Protection of personal data
Information regarding the processing of personal data pursuant to the Articles 13 and 14 of European Regulation n. 2016/679
Pursuant to the Articles 13 and 14 of the European Regulation 2016/679 (hereinafter referred to as “GDPR”) and in adherence to subsequent national norms (hereinafter referred to as the Applicable Law) on the processing and protection of personal data the organiser shall:
- be transparent on the gathering of information and the purpose thereof.
- use such information to provide users with information which serves to achieve the certification of IT skills and to keep such skills up to date.
- refrain from sending marketing messages should users not wish to receive such. Nevertheless, the distribution of essential information related to products or services purchased by users should not be ceased.
- implement security measures to protect users’ personal information.
- respect users’ rights regarding personal data and grant users control of such information
This policy clarifies in detail the respective formalities, timings, the nature, and purposes of processing, and the distribution of information, as well as data obtainable once users connect with the website, to consult, visit or simply browse, regardless of the purposes of such connection, in accordance with Italian and European legal provisions, and in compliance with both the protection of personal data and the free movement of such data. Information shall be available exclusively for the CERTIPASS S.r.l. website (hereinafter referred to as “Data Controller”) accessible online with the following address (hereinafter referred to as “Site”) www.eipass.com and is not available also for other websites which could eventually be consulted by users and are accessible through hyperlinks contained on the company’s site, or which could eventually be published on other websites and refer to resources external to the Controller’s domain.
Further enquiries are to be referred to firstname.lastname@example.org
The Data Controller (hereinafter referred to as Controller) is CERTIPASS S.r.l– Via Lazio 1 – Zona PIP – 70029 Santeramo in Colle (BA), F.C./VAT Number 05805441218 e-mail email@example.com , represented temporarily by the Legal Representative.
Categories of personal data processed by the Data Controller:
In order to provide the services offered by the website, the Data Controller processes the personal data entries. Such data, which is functional for the implementation of the online services provided by CERTIPASS, may implicitly be supplied by the tools used for access and to avail from services, or may explicitly be supplied by the interested party. The Data Controller may process the following categories of users’ personal data:
- technical navigation data related to the IP address, identification codes of the devices employed by the user for access to the site or the services, type of browser, device parameters used to connect to the site, name of the internet service provider (ISP), date and time of visit, web page of origin of the user (referral) and log-out, as well as the potential number of clicks;
- common ID data provided by the user (i.e. Name and Surname, place and date of birth, Address, telephone number, email, Fiscal Code, educational qualifications, current employment, etc.) to follow up on his/her requests. Additional data may be requested, depending on the particular case, for instance, with regard to the enrolment for the services of lecturers at any level or grade. The Data Controller as accredited entity by the MIUR, must also necessarily report such enrolments (amongst the data to be provided is the following: the academic Institution of the enrolled lecturer);
- photographic and/or audio-visual material wherein users are portrayed. In the case of events and/or courses held in physical presence, the Data Controller may develop photographic and/or audio-visual material to improve the promotion/dissemination of information on the event. In such cases, the Data Controller may process photographs and audio/video recordings related to the participating Users authorised to use and publish such, whether partially or entirely, within the limits permitted by law. In the eventuality of courses held in presence, the insertion and use of images and/or video recordings wherein users are portrayed, are considered as effected and granted free of charge. The Data Controller is also authorised, to modify any of the images or audio-visual material according to technical requirements, provided this does not harm the user’s reputation and dignity. The publication and the dissemination of the above-mentioned material by any means (multimedia, hard copy or web, etc.) will be at the discretion of CERTIPASS, whilst respecting the aims of disclosure and commercial objectives, as well as the time limits set for such purposes. Should the material concern underage users, the Data Controller will require the authorisation of Parents, Legal Guardians or of those with parental responsibility.
- other data (personal preferences, hobbies et al), is used to provide an increasingly adequate service in line with the User’s expectations; and users may provide such at their discretion.
This data may also be saved in databases or file archives. The nature of the services offered by the company does not involve the processing of sensitive data, except as required for biometric data, as managed and specified below.
Categories of collected biometric data (where applicable)
For online courses providing EIPASS IT certification and for the EIPASS 7 Standard Modules, given the public relevance and erga omnes content of the qualification, as well as its high level certification which guarantees quality, efficiency, security and the regularity of its delivery system, characterised by autonomous, transparent and impartial requisites, the Data Controller activates an identification method that applies cognitive algorithms of points corresponding to relevant somatic traits (as provided for in Article 1, subparagraph 35, L. 190/2014).
The biometric recognition process serves to identify a person on the basis of one or more biological traits, by comparing them with the data previously saved and available in the database system.
It should be noted that the stored data is a code and not an image: the system, in fact, applies an algorithm that converts the distance between different points of the face into a unique code.
During the examination, therefore, verifications will be made to assess data and not images.
The processing stages are as follows:
- creation and recognition of the model,
- verification, effected by the system by confronting what is detected during the exam with what is saved from previous stages of detection and the creation of the model.
