Side App Privacy

 Privacy Policy Regarding ZucchettiAxess APPs

  Pursuant to Art. 13 European Data Protection Regulation 2016/679 (GDPR)

 

This Privacy Policy applies solely and exclusively to the Side application, and not to any websites through which the User may, for example, access or use the application.

 

Data Controller 

The data controller of personal data, in accordance with Article 4 point 7) of the GDPR, is ZucchettiAxess spa with registered office in Lodi, Via Solferino, n. 1, 26900 – e-mail ufficio.privacy@zucchetti.it

 

Data protection officer

The data protection officer is Dr. Mario Brocca whom you can contact by emailing dpo@zucchetti.it.

 

Developer

The Developer of the application is ZucchettiAxess Spa, with registered office in Lodi, Via Solferino n. 1, 26900 – ufficio.privacy@zucchetti.it

 

Personal data collected

The services provided by the App, as well as its features and functions, do not require any form of registration of Users. We point out, however, that the computer systems and software procedures in charge of the operation of the App (such as Apple Store, Google Play or App Gallery) acquire, in the course of their normal operation, some data referable to the User whose transmission is implicit in the use of internet communication protocols, smartphones and devices used. This category of data includes, but is not limited to, geographical location, telephone identity, User’s contact information, e-mail, credit card information. The User may consult the Privacy information available on the following sites

 

 

 

App Side collects the following data:

  • Geolocation*: the App does not use this feature; GPS is not used. To activate the hands-free stamping feature, “iBeacon” devices that emit a BLE signal according to an Apple standard are installed near the RFID BLE readers. This signal allows the App Side to activate. The iBeacon tells the App Side which reader to send which credential to. The above occurs automatically when the user passes with the device through an area covered by the iBeacon.
    The “where am I” data is not saved in the App or sent; the iBeacon signal is used only to activate the App.

To use the above feature, geolocation must be enabled on the device, even though GPS itself is not used. If geolocation activation is not allowed, the hands-free feature will not be available.

  • Camera*: the App does not use this feature
  • Access to files contained in the device*:  the App does not use this feature

***

  • Collects and manages the following personal data:

 

  • App Side without registration to Credential Manager’s cloud service “Entry 365”
    • Random code that is generated by the App Side upon installation;

 

  • App Side with registration to Credential Manager’s cloud service “Entry 365”
    • Phone ID
    • To receive credentials, the user must log in to the Credential Manager with his or her email as the user name. The email address is not stored in the APP
    • Credential(s) generated by Credential Manager service “Entry365” and sent to smartphone (APP Side stores all credentials it receives)

 

 

 

Mandatory or optional nature of providing data and consequences of refusal

The provision of data is optional; however, the provision of some data is necessary for the provision of the service. In this case, refusal to provide it does not allow the provision of the service and the use of that particular feature of the App.

 

Method of treatment

Processing takes place electronically, and while using the app, personal data are redirected through secure connections to the Credential Manager. The random code or credentials received from the Credential Manager are stored by the App Side. Through the App, the user can:

  • Delete individual credentials
  • Request deletion of his or her account, with its associated data, from the Credential Manager cloud service.

 

Secure procedures for handling personal and sensitive user data

The developer has developed and implemented secure data processing procedures consisting of security measures at both the technical-organizational level and the support services level.

Specifically, the security measures that can be configured at the application level are:

The Side App benefits from all the security measures that the user can choose to activate directly on his or her smartphone, for example facial recognition, fingerprint, passcode, etc.

 

With specific reference to the Side App, the security measures are as follows:

  • The credentials received from the Credential Manager cloud service (or the random code in case of using the Side app without registering for the Credential Manager service) are stored on the device in an encrypted format;
  • The credential code is transferred to the reading device with different technologies depending on the type of credential: BLE credentials are sent encrypted over BLE, NFC credentials are sent encrypted over NFC, and QR credentials are read by a special QR code reader. Credentials based on secure QR codes that periodically change are available;
  • All communication between the App Side and the Credential Manager cloud service is encrypted over HTTPS;
  • Credential Manager databases are encrypted;
  • MFA can be implemented for access to Side and the Credential Manager.

