Expandi Limited is made of a group of agencies specialized in the consulting, planning and implementation of marketing activities for large and medium size companies in the B2B sector.
Expandi Limited in the context of its activities collects and manages all personal data related with data subjects in accordance with national and European data protection regulations. Expandi Limited uses the data of the interested parties for purposes of its services and products delivered on the territory of the European Union.
Recipients subjects of this policy are all actors involved in data processing. In particular, the following categories are strongly advised to submit this policy:
Expandi Ltd as a company having its registered office in a Member State of the European Union is subject to the following regulation: EU regulation 2016/679
Expandi Ltd, in order to ensure the protection of the personal data of the persons concerned, it has adopted an internal scheme designed to define its roles and responsibilities.
Data controller: Data controller is EXPANDI LTD.
Data protection officer: The data protection officer may be contacted sending an email to dpo@expandigroup.com.
This section contains the internal Expandi Ltd standard for managing and collecting consent to treatment.
Expandi Ltd undertakes to provide the data subject with the information in the most comprehensive, exhaustive and practicable way possible. Expandi Ltd is committed, in the case of oral consent, to provide a copy of the notice to the email contact provided by the interested party.
Any data subjects can at any time, in accordance with the provisions of the current legislation, revoke the consent to treatment by sending an email to dpo@expandigroup.com
All employees and third parties acting on behalf of Expandi Ltd must therefore:
Expandi Ltd undertakes to limit processing activities to the minor possible number and to respond to any legitimate request for data from the interested parties. In order to preserve rights and freedoms of the individuals Expandi Ltd orders:
Expandi Ltd, without prejudice to the provisions of European Data Protection Law, undertakes to pursue only and exclusively legitimate purposes in the processing of personal data. Expandi Ltd therefore orders:
Expandi Ltd subject to the provisions of European data protection legislation, undertakes to describe the purposes of the treatment in the most complete and comprehensible form for all persons interested in the treatment.
Any updating of whole or part of the information given to the data subject of the treatment must be communicated in the most appropriate manner to the interested parties.
Expandi Ltd undertakes to collect only the appropriate, relevant and strictly necessary data for related purposes according to the principle of data minimization.
Expandi Ltd it undertakes to collect sensitive data (such as genetic data, health data, biometric data) only with express permission from the party concerned.
Expandi Ltd undertakes to collect personal data of the data subjects under the age of 16 only if expressly authorized by the holder of the parent's liability.
Expandi Ltd according with the European law on privacy by default, adopts the principle of "minimizing the data", while processing data subject’s. This principle is structured in the following technical and organizational measures.
This timeline remains indicative as some categories of data for certain treatments may have specific legislative obligations in terms of data retention.
All employees who share personal information receive proper instructions on how to treat the personal data and business devices with which they process the data.
All temporary files and documents that may contain personal data must be deleted at the end of the agreed conservation period when the consent is collected. In this regard, all information systems and applications must have a "garbage collection" procedure in order to prevent the personal data of the data subjects from being inadvertently available in unallocated memory areas.
All those responsible for the treatment, both internal and external to the company, must notify the data controller of the disclosure of personal data to third parties.
Expandi Ltd contractually binds all data processors both internal and external to such obligations. For further details, see standard contract attachment “Data protection requirements”.
The data processor of internal and external processing must maintain and update a third-party access data record. For third parties it is meant:
Within the register the data processor is required to register:
Expandi Ltd contractually binds all data processors both internal and external to such obligations. For further details, see standard contract attachment “Data protection requirements”.
The external data processor, appointed by the data controller must communicate to the former the use of companies under subcontracting for the execution of processing activities. The data processor must inform the data controller of the use of subcontracting companies prior to the start of treatment activities.
Expandi Ltd reserves the right to terminate the contract as a result of any change.
Any change by the data processor shall be notified promptly and he shall receive the appropriate authorization from the data controller before is possible to proceed with the appointment of a subcontractor.
Expandi Ltd in order to implement a system designed to determine the quality of personal data, establish the following:
Expandi Ltd has prepared one or more information to collect the consent. Such information are in accordance with the applicable data protection legislation.
All employees are required to use only and exclusively the information provided by the company.
All consensus-gathering information are disclosed to the data subjects at the time of the approval of the consensus.
All information provided by the company are available to the public at the company's websites and easily reachable by the data subjects.
All information related to data processing are provided by the company at the headquarters and at the branch offices.
Copies of the information are delivered electronically to all those who have given their consent to the data processing via telephone. A track of effective reporting is maintained at company systems throughout the duration of the treatment.
Expandi Ltd, in order to facilitate the exercise of the rights of the data subjects, has prepared a set of appropriate procedures and communicates the existence of the rights to them at the time of the collection of the consent.
Expandi Ltd in order to guarantee the right of access to personal data by the data subjects, as provided by the legislation in force in Article 15 of EU Regulation 2016/679, has prepared the following procedure:
www.expandigroup.com/contactprivacy.html
Expandi Ltd provides to set clear the modalities of exercising this right at the moment of the consensus collection to all data subjects.
