The protection of personal data is one of the primary objectives of EIC C.C. (hereinafter referred to also as “EIC”). For this reason, EIC has decided to formalise the principles in force in its organization regarding the protection of personal data in order to:
- increase awareness of the importance of the security of personal data among all workers by providing a system of company rules that emphasize training and information, as well as accountability by all users;
- ensure a system of rules and structures that guarantees the security of personal data, including through the structures used for their storage;
- provide a system in which to place trust, both inside and outside the organization;
- reduce the risk of uncontrolled disclosure of personal data and, in general, of data breaches;
- continue updating the technical and organisational measures adopted;
- improve the management of relations with third parties (communication, disclosure of information, access to business information, levels of risk);
- ensure compliance with current national and international rules on privacy and protection of personal data, but also in the field of protection of intellectual property, copyright and competition.
The processing of personal data within the organization must take place in full respect of the confidentiality of data subjects and in accordance with the privacy legislation (i.e. EU Regulation no. 679/2016), respecting the principles of:
- purpose and necessity, minimising the use of personal data, which must be adequate, relevant and limited to what is necessary in relation to the identified purposes;
- lawfulness and correctness of processing, which can be carried out only in accordance with one of the conditions of lawfulness provided (legal obligation, consent, contract, vital interests, public interest task, pursuit of a legitimate interest);
- relevance, completeness and non-excessiveness of the collected data with respect to the purposes of the processing;
- accuracy and updating of data;
- limited storage of data, so as to allow the identification of data subjects for a period of time not exceeding that needed to achieve the purposes for which the processing took place;
- transparency: information and communications relating to the processing of data must be easily accessible and comprehensible.
Every subject who, by reason of the exercise of a function, profession or office, has access to personal data and in general to confidential information concerning the activity of the Company may not use them to their own or others’ advantage, but exclusively for the performance, and within the scope, of their own office or business activity.
In any case, it is recommended that the utmost confidentiality be maintained, in accordance with the company rules adopted, regarding personal data that may reveal racial or ethnic origin, political opinions, philosophical or religious beliefs or trade union membership, as well as genetic data, biometric data, data relating to the health, sexual life or sexual orientation of a natural person, data relating to criminal convictions or criminal proceedings in general and, more generally, information of a confidential nature concerning the Company and the work performed.
The disclosure of personal data and information to the outside must be carried out by the competent business functions in compliance with current regulations or business rules and with the principle of transparency and truthfulness.
EIC intends to protect personal data processed in its organization from the widest range of possible threats, in order to ensure business continuity, minimize risks, and ensure return on investment, business opportunities, compliance with current regulations and the profitability of the business. The protection of personal data is essential for the organization.
The entire organization must be aware of the importance of security in the management of personal information and data and commit to sharing the objectives and principles of security provided.
The protocols adopted shall be evaluated – and justified – taking into account a number of elements including the nature, scope, context and purpose of the processing, in order to identify, on the basis of an objective assessment, the likelihood and seriousness of the risk to the rights and freedoms of natural persons.
All data and information stored in the company’s computer and telematic systems, including e-mail messages, are the property of the Company and must be used exclusively for the performance of business activities, in the manner and within the limits indicated by it. Also to ensure compliance with the regulations on privacy, the correct and responsible use of IT and telematic tools is pursued; any use for the purpose of collecting, storing and disseminating personal data and, in general, information for purposes other than those connected with the exercise of EIC’s activity is prohibited.
Rome, 28th October 2022