 

With regard to support procedures, the security of processing is ensured for each planned delivery mode with the following methods:

SUPPORT SERVICE

Support for Zucchetti Axess products and services, depending on the mode of delivery, is carried out in the following ways:

  • On Site Support
  • Phone support
  • Support through email/web tickets
  • Assistance through receipt of customer databases
  • Support through TeamViewer and/or Meeting Webex remote connection
  • Support through remote connection via VPN
  • Conversions and start-up projects

 

As defined by the contract, assistance performed remotely involves access to the system, which must always be authorized and controlled by the client/processor. Therefore, each access is recorded by the operator performing it by saving the email exchange.

 

CONTRACTORS TO WHOM SERVICE IS PROVIDED

Service is provided to:

  • Zucchetti Axess Direct Customers
  • Indirect Customers

 

Support service generally involves:

  • For direct customers: phone call or email to service (backoffice/dedicated mailbox) that sends an email to support. The call is opened on Ad Hoc;
  • For indirect customers, the request is sent directly from the customer to a dedicated mailbox (support@axesstmc.com) and is used as an HDA ticket tool.

Support is provided on both the Xatlas software and the hardware (firmware), as well as on video surveillance systems (whether integrated with Xatlas or not).

PROCEDURES

ON SITE ASSISTANCE

Zucchetti Axess employees access the customer’s facility to do training or technical maintenance/service and installation.

In this case, they work as if they were part of the Customer/Processor’s structure and adopt all the procedures that the Customer requires them to adopt. Clients/Processing Owners may generate individual users for access to their systems, or they may have Zucchetti Axess appointees log in side-by-side to train their staff.

If, during the assistance activity, the Zucchetti Axess appointees need to take archives or databases in order to solve the highlighted problems, they must inform the Customer/Processor and formalize, even just by sending an email, that the DB was taken with the authorization of the Customer. At the end of the activity at the offices of Zucchetti AX, the person in charge who handled the intervention will provide for the deletion of the data; should it be necessary to keep the data for a further period of time, a specific email with the following minimum content must be sent to the Client/Processor:

“Dear Customer, I would like to inform you that the problem you reported for the solution of which there was a need to retrieve your archives has been solved. I inform you that we will retain the archives from our information systems for the next X days (to be defined from time to time as needed). At the end of the agreed period, the archives will be removed from the Zucchetti Axess information systems and can no longer be restored.”

 

TELEPHONE ASSISTANCE

Telephone assistance presents no problems from a personal data processing point of view. No data or files are transmitted, and communication remains verbal. Generally, the first contact after the customer’s request for assistance always takes place in this mode, to define the reported issue in detail.

 

ASSISTANCE VIA EMAIL/WEB TICKETS

In email assistance, always include the disclaimer in the message text:

“The contents of this email and any attachments are strictly confidential, non-producible in court, and intended for the person(s) to whom it is addressed. The content of the response to this email may also be known by other employees who are part of the same Homogenous Group as the writer or of different homogenous groups but specular to the solution of the problem you reported. If you include attachments containing personal data in your response to the message, the same will be saved in the ticketing tool and/or email attachments by the same kept for 3 years. If you have received this email in error, please report it to us immediately and delete it from your computer. Copying and dissemination of the contents of this email is prohibited. Any misuse of the information contained herein by third parties or otherwise not named in this email may be prosecuted to the fullest extent of the law. Please note that in order to exercise your rights under Articles 15 et seq. of the EU Regulation 2016/679 (GDPR), you can contact the following address: ufficio.privacy@zucchetti.it”.

 

Zucchetti Axess representatives should never have the Customer’s login credentials emailed to them (only those used and in the Customer’s possession, not those generated specifically for technicians to log in), let alone saved on the ticketing tool and/or in emails.

 

If a Customer/partner sends access credentials to their environment without a request from Zucchetti Axess appointees, the reply must state that we are not authorized to access systems with other users’ credentials, as this mode violates EU Regulation 2016/679 (GDPR). Zucchetti AX appointees must then request individual credentials or a connection with TeamViewer (or equivalent tool).

 

Each email must be signed with the first and last name of the operator who handled the Client’s problem and the information must be saved in the ticketing and/or email.

Clarification:

The disclaimer can also be included in web tickets.

Personal emails should not be used, as they cannot be checked.

 

ASSISTANCE THROUGH THE RECEIPT OF CUSTOMER DATA BASES

If, in order to solve the problem reported by the Customer/Processor, it is necessary to have the database or other files or queries containing personal data transmitted, the customer must be notified of this need. If the customer is not able to make the copy independently and requires Zucchetti Axess representatives to do it themselves, it is necessary to receive his/her authorization also for the connection with VPN (to be saved in the ticketing tool and/or in the email).

