OpenSymbol Data Processing Notice – Full Version

OpenSymbol Data Processing Notice – FULL VERSION 

Dear Data Subject, we are sharing this information with all individuals who interface with our internal systems, pursuant to the “Regulation (EU) 2016/679 on the Protection of Natural Persons with regard to the Processing of Personal Data and on the Free Movement of such Data.” (hereinafter, the “GDPR”).

Pursuant to Article 13 of the GDPR, we hereby inform you that:

1. Responsibility 

The Data Controller is OpenSymbol Srl – Via Vecchia Ferriera, 5 – 36100 Vicenza – VAT no./Tax ID 03184500241 – Vicenza Business Register entry no. 03184500241 – Economic and Administrative Index no. 305343 – Share Capital € 10,000 fully paid-up. 

Any request regarding this Privacy Policy, the protection of personal data and the security of information can be sent to the DPO of OpenSymbol Srl at dpo@opensymbol.it.

2. Purpose, Legal Basis, Storage Times

OpenSymbol uses the data it collects from data subjects for the following purposes: 

Commercial

  • to address commercial requests received; 
  • to profile the Company that the user who is filling out represents as an employee or business partner.  

Marketing

  • to collect separate consents for: delivery of newsletters; communication of events and training courses; sharing of industry news and updates on products and services; various types of marketing activities. 

Pursuant to Article 6 paragraph 1 letter f) of the GDPR, processing for commercial purposes is based on the pursuit of legitimate interests by OpenSymbol. Pursuant to recital 47 of the GDPR and according to the logic of a relevant and appropriate commercial relationship between OpenSymbol and the data subject, such interests are applicable to:

  • Prospect employee/OpenSymbol customer;
  • OpenSymbol supplier;
  • OpenSymbol Supplier Employee. 

Pursuant to Article 6, paragraph 1, letter a), processing related to marketing purpose is based on the explicit consent of the data subject.

Pursuant to Article 13, paragraph 2, letter a) processing relating to Marketing purposes is considered valid until the user revokes his/her consent, which can be implemented via the link at the bottom of all communications. A verification email will be sent to all users at least every 4 years, and through which it will be possible to unsubscribe. 

3. Categories of Personal Data 

Pursuant to Article 5, paragraph 1, letter c), OpenSymbol only stores personal data that are adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed (“Data Minimisation”); therefore, the data subjects should neither share personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, nor process genetic and biometric data intended to uniquely identify a natural person, and data related to a person’s health or sexual life, or sexual orientation. If any data subject were to deliberately share data of this type to OpenSymbol, the latter’s employees or business partners who have received specific privacy training sessions, will process such data according to the principles of maximum care and confidentiality.

More specifically, to pursue the processing purposes discussed in paragraph 2 of this Notice, OpenSymbol mainly processes the following personal data categories:

  • Personal data;
  • Contact details; 
  • Corporate data. 

4. Data of Minors 

Pursuant to Article 8, paragraph 1 of the GDPR, the processing of a minor’s personal data is lawful if the minor is at least 18 years old for commercial processing and 14 years for marketing processing. If the minor is younger, such processing is lawful only if and to the extent that consent has been given or authorised by the party exercising parental authority. OpenSymbol requires all users who use the above forms to be at least 18 years of age for commercial processing and 14 years for marketing processing, or to self-certify that consent was given by the party exercising parental authority. 

5. Processing

Processing includes data collection, recording, organisation, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, erasure and destruction. Profiling must be added to these activities; it is performed through the data subject, but with a focus on the company he/she represents as an employee or business partner.

6. Recipients

Potential primary suppliers who may have access to, process, archive, transmit and, in general, process OpenSymbol data and information are also evaluated on information security issues (ISO 27001, ISO 27017 and ISO 27018 standards), as well as in terms of the protection of the Privacy of Natural Persons whose data are processed by OpenSymbol.

OpenSymbol does not transfer your data to third parties for any reason whatsoever. Within the limits relevant to the processing purposes discussed above, your data may be shared with specific suppliers appointed as Data Processors pursuant to Article 28 of the GDPR. It is possible to request the updated list of Data Processors at privacy@opensymbol.it.

7. Processing Location

All processing activities described herein and carried out by OpenSymbol take place within the EU, with the exception of: :

  1. Zendesk Inc. – Ticketing Service;
  2. SureSwift Capital (Docparser/Mailparser) – Email Parsing Service – only for customers who have subscribed to the “Mailparser” service for mining information from emails;
  3. Zapier, Inc. – App Integration Service – only for customers who have subscribed to the “Zapier” service for App Integration.

Specific Data Protection Impact Analysis (DPIA) activities have been performed, and appointment agreements that include standard contractual clauses have been entered into with respect to the Sub-Processors listed above. 

8. Methods of Processing

Processing will be carried out in such a way as to guarantee adequate personal data security, including protection from unauthorised or unlawful processing and from accidental loss, destruction or damage (“integrity and confidentiality”), by means of adequate technical and organisational measures.

OpenSymbol considers the security of information, including personal data, an indispensable factor.
For this reason, the Company has put in place a Quality and Information Security Management System (SGQSI) defined according to rules and criteria established by “best practices”, by international reference standards and in compliance with the provisions set forth in international regulations:

  • ISO 9001 – “Quality Management System”;
  • ISO 27001 – “Information Security Management System”;
  • ISO 27017 – “Information technology — Security techniques — Code of practice for information security controls based on ISO 27002 for cloud services”.
  • ISO 27018 – “Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors”.

OpenSymbol has its own qualified Lead Auditor AICQ SICEV ISO 27001 personnel and is ISO 9001, ISO 27001, ISO 27017 and ISO 27018 certified following a compliance assessment by CSQA, an independent third-party control body accredited by Accredia, the Single national accreditation body designated by the Italian government. The certificates issued by CSQA are internationally recognised. More information is available on the page accessible at link.

9. Rights of the Data subject 

Data Subjects have at all times the right to request from the Data Controller access to their data, as well as data rectification or erasure, limited processing, can object to processing, request data portability, and revoke their consent, and seek to enforce these and other rights contemplated in the GDPR, by simply sending their request(s) to the Data Controller or to the DPO, via email at privacy@opensymbol.it.
More in detail, OpenSymbol will manage a request received by a Data Subject without undue delay and, in any case, at the latest within one month of receipt thereof. This deadline will be extended to 3 months in the event of specific and precise data erasure. Data Subjects also have the right to lodge a complaint with a Supervisory Authority. The Personal Data Protection Supervisor is operational in Italy.