Data protection policy

Expandi Limited is made of a group of agencies specialized in the consulting, planning and implementation of marketing activities for large and medium size companies in the B2B sector.

Expandi Limited in the context of its activities collects and manages all personal data related with data subjects in accordance with national and European data protection regulations. Expandi Limited uses the data of the interested parties for purposes of its services and products delivered on the territory of the European Union.

Applicability

Recipients subjects of this policy are all actors involved in data processing. In particular, the following categories are strongly advised to submit this policy:

  • a) Internal staff of Expandi Ltd "your", as appropriate); and
  • b) Thirds parties that have a role of suppliers of goods and services
  • c) Data subjects
  • d) Public authority
  • e) Category associations

National and international regulation

Expandi Ltd as a company having its registered office in a Member State of the European Union is subject to the following regulation: EU regulation 2016/679

Definitions

  • Data subjects: Any physical person interested in data processing
  • Data controller: Legal entity or physical person determining the modalities, purposes and limitations of data processing.
  • Data processor: Legal entity or physical person who is appointed by formal contract to carry out treatment activities by name and title.
  • Data protection officer: Control body for compliance with the data protection regulation within the company and contact point for the guarantor authority
  • Personal Data: Any information that could be used to identify a physical person or that could be directly or indirectly linked to the physical person.
  • Consent: Authorization granted by the interested party to the treatment after being duly informed
  • A security incident involving personal data: Any incident involving a loss of availability, integrity or confidentiality of the personal data of the parties concerned.

Roles and responsibility

Expandi Ltd, in order to ensure the protection of the personal data of the persons concerned, it has adopted an internal scheme designed to define its roles and responsibilities.

Data controller: Data controller is EXPANDI LTD.

Data protection officer: The data protection officer may be contacted sending an email to dpo@expandigroup.com.

Consent and choice

This section contains the internal Expandi Ltd standard for managing and collecting consent to treatment.

Consent to treatment

Expandi Ltd undertakes to provide the data subject with the information in the most comprehensive, exhaustive and practicable way possible. Expandi Ltd is committed, in the case of oral consent, to provide a copy of the notice to the email contact provided by the interested party.

Any data subjects can at any time, in accordance with the provisions of the current legislation, revoke the consent to treatment by sending an email to dpo@expandigroup.com

All employees and third parties acting on behalf of Expandi Ltd must therefore:

  • Verify wherever possible the identity of the interested person;
  • Request parent's consent if the interested person is less than 16 years of age;
  • Provide the information prepared by the company before starting any data treatment activities;
  • Collect and record the consent obtained in verbal form;
  • Inform those interested about the treatment of their rights and the procedures for exercising such rights;
  • Communicate to Expandi Ltd promptly through the appropriate instruments the withdrawal of consent by the interested party.
Freedom of Choice

Expandi Ltd undertakes to limit processing activities to the minor possible number and to respond to any legitimate request for data from the interested parties. In order to preserve rights and freedoms of the individuals Expandi Ltd orders:

  • All information shall give details of how the interested persons may exercise their rights;
  • All requests from interested parties concerning the exercise of one or more rights under the applicable law shall be verified no later than one month after receipt by the data controller or the data processor;
  • All those concerned with the treatment are given the right to choose whether or not to transmit their data to non-EU countries;
  • All those concerned with the treatment are informed about the use of profiling tools and automated processing on the data they have provided.

Purpose of the treatment

Lawful purposes

Expandi Ltd, without prejudice to the provisions of European Data Protection Law, undertakes to pursue only and exclusively legitimate purposes in the processing of personal data. Expandi Ltd therefore orders:

  • a) Any purpose of the data processing shall include the request of consent by the interested.
  • b) The purpose of the treatment is to be set out in the clearest and most comprehensible manner by the interested person and in his language of common use.
Purposes description

Expandi Ltd subject to the provisions of European data protection legislation, undertakes to describe the purposes of the treatment in the most complete and comprehensible form for all persons interested in the treatment.

Any updating of whole or part of the information given to the data subject of the treatment must be communicated in the most appropriate manner to the interested parties.

Limitations to data collection

Expandi Ltd undertakes to collect only the appropriate, relevant and strictly necessary data for related purposes according to the principle of data minimization.

