GENERAL PROVISIONS ON THE USE OF DATA PROCESSING TOOLS AND REGULATION FOR IMPLEMENTATION OF THE "AUTHORITY‘S GUIDELINES CONCERNING THE USE OF ELECTRONIC MAIL AND THE INTERNET IN EMPLOYMENT RELATIONSHIP”
1. Organizational premise:
DA MARIO Snc di Rizzi Lorenzo & C. manages and maintains systems of elaboration and electronic communication and others instruments of processing of data and information, in order to facilitate and support the efficient management and the communication of business information.
All the tools of processing of data and information are private and the employees are expected to use them responsibly, ethically and in accordance with the laws, observing the guidelines following reported and in compliance with the duty of confidentiality established.
Parties involved: the application of the following regulation concerns all the employees, collaborators, consultants, temporary workers who, carrying on their tasks, work with the tools of processing of data and information, regardless of the location of the system and the access.
Are expected to respect the following regulation also the people who, on behalf or instructed by customers and suppliers should access at DA MARIO Snc di Rizzi Lorenzo & C.’s premises or utilize their own or the company’s systems and instruments of processing of data and information.
Measures for the treatment: the regulation applies to the entire network of systems and resources of DA MARIO Snc di Rizzi Lorenzo & C. , which concerns the main system, the personal computers and the workstations, the physical and the virtual server, the web server, the laptop computers, the system software, the databases and the unstructured data storages, the internet, the intranet, the telephones, the mobile processing, communication and registration devices, any support system connected to the electronic communications and to the processing system, the video cameras, the photo cameras and any others photography or video tools.
The instruments of processing of data and information must be used to pursue business target, to allow all workers to carry out the tasks required by their professional role and by their duties.
In this respect, DA MARIO Snc di Rizzi Lorenzo & C. defines the licensing levels to access and use the instruments of processing of data and information, according to the tasks assigned.
The following regulation also applies to the tools of processing of data and information owned by the employees, the customers and the suppliers when used within the working areas of the DA MARIO Snc di Rizzi Lorenzo & C. headquarters, (laptop computers, mobile processing, communication and registration devices, any support system connected to the electronic communication and processing system, video cameras, photo cameras and any others photography or video tools).
All the instruments of processing of data and information employed (except for the BYOD modality), also included all the accessories, are and will remain ownership of the company. All the data stored in the systems (for example, all the messages created, sent, received or stored, same way as the information and the materials downloaded on the company PCs), including those stored in the tools of processing of data and information used in BYOD modality, are and will remain ownership of the company.
Inter alia, the data processed are allowed to be reported beyond the company only if it is provided by a business rule, by a working instruction or by a service order.
In this respect, DA MARIO Snc di Rizzi Lorenzo & C. determines different licensing levels for the access and different levels for the use of the system, according to the tasks assigned.
2. Technical premise:
Instruments of processing of data and information
The systems of processing of data and information that DA MARIO Snc di Rizzi Lorenzo & C. makes available concern solely the support of the business activity. Therefore, according to the carried out task, the employees will be able to have at their disposal a set, more or less wide, of devices and software programs to use. This set is composed of instruments, technologies, employment of resources and systems, so as to correspond to the operational requirements indicated by the heads of managements and offices.
The software tools can be internally produced or purchased under licence.
The decision regarding this is responsibility of the chief executive officer (or of the legal administrative) of DA MARIO Snc di Rizzi Lorenzo & C. , that is, on his authorization, of the service managers.
The tools of processing of data and information owned by the employees, the customers and suppliers could be used in BYOD modality only if it has been expressly authorized by the management or by the responsible person.
Parties who can use electronic tools
The use of processing of data and electronic communication systems, of computing resources in general, of electronic mail and of the internet in particular, for the workers located in Italian territory, is granted to the employee – or to the collaborator – simultaneously with the authorization and instruction letter as "subject authorized to the treatment" (art. 30 d.lgs. 196/2003 e art. 29 GDPR 679/16) that also shows the instructions relating to the processing and data security.
DA MARIO Snc di Rizzi Lorenzo & C. in its capacity as employer acting on the Italian territory, has the power to designate one or more “controllers", by providing them specific instructions about the forms of control admitted and the related directions.
