We hereby inform you that failure to provide your data will result in the impossibility to establish and continue the contractual relationship and to properly fulfil any legal obligations.

Provision of consent to the processing of personal data for direct marketing purposes is optional, and failure to do so will not affect the establishment and continuation of the contractual relationship and the proper performance thereof.

 

  1. Purpose and Legal Basis of personal data processing

The processing of your data (personal details, traditional postal addresses, telephone numbers, e-mail addresses, tax code) will be carried out by the Controller for the following purposes:

  1. inclusion of personal details in the Controller’s IT databases;
  2. management of quotations, bids, orders, order confirmations, signing and execution of contracts;
  3. administrative, accounting and tax management (invoicing, collections and payments and more generally the obligations required by laws related to the contractual relationship);
  4. management of correspondence, transportation, shipping and receiving goods;
  5. development of internal statistics;
  6. fulfilment of specific requests of the data subject;

only after obtaining your specific written consent will the data you provide also be processed for the following purposes:

7. sending – by email, post and/or text message and/or telephone contact, newsletters – commercial communications and/or advertising material on products or services offered by the Controller.

The lawfulness of processing of personal data arises from the performance of a contract to which the data subject is a party or the execution of pre-contractual measures taken at the request of the data subject and the need to comply with a legal obligation (state laws and regulations, EU legislation) to which the controller is subject (Art. 6 (1)(b) and (c) of the Regulation).

You have the option to authorise the controller in writing (consent) to process your data for the direct marketing purposes mentioned in (g) above. The lawfulness of processing personal data for this specific purpose is based on the free, express and explicit written consent of the data subject.

 

  1. Categories of parties to which the data may be disclosed and disseminated

In order to carry out certain of the activities related to the processing of personal data, the Company may communicate your data to the following categories of external parties:

  • to parties whose right of access to data is recognised by provisions of national law, that of the European Union, and collective bargaining;
  • to parties to which the communication of personal data is necessary or otherwise instrumental for management of the contractual relationship (by way of example but not limited to, forwarding agents and to couriers for the delivery of goods, professional consulting firms, insurance companies) in the manner and for the purposes outlined above;
  • to collaborators and employees of the controller within the scope of their respective duties and/or of any contractual obligations, including data processors and persons in charge of processing appointed pursuant to the Regulation;
  • banking institutions for the management of receipts and payments deriving from the execution of contracts;

Specific and express consent will be requested if there is a need for the communication of data to third parties not expressly indicated. Under no circumstances is personal data disseminated, by which term is meant giving knowledge in any way to unspecified persons, with the exception of photographs and films made for promotional and advertising purposes related to the controller’s business if the data subject has given written consent.

Your personal data, without prejudice to its free movement among the member states of the European Union, may not be transferred to a country outside the European Union, except to parent companies, subsidiaries, affiliates of the Company or otherwise belonging to the same group, with reference to the Controller’s subsidiary located in China. Transfer will take place only where necessary for the purposes described in this policy and in accordance with all the principles and measures mentioned therein.

 

  1. Data transfer to Third Countries or International Organisations

The European Data Protection Regulation stipulates the obligation to inform data subjects in case of transfer of data concerning them to Third Countries (not belonging to the EU or the European Economic Area) or International Organisations.

The Company hereby informs you of the fact that it may transfer the data concerning you to Third Countries such as China, exclusively with reference to subsidiary companies of the Controller through electronic means in accordance with the security measures and in compliance with the principles and guarantees set forth in this policy and within the limits pursuant to Arts. 44, 45, 46, 47, 48, 49, 50 of the Regulation.

 

  1. Data retention period

Your personal data subject to processing will be retained for the period necessary to comply with the retention periods established by law and in any case no longer than those necessary for management of the work relationship and for the management of any complaints/disputes.

Data used for direct marketing will be retained until the data subject withdraws consent for use for such purposes.

 

  1. Rights of data subjects

Notice is hereby given that, at any time, you may exercise the:

  • right to ask the Data Controller (pursuant to Art. 15 of Reg. 679/2016) to be able to access your personal data;

  • right to ask the Data Controller (pursuant to Art. 16 of Reg. 679/2016) to be able to rectify your personal data, where the latter does not conflict with current legislation on data retention and the need to protect in the event of litigation in court;
  • right to ask the Data Controller (pursuant to Art. 17 of Reg. 679/2016) to be able to erase your personal data, where the latter does not conflict with current legislation on data retention and the need to protect the health professionals who processed it in the event of litigation in court;
  • right to ask the Data Controller (pursuant to Art. 18 of Reg. 679/2016) to be able to restrict the processing of your personal data;
  • right to object to processing (pursuant to Art. 21 of Reg. 679/2016);
  • right to request the Data Controller, only in the cases provided for in Art. 20 of Reg. 679/2016, that your personal data is transmitted to another health care operator in a readable format;
  • right to withdraw consent to the processing of your personal data at any time without affecting the lawfulness of the processing based on the consent provided prior to withdrawal.

