1. Scope of Corporate Policy on Data Protection
The data of Customers and Business Partners are an important competitive factor and they greatly contribute to the creation of Moto Morini's value (hereinafter also "The Company"); therefore the Company intends to protect these data from the risk of unauthorized access. In addition to this protection, Customers and Business Partners generally also expect a safe treatment of their data. Moto Morini, with this Corporate Policy, mainly based on the principles of European law, imposes uniform and universally applicable standards for the protection and security of personal data handling of Customers and Business Partners.
This Corporate Policy ensures an adequate level of data protection as required by the European Directive on the Protection of Personal Data and other national laws.
3. Validity and amendment of the Directive
This Corporate Policy is valid for all companies in Moto Morini Group, i.e. for Moto Morini Ltd. and all depending and affiliated companies, including their Associates. This Corporate Policy extends to any processing of personal data of Customers and Business Partners. This also includes the data of potential customers, suppliers and partners. This Policy also applies to legal persons, if the public law of the State of membership includes legal persons under the sphere of safeguard of the right to data protection.
Any amendment to this Policy shall be made solely by Moto Morini's Data Processing Manager.
Companies belonging to the Group shall follow the provisions of this Policy in their valid version. Only if this was to result in a worsening of the position of the person concerned, the version in force at the time of processing of his/her data applies.
4. Validity of Public Law
This Corporate Policy on data protection includes the principles of protection of personal data internationally accepted, id does not replace the existing public law, and it shall remain in force for the Company in any case except when it clashes with the current regulations of a Country where it is applied, in which case the Policy will be set aside in favour of the rules of that Country.
The obligations to statements deriving from public law for the processing of personal data must be observed.
5. Security of data processing
In order to guarantee data security, appropriate technical and organizational measures are implemented, also guaranteeing the protection of personal data from unauthorized access, processing or illegal distribution, as well as loss, alteration or destruction by mistake. They relate to the security of sensitive data in both electronic and in hard copy processing. These technical measures are updated along the way with the improvement of existing technologies, in accordance with the cost / result ratio.
6. Principles of personal data processing
The person concerned must be informed about the processing of his/her data. During data collection, the person concerned must be able to identify or be informed on the following:
The Person concerned must be informed about the optional nature of providing data for marketing purposes.
In addition to the provisions of corporate standards, and pursuant to the law in force in any single state, it is possible to apply additional or different requirements regarding the content and quantity of information to be provided to the persons concerned.
2. Obligation to the purposes
The processing of personal data shall only serve the purposes established before data collection. Any possible subsequent change is permitted to a limited extent and it may take place with the consent of the person concerned or under public law, as a result of contractual agreements with the person concerned.
3. Correctness and legality
The data belonging to the person concerned must be processed pursuant to current regulations. In the processing of personal data the right to privacy must be protected.
4. Objective correctness and actuality of data
Personal data must be stored and updated properly. To this end appropriate measures must be taken in order to ensure that data that for any reason whatsoever are not correct, will either be deleted, corrected or integrated.
5. Economy of data
Prior to the processing of personal data it is necessary to determine whether and to what extent these are necessary to achieve the purpose intended with the processing. If this is possible in order to reach the target and the work load is adequately correlated with the purpose intended, it is preferable to use anonymous or statistical data.
Except for contrary provisions of law, personal data cannot be stored as a reserve for potential future purposes. Data no longer needed shall be deleted, in compliance with applicable storage regulations.
6. Sensitive Data
Sensitive data may only be processed under certain conditions.
The processing of such data must be expressly allowed or required by the law of the State.
7. Need-to-Know Principle
Associates must have access to personal data only according to the Need-to-Know Principle. It is understood that the Associates shall have access to data only when necessary for their specific functions.
8. Automated individual decisions
Automatic processing of personal data - through which the person's concerned individual characteristics of sensitive nature or that may result harmful for the same (such as customer reliability etc.) are assessed - must meet special requirements: they cannot constitute the sole basis of decisions with negative consequences for the aforesaid Person concerned. In order to avoid errors a control by an Associate must be guaranteed. Moreover, the person concerned must be notified about the circumstances and the result of the automated individual decision and the opportunity to take a stand. All this, except for different and more restrictive laws.
7. Personal data transmission
For some corporate processes it is necessary to transmit personal data of Customers or Business Partners to third parties. If this does not happen on the basis of a legal obligation, it must be checked each time if this is against a sensitive interest of the person concerned. For the transmission of personal data to an entity outside Moto Morini, the requirements mentioned above must be complied with.
The transmission to State organizations or authorities, when required, must be based on laws relevant at that specific point in time.
In the case of transmission of data by a third party to the companies of Moto Morini Group it is necessary to guarantee that the data have been collected legally in order to be processed and / or used.
8. Telecommunications and Internet
The processing of personal data collected during telecommunications with the person concerned, must comply with this Corporate Policy and the law in force.
9. Data confidentiality
Personal data of Customers and Business Partners shall be processed confidentially; Associated are forbidden to collect, process or use these data without authorization and in particular when such use, collection or processing is not related to the functions of the aforementioned Associate.
10. Rights of the Person concerned
Any person concerned may assert the following rights, whose claim must be assigned without delay to the competent department.
1. The Person concerned may require information about which of his/her personal data, and from where and for which purpose, have been stored.
2. When personal information is transmitted to a third party, information on the identity of the recipient or categories of recipients must be provided.