The access of personal data, included in some folders or areas of memory eventually granted to the employees, is denied to those subjects who undertaking the maintenance of the computing systems. Furthermore, they are obliged to perform only the operations that are strictly necessary to carry out their duties, they are not authorized to carry out remote control activities, also on their own initiative and they are banned from copy, duplicate, delete, modify, alter any kind of data and information.
The system administrator can execute the operations that are strictly necessary to carry out their tasks, in accordance with the General Provision of the authority for the protection of personal data “Measures and precautions required for the holders of treatments performed with electronic instruments concerning the attribution of the system administrator functions - 27 november 2008” (G.U. n. 300 del 24 dicember 2008).
Assignment and revocation of resources
Systems like desktop and laptop, tablet, smartphone, ecc. granted in allocation to the authorized users, are endowed with software that allow the remote control. The use of the aforementioned software is restricted to the individuals in charge of maintenance of computer systems and to the system administrators, in order to check directly and detect quickly failures, malfunctions, anomalies, irregularities of operation. The individuals in charge of maintenance and the system administrators can conduct the connection to the computer in remote modality in response to the authorization granted by the user from time to time.
At the time of termination of the employment, the system administrator provides to:
- ● delete the authentication credentials in use at the time of termination of the employment;
- ● delete the authorization profile associated with the user;
- ● keep for 60 days the files that contains the mail messages of the mailbox assigned to the user.
Since the allocation and the use of resources, as well as the access and the use of technology services, are granted only to business purposes, so the assignment as the access and the use can be revoked at any time without notice.
For the purpose of this regulation, is defined "work station" a permanent or mobile location from whom the person in charge is able to interact with the information business system in direct or indirect way.
The access indirectly to the corporate information system consists in the possibility for the person in charge to operate on the data stored on equipment supplied with the “work station”, data of business relevance, even in absence of a direct link. The “work station” is usually composed by a personal desktop or laptop computer and it can be composed of others tools appropriate to data processing, such as:
- ● printer;
- ● landline or smartphone;
- ● tablet;
- ● video cameras, photo cameras, digital recorders,
- ● scanner and photocopiers.
Under no circumstances the person authorized will be able to use for the processing of business data, tools of processing of data and information different from those placed at disposal by the company and provided in order to fulfil the tasks assigned, except specific authorization for the BYOD modality.
It is recalled that the above equipment is delivered at the person authorized for business use only, unless he is otherwise previously authorized in writing by the company.
Access at the “work station”
To each person in charge, user of the information system, is assigned an identifier login (called login-id) that enable the access to the network resources (documents, applications, email, ecc.). The login-id s combined with a passkey (password) required to use the login-id itself: the pair of information made up of login-id and password ensures the identity and the uniqueness of the user. For this reason, and under the responsibility of the user, the password must be kept secret and not communicated, or even worse shared with others. In the same way the password must never be written on any hard copy.
Whenever you believe that the confidentiality of your password has been compromised you should take immediate action or change it, requesting help from your system administrator.
The access credentials at the “work station” are provided by the system administrator to the commissioner at the time of the employment, of returning to service or of the restart of a new task.
To the first allocation, the commissioner – as soon as he carry out the authentication – will be asked to replace the password with one that fulfils the minimum safety requirements:
- ● minimum length 8 caracters,
- ● absence of explicit references to the authorized person itself (for example.: name, surname, passcode, USERID, ecc.),
- ● presence of at least of one capital letter,
- ● presence of at least of one number,
- ● deadline, with compulsory replacement, at least quarterly for the employees, not to exceed the time spent in the company for the outsiders.
The system, by notice, recalls and urges the change of your password.
Temporary halt of the “work station”
After a short period of inactivity, the “work station” automatically enters in a blockade state, with simultaneous insertion of the “screensaver”. Only the commissioner, by typing his own credentials (user id e password), can get the release and the resumption of the interrupted session.
It is also required to disconnect (log off) and to physically turn off the equipment at the end of the working time and on any occasion for which you plan an absence in excess of the time, except for special applications/process previously authorized.
Dismissal and/or reassigning of the “work station”
The dismissal and the reassigning of the “work station” may be due to :
- ● leave of absence (for example: health, maternity, etc.),
- ● transfer to another job and/or another function,
- ● resignation,
- ● disappearance of the reasons which had given the permission.
It is responsibility of the personnel department or of the function responsible, to which the person in charge replies hierarchically, notify the system administrator the occurrence of any of the above conditions.
