Following the transposition of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and which repeals Directive 95/46/EC (General Data Protection Regulation), and specifically in compliance with art. 29, the operations for the processing of personal data may only be performed by authorised persons acting under the authority of the Controller or of the Processor and who have been instructed by them (i.e. following the instructions given by one of the above parties).
This regulation is drawn up and circulated for the purpose of providing the instructions required for the processing operations.
In accordance with the new rules mentioned above, and in consideration of the processing of the personal data which the Authorised Person may have access to in performing his or her duties, the Authorised Person will be in charge of performing the above processing in compliance with applicable regulations and, in particular, in observance of the regulatory provisions listed below. In order to have a more complete understanding of the content of these regulations, a table containing the definitions of the terms hereinafter referred to is reported at the end of this Regulation and is an integral part thereof.

I) Norme generali

The personal data that Authorised Person will have knowledge of in exercising his or her duties on behalf of the writer (hereinafter also called “Company”), must be processed in compliance with applicable regulations. Specifically, Authorised Person must:

I.A.1 Process data lawfully and fairly;

I.A.2 Use the personal data that the Authorised Person has knowledge of in exercising the above duties only and exclusively for the processing operations he or she is tasked with;

I.A.3 Store the collected data so as to minimise the risks of loss or destruction (even accidental) of the data, of unauthorised access by third parties or unapproved processing, or of processing that does not comply with the purposes for which the data were collected;

To this end, Authorised Person is required to adopt and comply with the security measures set up by our company, in accordance with the provisions under art. 32 of Regulation (EU) 2016/679.

II) Collection of personal data and consent

In the event that, in performing his or her duties, the Authorised Person needs to collect personal data directly from the data subject or from a third party, he or she must verify that the rules reported below are strictly observed.

II.A.1Information notice

(1) Pursuant to Art. 13 of Regulation (EU) 2016/679, when personal data are collected from the Data Subject or from a third party, the following information is provided to them:
  • a) Type of data collected and processed
  • b) Identity and contact details of the controller and the controller’s representative
  • c) Contact details of the data protection officer
  • d) Purposes of the processing for which the personal data are intended as well as the legal basis for the processing
  • e) Legitimate interests pursued by the controller
  • f) Recipients of the personal data
  • g) Transfer of personal data to a third country or international organisation
  • h) Period for which the personal data will be stored
  • i) Existence of an automated decision-making process, including profiling
  • j) Data subject’s rights
  • k) Provision of data and consequences in the event of refusal to reply
(2) Where personal data are not obtained from the data subject, the above information, including the categories of data processed, is provided to the same data subject upon registration of the data or, if the data are to be used for communication, at the latest at the time of the first communication.

II.A.2 Consent
  • (1) The processing of personal data is allowed only following explicit consent by the data subject.
  • (2) Consent may regard all the processing or one or more processing operations.
  • (3) Consent is valid only if it is expressed freely and specifically in relation to clearly identified processing operations, if it is documented in writing, and if the information under article 13 of Regulation (EU) 2016/679 has been provided to the data subject.
  • (4) Consent must be given in writing when the processing regards “sensitive” data as defined under articles 9 and 10 of Regulation (EU) 2016/679.
II.A.3 The writer has prepared an information notice and made it available/accessible to everyone on its website. The commercial documents used for performing operational activities refer to a link where the data subject may find the requested information.

III) Processing by means of electronic instruments

Computer systems and programmes have been configured by minimising the use of either personal data or identification data, so as to rule out their processing if the purposes sought in the individual case can be achieved by using anonymous data or appropriate methods that allow the identification of the data subject only if necessary.
With regard to the processing covered by this point, the Authorised Person will be provided with authentication credentials for the processing operations he or she is required to perform. These credentials consist of identification codes (user) associated with a confidential keyword (password).
Authorised Person will therefore be required to adopt the measures indicated by the Controller and/or Processor including:

III.A.1 The keyword must be at least eight characters in length.

III.A.2 If the authentication credentials have not been used for at least six months or if they no longer allow personalised access by the data subject to the personal data (disclosure of password), they will be deactivated.

III.A.3 Authorised person must not leave electronic instruments unattended or accessible during working sessions. In the case of absence due to service reasons, he or she must block access to the electronic instrument in order to avoid any unauthorised access as per art. 615-ter of the Italian Criminal Code (type CTRL+ALT+CANC).

III.A.4 Authorised person must act with the required diligence in order to ensure the secrecy of the keyword.

III.A.5 Authorised person must provide the System Administrator with the authentication credentials which will be used to allow access to the data in the event of his or her prolonged absence or impediment.

