Video surveillance policy

We take data protection very seriously and would therefore like to inform you about how your data is processed and the rights you have under current data protection legislation, in particular EU Regulation 2016/679 (hereinafter also referred to as “GDPR”). 

Furthermore, in particular in compliance with the obligations set forth in Article 13 of EU Regulation 2016/679 and the provisions on video surveillance issued by the Italian Data Protection Authority and the EDPB (European Data Protection Board), we inform you that a video surveillance system is in operation at our headquarters in (Via Lombroso, no. 54 and no. 95, 20137 Milan, MI). 

The following information is also provided pursuant to Article 4 of Law No. of 1970 and following the signing of the trade union agreement signed on May 2, 2024, and subsequent amendments and additions, hereinafter also referred to as the Agreement. 

SO.GE.M.I. S.p.A.

Registered office address: Via Lombroso, n. 54, 20137 Milano (MI)

Telephone contact details: +(39). 02.550051

Email contact details: info@foodymilano.it

Data Protection Officer (DPO)

Alessia La Camera

Address for the assignment: Via Lombroso 54, 20137 Milano (MI)

Telephone contact details: +(39). 02.55005483

Email contact details: dpo@foodymilano.it

The categories of “personal data” (pursuant to Art. 4.1 of the GDPR) processed by the Data Controller may include, by way of example but not limited to: 

•  Audio and video images and any additional identifying data. 

The processing of personal data is carried out in accordance with the provisions of the General Data Protection Regulation (GDPR) and any other applicable data protection legislation. Details are provided below: 

Where necessary, the processing of personal data is aimed at safeguarding our legitimate interests or those of third parties. This will be limited to the processing of necessary data only and only on condition that the rights of the data subject do not prevail. The processing will include the following purposes in particular: 

the need for worker safety, limited to the District and excluding the “Palazzo Affari”; 

protection of company assets, i.e., the legitimate need of the data controller to preserve the company's assets (by way of example and without limitation, from acts of vandalism, theft, unauthorized access to the premises with consequent damage to objects forming part of the assets), all in compliance with the data subjects and their rights, in relation to the District and “Palazzo Affari.” 

The retention period for personal data, in relation to the purposes referred to in this section, is: 

For purposes a) and b), a maximum of 7 days. 

Personal data collected in the form of images through the video surveillance system will be processed within the storage periods indicated above and, after this period, unless required to protect the rights of the Data Controller or requested by public authorities, will be immediately deleted through automatic erasure. 

The information collected through the video surveillance system may be used by the Data Controller, within the limits set out in Article 4 of Law 300/70 and the aforementioned Agreement.

Processing necessary for the performance of a task carried out in the public interest may involve the pursuit of the following purposes: 

imposing any penalties referred to in Regional Law No. 6 of 2010 and/or Service Order No. 114 of September 7, 2022 (and respective amendments and additions), limited to the District and excluding “Palazzo Affari”; checking the license plates of vehicles entering the District, in accordance with the Memorandum of Understanding for Legality and Prevention of Organized Crime Infiltration Attempts, dated September 22, 2022 (and subsequent amendments and additions ii.), entered into with the Municipality of Milan and the Prefecture of Milan, limited to the District and excluding “Palazzo Affari”. 

The period of retention of personal data, in relation to the purposes referred to in this section, is: 

For purposes a) and b), for a maximum of 7 days. 

Personal data collected in the form of images through the video surveillance system will be processed within the storage periods indicated above and, after this period, unless required to protect the rights of the Data Controller or requested by public authorities, will be immediately deleted through automatic erasure. 

The information collected through the video surveillance system may be used by the Data Controller, within the limits set out in Article 4 of Law 300/70 and the aforementioned Agreement. 

Within the scope of the above purposes, the Data Controller may communicate your data to: 

The Data Controller's internal offices and departments, specifically appointed for this purpose; 

Public and judicial authorities, and public officials in the event of a request; 

The Data Controller's supervisory and control bodies, if necessary following the detection of illegal activities; 

External parties who collaborate with the Data Controller to achieve the above purposes, in particular for the management, maintenance, and administration of video surveillance systems, specifically appointed as data processors and sub-processors; 

Any law firms in the context of any disputes and legal proceedings to protect the company's assets. 

* Further information on the Recipients (pursuant to Article 4.9 of the GDPR) is available from the Data Controller at the above addresses. 

