INFORMATION ON THE PERSONAL DATA PROCESSING
(Article 13 of EU Regulation 2016/679 - GDPR)
The data provided by the interested party for the performance of the employment relationship (hereinafter jointly "personal data") are processed by Hex Trust Italia Srl (hereinafter, "the Company"), with registered office in Corso Magenta 74, 20123 in Milan, as Data Controller. The interested party is informed by Hex Trust Italia Srl on the processing of his data that will be carried out, in compliance with the principle of prudence and responsibility ("accountability"). To this end, Hex Trust Italia Srl provides the information required by art. 13 paragraph 1 and art. 14 paragraph 1 of EU Regulation no. 2016/679 (hereinafter, “GDPR”), informing the interested party that his/her data will be processed according to the specifications indicated below. Likewise, it is specified that, pursuant to the aforementioned legislation, the interested party will be the recipient of an update regarding any change in the purposes of a new processing before proceeding with the same.
1. PROCESSING PURPOSE.
The Data Controller processes the personal data (hereinafter also "data") of the interested party (by way of example and not limited to: name, surname, address, telephone, e-mail, bank and payment details) for a legitimate interest. which constitutes the legal basis of the processing itself as it is attributable to a contractual relationship.
The information is not mandatory if:
- The processing concerns non-personal data, but anonymous data (aggregated data, statistics, etc.) or attributable to entities and, in any case, to legal persons or data to be used for exclusively personal and domestic purposes;
- The interested party already has the information;
- The communication of such information is impossible or associated with a disproportionate effort or is attributable to the jurisprudence of a European Union State to which the Data Controller belongs;
- Personal data must remain confidential due to secrecy obligations.
2. PROCESSING PURPOSE.
Your personal data is processed by Hex Trust for the following purposes:
A. Without your express consent – pursuant to art. 6 lett. b), e) GDPR) - for the following Service Purposes:
fulfilment of obligations established by law; by regulations; by community legislation (e.g. anti-money laundering law, which provides for customer profiling and various other obligations); by the Decree of the Ministry of Economy and Finance of 02/17/2022 (also "VASP Decree") which introduced the "Italian Register of Virtual Asset Suppliers" ("VASP Register") in relation to which it specified content, methods and frequency of transmission of information relating to the operations carried out as regulated by the Body of Agents and Mediators ("O.A.M."); execution of the activities necessary and strictly connected and instrumental to the management of contractual relationships (e.g., prevention of fraud also through tools identity verification).
B. Only subject to your specific and distinct consent (art. 7 GDPR) for the following Marketing Purposes:
- market research; commercial and promotional activities relating to products and services of Hex Trust and third-party companies to which personal data may be communicated and whose identity is knowable at the Data Controller's headquarters. Commercial and promotional communications may be conveyed using traditional tools (paper mail) or remote communication techniques, such as telephone, even without an operator, e-mail, IT applications (APP), reserved area, text messages, fax, WhatsApp, other social networks . The provision of data for this purpose is optional and the processing requires the consent of the interested party. The above to carry out profiling activities consisting in the identification of preferences, tastes, habits, needs and consumption choices and in the definition of the profile of the interested party, in order to improve the products or services offered and also satisfy the needs of the same. The consent given for the sending of commercial and promotional communications also extends to traditional contact methods.
3. INFORMATION TIMES.
If personal data is collected from the interested party:
- directly, the Information is provided prior to the relationship;
- not directly (pursuant to art. 14 of Regulation 2016/679), the information is provided no later than one month from collection or at the time of communication of the data to the interested party himself or to third parties appointed.
4. TREATMENT METHODS.
The data processing is carried out through the operations indicated in the art. 4 no. 2) of the GDPR, in particular: collection, recording, organisation, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of data. This excludes diffusion. The processing of personal data does not currently involve automated decision-making processes: if necessary, the Data Controller will specify this and indicate the logic of such decision-making processes and the expected consequences for the interested party. Personal data is subjected to paper and electronic processing.