Upon the receipt of the notification, the system administrator will provide to block the commissioner’s credentials (USERID e PASSWORD) and to save documents, data and folders that is competence of the same.
Documents, data and folders will then be made available to a new person in charge, always by the system administrator, upon written request of the responsible function who needs to access it.
3. Legislation premise
The personal data protection code (d.lgs. 196/2003 – Codice della Privacy) and the European regulations on the protection of personal data (GDPR 679/16) define “personal data” any information concerning a natural person identified or identifiable, even indirectly, by reference to any other information, including a personal identification number.
The personal data are therefore related to individuals who act in the name and on behalf of customers, potential customers, suppliers, to temporary, occasional and seasonal employees, candidates, consultant, partners, etc. You process personal data when:
- ● you acquire or provide information over the phone;
- ● you consult, utilize, store documents and paper documents or files;
- ● you consult, utilize, store magnetic or optical recorded support;
- ● you send or receive a fax, a mail, an ordinary letter;
- ● you fit, change, delete data on a computer;
- ● you work with existing data to derive prospectuses, statistics or new data;
The processing of personal data is permitted only to those who have been formally authorized and instructed. The authorization happens in writing and the “letter of authorization” reports on case by case basis the setting of the treatment allowed to every employees responsible to the treatment.
The letter contains the written instructions to which the authorized subjects must be concerned.
The formulate instructions are .mandatory provisions, imparted by the legal representative.
The subjects authorized, moreover, must first provide to classify (eventually with the help of the data Controller) the personal data object of the treatment, with the purpose to distinguish those common from those sensitive or judicial, observing in this last case the greatest cautions that this type of data requires.
4. General use of the “work station” and others equipment
In the setting of the authorizations received from the Direction or from his/her own hierarchical person responsible, the authorized subject will always have to respect the following rules:
- ● inform at the right moment the Direction or his/her own hierarchical person responsible and the system administrator, if he comes in possession, or sends or wrongly spreads , information not of his/her competence or of the corporate body of affiliation;
- ● don't use shared disk areas devote to other corporate body or function on which the authorized person has not received explicit authorization;
- ● don't access to processing and communication system on which the authorized person has not received explicit authorization;
- ● don’t use the “work station” for the memorization and the treatment of proper data, not of business competence;
- ● don’t use the “work station” in presence of food and/or drink;
- ● don’t leave the “work station” unattended, in particular in places accessible to others;
- ● only use for the rescue of data the areas disk and the procedures predisposed to this purpose by the system administrator in accord with the direction.
The authorized person must always act with the maximum diligence and with the employment of all the means to his disposition with the purpose to preserve the safety of the business informative patrimony.
The authorized person must set the maximum attention to reduce the waste of resources owed to incorrect use of the systems. Just as an example, not exhaustive, he should pay attention to:
- ● don't print documents until after having used the function "preview of press" with the purpose to verify the quality of the documents in press;
- ● limit the access and the use of internet to what is strictly necessary;
- ● don't send attachments of great dimensions;
- ● don't use business resources for personal purposes.
Furthermore is forbidden at the authorized person to intervene on the “work station” to modify the configuration of the same one (SW e/o HW). Every intervention of change must be demand to the system administrator, who will provide for its realization, if it deemed necessary and in accord with the standards defined with the Direction.
It is recalled that the authentication credentials must be managed and stored absolutely in a reserved way, and they cannot be communicated to anybody and for any motive.
The attempt from a user to carry out non authorized accesses constitutes a violation of the business safety politics and as such it will be sanctioned in accordance with the national contract of job and the code of discipline.
Finally, it is made obligation to always use a “block code” to prevent the improper use of the business cellular telephones, of the smartphone and of the tablet and the access to the data in it stored, both as it regards those assigned in use that those personnel used in BYOD modality.
