Personal Data Protection

Last content update: 04/12/2020

Introduction on the personal data processing policy notice

GDPR 2016/679 states (Articles 12, 13 and 14) that the data subject has the right to be informed by the data controller about the processing of her/his personal data, being provided with the following set of information:

  • contacts and identity of the controller as well as (when applicable) those of the data protection officer (DPO);
  • data subject’s rights of Articles 15 to 22 and 34, as well as the data subject’s right to lodge a complaint with a supervisory authority;
  • whether automated data processing is in place (e.g., profiling);
  • categories of personal data processed (especially when data are not collected directly from the data subject);
  • sources used to retrieve the subject’s personal data and if these sources are publicly accessible (clearly, when data are not collected directly from the data subject);
  • on which legal basis personal data are processed, detailing the legitimate interests of the controller if the data processing is based on Article 6, paragraph 1, letter f) or explicitly informing the data subject about her/his right to withdraw consent if data processing is based on Article 6, paragraph 1, letter a) or Article 9, paragraph 2, letter a) or explicitly stating if the data processing is a legal obligation or necessary for the execution of a contract (and, in case, if it is mandatory for the data subject to give her/his personal data, and what consequences may occur if she/he omits the requested communication);
  • aim and persons/entities to which personal data may be transferred or communicated;
  • for how long the personal data will be stored.

According to the above, the information provided to the data subject in the following is made of two parts: a “general” part (i.e., a part about all the information and details that are in common among all the different data processing flows in place at CRIT) that reports the information requested by the first and the second points, and an “addendum” customized for each data processing flow that reports the information requested by the subsequent points.


General notice

CRIT Srl (“CRIT” in the following) is the personal data controller and, according to the Articles 12, 13 and 14 of the European Regulation 2016/679 of the 27th of April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR” in the following, namely General Data Protection Regulation), informs on the following:

Personal data

means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Processing

means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Controller and data protection officer

Controller of the personal data is

CRIT Srl,
with headquarters in via Confine 2310, 41058 Vignola (MO),
phone: +39 059 776 865,
e-mail: gdpr@crit-research.it.

Data protection officer (DPO) is

Ing. Riccardo Masiero,
phone: +39 059 776 865,
e-mail: gdpr@crit-research.it.

Data subject’s rights

The data subject has the right to obtain from CRIT access to her/his personal data (Article 15), to be informed about them and their processing, as well as to obtain a copy of them (the administrative fee for any copies following the first one is 50 €). CRIT must answer a data subject’s request without unjustified delay, namely within one month from the request’s date. CRIT must use clear and plain language.

The data subject can request:

  • rectification of her/his personal data, if they are incorrect or incomplete (Article 16);
  • erasure of personal data (Article 17), unless purposes of public interest or public health, or scientific or historical research purposes, exist;
  • restriction of processing of personal data concerning the data subject or to object to such processing (Article 18).

erasures of personal data to each of the recipients to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort; in addition, CRIT must inform the data subject about those recipients if the data subject requests it (Article 19).

If the legal basis of the personal data processing is the data subject’s consent, the performance of a contract, or if the processing is carried out by automated means, the data subject has the right to data portability from CRIT to another controller (Article 20).

In particular, the data subject can, at any moment, object completely to the processing of her/his personal data, according to Article 21, unless the data processing is necessary for the accomplishment of a task of public interest.

The data subject, furthermore, has the right not to be subject to a decision based solely on automated processing, including profiling (Article 22), unless such procedure is necessary for the processing or finalization of a contract, is authorized by the European Commission or the Italian state or is based on the data subject’s explicit consent.

When a data breach occurs that poses high risks to the fundamental rights and freedoms of the data subject, the data subject has the right to be notified within 72 hours by CRIT about the data breach itself (Article 34), unless CRIT can prove that all the adequate technical and managerial techniques to protect the personal data have been used, if after the data breach CRIT takes all the necessary measures to avoid risks to the rights and freedoms of the data subjects, or such communication would involve disproportionate effort.

