GDPR General Guidelines
Fundamentals of AGILE LAB compliance system
- The Compliance Team is responsible for compliance activities, as further detailed in the circle/role rules
- The Company's compliance repositories are:
- a) Compliance SharePoint for private and confidential documents
- b) online Handbook, for public documents
- c) Training assets
- The Compliance Team has access to and manages the Compliance SharePoint and the compliance section of the corporate Handbook, and assesses whether a document is public or not
- English is the main language
The effectiveness of this section of the Handbook and/or the respective procedures, and the need to update them, are subject to continuous checks and periodic audits on the basis of what is indicated in the specific Policies and, in any case, on a semi-annual basis.
The Compliance Team is responsible for updating the GDPR Registers of the Company, unless otherwise specified, on an ongoing or at least annual basis, after a direct discussion with the lead links of the internal Circles/Business Units to gather the information applicable to the specific services/activities provided to the client or carried out internally.
Originals of the GDPR Registers are stored on the Compliance SharePoint.
The provisions set out in this document, which also contain a description of the Company's work tools, are to be considered binding for every employee and collaborator of Agile Lab.
The violation of the provisions of this document may constitute a disciplinary offense, even of a serious nature, relevant for the purposes of the employment relationship and/or a serious breach of the existing consultancy relationships with the Company.
Privacy Principles
In order to prevent outsiders from gaining knowledge of the Data being processed, employees, collaborators and/or advisors must observe the following rules of ordinary diligence, as well as all other measures deemed necessary to ensure compliance with the provisions of the privacy regulations:
- all processing operations must be carried out in such a way as to ensure compliance with security measures and the confidentiality of the information that comes into their possession, treating all data as confidential and, as a rule, subject to secrecy
- all operations, whether digital or paper-based, concerning or relating to Data in relation to which Agile or Agile's clients are controllers, must be carried out exclusively using Company equipment and tools
- the individual phases of work and the conduct to be observed must make it possible to avoid the risk of loss or destruction of Data, the risk of access by unauthorized persons, and the risk of processing operations that are not permitted or do not conform to the purposes for which the Data were collected
- for the purposes referred to in the previous point, given the specific activity of Agile Lab, a further procedure for managing access to certain specific infrastructures is being implemented, of which the interested parties will be informed in due course
- in the event of moving away, even temporarily, from the workstation, all necessary measures must be taken (e.g. locking the PC) so that third parties, even if employees, cannot access the Data for which any type of processing was underway
- only processing operations limited to what is necessary for the purposes for which the Data were collected may be carried out
- with regard to Data for which client companies are controllers, only those processing operations necessary to fulfil the contractual commitments undertaken may be carried out
- the accuracy of the data processed and their relevance to the purposes pursued in each case must be constantly verified. If a data subject withdraws his/her consent to the processing of Data pursuant to art. 7, paragraph 3, of the Regulation, the employee and/or collaborator must promptly notify the Controller or, if present, the Processor for the adoption of any necessary measure
Processing of Special Personal Data (art. 9 GDPR)
All processing of special personal data in accordance with art. 9 of the GDPR (data revealing racial or ethnic origin, religious or philosophical beliefs, political opinions or trade union membership, genetic data, biometric data, health data and data concerning sexual orientation) shall be carried out so as to minimise any security and confidentiality risk. Documents shall be stored in segregated folders, with access limited to selected workers and the head of the Circle concerned, who is responsible for selecting the additional users allowed to access the data.
Circle leaders shall monitor and report to Compliance Team.
Data Subject Rights Management - Retention and Deletion
Agile establishes a structured process to ensure full compliance with GDPR rights of the data subject (Arts. 12-23), including:
- handling requests for access, rectification, erasure, restriction, objection and portability
- verifying the identity of the requester
- ensuring appropriate response within statutory deadlines
- maintaining logs of all rights-related activities on the Compliance SharePoint
- defining and implementing retention, deletion and anonymisation rules for each processing activity, consistent with Record of Processing and legal requirements
The Compliance Team ensures the annual review of retention schedules and supervises the technical deletion mechanisms, in collaboration with Internal IT and any other Functions that may be involved in specific processing of personal data.
Data Protection Impact Assessment (DPIA)
A formal DPIA process is established for processing operations likely to result in high risks to the rights and freedoms of individuals (Art. 35 GDPR). The process includes:
- risk identification and evaluation
- assessment of necessity and proportionality
- consultation with the DPO
- documentation and approval workflow stored on the Compliance SharePoint
An update of the Witboost DPIA shall be completed by year-end, based on the information currently available and further developments.
Updating of Privacy Notices and Consent Forms
For processing involving sensitive or high-risk data categories, the Company shall:
- periodically review and update all Privacy Notices contained in the Handbook
- verify clarity, lawfulness, fairness and transparency of all disclosures to data subjects
- update Consent Forms where applicable
- align the documentation with any new processing purposes, technologies, tools, or organisational changes
A complete review of all relevant Handbook sections shall be carried out as part of the General Policy update.
Risk Assessment and First-Level Controls on Processing Activities
Agile adopts a structured risk assessment process supporting:
- identification of risks associated with each processing activity
- evaluation of adequacy and effectiveness of existing measures
- design of first-level controls ensuring the principles of data minimisation, correctness, retention, modification, deletion and security
- definition of accountability measures for each Circle involved
For outsourced processing activities, the Company establishes monitoring mechanisms to ensure ongoing compliance by Processors, including:
- periodic verification of contractual safeguards
- checks on technical and organisational measures
- documented assessments with evidence stored on the Compliance SharePoint