Data Controller and Reference Standards
Data Controller is Sisthema Informatica e Sistemi S.p.A., headquartered in Via Gaetano Sbodio, 2  – 20123 Milano – Italy, hereinafter “Sisthema” for brevity. Sisthema deals with personal data in full compliance with European General Data Protection Regulation (hereinafter “GDPR”, for brevity). In compliance with articles 12, 13, and 14 of the GDPR, Sisthema provides public information about its policy about processing of personal data when acting as Data Controller.

Scope
This notice applies to Sisthema as Data Controller*, to its website, and to personal data relating to natural persons. Sisthema cannot and will not be in any way responsible for data processing by independent third parties and third party websites eventually linked by Sisthema’s website. Sisthema is a “Business-to-Business” (B2B) company, therefore as Data Controller systematically deals with data of legal persons while European law (GDPR) applies to personal data of natural persons only.

Occasionally, personal data of natural persons may be processed by Sisthema acting as Data Controller, electronically or manually, in full compliance with the GDPR and subjected to appropriate security measures as provided by the legislation and the best industry practices. Data and information of legal persons are, however, treated in confidence and subjected to the same security measures and adequacy to the same standards.

* This notice is out of scope when Sisthema processes personal data on behalf of another controller. In such a case, Sisthema acts as Data Processor and such data processing is regulated under a contract with such Data Controller.

Purpose of data processing without your explicit consent
All personal information you freely provide to Sisthema without explicit consent, via web or mail or otherwise, are optional and the result of your own free choice. Sisthema will process such information only for the purposes of: (a) responding to and fulfilling your requests, (b) fulfilling any contractual obligations, (c) pursuing legitimate interests of Sisthema (for example to defend itself in a court of Law), (d) to comply with legal and fiscal obligations.

Purpose of data processing with your explicit consent
Only after express consent of the “data subject” (you as a natural person, that is), Sisthema will process your personal data as a natural person for promotional and commercial purposes: for example, to inform you about new offers of products or services.

Personal data retention
Sisthema will keep your personal information for the time that is strictly necessary and sufficient for the stated purposes or provided by legal and fiscal regulations or until you request them to be deleted (see also Data Subject’s rights).

Data Subject’s rights
You are a “data subject” if Sisthema processes as data controller* any information relating to you as a identified or identifiable natural person. As a data subject you have the following rights:

• to withdraw your consent to processing of your personal data for marketing or commercial purposes** ,
• to ask Sisthema about the existence of personal data about you and to access them,
• to obtain from Sisthema the rectification of any inaccurate personal data about you,
• to obtain from Sisthema the erasure of your personal data**
• to lodge a complaint with the supervisory authority.

* if Sisthema processes your data as data processor on behalf of another data controller, please contact your data controller to exercise your rights

** that will not affect the lawfulness of processing based on consent before its withdrawal

*** your request will be fulfilled, unless there are legal grounds for retaining such data (such as; honor a contract, fiscal obligations,…)

Categories of personal data
As Data Controller Sisthema may process “special data” (such as; sensitive, medical, judicial, political, etc.) only if there are contractual obligations or other legal basis to do so. Namely, Sisthema usually process employees and free-lancers data for the purposes of salary payments, social security, insurance, labor law, and labor/project contracting. If you freely and by your own choice, or by error, provide Sisthema with special data and there are no legal grounds or contractual obligations to retain them, Sisthema will immediately erase such data.

Sources of personal data
Sisthema can receive your personal data from you the same and by your free choice from multiple sources (email, Sisthema’s website, telephone, fax, etc.) or from public sources (socials, websites, public registers). Whatever the source, Sisthema will not process your personal data as natural persons for marketing or commercial purposes without your explicit consent.

Contact / Questions
contact the Data Controller (Sisthema) in case you have any questions or concerns or to exercise your rights as Data Subject.