No disclosure of personal data is envisaged.

The Data Controller informs you that your personal data will not be disclosed to countries within the EU or to countries outside the EU and the EEA.

The data subject may exercise the following rights, to the extent possible (taking into account the specific nature of the processing operations described above) and within the limits set out in the aforementioned agreement: 

right of access by the data subject [Article 15 of the EU Regulation] (the possibility of being informed about the processing of one's Personal Data and, where applicable, receiving a copy thereof, in the cases and within the limits provided for in the same article); 

right to rectification of one's Personal Data [Art. 16 of the EU Regulation] (the data subject has the right to rectify inaccurate personal data concerning him/her, with the exception of images and recordings); 

the right to erasure of one's Personal Data without undue delay (“right to be forgotten”) [Article 17 of the EU Regulation] (the data subject has, and will have, the right to have their data erased in the cases provided for in the same article); 

right to restriction of processing of their Personal Data in the cases provided for in Art. 18 of the EU Regulation, including in the case of unlawful processing or contestation of the accuracy of the Personal Data by the data subject [Art. 18 of the EU Regulation]; 

right to data portability [Article 20 of the EU Regulation], the data subject may request their Personal Data in a structured format in order to transmit it to another data controller, in the cases provided for in the same article (and therefore also if it is technically feasible); 

right to object to the processing of their Personal Data [Art. 21 of the EU Regulation] (the data subject has, and will have, the right to object to the processing of their personal data, in the cases provided for in the same article); 

the right not to be subject to automated decision-making [Article 22 of the EU Regulation] (the data subject has, and will have, the right not to be subject to a decision based solely on automated processing). 

Further information about the rights of the data subject can be obtained by requesting a full extract of the above articles from the Data Controller. 

The above rights may be exercised in accordance with the provisions of the Regulation by sending an email to the following address: info@foodymilano.it. 

In accordance with Article 19 of the EU Regulation, the Data Controller shall inform the recipients to whom the personal data have been disclosed of any rectifications, erasures, or restrictions on processing requested, where possible. 

To allow for a more rapid response to your requests made in the exercise of the above rights, they may be addressed to the Data Controller at the contact details indicated in point 1. 

If the data subject believes that their rights have been compromised, they have the right to lodge a complaint with the Data Protection Authority, in accordance with the procedures indicated by the Authority itself at the following internet address http://www.garanteprivacy.it/ web/guest/home/docweb/-/docweb-display/docweb/4535524 or by sending written communication to the Italian Data Protection Authority.

Please note that if the legal basis for the processing purposes is a legal obligation or the performance of a task in the public interest, the data subject must necessarily provide the requested data. 

Otherwise, it will be impossible for the Data Controller to pursue the specific processing purposes. 

With regard to the above purposes, which are based on a compelling legitimate interest and do not require consent, the data subject may not object to the processing of their data carried out in the terms and manner indicated above, if they are present or pass through the area subject to video surveillance, unless the duration of the processing exceeds the storage period indicated above in the absence of the reasons for extension indicated in point 3.1 above. 

The use of purely automated decision-making processes as detailed in Article 22 of the GDPR is currently excluded. If, in the future, it is decided to establish such processes for individual cases, the data subject will be notified separately if required by law or by an update to this policy. 

The number of cameras and their location are described in a specific floor plan, which is available and can be consulted only by employees at the Technology office. 

The video surveillance system implemented will not be connected to the internet but only to the company intranet, and therefore it will not be possible to view images in real time from a remote location, with the sole exception of the security officer, who will be able to view them in real time from the so-called “Control Room,” as well as, when strictly necessary for the pursuit of the aforementioned purposes, to persons expressly authorized by the Data Controller and indicated in the aforementioned Agreement (which can only be consulted by employees of the Data Controller). 

The cameras will be positioned so as not to film you while you are carrying out your work activities and will be activated and in operation 24 hours a day, 7 days a week. 

Personal data collected in the form of images through the video surveillance system will be processed with the support of information systems by personnel expressly and specifically designated as Data Processors and Authorized Persons for the processing of personal data from video surveillance, who may carry out consultation, comparison, and any other operations necessary for the pursuit of the above purposes, in compliance with the legal provisions necessary to ensure, among other things, the confidentiality and security of the data as well as the accuracy, updating, and relevance of the data with respect to the aforementioned purposes.