OpenSymbol Data Processing Notice – Full Version

Dear Data Subject, we are sharing this Notice pursuant to Article 13 of “Regulation (EU) 2016/679 on the Protection of Natural Persons with regard to the Processing of Personal Data and on the Free Movement of such Data.” (hereinafter, the “GDPR”).

1. Definitions

The term “personal data” refers to any information relating to an individual, identified or identifiable, even indirectly, with reference to any other information, including a personal identification number.

The term “Data Subject” refers to the natural person to whom the personal data refer.

2. Responsibility

With respect to the processing defined in this Notice, OpenSymbol srl, located on Via Vecchia Ferriera, 5 – 36100 Vicenza (VI) – VAT no./Tax ID 03184500241 – Economic and Administrative Index (REA) 305343, is the independent Data Controller and/or the Joint Data Controller together with the following companies of the Impresoft Group, to which OpenSymbol belongs, which process the personal data of data subjects independently or jointly, pursuant to the GDPR and in accordance with the specific purposes detailed herein:

  • Formula Impresoft S.p.A., with registered and administrative office on Via Bisceglie 76, Milan, Tax ID and VAT no. 05488960013, in the person of its Legal Representative, Mr. Giuseppe Rossano Ziveri; email address: gdpr@formulaimpresoft.com
  • Qualitas Informatica S.p.A., with registered office on Via Marco Dalla Vecchia, 12, Santorso (VI), Tax ID and VAT no. 01833260241, in the person of its Legal Representative, Mr. Sergio Gasparin; email address: ufficiomarketing@qualitas.it 
  • 4ward S.r.l., with registered office on Via del Vigneto 33, Bolzano, Tax ID and VAT no. 03408060964, in the person of its Legal Representative, Mr. Christian Carlo Alberto Parmigiani; email address: dpo@4ward.it  
  • NextTech S.r.l., with registered office on Piazza San Nicolò, 15 30034 Mira (VE), Tax ID and VAT no. 05488960013, in the person of its Legal Representative, Mr. Mauro Dal Corso; email address: info@nexttech.it 
  • NextCRM S.r.l., with registered office on Via Rossini, 6, Vicenza (VI), Tax ID and VAT no. 04119450247, in the person of its Legal Representative, Mr. Luigi Mattiazzi; email address: direzione@pec.nextcrm.it 

The aforementioned companies act as independent Data Controllers for the purposes referred to in paragraph 4. The companies may also act as Joint Controllers in relation to the processing of data for commercial purposes and marketing, as specified in paragraph 5 below, having jointly determined the purposes, methods and means of processing by means of a dedicated agreement, pursuant to Art. 26 of the GDPR.

Any request regarding this Privacy Policy, the protection of personal data and the security of information can be sent to the DPO of OpenSymbol S.r.l., who can be contacted at dpo@opensymbol.it or privacy@opensymbol.it, or at the Impresoft Group email box privacy@impresoftgroup.com.

3. Personal Data Sources

Personal data processed by the aforementioned Data Controllers are collected directly from the website(s) of individual Data Controllers or from the Group website, as well as by means of the web services contained therein (so-called digital touch points), or at the time of events organized by the Data Controllers also at third-party locations, such as, for example, commercial partners, and possibly enhanced with information available through specific services, databases of private companies (LinkedIn, Creditsafe, etc …) or publicly by way of Public Registers and the Chamber of Commerce, Industry, Agriculture and Craftsmanship. 

If the Data Controllers receive data from external companies for the purposes of commercial information, market research, direct offers of products and services, a Notice will be provided at the time of data recording or, in any case, no later than the first possible communication.

