1. PURPOSE OF THE DOCUMENT

This document aims to illustrate the privacy policies adopted by Ges.A.P. S.p.A. to design, define, set up and conduct a compliant management system for the processing of personal data carried out by the company both in its capacity as data controller and as data responsible officer. These policies serve the purpose of:

– demonstrating that the processing of personal data is carried out in compliance with the General Data Protection Regulation (hereinafter GDPR);
– establishing a basis for transmitting, communicating, sharing, monitoring, updating, reviewing and improving everything the Controller puts in place to ensure that the processing of personal data is carried out in accordance with the GDPR, including security. (Articles 24 and 32 GDPR)

2. DATA PROCESS CONTROLLER

a. DATA CONTROLLER

The data controller is Ges.A.P. S.p.A. (hereinafter Gesap), with registered office in Cinisi (PA) – 90045, VAT number 03244190827, C.C.I.A.A. PALERMO 128783. The legal representative is the Chairman of the Board of Directors pro tempore.

i. Governance

Gesap is an Italian public limited company managed by a Board of Directors composed of five members. Currently, the share capital, amounting to 66,850,026.85 euros, is mainly subscribed by public Shareholders at 98.59%; other territorial, economic and private entities also participate with minority shares.

ii. Business

Gesap's primary purpose is the concession management of the "Falcone Borsellino" International Airport of Palermo. This activity consists of the design, development and management of infrastructures for the operation of airport activities and commercial activities.

b. DATA PROTECTION OFFICER

Given the nature of the personal data processing it carries out, both as controller and as the person in charge of the treatment, Gesap does not belong to the obliged subjects referred to in letters a), b) and c) of the first paragraph of art. 37 of the GDPR.
However, as recommended by the "Guidelines on personal data protection officers", given that Gesap is almost wholly owned by public bodies and performs services of public interest, it has deemed it necessary to appoint the Personal Data Protection Officer. The Data Protection Officer (DPO) has been identified by Gesap among the internal figures of the Company, in the Head of the Legal and Legal Service, reachable at the following contact:

Avv. Anna Tripiciano, Lawyer – tel. +39 335 1841446; address [email protected].

3. PRINCIPLES

Gesap acknowledges, accepts and undertakes to ensure compliance with the following detailed principles both in the processing of personal data carried out by the same as controller or co-controller, and in those performed as a data processing controller.

a. LAWFULNESS

Gesap carries out only processing of personal data that is based on one of the legal bases as per art. 6 GDPR (consent, fulfillment of contractual obligations, vital interests of the person concerned or third parties, legal obligations to which the holder is subject, public interest or exercise of public authority, legitimate interest of the controller or third parties to whom the data are communicated).

Gesap handles particular categories of personal data (data suitable to reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, union membership, genetic data, biometric data intended to uniquely identify a physical person, data relating to the health or sexual life or sexual orientation of the person, …), only if there is one of the cases provided for by art. 9.2 GDPR.

Gesap processes personal data relating to criminal convictions and offenses or related security measures only on one of the legal bases referred to in Article 10 of the GDPR, and only under the control of the public authority or if the processing is authorized under the law of the Union or Member States providing appropriate safeguards for the rights and freedoms of interested subjects.

b. CORRECTNESS

Gesap processes personal data exclusively for specific, explicit and legitimate purposes, without impropriety or deception towards the data subjects, strictly adhering to the legal bases that legitimize their treatment.

c. TRANSPARENCY

Gesap shall take appropriate measures to provide the interested subject with all the information referred to in Articles 13 and 14 and the communications referred to in Articles 15 to 22 and Article 34 relating to processing in a concise, transparent, intelligible and easily accessible form, with a simple and clear language. In particular, for each processing performed, Gesap shall inform the data subject of the ways in which personal data are collected, used, consulted or otherwise processed, and the extent to which personal data are or will be processed. The information and communications relating to the processing of such personal data must be easily accessible and understandable.

d. LIMITATION OF THE PURPOSE

Gesap processes personal data for specific, explicit and legitimate purposes, ensuring that the processing is not incompatible with these purposes.

e. DATA MINIMISATION

Gesap processes personal data that is appropriate, relevant and limited to what is necessary with respect to the purposes for which it is processed.

f. ACCURACY

Gesap processes personal data that is exact and, if necessary, updated, taking all reasonable steps to cancel or correct inaccurate data in a timely manner with respect to the purposes for which it is processed.

g. LIMITATION OF CONSERVATION

Gesap files personal data in a form that allows identification of data subjects for a period of time not exceeding the achievement of the purposes for which they are processed.

h. INTEGRITY AND CONFIDENTIALITY

Gesap processes personal data in such a way as to guarantee adequate security, protecting them, through appropriate technical and organizational measures, against unauthorized or unlawful processing or their loss, destruction or accidental damage. (Article 5 of the GDPR)

i. DATA PROTECTION BY DESIGN AND BY DEFAULT

Gesap adopts, for any project, a methodological approach on the basis of which the protection of personal data must be evaluated from the design stage. For any treatment activity, therefore, both structural and still conceptual, we must consider the protection of personal data from the moment of its design and provide solutions for the protection of personal data.

