COMPANY POLICY ON PERSONAL DATA SECURITY

1. Introduction

This Policy has been drafted in compliance with Art. 24, paragraph 2, of Regulation (EU) no. 2016/679 (hereinafter referred to as the “Regulation”), which governs aspects relating to the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data. The Policy defines:
  • the general principles applicable to Trattoria da Fagilino S.a.s. di Diletta Innocenti &C. as Data Controller and the general measures adopted to comply with such principles;
  • the responsibilities and tasks of the functions acting on behalf of our company.
The Data Processor reviews the Policy at least annually and evaluates any changes to be made. Possible amendments deriving from:
  • organizational changes,
  • issuance or amendment of reference legislation (e.g. rulings by the Data Protection Authority)
are approved, upon proposal of the Data Processor, by the Legal Representative.

2. General principles and measures on the processing of personal data

The Policy identifies the main measures implemented by Trattoria da Fagilino S.a.s. di Diletta Innocenti &C. to ensure compliance with the general principles contained in the Regulation, with particular regard to:
  • lawfulness of processing;
  • data subject rights;
  • record of processing activities and data protection impact assessment;
  • security of processing;
  • management of “data breach” events.
In this regard, Trattoria da Fagilino S.a.s. di Diletta Innocenti &C.:
  1. adopts appropriate processes, tools, and controls to ensure full compliance with the general principles on personal data processing;
  2. ensures adequate information flows to and from responsible functions, control and operational structures;
  3. ensures the implementation of staff training activities on personal data protection, in order to guarantee compliance with applicable legislation by anyone carrying out personal data processing activities within the organizational structure under the authority of the Controller.
The processing of personal data of various categories of data subjects (e.g. clients, employees, suppliers) carried out by Trattoria da Fagilino S.a.s. di Diletta Innocenti &C. is based on the following principles:
  • lawfulness, fairness and transparency: personal data are collected and processed lawfully, fairly and in a transparent manner towards the data subject;
  • purpose limitation: personal data are collected and processed for specified, explicit, and legitimate purposes;
  • data minimization: personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • accuracy: personal data are kept accurate and up to date and reasonable measures are adopted to erase or rectify inaccurate or outdated data without delay;
  • storage limitation (“data retention”): personal data are kept for no longer than is necessary for the purposes for which they were collected;
  • integrity and confidentiality: personal data are processed in a manner that ensures adequate security, through the adoption of appropriate technical and organizational measures;
  • privacy by design and privacy by default: aspects relating to data protection must be taken into account from the design, implementation and configuration stages of all technologies used for processing operations. Trattoria da Fagilino S.a.s. di Diletta Innocenti &C. must, by default, only process data necessary to achieve the purposes of processing;
  • accountability: personal data processing is carried out in accordance with the above principles and compliance is adequately documented.
2.1. Lawfulness of processing

The processing of personal data within Trattoria da Fagilino S.a.s. di Diletta Innocenti &C. may only be carried out on the basis of one or more of the following conditions:
  • contract to which the data subject is a party;
  • legal obligation to which Trattoria da Fagilino S.a.s. di Diletta Innocenti &C. is subject;
  • protection of vital interests of the data subject;
  • explicit consent of the data subject;
  • pursuit of a legitimate interest of Trattoria da Fagilino S.a.s. di Diletta Innocenti &C.

2.1.2. Request for consent

Where the processing of personal data is based on the data subject’s consent, the collection of consent is carried out by written statement or, in particular cases characterized by lower risk, orally and documented in writing. Where the form used for obtaining consent also covers other matters, the consent request must be presented in a clearly distinguishable, understandable and easily accessible manner, using clear and simple language so that the data subject’s will is freely expressed. Consent can be withdrawn at any time and its withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

2.1.3. Legitimate interest

In some cases (e.g. direct marketing), Trattoria da Fagilino S.a.s. di Diletta Innocenti &C.’s procedures must provide that the processing of personal data may be carried out for the purpose of pursuing a legitimate interest of Trattoria da Fagilino S.a.s. di Diletta Innocenti &C. In compliance with the accountability principle, in such cases the procedures must provide that the assessment of the correct balance between the interests of Trattoria da Fagilino S.a.s. di Diletta Innocenti &C. and the rights of the data subject is adequately documented.

2.1.4. Data transfer abroad

The transfer of personal data to a third country (outside the European Union) or to an international organization may take place without specific authorizations only if the European Commission has decided that the third country or international organization ensures an adequate level of protection, based on several elements (including respect for human rights and fundamental freedoms, the existence and effective functioning of supervisory authorities).
In the absence of an adequacy decision, the company may transfer personal data only if it has provided appropriate safeguards and on condition that data subjects have enforceable rights and effective remedies.

