INTERNAL

Data Protection
Definitions and Insights
1. What do we mean by personal data?
Answer
Any information concerning an identified or identifiable natural person.

Insight
Personal Data is any information relating to an identified or identifiable person. Personal Data that has been en-
crypted or pseudonymised, but which can subsequently be made visible and identify an individual, remains Per-
sonal Data and falls within the scope of the legislation. Personal Data that has been anonymised, such that the
individual is not or is no longer identifiable, is no longer considered Personal Data only if the anonymisation is
irreversible.

There are different categories of Personal Data that may be processed. For example, here are some classifications
that allow both direct identification - such as personal data (e.g. first name, last name, etc.) - and indirect identifi-
cation (e.g. tax code, IP address, licence plate number, etc.).

2. What do we mean by special categories of personal data?

Answer
Sensitive data, such as racial or ethnic origin, religious beliefs, political opinions, trade union membership, health,
sex life, genetic and biometric data.

Insight
Data protection legislation gives specific protection for 'special categories' of Personal Data that, by its nature, is
more sensitive. This is Personal Data that reveals:

- racial or ethnic origin;

- political opinions;

- religious or philosophical beliefs;

- trade union membership;

- genetic data;

- biometric data intended to uniquely identify a natural person;

- data relating to a person's health or sexual life or sexual orientation.

The processing of this data is generally prohibited, unless specific exceptions are provided for by the law. Some of
the exceptions that allow the processing of these categories of data include:

• Explicit consent of the data subject.

• The processing is necessary to fulfil obligations or exercise rights in the context of labour law or social
security.

• Protection of vital interests of the data subject or another person, when the data subject is unable to give
his consent.
 INTERNAL

• Foundations, associations or non-profit bodies that process data of members or former members in the
scope of their legitimate activities.

• The processing is necessary for the defense of a right before a court.

• Reasons of relevant public interest, such as public health or safety.

The processing of this data requires more stringent security measures and special attention to ensure that the
rights and freedoms of the data subjects are adequately protected.

3. Who is the data subject?

Answer
Identified or identifiable natural person to whom the personal data relates.

Insight
The Data Subject is the natural person to whom the personal data being processed refers.

More precisely, the data subject is an identified or identifiable natural person, i.e. one who can be identified in a
direct or indirect manner by reference to, for example, information such as: a name, an identification number, lo-
cation data, an online identifier or one or more characteristic elements of his/her physical, physiological, genetic,
psychic, economic, cultural or social identity.

4. Who are the data protection authorities?

Answer
Independent authorities that supervise, through investigative and corrective powers, the enforcement of data pro-
tection regulations.

Insight
Data protection authorities are independent public bodies responsible for ensuring that laws and regulations re-
lating to the protection of personal data are respected, both by public and private entities. Their main role is to
supervise, regulate and protect the rights of individuals with regard to the processing of their personal data in
accordance with the relevant legislation.

5. Can the personal data be processed for any purpose?

Answer
Only for specified, explicit, and legitimate purposes.

Insight
The purpose constitutes the reason for processing of Personal Data. Indeed, one or more purposes must always be
identified for each processing operation. Moreover, data must be collected for specific, explicit, and legitimate pur-
poses and must be processed consistently for those purposes.
 INTERNAL

6. When can data be considered anonymous?

Answer
Data can be considered anonymous when it is no longer possible to re-identify the person to whom it refers. Anon-
ymisation is therefore a de-identification operation that aims to transform personal data into anonymous data
irreversibly.

Insight
Personal data can be considered anonymous when it has been processed in such a way that the data subject is no
longer directly or indirectly identifiable. Data must be irreversibly altered so that the identity of the individual
cannot be traced even by using additional information or data reconstruction techniques.

The main features of anonymisation include:

• Irreversibility: it is not possible, by reasonable means, to reconnect data to a natural person. This means
that even using other information, it is not possible to identify the data subject.

• Non-identifiability: data cannot be linked either directly (such as with a name or an identification num-
ber) or indirectly (through combinations of information that could lead to an identification).

• No link to further data: even when the anonymised data is combined with other available information, it
is impossible to identify the person.

Therefore, anonymised data is no longer personal data.

Difference between pseudonymised and anonymized data:

In the pseudonymised data the identifying information has been replaced by an identifier (for example, a code or
number). However, with additional information, the pseudonymised data could allow the identification of the in-
dividual. Pseudonymised data is not considered anonymous and remains subject to data protection regulations.

