EU Regulation 679/2016 ("GDPR")
v. June 4, 2018
ENTANDO INC. and ENTANDO S.R.L. (jointly defined as "Entando" or the "Controller") are engaged in the protection of the Personal Data entrusted to it. Management and Security of Personal Data are guaranteed with the utmost care, in accordance with the requirements of the privacy legislation pursuant to EU Regulation 679/2016 (“GDPR“).
This policy explains who we are, for what purposes we could use your data, how we manage them, to whom we can communicate your data, where they could be transferred and which are Your rights.
Premise - About Us
Entando is an international company principally involved in the B2B sector and software services and products.
In particular Entando assist developers and enterprises.
For developers Entando is a low-code, component-based platform that opens the door for accelerated development of cloud Modern Applications that leverage the full potential of continuous integration/continuous delivery, develops, containers, and microservices. Entando unleashes developer creativity, freeing them to work lighter, faster and more efficiently.
For enterprises Entando platform provides the tools to rapid prototyping applications, accelerate time to market, scale applications as the business grows, and deliver a unified and device-agnostic experience to end users across the enterprise.
The applications created by Entando serve a series of products better described on www.entando.com.
1. Who will treat my data?
Your data will be treated, as Data Controller, by:
ENTANDO S.R.L. (the "Controller")
Piazza Salento 9
09127 - Cagliari (Italy)
Subject to direction and coordination of Entando Inc
ENTANDO INC. (the "Controller")
600 B Street, Suite 300
92101 - San Diego (CA) - USA
The list of processor and sub-processor for the processing of personal data is available at the headquarters of the owner or by request at firstname.lastname@example.org .
2. Why do you need my data?
The Data Controller will use your data exclusively for the following purposes:
- Purposes related to the management of the contractual relationship and the provision of software services and other services purchased by the customer and as described on www.entando.com or other informative and / or contractual material of Entando. In this context your Personal Data will be processed for the following purposes: establishment, management and termination of the contractual relationship with Entando; fulfillment of accounting and tax obligations; fulfillment of legal obligations (for example: anti-terrorism checks); anti-money laundering controls; audits for tax and accounting purposes; management of disputes; provision, support, updating and information regarding the services offered and the available features; activation of online services; training courses.
- Purposes related to marketing activities, email marketing. In this context with your specific consent, your personal data will be processed for the following purposes: market research; economic and statistical analyzes; social, cultural and solidarity initiatives; updating on training initiatives; email marketing and updates on initiatives, promotions and offers from Entando or third-party companies that operate in collaboration with the Data Controller; communications and information on the activities of the owner and on the events in which the owner takes part.
Entando will carry out the treatment:
- with reference to letter a) above, because it is necessary for contractual obligations; to fulfill legal obligations, to which Entando is subject (ex. accounting, compensation, social security, anti-terrorism checks); because the treatment is necessary to pursue a legitimate interest (for example, anti-money laundering checks, use of video surveillance tools to protect corporate assets, prevent fraud, safeguard strategic corporate interests and related business relationships).
- with reference to letter b) above, on the basis of your express consent.
Therefore your personal data are necessary or mandatory for the purposes listed in letter a).
The purpose referred to in letter b), on the other hand, does not derive from a legal obligation or contract and the consent to provide such data for such purpose is optional and does not affect provision of the services.
Any partial or total failure to provide the data will result in the partial or total impossibility of achieving the aforementioned purposes.
Entando will always use Personal Data effectively necessary for the specific purpose (minimization).
We will not use your Personal Data for any other purpose other than those described in this statement, if not by informing you in advance and, where necessary, obtaining your consent.
3. How will you use my data?
Your personal data will be processed, through the use of tools and procedures suitable to ensure maximum security and confidentiality, through archives and paper, and also through digital media, computer and telecommunications adequate and in compliance with the GDPR provisions.
The communications may take place in traditional ways (example: paper mail, phone calls with operator), automated (eg, phone calls without operator) and similar (example: fax, e-mail, sms, mms) .
4. How long will you keep my information?
Your personal data will be stored for a period consistent with the purposes of treatment indicated above.
Here below follow the duration of the different treatments:
Purpose: Candidates for job placement
Duration: Maximum 24 months after sending the candidate's Curriculum Vitae
Legal basis: art. 5 lett. e) of GDPR
Purpose: Work contract
Duration: 10 years after the termination of the employment relationship
Legal basis: art. 43 of Presidential Decree 600/73; art. 2946 of the Italian civil code on the ordinary prescription; Title I, Chapter III, of Legislative Decree 81/08 (as amended)
Purpose: Customers, service, suppliers, partners, etc.