In any case, the data acquired is processed by the Data Controller with appropriate technical and organisational techniques, in line with the GDPR, as well as in accordance with precautionary measures aimed at ensuring compliance with the principles of lawfulness, proportionality and necessity: use of the minimal amount of information, deciphering of data upon acquisition, ensuring adequate protection of data during the storage phase in the database, and the definite cancellation once the necessary period required for the fulfilment of the intended purposes has expired.
At the initial stage the system requires, the cooperation and awareness of the user (interactive biometric system): upon his/her first access to the reserved area on the DIDASKO platform, be it screen, smart phone and/or tablet, the user must take a photograph showing his/her face, in accordance to the following guidelines:
- the face must be positioned in the centre of the frame; the photograph must show only the person concerned (no other person may appear in the photograph) in a frontal and natural posture (the face must not be inclined), the subject must look straight at the lens (the webcam); artistic postures (eg; wearing sunglasses, profiles, hands on face, arms raised etc.) shall not be allowed;
- correct focusing and light contrast must be ensured in order to enable the face traits to be clearly distinguishable.
- Data storage by clicking on the key which enables “CONFIRM BIOMETRIC ACQUISITION”. Should the result not be satisfactory, the user may replace the stored data, by clicking on the key which enables “PLAY CAMERA” in order to restart the process.
- Creation and identification of the model
The system identifies the principal traits of the user’s face through additional analysis tools; it subsequently performs the tracking and the identification of facial features by the processing of the acquired image.
At the end of the process described in the previous point, the user will be assigned a code that will be saved within the system.
During the examination, the system carries out random selections of images that, upon being instantly submitted to the coding process as described in relation to the creation of the model, are compared with the saved data.
The enrolment of minors is subject to the indication and authorisation of data related to Parents/Legal Guardians/those who have parental Responsibility and who authorise their enrolment. The personal data of Parents/Legal Guardians/those who have parental Responsibility and the personal data of the minors will not be disclosed.
The Data Controller reserves the right to carry out random verification on the minors enrolled in the www.eipass.com site in order to verify the accuracy of the data related to Parents/Legal Guardians/those who have parental Responsibility entered upon enrolment.
Purposes and legal basis of the process
The processing of personal data through the site, is aimed at the fulfilment of legal obligations, norms and regulations, and in any case such processing shall be undertaken solely for the following purposes:
- those closely related and necessary for registration to the eipass.com site and for the use of the DIDASKO platform, the services and/or the App developed or made available by the Data Controller, for the use of related information services; the management of contact requests or information; the acquisition of products and services offered through the site;
- activities connected to the management of the User’s requests and to the submission of feedback that may affect the transmission of promotional material; for the improvement of the purchase orders of offered services, including issues related to the payment by credit card; shipment management; the right of afterthoughts on distance shopping; and updating of the availability of temporarily unavailable services;
- the fulfilment of obligations imposed by community and national legislation, for the protection of public order, and the detection and repression of crime;
- direct marketing, that is delivery of advertising material, direct sale, marketing research or commercial communication of services offered by the Data Controller; such activity may be carried out by submitting advertising/informative/promotional material and/or invitations to initiatives and events.
- Website security: automatically saved data, such as the IP address, which may be used in compliance with the regulations in force, in order to prevent website threats or further damages to users, as well as harmful or unlawful activities. Such data is never used for user profiling, but solely for website security purposes and the protection of its users.
The provision of data for the purposes referred to as in points 1), 2) and 3), when related to a pre-contractual and/or contract stage, on servicing a user’s request, or in pursuance of a specific legal provision, is mandatory, and failing that, it shall not be possible to receive information and to access to services that may be required; with regard to point 4) of this information Access to data processing by the user is, conversely, readily available and optional, and may always be withdrawn with no reaction on the use of services, except for the determent of the Data Controller to keep the users updated on new initiatives, specific promotions or benefits that may eventually be available.
Any User adhering to the system, has a personal account on DIDASKO; with regard to data compiled from particular categories of Users, Supervisors and Inspectors, the data processing will include also the publication, in a dedicated area, on the eipass.com website.
Users are expressly informed of such publication upon subscribing to the service. Data will be processed by CERTIPASS through electronic, automated and manual tools for the proper delivery of the service, in compliance with the aforementioned legislation, and in consideration of the aforementioned aims and objectives to ensure the security and privacy of such data.
Communication, promulgation and entrants who access the data
The processing is carried out with the aid of electronic or automated devices and is undertaken by the Data Controller and/or third parties on whom the Data Controller may rely to save, manage and transmit such data. Data processing is to take place in consideration of data organisation and personal data processing principles, also considering the logs deriving from the access and the use of services made available through the web, pertaining to those products and services used in relation to the aforementioned objectives, and in order to guarantee data security and confidentiality. The processed personal data will be saved for the duration of time as established by the applicable regulations.
to data protection issues, in the website sections created for specific services, where personal data is requested from the user, this data is encrypted through security technology referred to as Secure Sockets Layer, abbreviated as SSL.
SSL technology encrypts information before it is exchanged via Internet between the user’s computer and the Data Controller’s central systems, rendering it unintelligible to unauthorized persons and thus ensuring the confidentiality of the information submitted. Furthermore, payments effected by using electronic payment systems are carried out through the payment service provider (PSP)’s platform, and the Data Controller only retains the minimum information essential to manage any eventual disputes.