III.A.6 Within the company website, personal data will be collected exclusively for commercial purposes, in compliance with the purpose for which the User/Data Subject has registered and, in any case, for purposes connected to and/or necessary for the management activities of the WEBSITE, with the exclusion of any other use and/or use in conflict with the interests of the User/Data Subject, without prejudice to the legal obligations of the Data Controller or Processor. These data will be exclusively limited to and relevant to exercising the functions of the WEBSITE which the User/Data Subject has registered to. They will also be exact and, if necessary, updated according to the indications provided by the User/Data Subject upon registration. They will be stored for the period needed to perform the activities covered by the authorised processing and for a further maximum period of 2 (two) months from termination of the authorised processing. In any case, processing may not exceed a period of ten years, except in the case of explicit renewal by the data subject. Personal data will be processed using suitable methods to ensure their security and prevent their loss or destruction (even partial).
Personal Data may be acquired and processed even for the purposes provided for in anti-money laundering legislation as introduced by Community Directive no. 2001/97/EC, by Italian Leg. Decree no. 56/2004 and subsequent transposition amendments and supplements, and by implementing Ministerial Decrees. Personal Data may be communicated to the UIC (Italian Exchange Office) in order to verify the correct fulfilment of the above obligations. The provision of Personal Data is merely an option, not an obligation, unless expressly required by law; however, it is necessary for registering to the website, while consent to the processing is a condition for registration. Personal data are provided whenever a data subject accesses our website to register, accesses it to manage/use the services it offers, or connects his or her account on a third-party website to his or her website account where permitted by the latter.

III.A.7 The user or data subject is aware of the Processing of “Log Data”. These data are automatically registered by our servers or server spaces, including Third-party websites, whenever the user or data subject accesses the website or uses it, regardless of whether he/she is or is not a registered user or whether he/she has accessed his/her account; these data include, by way of example, IP address, date and time of access, the hardware and software used for access, the websites and URLs which he or she comes from and moves to after ours, number of clicks, pages viewed and the order of such pages, as well as the amount of time spent on specific pages. These data are also the subject of separate consent which the Data Subject issues to the Data Controller for performing search engine activities in the web browser (e.g. Google) and may be used for analysis services and to trace the user’s or data subject’s activities resulting from his or her interaction with the website.
No personal data regarding users are acquired by the website through cookies. We do not use cookies for transmitting personal information and we do not use persistent cookies of any kind or user tracing systems. The use of session cookies (which are not stored on the user’s computer and disappear when the browser is closed) is strictly limited to the transmission of session identifiers (consisting of random numbers generated by the server) necessary to allow safe and efficient browsing of the website. The session cookies used on this website avoid the use of other IT technologies that could potentially affect the confidentiality of users’ browsing and do not allow the acquisition of the user’s personal identification data. Cookies used for integrating third-party software products and functions (Google Maps, YouTube videos, social network integration, etc.) integrate functions developed by third parties in the website pages in order to share the website contents or use third-party software services. These cookies are sent from third-party domains and from partner websites that offer their functions within the website pages. Data subjects may disable cookies from their browser settings, but the procedures and processing of data following a “Do Not Track” signal in the http header coming from their browser or mobile application will be changed. The activities of a Data Subject are traced whenever he or she clicks on an advertisement for the website services on Third-party websites or platforms such as search engines and social networks. The website does not allow Third Parties to collect information regarding Users’ online activities.

III.A.8 The website could use social plug-ins provided and managed by Third Parties. By using similar plug-ins, the Data Subject could send to Third Parties the information he or she is viewing on a certain part of the website. If the Data Subject has not logged into his or her account with Third Parties, such third party should not become familiar with his or her identity unless consent to the Processing of the Personal Data has been provided by the Data Subject directly to the Third Party. If the Data Subject has logged into his or her account with the Third Party, such Third Party may be able to link information regarding the Data Subject’s visit on the website to his or her account. Similarly, his or her interactions with the social plug-in could be recorded. These methods for accessing the Data Subject’s data by the Third Party are unrelated to the website’s functions and the processing is not performed by the website Controller or Processor, but by the Third Party to which the Data Subject should have provided his or her consent to the processing of his or her personal data. The Data Subject declares that he or she is familiar with the privacy policy of such Third Parties and with their personal data processing procedures and declares that he or she has validly authorised their treatment, exempting the Controller and the Processor from any liability with regard to the website. In the event that the data required for registration and browsing are not provided, membership to the website cannot be accepted and/or continued and the account will not be enabled or will be cancelled if consent to renew the authorisation to process the Personal Data is refused.