You may exercise the above rights by making a request addressed without any formalities to the Data Controller, which will provide a timely response. Your request can also be sent to the Controller by post, registered letter or by certified email.

In order to exercise these rights, you may directly contact our Company having its registered office in Via Trento e Trieste, 112/C, 31050, VEDELAGO (TV), Italy, certified email: m.g.m.spa@legalmail.it.

 

  1. Right to lodge a complaint

You always have the right to lodge a complaint with the Personal Data Protection Authority to exercise your rights or any other matter related to the processing of your personal data.

You may exercise the above rights by making a request addressed without any formalities to the Data Controller, which will provide a timely response. You can assert your rights by completing and sending your request using the corresponding form (template for contacting the Controller), which can be accessed and downloaded from the Privacy Authority’s website.

 


 

PERSONAL DATA PROCESSING POLICY

pursuant to Article 13 of the European Data Protection Regulation, No. 679/2016

Data Subject Policy – Personnel Selection

 

Pursuant to Article 13 of the European Regulation No. 679/16, referred to as the “General Data Protection Regulation” or “GDPR” or “Regulation”, the company M.G.M. S.P.A. (hereinafter “Company” or “Controller”), as the “Data Controller”, is required to provide you with certain information regarding the processing of your personal data, which you have provided and freely disclosed.

 

  1. Data Controller

The Data Controller is the company M.G.M. S.p.a.

As of today’s date, any information pertaining to the Controller, together with the updated list of designated processors and system administrators, is available at the registered office in:

  • Via Trento e Trieste, 112/C, 31050, VEDELAGO (TV), Italy

 

  1. Processing methods

Personal data in the possession of the Company is usually collected directly from you and only occasionally may come from third parties.

The data provided by you, both common and special, including that relating to your family members, or otherwise acquired in advance and in the course of the employment relationship, will be processed in compliance with the principles of integrity, lawfulness and transparency, respecting your confidentiality and rights. Processing will take place at the offices of the Controller or, should it be necessary, at the entities indicated in paragraph 5, by means of tools suitable for guaranteeing the security and confidentiality of personal data required by law. It may be carried out manually, by means of filing on paper, and also by means of electronic tools suitable for storing, managing and transmitting personal data.

Processing is carried out in such a way as to minimise the risk of destruction and loss, unauthorised access, and processing not in accordance with the purposes of collection of such data. Data is processed in accordance with the principle of minimisation, pursuant to Arts. 5(1)(c) and 25(2) of the Regulation. Data is processed lawfully and with integrity, is collected for specified explicit and legitimate purposes, is accurate and if necessary updated, pertinent, complete, and not excessive in relation to the processing purposes.

 

  1. Nature of collection and consequences of not providing personal data

The provision of personal data is optional. Failure to do so will make it impossible to take the selection interview.

 

  1. Purpose and Legal Basis of personal data processing

All of your personal data (personal details, traditional postal addresses, telephone numbers, e-mail addresses, tax code, data belonging to special categories revealing racial and ethnic origin as well as data related to health limited to those belonging to protected categories)

  • spontaneously communicated by the data subject through any means (paper and electronic) to the Company;
  • communicated through a questionnaire also sent electronically based on a template predefined by the Company;

is processed for the activity of research, selection and evaluation of the data subject for the purpose of the possible establishment of an employment or professional collaboration relationship with the Company and, if necessary, to ascertain, exercise and/or defend the Company’s rights in court.

The lawfulness of processing of common personal identification data arises from the performance of a contract to which the data subject is a party or the execution of pre-contractual measures taken at the request of the data subject and the need to comply with a legal obligation to which the Company is subject (Art. 6(2)(b) and (c) of the Regulation) or arises from the need to pursue a legitimate interest of the Company (Art. 6(1)(f) of the Regulation).

