Data controller

The Data Controller is Bolton Group S.r.l. with registered office in in Via G.B. Pirelli 19 - 20124 Milan, Italy (“Data Controller” or “Bolton”).

The Data Controller can be contacted at the following e-mail address: privacy@boltongroup.it

DPO Contact Details

The Data Controller has appointed a data protection officer (DPO) which can be contacted at the following e-mail address: DPO@boltongroup.it

Categories of personal data

For the purposes set out in this policy, the Controller will process:

• data collected automatically navigating the Platform;
• personal data you provide us with on the Platform via registration form (i.e.: name, surname, business unit, country, e-mail address).

For further details please read below

• Navigation data
  The computer systems and software procedures that are used to operate the Platform may, in the course of their standard operation, obtain certain personal data the transmission of which is implicit in the use of Internet communication protocols. This data is not collected in order to be associated with data subjects, but by its very nature could, through processing and association with data held, also by third parties, allow to identify users. This category of data includes the IP addresses or domain names of the devices used by users connecting to the Platform, the URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user's operating system and IT environment.
  This data is used for the sole purpose to check its correct functioning, allow the proper provision of the various functions you requested, and ascertain any liability in the event of potential cybercrimes to the detriment of the Platform or third parties.
  With regard to personal data collected via cookies, we invite you to read our Cookie Policy.

• Personal data you provide us with
  We collect the data through the Platform, such as anagraphic data, contact data you provide us with in order to register for or log in to the personal area (where registration has already taken place).

Purpose and legal basis of processing

Your personal data will be processed by the Data Controller to (i) allow you to browse the Platform and ensure its proper functioning, (ii) allow you to register in the personal area of the Platform, (iii) allow us to produce reports containing information on the number of employees using the Platform, as well as to (iv)allow us to exercise or defend a right in court proceedings or out-of-court procedures.

In relation to the purposes we pursue, the legal basis are: the performance of a contract and our legitimate interest.

For further details please read below

• Allowing you to browse the Platform for taking part in the onboarding programme and ensuring its proper functioning. The legal basis of the processing is the performance of a contract
  . Providing personal data for this purpose is necessary to enable you to navigate the Platform and to take part in the onboarding programme, as well as to ensure the proper functioning of the Platform.
• Allowing you to register on the Platform by creating a personal account and then accessing your personal area through the login. The legal basis of the processing is the performance of a contract.
  You are not obliged to provide your data for the above-mentioned purpose, but the consequence, in the event you do not provide such data, is that you will not be able to register or access the personal area.
• Allowing us to produce reports containing information on the number of employees using the Platform. The legal basis of the processing is the legitimate interest of the Data Controller in analysing the information on the number of data subjects using the Platform. The Data Controller has considered that this legitimate interest does not affect the rights and freedoms of the data subjects.
• Allowing us to exercise or defend a right in court proceedings or out-of-court procedures. The legal basis of the processing is the legitimate interest of the Data Controller in exercising or defending its rights. The Data Controller has considered that this legitimate interest does not affect the rights and freedoms of the data subjects.

Data retention period

We only retain personal data for as long as it is necessary for the purposes for which it was collected or for any other related legitimate purpose. Therefore, if personal data are processed for two different purposes, we will keep those data until the purpose with the longer retention period ends. In any case, we will no longer process personal data for that purpose whose retention period has expired. Personal data that is no longer needed, or for which there is no legal basis for its retention, will be irreversibly deleted.

For further details please read below

Browsing data are deleted after 7 days without prejudice to any need for criminal investigations by judicial authorities.
The personal data processed to register on the Platform and to access the personal area are retained until the expiry of a period of 12 months from the last access to your personal area and, in any case, no later than the deletion of your account from the Platform.
The personal data processed to produce reports containing information on the number of employees using the Platform are retained until the expiry of a period of 24 months from the registration on the Platform.
In the event that it is necessary to process data for the purpose of legal action or defence, the data is retained for as long as any claims and/or actions may be pursued by the law.

Categories of data recipients

Your personal data will be processed by persons authorised and instructed to process the data under the direct authority of the Data Controller (e.g., employees and contractors as persons authorised to process personal data under the direct authority of the Data Controller).

In some cases, your personal data may be communicated to other parties acting on our behalf as data processors to whom we have given special instructions regarding the processing of your data, including companies that provide us with IT support services, cloud services, etc.

Furthermore, your personal data may also be processed by authorities and institutions to which the access to the data is regulated by provisions of law or regulations or other companies in their capacity as autonomous data controllers.

The list of recipients to whom your personal data are communicated can be requested from the Data Controller by writing to privacy@boltongroup.it

For further details please read below

In particular, your data may be communicated or otherwise provided to, exclusively for the purposes specified above, to the following recipients that will process your personal data as data processors or as autonomous data controllers:

• contractors, consultants of the Data Controller;
• companies that provide us with IT support services for our systems;
• companies that provide us with cloud or hosting services;
• authorities and institutions to which the right of access to data is regulated by laws or regulations (e.g., public security authorities and police forces) and other data controllers, public or private, where there is a legal basis, such as a legal obligation

Transfer of personal data abroad

The Data Controller stores personal data on servers located within the European Union. If necessary, it only transfers them outside the European Union if the necessary safeguards are in place.

For further details please read below

The Data Controller stores the data in the European Union, where it has its own servers. If the Data Controller needs to transfer certain data outside the European Union for the location of a supplier, the Data Controller undertakes to ensure adequate levels of protection and safeguards, such as contractual safeguards, in accordance with the applicable laws, including the execution of standard contractual clauses pursuant to Art. 46(2)(c) of the GDPR, possibly supplemented by additional technical, legal and organisational measures necessary to ensure that the level of protection of personal data is equivalent to that of the European Union.

For any further information on the transfer of your personal data, please send an e-mail to the following address: privacy@boltongroup.it.

Rights of the data subject

In relation to the processing of your personal data, you will always be able to exercise your rights under the GDPR (Articles 15-22), namely:

• obtain confirmation of the processing of personal data (and information on it) and access to their content (right of access);
• update, amend and/or correct personal data (right to rectification);
• request the erasure or restriction of personal data processed in breach of the law, including data the retention of which is not necessary for the purposes for which the data were collected or otherwise processed (right to be forgotten and right to restriction of processing);
• object to the processing at any time where the processing is based on our legitimate interest or in case of marketing (right to object);
• in the cases provided, to receive a copy of the personal data concerning you, rendered in the context of the contract, in electronic format and to request that such data be transmitted to another data controller (right to data portability).

To exercise your rights, you can write to us at the following e-mail address: grouptraining@boltongroup.it

Further rights

If you consider that the processing of your personal data via the Platform infringes the data protection legislation, you always have the right to lodge a complaint with a Supervisory Authority.