Finally, the data subject has the right to lodge a complaint with a supervisory authority (in Italy, one can refer to the Garante per la Protezione dei Dati Personali).

Accessibility to personal data and communication

The data subject can request access to her/his personal data, and exercise one or more of her/his GDPR rights as expressed in Articles 15 to 22 and 34, by downloading the dedicated form from the web site of the “Garante per la Protezione dei Dati Personali”, filling in the form, and e-mailing it as an attachment to CRIT (gdpr@crit-research.it).

In doing so, please include the “GDPR” acronym as a prefix of the e-mail subject (for example: “GDPR – request copy of personal data”). By using the buttons at the bottom of the page it is possible to open an e-mail form with the selected subject already typed.

If the Garante’s web site is not accessible to download the above form, it is possible to request it by e-mail directly from CRIT (gdpr@crit-research.it), always including the prefix “GDPR” in the e-mail’s subject (for example: “GDPR – request for the data accessibility form”). This same procedure can be followed for any kind of request or need for information that may concern the personal data processing done by CRIT.

Automated profiling

CRIT does not process personal data by means of tools for automated profiling.

Personal data storing tools

CRIT uses data storing tools located both in the company (file server installed in the headquarters) and in the cloud, the latter managed by European or US companies. Whilst European companies must be compliant with the GDPR, US companies must ensure an adequate level of protection according to the agreement (EU) 2016/1250 of the 12th of July 2016.

Specialized addendum for each data processing flow

In the following, all the identified personal data processing flows for the activities of CRIT are listed and explained. The flows are grouped according to the various types of interested data subjects. To view the detailed information of each flow, just click on it.

All Users

Collection and use of personal data by the company web site

Categories of processed data

CRIT collects and processes the following personal data:

  • IP addresses;
  • domain names of user computers that connect to the corporate web site;
  • URI (Uniform Resource Identifier) addresses of the requested resources;
  • time of the requests;
  • the method used to send a request to the server;
  • size of the file returned as response;
  • the numeric code that identifies the server’s response status (success, error, etc.);
  • further parameters that relate to the user’s operating system and technical environment.

Personal data sources

CRIT collected the above personal data directly from the data subject or via the transmission of information inherent to the used Internet communication protocols.

Processing legal basis

CRIT processes lawfully the above personal data according to the legitimate interests pursued by CRIT, see Article 6, paragraph 1, letter f) of the GDPR. These legitimate interests are the collection of subscriptions to CRIT’s events and activities on a voluntary basis and the processing of anonymized statistics that analyse user interests in the CRIT initiatives presented by the web site.

Data processing objective

CRIT processes the above personal data with the following objectives:

  • computing anonymous statistics on the use of the web site;
  • check the correct functioning of the web site;
  • infer user responsibilities in case of possible cybercrimes against the corporate web site;
  • records of user working profiles and subscriptions to CRIT events, initiatives and services.

Data processing recipients

CRIT can communicate the above personal data to:

  • postal police;
  • the same recipients listed for the data processing flows that relate to CRIT services, projects and events.

Period of data storage

The data used to retrieve anonymous statistics about the corporate web site use are deleted right after their computation.

Data given to CRIT by users on a voluntary basis to access the CRIT services are stored according to what is reported for the corresponding data flows.

Personal data collected whilst the user is navigating the web site are processed with automated means only for the period that is necessary to reach the objectives for which they have been collected.

Consent collection

Categories of processed data

CRIT collects and processes the following personal data:

  • personal data for identification (name, surname, home address, mail);
  • personal data for professional identification (name, surname, company contacts).

Personal data sources

CRIT collected the above personal data directly from the data subject.

Processing legal basis

CRIT processes lawfully the above personal data according to legal obligation, see Article 6, paragraph 1, letter c) and Article 7, paragraph 1) of the GDPR.

