AIMS AND TARGETS
The management has defined and communicated this Privacy Management policy and is committed to keeping it in force at all levels of the organisation.
The aim of this policy is:
to guarantee the safeguarding and protection of the information and data handled in the company's activities against all internal and external, intentional or accidental threats, in accordance with the provisions of D.Lgs. 196/03 and EU Reg. 679/2016.
SCOPE OF APPLICATION
This policy applies without distinction to all of the Company's bodies and organisational levels.
Execution of this policy is mandatory for all staff and must be included in the terms of agreements with any external party who, in any capacity, may be involved in the handling of data within the scope of the Data Privacy Management System.
The company permits information to be communicated and disseminated externally only where this is needed for the proper performance of company activities, which must be carried out in compliance with binding rules and regulations.
OUR POLICY FOR DATA SECURITY
The body of information to be protected consists of all the information handled through the services provided and held in all of the company's offices.
What needs to be guaranteed is:
• confidentiality of information: information must be accessible only to those who are authorised.
• integrity of information: the accuracy and completeness of information, and of the methods used to process it, must be protected.
• availability of information: authorised users must actually be able to access information and the related assets whenever they need to.
Inadequate security may result in damage to the corporate image, customer dissatisfaction, the risk of sanctions for breaching the laws and regulations in force, and economic and financial loss.
Suitable security levels are also a prerequisite for sharing information.
A dedicated register of the data processed is established and kept by each person in charge of data handling and, where applicable, by the Data Controller, under their own responsibility.
Furthermore, the company identifies its security needs by means of a data protection impact assessment, which gives it awareness of how exposed its data-handling systems are to threats.
Risk assessment makes it possible to evaluate the potential consequences and damage that could arise from failing to apply security measures to the information system, and to assess the actual likelihood that the identified threats will occur.
The results of this assessment determine the actions needed to identify correct and suitable security measures and mechanisms that guarantee the protection of personal data.
The general principles of information security management cover several aspects:
- A constantly updated inventory of the corporate assets relevant to information handling must be maintained, and an owner must be appointed for each asset. Information must be classified according to its level of criticality.
- To guarantee the security of information, every access to the systems must go through an identification and authentication procedure. Access authorisations must be differentiated according to each individual's role and duties, so that every user can access only the information they need, and must be reviewed regularly.
- Procedures for the safe use of corporate assets, information and management systems must be defined.
- Full awareness of information security issues must be encouraged among all staff (employees and collaborators), from the moment of recruitment and throughout the entire duration of the working relationship.
- In order to deal with incidents in a timely manner, everybody must report any security-related issue. Each incident must be handled according to the established procedures.
- Unauthorised access to offices and to the individual corporate spaces where information is handled must be prevented, and the security of equipment must be guaranteed.
- Compliance with legal requirements, and with information security principles in agreements with third parties, must be guaranteed.
- A continuity plan must be drawn up that allows the company to deal effectively with unexpected events, guaranteeing the restoration of critical services within timeframes and in ways that limit the negative consequences for the company's mission.
- Security aspects must be included in all stages of planning, development, operation, maintenance, support and decommissioning of systems and IT services.
- Compliance with statutory and regulatory provisions, contractual obligations and any other information security requirement must be guaranteed, minimising the risk of legal or administrative sanctions, significant losses or damage to the company's reputation.
COMPLIANCE AND EXECUTION RESPONSIBILITY
Compliance with and execution of the policy are the responsibility of:
1- All staff who, under any title, collaborate with the company and are in any way involved in the handling of information within the scope of the Privacy Management System. All staff are also responsible for reporting any anomalies and violations they become aware of.
2- All external parties having relationships and collaborating with the company. They must guarantee compliance with the contents of this policy.
The Privacy Officer, who, within the Management System and by means of suitable regulations and procedures, is responsible for:
• conducting a risk analysis using suitable methodologies and adopting all measures necessary for risk management;
• establishing all rules necessary for the safe performance of all corporate activities;
• verifying security violations and adopting the necessary countermeasures, while monitoring the company's exposure to its main threats and risks;
• organising training and promoting staff awareness of security and information security;
• regularly verifying the efficiency and effectiveness of the Privacy Management System.
Should anyone, from employees to consultants and/or external collaborators of the Company, fail to meet the established security rules, whether intentionally or through negligence, and thus cause damage to the company, they may be pursued in the appropriate fora in full compliance with the law and contractual obligations.
The management shall verify regularly, at least annually or in conjunction with significant changes, the effectiveness and efficiency of the Privacy Management System, so as to provide suitable support for the introduction of all necessary improvements. This fosters a continual process through which the policy is monitored and adjusted in response to changes in the corporate environment and in business and legal conditions.
The review shall take into account all changes that may affect the company's approach to the management of information security, including organisational changes, the technical environment, the availability of resources, legal, regulatory or contractual conditions, and the results of previous reviews.
The outcome of the review will include all decisions and related actions aimed at improving the company's approach to the management of information security.
COMMITMENT ON THE PART OF MANAGEMENT
The management supports the activities related to the management of corporate privacy through clear direction, a visible commitment expressed through formal appointments, and acknowledgement of the responsibilities related to information security.
The management's commitment is carried out through a dedicated function whose tasks are:
- to ensure that all information security objectives have been identified and meet corporate requirements;
- to establish corporate roles and responsibilities for the development and maintenance of the Privacy Management System (PMS);
- to provide sufficient resources for planning, implementing, organising, controlling, reviewing, managing and continually improving the PMS;
- to check that the PMS has been integrated into all corporate processes and that procedures and controls are developed effectively;
- to approve and support all initiatives aimed at improving information security;
- to activate plans for spreading awareness and a culture of information security.
We acknowledge our responsibility and commit to protecting the personal data that users entrust to our company from loss, misuse or unauthorised access. To protect users' personal data, our company relies on a series of protective technologies and corporate procedures. For instance, we use access controls, firewalls and protected servers, and we apply encryption to certain types of data, such as financial information and other sensitive data.