INFORMATION ON THE PROTECTION OF PERSONAL DATA
OF THE WEBSITE WWW.EXSAFE.IT AND OF THE EXSAFE PLATFORM
(Article 13 REG. (EU) 2016/679)

INFORMATION WEBSITES MOD. 1 - 24 SEPTEMBER 2019
For any clarification, information, exercise of the rights listed in this information, please contact:
HELLO@EXSAFE.IT
The information may undergo changes following the introduction of new rules or following changes to the website, so we invite you to periodically visit this section for updating.
GENERAL INFORMATION ON THE "GDPR". The REG. EU 2016/679 (or "GDPR") establishes the rules to protect and safeguard natural persons with regard to the processing of their personal data and this information is prepared in accordance with the new regulatory provisions. This information is exclusively referable to the websites indicated in the epigraph (www.exsafe.it and site relating to the exsafe platform); the websites that can be accessed through this site are not covered by this information: the Data Controller declines any responsibility regarding them. In particular, the categories of cookies used and the type of processing of personal data by these companies (third parties) are regulated in accordance with the information provided by these companies (see, for example, the links referring to the information of the third parties indicated in the Cookie Policy).

According to the law, the processing of personal data is based on principles of correctness, lawfulness, transparency, protection of the user's privacy as well as protection of the rights of the interested party: the Data Controller undertakes to observe the aforementioned principles and, also for this purpose, immediately informs the interested party that, except for those treatments for which the law provides for his explicit consent, by browsing this website, uploading or providing personal data, the interested party accepts and agrees to be bound by the conditions and terms referred to in this information.
DATA CONTROLLER
art. 24 GDPR
The Data Controller (or just "Data Controller") is the natural or legal person, public authority, service or other body which, individually or together with others, determines the purposes and means of processing personal data. It is also the one that takes care of the security aspects. With regard to the processing of the personal data of the interested party, the Data Controller is the company
EXSAFE S.R.L.
with registered office in P.zza Marconi n. 25/1 in 45014 Porto Viro (RO) and with VAT number 01394280299.
For any clarification or exercise of the rights that belong to the interested party, the addresses already indicated can be contacted.
DATA PROCESSOR
art. 28 GDPR
The Data Processor is, on the other hand, the natural or legal person, public authority, service or other body that processes the personal data of the data subject "on behalf" of the Data Controller. With regard to the processing of the personal data of the interested party, the Data Controller, in case of need, could appoint the following subjects as external Data Processor:
- Accountant, who could process personal data of the interested party for tax and accounting purposes;
- IT company, which may process personal data of the interested party at the time of assistance, maintenance and updating of IT systems;
- Company that provides the CRM, which could process the personal data of the interested party when stored in the aforementioned software;
- Company that deals with marketing, which may process the data of the interested party at the time of the execution of the email marketing service;
- Software house that manages the institutional website and the EXSAFE platform, which could process the data at the time of assistance, maintenance and / or updating of the system;
- the company that provides the navigation space (Hosting);
- and finally, the company that provides the email marketing service.
For any information regarding the company names of these subjects, the data they process, or the methods of treatment, please contact the addresses indicated in the epigraph. In any case, the appointment of the aforementioned subjects, as well as their perimeter of responsibility, are limited to the areas of treatment already mentioned. Over time, the Data Controller may update the list of Data Processors (adding new Data Processors or revoking previously assigned tasks); the interested party may request more information by contacting the addresses already indicated.
COMMUNICATION TO OTHER SUBJECTS
art. 13 par. 2 lett. e) GDPR
Except for what has already been said regarding the Data Processors and the Persons in charge of processing, the Data Controller undertakes not to communicate the data of the interested party to third parties, unless this depends on a legal or contractual obligation or the communication is among the requirements necessary for the conclusion of a contract. To comply with contractual or legal obligations, the data could be disclosed to the following subjects: banking institutions (for example) for the fulfillment of payment obligations arising from the contract; insurance institutions in the event of accidents / claims; public bodies where required by law; lawyers, law enforcement agencies, judicial authorities (for example) in the case of offenses, contractual breaches, or other legally relevant facts caused by the interested party.
