This policy is intended to provide maximum transparency regarding the methods of processing personal data of visitors / users acquired by La Sia Srl with sole shareholder (hereinafter also simply La Sia) through the site www.lasia.it (hereinafter also simply the Site).
La Sia is aware of the importance of the protection of personal data and, therefore, processes all the information acquired with extreme care, guaranteeing its security and confidentiality during their processing.
By “processing” of personal data is meant any type of collection, recording, storage, consultation, modification, extraction, printing, use, dissemination, communication, cancellation or destruction of personal data.
The Data Controller (ie the subject that determines the purposes and means of processing the personal data collected) is “La Sia Srl with sole shareholder”, based in Rome, Via Luigi Schiavonetti n. 286 (00141), in the person of the Sole Managing Director.
This policy is drafted in accordance with Legislative Decree June 30, 2003, n. 196, Code regarding the protection of personal data (so-called “Privacy Code”) as modified and integrated by the European Regulation n. 2016/679 and the subsequent implementation of Legislative Decree 101/2018.
The European Regulation n. 2016/679, better known as “GDPR”, is a European regulation on the processing of personal data with which the European Commission wanted to strengthen and make more homogeneous the protection of personal data of citizens and residents of the Union European Union (EU), both within and outside European borders.
La Sia, wanting to implement the fundamental principles established in the aforementioned legislation, informs the users of its website (hereinafter also “data subjects”, as defined by the GDPR and the Privacy Code) of the following general profiles, valid for all the areas of processing :
the collected data is processed in a lawful, correct and transparent way towards the data subject;
the data is collected and processed only for the purposes indicated in this Policy and with the consent of the data subjects if required by current legislation;
the data collected are adequate and pertinent with the purpose and are not collected to a greater extent than necessary according to the so-called minimization principle;
the data are collected and processed for the time strictly necessary to pursue the purposes described and for a predetermined time, beyond which they will be deleted, destroyed or anonymised;
specific security measures are observed to prevent unauthorized access, prevent the loss of data or their illegal or incorrect use;
the personal data collected will not be shared, sold, made available or communicated to subjects other than those indicated in this Policy.
Browsing data and data collected in order to verify the correct functioning of the Website
During their normal operation, computer systems and software procedures used to operate this website acquire personal data, the transmission of which is implicit in the use of internet communication protocols. As a result, mere access to the site implies the acquisition by the web servers of information and data relating to the user.
This category of data includes:
System logs such as the User IP address, the type of browser used and the name of the Internet service provider (ISP),
This category includes IP addresses or domain names of the computers used to connect to the website, URI (Uniform Resource Identifier) addresses of the requested resources, timestamp of the request, method used to submit the request to the server, size of the file obtained in response, numerical code indicating the server response status (successful, error etc.) and other parameters pertaining to the user’s operating system and IT environment.
Data submitted voluntarily by users
The optional, explicit and voluntary sending of emails to the addresses indicated on this website entails the subsequent acquisition of the sender’s address, which is necessary to reply to requests, as well as any other personal data included in the messages.
The optional and voluntary compilation of the Form inserted in the Careers section and aimed at the collection of CVs, involves the acquisition of the name and e-mail address of the data subject as well as the additional personal data included in the CV.
The data processing may have the following purposes:
execution by the data controller of activities aimed at satisfying requests made, from time to time, by the user through this website and/or by e-mail;
carrying out of personnel evaluation, selection and recruitment activities;
purposes related to the obligations established by applicable laws or regulations, as well as by provisions imparted by the competent supervisory and control authorities , as well as purposes related to the right of the owner to exercise his right of defense.
purposes connected, instrumental and necessary for the provision of the Website (operation and maintenance), for the purpose of statistical analysis and site security in order to identify anomalies and / or abuses. In this regard, we inform users that the navigation data and the correct functioning of the web pages of our Site will be used to establish responsibility in the event of cyber crimes.
With reference to the purposes referred to in point 5, letters a) and b) above, the legal basis of the processing is the legitimate interest of the Data Controller to respond to spontaneous contact / information requests sent by users or carry out the evaluation activity of curriculum vitae, selection and professional recruitment. There is therefore no obligation to provide data but failure to provide it may make it impossible to receive the service.
With reference to the purposes referred to in point 5, letter c) above, consent to the processing of data is not required since the provision of data is necessary to fulfill a legal obligation to which the Data Controller is subject, or for the execution of a task of public interest or for the exercise of public powers with which it is invested.