Expandi Ltd it undertakes to collect sensitive data (such as genetic data, health data, biometric data) only with express permission from the party concerned.

Expandi Ltd undertakes to collect personal data of the data subjects under the age of 16 only if expressly authorized by the holder of the parent's liability.

Data minimization

Expandi Ltd according with the European law on privacy by default, adopts the principle of "minimizing the data", while processing data subject’s. This principle is structured in the following technical and organizational measures.

  1. “Need to know privilege”
    Users will have access only to data that match their authorization level. This will enable users to perform only a defined range of activities related to their business role.
  2. Collection limitation
    Expandi Ltd collects as few as possible personal data and only those strictly necessary for the purposes of the specific treatment.
  3. Data erasure
    All personal data and copies that are no longer required for the purpose of the processing will be canceled according to the data retention period declared in the information. Except as stated in the previous paragraph, Expandi Ltd has set a maximum retention period for personal data according to the following parameters:
    • a) Any purpose of the data processing shall include the request of consent by the interested.
    • b) Sensitive data (health data, genetic data, biometric data): 5 years.

    This timeline remains indicative as some categories of data for certain treatments may have specific legislative obligations in terms of data retention.

  4. Data dissemination
    The dissemination of personal data of the individuals between partners, employees and customers is deprecated and forbidden. The company authorizes the transmission of the personal data of the data subjects only to those categories of recipients indicated at the time of the collection of consent. The dissemination of personal data should reflect the company's internal policies regarding the transfer of personal data, defined as “Information Transfer Policy”.
  5. Securing databases using cryptography
    All databases containing personal data must provide data encryption by default using encryption algorithms.
  6. Mobile devices cryptography
    All mobile devices (Laptop and smartphones) on which they reside, transit or are carried out processing operations on the personal data of the data subjects, must be protected by the use of encryption solutions.

Limitations on data use, storage and divulgation

General limitations

All employees who share personal information receive proper instructions on how to treat the personal data and business devices with which they process the data.

It is forbidden to:
  • a) Store copies of the data subject’s personal data on personal devices;
  • b) Store copies of the data subject’s personal data on private-cloud;
  • c) Utilize unprotected USB devices for personal data transfers (especially sensitive data);
  • d) Communicate data subject’s personal data to unauthorized personnel;
  • e) Utilize personal data communication tools unauthorized by Expandi Ltd.
It is recommended to:
  • a) Utilize the personal data of the data subjects solely and exclusively for the purposes agreed with them;
  • b) Periodically check the correct use of the personal data of the data subjects by suppliers, partners and third parties in general;
  • c) Utilize only and exclusively the secure communication tools prepared by the company for the transfer of data to third parties;
  • d) Safely destroy all material copies of the data (paper support) at the end of processing activities or alternatively at the end of the retention period of personal data.
  • e) Safeguard all paper copies of personal data in secure archives;
  • f) Ensure that all personal data of the data subjects are being deleted from all digital archives at the end of the conservation period agreed at the time the consent is collected;
Temporary files safe cancellation

All temporary files and documents that may contain personal data must be deleted at the end of the agreed conservation period when the consent is collected. In this regard, all information systems and applications must have a "garbage collection" procedure in order to prevent the personal data of the data subjects from being inadvertently available in unallocated memory areas.

Data processor notifications

All those responsible for the treatment, both internal and external to the company, must notify the data controller of the disclosure of personal data to third parties.

Notifications content could be:
  • a) Requests for access to data by the judicial authority
  • b) Requests for access to data by public administration.

Expandi Ltd contractually binds all data processors both internal and external to such obligations. For further details, see standard contract attachment “Data protection requirements”.

Records of access to personal data

The data processor of internal and external processing must maintain and update a third-party access data record. For third parties it is meant:

  • a) Public administration
  • b) Law enforcers
  • c) Third parties audit

Within the register the data processor is required to register:

  • a) Date
  • b) Name of the personnel that accessed to personal data
  • c) Personal data access purposes

Expandi Ltd contractually binds all data processors both internal and external to such obligations. For further details, see standard contract attachment “Data protection requirements”.

Use notification of subcontractors by the data processor

The external data processor, appointed by the data controller must communicate to the former the use of companies under subcontracting for the execution of processing activities. The data processor must inform the data controller of the use of subcontracting companies prior to the start of treatment activities.