7. Which rights can the data subject exercise?

Answer
Right to rectification of personal data.

Insight
The Data Protection legislation regulates the recognition of a series of rights to the Data Subject, which can be
exercised to protect their Personal Data.

These recognized rights are:

- Right of access: which consists in asking the Data Controller whether or not Personal Data relating to him is
being processed and, if so, to obtain access to that data.

- Right of rectification: which consists in the possibility for the Data Subject to request changes to his or her
Personal Data in the event that he or she believes that such data is not up to date or is otherwise inaccurate. The
Data Subject has therefore the right to obtain the integration of incomplete Personal Data, also by providing a sup-
plementary declaration.

- Right to erasure: also known as the right to be forgotten. This right gives the Data Subject the possibility to
request the deletion of his or her data without undue delay and applies, as a rule, in situations where the relation-
ship with the Data Subject has ended. This right depends on the retention period of the specific Personal Data
governed by the legislation and is not absolute in scope. For example, if Personal Data is used to fulfill a legal obli-
gation or for purposes relating to public health, or scientific research, then the right to erasure may be refused.
 INTERNAL

- Right of Data Processing Limitation: which allows the Data Subject to obtain from the Data Controller a re-
striction of the processing when various circumstances apply. For example, one may restrict the processing of one's
data when one fears that it is inaccurate or when one disputes its processing.

- Right to data portability: which gives the Data Subject the possibility to request the transfer of Personal Data
concerning him/her provided to a Data Controller to another Data Controller. Personal Data concerning the Data
Subject must be received in a structured, machine-readable format.

- Right to object: which allows the Data Subject to object at any time to the processing of Personal Data. The Data
Controller, therefore, is obliged to refrain from processing Personal Data, unless he/she proves the existence of
compelling legitimate grounds for processing that override the interests or rights of the Data Subject or for the
establishment, exercise or defence of legal claims. The data subject may also object to the processing of data for
commercial and/or direct marketing purposes. In the case of processing based on consent, however, the possibility
to withdraw consent prevails over the right to object. It should be emphasised that an objection to processing is a
different matter from the deletion of data.

8. What does "consent of the data subject" mean?

Answer
The expression of wishes made by the data subject through an unequivocal statement or affirmative action regard-
ing the processing of its personal data.

Insight
Consent to the processing of personal data is the explicit and informed permission that a person (the data subject)
gives an organization or a company to collect, use, process or share his personal data. According to the relevant
legislation, consent is one of the main legal bases for processing personal data.

Consent must have the following characteristics to be valid:

• Free: consent must be given voluntarily, without any pressure or coercion. The data subject must be free
to give consent or not, and to withdraw it at any time without consequences.

• Explicit: consent must be expressed clearly and unambiguously, through a positive action (such as sign-
ing a form or selecting a box). Silence, pre-selection of options or inactivity cannot be considered as valid
consent.

• Informed: before giving consent, the data subject must be informed clearly and in a comprehensible way
about what data will be collected, for what purposes it will be used, who will have access to the data and
how long it will be kept. The data subject must also be informed of its rights, such as the right to withdraw
consent.

• Specific: consent must be given for one or more specific purposes for processing the data. General con-
sent is not allowed for various uses that are not well defined.

• Documented: the controller must be able to demonstrate that consent has been obtained in a legally
compliant manner. This means that controller must keep a record of the consent given by the data subject.

9. When is it possible for the data subject to withdraw the consent?

Answer
At any time.

Insight
 INTERNAL

According to the relevant legislation, the data subject has the right to withdraw his consent at any time. Upon
revocation, the data controller must stop the processing of the data for which consent was provided, unless there
is no other legal basis for continuing the processing (e.g., a legal obligation).

10. What is a "data breach"?

Answer
A security breach that can result in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure,
or access of personal data that is transmitted, stored, or processed.

Insight
A Security Breach or Data Breach means a breach of security that accidentally or unlawfully results in the destruc-
tion, loss, modification, unauthorised disclosure of or access to Personal Data transmitted, stored or otherwise
processed.

If the breach is capable of jeopardising the rights of the data subjects, the Data Controller shall notify the competent
authority and the data subjects themselves of the Data Breach.