 

To carry out this activity, it is necessary to send the client/processor an email of the following tenor:

“Esteemed Client,

In order to resolve the problem you have reported, it is necessary to perform checks on your records.

We ask you to authorize us to connect through VPN to take copies and process them for resolution of what was reported.”

 

The records will be kept for as long as is strictly necessary to resolve the reported issue and must be deleted, by Zucchetti Axess representatives, at the end of the intervention.

The data must be saved in non-backed-up directories.

 

If the records need to be retained, an email must be sent to the customer, as below:

“Esteemed customer,

having resolved the problems on the archives you sent to us, we request your permission to retain your archives at our infrastructure for an additional _____ days. This preservation is intended to verify any issues that you report to us while using the restored archives. At the end of the aforementioned period we will permanently delete the archives. If after that period there is a need for your archives we will request them from you.

We ask for your express confirmation to this effect by responding to this message. Should your response be in the negative, we will arrange for immediate deletion of your records.”

 

Customer files may never be forwarded to work groups other than those aimed at solving the problem reported by the customer.

 

The only option we have for retaining records without the client’s prior authorization is to anonymize them.

 

ASSISTANCE THROUGH REMOTE TEAMVIEWER CONNECTION

This mode of connection on clients’ instruments ensures privacy in that:

  • The connection is always requested by the customer
  • Access credentials are always individual
  • The customer gives us access to an environment with authorization profile chosen by the customer for us to perform the service activities
  • The customer can disconnect us whenever he/she wishes.

 

 

Through TeamViewer, it is also possible to have 2nd-level support access the same session we opened. In this case the client has evidence of this, because it is provided by the tool, and therefore implicitly accepts this mode.

 

If there is a need not to show the customer codes, passwords or licenses that we need to enter for the correct operation of the tool, it is essential to use the TeamViewer function: Show black screen.

It is essential to use our TeamViewer as it is licensed and customized with all the documentation that must be produced by the Personal Data Processing Act.

 

Only in exceptional cases and after careful evaluation by the person in charge and the privacy office is it possible to use other connection tools that behave in the same way.

 

ASSISTANCE THROUGH CONNECTION VIA VPN

If support activities are to be carried out via VPN or private access, it is necessary for Zucchetti Axess employees to enter customer systems:

  • Subject to customer approval
  • That they have active credentials for the time required to perform the required activities
  • That at the end of the activity they are deactivated by the Client/Processor

 

User creation should be requested only from the client, who must generate it individually for each Zucchetti AX appointee.

 

An email must be sent to the customer:

“In order to perform the support activities you have requested, it is necessary to create individual access profiles for the operators who will perform this activity. Therefore, it is necessary for you to generate such credentials in the system.”

 

When the Client makes the request to us, once the individual user is created:

“In order to perform the service activities you requested, it is necessary for me to activate the user matched to me.”

 

At the end:

“The service activity has ended; we remind you to deactivate the credentials in order to protect your personal data.”

 

OTHER TYPES OF ASSISTANCE

Assistance is also provided on video surveillance systems. When the camera does not work, if the system is integrated into Xatlas, action is taken directly on Xatlas; in these cases access is to configuration settings or to images, but only in real time, and no one ever accesses the recordings. If the recordings do not work, assistance is provided to the video surveillance system maintainers.

 

 

Categories of recipients to whom the data may be disclosed

Personal data collected may be disclosed to Zucchetti Group companies and their subcontractors in order to perform all support and maintenance activities.

 

Period of retention of personal data

Credentials are stored in Side until the user deletes them. The data that make up the user’s account are stored in the Entry365 Credential Manager cloud service. The user can request deletion of this data and destruction of his or her account through the App.

 

Purposes of the processing for which personal data are intended

The app is used for time card punching and for passing through access control. An additional purpose of processing is to provide support and maintenance services to the Owner.

 

Scope of knowledge of your data

To receive credentials, an account is created on the Credential Manager cloud server with the user’s data. The user logs onto the Credential Manager via the App with his or her email and a password. An account has already been created on the Credential Manager associated with his or her email.

 

Territorial scope of treatment

The data provided will be processed in Italy.

 

Rights of data subjects

You will be able to exercise your rights by sending an email to ufficio.privacy@zucchetti.it. In particular, you will be able to request access to the personal data concerning you, its rectification or deletion, or restriction of processing, and you will be able to object to processing. In addition, you will have the right to data portability and, should you wish to file a complaint, you may also file it with the Data Protection Authority.