Expandi Ltd reserves the right to terminate the contract as a result of any change.

Any change by the data processor shall be notified promptly and he shall receive the appropriate authorization from the data controller before is possible to proceed with the appointment of a subcontractor.

The data processor undertakes to:
  • a) Submitting to the subcontracting company the security provisions prepared by the data controller.
  • b) Notify to the data controller the country in which the subcontractor performs his / her duties.

Accuracy and quality

Expandi Ltd in order to implement a system designed to determine the quality of personal data, establish the following:

  • a) All changes to personal data must be tracked and must report the author of the modification and the date;
  • b) Systems and methods of data collection must guarantee the completeness and accuracy of personal data;
  • c) The accuracy of personal data collected from sources outside the company must be checked before processing them.

Communications and transparency

Information

Expandi Ltd has prepared one or more information to collect the consent. Such information are in accordance with the applicable data protection legislation.

All employees are required to use only and exclusively the information provided by the company.

All consensus-gathering information are disclosed to the data subjects at the time of the approval of the consensus.

All information provided by the company are available to the public at the company's websites and easily reachable by the data subjects.

All information related to data processing are provided by the company at the headquarters and at the branch offices.

Copies of the information are delivered electronically to all those who have given their consent to the data processing via telephone. A track of effective reporting is maintained at company systems throughout the duration of the treatment.

Transparency

Expandi Ltd, in order to facilitate the exercise of the rights of the data subjects, has prepared a set of appropriate procedures and communicates the existence of the rights to them at the time of the collection of the consent.

Data subjects rights

Right of access

Expandi Ltd in order to guarantee the right of access to personal data by the data subjects, as provided by the legislation in force in Article 15 of EU Regulation 2016/679, has prepared the following procedure:

www.expandigroup.com/contactprivacy.html

Expandi Ltd provides to set clear the modalities of exercising this right at the moment of the consensus collection to all data subjects.

Data rectification

Expandi Ltd in order to guarantee the right of rectification of personal data by data subjects, as provided for by the regulations in force in article 16 of EU regulation 2016/679, has prepared the following procedure:

Send an email to dpo@expandigroup.com

Expandi Ltd provides to set clear the modalities of exercising this right at the moment of the consensus collection to all data subjects.

Right to data erasure

Expandi Ltd in order to guarantee the right of personal data to be deleted by the data subjects, as provided for by the regulations in force in Article 17 of the EU 2016/679 Regulation, the following procedure has been prepared:

Send an email to dpo@expandigroup.com

Expandi Ltd provides to set clear the modalities of exercising this right at the moment of the consensus collection to all data subjects.

Right to treatment limitation

Expandi Ltd in order to guarantee the right to limit the processing by the interested parties, as required by the legislation in force in Article 18 of the EU 2016/679 Regulation, has prepared the following procedure:

Send an email to dpo@expandigroup.com

Expandi Ltd provides to set clear the modalities of exercising this right at the moment of the consensus collection to all data subjects.

Right to portability

Expandi Ltd in order to guarantee the right to portability, as required by the legislation in force in Article 68 of the EU 2016/679 Regulation, has prepared the following procedure:

Send an email to dpo@expandigroup.com

Expandi Ltd provides to set clear the modalities of exercising this right at the moment of the consensus collection to all data subjects.

Requests and complaints management

Expandi Ltd in order to promptly and fully satisfy the complaints and requests from data subjects about the methods of exercising their rights, it has established an internal complaints management process.

All data subjects will be able to express complaints or requests by contacting dpo@expandigroup.com

Expandi Ltd undertakes to comply with the deadline established by law of 30 days to respond to the data subjects. This deadline may eventually be increased to 90 days upon communication to the data subjects in the first thirty days.

Expandi Ltd provides to set clear the modality access to this service at the moment of the consensus collection to all interested parties.

Responsibility

Expandi Ltd in order to ensure compliance with the current legislation on the protection of personal data, it has defined a pattern of internal responsibility towards data protection and management.

Governance model

Expandi Ltd has appointed an internal person responsible for the protection of personal data. This figure will be responsible for managing, coordinating and updating the entire data processing process, ensuring compliance with the current legislation, through the various company functions.

