Pursuant to art. 13 et seq. of EU Regulation 2016/679 and in relation to your personal data of which Sofito S.r.l. will come into possession, we inform you of the following:

1. Data Controller

The data controller is SOFITO S.r.l. (VAT number 11177490015) with registered office in Via XX Settembre n. 31, 10121 – Turin (TO), in the person of its pro tempore legal representative.

2. Data processed 

The Data Controller may process the following data of each employee and visitor who intends to access the company premises:

  • information on movements made in the previous days;
  • information on any contacts with people positive for the virus in the previous days;
  • information on the health of the person concerned (by way of example: body temperature detection, presence of symptoms of COVID-19, etc.);
  • contact details (telephone number and / or e-mail address), which will be used only if there were positive cases with which the interested party may have come into contact within the premises.

3. Purpose and legal basis of the processing

The purpose of the processing is the prevention of the contagion of COVID-19.

The collection and processing of personal data of employees and any other visitor is carried out:

  • for reasons of public interest (Article 9, letter g GDPR);
  • to protect vital interests (art. 6, lett. d and art. 9, lett. c GDPR);
  • to fulfill legal obligations (art. 6, lett. c and art. 9, lett. b GDPR);
  • to implement anti-contagion security protocols.

4. Place of processing

The data are processed and stored at the headquarters of the Data Controller.

5. Processing methods

The processing will be based on principles of correctness, lawfulness, transparency and protection of confidentiality and your rights.

The processing will be carried out in an automated and / or manual form, in compliance with the provisions of art. 32 of the GDPR 2016/679 on security measures, by specifically appointed persons, in compliance with the provisions of art. 29 GDPR 2016/679.

Data of a sensitive nature about the state of health of employees will also be processed in accordance with Legislative Decree 81/08 and other regulations relating to safety and hygiene at work by the competent doctor, who is the controller of, and autonomously responsible for, the sensitive data processed.

6. Data communication

All the data collected may be communicated both in Italy and abroad for the specified purposes to the Health Authorities, the Police Forces, the National Civil Protection Service and public and private structures operating within the National Health Service, as well as to all other subjects institutionally authorized to process personal data that are necessary for the performance of the functions attributed to them in the context of the emergency caused by the spread of COVID-19.

7. Data retention times

We point out that, in compliance with the principles of lawfulness, purpose limitation and data minimization, pursuant to art. 5 GDPR 2016/679, your personal data will be kept for the period of time necessary to achieve the purpose of containing the spread of COVID-19, as well as for compliance with legal obligations and requirements.

8. Data provision and possible refusal

The provision of data is mandatory as required by legal obligations and therefore any refusal to provide them, in whole or in part, allows the Data Controller to deny access to the premises.

9. Transfer of data abroad

Personal data may be transferred outside the national territory to countries located in the European Union, or even outside the European Union, if required for reasons of public interest, or if it is necessary for the achievement of the purpose of preventing the contagion of COVID-19, to fulfill legal obligations, as well as to safeguard vital interests. With reference to transfers outside the territory of the European Union to countries not considered adequate by the European Commission, the Data Controller adopts suitable and appropriate security measures to protect the personal data received, in accordance with the applicable legislation and in particular with Articles 45 and 46 of the GDPR.


Right of access

The interested party has the right to ask the data controller for access to their personal data. Upon request, the data controller provides a copy of the personal data being processed. In case of further copies requested by the interested party, the data controller may charge a fee based on administrative costs. If the interested party submits the request by electronic means, and unless otherwise indicated by the interested party, the information is provided in a commonly used electronic format.

Right of rectification

The interested party has the right to obtain from the data controller the correction of inaccurate personal data concerning him without undue delay.

Taking into account the purposes of the processing, the interested party has the right to obtain the integration of incomplete personal data, also by providing an additional declaration.

Right to cancellation (“right to be forgotten”).

The interested party, with the exception of the cases provided for by Article 17, paragraph 3, of EU Regulation 2016/679, has the right to obtain from the data controller the cancellation of personal data concerning him without undue delay and the data controller has the obligation to delete personal data without undue delay, if there is one of the cases provided for in Article 17, paragraph 1, of EU Regulation 2016/679 pursuant to art. 5 Federal Data Protection Act (LPD).

Right to limitation of processing

The interested party has the right to obtain from the data controller the limitation of the processing in one of the cases referred to in art. 18 of EU Regulation 2016/679.

Right to object to processing.

The interested party has the right to object at any time, for reasons related to his particular situation, to the processing of personal data concerning him pursuant to Article 6, paragraph 1, letters e) or f) of EU Regulation 2016/679.

The data controller refrains from further processing personal data unless he demonstrates the existence of compelling legitimate reasons for proceeding with the processing that prevail over the interests, rights and freedoms of the data subject or for the assessment, exercise or defense of a right in court.

Right to data portability.

The interested party has the right to receive, in a structured, commonly used and machine-readable format, the personal data concerning him provided to a data controller and has the right to transmit such data to another data controller without hindrance from the data controller to whom he provided them, only in the cases provided for by law and without affecting the rights and freedoms of others.

Revocation of consent.

If the processing is based on art. 6, paragraph 1, letter a), or on art. 9, paragraph 2, letter a) of EU Regulation 2016/679, the interested party has the right to withdraw the consent given at any time without prejudice to the lawfulness of the processing based on the consent given prior to the revocation.

Right of complaint.

The interested party has the right to lodge a complaint with the supervisory authority.

The interested party can exercise his rights with a written request sent by registered letter with return receipt to the registered office of the Data Controller or by certified e-mail to privacy@snodo.com.

This information does not replace, but supplements, any information provided previously. In case of conflict, the provisions contained in this document prevail over the previous ones.