POLICY FOR THE PROCESSING OF PERSONAL DATA

This Policy defines how Davis & Morgan S.p.A., with registered office in Piazzetta Bossi 1, 20121, Milano (MI), (hereinafter “Data Controller”), collects personal data that may be acquired as a result of the consultation of its website www.davismorgan.it (the “Site), or by sending requests for information, curricula, etc., as well as through the use of “cookies”, processing then in compliance with the principles of protection of personal data as established with the entry into force of the EU Regulation 679/2016 and with the Legislative Decree 196/2003 in force today (hereinafter, the “GDPR”) and by the other regulations in force on the subject.

1. Type of information and data 

The Data Controller may collect and process the following types of information and data from the data subject (afterwards “Data Subject”):

  • General personal data: first and last name, e-mail address, gender, home address, telephone number, date of birth, nationality. 
  • Data disclosed by the Data Subject for potential job applications: in addition to general data, marital status, employment status, languages spoken, test results, criminal record information, work experience information, etc.
  • Data disclosed by the Data Subject, relating to personal opinions about the service and information received, as part of surveys offered by the Data Controller.

2.Purpose of processing

Except as already specified above, the personal data provided by users who forward, to the addresses published on the Site, requests for information material or applications for professional positions at our office, are used for the sole purpose of sending the requested information,evaluating the submitted applications, providing information and/or news and/or sending communications through newsletters. 

Only following the consent communicated by the interested party in the procedure of requesting information or sending his/her application, the Data Controller may process the personal data of the interested party for the purpose of sending marketing communications, invitations to participate in events, including virtual events and/or webinars or other activities of the Data Controller, as well as for the processing of surveys on the evaluation of the Site and the services rendered by the Data Controller. The Data Subject may always revoke his/her consent at any time, as described in Section 12 below.

In addiction, the personal data of the interested party will be processed for purpose related to the performance of any contractual obligation towards him/her, the obligations provided by the laws, regulations and EU legislation, as well as in compliance with the measures prescribed by the Privacy Guarantor, as well as for the exercise of the rights of the Controller, for example, the right of defense in court. 

In addition, the Data Controller assumes, collects and processes all the information and personal data of the assigned debtors in the credit assignment transactions of the Data Controller, who, by taking over the credit position, acquires all the rights and obligations arising therefrom, including the right to the processing of personal data to which the clients have consented in signing the economic relationship with the originating/assigning counterparty (assigning creditor). 

3. Legal basis of processing 

The Data Controller processes data lawfully, where the processing: 

  • is necessary for the management, development and execution of the requests received from the Data Controller; 
  • is necessary to fulfill obligations under the law, a regulation, EU legislation or an order of the Public Authority;
  • is based on express consent, where required. 

4. Modalities of processing 

The processing of personal data is carried out by means of the operations indicated in Article 4 No. 2) GDPR and precisely: collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of data. The Data Subject’s personal data are processed both in paper and electronic and/or automated form. 

5. Retention of Data 

The personal data collected by the Data Controller will be retained for the period necessary to fulfill the purpose for which it was collected or to satisfy the Data Subject’s requests, as well as for the period of one year if the Data Subject has provided data for the purpose of applying for job positions at our company. 

According to Article 7 paragraph 3 of the GDPR, the data subject has the right to obtain at any time the revocation of consent to the processing. For the request of cancellation of their personal data, the Data Subject may send a request to the e-mail address dpo@davismorgan.it

The Data Controller reserves the right to retain the data for a longer period of time due to requirements to comply with legal obligations or to protect the rights of the Data Controller or third parties in court. 

6. Data Security

The Data Controller adopts security measures and organizational techniques aimed at protecting data and ensuring a level of security appropriate to the risk of loss, misuse or alteration, as established under Article 32 et seq. of the GDPR. 

The Data Controller strives to protect the security of personal information during its transmission and storage by using encryption protocols and software. In addition, the Data Controller limits access to the Data Subject’s personal information to employees, consultants, and other third parties who have a need to know.

7. Access to data 

The personal data collected may be processed by individuals or categories of individuals who act as Data Processors according to Article 28 of the Regulation or who are authorized to process the data according to Article 29 of the Regulation. 

The data may be made accessible for the above purposes:

  • to employees and collaborators of the Data Controller in their capacity as co-owners and/or appointees and/or internal data processors, as well as to the Data Protection Officer (Data Protection Officer);
  • to third party companies or other entities (by way of example but not limited to: professional firms, consultants, insurance companies for the provision of insurance services, etc.) that perform outsourcing activities on behalf of Data Controller, in their capacity as external data processors, appointed for this purpose; 
  • to companies that collaborate or use the services of Data Controller, with the sole purpose of providing services requested by the Data Subject or for the execution of information activities towards the latter and/or newsletters and/or marketing activities. In these cases, the companies are autonomous owners, so the Data Controller is not responsible for the data processing by them. The Data Controller is also not responsible for the content and compliance with data protection regulations by sites not operated by the Data Controller; 
  • to Competent Authorities: the Data Controller may be required by law or a court to disclose certain information about the Data Subject or any commitment to the Data Subject to regulatory, law enforcement, and/or other competent authorities. Information regarding Data Subjects may be released to judicial authorities as required by law. 