Data processing objective

CRIT processes the above personal data with the following objectives:

  • storing consents when required (i.e., usually to distribute via web sites, social networks or dedicated web portals, images and videos of the data subject participating in seminars, conferences and events related to technological and scientific dissemination).

Data processing recipients

CRIT can communicate the above personal data to:

  • public authorities for control purposes.

Period of data storage

CRIT will store the above personal data according to law, namely along the period that the corresponding personal data (i.e., those processed on the legal basis of the collected consent) will be retained.

Customers and Suppliers

Invoices delivery and reception

Categories of processed data

CRIT collects and processes the following personal data:

  • personal data for identification (name, surname, CF, CI, home address, mail, …);
  • personal data for professional identification (name, surname, company contacts).

Personal data sources

CRIT collected the above personal data directly from the data subject.

Processing legal basis

CRIT processes lawfully the above personal data for the performance of a contract, see Article 6, paragraph 1, letter b) of the GDPR.

Data processing objective

CRIT processes the above personal data with the following objectives:

  • payment of provided activities;
  • payment of requested activities.

Data processing recipients

CRIT can communicate the above personal data to:

  • personal data processors (accounting firms);
  • public authorities and controllers (Guardia di Finanza, postal police, …).

Period of data storage

CRIT will store the above personal data up to a maximum period of 10 years from the last contact with the data subject.

CRIT members, Members of the CRIT Supplier Network, Customers, Prospects and Leads

Services: storage of professional profiles, subscription to events and storage of corresponding material, surveys, submission of commercial offerings and pre-contract agreements

Categories of processed data

CRIT collects and processes the following personal data:

  • personal data for professional identification (name, surname, company contacts, event attendance, feedback on CRIT activities, …).

Personal data sources

CRIT collected the above personal data directly from the data subject.

Processing legal basis

CRIT processes lawfully the above personal data according to the legitimate interests pursued by CRIT, see Article 6, paragraph 1, letter f) of the GDPR. These legitimate interests are the performance of the CRIT’s core businesses such as the creation of company networks that can be realized by means of the exchange of professional contacts and the organization of events, including also the necessity to collect feedback on the provided services to improve them over time.

Data processing objective

CRIT processes the above personal data with the following objectives:

  • submission of commercial offering and pre-contract agreements (management of orders through credits);
  • networking;
  • collaborative activities (round tables, techno-tours, seminars, …);
  • information (CRIT update, …);
  • event management;
  • statistical analysis on CRIT activities and corresponding KPI (overall attendance to the organized events, level of satisfaction, scouting scores, …).

Data processing recipients

CRIT can communicate the above personal data to:

  • CRIT members;
  • customers;
  • suppliers;
  • members of the CRIT supplier network;
  • prospects;
  • leads;
  • event speakers.

Period of data storage

CRIT will store the above personal data up to a maximum period of 10 years from the last contact with the data subject. If the collected data are useful for statistical analysis (trend analysis on event attendance, computation of CRIT performance indices, report on past activities, …), these data are retained until the data subject objects to the corresponding processing, or until they are no longer useful for the above statistical analysis.

Projects: retrieval and storage of company registration certificates

Categories of processed data

CRIT collects and processes the following personal data:

  • personal data for identification (name, surname, CF, home address, mail);
  • personal data for professional identification (current job, …).

Personal data sources

CRIT collected the above personal data directly from the data subject and/or Public Administration (company registration certificates by “la Camera di Commercio”).

Processing legal basis

CRIT processes lawfully the above personal data according to the legitimate interests pursued by CRIT, see Article 6, paragraph 1, letter f) of the GDPR. These legitimate interests are the performance of the CRIT core business such as the writing and submission of project proposals about new technologies and innovation.

Data processing objective

CRIT processes the above personal data with the following objectives:

  • writing and submission of project proposals.

Data processing recipients

CRIT can communicate the above personal data to:

  • public administrations.

Period of data storage

CRIT will store the above personal data for 5 years from the project’s proposal submission.

