Privacy Policy

DATA CONTROLLER

The Data Controller is:
Cereal Docks S.p.A. (hereinafter also “CONTROLLER”)
Via dell’Innovazione, n. 1, 36043 – Camisano Vicentino (VI)
Tel. +39 0444 419411
email: This email address is being protected from spambots. You need JavaScript enabled to view it.
Certified Electronic Mail: This email address is being protected from spambots. You need JavaScript enabled to view it.
VAT number and Tax Code: 02218040240

DATA PROTECTION OFFICER

The Data Protection Officer is:
TZ&A Studio Associato (hereinafter also "DPO”)
Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

Cereal Docks S.p.A. And other “Cereal Docks Group” companies have decided to avail themselves of the right established by art. 37, paragraph 2, of the GDPR for the shared designation of the same Data Protection Officer, who acts in synergy with the internal privacy team.

The DPO is domiciled c/o the CONTROLLER and may be contacted for any need related to the personal data processing of all the data subjects.

TEAM PRIVACY

The CONTROLLER has decided to appoint an internal “Privacy team” of persons with organisational, technical, and IT skills.

The Privacy team’s task is to support the activities of the CONTROLLER and DPO.

PARTIES AUTHORISED TO PROCESS DATA (pursuant to art. 29 GDPR)

The MOP envisages that each employee/collaborator of the CONTROLLER only processes data that is indispensable for his/her tasks, based on the internal organisation and, above all, the purposes indicated and proposed by the data subject (so-called principle to “purpose limitation and data minimisation”, art. 5 paragraph 1, letter b) and c) of the GDPR). For this purpose, processing has been segmented into uniform areas of processors, limiting employees/collaborators operating in each area to a specific processing area. Each authorised processor has received specific instructions on personal data processing from the CONTROLLER. For that purpose, the design of the IT system is “compartimentalised”. The employee/collaborator can only access data that is indispensable for their jobs from their IT position. The specific processing areas are designated after careful analysis of the structure and company organisation and of the flow of internal and external data to the Company. This is summed up in a specific internal matrix identifying the processing environment of each area.

The employee/collaborator has also been given internal regulations on the use of IT instruments and the rules of conduct, including ethical ones, on all information accessed due to his/her specific job.

To effectively guarantee adjustment to the personal data processing principles, the CONTROLLER has also envisaged training and updating courses on the subject for employees/collaborators who, due to their jobs, process personal data.

SYSTEM ADMINISTRATORS (INTERNAL AND EXTERNAL)

The CONTROLLER uses computer systems to manage and organise its activities. For that reason, CONTROLLER activities have always been based on care over the construction of software, how it is used, and data security. Parties with “administrator” privileges in the company are specifically appointed and trained. Even the other external specialised companies accessing company data are specifically appointed as External Processors and/or External System Administrators pursuant to art. 28 of the GDPR.

The suppliers or external computer services are chosen with care for their professional skills, not purely technical but also related to data protection, favouring certified companies.

• Right to be informed (data processing transparency)

The data subject has the right to be informed of how the CONTROLLER processes his/her personal data, for what purposes and on other information envisaged by art. 13 of the GDPR. For that purpose, the CONTROLLER has prepared organisational processes enabling, when the personal data are acquired or requested, an Information notice form created “ad hoc” to be issued based on the category the data subject belongs to (employee, customer, supplier, etc.). This document suitably notifies all subjects the data refer to on how the CONTROLLER conducts its processing. The information model may be requested with a specific request addressed to the CONTROLLER.

• Right to withdraw consent (art. 13)

You have the right to withdraw your consent at any time for all processing where the legitimacy assumption is a display of your consent. Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.

• Right to access data (art. 15)

You may request a) the purposes of the processing; b) the categories of personal data concerned; c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; f) the right to lodge a complaint with a supervisory authority; g) where the personal data are not collected from the data subject, any available information as to their source; h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. You have the right to obtain a copy of the personal data being processed.

• Right to rectification (art. 16)

You have the right to obtain rectification of inaccurate personal data concerning you and to have incomplete personal data completed.

• Right to be forgotten (art. 17)

You have the right to obtain erasure of the personal data concerning you from the controller if the data are no longer needed for the purpose for which they were collected or otherwise processed, if consent is withdrawn, if there is no other overriding legitimate grounds for the processing, if the personal data have been unlawfully processed, if there is a legal obligation to erase them; if the data refer to web services provided to minors without the relative consent. The erasure may take place unless the right to freedom of expression and information is prevalent, they are stored to fulfil a legal obligation or to perform a task in the public interest or exercising public powers, on grounds of public interest in the health sector, for filing purposes in the public interest, scientific or historical research or for statistical purposes or to ascertain, exercise or defend a right before the law.

• Right to restriction of processing (art. 18)

You have the right to ask the controller to limit processing when the accuracy of the personal data is contested (for a period enabling the controller to verify the accuracy of the personal data) or if processing is unlawful, but you oppose the erasure of the personal data and request the restriction of their use instead, or if they are needed by you to for the establishment, exercise or defence of legal claims, whereas they are no longer needed by the Controller.

• Right to data portability (art. 20)

You have the right to receive the personal data concerning you which you have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller if the processing is based on consent, on a contract and if processing is done automatically, unless the processing is needed to perform a task of public interest or is connected to the exercising of public powers, and that their transmission does not adversely affect the rights and freedoms of others.

• Right to object (art. 21)

You have the right, at any time, to fully or partially object to the processing of your personal data if that processing is performed to pursue a legitimate interest of the Controller or for direct marketing purposes.

• Right to lodge a complaint with a Supervisory Authority (art. 77).

Without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes this Regulation.