DATA OF MINORS UNDER 14 YEARS
art. 8 GDPR
This website does not offer direct services to individuals under the age of fourteen. The Data Controller is not responsible for any collection of data from these subjects, since this responsibility remains with the holders of parental responsibility for lack of supervision. In any case, if the Data Controller considers that some data involuntarily collected refer to natural persons under the age of fourteen, it will proceed without delay to the destruction of the same.
TREATMENTS CARRIED OUT THROUGH THIS WEBSITE TO USERS
General information.
In carrying out the treatments, the Data Controller uses only the strictly necessary data, which are indicated with the asterisk symbol (*) in the relevant form fields on the website. The data provided will be used only and exclusively to achieve the purposes referred to in the following points (by way of example: the data provided to request information on the activity carried out by the Data Controller will be used only to check the request and not for other purposes, except for the consent of the interested party or legitimate interest of the Data Controller to use the data for different purposes).
PURPOSE OF THE TREATMENT
art. 13 par. 1 letter c) GDPR
LEGAL BASIS OF THE PROCESSING
art. 13 par. 1 letter c) GDPR
DATA RETENTION PERIOD
art. 13 par. 2 lett. a) GDPR
For what reasons / purposes does the Data Controller process the data of the interested party? What justifies this treatment? How long will the Data Controller keep the data of the interested party?
To allow navigation on the website.

By simply browsing, no identification data will be collected. However, for the purposes of the normal operation of the website it is possible that the computer system acquires some information whose transmission is implicit in the internet communication protocols (e.g. log files). Furthermore, through the use of cookies, information will be collected that the user does not provide directly (see the Cookie Policy). In any case, this is information that is not collected in order to make an association with identified interested parties, but which, given its very nature, could still allow third parties to identify the user, through processing and associations with other data already in their possession.
Depending on the case, the legal basis could lie in the consent pursuant to art. 22 GDPR (see Information on cookies) or on legal obligations and / or legitimate interest of third parties (Article 6 paragraph 1 letter b) and f) GDPR). Except for what will be said about cookies, the Data Controller does not keep any data provided by the user through simple navigation.
To fulfill legislative obligations.
The data provided by the interested party will be used for the fulfillment of legislative obligations (for example of a fiscal and / or accounting nature) provided for by national, European or supranational legislation.
The legal basis of this data processing lies in the fulfillment of a legal obligation to which the Data Controller is subject (Article 6 paragraph 1 letter c) of the GDPR). The retention period depends on the rule applied by the Data Controller at the time of processing.
For the purposes of ascertaining, exercising or defending rights.
The data provided by the interested party will be processed, if necessary, also for the assessment, exercise or defense of the rights of the Data Controller in court.
What legitimizes this processing is the legitimate interest of the Data Controller (Article 6 par. 1 letter f) of the GDPR). In fact, if a dispute / litigation arises between the interested party and the Data Controller, the latter will be entitled to process the data of the interested party to assert its case. The Data Controller keeps the data of the interested party for this purpose only if there is a reasonable probability of having to take legal action. In the event of a dispute, the data will be kept until the final decision.
To provide general information on the Data Controller's activity and / or for technical support needs, or to respond to partner requests.
By filling out the "Contacts" form on the website (in particular under: "Request Information", "Request technical support", "Request to become a partner"), the user provides his / her personal data, which will be processed by the Data Controller to respond to requests for information from the interested party or to provide the technical support likewise requested by the interested party.
The legal basis lies in the execution of pre-contractual measures adopted at the request of the interested party (Article 6 paragraph 1 letter b) GDPR). The data of the interested party will be kept for the time necessary to carry out the information release service: after this deadline, the data will be immediately deleted.
The Data Controller immediately informs the interested party that - in the case of stipulation of the contract - the company will keep the data for a maximum period of 10 years from the termination of the contractual relationship, for the purposes of legal, fiscal and accounting protection to which the Data Controller is subject by law.
To send the user advertising communications following the request and making the eBook available.