8. Communication of data   

Without the need for express consent (ex art. 6 lett. b) and c) GDPR), the Data Collector may communicate the data of the Data Subject for the purpose referred to in art. 2 to supervisory bodies (such as Bank of Italy), judicial authorities, insurance companies for the provision of insurance services, as well as those subjects to whom the communication is mandatory by law for the  fulfillment of the said purposes. These subjects will process the data in their capacity as autonomous controllers.

In addition, the data may be made accessible, again for the above purpose: 

  • employees and collaborators of the Data Controller, in their capacity as co-owners and/or appointees and/or internal data processors and/or systems administrators;
  • to third parties who perform outsourcing activities on behalf of the Data Controller, in their capacity as external data processors and who will be, in this regard, appointed. 

The Data Subject’s data are not subject to disclosure or to any fully automated decision-making process, including profiling. 

9. Data transfer 

Personal data are stored on servers located within the European Union. It is in any case understood that the Data Controller, where necessary, will also have the right to move the servers outside the EU. In this case, the Data Controller assures as of now that the transfer of data outside the EU will take place in accordance with the applicable legal provisions, upon stipulation of the standard contractual clauses provided by European Commision. 

10. Collection of navigation data 

The computer systems and the technical and software procedures underlying the operation of the Site acquire, in the course of their normal operations, certain personal data whose transmission is implicit in the access and operation mechanics and protocols in use on the Internet. 

Each time interested parties connect to the Site and each time they requested content, access data is stored at the Data Controller’s systems, in the form of tabular or linear data files. 

This category of data includes, for example, IP addresses the domain names of the computers used by the interested parties connecting to the site, the request from user’s browser, in the form of addresses in URI (Uniform Resource Identifier) notation, the date and time of request to the server, the method used in submitting the request to the server, the amount of data transmitted, the numerical code indicating the status of response given by the server and other parameters related to the operating system and the computer environment of the interested party. 

This data may be used by the Data Controller for the sole purpose of obtaining anonymous statistical information on the use of the Site in order to identify the pages preferred by the interested parties and provide increasingly appropriate content and to monitor its proper functioning. At the request of the Authority, the data could be used to verify the responsibility in case of hypothetical computer crimes against the Data Controller, the Site or the Data Subject. 

11. About cookies, search engines and location data

Cookies are intended to speed up the analysis of Internet traffic, make it easier for interested parties to access the services offered by the Site, and provide useful and relevant advertising to visitors. With the use of cookies, no personal data is transmitted or acquired and no systems are used to track interested parties. If the interested party does not want the information he provides to be collected through the use of cookies, he can implement a simple procedure present in his browser that allows him to refuse the cookies function. 

When the Site is used with the location tracking function enabled, it may collect and process real-time location information about the Data Subject. This data is processed anonymously, in a format that does not personally identify the Data Subject, and used for the sole purpose of facilitating the use of certain location-based features of the Site. Location services can be enabled or disabled by the Data Subjects at any time by accessing their device settings. 

For more information, please view the Use of Cookies Page. 

12. Rights of Data Subject

The Data Subject, according to Article 15 et seq. GDPR, may: 

i. obtain confirmation of the existence or otherwise of personal data relating to him, even if not yet registered, and their communication in intelligible form or that they be directly transmitted to third parties (“data portability”);

ii. obtain on indication of: a) the origin of personal data, b) the purpose and methods of processing, c) the logic applied in case of processing carried out with the aid of electronic instruments, d) the identification detail of the owner, managers and designated representative, e): the subjects or categories of subjects to whom the data may be communicated or who may become aware of them as designated representative in the territory of the State, managers or appointees;

iii. obtain: a) the updating, rectification or, when interested, the integration of data; b) the cancellation, transformation into anonymous form or blocking of data processed in violation of the law, including those that do not need to be kept for the purpose for which the data were collected or subsequently processed; c) certification to the effect that the operations as per letters a) and b) have been notified, as also related to their contents to the entities to whom or which the data were communicated or disseminated, unless this requirement proves impossible or involves manifestly disproportionate effort compared with the right that is to be protected; 

iv. object, in all or in part: a) on legitimate grounds, to the processing of personal data relating to him, even if pertinent to the purpose of collection; b) to lodge a complaint with the Data Protection Authority (www.garanteprivacy.it)

13. Contact details

The Data Controller is Davis & Morgan S.p.A., with registered office in Piazzetta Maurilio Bossi, 1 – 20121 Milan (MI). 

The Data Protection Officer can be contacted by the Data Subject at the following email address dpo@davismorgan.it 

The update list of any data controllers and data processors is stored at the register office of the Data Controller. 

14. Methods of exercising rights

You may at any time exercise your right as stated in section 10 above by sending: 

  • a registered letter with return receipt to Davis & Morgan S.p.A. – Registered office in Piazzetta Maurilio Bossi 1 – 20121 Milan (MI) or by pec: davismorgan@legalmail.it
  • an e-mail to dpo@davismorgan.it