EXTRACT FROM THE USCO S.p.A. PERSONAL DATA RETENTION POLICY

 

1. Introduction and purpose

This extract from the USCO S.p.A. personal data retention policy (hereinafter also simply “USCO” or “the Company”) is issued:

  • in the light of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation; hereinafter for brevity "EU Privacy Regulation" or "Regulation" or "GDPR"), which completes the existing legislation on privacy;
  • understanding the legislation on the subject of privacy (hereafter for brevity "Privacy legislation") as the combination of all legal provisions on the protection of personal data as completed by the GDPR;

to provide general guidance on personal data retention procedures.

 

2. Definitions

  • "Personal data": all information regarding an identified or identifiable private individual ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identity or one or more characteristic elements of his or her physical, physiological, genetic, mental, economic, cultural or social identity.
  • “Processing”: any operation or set of operations performed on personal data, with or without the use of automated means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
  • "Controller": a natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or European laws, the controller or the specific criteria for its nomination may be designated by national or European laws.
  • "Data processor": a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.

  

3. Principles relating to the duration of the processing of personal data

 

3.1. General principles 

In compliance with the Privacy Legislation, the processing of personal data for which USCO is the Data Controller or Processor is carried out in compliance with the principles summarised below.

The personal data are:

  • processed lawfully, with propriety and transparently with regard to the data subject;
  • collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
  • adequate, relevant and limited to the minimum necessary for the purposes for which they are processed.

 

In general terms, the data are kept in a form which allows identification of the data subject for a time period no longer than is necessary for achieving the purposes of the processing.

The fulfilment of legal obligations, the implementation of existing civil, fiscal, corporate, welfare, employment or other legislation, or cases where the processing is necessary for the establishment, exercise or defence of a legal right or whenever the courts exercise their judicial functions, can require some personal information to be kept for longer than the deadlines specified in the aforementioned obligations or regulations.

Furthermore, the legislator and the controlling authority may establish specific durations for certain types of processing, in compliance with the limitations provided for by the Privacy Legislation.

 

3.2. Specific indications for types of data subjects

Without prejudice to the application of the general principles of paragraph 3.1. above, according to which the duration of the retention of personal data depends on the achievement of the purposes for which the data are processed (purposes specified in the privacy policies or connected with the legal basis of the processing), indication is given below, for the main categories of data subjects, of the factors that determine the duration of the main personal data processing operations for these categories of data subjects and the cases where legal retention constraints may apply.

 

| Data subject categories | Factors that determine the duration of processing | Possible application of other legal retention constraints* |
|---|---|---|
| Personnel (employees and associates) | Duration of the employment or collaboration relationship | ✓ |
| Candidates | Period of interest for the professional profile of the candidate, also following the job vacancy. No longer than 2 years. | |
| Customers | Term of the contractual relationship and time periods necessary for the provision of the service | ✓ |
| Third parties | Term of the contractual relationship | ✓ |
| Visitors | 6 months from registration | |
| Trade agents and sales representatives | Term of the contractual relationship | ✓ |
| Administrative positions (board members, auditors, etc.) | Office term | ✓ |

 

*For example, legal obligations or constraints arising from civil, tax, social security or employment legislation (usually 10 years from the end of the contractual relationship), cases of exercise of rights before the courts, etc., or other specific processing duration constraints determined by the legislator or by the supervising authorities for certain purposes.

In the event that it becomes necessary to apply factors that affect the duration of the processing other than those indicated above, these are duly indicated in the privacy policies addressed to the recipients.

 

4. Right to erasure

The data subject has the right to obtain the erasure of personal data concerning him or her without undue delay and the controller must erase such personal data where one of the following grounds applies:

  • the personal data are no longer necessary with regard to the purposes for which they were collected or otherwise processed;
  • the data subject revokes the consent on which the processing is based (in cases where consent provides the legal basis of the processing), if there are no other legal grounds for the processing;
  • the data subject opposes the processing pursuant to current law and there are no overriding legitimate grounds for proceeding with the processing;
  • the personal data have been unlawfully processed;
  • the personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

or in further cases provided for by the Privacy Legislation.

The previous paragraph shall not apply to the extent that processing is necessary:

  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in so far as the right referred to in the previous paragraph is likely to render impossible or seriously impair the achievement of the objectives of that processing;
  • for the establishment, exercise, or defence of legal claims;

or in further cases provided for by the Privacy Legislation.

 

5. Contacts

For more information on the duration of the processing or exercise of the rights to erasure, contact: privacy@usco.it