Data protection impact assessment

Expandi Ltd undertakes to perform and review every three years, in accordance with articles 35-36 EU regulation 2016/679 data protection impact assessments in the cases provided by the law.

Impact assessment will produce those outcomes:

  • a) Identification of risks for the data subject;
  • b) The definition of security measures for the specific treatment.

Expandi Ltd at the request of the guaranteeing authority, undertakes to provide the said authority with a copy of the assessments carried out.

For further details on how to conduct an impact assessment on data protection, please contact the person responsible for the protection of personal data at dpo@expandigroup.com.

Security requirements for third parties and external processors

Expandi Ltd undertakes to guarantee the data subject the same level of security even when such data is processed on behalf of the company by third parties.

In this regard, Expandi Ltd has prepared a contractual attachment called "Requirements for the protection of personal data".

Expandi Ltd undertakes to demand the signing of this contractual annex to all third parties involved in data processing.

Expandi Ltd also reserves the right to carry out checks on the third parties who are signatories to the annex.

Internal controls

Expandi Ltd in order to verify the compliance of the various business functions with this policy and in accordance with the provisions of art. 37-39 of EU Regulation 2016/679, has appointed a Person in charge of the Protection of Personal Data (DPO).

The data protection officer will have the following tasks and responsibilities:

  • a) Monitor the company's compliance with the EU regulation on data protection;
  • b) To act as a point of contact with the guarantor authority and the public administration;
  • c) Expressing opinions on data protection impact assessments;
  • d) Promote a company culture regarding the protection of personal data.
Education and awareness

Expandi Ltd undertakes to promote a company culture sensitive to the issue of personal data protection. Expandi Ltd believes that the training of personnel on these issues is fundamental and therefore has prepared special training modules for all employees who are preparing to take up employment with the company. This formation is available to all Expandi Ltd personnel.

Personal data security report

The data protection officer, in order to guarantee an adequate level of information about the protection of personal data, will provide an annual report on the security of personal data to the board of directors of Expandi Ltd.

Data protection regulation compliance

Records of data processing

Expandi Ltd in accordance with the art. 30 of EU regulation 2016/679, maintains and updates a register of processing activities.

The register contains:

  • a) Data controller;
  • b) Data processor;
  • c) Data subjects categories;
  • d) Categories of data provided by data subjects;
  • e) Any data transfers outside the EU;
  • f) Data processing activities;
  • g) Purpose of the processing;
  • h) DPO;
  • i) Data retention time.

The responsibility for maintaining the registry is on Country Privacy Officer.

Security incidents register

Expandi Ltd in accordance with article 33 par 3 paragraph 5 of EU regulation 2016/679, maintains and updates a record of security incidents involving the personal data of the data subjects.

Life cycle of the security incident

Expandi Ltd in order to guarantee the individual freedom of those involved, manages the life cycle of security incidents involving personal data. This process therefore requires constant monitoring of the vulnerabilities and potential effects of security incidents on personal data.

In this regard, Expandi Ltd reserves the right to notify the incident also at a later stage in regard to the detection of the incident following the changes in the security measures or potential impact for the interested parties.

Security incidents and notification

Should a security incident occur involving the personal data of the data subjects, Expandi Ltd undertakes to respond promptly in order to guarantee the individual rights and liberties of the data subjects pursuant to art. 32-34 of the EU 2016/679 regulation.

  1. Modality of notification to data subjects
    Expandi Ltd depending on the nature of the accident, could inform all those affected that the security incident occurred. The methods of communication of the incident could vary depending on the nature of the incident and the number of data subjects involved.
  2. Notification to the national guarantor
    Expandi Ltd will provide, depending on the severity of the incidents occurred, adequate notification to the national privacy guarantor no later than 72 hours from the time the accident was detected.
  3. Data transfers outside EU borders
    Expandi Ltd in accordance with art. 44-49 of EU Regulation 2016/679 prohibits the transfer of personal data of European citizens outside the borders of the Union.

    4. Expandi Ltd undertakes to request formal authorization from data subjects before processing the transfer of data abroad. Expandi Ltd undertakes to transmit such data through secure communication channels and to carefully select any foreign third parties that will be involved in data processing activities.