The lawfulness of processing of personal data belonging to special categories (data revealing racial and ethnic origin as well as data relating to health limited to those belonging to protected categories) is based on the need to fulfil the obligations and exercise the specific rights of the Company or the data subject in the field of employment and social security law and social protection, insofar as it is authorised by the law of the Union or the Member States or by a collective agreement under the law of the Member States, in the presence of appropriate guarantees for the fundamental rights and interests of the data subject (Art. 9(2)(b) of the Regulation).

In the case in which the documentation

  • spontaneously sent by the data subject through any means (paper and electronic) to the Company;
  • sent through a questionnaire also electronically based on a template predefined by the Company;

contains personal data belonging to special categories (data revealing political, trade union, religious opinions) and more generally data and facts that are not relevant and pertinent to the search, selection and evaluation of the candidate for possible recruitment, the Company will refrain from its use and ensure its deletion.

 

  1. Categories of parties to which the data may be disclosed and disseminated

In order to carry out certain of the activities related to the processing of personal data, the Company may communicate your data to the following categories of external parties:

  • to parties whose right of access to data is recognised by provisions of national law, that of the European Union, and collective bargaining;
  • to collaborators and employees of the Company within the scope of their respective duties and/or of any contractual obligations, including data processors and persons in charge of processing appointed pursuant to the Regulation.

Specific and express consent will be requested if there is a need for the communication of data to third parties not expressly indicated. Under no circumstances is personal data disseminated, by which term is meant giving knowledge in any way to unspecified persons, with the exception of photographs and films made for promotional and advertising purposes related to the controller’s business if the data subject has given written consent.

Your personal data, without prejudice to its free movement among the member states of the European Union, may not be transferred to a country outside the European Union, except to parent companies, subsidiaries, affiliates of the Company or otherwise belonging to the same group, with reference to the Controller’s subsidiary located in China. Transfer will take place only where necessary for the purposes described in this policy and in accordance with all the principles and measures mentioned therein.

 

  1. Data transfer to Third Countries or International Organisations

The European Data Protection Regulation stipulates the obligation to inform data subjects in case of transfer of data concerning them to Third Countries (not belonging to the EU or the European Economic Area) or International Organisations.

The Company hereby informs you of the fact that it may transfer the data concerning you to Third Countries such as China, exclusively with reference to subsidiary companies of the Controller through electronic means in accordance with the security measures and in compliance with the principles and guarantees set forth in this policy and within the limits pursuant to Arts. 44, 45, 46, 47, 48, 49, 50 of the Regulation.

 

  1. Data retention period

The personal data of the data subject subject to processing will be retained for the period necessary to comply with the retention periods established by law and in any case no longer than those necessary for management of the activities and procedures for selection of candidates to obtain an employment contract.

 

  1. Rights of data subjects

Notice is hereby given that, at any time, you may exercise the:

  • right to ask the Data Controller (pursuant to Art. 15 of Reg. 679/2016) to be able to access your personal data;

  • right to ask the Data Controller (pursuant to Art. 16 of Reg. 679/2016) to be able to rectify your personal data, where the latter does not conflict with current legislation on data retention and the need to protect in the event of litigation in court;
  • right to ask the Data Controller (pursuant to Art. 17 of Reg. 679/2016) to be able to erase your personal data, where the latter does not conflict with current legislation on data retention and the need to protect the health professionals who processed it in the event of litigation in court;
  • right to ask the Data Controller (pursuant to Art. 18 of Reg. 679/2016) to be able to restrict the processing of your personal data;
  • right to object to processing (pursuant to Art. 21 of Reg. 679/2016);
  • right to request the Data Controller, only in the cases provided for in Art. 20 of Reg. 679/2016, that your personal data is transmitted to another health care operator in a readable format.

You may exercise the above rights by making a request addressed without any formalities to the Data Controller, which will provide a timely response. Your request can also be sent to the Controller by post, registered letter or by certified email.

In order to exercise these rights, you may directly contact our Company having its registered office in Via Trento e Trieste, 112/C, 31050, VEDELAGO (TV), Italy, certified email: m.g.m.spa@legalmail.it.

 

  1. Right to lodge a complaint

You always have the right to lodge a complaint with the Personal Data Protection Authority to exercise your rights or any other matter related to the processing of your personal data.

You may exercise the above rights by making a request addressed without any formalities to the Data Controller, which will provide a timely response. You can assert your rights by completing and sending your request using the corresponding form (template for contacting the Controller), which can be accessed and downloaded from the Privacy Authority’s website.