GDPR


PERSONAL DATA PROCESSING DECLARATION (GENERAL STATEMENT)

(Pursuant to Art. 14 of Regulation (EU) 2016/679 and Articles 7 and 13 of Personal Data Protection Code)

Pursuant to Article 14 of Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter also the "Regulation"), and Articles 7 and 13 of the Personal Data Protection Code, SYSTEM DATA CENTER S.P.A. - Registered and Corporate Office, in Rome, n.198 Acilia street, 00125, vat No.00963321005, provides the following "Information regarding the processing of personal data not obtained from the data subject."

Data Controller: SYSTEM DATA CENTER S.P.A. - Registered and Corporate Office, in Rome, n.198 Acilia street, 00125, vat No.00963321005, is the Controller for the processing of data subjects' personal data, as a function of providing outsourced contact center services, backoffice type, and inbound and outbound call center services on behalf of third parties. Employees working under the direct authority of the Controller have been designated "Appointees'' and have received appropriate tasks and operating instructions. Any information and inquiries with reference to the full list of Data Processors can be forwarded by contacting the "Data Protection Officer” (DPO), who is deputed to protect personal data and facilitate compliance with the measures of the GDPR.

The Data Protection Officer (DPO) appointed by the Board of Directors is Alessio Maria Ciavardini.  


Data subjects to exercise their rights over their personal data, according to Chapter III of the European Regulation - Rights of the Data Subject, may write to the DPO at one of the following email addresses: 

  • Certified Email: Systemdatacenter@pec.it
  • Registered mail: to ATTN of the DPO c/o System Data Center Rome, No.198 Acilia Street 00125.

Purpose of the Processing: The personal data of the data subjects are processed, collected, recorded and stored in the IT archives of the Controller for the supply of: (i) outsourcing services on behalf of third parties, contact center, backoffice, inbound and outbound call center, including credit recovery activities and telemarketing activities for specific sectors such as banking, pharmaceutical, energy and utilities, public administration, home shopping, health care, oil branch, non-profit; and (ii) market research, statistics and direct marketing services.

Lawfulness of Processing: The personal data of the data subjects are used lawfully, with accuracy, in order to accomplish with the legitimate interest of the Controller, pursuant to art. 6, first clause, letter f) of the Regulation, respecting interests, rights and freedoms of the data subject.

Legal Basis of the Processing:The Legal Basis of the Processing of data subjects' personal data is given by the legitimate interest of the Controller, pursuant to art. 6, first clause, letter f) of the Regulation, to execute the service agreements commissioned by third parties, which include the implementation of direct marketing activities, market research and statistics, as well as the execution of outbound, inbound and back office contact center services, always respecting their interests or fundamental rights and freedoms.

Type of data processed: SYSTEM DATA CENTER S.P.A. may process the following data subjects' personal data:

"personal data": an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to personal details such as an identification number, tax code, customer code, location data or contact data, such as telephone numbers and/or email, etc;   

Method of Processing: personal data are mainly processed with the help of computer and telematic tools. In some cases, they can be in paper form. In any case, the Controller shall adopt appropriate systems to ensure maximum security and confidentiality, in compliance with the security measures set forth in Annex B of the Privacy Code, the requirements of the Italian Data Protection Authority (DPA) and in accordance with Art. 32 of Regulation (EU) 2016/679, which include strong authentication procedures for computer authentication of data processors, and appropriate measures to protect data from breach, including those accidental, by not allowed parties, in particular through the use of appropriate encryption techniques. With reference to data transmission, all network components are carefully configured for the purpose of preventing unauthorized access to information. Encryption systems are set before data storage. Access to data is allowed through a log system that records access and operations, storing the log files for an established period with respect to the purposes pursued, the whole by information systems for data processing.

Place of Processing: Personal data of data subjects are processed in Italy at the head office of the Controller, as well as at its branch offices. In addition, processing may take place at the Italian headquarters of the External Data Processors appointed for this purpose. All processing is handled only by technicians assigned for processing, or by any mandated persons.   

Personal Data recipients:Personal data may be communicated by the Controller exclusively to third parties commissioning backoffice, inbound, and outbound contact center services for purposes of credit collection, direct marketing, market research and statistics; as well as companies associated with and/or controlled by the Company, groups and/or other legal entities in which the Company participates as a partner, which may therefore become aware of it acting as Controllers, Data Processors or Appointees. The data will not be disseminated outside the specific recipients, except police force and public authorities, in cases of legal requirements.