2.2. Data subject rights

2.2.1. Processing information

In compliance with the principles of transparency, fairness, purpose limitation and data retention, procedures must provide that, at the time of data collection, data subjects are clearly informed about:
  • the identity of the Controller and the Data Processor;
  • the characteristics of the processing (e.g. its purposes and legal basis, the data retention period);
  • the rights of the data subject.
Where data have not been obtained directly from the data subject, the information must also indicate the source of the personal data and whether the data originate from publicly accessible sources.

2.2.2. Rights of access, rectification, erasure, portability and objection

Procedures must ensure compliance with the principles of accuracy and data retention, providing that each data subject has the right to obtain:
  1. confirmation as to whether or not personal data concerning them are being processed and information on the characteristics of the processing (e.g. purposes, categories of personal data, recipients, data subject rights);
  2. rectification of inaccurate personal data concerning them, as well as their completion where incomplete;
  3. erasure, where certain conditions apply, e.g. where the data are no longer necessary for the purposes for which they were collected, where the data subject has withdrawn consent or exercised the right to object to processing, or where the data have been unlawfully processed;
  4. portability of the personal data processed, in a structured, commonly used and machine-readable format, where processing is based on legitimate consent and carried out by automated means;
  5. cessation of processing where processing is carried out on the basis of the data subject’s consent.
Procedures must provide that, following each request, data subjects must be provided with the necessary information in a concise, accessible form using simple and clear language, within one month (extendable up to two months in cases of particular complexity), even in case of refusal.

2.3. Record of processing activities, risk analysis, impact assessment and prior consultation

Trattoria da Fagilino S.a.s. di Diletta Innocenti &C. must prepare and periodically update a “Record of processing activities” identifying the activities carried out as Controller or Processor. The Record constitutes the mapping of all processing activities performed and is updated periodically. The Record must be made available upon request to the Supervisory Authority. The Record is the basis to ensure compliance with the general principles established by the Regulation. In order to ensure the integrity and confidentiality of personal data, for each processing activity identified in the Record, a risk analysis is carried out. Where such analysis shows that the processing may entail a high risk to the rights and freedoms of data subjects, the procedures must provide for a Data Protection Impact Assessment (DPIA), after consultation with the Data Processor. In particular, the procedures must provide that, when assessing the need to carry out a DPIA on a given processing activity, account is taken of:
  1. the level of risk to the rights and freedoms of data subjects;
  2. whether the processing involves automated processing (including profiling);
  3. whether the processing is carried out on a large scale; or
  4. whether it may involve large-scale systematic monitoring of a publicly accessible area.
2.4. Security of processing

To ensure a level of data processing security appropriate to the risk, the procedures must define technical and organizational measures, taking into account the state of the art and implementation costs in relation to processing risks and the nature of personal data, in accordance with the principles of “privacy by design” and “privacy by default”. These measures may include:
  • pseudonymization and encryption of personal data;
  • confidentiality and integrity of processing systems and services ensured on a permanent basis;
  • mechanisms for testing and evaluating their effectiveness.
Taking into account the risks arising in particular from accidental or unlawful destruction, loss or alteration of personal data, the procedures must define security measures that can ensure an adequate level of personal data protection by default and in advance of the actual processing of the data.

2.5. Management of “data breach” events

In order to ensure compliance with the principles of integrity and confidentiality of personal data, where a security breach is identified, whether accidental or unlawful, resulting in destruction, loss, alteration, unauthorized disclosure or access to data compromising its confidentiality, availability or integrity, the procedures must ensure, with the involvement of the Data Processor, that notification to the Supervisory Authority takes place within 72 hours of detection of the breach. Such notification shall contain:
  • the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned;
  • the contact details of the Data Processor;
  • the likely consequences of the breach;
  • the measures taken or proposed to address the breach and mitigate its possible adverse effects.
Where notification is not made within 72 hours, the reasons for the delay must be indicated. In cases where the breach may result in a high risk to the rights and freedoms of data subjects, the procedures must provide that – after consultation with the Data Processor – data subjects are informed of the breach without undue delay. Such communication is not required if it would involve disproportionate effort or if appropriate technical and organizational measures have been adopted to protect the data (e.g. encryption). The procedures must establish that:
  1. the choice of communication method shall take into account the accessibility of data subjects to different formats, and, where necessary, the linguistic diversity of the recipients; and
  2. each personal data breach, suspected or confirmed, must be adequately recorded and documented in the breach register in order to ensure compliance with the accountability principle.