Duration: 10 years from the end of the contractual relationship
Legal basis: art. 2948 of the Italian Civil Code, which provides a period of 5 years for payments; art. 2220 of the Italian Civil Code, which provides a period of 10 years, for the keeping of accounting records; art. 22 of the D.P.R. September 29, 1973, n.600.
Purpose: Customers, for marketing purposes (both first-party and third-party) and profiling
Duration: In compliance with the terms prescribed by law for the type of activity and in any case until the revocation of consent or until the exercise of the right of opposition
Legal basis: art. 23 of Legislative Decree 196/03; General Provision of 15/05/13 Italian Garante Privacy; art. 21 GDPR.
5. Will you share my information with other subjects?
Your Data may be communicated to Entando partners for the management of contracts in place with You, and to third parties, (including Credit Recovery Companies, Professionals, Public Bodies, Auditing Bodies or Supervisory Bodies), to fulfill obligations deriving from the law, regulations, community regulations or for aspects concerning the management and execution of the contractual relationship.
Your personal data will not be transferred to third parties for marketing purposes unless you have expressly permitted such transfer.
For all the purposes indicated in this statement your data may be transferred also abroad, inside and outside the European Union, in compliance with the rights and guarantees provided by the current legislation, subject to verification that the country in question ensure an "adequate" level of protection.
The Data will also be processed by internal resources of the Entando offices, properly trained, which operate as authorized personnel to process the Data in accordance with art. 29 GDPR.
We also inform you that in compliance with a company policy, all company emails will be kept through an archived outsourced archiving system with adequate security measures in order to protect them.
Access to the archived Data may be carried out only by public authorities, in the cases and methods provided for by the laws in force, in the event of legal disputes.
Your personal data are not subject to dissemination.
MailChimp declared to be GDPR compliant. MailChimp is currently included in the Privacy Shield as per the following link: https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG
6. What are my rights?
At any time, you will have the right to ask:
- access to your personal data;
- correction of your personal data in case of inaccuracy;
- cancellation of your personal data;
- limitation of their treatment.
You will also have:
the right to oppose their treatment:
- if processed for the pursuit of a legitimate interest of Entando, except where permitted by law;
- if processed for direct marketing purposes;
- the right to their portability (where applicable), meaning you can receive your personal data, which you have given to us, in a structured format, and, if possibly, through a digital tool (such as excel, pdf or similar).
We will handle your request with the utmost care to ensure the effective exercise of your rights.
Finally, you will have the right to lodge a complaint with the National Supervisory Authority (Italian Garante Privacy).
7. Can I withdraw my consent after I gave it?
Yes, you can revoke your consent at any time, without this, however this will not:
- prejudice the lawfulness of the treatment based on the consent given before the revocation;
- prejudice further processing of the same data based on other legal bases (for example, contractual obligations or legal obligations to which Entando is subject)
8. I still have questions ...
Appendix – Definitions of certain terms referred to above:
(Article 4 of the GDPR): ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
(Article 4 of the GDPR): means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction.
Legal Basis for Processing:
(Article 6 of the GDPR): At least one of these must apply whenever personal data is processed:
Consent: the individual has given clear consent for the processing of their personal data for a specific purpose.
Contract: the processing is necessary for compliance with a contract.
Legal obligation: the processing is necessary to comply with the law (not including contractual obligations).
Vital interests: the processing is necessary to protect someone’s life.
Public task: the processing is necessary to perform a task in the public interest, and the task or function has a clear basis in law.
Legitimate interests: the processing is necessary for the legitimate interests of the Data Controller unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
(Article 4 of the GDPR): this means the person or company that determines the purposes and the means of processing personal data.
(Article 4 of the GDPR): means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
Data Subject Rights:
(Chapter 3 of the GDPR) each Data Subject has eight rights. These are:
The right to be informed; This means anyone processing your personal data must make clear what they are processing, why, and who else the data may be passed to.
The right of access; this is your right to see what data is held about you by a Data Controller.
The right to rectification; the right to have your data corrected or amended if what is held is incorrect in some way.
The right to erasure; under certain circumstances you can ask for your personal data to be deleted. This is also called ‘the Right to be Forgotten’. This would apply if the personal data is no longer required for the purposes it was collected for, or your consent for the processing of that data has been withdrawn, or the personal data has been unlawfully processed.
The right to restrict processing; this gives the Data Subject the right to ask for a temporary halt to processing of personal data, such as in the case where a dispute or legal case has to be concluded, or the data is being corrected.
The right to data portability; a Data Subject has the right to ask for any data supplied directly to the Data Controller by him or her, to be provided in a structured, commonly used, and machine-readable format.
The right to object; the Data Subject has the right to object to further processing of their data which is inconsistent with the primary purpose for which it was collected, including profiling, automation, and direct marketing.
Rights in relation to automated decision making and profiling; Data Subjects have the right not to be subject to a decision based solely on automated processing.