With reference to the protection of personal data, in compliance with art. 33 of the GDPR, the user is requested to submit a report by communicating to the Data Controller any circumstances or events leading to an eventual breach of personal data (data breach), in order to allow a prompt evaluation and implementation of eventual measures aimed at preventing such event.
The measures adopted by the Data Controller do not exempt the user from being cautious on the use, of a sufficiently complex password/PIN, which must be changed periodically, especially in case of any doubt that such data may have been violated/identified by third parties, as well as from safeguarding such to prevent the access of any unauthorised third parties, or any irregular and unauthorized use.
Purpose of biometric data processing
Considering the high number of individuals who, for various reasons, access our system and the large number of examinations that are daily scheduled and undertaken, the purpose of the process of authentication is to avoid any tampering or intrusive attempts by third parties, through computer authentication.
In order to protect the overall certification process, the Organization aims to safeguard users and, above all, those who receive and are entrusted with the accreditation of the qualifications, with regard to ascertainment of the fact that it is the candidate enrolled in the study course who is undertaking the exam and not any unauthorized third parties.
CERTIPASS, therefore, considers it essential to activate such system in compliance with the regulations, whilst weighing the various rights and interests involved to confirm and strengthen the quality of the services and its reputation among all stakeholders.
Areas of Communication and transfer of data
To pursue the above-mentioned purposes, the Data Controller may communicate and process the user’s personal data in Italy and abroad to third parties with whom it has relations, whereby such third parties provide services on his/her request. Third parties shall only be provided with the information necessary to undertake the requested services, whilst all measures are taken to protect personal data. Data may be transferred outside the European Economic Area, if deemed to be necessary for the management of the contractual relationship. In such case, protection and security obligations equivalent to those guaranteed by the Data Controller will be imposed on the recipients of the data. In the case of use of services offered directly by Partners, only data which is strictly necessary will be provided for their execution. Nevertheless, only the data necessary for the pursuit of the intended purposes will be communicated and, where required, the guarantees applicable for transfer of data to third countries will be applied.
Moreover, personal data may also be disclosed to commercial service providers for marketing purposes by the responsible external data processors nominated for this task.
Furthermore, personal data may be communicated to the competent public institutions and authorities in compliance with regulatory obligations, or for determining responsibilities in the event of cybercrimes on the website, as well as those communicated to or attributed to third parties (as the persons responsible or, in the case of suppliers of electronic communication services, of self-employed), who provide IT and online services (e.g. hosting, management and website development services) and those engaged by the Data Controller for the performance of tasks and activities of a technical and organisational nature instrumental for the operation of the website. Those belonging to the above-mentioned categories operate as distinct Data Controllers or as Managers responsible appointed for this purpose by the Data Controller.
Personal data may also be shared with the Data Controller’s collaborators (consultants, collaborators, administrative, commercial and marketing staff, lawyers, credit institutions, system administrators, postal couriers, hosting providers, etc.), who are individuals expressly trained, appointed and authorised for the data processing, always and only for the fulfilment of the described purposes.
Duration of Personal Data Processing and storage
Data will be saved strictly for the necessary period and within the limits of the fulfilment of the purpose for which it was requested in order to manage the request.
The codes related to biometric data acquired by the system will not be diffused and/or transferred by any means; these may be made accessible to Judicial or Police Authorities who request such, for purposes necessary strictly for any eventual verification of the observance of the examination procedure.
Rights of the interested Party
The user may, at any time, exercise the rights recognised by law, including:
- access to personal data, by the Data Controller, the categories involved, and the addressees to whom this may be communicated, once the purpose of pursuit is made evident by decisive automated processing;
- Adjustment of inaccurate personal data concerning the interested Party without undue delay;
- Cancellation of data in determined cases;
- Limitation of processing or appeal to such, when possible;
- The possibility to obtain data portability of that provided to the Data Controller, that is, the receipt of data in a structured format, commonly used and easily legible from an automatic device, as well as the sharing of such data with another Data Controller, within the limits and obligations imposed by art. 20 of the GDPR.
With regard to the processing of the mentioned purposes referred to in point 4), the User may always withdraw the consent and may exercise the right to object to direct marketing (both “traditional” and “automated”). The objection, in absence of any contrary indications, will be intended to refer to both traditional and to the automated communications. Should the user have a DIDASKO account, he/she may always have access to all data that he/she provided through the MYEIPASS section in the reserved area; hereupon the user may always modify and delete data which is not essential for a correct and complete delivery of service. For further information, the User may contact firstname.lastname@example.org. Furthermore, the interested person is always entitled to lodge a complaint to the Control Authorities as provided by art. 77 of the GDPR, by contacting email@example.com or through http://www.gpdp.it.
Data Protection Officer (DPO)
The Data Protection Officer (hereinafter referred to as DPO) responsible is Advocate Daniela Maffei – Via Lifondi, 10 – 70029 Santeremo in Colle (BA), certified e-mail: firstname.lastname@example.org.
Data protection in case of PayPal purchase