4. Purpose, Legal Basis, Storage Times

OpenSymbol and the other companies of Impresoft Group use any data they collect from data subjects for the following purposes, whether independently or jointly, depending upon the specific situation:

Commercial

  • To respond to commercial requests received from one or more of the Group’s companies.
    Pursuant to Article 6 paragraph 1 letter b) and f) of the GDPR, processing for commercial purposes is based on the need to implement a contract to which the Data Subject is a party, to put in place pre-contractual measures adopted at the Data Subject’s request, or to pursue the legitimate interests of OpenSymbol and/or the other companies of the Impresoft Group, pursuant to Recital 47 of the GDPR and according to the logic of a relevant and appropriate commercial relationship between OpenSymbol and/or the other companies of the Impresoft Group and the Data Subject.

Marketing

  • Promotion and sale of products and services similar to those already purchased by the Data Subject (so-called soft spam), through commercial communications that may also be of specific interest to the Data Subject.
    The provision of data is not mandatory and their processing does not require consent in light of the validity of the legitimate interest of the Data Controllers, pursuant to Art. 6 par. 1 letter f) of the GDPR, in performing marketing activities for the benefit of its customers.
  • Transmission of promotional material (delivery of newsletters, promotion of workshops, webinars, events, promoting products and services) and automated remote commercial communication (such as, email, text messages and instant messaging) and traditional communication (such as operator calls).
    Pursuant to Article 6, paragraph 1, letter a), processing related to marketing purpose requires the explicit consent of the Data Subject.

Legislative/Judicial Purposes

  • To fulfill legal requirements, regulations, EU legislation, provisions issued by authorities legitimated by the law or by supervisory and control bodies, or if necessary to ascertain, exercise or defend one’s rights in court.
    The provision of personal data is mandatory and its processing does not require consent and is based on Article 6 paragraph 1 letter c).

Statistical Purposes

  • Feedback on quality for the purpose of improving Company’s activities and services (e.g., feedback concerning customer satisfaction with the quality of the services rendered, and activities carried out by the Company, as well as the processing of market surveys and research), also by means of automated remote communication (such as, email, text message and instant messaging) and traditional communication (such as, operator calls).
    The provision of personal data is not mandatory and their processing does not require consent in light of the validity of the legitimate interest of the Data Controllers, pursuant to Art. 6 par. 1 letter f) of the GDPR.

Personal data will be kept for a period of time not exceeding the achievement of the purposes underlying processing, within the limits prescribed by the current legislation, in compliance with the minimization principle pursuant to Art. 5.1.c) of the GDPR, and allowing additional storage times to fulfill legal obligations and to allow the defense in court of the Joint Data Controllers and the exercise of their rights. As it pertains to personal data processed by OpenSymbol, an email is sent at least every 4 years to all Data Subjects with an updated Privacy Policy Notice, indicating also the ways in which Data Subjects can assert their rights.

Once the need and/or obligation to process the personal data of the data subject is no longer applicable, OpenSymbol will delete the data or make them anonymous or, if this is not possible (for example, since personal data have been stored in the backup archives), will keep them securely, anonymizing them and excluding them from any further processing until their erasure.

5. Joint Data Processing

The Joint Data Controllers, as identified in paragraph 1 of this Notice, have entered into a Joint Data Controllers Agreement pursuant to Article 26 of the Regulation.

The Data Controllers, through the aforementioned agreement, intend to jointly process data collected in the exercise of their activities to manage their customers and for marketing purposes. Specifically, these activities concern:

  • transmission of promotional material (delivery of newsletters, promotion of workshops, webinars, events, promoting products and services) and automated remote commercial communication (such as, email, text messages and instant messaging) and traditional communication (such as operator calls);
  • feedback on quality, including by automated remote communication (such as email, text message and instant messaging) and traditional communication (such as operator calls).

The provision of data for marketing purposes is optional and its processing is subject to the legitimizing assumption of consent. If consent to processing is not granted, the promotion activities cannot be implemented, which will not prejudice the Data Subject in any way.

Concerning the aforementioned commercial and marketing purposes, the Joint Controllers have also jointly determined the processing methods by means of a dedicated agreement, and have defined, in a clear and transparent way, the procedures to provide the Data Subjects with timely information, should they wish to exercise their rights, as provided in Art. 9 below, and Articles 15, 16, 17, 18 and 21 of the Regulation, as well as in the cases of portability of personal data provided for by Article 20 of the Regulation.