The processing of personal data will be carried out:
with organizational methods and with logic strictly related to the purposes indicated;
through the use of paper and electronic tools, including the use of e-mail or other remote communication techniques. The Data Controller will use the same methods in the case of communication of data to third parties, as better specified in the following point 9.
by categories of subjects authorized to perform these duties;
with the use of adequate security measures to guarantee the confidentiality and protection of data and to prevent unauthorized subjects from accessing them, disclosing, modifying or destroying them;
there will be no automated decision-making processes;
no data will be processed for scientific or historical research purposes and will not be profiled.
It should be noted that La Sia does not use automated decision-making processes, including profiling. This means that no data will be used to analyze or predict aspects of professional performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements of a natural person.
The data will be stored in paper archives located at the headquarters of the Data Controller and in electronic archives located both at the same office and at the Data Center of the Aruba Spa Web Hosting. The web hosting is Data Processor for the processing and processes the data on behalf of the Data Controller . Both the Data Controller and the web Hosting are located in the European Economic Area and act in accordance with European standards (https://www.aruba.it/gdpr-regolazione-europeo-privacy.aspx);
As regards the purpose referred to in point 5, letter a) above, the data will be kept for the time strictly necessary to satisfy the requests made;
As regards the purpose referred to in point 5, letter b) above, the data for the selection and recruitment of personnel will be kept for 24 months from the sending of the CV;
With regard to the purposes referred to in point 5, letter c) above, the data will be kept for the period of time necessary for the fulfillment of any legal obligations and for the related protection needs;
As for the purpose referred to in point 5, letter d) above, the data collected by the website will be kept for the time strictly necessary for its operation and the activities connected to it.
At the end of the retention period the Personal Data will be erased. Therefore, upon expiry of that period, the right of access, deletion, rectification and the right to data portability, as described in point 10) below, can no longer be exercised.
The data collected and processed may be communicated:
for the purposes referred to in point 5, letters a), b) and c), or under specific legal obligations – to other subjects and in particular employees and collaborators of the Data Controller, in the context of their duties, or to consultants who assist the Data Controller in satisfying requests (for example, law, tax and / or labor consultancy firms);
La Sia does not disclose users’ personal data or transfer them to non-EU countries.
Pursuant to European Regulation 679/2016 (GDPR) and national legislation, in accordance with the procedures and within the limits established by current legislation, the data subjects may exercise the following rights:
Right of access (Article 15, GDPR)
The data subject has the right to obtain from the controller confirmation that personal data concerning him or her are being processed and, in this case, to obtain access to personal data and certain information specifically indicated in art. 15 of the GDPR.
Right of rectification (Article 16, GDPR)
The data subject has the right to obtain from the data controller the correction of inaccurate personal data, concerning him or her, without undue delay. Taking into account the purposes of the processing, the Data Subject has the right to have incomplete personal data completed, including by providing a supplementary statement.
Right to data erasure (Article 17, GDPR)
Data subjects have the right to obtain, from the Controller without undue delay, the erasure of personal data relating to them. The Controller is obliged to erase personal data without undue delay, unless there are grounds for not exercising that right.
Right to restriction of processing (Article 18, GDPR)
Data subjects have the right to obtain, where possible, limitation to the processing of their personal data.
Right to data portability (Article 20, GDPR)
The data subject, if the treatment is based on consent or on a contract and is carried out by automated means, has the right to receive the personal data that he has provided to the data controller in a structured, commonly used and machine-readable format and, where technically feasible, to obtain an unhindered transfer to another controller.
Right to object (Article 21, GDPR)
The data subject has the right to object at any time, for reasons related to his particular situation, to the processing of personal data based on the legitimate interest of the Data Controller or the consent of the data subject, including profiling, unless he proves that there are compelling legitimate reasons for processing which take precedence over the rights of the data subject.
Automated decision making on natural persons including profiling (Article 22, GDPR)
Data subjects have the right not to be subject to a decision based solely on automated processing, which produces legal effects concerning them or significantly affects them in a similar way.
Right to complain to the supervisory authority (Article 77, GDPR)
Without prejudice to any other administrative or judicial remedy,, the data subject who believes that the processing that concerns him / her violates the discipline regarding the protection of personal data has the right to lodge a complaint with the Data Protection Authority.
To exercise these rights, Users must fill in a specific request and send it, signed and accompanied by an identification document, to the e-mail address: firstname.lastname@example.org or by registered mail to the owner’s office indicated in the previous art. 2. The requests will be processed according to the times and methods indicated in art. 12 of the current European Regulation.
The Data Controller reserves the right to review privacy policies at any time,also by virtue of amendments and updates to the relevant legislation and jurisprudence. In the event of significant changes, appropriate evidence will be given in the home-page of the site for a suitable duration of time. However, data subjects are invited to periodically consult this document.