III.A.9 The Controller does not transfer the data of Data Subjects abroad or to third countries. All of the Data Subject’s rights are fully guaranteed, as better specified under art. 7 (“Right of access to personal data and other rights) of Italian Leg. Decree no. 196/03 which he or she declares to be familiar with. Users/Data Subjects are guaranteed a number of rights which are listed below, in compliance with EU Regulation 2016/679 and which must be exercised following a request submitted to the Processor:
  • - Right of access (art. 15) to the data to obtain confirmation as to whether or not personal data concerning them are being processed and to verify the purposes of the processing, the categories of personal data concerned, the recipients to whom the personal data have been disclosed, the period for which the personal data will be stored, the existence of any automated decision-making procedure, including profiling as per art. 22, paragraphs 1 and 4 of Regulation EU 2016/679;
  • - The right to obtain the rectification of inaccurate personal data and to have incomplete personal data completed (art. 16);
  • - The right to obtain the erasure (art. 17) of personal data without undue delay at the request of the Data Subject and the obligation to erase them if they are no longer necessary for the Processing purposes; the Data Subject withdraws consent to the Processing; the Data Subject objects to the Processing pursuant to art. 21 of the EU Regulation; the data have been unlawfully processed; the obligation to erase them is required by Italian or EU legal provisions (the obligation to erase the data does not apply for exercising the right of freedom of expression and information, for compliance with a legal obligation which requires processing, for reasons of public interest or public order requiring processing, for reasons of justice that justify the processing.)
  • - The right to restriction of processing (art. 18) when the Data Subject contests the accuracy of the personal data for a period enabling relevant verification, the processing is unlawful and the Data Subject opposes the erasure of the personal data, the Controller no longer needs to continue processing the personal data but the processing is required by the Data Subject for purposes of justice and for the exercise of legal claims, and when the Data Subject has objected to processing pending the verification whether the legitimate grounds of the Controller override those of the Data Subject.
  • - Obligation for the Controller to notify any erasure, rectification or restriction of processing (art. 19) to any Recipients of personal data that have been processed.
  • - The right to data portability (art. 20) meaning the Data Subject’s right to receive, free of charge, the personal data concerning him or her, in a structured, durable, commonly used and machine-readable format, also provided in multiple examples, by e-mail at the address specifically indicated by the User/Data Subject, and meaning the right to transmit the Personal Data to another Controller, without hindrance, if the processing is performed using automated means as in the case at issue;
  • - The right to object to the processing of his or her Personal Data (art. 2), without prejudice to the Controller’s right to demonstrate the existence of binding legitimate grounds for the processing;
  • - The right not to be subject to automated decision-making, including profiling, unless such decision-making is necessary for entering into or for performance of a contract between the Data Subject and the Controller, is authorised by national or EU law, or can be deemed to be already authorised based on the Data Subject’s explicit consent (art. 22).
IV) Processing data using instruments other than electronic instruments

IV.A.1 The Authorised Person must store the personal data during processing.

IV.A.2 In the event of personal data processing, the Authorised Person must ensure the custody of the documents and acts containing the data.

IV.A.3 The Authorised Person must check access to the archives which have been entrusted personally to him or her and contain sensitive and/or judicial data, as well as verify that the persons accessing them are duly authorised.

IV.A.4 As to the paper material related to the personal data being processed, the Authorised Person must ensure that this material is stored with equal diligence. Therefore, the material will not be left unattended at his or her desk and it will be placed in appropriate containers provided with locks at the end of every work session.

IV.A.5 The Authorised Person must also take care to apply the same measures to all other forms used for reproducing personal data (e.g. USBs, CD-ROMs, etc.).

IV.A.6 The Authorised Person is required to disclose, circulate or transmit the data he or she has knowledge of only within the company and/or according to the instructions given to him or her and, in any case, shall not be able to disclose or circulate the data for purposes other than those for which the data are processed by the Company.

IV.A.7 While performing his or her tasks, if the Authorised Person has access to so-called “sensitive” data (defined by articles 9 and 10 of Regulation (EU) 2016/679), for processing purposes and based on the tasks entrusted to him or her, the Authorised Person must pay particular attention and use diligence in complying with the above provisions and with any further provisions requested from him or her by the Controller or Processor, with specific reference to so-called “sensitive” data.

IV.A.8 The Authorised Person shall in any case promptly inform the Company, the Manager or his/her immediate superior of any matter that is relevant for the correct application of the Code and of its implementing regulations, as well as in the event that he or she detects any anomalies or any other issue that could endanger the security of the personal data being processed. The Authorised Person may contact these people also to obtain clarifications on his or her duties, on data processing methods or on the security measures to be adopted for the processing.

