Controller for the data processing is INWIT S.p.A. – Largo Donegani n. 2, 20121 – Milan
Contact information for the Data Protection Officer (DPO) of INWIT
INWIT S.p.A. has appointed a Data Protection Officer.
Contact information of the Data Protection Officer for interested parties (i.e. clients, shareholders, users, suppliers and partners, etc.) of INWIT are as follows:
DPO INWIT, at Infrastrutture Wireless Italiane S.p.A.
Via Largo Donegani n. 2, 20121 – Milan
e-mail address: firstname.lastname@example.org
Information on the processing of personal data as part of video surveillance systems pursuant to Article 13 of Regulation (EU) 2016/679
The purpose of this document (hereinafter referred to as the “Information”) is to provide information regarding the processing of personal data that may be carried out through the video surveillance systems installed by INWIT S.p.A. to protect its corporate assets at its indoor and outdoor sites, as per the appropriate signage, in the manner and for the purposes set out below.
The Information is set forth in accordance with Article 13 of the GDPR, as well as in compliance with the “Provision on video surveillance – April 8, 2010” undertaken by the Italian Data Protection Authority (“Garante”) and the “Guidelines 3/2019 on processing of personal data through video devices” issued by the European Data Protection Board on July 10 2019 (collectively, “Privacy Regulation”).
Identification details of the Data Controller and Data Protection Officer.
Pursuant to Article 4(1)(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (“GDPR”), the Data Controller is INWIT S.p.A. (“INWIT”) with registered office at Via Largo Donegani n. 2, 20121- Milan. The Data Protection Officer, appointed by the Data Controller, can be contacted by email at the following address: email@example.com
Type of data processed and purpose of processing
The type of personal data that may be processed, includes:
- image of subject being filmed, without automated mechanisms of identification of the person;
- other information from the video footage and related static images (e.g., location, date and time, movement, direction, vehicle number plae etc.);
The aforementioned personal data will be processed for purposes related to the protection of the company’s assets and, in particular, INWIT’s infrastructures and Radio Base Stations (SRBs), as well as for granting the security and continuity of the service. The legal basis for the processing is the legitimate interest of the Company, (pursuant to Article 6(1)(f) of the GDPR), represented by the need to safeguard its corporate assets, including in the context of the public service provided, which implies the need to ensure the security of the electronic communication network system.
Operational mode and logic of processing
Data processing is carried out through computer and telematic tools, with logic related to the above-mentioned purposes and, in any case, in such a way as to ensure the security and confidentiality of the data.
In case of an indoor system, the video surveillance area includes the access door to the premises and equipment. In case of outdoor systems, the video-surveillance area includes the access gates, site perimeter, premises and apparatuses.
Recording is activated only in case of alarms and motion in close proximity and within restricted access areas. The system is active 24 hours a day, 365 days a year.
Retention of personal data
Where the system provides for the retention of images, in application of the principle of proportionality, any temporary retention of data must also be commensurate with the time necessary – and predetermined – to achieve the intended purpose.
INWIT retains any personal data collected in accordance with the principles of minimization and limitation of retention under Article 5(1)(c) and (e) of the GDPR. Specifically, as a rule, the retention period for video surveillance images is a maximum of 7 days from recording. At the end of this period, the images and personal data will be permanently deleted by automatic override. In any case, the Data Controller reserves the right to retain personal data for as long as is necessary to fulfil the legal obligations to which it is subject and meet legal defense requirements in court, out of court and in the phases preceding litigation.
Scope of communication and dissemination of data
Personal data are processed by INWIT employees, in their capacity as authorized personal data processors, who have received, in this regard, appropriate operational instructions.
In addition to the employees of INWIT S.p.A., some processing of personal data may also be carried out by the Security Operations Center (SOC); by the systems operator company upon request or for maintenance and testing needs; and by additional third parties to whom INWIT S.p.A. itself entrusts the activities (or part of them) related to the purposes set out in point 2) above, in their capacity as Data Processors, pursuant to Article 28 of Regulation (EU) 2016/679, or as autonomous data controllers. The data may also be processed by the Judicial Authority and the police in case of a specific request for investigative needs aimed at the detection of illegal activities.
Data subjects’ rights
We inform you that as a data subject you have the right to lodge a complaint to the Garante, for the rights listed below, which you may assert by addressing a specific request to the Data Controller.
In particular, you may exercise the following rights:
Art. 15 – Access – you have the right to obtain from the data controller confirmation as to whether or not personal data concerning you are being processed and if so, to obtain access to the personal data and information regarding the processing.
Article 16 – Rectification – you have the right to obtain from the data controller the rectification of inaccurate personal data concerning you without undue delay. Taking into account the purposes of the processing, you may also obtain the integration of incomplete personal data, including by providing a supplementary declaration.
Art. 17 – Right to be forgotten – you have the right to obtain from the data controller the deletion of personal data concerning you without undue delay, and the data controller has the obligation to delete your personal data without undue delay.
Article 18 – Right to limitation of processing – you have the right to obtain from the data controller the limitation of processing when specific cases occur.
We inform you that the Data Controller undertakes to respond to your requests at the latest within one month after receipt of the request. This deadline may be extended by two months if necessary, taking into account the complexity or number of requests received.
These rights can be exercised by means of a specific request to be addressed by registered mail to the Data Controller or by e-mail to: firstname.lastname@example.org