6. Categories of Personal Data

Pursuant to Article 5, paragraph 1, letter c), OpenSymbol and the other companies of the Impresoft Group only store personal data that are adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed (“Data Minimisation”); therefore, the Data Subjects should neither share personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, nor process genetic and biometric data intended to uniquely identify a natural person, and data related to a person’s health or sexual life, or sexual orientation. If any Data Subject deliberately shared data of this type with OpenSymbol or the other companies of the Impresoft Group, any employees or business partners of OpenSymbol or other companies of the Impresoft Group who have received specific privacy training sessions will process such data according to the principles of maximum care and confidentiality. More specifically, to pursue the processing purposes discussed in paragraph 2 of this Notice, OpenSymbol and the other companies of the Impresoft Group process the following personal data categories:

  • Personal data;
  • Contact details;
  • Corporate data.

7. Data of Minors

Pursuant to Article 8, paragraph 1 of the GDPR, the processing of a minor’s personal data is lawful if the minor is at least 14 years old. If the minor is younger, such processing is lawful only if and to the extent that consent has been given or authorised by the party exercising parental authority. 

8. Processing

Processing includes data collection, recording, organisation, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, erasure and destruction. Profiling must be added to these activities; it is performed through the data subject, but with a focus on the company he/she represents as an employee or business partner.

9. Recipients

The Data Controllers may communicate the personal data of the Data Subjects to third parties in the fulfillment of legal requirements.

Upon receipt of a specific consent, the Data Controllers may share personal data with third parties (companies that are part of the Group), which will process them as independent Data Controllers, for the purposes of commercial information, statistical surveys, market research, and direct offers of their products and services.

The Data Controllers may share the personal data of the Data Subjects with third parties, which will operate as independent Data Controllers or will be designated as Data Processors and are essentially included in the following categories:

  • subjects providing banking services, including subjects that manage payment systems;
  • persons, companies, associations or professional firms that provide assistance and consultancy services or activities to the Data Controllers, with particular, but not exclusive, reference to accounting, administrative, legal, tax and financial and commercial matters;
  • commercial, marketing and legal partners, suppliers of technical services and/or software platforms, system administrators, hosting providers, IT companies and communication agencies; 
  • subjects that perform operations related to the control, revision and certification of activities carried out by the companies of the Group, also in the interest of customers.

The data of Data Subjects will not be communicated, disclosed or sold to third parties or used for purposes other than those indicated above, without prior communication and explicit consent of the Data Subjects, where necessary.

It is possible to request the updated list of Data Subjects at privacy@opensymbol.it or privacy@impresoftgroup.com

The subjects designated as Data Processors by OpenSymbol, which may have access, process, archive, transmit and, in general, operate on personal data, are also evaluated on information security matters (pursuant to ISO 27001, ISO 27017 and ISO 27018 regulations) and on personal data protection.

10. Processing Location

In the event that OpenSymbol or the Joint Data Controllers need (permanently or temporarily) to transfer Personal Data to Third Countries outside the EU for the purposes indicated above, such transfer may take place provided that it complies with the methods permitted by current law and, in particular, the provisions of the GDPR referred to in: i) Art. 44 – General Principle for Data Transfer; ii) Art. 45 – Transfer on the Basis of an Adequacy Decision; iii) Art. 46 – Transfer Subject to Adequate Guarantees; iv) Art. 49 – Exceptions in Specific Situations.