Expandi Ltd in order to guarantee the right of rectification of personal data by data subjects, as provided for by the regulations in force in article 16 of EU regulation 2016/679, has prepared the following procedure:
Send an email to dpo@expandigroup.com
Expandi Ltd provides to set clear the modalities of exercising this right at the moment of the consensus collection to all data subjects.
Expandi Ltd in order to guarantee the right of personal data to be deleted by the data subjects, as provided for by the regulations in force in Article 17 of the EU 2016/679 Regulation, the following procedure has been prepared:
Send an email to dpo@expandigroup.com
Expandi Ltd provides to set clear the modalities of exercising this right at the moment of the consensus collection to all data subjects.
Expandi Ltd in order to guarantee the right to limit the processing by the interested parties, as required by the legislation in force in Article 18 of the EU 2016/679 Regulation, has prepared the following procedure:
Send an email to dpo@expandigroup.com
Expandi Ltd provides to set clear the modalities of exercising this right at the moment of the consensus collection to all data subjects.
Expandi Ltd in order to guarantee the right to portability, as required by the legislation in force in Article 68 of the EU 2016/679 Regulation, has prepared the following procedure:
Send an email to dpo@expandigroup.com
Expandi Ltd provides to set clear the modalities of exercising this right at the moment of the consensus collection to all data subjects.
Expandi Ltd in order to promptly and fully satisfy the complaints and requests from data subjects about the methods of exercising their rights, it has established an internal complaints management process.
All data subjects will be able to express complaints or requests by contacting dpo@expandigroup.com
Expandi Ltd undertakes to comply with the deadline established by law of 30 days to respond to the data subjects. This deadline may eventually be increased to 90 days upon communication to the data subjects in the first thirty days.
Expandi Ltd provides to set clear the modality access to this service at the moment of the consensus collection to all interested parties.
Expandi Ltd in order to ensure compliance with the current legislation on the protection of personal data, it has defined a pattern of internal responsibility towards data protection and management.
Expandi Ltd has appointed an internal person responsible for the protection of personal data. This figure will be responsible for managing, coordinating and updating the entire data processing process, ensuring compliance with the current legislation, through the various company functions.
Expandi Ltd undertakes to perform and review every three years, in accordance with articles 35-36 EU regulation 2016/679 data protection impact assessments in the cases provided by the law.
Impact assessment will produce those outcomes:
Expandi Ltd at the request of the guaranteeing authority, undertakes to provide the said authority with a copy of the assessments carried out.
For further details on how to conduct an impact assessment on data protection, please contact the person responsible for the protection of personal data at dpo@expandigroup.com.
Expandi Ltd undertakes to guarantee the data subject the same level of security even when such data is processed on behalf of the company by third parties.
In this regard, Expandi Ltd has prepared a contractual attachment called "Requirements for the protection of personal data".
Expandi Ltd undertakes to demand the signing of this contractual annex to all third parties involved in data processing.
Expandi Ltd also reserves the right to carry out checks on the third parties who are signatories to the annex.
Expandi Ltd in order to verify the compliance of the various business functions with this policy and in accordance with the provisions of art. 37-39 of EU Regulation 2016/679, has appointed a Person in charge of the Protection of Personal Data (DPO).
The data protection officer will have the following tasks and responsibilities:
Expandi Ltd undertakes to promote a company culture sensitive to the issue of personal data protection. Expandi Ltd believes that the training of personnel on these issues is fundamental and therefore has prepared special training modules for all employees who are preparing to take up employment with the company. This formation is available to all Expandi Ltd personnel.
The data protection officer, in order to guarantee an adequate level of information about the protection of personal data, will provide an annual report on the security of personal data to the board of directors of Expandi Ltd.
Expandi Ltd in accordance with the art. 30 of EU regulation 2016/679, maintains and updates a register of processing activities.
The register contains:
The responsibility for maintaining the registry is on Country Privacy Officer.
Expandi Ltd in accordance with article 33 par 3 paragraph 5 of EU regulation 2016/679, maintains and updates a record of security incidents involving the personal data of the data subjects.
Expandi Ltd in order to guarantee the individual freedom of those involved, manages the life cycle of security incidents involving personal data. This process therefore requires constant monitoring of the vulnerabilities and potential effects of security incidents on personal data.
In this regard, Expandi Ltd reserves the right to notify the incident also at a later stage in regard to the detection of the incident following the changes in the security measures or potential impact for the interested parties.
Should a security incident occur involving the personal data of the data subjects, Expandi Ltd undertakes to respond promptly in order to guarantee the individual rights and liberties of the data subjects pursuant to art. 32-34 of the EU 2016/679 regulation.
Expandi Ltd undertakes to request formal authorization from data subjects before processing the transfer of data abroad. Expandi Ltd undertakes to transmit such data through secure communication channels and to carefully select any foreign third parties that will be involved in data processing activities.