SOLUTIONS 30 GENERAL PRIVACY NOTICE
This privacy notice explains how Solutions30 collects and uses personal data and describes the rights you have with respect to your personal data.
It also expresses the strong commitment of Solutions30 Group to respect and protect your privacy and Personal Data, whether you are part of our employees, suppliers, customers, business partners, Clients or their respective end customers.
In line with the dispositions of the GDPR and privacy and data protection laws and regulations applicable in EEA countries, this Policy also constitutes a legal mechanism enabling international data transfers within the Group, whenever Solutions30 acts either as a Data Controller or a Data Processor, including when it transfers such Personal Data on behalf of a Client.
“Adequate Country” means any country, territory or one or more specified sectors within that country, or organization that is located outside of the EEA and is recognized by the European Commission as ensuring an adequate level of protection of Personal Data.
“BCR” means Binding Corporate Rules and constitutes a legal mechanism enabling transfers of Personal Data originating from or processed in the EEA within the Group.
“Client” means a third party to whom Solutions30 provides services described in a contract signed between Solutions30 and such Client. In this situation, the Client acts as a Data Controller in relation to the Processing of your Personal Data by Solutions30, which in turn acts as a Data Processor on behalf of such Client.
‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
“Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data (where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law)
“Data Processor” means the natural or legal person, public authority, agency or other body which Processes your Personal Data on behalf of the Data Controller.
“DPO” means a data privacy expert appointed by the respective companies belonging to Solutions30, who is accountable that the relevant company belonging to the Group is following policies and procedures set out to protect Personal Data.
“Data Subject” an identifiable natural person to which Personal Data relates.
“EEA” means the European Economic Area and includes all member states of the European Union, as well as Iceland, Liechtenstein, and Norway.
‘’GDPR’’ means General Data Protection Regulation.
“Group” or ‘’Solutions30’’ means Solutions30 SE and any subsidiary that is wholly or partially owned, whether directly or indirectly, by Solutions30.
“Personal Data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number (e.g., IP-address, cookie tag) or location data. The term Personal Data is very broad under the GDPR. To qualify as Personal Data it is not necessary to combine the name of a natural person with other identifiers of the natural person.
“Processing”, means any use or operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organizing, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, transfer or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing can include asking a person for information, capturing information on call details (including call recording), logging and analyzing network traffic and accessing a customer’s CRM system or other external database, if applicable.
“Profiling” means any form of automated processing of your Personal Data consisting of the use of your Personal Data to evaluate certain personal aspects relating to you, in particular to analyze or predict aspects concerning your performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
‘’Security Incident’’ means any actual, potential or suspected incident, action, failure, or other occurrence leading to the accidental, deliberate or unlawful destruction, loss, alteration, or unauthorized acquisition, disclosure or access to, hardcopy or electronic data and information, irrespective of whether it is personal data or confidential information or not, which is owned, controlled or maintained by the Solutions30 Group directly or indirectly (e.g., it is hosted by a vendor or other service provider to the Solutions30 Group) A Security Incident specifically be present if one or more of the following conditions are met:
“Special Categories Data” means any Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the Processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, or data concerning health, sex life or sexual orientation.
“Sub-processor” means a company belonging to Solutions30 contracted by another company belonging to the Group, acting as a Data Processor, to Process Personal Data.
‘Supervisory authority’ means an independent public authority which is established by a Member State (e.g. CNPD in Luxembourg, CNIL in France, Garante della Privacy in Italy etc.)
“Third-Party Data Processor” means a non-Solutions30 company contracted by Solutions30 to process Personal Data.
The Group collects and uses certain data of people, be they customers, suppliers, salespeople, employees and other people the Group is related to and to all equipment owned or leased by the Group.
The present policy describes how this data are collected, managed and stored in order to meet the data protection standards outlined in the Regulation (EU) 2016/679 (GDPR) and the reference norms.
The Policy applies globally to all Solutions30.
Who is the Data Controller?
The Data Controller is Solutions30, because the organization determines the purposes and means of the processing of Personal Data.
What Personal Data we process?
The categories of Data Subjects and Personal Data and the purposes of Processing include, but are not limited to, the following:
Employees, independent contractors, and trainees, for the purposes of human resources and personnel management processes, which may cover any type of Processing. Such Processing covers, but is not limited to:
Clients, for the purposes of client relationship management, which may cover any type of Processing, including, but not limited to:
Any other party, for the purposes of ensuring any other business operations, which may cover any type and regulatory obligations. Such Processing covers third-party Personal Data including, but not limited to:
What are the purposes of the Personal Data Processing?