Therefore, data can be transferred: 

  • to non-EU countries or international organizations, if the European Commission has deemed that said countries or organizations provide an adequate level of protection (Article 45 of the GDPR); 
  • to non-EU countries or international organizations that have provided adequate guarantees (for example, by the adoption of Standard Clauses approved by the European Commission) provided that the Data Subjects are afforded enforceable rights and effective means of redress – (Article 46 of the GDPR);
  • to non-EU countries or international organizations, on the basis of binding corporate rules (Binding Corporate Rules – BCR) for companies belonging to the same business group (Article 47 of the GDPR);
  • to non-EU countries or international organizations, on the basis of the derogation provided for the applicability of conditions referred to in Art. 49 and, in particular, those referred to in paragraph 1, letter: b) Execution of a Contract; c) Stipulation or Execution of a Contract between the Data Controller and another Natural or Legal Person in the Interest of the Data Subject.

All processing activities described herein and carried out by OpenSymbol take place within the EU, with the exception of:

  • Zendesk Inc. – Ticketing Service – USA;
  • SureSwift Capital (Docparser/Mailparser) – Email Parsing Service – only for customers who have subscribed to the “Mailparser” service for mining information from emails;
  • Zapier, Inc. – App Integration Service – only for customers who have subscribed to the “Zapier” service for App Integration.

Specific Data Protection Impact Analysis (DPIA) activities have been performed, and appointment agreements that include standard contractual clauses have been entered into with respect to the Sub-Processors listed above.

11. Methods of Processing

OpenSymbol and the other Group companies implement adequate technical and organizational measures to ensure a level of security appropriate to the risk, which include one or more of the following measures, as warranted:

  • personal data pseudonymization and encryption;
  • ability to ensure the confidentiality, integrity, availability and resilience of processing systems and services on a permanent basis;
  • ability to promptly restore the availability and access of personal data in the event of a physical or technical incident;
  • periodic verification of the effectiveness of technical and organizational measures in order to guarantee safe processing.

All the staff and business partners of OpenSymbol and of the other Group companies which access the personal data specified in this Notice have received specific authorizations and instructions from the Data Controller/Joint Controllers. 

For this reason, OpenSymbol has put in place a Quality and Information Security Management System (QISMS) defined according to rules and criteria established by “best practices” and by international reference standards, and in compliance with the provisions set forth in international regulations:

  • ISO 9001 – “Quality Management System”;
  • ISO 27001 – “Information Security Management System”;
  • ISO 27017 – “Information Technology – Security Techniques – Code of Practice for Information Security Controls based on ISO 27002 for Cloud Services”.
  • ISO 27018 – “Code of Practice for the Protection of Personally Identifiable Information (PII) in Public Clouds Acting as PII Processors”.

OpenSymbol has its own qualified Lead Auditor AICQ SICEV ISO 27001 personnel and is ISO 9001, ISO 27001, ISO 27017 and ISO 27018 certified following a compliance assessment by CSQA, an independent third-party control body accredited by Accredia, the Single national accreditation body designated by the Italian government. The certificates issued by CSQA are internationally recognised. More information is available on the page accessible at link.

12. Rights of the Data subject

Pursuant to Arts. 15-22 of the GDPR, Data Subjects are afforded specific rights. In particular, Data Subjects must be granted by the Data Controllers: data access, rectification and erasure; restriction of processing; withdrawal of consent and data portability means. A Data Subject also has the right to object to data processing for legitimate reasons and/or commercial purposes.

The Data Controllers undertake to reply to the Data Subject as soon as possible after ascertaining his/her identity. 

If a Data Subject exercises his/her right to object to data processing, each Data Controller and/or the Joint Controllers reserve the right not to proceed with the request, and, therefore, to continue with processing, in the event that there are legitimate mandatory reasons to proceed in this regard, which prevail over the interests, rights and freedoms of the Data Subject.

Such rights may be exercised both towards individual Controllers and the Joint Data Controllers by sending a written communication to:

We inform Data Subjects that, pursuant to Article 12 of the GDPR, if their requests are manifestly unfounded or excessive, in particular due to their repetitive nature, the Data Controllers may: a) charge a reasonable fee to compensate for the administrative costs incurred to provide the information or communication, or take action following a request, or b) refuse to comply with the request.

Data Subjects also have the right to lodge a complaint with the Data Protection Supervisor. The Personal Data Protection Supervisor is operational in Italy.