Data Processing and Privacy Policy
Certiquality Personal Data Protection Policy
For all personal data processing carried out and in particular for certification, training and inspection processes, Certiquality srl acts as Data Controller.
Certiquality, in fact, as a Quality Certification Body, is Accredited for the Certification of Organizations, Products, Processes, Services, People and for Inspection activities, and is also a Notified Body in the European context and provides training activities on relevant topics.
Since 2008, Certiquality has adopted a Code of Ethics and Conduct and implemented an Organizational Management and Control Model pursuant to Legislative Decree 231/01, from which this policy draws inspiration and with which it is consistent.
The role of Certification Body requires that the activities and services provided are carried out in a third-party and independent manner in order to guarantee all interested parties that there are no threats to impartiality or conflicts of interest. In fact, it is our company that evaluates, from time to time, also through its lead auditors, the depth of the third-party verification, the quality and quantity of data and evidence to be acquired, including personal data, based on the certification and inspection context and the applicable legal requirements.
This assumption establishes and justifies the role of Certiquality as Data Controller of the data of its Customers, their users and workers.
Conversely, the role of Data Processor as prescribed by art. 28 of the GDPR would not be suitable for a Certification Body, precisely because it entails a position that is subordinate and bound to the Data Controller, for the outsourced management of a process containing personal data. Such an interpretation would conflict with the institutional third-party role that is attributed to Certiquality by the international accreditation and notification regulations. The same applies to employees or people who operate on behalf of Certiquality such as auditors or evaluators, who must maintain independence and third-party status with respect to the Client's position and who must therefore not be authorized by the Client to process data or individually appointed as Data Processors.
It is Certiquality itself that, within its contractual schemes, determines the relationship with the auditor by authorizing him to process personal data or by assigning him responsibility for the same pursuant to art. 29 or 28 of the EU GDPR 2016/679. As Data Controller, Certiquality pays the same attention to the protection of the personal data of its clients (and their workers and users), its suppliers, its workers and their families and requires all its auditors, evaluators, teachers and experts to respect the same rules, binding them to confidentiality.
As a qualified and accredited body for the provision of training and certification services for individuals, CQY acts as the data controller of learners, whether they enroll directly and personally in the courses or are directed to them by the company in which they work in application of the contractual relationship established. This applies equally to company or inter-company courses, both in funded training contexts and in self-financing contexts.
The protection of personal data is based on compliance with the principles illustrated in this document, which Certiquality undertakes to disseminate, to respect and to ensure that its structure respects.
For this reason, Certiquality:
- communicates and disseminates its policy regarding the protection of personal data through the website and company tools suitable for the purpose
- listens and pays attention to all interested parties – institutions, students, employees, customers, external collaborators, exam candidates, etc. – and takes due account of their requests regarding the processing of personal data, providing prompt feedback
- processes personal data in a lawful, correct and transparent manner, only for the time strictly necessary for the intended purposes, including compliance with legal obligations; collects only the personal data indispensable for carrying out the activities (relevant and limited personal data); and makes all the processing carried out public (the full information notice is published below)
- adopts processes for updating and rectifying the personal data processed to ensure that the personal data are, as far as possible, correct and up to date
- undertakes to continuously update the measures for the protection of personal data
- adopts a code of conduct for its internal and external collaborators (auditors and evaluators, experts, examiners and teachers)
- ensures compliance with the legal and regulatory provisions applicable to the protection of personal data and prevents and minimizes, compatibly with the available company resources, the impact of potential violations or illicit and/or harmful processing of personal data, whether accidental or malicious violations or processing.
In order to pursue the above, Certiquality, as Data Controller of the personal data entrusted to it, has assigned the responsibility for supervising the personal data protection system to an internal senior figure, in application of the principle of accountability. Through this function, the Company's Management periodically establishes, documents and disseminates internally the objectives and the improvement plan related to data protection, which are periodically verified and updated.
Certiquality is committed to ensuring that this Personal Data Protection Policy, and all that follows from it, is understood, implemented and supported by all internal and external parties involved in the activities, including through specific training and information initiatives.
For any questions or observations on the matter, you can contact us at privacy@certiquality.it.
Information notice on data processing and protection
Below is the complete Policy on the processing of personal data of Certiquality Srl (hereinafter “Certiquality”), with registered office in Via Giardino 4, Milan (MI), Italy, Data Controller, contactable at privacy@certiquality.it.
In addition to the personal data voluntarily provided by users and processed for the purposes indicated in specific Certiquality disclosures, during their normal operation the computer systems and software procedures used to operate this site acquire some personal data, the transmission of which is implicit in the use of internet communication protocols.