IV.A.9 The Authorised Person must in any case strictly adhere to the instructions given by the Controller and/or Processor(s) and to any updates in such instructions. Simi Group S.r.l. appoints Mr. Matteo Orlandi as Data Processor.

In drawing attention to the importance of the legal requirements on the processing of personal data, as well as to the fact that any breach of these regulations may entail both civil and criminal liability for the Controller and the Processor, pursuant to art. 161 et sequitur of the Code, we remind you that every single breach of the above obligations shall be subject to disciplinary sanctions in accordance with and for the purposes of the procedures established by art. 7 of Italian Law 300/1970 and by the N.C.L.A. applied.
It is understood that the appointment as Authorised Person, as provided for and regulated in this communication, may be freely revoked at any time by the Company.
It is also understood that the appointment as Authorised Person is functional and necessary for performing the duties assigned to the single Authorised Person. Consequently, in addition to the amount already due for performing the aforementioned duties, no further compensation or reimbursement will be due to the Authorised Person as a result of the above appointment.

Definition of terms

Digital authentication: All electronic instruments and procedures used for verifying an identity, even indirectly;
Database Any organised grouping of personal data divided into one or more units located in one or more sites;
Blocking The retention of personal data with temporary suspension of any other processing operation;
Disclosure Providing knowledge of the personal data to one or more parties other than the data subject, the representative of the controller in the State territory, the processor and the authorised persons, in any form, also by making them available or through consultation;
Electronic communication Any information exchanged or transmitted between a finite number of parties by means of a publicly available electronics communication service. This does not include any information transmitted as part of a broadcasting service to the public over an electronic communications network except to the extent that the information can be related to the identified or identifiable subscriber or user receiving the information;
Authentication credentials The data and devices owned by a person who is familiar with them or to whom they are uniquely related, used for digital authentication;
Personal data Any information relating to natural persons, legal persons, bodies or associations, identified or identifiable, even indirectly, through reference to any other information, including a personal identification number;
Identification data Personal data that allow direct identification of the data subject;
Sensitive data Personal data that could reveal racial or ethnic origins, religious, philosophical or other beliefs, political opinions, membership to political parties, trade unions, associations or organisations of a religious, philosophical, political or trade union character, as well as personal data that could reveal details about the person’s state of health or sex life;
Judicial data Personal data that could reveal any provisions pursuant to article 3, paragraph 1, letters a) to o) and r) to u), of Italian Presidential Decree no. 313 of 14 November 2002, concerning criminal records, the register of administrative sanctions related to offences and of related pending proceedings, or the status of either suspect or accused person pursuant to articles 60 and 61 of the Italian Code for Criminal Procedure;
Anonymous data Data that originally, or after processing, cannot be associated with an identified or identifiable data subject;
Circulation Providing knowledge of the personal data to undetermined persons, in any form, also by making them available or through consultation;
Data Protection Authority The authority under article 153, introduced by Italian Law no. 675 of 31 December 1996;
Authorised persons The natural persons authorised to perform processing operations by the controller or processor;
Data subject The natural person, legal person, body or association to whom/which the personal data refer;
Minimum measures All the technical, IT, organisational, logistics and procedural security measures that configure the minimum level of protection requested in relation to the risk of breach;
Keyword Component of an authentication credential associated with a person and known to such person, consisting of a sequence of characters or other data in digital format;
Email Any text, voice, sound or image message sent over a public communications network which can be stored in the network or in the recipient’s terminal equipment until the recipient has knowledge of it;
Authorisation profile All the information, uniquely associated with a person, which determines which data he or she has access to, as well as the processing permitted;
Processor The natural person, legal person, public authority or any other agency, association or body entrusted by the controller to process the personal data;
Electronic communications networks The transmission systems, switching or routing equipment and other resources which permit the conveyance of signals by wire, by radio, by optical or by other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including Internet) and mobile terrestrial networks, networks used for radio and television broadcasting, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, and cable television networks, irrespective of the type of information conveyed;
Authorisation system All the instruments and procedures that enable the access to data and the methods for processing them, based on the applicant’s authorisation profile;
Electronic instruments The computers, computer programmes and any electronic or automated device used for processing the personal data;
Controller The natural person, legal person, public authority or any other agency, association or body who/which, either alone or jointly with others, determines the purposes and methods of the processing of the personal data as well as the instruments used, including the security profile;
Processing Any operation or set of operations, whether or not using electronic instruments, regarding the collection, recording, organisation, storage, consultation, processing, alteration, selection, extraction, comparison, use, interconnection, blocking, disclosure, circulation, erasure and destruction of data, even if not recorded in a database.