Solutions30 ensures that Personal Data is obtained only for one or more specified purposes and is not further processed in any manner incompatible with those purposes.
In particular, the Personal Data collected for specified purposes will not be used for another purpose, unless:
Solutions30 has identified the legal basis for the processing of all Personal Data, which shall be selected from one or more of the following (ex art. 6 – GDPR):
In particular, Solutions30 processes your Personal Data principally because it is:
Particular safeguards are applied when special categories of Personal Data are being processed. In this case, Solutions30 has identified the additional legal basis for the processing of special categories of Personal Data, which shall be selected from one or more of the following:
In particular, Solutions30 can process your Personal Data principally because it is:
How we process the Personal Data?
GDPR indicates how organizations shall collect, manage and store Personal Data. The rules it contains apply regardless of whether data is stored digitally, on paper or in any other way.
To comply with the GDPR and any other applicable law, Personal Data shall be correctly collected and used, safely stored and not illicitly disclosed.
Solutions30 follows these important principles pertaining to Personal Data processing namely Personal Data:
At Solutions30 we appointed a DPO in each country we operate in order to secure the appropriate treatment of privacy matters per each respective jurisdiction.
With whom do we share your Personal Data?
Solutions30 ensures that, where the organization shares Personal Data with another organization, the responsibilities of both parties with regard to the Personal Data are formally documented in a written agreement or contract as appropriate.
Wherever it is possible, any new Processing which involves the sharing of Personal Data with third parties is compatible with the terms of the information provided to the natural person.
Where this is not possible, Solutions30 shall ensure that it has:
Where data sharing with third parties is allowed without the consent of the natural person, because for example it is required by the applicable law, Solutions30 ensures that an auditable record of the protocols and controls for this data sharing is documented.
Transfers of Personal Data
Transfers within the EEA or from the EEA to an Adequate Country
This section describes a situation when a Solutions30 based in the EEA transfers your Personal Data to one of the following:
Laws and regulations applicable in EEA countries authorize transfers of your Personal Data between organizations based in the EEA, or from an organization based in the EEA to another organization based in an Adequate Country. Therefore, Solutions30 does not need to implement any additional measures in such cases.
Transfers from the EEA to a non-Adequate Country
This section describes a situation when a Solutions30 branch based in the EEA transfers your Personal Data to another Solutions30 company or a third party located in a non-Adequate Country. An example would be a transfer of your Personal Data by a Solutions30 branch in Italy to a Solutions30 branch in Tunisia, or a Solutions30 branch in Italy being serviced by a third party in the Philippines.
When an EEA Solutions30 transfers your Personal Data to another Solutions30 located in a non-Adequate Country not providing an adequate level of data protection, we will base the transfer on appropriate safeguards, such as BCRs (Art. 46(2)(b), 47 GDPR), standard data protection clauses adopted by the European Commission or by a supervisory authority (Art. 46(2)(c) or (d) GDPR), approved codes of conduct together with binding and enforceable commitments of the recipient (Art. 46(2)(e) GDPR), or approved certification mechanisms together with binding and enforceable commitments of the recipient (Art. 46(2)(f) GDPR).
Transfers from non-EEA countries to other countries
This section describes the transfer of your Personal Data by a non-EEA Solutions30 branch to another Solutions30 branch or third party based in another country. An example would be a transfer of your Personal Data by a Solutions30 in Tunisia to a Solutions30 in US, or a Solutions30 in Morocco being serviced by a third party in Spain.
Any transfer of your Personal Data from a non-EEA country to any other country shall be done with appropriate and reasonable protection, and in compliance with the laws and regulations applicable to the Solutions30 at the origin of the transfer, in particular, but not limited to, any legal requirement on transfers of your Personal Data or pertaining to security.
How do we manage the risks?
Solutions30 has implemented a specific Security Incident Response Procedure (the Procedure) to ensure that the company reacts appropriately to any type of security incidents relating to data protection.
The organization is responsible for monitoring all incidents that occur internally that may violate the security and/or confidentiality of data. The main objective of the Procedure is not to search for the culprit, but to manage and limit problems and learn from error, in a perspective of continuous improvement.
This Procedure applies to all employees, collaborators, consultants and temporary workers within Solutions30.
The Procedure is intended to provide direction for responding to the Security Incident (i) for rapid detection, minimize loss and destruction, and mitigating the weaknesses that were exploited, and (ii) to comply with Security Incident and/or data breach notification obligations under the GDPR.