This category of data includes IP addresses or domain names of the computers used by users connecting to the site, URI/URL (Uniform Resource Identifier/Locator) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the operating system and the user’s computer environment (so-called browsing data).
Browsing data are processed on the basis of the legitimate interest of the Data Controller to verify the correct functioning of the site and the services offered and could also be used by the judicial authority to ascertain the perpetration of crimes. The provision of browsing data is necessary to access the website.
In addition, the site uses cookies as better specified in the Cookie Policy present in the footer of each page of the website.
Specific information notices
Certiquality hereby informs users that their personal contact data will be processed with automated and manual tools for the sole purpose of following up and responding to their requests for quotes or information (pre-contractual measures and performance of the contract). The provision of this data is mandatory, as without it Certiquality cannot pursue the above-mentioned purpose.
The data, which will not be disseminated in any way, may be communicated to third parties who support Certiquality in carrying out the activities mentioned above, as well as to parties to whom Certiquality has outsourced the management of some of its IT services, including the activities necessary for the correct use of the website.
User contact details will be retained by Certiquality for a maximum of 5 years.
Users are reminded that, according to legislation in force, they are at all times entitled to exercise their rights of access, rectification, restriction, erasure and objection, as well as to lodge a complaint with the data privacy Authority. These rights may be exercised by writing to privacy@certiquality.it.
Certiquality hereby informs users that the personal data provided for registration will be used for the management of the services provided by the website, and in particular for registration for the training courses offered. Users will be able to use the profile both for themselves and for the people in their company who wish to register under a single account, without having to enter this data for each event. The provision of data is necessary for completion of the registration procedure. Users are hereby informed that their registration data may be communicated to teaching professionals, to third parties who support Certiquality in the organisation of the course and to the parties to whom Certiquality has outsourced the management of some IT services, including the activities necessary for the correct use of the website.
User data will be stored by Certiquality until deletion of the user’s profile.
Users are reminded that, according to legislation in force, they are at all times entitled to exercise their rights of access, rectification, restriction, erasure and objection, as well as to lodge a complaint with the data privacy Authority. These rights may be exercised by writing to privacy@certiquality.it.
For further information on data processing, users should also consult specific information relating to training or events.
Certiquality hereby informs that the personal data provided by users to enrol in the courses offered (both in-person and remotely) will be processed for the organisation and management of the training course and for related administrative activities (performance of the contract), including the survey of user feedback and any updates to legislation and/or standardisation of the subject matter addressed. Certiquality may also process user data (name, surname and e-mail) during user participation in chats with course attendees or in discussion forums and/or in the event that the user needs to contact the course tutor. Participation in the course involves the sharing of first and last names between participants. The provision of this data is mandatory, as without it Certiquality cannot pursue the above-mentioned purpose.
Users are hereby informed that their registration data, which will not be disclosed in any way, may be communicated to teaching professionals, to third parties who support Certiquality in the organisation of the course and to the parties to whom Certiquality has outsourced the management of some IT services, including the activities necessary for the correct use of the website.
User data will be stored by Certiquality for 5 years after the course has taken place.
In the case of courses that require the delivery of a UNI standard in protected electronic format, traceable to the user, personal data will be stored in a special register for the entire period of validity of the standard.
User contact details (generally e-mail address) will be carefully selected and sometimes used, at most for the same period, including for promotional purposes, in accordance with Certiquality’s legitimate interest to keep its customers informed about news, opportunities and offers concerning or related to the service purchased and the field of certification. Users may opt-out at any time and from each individual mailing.
Users are reminded that, according to legislation in force, they are at all times entitled to exercise their rights of access, rectification, restriction, erasure, objection, and to lodge a complaint with the data privacy Authority. The above rights may be exercised by writing to privacy@certiquality.it.
Certiquality hereby informs that the personal data provided by users to enrol in the courses (in-person and remote) promoted in partnership and collaboration with other entities will be processed for the organisation and management of the training course and for related administrative activities (performance of the contract), including the survey of user feedback and any updates to legislation and/or standardisation of the subject matter addressed. Certiquality may also process user data (name, surname and e-mail) during user participation in chats with course attendees or in discussion forums and/or in the event that the user needs to contact the course tutor. Participation in the course involves the sharing of first and last names between participants. The entities operating in partnership act as Joint Data Controllers of the personal data of the participants in the sole context of the organisation and management of the classroom.
The provision of this data is mandatory, as without it Certiquality cannot pursue the above-mentioned purpose.
Users are hereby informed that their registration data, which will not be disclosed in any way, may be communicated to teaching professionals, to third parties who support Certiquality in the organisation of the course and to the parties to whom Certiquality has outsourced the management of some IT services, including the activities necessary for the correct use of the website.