By filling out the "Contacts" form on the website (in particular under: "Request eBook"), the user provides his / her personal data to receive the chosen eBook. The user is immediately informed that the receipt of the eBook is subject to the subsequent receipt of advertising messages from the Data Controller (for more information on the concept of advertising, see the next section on "direct marketing", to be considered - where compatible - as an integral part of this processing activity).
The legal basis lies in the (optional) consent of the interested party, pursuant to art. 6 par. 1 letter a) of the GDPR. In the case of consent, the data will be kept - for sending advertising communications - until the withdrawal of the consent referred to in art. 7 GDPR. The withdrawal of consent does not affect the lawfulness of the processing based on consent before the withdrawal.
For sending advertising communications.
(so-called Direct Marketing).

The information provided in this section will be applied whenever, while browsing this website, the user is asked to provide their data and their consent for the receipt of advertising material or commercial communications, offers and promotions, direct sales, or for carrying out market research or opinion polls (hereinafter, collectively defined as "direct marketing").
The legal basis is:
1) in the consent (optional) pursuant to art. 6 par. 1 letter a) GDPR of the interested party;
2) in art. 130 paragraph 4 new Privacy Code, but only in the case of processing via e-mail and for sending communications relating to services similar to those already "sold" to the Customer;
3) in the legitimate interest pursuant to art. 6 par. 1 letter f) (in combination with Recital n.47 GDPR) when the interested party expects such processing by the Data Controller and this does not affect his rights and freedoms.
4) in the case of communications carried out with a telephone operator, such processing is precluded with respect to an interested party who is registered in the Register of Oppositions.
1) In the case of consent, the data will be kept for this purpose until the withdrawal of the consent pursuant to art. 7 GDPR. The withdrawal of consent does not affect the lawfulness of the processing based on consent before the withdrawal;
2) - 3) instead, in the case of processing carried out pursuant to art. 130 paragraph 4 new Privacy Code and art. 6 par. 1 letter f) GDPR the data will be kept for this purpose until the opposition pursuant to art. 21 GDPR by the interested party, to be asserted from the beginning of the treatment or during its protraction.
To review the job offer from the user
(see application form)

The following data will be processed by the Data Controller to examine the professional profile of the candidate in view of his hiring: name, surname, email, telephone, training course, tax code, other data also referable to minors if the candidate is under 18 years old. The interested party is advised not to indicate data of a "sensitive nature" (those listed in Article 9 of EU Reg. 679/2016, such as, for example, health data, etc.), unless this is strictly necessary. Data of a judicial nature will not be processed in any way (Article 10 of the GDPR), therefore the interested party is obliged not to provide them.
If the candidate provides his "public social network profile" (such as that of Facebook, Instagram, LinkedIn, etc.), the data entered will be processed by the Data Controller only where necessary and relevant for the execution of the work to which the candidate's application is addressed (example: if the candidate proposes himself as a social media manager and has a social profile useful for promoting his aptitudes / abilities, then the Data Controller may lawfully process the aforementioned data). No social profile (not even public) used by the interested party for mere private purposes will be considered by the Data Controller, therefore the interested party is requested not to enter this information in his CV.
The processing is lawful as it is carried out for the execution of pre-contractual measures adopted at the request of the interested party (pursuant to Article 6 par. 1 letter b) GDPR). In fact, the sending of one's CV or other data relating to the professional / working sphere - and the subsequent screening of the profile by the Data Controller - has the purpose of determining whether or not the employment relationship is established. In any case, the consent at the bottom of the CV must be issued in the event that the interested party decides to provide the Data Controller also with data of a "sensitive nature" ("I give my explicit consent to the processing of 'sensitive' data that I provide through this CV", with indication of the date and your signature). The retention period depends on whether or not the employment relationship is established. In fact, in the event that the Data Controller is not interested in the profile, he will immediately delete the candidate's data. On the other hand, in the case of profiles that are interesting but not necessary at the time of presentation, the Data Controller will keep the data for a maximum period of 15 months. Finally, in the case of stipulation of the employment contract with the candidate, the Data Controller will keep the data of the new employee in accordance with the provisions of the "Information for employees" that will be provided for this purpose.
For registration purposes on the EXSAFE Platform.
By clicking the "Register now" button, the user accesses the registration form. Filling out the form with the user's personal data allows the latter to access a first questionnaire on Risk Management or to purchase the product in the online store.