3. In the event that personal data prove to be inaccurate or incomplete, the Person concerned may request their correction or integration.
4. The Person concerned is authorized to request the deletion of his/her data if the purpose of data processing is no longer current or the relevant deadlines have elapsed, or the legal basis of data processing data is missing or no longer applies.
5. The person concerned may object to the processing of personal data for purposes of direct advertising or market and opinion research; therefore the corresponding data must be made inaccessible for such purposes.
6. The person concerned has in general the right to object to the processing of his/her data and this must be taken into account if his/her sensitive interest, due to particular personal circumstances, outweighs the Data Processing Manager's interest. What above does not apply, if a rule of law binds to proceed to data processing in any case.
11. Data processing on behalf of third parties
In case of data processing on behalf of third parties, a service provider is put in charge of data processing, without any transfer of responsibility for the corresponding corporate procedure. In case of transmission of personal data within a processing procedure assigned to a third party (outsourced), the Client remains the Data Processing Manager. All rights of persons concerned must be asserted against him/her. Moreover, in assigning the order, the following rules shall be observed:
1. In choosing the Commission Agent it must be made sure that he/she can provide the necessary technical and organization requirements, as well as adequate security measures. The selection criteria must also comply with those of Moto Morini's Data Protection Manager.
2. The performance of data processing on behalf of third parties must be regulated in a written contract, stipulating the requirements of data protection and information security; such contract shall be drawn up so that Moto Morini's requirements and directives are complied with by the Commission Agent.
12. Eligibility of data processing
1. Data processing collected for the purposes of a contractual relation.
Personal data of the person concerned can be processed for the execution, preparation or compliance with the requirements necessary for the future stipulation of a contract. The measures of customer loyalty or advertising are not provided for in this context. The limitations expressed by the persons concerned must be taken into consideration if they were to be contacted in the pre-contractual stage.
2. Processing data for advertising purposes
The processing of personal data for advertising purposes is permitted, provided it is compatible with the purpose for which the data were originally collected and with the consent to advertising purposes by the person concerned.
If the person concerned refers to Moto Morini with a query, data processing to satisfy this request is still to be considered eligible.
In the event that the Person concerned should oppose the use of his/her data for advertising purposes, the processing of these data for this purpose is not permitted. All this, except for further severity imposed by the applicable law.
3. Consent to the processing of personal data
The processing of personal data may be authorized by consent of the person concerned. Changes to the purpose of data processing may also be authorized on the basis of the consent of the person concerned. Before granting his/her the consent, the person concerned must be informed pursuant to what provided for by this Corporate Policy. The consent form must be provided generally in writing or electronically. If it is verbal, it still must be documented according to applicable law.
4. Data processing on the basis of legal authorizations
The processing of personal data is permitted even when the laws of the corresponding State require or imply or allow the processing of such data.
The processing of personal data is also allowed when this is necessary to attain a Data Processing Manager's or third parties' justified interest. These terms usually mean interest of legal nature. The processing of personal data on the basis of a justified interest cannot be executed if in the specific case there is a doubt about whether the sensitive interests of the person concerned prevail on the interest of data processing.
13. Liability and sanctions
The Board of Directors and the Company's Executives, as in charge of data processing, are required to ensure compliance with legal requirements and criteria set out in the directives on data protection. The management tasks of the Executives include guaranteeing, in their own area of competence, through organization, personal and technical measures, the regular processing of data in accordance with the required principles of protection.
Any abuse in personal data processing or other breaches against the right to data protection are prosecuted in many States under criminal law too and they can lead to claims for damages. Possible violations for which individual Associates can be held responsible, generally involve labour penalties under the national law in force.
14. The Company's Data Protection Manager
The Company's Data Protection Manager, as a technically independent internal entity, checks on the compliance with national and international data protection regulations. He/she is responsible for the directives in the field of data protection and he/she checks their compliance, performing inspections and controls on the corresponding procedures. The Company's Data Protection Manager is appointed by the Board of Directors of Moto Morini Ltd.
The corresponding corporate and plant managements shall appoint a Coordinator to work alongside the Data Protection Manager. These Coordinators, who are the references for data protection at local level, may carry out controls and they must notify the contents of data protection directives to the Associates. The respective corporate managements are bound to assist the Company's Data Protection Manager.
The technical departments must inform the Data Protection Coordinators about any new processing of personal data. The Coordinators, in turn, are bound to promptly notify the Company's Data Protection Manager about any risks to data security. In case of data processing projects that may pose particular risks to the privacy of those concerned, the Company's Data Protection Manager shall be involved in it, prior to the start of the process of information processing. The above applies in particular to sensitive data.
The technical departments must ensure that their Associates are trained to the extent necessary to processing personal data. In the event of breaches of data protection regulations and of complaints, the Executives in charge are bound to inform in person and without delay the competent Coordinator or the Company's Data Protection Manager. Furthermore, any person concerned may contact at any time the Company's Data Protection Manager for suggestions, requests, and queries on information or complaints regarding the issue of data protection. These requests and complaints can be treated as confidential at the person's concerned request.
The Company's Data Protection Manager and its Associates may be contacted at the following addresses:
Mr. Fernando Sciascia, B.S.Eng.
via Beri n° 24, 27020 Trivolzio (PV)
Tel. +39 0382 193881
Fax +39 0382 930496