User data will be stored by Certiquality for 5 years after the course has taken place.
In the case of courses that require the delivery of a UNI standard in protected electronic format, traceable to the user, personal data will be stored in a special register for the entire period of validity of the standard.
User contact details (generally e-mail address) will be carefully selected and sometimes used, at most for the same period, including for promotional purposes, in accordance with Certiquality’s legitimate interest to keep its customers informed about news, opportunities and offers concerning or related to the service purchased and the field of certification. Users may opt-out at any time and from each individual mailing.
The entities operating in partnership will make no other use of the data shared unless they provide users with appropriate information under their sole responsibility.
For further information on the details of the joint control of course-related data, users can send an e-mail to privacy@certiquality.it.
Certiquality hereby informs users that the personal data provided to enrol in its webinars, conferences and seminars (free of charge or on payment) will be processed for the organisation and management of the training course and for related administrative activities (performance of the contract), including the survey of user feedback and any updates to legislation and/or standardisation of the subject matter addressed. The provision of this data is mandatory, as without it Certiquality cannot pursue the above-mentioned purpose.
Some events involve live streaming or video recording in order to be replicated in other sessions. Participants can interact directly with the speakers via microphone or chat and their voices may, therefore, also be recorded and reused in the performance of the contract.
Some webinars also involve recording for the production of promotional videos to be disseminated on social networks, in which case users will be asked to give their consent to the recording through the spontaneous activation of audio or video (disabled by default).
Users are informed that their registration data may be communicated to teaching professionals, to third parties who support Certiquality in the organisation of the course and to parties to whom the company has outsourced the management of some IT services, including the activities necessary for the correct use of the website.
In the case of events jointly arranged with other organisations, it is hereby specified that the partners involved do not receive the names and contact details of the participants, but only the references to the names of the companies present.
User data will be stored by Certiquality for 5 years after the course has taken place.
User contact details will be carefully selected and sometimes used, at most for the same period, including for promotional purposes, in accordance with Certiquality’s legitimate interest to keep its customers informed about news, opportunities and offers concerning or related to the service purchased and the field of certification. Users may opt-out at any time.
Users are reminded that, according to legislation in force, they are at all times entitled to exercise their rights of access, rectification, restriction, erasure and objection, as well as to lodge a complaint with the data privacy Authority. The above rights may be exercised by writing to privacy@certiquality.it.
Certiquality hereby informs its customers (legal persons) and the people who work for them that, within the third party audit processes carried out during the certification and inspection procedures, it is possible that the personal data of workers, and possibly of users of the organisations, will be collected and processed for the purpose of gathering the evidence necessary for the activity that is the subject matter of the engagement received (performance of the contract).
However, judicial information constitutes a special case: in fact, according to accreditation rules, Certiquality is required to be informed in certain specific cases of disputes concerning the client company that relate to issues pertaining to the subject matter of the certified activity, such as (but not limited to) environmental or occupational health and safety incidents, convictions or pending rulings on corruption. This information normally contains data relating to the company and the context of the event, but the presence of personal data in this information cannot be ruled out. At any rate, any special judicial data relating to criminal proceedings concerns events about which information has been made public following the closure of investigations or notifications that a party is under investigation.
The provision of this data is mandatory, as without it Certiquality cannot pursue the above-mentioned purpose.
The data is collected by qualified auditors who are expressly bound to absolute confidentiality vis-à-vis the organisation and Certiquality. It may only be communicated to third parties who aid Certiquality in the implementation of activities (i.e. experts, members of technical commissions, management platforms of certain IT services and website management) and possibly to the designated accreditation bodies. The data collected are generally common personal details (names, surnames, addresses, telephone numbers, e-mail addresses, company affiliation, etc.) and Certiquality auditors are expressly instructed NOT to collect data relating to particular categories, unless required by law or for the purposes of accreditation.
Certification data, including personal data, are retained by Certiquality per accreditation requirement for as long as the certificate is valid plus one full certification cycle, and are processed, managed and stored in offices and on servers within the European Union.
Certiquality also uses the contact details of the persons designated by the client company for all necessary communications of a contractual nature, consisting of information of a managerial or organisational character, dispatch of updates on news from the field of legislation and/or standardisation, and requests for feedback on the service used, for as long as the certificate is valid (and therefore for as long as the contract is in force).
In targeted cases, user contact details (generally e-mail address) will be carefully selected and sometimes used, at most for the same period, including for promotional purposes, in accordance with Certiquality’s legitimate interest to keep its customers informed about news, opportunities and offers concerning or related to the service purchased and the field of certification. Users have the right to opt-out at any time and from each individual mailing.