The processing is lawful as it is carried out on the basis of the execution of pre-contractual or contractual measures adopted at the request of the user (Article 6 paragraph 1 letter b) GDPR). In any case, the Data Controller requires the consent of the interested party pursuant to art. 6 par. 1 letter a) GDPR. The data provided for these purposes will be kept - in the case of mere compilation of a first test questionnaire - for 3 months, except in the case of subsequent purchase of the product, since - in the latter circumstance - the data will be kept for 10 years from the termination of the contractual relationship.
To purchase the product through the online store
(so-called Ecommerce)

After registering, the user - having chosen the product to purchase - must proceed with the payment by:
PayPal (see privacy policy below):
https://www.paypal.com/it/webapps/mpp/ua/privacy-full
Credit card: see the privacy policy of your credit institution.
Bank transfer: the Data Controller will process the data provided through the payment by bank transfer only for the purpose of executing the contract.
The processing is carried out on the basis of the execution of contractual measures adopted at the request of the interested party (Article 6 paragraph 1 letter b) GDPR). The data provided for this purpose will be kept for a maximum period of 10 years from the termination of the effects of the contract, for the purposes of legal, fiscal and accounting protection to which the Data Controller is subject by law.
To provide the Risk-Management service
(via Exsafe Platform)

Once the product has been purchased - through the online shop or "offline" (i.e. with traditional systems) - the interested party completes the questionnaire for the execution of the Risk Management service. The data entered will be used exclusively for the fulfillment of the aforementioned service.
In this platform, the data of natural persons who work in favor of the customer of ExSafe Srl may also be entered: the data of these persons will be used exclusively for the execution of the Risk Management service. In any case, when Exsafe Srl processes the data of these subjects, it operates as the data processor.
The processing is carried out for the execution of contractual measures (Article 6 paragraph 1 letter b) GDPR). The data provided for this purpose will be kept for a maximum period of 10 years from the termination of the effects of the contract, for the purposes of legal, fiscal and accounting protection to which the Data Controller is subject by law.
To provide information.
Using the email address, telephone number or other contact details that the Data Controller has published on its website, the user provides his / her personal data (for example - at the time of the telephone call - his / her name, surname, telephone number, etc.). The purpose of the processing is to respond to requests for information from the interested party.
The legal basis of the processing consists in the execution of pre-contractual measures adopted at the request of the interested party (Article 6 paragraph 1 letter b) GDPR), such as requests for information on the activity and services offered by the Data Controller, etc.; or in the user's consent (Article 6 letter a) GDPR), which the user will expressly declare by contacting the Data Controller; or in the legitimate interest of the Data Controller (Article 6 paragraph 1 letter f) GDPR). The data of the interested party will be kept for the time necessary for the Data Controller to process the information service, and will subsequently be deleted.
INFORMATION ON COOKIES
Information on cookies and automated systems similar to cookies are made available to the user by clicking on the appropriate link called "COOKIE POLICY" located in the footer of the website. For completeness, the Data Controller, at the conclusion of this Site Privacy Policy, also provides the aforementioned Cookie Policy.
LIST OF TREATMENTS
METHOD OF TREATMENT
art. 13 GDPR
MANDATORY PROVISION OF DATA
art. 13 par. 2 lett. e)
With what systems does the Data Controller carry out this treatment? Is the interested party obliged to provide their data to the Data Controller? Consequences in case of failure to provide.
To allow navigation on the website. Processing carried out exclusively through IT systems. The interested party is not obliged to provide their data.
Failure to provide it does not allow navigation.
To fulfill legislative obligations. The system depends on legal obligations; in fact, it is sometimes the legislative discipline that provides for the methods of carrying out the processing (see, for example, on electronic invoicing). Not relevant.
For the purposes of ascertaining, exercising or defending rights. Processing carried out using IT systems (for example with the use of email, PEC, telematic platform, management systems, etc.) and paper systems (for example, through the drafting of judicial documents, warnings, printing of documents, paper mail, etc.). Sometimes, the system depends on legal obligations (see PCT). Not relevant.