Personal Data conservation period: Personal data are processed within the limits of the service carried out, in outsourcing on behalf of third parties, by the Controller in accordance with the Purposes of Processing pursued, in observance of the principle of relevance and non-excessiveness; then, they are deleted and/or anonymized through a "pseudonymization" process, in compliance with the Regulation. 


International data transfers

The Controller does not transfer personal data to other countries or to an international organization.

– Rights of Data Subject:   

Transparent Communications: Pursuant to Art. 7 of the Code for the Protection of Personal Data and Articles 12, 15-22, and 34 of the Regulation, data subjects by contacting the Controller or the DPO may obtain all necessary communications related to the processing in a concise, transparent, intelligible, and easily accessible way, with simple and clear language, particularly in the case of information regarding minors. Information shall be provided in writing or by other means, including, where appropriate, by electronic means. If requested by the data subject, the information may be provided orally, once its identity is proven by other means. The controller cannot refuse to comply with the data subject's request in order to exercise his or her rights, except for failure to identify it.

The Controller shall provide to the data subject information regarding the action taken in relation to request, without unjustified delay and, in any case, within one (1) month from the receiving. 

Except as provided in Art. 12, clause 5 of the Regulation, the information is made free of charge.

The right of the Controller, to request documents proving the identity of the information applicants, remains unaffected, referred to in Art. 7 of the Privacy Code and Articles 15-22 and 34 of the Regulation, should it have reasonable doubts about the identity of the individual making the request under the applicable regulatory requirements, mentioned above.

Right of Access by the data subject: The data subject expressly take note that he/she has the right to obtain information concerning:

  •  the origin and category of personal data;
  • the purposes and methods of processing 
  • the logic applied in the case of processing carried out by electronic instruments;
  • the identification details of the Controller and of his appointees; 
  • the subjects or categories of subjects to whom the personal data have been or will be communicated, particularly in case of third countries or international organizations, or who may find out about them as designated delegate of managers or persons in charge in the State territory;
  • the personal data conservation period, or if not possible the criteria used to determine it;
  • the update and rectification of data, otherwise the integration of them;
  • the deletion of his/ her personal data or the restriction of their processing, also the right to object; 
  • the conversion into anonymous form or the blocking of personal data processed in legal violation, including for whose storage is not necessary in relation to the purposes for which the data were collected or subsequently processed;
  • the knowing of all available information about the origin of the personal data;
  • the existence of automated decision-making, including profiling, and at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. 

The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

The Data Subject always has the right to lodge a complaint with the Italian Data Protection Authority.

Where personal data is transferred to a third country or international organization, the data subject has the right to be informed of the existence of adequate safeguards in accordance with Regulation (EU) 2016/679. 

Right of rectification: The Data Subject shall have the right to obtain from the Controller the rectification of inaccurate personal data without undue delay, as well as the integration of incomplete personal data.

Right to Erasure ("right to be forgotten")The Data Subject shall have the right to obtain from the Controller the erasure of personal data concerning him/her without undue delayand the Controller shall have the obligation to erase personal data without undue delay, according to the Regulation, the Privacy Code conditions and the DPA provisions.

Right to Restriction of Processing:  The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: (a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;(c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims;(d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject. 

Right to Data Portability: The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Controller without hindrance from the controller to which the personal data have been provided.

Right to Object: The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, including profiling based on those provisions. The Controller shall no longer process the personal data unless he demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing, to be understood as any processing of data for the purpose of sending advertising or direct sales material or for carrying out market research or commercial communication. 

Security

The Controller guarantees the security of Users' personal data in accordance with Articles 31 et seq. of the Privacy Code and Annex B thereto, and Article 32 of the Regulation.

Principles of relevance and non-excess of processing.

Data collection takes place in compliance with the principles of relevance, completeness and non-excess in relation to the purposes for which they are processed. Personal data will be kept for as long as is strictly necessary for the purposes pursued by the processing of such data.

Source of personal data

The Controller may process in its archives data subjects' personal data provided by third parties outsourcing contact center services, backoffice type, inbound and outbound call center, and direct marketing, market research and statistical services; as well as from publicly accessible sources.

Prohibition of Profiling

Personal data of data subjects are neither profiled nor processed by automated decision-making.

Right of Appeal

The Data Subject expressly acknowledges that the processing of data by the Controller is subject to the control of the Guarantor for the Protection of Personal Data, to whom all complaints about the collection, management and processing of data in compliance with the Regulation, the Code for the Protection of Personal Data, and the regulatory provisions of the Guarantor itself may be addressed.