What are your rights?
Right to withdraw your consent: If you have given your consent regarding certain types of Processing activities (in particular regarding the receipt of certain direct marketing communications), you can withdraw this consent at any time with future effect. Such a withdrawal will not affect the lawfulness of the processing prior to the consent withdrawal. You can withdraw your consent by writing to email@example.com
Additional data privacy rights: Pursuant to applicable data protection law and the GDPR, you have the right to: (i) request access to your Personal Data; (ii) request rectification of your Personal Data; (iii) request erasure of your Personal Data; (iv) request restriction of processing of your Personal Data; (v) request data portability; and/or (vi) object to the processing of your Personal Data. Please note that these rights might be limited under the applicable (local) data protection law.
(i) Right to request access to your Personal Data: you have the right to obtain from us confirmation as to whether or not Personal Data concerning you is processed, and, where that is the case, to request access to the Personal Data. The access information includes – inter alia – the purposes of the processing, the categories of Personal Data concerned, and the recipients or categories of recipients to whom the Personal Data have been or will be disclosed. However, this is not an absolute right and the interests of other individuals may restrict your right of access.
You also have the right to obtain a copy of the Personal Data undergoing processing free of charge. For further copies requested by you, we may charge a reasonable fee based on administrative costs.
(ii) Right to request rectification: you have the right to obtain from us the rectification of inaccurate Personal Data concerning you. Depending on the purposes of the processing, you have the right to have incomplete Personal Data completed, including by means of providing a supplementary statement.
(iii) Right to request erasure (right to be forgotten): you have the right to obtain from us the erasure of your Personal Data and we may be obliged to erase such Personal Data.
(iv) Right to request restriction of processing: you have the right to obtain from us and we may be obliged to restrict the processing of your Personal Data. In this case, the respective Personal Data will be marked and may only be processed by us for certain purposes.
(v) Right to request data portability: you have the right to receive the Personal Data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you have the right to transmit those Personal Data to another entity without hindrance from us, where the processing is carried out by automated means and is based on consent pursuant to Art. 6(1)(a) GDPR or on a contract pursuant to Art. 6(1)(b) GDPR.
(vi) Right to object: Under certain circumstances, you have the right to object, on grounds relating to your particular situation, at any time to the processing of your Personal Data by us and we are required to no longer process your personal data. Such right to object especially applies if we collect and process your Personal Data for profiling purposes in order to better understand your interests in our products and services or for certain types of direct marketing. If you have a right to object and if you exercise this right, your Personal Data will no longer be processed for such purposes by us.
How do you exercise them?
To exercise your rights, please contact us as at firstname.lastname@example.org.
To prevent Personal Data relating to one individual being sent to another, accidentally or as a result of deception, we need to be sure of the identity of the applicant.
Solutions30 shall collect the information necessary to judge whether the person making the request is the individual to whom the Personal Data relates (or a person authorized to make a request on their behalf).
The level of checks to be carried out depends on the possible damage that inappropriate disclosure of data could cause to the data subject.
The interested party provides the information necessary for managing the request.
Before responding to a request, it is possible to ask the applicant for additional information, which is reasonably needed, to identify the Personal Data subject to the request.
It is not possible to ask the interested party to limit the scope of the request, but only to provide further details that allow identifying the information requested (e.g. information on the context in which the information about them may have been processed, information on the probable dates in which the discussion took place).
After collecting all the necessary information, the DPO, or a specifically appointed officer, reviews it. Documents or files may contain a multitude of information in addition to the applicant’s Personal Data; this means it may be necessary to consider each document separately to evaluate the information contained therein.
Once the data relevant to the request has been identified and retrieved, these are communicated by the DPO, or by the appointed officer, to the applicant, in an intelligible form and accompanied by a report of the operations carried out. If the organization no longer holds the requested data, a declaration certifying this is sent within 30 days of the request.
Repeated or unreasonable requests
Solutions30 is not obliged to satisfy a request identical or similar to that already addressed, unless a reasonable interval has elapsed between the first request and the following ones, also taking into account:
Respect for the freedoms of others
The right to obtain a copy must not affect the rights and freedoms of others. For example, it is not necessary to comply with a request to exercise the rights of the interested party if this would involve the disclosure of information about another individual who can be identified by such information, except in cases where:
For any questions about this General Privacy Notice or if you wish to exercise your rights as stated above, you may send an email to the following address: email@example.com