5. Requirements and prohibitions of use
The use of the processing and communication and treatment systems, and more generally, of the resources and of the computing services, it always owes to be marked to the principle of commune good sense and of civilization. Therefore, in order to ensure the functionality, the security, the correct employment of the system and, at the same time, to assure the protection of the employees’ privacy - privacy put at risk by the possibilities of monitoring offered by the technology (for example.: profiling, communication/diffusion of personal data, also sensitive) – and to ensure the full respect of the norms applicable, you prescribe what follows:
- ● General requirements:
In the use of resources and of instruments of processing of data and information, as well as the informatic systems, must always be respected the mandatory and applicable law norms. In particular, considered the setting of the operability, the data and the tools made available to the authorized people it is forbidden to use the resources, the instruments of processing of data and information and the computing systems to:
- ● perform treatment operations of personal data in violation of the norms of the d.lgs. 196/2003;
- ● carry out activities, gestures, actions of any kind which can jeopardise the own and the other people's safety and health or introduce new or not anticipated elements of risk – d.lgs. 81/2008
- ● attest or make false statements at the certifier of electronic signature on the identity or on own or on others personal quality - 495-bis C.P.;
- ● spread equipment, devices or computer programs headed to damage or to interrupt a computing or a telematic system - 615-quinquies C.P.;
- ● damage information, data and computing programs - Art. 635-bisP.;
- ● damage information, data and computing programs used by the State or by other public corporate body or however of public utility - 635-ter C.P.;
- ● damage computing or telematic systems - 635-quater C.P.;
- ● damage computing or telematic system of public utility - 635-quinquies C.P.;
- ● perform computer fraud as subject that lends services of certification of electronics signature - 640-quinquies C.P.;
- ● download, preserve, duplicate, reproduce, receive, send, spread, material with a pornographic or discriminatory content, or such to instigate to hate and violence.
- ● Observance at use of the “work station”:
The “work station” is the most important tool for the use of the business informative system and, as such, it must be maintained in the best way.
The system administrators, excepted particular situations, ensure the management of the machinery park, both from the point of view of the hardware, periodically renewing it according to the business demands and in line with the Direction, both from the point of view of the software, by providing to the authorized person instruments of processing of data and information and of work always technically updated and suitable to the characteristics of his working activity.
Only the system administrators, or people by them authorized and qualified, can perform operations on the “work station”.
To the users of the “work station” it is forbidden to:
- ● access to the business computer system and sustain inside it for non-working motives or not of service;
- ● use the resources or the services in violation of normative community, laws, rules, provisions, prescriptions, or commit illegal or discriminatory activities;
- ● modify the planned configurations;
- ● set up hardware and use software products which have not been preventively authorized;
- ● set up, use software which allow the automatic interception of the traffic or the violation of the passwords;
- ● use the resources, the instruments of processing of data and information or the services for commercial, promotional, advertising purposes, without having obtained the authorization from the business Direction or from the own hierarchical person responsible;
- ● use excessive space disk or absorb broadband capacity in the telecommunication systems , through the setting up or the dispatch of mail not tightly correlated to the working activity, or in general, through the transfer of file or messages of excessive dimensions;
- ● send or deposit on the servers or on the disk of the own computer material of illegal or discriminating nature;
- ● conceal the own identity inside the computer systems;
- ● use the authentication credentials of others users, for any reasons;
- ● try to violate password or others protection systems or try to overcome the restrictions imposed by the system;
- ● reproduce or hand out business equipment without authorization;
- ● copy or modify files, drawn up by others users, without authorization;
- ● alter data, try to introduce or to spread virus, trojan, backdoor, dataminer or other malefic codes;
- ● interfere with the correct functioning or damage the net equipment;
- ● intercept or alter whatever kind of data or of digital communication;
- ● use instruments of processing of data and information and/or personal devices within the business network, unless specifically authorised from the Direction or from the own hierarchical person responsible (BYOD modality);
- ● Use the company tools of processing of data and information for personal use without preventive authorization from the Direction or from the own hierarchical person responsible;
- ● use mobile devices of internet connection in the presence of active network connection.
- ● Provisions about the use of the internet
DA MARIO Snc di Rizzi Lorenzo & C. has invested a significant quantity of resources in the development of technologies and services related to the world of Internet. The availability of these resources has allowed the activation of an ampler series of business services oriented to the communication with the external world, with the purpose to develop a best integration with the partners, the suppliers and, obviously, the clients.
This availability must be understood as an instrument placed at the disposal and that shall be used so that it does not jeopardise the image and the security of the company, and also that it dose not compromise her own production.