Events: interview recording and photo shootings

Categories of processed data

CRIT collects and processes the following personal data:

  • photos, videos (not to be intended as biometric data since they are not processed via any specific technical means allowing the unique identification or authentication of natural persons).

Personal data sources

CRIT collected the above personal data directly from the data subject.

Processing legal basis

CRIT processes lawfully the above personal data according to the legitimate interests pursued by CRIT (see Article 6, paragraph 1, letter f) of the GDPR) or, if considered appropriate, even according to the data subject’s consent, see Article 9, paragraph 2, letter a) of the GDPR. Therefore, if you plan to attend one or more CRIT events and your consent is required, please fill in, sign and e-mail to CRIT the following form:

Download PDF


Data processing objective

CRIT processes the above personal data with the following objectives:

  • company communication (corporate web site, project web sites, annual report, …).

Data processing recipients

CRIT can communicate the above personal data to:

  • anyone (public web sites).

Period of data storage

CRIT will store the above personal data until the data subject will object to the corresponding processing, or, in any case, when there will be not the necessity anymore to use such data for the company communication.

CRIT Newsletter Subscriptions

Categories of processed data

CRIT collects and processes the following data:

  • personal data for professional identification (name, surname, company, company mail).

Personal data sources

CRIT collected the above personal data directly from the data subject and/or from his/her company.

Processing legal basis

CRIT processes lawfully the above personal data according to the legitimate interests pursued by CRIT, see Article 6, paragraph 1, letter f) of the GDPR. These legitimate interests are the performance of the CRIT core business such as the improvement of effective communications related to the services/activities realized for shareholders, suppliers and customers that want to be part of the CRIT networks.

Data processing objective

CRIT processes the above personal data with the following objectives:

  • (i) communication of collaboration opportunities, (ii) training and education and (iii) news related to innovation and new technologies.

Data processing recipients

CRIT can communicate the above personal data to:

  • the company of the data subject.

Period of data storage

CRIT will store the above personal data until the data subject will object to the corresponding processing, or, in any case, when there will be not the necessity anymore to use such data for the newsletter service.

Subscription to the CRIT video platform (KODE – Knowledge On DEmand)

Categories of processed data

CRIT collects and processes the following personal data:

  • personal data (name, surname, gender, age range);
  • personal data for professional identification (name, surname, company, company role, company mail, relationship with CRIT);
  • login/logout data (system log) and operation done with and/or through the KODE platform (i.e., content visualization).

Personal data sources

CRIT collected the above personal data directly from the data subject.

Automated profiling

The KODE platform (which is based on the THRON cloud solution) automatically links the platform’s profiled users with the description (tag) of the contents that the users view most. This allows CRIT to infer user interests and therefore implement mechanisms such as the “list of recommended contents”. Information about user interests is not, however, used by CRIT for marketing automation (e.g., automatic mail or notifications).

Processing legal basis

CRIT processes lawfully the above personal data according to the data subject’s consent, see Article 9, paragraph 2, letter a) of the GDPR.

Form to fill and send to CRIT to collect the consent to data processing:

Download PDF

Data processing objective

CRIT processes the above personal data with the following objectives:

  • authentication to the provided service;
  • customization of the service according to user interests;
  • company communication related to the KODE platform and corresponding contents.

Data processing recipients

CRIT can communicate the above personal data to:

  • the company of the data subject.

Period of data storage

CRIT will store the above personal data until the data subject will object to the corresponding processing, or, in any case, when there will be not the necessity anymore to use such data for the KODE video platform service.

External Users

Usability Tests

Categories of processed data

CRIT collects and processes the following personal data:

  • personal data (name, surname, gender, age, physical characteristics that are necessary for evaluating the test results, e.g., right hand/left hand);
  • biometric identification data (photos, videos).

Personal data sources

CRIT collected the above personal data directly from the data subject.

Processing legal basis

CRIT processes lawfully the above personal data according to the data subject’s consent, see Article 9, paragraph 2, letter a) of the GDPR.

