Personal data processing holders, persons responsible and persons in charge are identified as follows
Personal data processing holders are identified in the legal representatives of the single Companies and are appointed by the respective Board of Directors.
The appointment of the persons responsible for data processing takes place through specific Organizational Communications, which also define the related competences and the ambits of work. For specific organizational needs, representation powers are conferred through power of attorney to the single persons responsible, thus legitimated to appoint persons responsible outside the Company of the Group.
The appointment of said external persons takes place through specific acts that regulate the appointed subjects’ obligations and duties. The appointment of the single persons in charge, carried out by the persons responsible for the processing, takes place in writing through ad hoc measures that also provide instructions for the correct data processing.
Particular instructions are given to system administrators and the persons in charge of passwords, in consideration of the specificity of their tasks.
Adoption of data security measuresThe adoption of adequate data security measures involves both computerized processing and paper processing.
This is guaranteed through internal operational regulations with which persons responsible and persons in charge must comply.
Risk analyses and the planning of interventions for guaranteeing the security of the personal data processing are carried out through electronic tools by persons responsible for ICT in each Company of Gruppo FS.
Information and consentIn order to provide correct information to the subjects involved in the personal data processing, and to acquire their consent, diversified information schemes have been organized on the basis of the various typologies of addressees: project workers, employees, managers, subjects in search of employment, collaborators, customers, suppliers, visitors, etc.
Said information, in compliance with what provided for by law, specifies the purposes of the processing, the mandatory or optional nature of providing data and consent, the consequences of a possible denial, the rights that the person involved can exert as regards personal data, the subjects that can be informed.