Data Retention Policy

Premises

The processing of personal data (as well as categories of sensitive/particular data) is governed by Legislative Decree 196/03 (Personal Data Protection Code) and subsequent amendments, and starting from 25 May 2018, by European Regulation 2016/679 relating to the protection of natural persons with regard to the processing of personal data.

Pursuant to art. 11 of the Privacy Code and art. 5 of EU Regulation 2016/679, the personal data subject to processing must be:

  • Processed lawfully, fairly and in a transparent manner;

  • Collected and recorded for specific, explicit, legitimate purposes, and used in other processing operations in terms compatible with such purposes;

  • Accurate and, where necessary, updated;

  • Adequate, relevant, complete and not excessive in relation to the purposes for which they were collected or subsequently processed;

  • Stored in a form which permits identification of the data subject for a period of time not exceeding that necessary for the purposes for which they were collected or subsequently processed : personal data may be processed for longer periods provided that they are processed solely for archiving purposes in the public interest, scientific, historical research or statistical purposes, subject to the implementation of appropriate technical and organisational measures required by the GDPR ;

  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).

Purpose

This Data Retention Policy provides guidance on maximum times of conservation of documents generated and/or kept by Vismaravetro Srl containing personal data, including particular data, of data subjects interested in the processing (website users).

The procedure is therefore a valid tool to help preserve personal data processed in compliance with the principles indicated above, to ensure that the retention time is proportional to the achievement of the purposes for which such data were collected; this allows to preserve only what maintains a legal relevance or has assumed historical value and to eliminate the documentation deemed no longer useful.

Criteri

Criteria have been defined for determining the maximum period of data retention. In determining the aforementioned period, the following were taken into account:

  • National and international regulations

  • Jurisprudential rulings

  • Contributions of the doctrine

In order to calculate the data retention period and to fill the gaps and shortcomings in the legislation in this area, one of the criteria used is represented by the analogical extension, aimed at regulating equivalent and unregulated cases by applying the rules provided for similar cases.

The limitation period for filing legal actions (defense in court) has constituted a further element of evaluation for the categories of acts liable to a greater probability of involvement in litigation procedures.

The expected times refer to both traditional and electronic documents.

The maximum time period indicated must be considered applicable to all documentation produced following the provision of personal data and stored in the relevant places (in the case of paper storage) or in servers or IT tools (in the case of data on electronic media) to which access is permitted only to personnel authorised by the Data Controller (persons in charge or responsible).

Control system

For each office/functional area, the designated/delegated subjects must periodically check whether there is archived data whose Retention Time has expired and therefore needs to be deleted, in order to manage the archive in an orderly manner and allow only the data considered necessary to be retained.

To this end, the persons in charge must proceed:

  • To the constant updating of documents produced and/or received, with appropriate classification;

  • To schedule periodic checks, in relation to the retention times;

  • To the periodic elimination / deletion of useless documents.

Data deletion

Data erasure means physical or technical destruction sufficient to render the information contained in a document no longer recoverable by ordinary commercially available means.

The Data Controller has adopted destruction methods agreed upon and approved by IT technicians, which can be used for any type of information stored on electronic/multimedia media such as CD-ROMs, DVDs, USB sticks and other types of mobile media, hard drives, mobile devices, portable drives or registered databases or back-up files.

Paper documents will be securely shredded and the relevant locations locked in the designated officer's office. Waste will be periodically collected only by authorized personnel for disposal.

Sanctions

Failure to comply with the measures may result in suspension or revocation of individual access to the company's information technology systems, related disciplinary procedures and, in certain circumstances, appropriate legal action may be taken.

Functional areas \ Types of data processed \ Retention time

SPARE PARTS WEBSITE

Processed data

PERSONAL DATA : company names of legal entities, names and surnames of company contacts of legal entities, addresses of the legal entity's headquarters, e-mail addresses (generic and nominative e.g. name.surname@xxx.it ), telephone numbers (including direct numbers and mobile numbers of company contacts), personal data of natural persons such as name, surname, residence, tax code (if applicable), date of birth, e-mail addresses, telephone numbers and data relating to the use of Vismaravetro Srl websites.

SPECIAL DATA: not collected through the website.

Interested

Website Users

Treatment methods

Data processing carried out electronically, i.e. contact via e-mail and data storage on company CRM, processing carried out via websites

Purpose

Processing carried out for e-commerce purchases and related administrative-accounting activities, i.e. connected to the performance of organizational and functional activities for the fulfillment of contractual and pre-contractual obligations towards the interested party.

Processing carried out for direct marketing purposes, i.e. for sending advertising or direct sales material or for carrying out market research or commercial communication via e-mail.

Storage time

Processing carried out for administrative-accounting purposes: 10 years

Data processing carried out for direct marketing purposes: 2 years from the collection of consent with subsequent updating of the data and renewal of the consent given.

Processing of data of potential customers: once the negotiation phase is concluded, if the “potential” customer does not become an “actual” customer, the personal data will be immediately deleted or processed anonymously, where their retention is not otherwise justified.

Regulatory references
  • Art. 2220 cc "the writings must be kept for ten years from the date of the last registration. For the same period, invoices, letters and telegrams received and copies of invoices, letters and telegrams sent must be kept. The writings and documents referred to in this article may be kept in the form of recordings on image media, provided that the recordings correspond to the documents and can be made legible at any time with means made available by the person using said media”;
  • Measure regarding the management of waste electrical and electronic equipment in relation to the security measures of 13 October 2008, which defined the measures to be adopted for the deletion of data processed through the use of storage media;
  • Art. 5 of Regulation 2016/679 – Principles applicable to the processing of personal data;
  • Art. 13 of Regulation 2016/679 – Information to be provided where data is collected from the data subject;
  • C. 39 of Regulation 2016/679 “. …. In order to ensure that personal data are not retained longer than necessary, the data controller should establish a deadline for erasure or for periodic review……”.

Destruction Mode

Data processed with computer tools must be deleted by deleting the file from the system (DELETE function) and following the following rules in relation to the computer media used for processing:

  • Secure deletion of information, which can be achieved with computer programs – such as wiping programs or file shredders – “low-level” formatting of hard disk devices (low-level formatting–LLF), degaussing of memory devices based on magnetic or magneto-optical media).
  • In the case of disposal of the media, they must be destroyed through one of the following systems:
    • punching or mechanical deformation systems;
    • physical destruction or disintegration (used for optical media such as CD-ROMs and DVDs);
    • high intensity demagnetization.