Gesap implements appropriate technical and organizational measures to ensure that, by default, only the personal data necessary for each specific purpose of the processing are processed; in particular, the technical and organizational measures implemented have the purpose of ensuring that – by default – personal data are processed only for the specific purposes of the processing and only by a number of natural persons limited to the pursuit of said purposes.

4. BACKGROUND

Taking into account the scope of treatment, the geographical context and the social context in which the Company works, the processing of personal data is in compliance with the defined compliance requirements.

5. METHODOLOGY

In compliance with the principle of "accountability" (accountability in the English meaning) required by the European Regulation, compliance activities must be undertaken in the spirit of awareness. The choices made must be traceable and shared.
These requirements, combined with the need to guarantee the dynamism and adequacy of organizational and technical measures that Gesap carries out to ensure compliance with the GDPR, have driven the methodology according to the UNI CEN ISO standards, the Guidelines and the Best Practices, commonly recognized.

6. TASKS AND RESPONSIBILITIES

This paragraph, coherently with the organizational map, describes the tasks and responsibilities of positions, that is, organizational articulations (which can be both structures, stable aggregations of people organized to deliver certain outputs, and figures, individual positions that are stable and equipped with autonomy), both with regard to the normal operations and objectives of the Company, and with regard to activities related to compliance with the GDPR.

The duties and responsibilities related to the conformity of the processing of personal data are communicated by the "Privacy Manager" to all those who must take responsibility, ensuring that the tasks are understood and accepted. The "Privacy Manager" keeps the list of positions up to date, acquiring information from other Company functions.

All those who process personal data, for any reason and in any position, on behalf of Gesap, must have been previously authorized, trained and instructed. The processing of personal data is subject to an authorization system based on "authorization profiles" drawn up for homogeneous operating units and/or for specific persons. The Privacy Manager ensures that whoever has been authorized to process personal data carries out the processing operations, within the assigned treatment, according to authorization profiles consistent with the principle of "need to know".

7. SECURITY MEASURES

GDPR Article 32 requires the controller and the processor to put in place appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art and implementation costs, as well as the nature of the object, the context and purpose of the processing, as well as the risk of various probability and seriousness for the rights and freedoms of individuals.

Given the nature of the data processed through treatment activities, the estimated vulnerability of the treatment tools, the threats and solutions offered by the state of the art, as well as the resources available, Gesap has identified security levels to be applied to treatment activities carried out in-house and those carried out by its controllers, including an assessment of the adjustment priority and some additional customized measures. These safety levels are also proposed by Gesap to the processors on behalf of whom it performs processing activities as the controller.

Sources:

– GDPR Art. 32
– Annex B to Legislative Decree no. 196/2003 – Technical regulations regarding minimum security measures
– Circular 18/4/2017 n. 2/2017 – Minimum ICT security measures for public administrations
– CIS Controls – March 2018
– ENISA – Recommendations for a methodology of the assessment of the severity of personal data breaches

8. WEBSITE

With regard to the interaction with the website, it should be noted that these policies apply to the website and not to other websites that can be consulted via links. The Gesap website uses technical cookies to improve the browsing experience and does not record any profiling cookies. For more information, refer to the aforementioned Privacy Policy. Following consultation of this site, data relating to identified or identifiable persons may be processed.
Browsing data

The computer systems and software procedures for the operation of this site acquire, during their normal operation, some personal data whose transmission is implicit in the use of internet communication protocols. This is information that is not collected to be associated with identified interested parties, but which by its very nature could, through processing and association with data held by third parties, allow users to be identified.

This category of data includes the IP addresses or computer domain names used by users connecting to the site, the addresses in the Uniform Resource Identifier (URI) notation of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (success, error, etc.) and other parameters related to the operating system and the user's computer environment.

These data are used for the sole purpose of obtaining anonymous statistical information on the use of the site and to check its correct functioning, and are maintained for the minimum period required by current legislation. The data could be used to ascertain responsibility in case of hypothetical computer crimes against the site.