To the users qualified in a permanent or temporary way to the internet navigation it is forbidden to:
- ● surf on non-correlated web sites with the job performance;
- ● carry out download of programs and files outside the work, unless explicit authorization of the company’s direction and of the own hierarchical person responsible;
- ● get into, enter, participate or use forum, blog, social network, chat line, on-line auctions non-correlated with the operational activity, in absence of express authorization of the company's Direction or of the own hierarchical person responsible;
- ● download, copy, preserve, spread file which have an offensive, discriminatory, paedophile content, or have other illegitimate content criminally;
- ● have access to websites of game, pornographic or with discriminatory finality;
- ● enable video chat tools unless express authorization of the company's Direction or of the own hierarchical person responsible.
- ● Provisions about the use of the electronic mail
The infrastructure of Internet connection is also used by the system of electronic mail which, in addition to allow the exchange of information inside the company, makes it possible to develop and maintain the relationships with external entity at the same.
It is necessary to underline that the user represents a voice of the company at the moment in which he sends messages to the outside of the same one.
For this reason, the use of this instrument must be based on the same principles of fairness provided for the access of Internet.
To the users authorized to enter to one or more business mailboxes it is forbidden to:
- ● Use the electronic mail for reasons not related to the entrusted tasks;
- ● send, print, store offensive or discriminatory messages; .
- ● communicate the business e-mail address to participate in debates, forum o mailing list of content not related to the performance of the entrusted tasks;
- ● create secret or hidden folders for the conservation of the messages.
- ● Provisions about the use of the landline and of the business smartphone
To all those people who use the company's telephones, fixed or smartphone, also assigned in temporary use, it is forbidden to:
- ● send, receive, store Whatsapp messages or of others application of messages, offensive and discriminatory SMS and MMS;
- ● communicate the telephone numbers to call center, societies of services of information or of subscription entertainment, virtual communities. etc;
- ● use the equipment to take pictures or to record videos of personal character, download music and games, etc.
- ● use the equipment to take pictures or to record videos of any kind inside the company, unless express authorization of the company's Direction;
- ● use the equipment to carry out activities not related to the performance of the entrusted tasks;
- ● store in the telephone memory or in the SIM telephone numbers and personal contacts, messages, SMS and MMS without importance in the working context.
- ● Provisions about the use of photo cameras, video cameras and of others instruments of acquisition of pictures
To all those people, be they employees or external subjects, who have access to the premises of DA MARIO Snc di Rizzi Lorenzo & C. with photo cameras, video cameras, computer and others devices (tablet, smartphone, actioncam, etc) equipped with photo/video camera it is forbidden to:
- ● Take pictures and record videos inside the premises of DA MARIO Snc di Rizzi Lorenzo & C. without an express authorization in writing of the company's Direction;
- ● handle photo cameras, video cameras and actioncam devoid of a lens cover;
- ● move inside the premises handling computer, tablet, smartphone, etc devoid of the appropriate sticker which is placed to cover the lenses at the time of the entry in the company.
6. Prevention about the misuse
To prevent possible controversies and to adapt the requirements of a smooth operation of the work activities with those of safeguard of the personal privacy of the employees and of the external subjects authorized to the access, agreeing in the recognition that the workplace is also a place of sociability and of personal and professional relationships, you resort to the following precautions:
- ● Relative to the use of the “work station”
- ● In every personal computer, tablet or smartphone, has to be set a “screen saver” which is activated in automatically way after 2 minutes of non-use of the device itself. To the first attempt of reuse, to be able to resume the work session interrupted, the device asks for the placing of the user password, which is the code of blockade;
- ● Anyway, before leaving the own work station, the user is required to activate manually the block of the instruments of processing of data and information (for the computer pressing simultaneously the buttons CTRL-ALT-CANC (DEL for the laptop), which means clicking on the bottom "computer lock”. To unlock the computer will be necessary to use the user password.
- ● All the magnetic-optic reusable supports (disks, videotapes, cartridge, CDs, DVDs, etc.) which contains business, personal or non-personal data, must be managed with particular caution and attention, in order to avoid the recovery of their informative content by non-authorized people, being aware that a trained person might recover the memorized data also after their deletion;
- ● the magnetic-optic reusable supports (disks, videotapes, cartridge, CDs, DVDs, etc.) shall not be used for produce copies of data liable to confidentiality or to industrial secret, except an express authorization of the company's Direction or of the own hierarchical person responsible;
- ● the magnetic supports containing sensitive and judiciary data (rule 21 of the technical disciplinary - Enclosure B) must be stored in locked archives; if not more used, the supports must be formatted and sent to the System administrators, who will provide to make the information in them content intelligible and in no way technically reconstructed;
- ● the foregoing considerations must be also applied as it concerns the use of removable media of backup (flash drives, external disks/storage, etc.) which must not be left unguarded.