Form to fill and send to CRIT to collect the consent to data processing:

Download PDF

Data processing objective

CRIT processes the above personal data with the following objectives:

  • analysis (not automated) and report about product usability.

Data processing recipients

CRIT can communicate the above personal data to:

  • the customer company that requests the service (………………………..).

Period of data storage

CRIT will store the above personal data until the data subject will object to the corresponding processing, or when requested by the customer company that requested the service.

Voluntary recruitment for future usability tests

Categories of processed data

CRIT collects and processes the following personal data:

  • personal data (name, surname, mail, phone number).

Personal data sources

CRIT collected the above personal data directly from the data subject.

Processing legal basis

CRIT processes lawfully the above personal data according to the data subject’s consent, see Article 9, paragraph 2, letter a) of the GDPR.

Form to fill and send to CRIT to collect the consent to data processing:

Download PDF

Data processing objective

CRIT processes the above personal data with the following objectives:

  • contact user databases for usability test recruitment.

Data processing recipients

CRIT will maintain the data stored in the company archives for the purposes of this information notice.

Period of data storage

CRIT will store the above personal data until the data subject objects to the corresponding processing, or earlier if the usability test service is discontinued.

Applicants

Storage of professional profiles

Categories of processed data

CRIT collects and processes the following personal data:

  • Curriculum Vitae;
  • personal data for identification (name, surname, CF, CI, home address, mail, …);
  • photographs, videos (not to be intended as biometric data since they are not processed via any specific technical means allowing the unique identification or authentication of natural persons).

Personal data sources

CRIT collected the above personal data directly from the data subject.

Processing legal basis

CRIT processes lawfully the above personal data according to the data subject’s consent, see Article 6, paragraph 1, letter a) and Article 9, paragraph 2, letter a) of the GDPR. Therefore, for job applications, please send to CRIT both your CV and the following form, filled and signed:

Download PDF

Data processing objective

CRIT processes the above personal data with the following objectives:

  • employee selection.

Data processing recipients

CRIT does not transmit the above personal data to third parties.

Period of data storage

CRIT will store the above personal data up to a maximum period of 10 years from their reception.

Alumni

Collection of Alumni profiles, networking and events

Categories of processed data

CRIT collects and processes the following personal data:

  • Curriculum Vitae;
  • personal data for identification (name, surname, CF, CI, home address, mail, personal mobile number…);
  • photographs, videos (not to be intended as biometric data since they are not processed via any specific technical means allowing the unique identification or authentication of natural persons).

Personal data sources

CRIT collected the above personal data directly from the data subject.

Processing legal basis

CRIT processes lawfully the above personal data according to the data subject’s consent, see Article 6, paragraph 1, letter a) and Article 9, paragraph 2, letter a) of the GDPR.

Therefore, if you want to join the CRIT Academy and you are at least 16 years old, please send to CRIT the following form, filled and signed:

Download PDF

If, instead, you are less than 16, please fill and send the following one (that must be signed by one of your parents):

Download PDF


Data processing objective

CRIT processes the above personal data with the following objectives:

  • employee selection;
  • company communication (web site, project web sites, annual reports, …);
  • newsletter on technological and innovation themes, as well as opportunities to get in direct contact with companies of the CRIT networks;
  • notification about job opportunities;
  • forwarding alumni contacts to CRIT members and members of the CRIT supplier network;
  • membership of the network “CRIT Alumni”.

Data processing recipients

CRIT can communicate the above personal data to:

  • anyone (concerning data that are made publicly available on web sites);
  • CRIT members and members of the CRIT supplier network (concerning data exchange related to job opportunities).

Period of data storage

CRIT will store the above personal data until the data subject objects to the corresponding processing, or, in any case, for as long as the “CRIT Academy” initiative continues to run.

Contact CRIT about personal data processing

The personal data processing flows identified in CRIT's activities are listed below (grouped according to the types of interested parties). Select the flow of interest to view the corresponding detail.