Users are reminded that, according to legislation in force, they are at all times entitled to exercise their rights of access, rectification, restriction, erasure and objection, as well as to lodge a complaint with the data privacy Authority. The above rights may be exercised by writing to privacy@certiquality.it.
Given the difficulty of reaching every single user, the present Policy is made public on this website and delivered to each client company at the opening of an audit, together with the commitment to confidentiality, so that it can be made clear by the organisation to all its workers and users.
Certiquality hereby informs that the personal data provided by users to access a skills certification programme will be processed for the management of said programme, for the exam and for the issuance and maintenance of the certificate in fulfilment of the contract, including the survey of user feedback and the update on the legislative/standardisation news related to the certificate. The provision of this data is mandatory, as without it Certiquality cannot pursue the above-mentioned purpose.
Depending on the certification programme chosen, user data shall be posted on the Certiquality website and published in Italy and abroad by CISQ, ACCREDIA and IQNET and any other recognition bodies in accordance with the procedures provided for by the same, in the exercise of their activities as autonomous Data Controllers. User data may be communicated to external examiners and technical committee experts, as well as to those to whom Certiquality has outsourced the management of some IT services, including activities necessary for the correct use of the website. User data will be stored by Certiquality for the duration of the contractual relationship plus the time of a certification cycle.
User contact details (generally an e-mail address) will be used for the same period, including for promotional purposes, in accordance with Certiquality’s legitimate interest to keep its customers informed about news, opportunities and offers concerning or related to the service purchased and the field of certification. Users may opt-out at any time and from each individual mailing.
Users are reminded that, according to legislation in force, they are at all times entitled to exercise their rights of access, rectification, restriction, erasure and objection, as well as to lodge a complaint with the data privacy Authority. The above rights may be exercised by writing to privacy@certiquality.it.
Certiquality hereby informs that the personal data provided by users in the “Work with us” section of the website are processed for the sole purpose of recruiting and selecting personnel to establish an employment or collaboration relationship with Certiquality (pre-contractual measures and performance of the contract), with automated and manual tools. The provision of this data is mandatory, as without it Certiquality cannot pursue the above-mentioned purpose.
User data, which will not be disclosed in any way, may be communicated to those to whom Certiquality has outsourced the management of some IT services, including activities necessary for the correct use of the website.
User data will be stored by Certiquality for 2 years from the receipt of the CV and subsequently deleted from its database, unless the user wishes to remain registered.
Users are reminded that, according to legislation in force, they are at all times entitled to exercise their rights of access, rectification, restriction, erasure and objection, as well as to lodge a complaint with the data privacy Authority. The above rights may be exercised by writing to privacy@certiquality.it.
Certiquality hereby informs that the personal contact data provided by the user (telephone number and e-mail address) through spontaneous subscription to our news services will also be used to send informative and commercial communications to the user regarding the activities of the Institute, certification and training.
Subscription to the service is absolutely free and data processing is therefore based on user consent, which can be revoked at any time.
Certiquality may contact the users by e-mail, text message or telephone to keep them updated with regard to activities, to send updates on legislation and standards and news relating to the field of certification in general, and to provide users with information and commercial offers and/or advertising material on the services offered, courses, conferences and seminars, as well as to ask users to participate in market research.
User data, which will not be disclosed in any way, may be communicated to those to whom Certiquality has outsourced the management of some IT services, including activities necessary for the correct use of the website.
User contact details will be used by Certiquality for this purpose until consent is withdrawn, upon which they will be deleted, subject to storage for other contract-related reasons.
Users are reminded that, according to legislation in force, they are at all times entitled to exercise their rights of access to, rectification, restriction and erasure of their personal data, as well as revocation of consent. The aforementioned rights can be exercised by writing to privacy@certiquality.it. Consent can also be revoked at any time from the footer of the newsletter, and is applicable for all the above.
Users are also reminded that they have the right to lodge a complaint with the data privacy Authority in relation to any violations of current legislation on the subject matter.
Certiquality hereby informs users that the personal contact data they provide will be processed, with automated and manual tools, for the sole purpose of following up and managing any reports made in relation to the performance of the contract. The provision of this data is mandatory, as without it Certiquality cannot pursue the above-mentioned purpose.
The data, which will not be disseminated in any way, may be communicated to third parties involved in reporting, accreditation and recognition bodies (e.g. Accredia) and to parties to whom Certiquality has outsourced the management of some of its IT services, including the activities necessary for the correct use of the website.
User contact details will be retained by Certiquality for a maximum of 5 years.
Users are reminded that, according to legislation in force, they are at all times entitled to exercise their rights of access, rectification, restriction, erasure and objection, as well as to lodge a complaint with the data privacy Authority. The above rights may be exercised by writing to privacy@certiquality.it.