- ● Relative to internet
- ● It is tolerated the personal use, as long as occasional, not extended, made out of the working time and, in any case, it must not interfere with the working activity;
- ● The private use is free, but the time of use has to stay within the one-hour limit per month – on this point can be effected random checks;
- ● The company has the perfectly entitled to configure systems or to use filters suitable for prevent or impede operations which can interfere with the working activity, for example, the upload or the access to determined sites (inserted in a black list) and/or the download of file or of software of particular dimensions or of particular kind of files. The general requirements for the configuration and the general rules of filters application are established by the Direction. Both the requirements that the rules are applied and managed by the Administrator system.
- ● Relative to the electronic mail
- ● It is tolerated the private use, as long as occasional, not extended and it must not interfere with the working activity;
- ● Every user of the business e-mail system is invited to identify in the hierarchical superior the own trustee, authorized to access at the electronic mailbox in case of sudden or extended absence of the user himself, and to communicate to the own hierarchical responsible person name and surname of the trustee chosen;
- ● In the case of undelayable work requirements, which demand the access to the e-mail messages stored in the user’s mailbox who is absent or is unable to access, the own hierarchical responsible person may request to the trustee to access to the mailbox under consideration and to verify the content of the remarkable messages; the delegate person will report the “relevant data” necessary for the execution of the working activity to the hierarchical responsible person of the absent user, while a person in charge by the Direction or by the own hierarchical responsible person will prepare a statement, copy of which will be delivered to the concerned user on his return to work;
- ● In the case of the user has not provided to choose the own trustee, always that the undelayable work requirements, which demand the access to the e-mail messages stored in the user’s mailbox, the own hierarchical responsible person might require to the Administrators of system to carry out the access – through the use of the configuration password – and to perform the task normally entrusted to the trustee. Also in this case, a person in charge by his own hierarchical responsible person will prepare an appropriate statement, copy of which will be delivered to the concerned user on his return to work.
- ● Relative to the use of landline or mobile phone
- ● It is tolerated the private use, al long as occasional, not extended and limited to the real need situations, of the equipment of landline and of business mobile phone allocated in use;
- ● In the case of the equipment should be given back or sent to maintenance, the allotted is obliged to delete from the memories of the equipment itself any data, information, reference to other subjects non applicable with the working activity.
- ● Relative to the use of photo cameras, video cameras and other instruments of acquisition of pictures
- o The employees cannot use photo cameras, video cameras and actioncam belonging to them whatever is the reason why they have been introduced in the company and, in any case, they must keep the lenses covered;
- o the employees who introduce in the company computer, tablet, smartphone to use them in BYOD modality can only use them into their work station, unless otherwise authorization by the Direction;
- o the third parties are required to lodge eventual photo cameras, video cameras and actioncam belonging to them at the reception, at the time of their entry in the company, unless otherwise and express authorization by the Direction; in any case such equipment must be fitted with a cover lenses;
- o the third parties are required to not use or to not handle computer, tablet, smartphone, etc while they are moving from an office or from a section to another; in any case the above devices must have the appropriate sticker which is applied to cover the lenses at the time of the entry in the company.
- ● Further rules
As far as not related to a treatment or to an instrument of treatment, it is remind that the movement or the relocation out of the premises of DA MARIO Snc di Rizzi Lorenzo & C. of objects, components or parts of them, secured by an industrial secret or by a confidentiality entry, must take place with arrangement capable of prevent possible access not authorized. The objects, the components or the parts of them must be transported always properly covered and their possible disposal can happen only to the failure of the industrial secret or of the confidentiality entry, or only after have made them no more identifiable.
7. Possibility of controls and their gradualness
The company does not record in the interest of remote control without prejudice the right of the competent Authorities to carry out checks of identification of the workers, when this is dictated:
- ● by demands connected with the exercise of the rights or the defence in the legal headquarter ,
- ● by objective evidence and by clues of commission of crime,
- ● by need of safeguarding of life or of safety of third subjects, by legal provisions or by the judicial authority;
The Company can undertake verifications on the abnormal behaviours which are carried out with anonymous checks on aggregated data, referred to the whole interested sector (or to a certain area).