5. SUBJECTS TO WHOM PERSONAL DATA MAY BE COMMUNICATED.
It is not necessary to specify the categories of personal data being processed when their collection is carried out without the intermediary of third parties delegated for this purpose by the Data Controller.
6. STORAGE OF PERSONAL DATA.
The Data Controller will process personal data for the time necessary to fulfil the aforementioned purposes and in any case for a period not exceeding 10 years from the termination of the relationship and no later than 2 years from the collection of data for the purposes referred to in point 2.B.
7. COMMUNICATION OF PERSONAL DATA TO THIRD PARTIES.
The Data Controller may communicate personal data - even abroad - to employees and collaborators of Hex Trust Italia Srl (as persons in charge and/or internal data processors and/or system administrators) or to third parties (as of independent data controllers or external data processors) for:
- contractual obligations, to external personnel and authorized employees;
- national and supranational regulatory obligations, communications to judicial authorities, to insurance companies;
- activities connected and instrumental to the execution of contractual obligations;
- commercial and promotional activities attributable to the services provided by the Owner or by Third Parties (if specific consent has been expressed).
8. UPDATED LIST OF THIRD PARTIES TO WHICH PERSONAL DATA SHALL BE COMMUNICATED.
The names of third parties to whom the data may be communicated are reported in a specific list updated by the Data Controller and available at the headquarters of Hex Trust Italia Srl.
9. PERSONAL DATA TRANSFER.
Personal data is stored on servers located outside the European Union. The Owner, if necessary, reserves the right to move the servers within the European Union. Having said this, the Data Controller hereby ensures that the transfer of non-EU data complies with the applicable legal provisions in light of the standard contractual clauses envisaged by the European Commission. In particular, in light of art. 49 of the GDPR, the Data Controller informs the Subject Interested in the Processing that a transfer of personal data to a third country or an international organization may be carried out in the absence of an adequacy decision pursuant to Article 45, paragraph 3, or of adequate guarantees pursuant to Article 46, including binding corporate rules, provided that the interested party has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the interested party due to the absence of an adequacy decision, in accordance with Guidelines no. 2/2018 on derogations from Article 49 pursuant to Regulation (EU) 2016/679 defined by the European Data Protection Board.
10. PERSONAL DATA PROVISION.
The Data Controller may communicate the data, without the need for express consent (art. 6 letter b) and c) of the GDPR), for the purposes referred to in the art. 2.A), as they are mandatory. In the absence of this, the Owner will not be able to guarantee the services referred to in the aforementioned art. 2.A). The provision of data for the purposes referred to in art. 2.B) is, however, optional. The interested party may, therefore, decide not to provide any data or to subsequently deny the possibility of processing data already provided: in this case, he/she will not be able to receive newsletters, commercial communications and advertising material relating to the Services offered by the Data Controller, while continuing to have right to the Services referred to in the art. 2.A).
11. AUTOMATED DECISION MAKING.
There is no automated decision making.
12. INTERESTED PARTY RIGHTS.
The interested party, pursuant to and for the purposes of art. 15 of the GDPR, you have the right to:
- Obtain confirmation of the existence of your data being processed, access to them and a copy of them;
- Obtain: updating, rectification, integration, cancellation ("right to be forgotten"), portability and limitation of data processing as well as the related communication to subjects to whom they have possibly been forwarded/transferred;
- Object, for legitimate reasons, to the processing of your personal data;
- Revoke, at any time, consent to the processing of your personal data;
- Submit a complaint to the Supervisory Authority.
The Data Controller undertakes to promptly communicate to the interested party any case of violation of their personal data which may present high risks connected to their rights and freedoms.
13. INTERESTED PARTY'S RIGHTS.
The interested party may, at any time, exercise the rights by also sending in an alternative way:
14. DATA CONTROLLER.
The Data Controller of personal data is Hex Trust Italia Srl, Corso Magenta 74 – 20123 Milan.