Privacy Policy

Processing activities, purposes and legal bases for processing

1. Managing the services requested (including online services) and the related accounting, invoicing and payment activities, and provision of support and update services;

• Disbrain is the data controller, since it determines the purposes and means of processing personal data, as described in this policy;

• the legal bases for the processing are the provision of services requested to fulfil a contract and compliance with legal obligations on accounting and tax;

• data are stored for 10 years after the last invoice or until possible disputes have been settled, if any, in accordance with legislation on the retention of accounting documents. Data may be stored for a further year in backup systems;

2. Quality management and collection of data on customer satisfaction;

• Disbrain is the data controller, since it determines the purposes and means of processing personal data, as described in this policy;

• the legal basis for the processing is the controller's pursuit of its legitimate interests, especially for quality assurance purposes;

• data are stored for 5 years after collection of data through client surveys. Data may be stored for a further year in backup systems;

3. Identifying users of the services offered online and tracking their activities, visible through the interfaces available to the users;

• Disbrain is the data controller, since it determines the purposes and means of processing personal data, as described in this policy;

• the legal basis for the processing is the provision of services requested to fulfil a contract;

• data are stored for 10 years after the last access, to pursue the controller's legitimate interests and its right to defence investigations. Data may be stored for a further year in backup systems;

4. Processing data entered by users (for example, attachments), concerning the provision of services requested;

• Disbrain is the data processor since the user determines the purposes and means of processing personal data;

• data are not stored after they are deleted by users. Data may be stored for a further year in backup systems;

5. Managing requests for assistance or contact or CVs received via the website;

• Disbrain is the data controller, since it determines the purposes and means of processing personal data, as described in this policy;

• the legal bases for the processing are the provision of the services requested and the pursuit of the controller's legitimate interests for quality assurance purposes;

• data are stored for one year after the service has been provided (CVs are kept for 10 years, unless subsequently otherwise agreed with the applicants) to allow quality assurance checks. Data may be stored for a further year in backup systems;

6. Managing the website, using cookies (for more information see the section on cookies below);

• Disbrain is the data controller, since it determines the purposes and means of processing personal data, as described in this policy;

• the legal basis for the processing is the controller's pursuit of its legitimate interests for quality assurance purposes;

• the data are stored in cookies on the user's computer and expire after one year.

Privacy contact

Disbrain has appointed a privacy contact person, with responsibility for monitoring the fairness of processing carried out by Disbrain. You may contact this person at the following email address: privacy@disbrain.com.

Disclosure to third parties

Disbrain may disclose part of the data to external companies or persons for the performance of some of the activities relating to the processing of personal data.

This includes third parties providing the following services: invoicing activities and preparation of accounting statements; auditing of accounts; auditing of the quality and security management system and trust services; legal, accounting and tax advice.

Other external companies include: shipping agents and couriers for sending documentation and material; banking institutions; mailing services (for update services).

The abovementioned external companies have agreed, by formal contract, that they will process data only for the purposes required and adopt appropriate security and control measures for the processing of personal data. A list of external companies used is available from the offices of Disbrain. In situations where Disbrain is the data processor, the data controller authorizes Disbrain beforehand to make changes to such subjects.

All the external companies guarantee their cooperation in order to ensure that the rights of data subjects are respected, incidents are dealt with effectively and the right of audit is adhered to.

Transfers to third countries

Data are not transferred abroad.

Only contact details used for update services are transferred abroad (USA) to use mailing platforms. These platforms adhere to the Privacy Shield protocol (www.privacyshield.gov), which is considered to provide an adequate level of protection for the processing of personal data.

Security measures

Disbrain adopts security measures to ensure the protection of personal data processed. These include the following:

• the personnel authorised to access and process personal data has been trained and instructed on the security rules to be implemented (e.g. concerning the use of IT devices, email and passwords) and undertakes to keep confidential the personal data of which it may become aware;

• a process is in place to grant, amend, delete and review access rights to personal data in order to reduce access to such data on the basis of the need-to-know and need-to-use principles;

• measures are in place to minimise the authorisation of privileged IT system users (so-called System Administrators) and log their activity (e.g. by giving them only personal user IDs and activating appropriate logging systems);

• a process for erasing data and storage media is in place in order to avoid data recovery by unauthorised persons;

• physical security controls are in place to minimise access by unauthorised persons to data in a hard-copy format;

• IT-security mechanisms appropriate to the level of risk identified are in place (e.g. regular updating of antivirus software on IT systems, data backups, activity logs and log storage, prompt updating of IT systems with patches and fixes, filtering of traffic to/from the Disbrain computer network, encryption of mobile devices);

• a change management process is in place (systems, networks and applications, processes, physical security) in order to ensure the effectiveness of personal data security measures;

• suppliers ensure the security of personal data processed through contracts, in line with the details provided herein;

• an incident management process is in place including the prevention and minimisation of the impact of incidents and, in some cases, their notification to the Supervisory Authority and data subjects;

• audits are done to check the effective implementation of security measures; this process also covers suppliers processing personal data.

Additional measures

Disbrain ensures assistance to its clients as required:

• implementing requests from data subjects in accordance with their rights;

• assisting clients in the event of incidents with an impact on the security of personal data;

• assisting clients in the preparation of risk assessments relating to privacy and impact on personal data;

• erasing or destroying personal data at the end of the contractual relationship;

• answering requests from data protection authorities.

Disbrain guarantees its clients the right to audit, provided that it is limited only to the processing operations concerning them and preceded by at least 30 days' notice.

Your rights

You have specific rights as a data subject according to the law. These include:

• the right to obtain, if not prevented by laws or regulations, access to your personal data, their rectification or erasure and restriction of processing; you may also request portability (i.e. receive all the data concerning you in a structured, commonly used and machine-readable format); these rights may be exercised, without any impact on the performance of services, by sending a request to privacy@disbrain.com;

• the right to withdraw consent to the processing of your data, if not prevented by laws or regulations and to the extent applicable; this right may be exercised, without any impact on the performance of services, by sending a request to privacy@disbrain.com;

• the right to send a complaint to Disbrain or the national data protection authority (in Italy: il Garante per la protezione dei dati personali) by following the instructions on the website.

Cookies

Cookies are small data files stored in your browser when you visit a website. The Disbrain website only uses technical cookies to allow you to view the website content more effectively and make it user-friendly. Your consent is not required to use these cookies in accordance with the regulations in force. Disbrain also installs on your device, or allows third parties to install, some cookies for collecting anonymous, statistical information in an aggregate form about your navigation on the website pages. These cookies relate to the following statistical analysis:

• Google Analytics (https://support.google.com/analytics/answer/2763052?hl=it).

Your consent is not required to use these cookies and the related processing of your personal data in accordance with the privacy regulations in force.

Please note that you can prevent the use of some or all of the cookies described above by configuring the browser you use for navigating:

• Chrome (https://support.google.com/accounts/answer/61416?hl=it);

• Firefox Mozilla (https://support.mozilla.org/it/kb/Attivare%20e%20disattivare%20i%20cookie);

• Internet Explorer and MS Edge (https://support.microsoft.com/it-it/kb/278835 and https://support.microsoft.com/it-it/help/17442/windows-internet-explorer-delete-manage-cookies);

• Opera (https://help.opera.com/Windows/10.00/it/cookies.html).


ver. 12 September 2018