Ceasing the anomalies, it won’t be carried out additional checks.
In any case, it won’t be carried out extended, constant or indiscriminate checks.
8. Data retention
The company memorizes and stores the following information, related to the use of electronic instruments, essential for the following purposes :
- ● security of the internal network and of the intercorporate network to and from the outdoor: the installed firewall record the access log to the network, to internet, comprehensive of the identifying data of the user who has created them. These records are stored on the firewall themselves, to whom enter only the system operators belonging to the technical structure of the service provide, authorized by the Administrator himself. The external system Administrator produce periodically report and statistics containing anomalous and aggregate data, concerning the conditions of use and the saturation of the systems, as well as every anomalous or suspect kind of access. Report and statistics are made available, in anonymous form, of the treatment responsible Person and of the Direction.
- ● use of the Internet connection: the browsing data are recorded in anonymous form, according to as above reported;
- ● defence of the correspondence and of the computing browsing (antispam/antivirus): are stored the data related to the attacks;
- ● automatic control of the sites content (web filtering): are collected in anonymous form data related to the navigated sites according to as above reported.
The software systems are programmed and configured in order to store per 12 months and automatically the data related to the Internet access and to the computerised traffic.
Exceptionally, the storage can be extended, for the time strictly necessary and only for the necessary information, in case of documented and objective:
- ● technical requirement or particular security,
- ● indispensability of the data in relation to the exercise of a right or of the defence in a court of law,
- ● richiesta, da parte dell'autorità giudiziaria o della polizia postale, di custodire o consegnare i dati ad una qualsivoglia autorità.
The non-compliance with the provisions contained in this regulation will lead the application of the following penalties, graduated in relation to the gravity of the infringement, which integrate those provided for in current collective agreement applied by DA MARIO Snc di Rizzi Lorenzo & C. .
The imposition of the penalties does not preclude, or jeopardise, the judicial action of the employer of:
- ● complaint of unlawful acts of criminal offence,
- ● claim for compensation for damage to the heritage or the corporate image.
It is also recalled the attention of the employees on the fact that the misuse of the business tools of processing of data and information may also integrate the following hypothesis of crime :
- ● theft or subtraction of energy;
- ● altered operating of the computer systems;
- ● abusive access to secure computer/telematic systems;
- ● spread of programmes headed to damage or block a computer system;
- ● violation, subtraction or deletion of mail;
- ● unlawful interception, impediment or interruption of computing or telematic communication;
- ● installation of equipment designed to intercept, prevent or stop computing or telematic communication;
- ● damage of computing or telematic systems;
- ● computer fraud.
Reporting and operation of the rights of the employee
The following regulation shall be read also as an integration of the reporting already delivered to every employees with regards to the processing of his/her personal data. The purposes of the treatments subject of the following regulation are indicated in premise, while the modalities of the treatment are indicated in the following recitals and in particular at the recitals 6 and 7.
Concerning the following regulation, the rights referred to in Article 7 of the privacy code must be performed addressing to Rizzi Lorenzo di DA MARIO Snc di Rizzi Lorenzo & C. Via Porta Rossa 3/B, Cuneo (CN)
11. System administrators and their knowability
The aforementioned General Measure of the Competition Authority for the protection of the personal data “Measures and precautions required for the holders of treatment performed with electronic instruments, concerning the attributions of the function of system administrator”, require some obligations with regard to the regulation of the activities carried out by the professionals aimed to the management and to the maintenance of the processing equipment or of their components.
In particular, whenever the activity of the system administrators also concerns indirectly the service or the system which treats o permits the treatment of personal information of the workers, the following measure provides that the Controller, in its capacity as employer, is required to make known or knowable the identity of the system administrators in the context of their own organizations, according to the features of the company or of the service, in relation to the different computing services which these are responsible.
12. Publication of the regulation
The following regulation is publicized:
- ● with the inclusion in the intranet, and it replaces those previously adopted,
- ● with the distribution by mail,
- ● with the publication on the notice board ,
- ● with the manual delivery to each new taken,
documenting properly the happened communication.
The following regulation comes into effect from 04/06/2018 and it will be subjected to update every time comes the necessity and it will be subjected to a revision at least once a year.