To provide general information on the Data Controller's activity and / or for technical support needs, or to respond to partner requests. Processing carried out using IT systems, for example by email or telephone. The interested party is not obliged to provide the data.
Failure to provide it does not allow the Data Controller to provide the data subject with the requested information.
To send the user advertising communications following the request and making the eBook available. The eBook sending processing is carried out by means of a computer system (sending an e-mail message).
As regards, however, the methods of sending advertising communications, see the next section on "direct marketing" (to be considered - where compatible - as an integral part of this processing activity).
The interested party is not obliged to provide the data.
Failure to provide, however, does not allow:
- to receive the eBook;
- to receive advertising communications.
For sending advertising communications.
(so-called Direct Marketing).
Communications relating to "Direct Marketing" are made through "automated" systems (such as, for example, by email, fax, text message, telephone calls without the aid of an operator, social networks, interactive applications, push notifications) and using "traditional" systems (such as, for example, by paper mail and / or calls with an operator). It should be noted that the consent collected for the processing with "automated systems" legitimizes the Data Controller to use the same data also for carrying out communications using "traditional systems". In any case, the interested party has the right to oppose any unwanted processing method (for example, by expressing their desire to only receive communications via email). The provision of personal data is not mandatory.
In case of failure to provide data to receive marketing communications, the interested party will not be able to obtain more information on the activity and services that the Data Controller performs, etc.
To review the job offer from the user
(see application form)
This treatment is carried out with computer systems (email, use of personal computers and other management systems, etc.) and paper systems (with printing of the CV). The provision of such data is not mandatory.
Failure to provide it does not allow the Data Controller to examine the candidate's professional profile, nor the candidate to (at least potentially) become part of our team.
For registration purposes on the EXSAFE Platform. This treatment is carried out exclusively with IT systems (use of the Exsafe Platform and e-mail). The provision of data is not mandatory.
Failure to provide it does not allow the user to purchase the product.
To purchase the product through the online store
(so-called Ecommerce)
This treatment is carried out exclusively with IT systems (use of the Exsafe Platform and e-mail). The provision of data is not mandatory.
Failure to provide it does not allow the user to purchase the product.
To provide the Risk Management service
(via EXSAFE Platform)
This treatment is carried out exclusively with IT systems (use of the Exsafe Platform and e-mail). The provision of data is not mandatory.
Failure to provide it does not allow the user to purchase the product.
DIFFUSION AND TRANSFER OF DATA TO COUNTRIES NOT BELONGING TO THE EUROPEAN UNION OR TO INTERNATIONAL ORGANIZATIONS
art. 13 par. 1 letter f).
The Data Controller undertakes not to disseminate or transfer user data to non-EU countries. In the case of transfers, the Data Controller guarantees the application of the rules referred to in articles 44 and following of the GDPR. For any information, please contact the email address already reported.
RIGHTS OF THE INTERESTED PARTY - COMPLAINT TO THE SUPERVISORY AUTHORITY
What are the rights of the interested party who has given their data to the Data Controller?
The interested party - i.e. the person who makes his / her personal data available to the Data Controller - holds the following rights:
- the right to ask the Data Controller for access to personal data, i.e. to know which data the Data Controller processes (Article 15 of the GDPR);
- the right to obtain rectification, i.e. the right to have their data modified if they have changed (Article 16 of the GDPR);
- the right to limit the processing that concerns him, i.e. to limit the use of data by the Data Controller (Article 18 of the GDPR);
- the right to object, for legitimate reasons, to their treatment (Article 21 of the GDPR);
- the right to data portability, i.e. the right to receive all personal data processed by the Data Controller in a structured and readable format on an IT medium (Article 20 of the GDPR);
- the right to request the cancellation of their data from the Data Controller (Article 17 of the GDPR);
- the right to revoke the explicit consent previously given at any time, without prejudice to the lawfulness of the processing carried out up to that moment (Article 7 - 13 GDPR);
- the right to lodge a complaint with the Guarantor for the protection of personal data in the event of violations of the law (Article 77 of the GDPR).
Requests can be addressed to the Data Controller, without formalities, at the following address: HELLO@EXSAFE.IT