Information Notice on the processing of personal data for the purpose of the e-learning training service pursuant to art. 13 EU Regulation 2016/679

Dear user,

Assos of Switzerland GmbH (hereinafter only "Assos"), in its capacity as Data Controller (hereinafter "Data Controller") for the e-learning training service, pursuant to art. 13 of EU Regulation 679/2016 ("GDPR") wishes to inform you that it considers privacy and the protection of personal data one of the main objectives of its business.

Therefore, he invites you to read this information notice carefully which is aimed at all those who access the e-learning platform, request registration for training events via the dedicated portal and/or platform services that are only accessible from the area and -learning, at the web page https://academy.assos.com/.

1.    Data Controller and Data Protection Officer

The Data Controller for the regional training service is Assos of Switzerland GmbH which is required to implement training events to support its internal staff to instruct them on the correct methods of processing personal data during the performance of their professional activity.

ASSOS of Switzerland GmbH, CH-100.090.328, can be reached via e-mail privacypolicy@assos.com, and tel. +41 91 641 78 78. The Data Protection Officer (DPO) can be reached at dpo@assos.com.

2.    Purpose of the data processing

The e-learning training service processing and, in particular, the collection, registration, storage, consultation, communication, will be performed for the following purposes:

a) the fulfillment of contractual obligations of the Data Controller connected to the provision of training activities on security and compliance with the protection of personal data in the performance of professional activities;

b) the fulfillment of legal obligations of fiscal and administrative nature by the Data Controller;

c)   the planning of the organization of the training service plan by sending e-mails or paper mail and information regarding the training sessions provided and the activities carried out.

3.    The legal basis of the processing for these purposes

The legal basis of the processing for these purposes is the following: art. 6 par. 1 lit. b) of the GDPR (“processing is necessary for the execution of a contract of which the data subject is a party or for the execution of pre-contractual measures adopted at the request of the same”).

Your personal data is not subject to any automated decision-making process, including profiling.

4.     Types of personal data collected

The data collected and stored are those strictly necessary for the fulfillment of the purposes of managing the contractual obligations connected to the performance of the training activities of the Data Controller and the fulfillment of legal obligations of fiscal and administrative nature.

In particular, the following data is collected:

a) personal access and authentication data;

b) images/videos of users for carrying out training activities in live mode and/or remote exam sessions;

c) personal identification data (name, surname, e-mail, other identification elements such as tax code) are mandatory both as required by the legislation on the attribution of certificates and for administrative and organizational purposes. This is to avoid generating user identification problems, in issuing certificates, in case of homonyms.

d) the tracking data of the training activities within the e-learning platforms which allow: to complete the training course over time; the assessment of attendance, the detection of passing of the final test.

e) navigation data: IP address, session cookies, pages viewed, login attempts.

5.    Data Retention times for personal data

The data are stored in a secure manner for the time necessary to pursue the purposes for which they are processed, except for the longer time necessary to fulfill legal or regulatory obligations due to the nature of the data or document.

6.    Personal data processing methods

The processing of personal data and/or images/videos may take place using paper, IT or telematic tools and with adequate security measures to guarantee the security and confidentiality of your personal data. The platforms used will be managed by specially appointed internal staff of proven reliability. The Data Controller will promptly inform the interested parties, if there is a particular risk of violation of their data without prejudice to the obligations deriving from the provisions of art. 33 of the GDPR relating to personal data breach notifications.

7.    Data Subject’s Rights

The data subject can exercise the following rights with reference to the data processed by the Data Controller:

•      Information. The data subject has the right to know how his data is used by the Data Controller (right which is exercised with this information).

•      revoke consent at any time. The data subject can revoke the previously expressed consent to the processing of personal data.

•      object to the processing of your data. The data subject can oppose the processing of his data when it takes place on a legal basis other than consent.

•      access his own data. The data subject has the right to obtain information on the data processed by the Data Controller, on certain aspects of the processing and to receive a copy of the data processed.

•      check and ask for rectification. The data subject can verify the correctness of his data and request its updating or correction.

•      obtain the limitation of the processing. When certain conditions are met, the data subject can request the limitation of the processing of their data. In this case, the Data Controller will not process the data for any other purpose than their conservation.

•      obtain the cancellation (right to be forgotten) or removal of your personal data. When certain conditions are met, the data subject can request the cancellation of their data by the Data Controller.

•      receive their data or have them transferred to another Data Controller (portability). The data subject has the right to receive their data in a structured format, commonly used and readable by an automatic device and, where technically feasible, to obtain their transfer without obstacles to another Data Controller. This provision is applicable when the data are processed with automated tools and the processing is based on the consent of the data subject, on a contract of which the data subject is a part, or on contractual measures connected to it.

•      propose a complaint. The data subject can lodge a complaint with the competent personal data protection supervisory authority or take legal action.