Data Retention Policy
Data must be processed and retained for the time necessary to fulfill the purposes for which it was collected.
Therefore:
- Personal Data collected for purposes related to the performance of a contract between the Data Controller and the User will be retained until the completion of such contract.
- Personal Data collected and/or processed for purposes related to the legitimate interests of the Data Controller will be retained until such interests are satisfied. The User can obtain further information regarding the legitimate interests pursued by the Data Controller in the relevant sections of this document or by contacting Agile Lab S.r.l.
Subject to the general provisions indicated in the previous points of this section, Personal Data is processed and/or retained by the Data Controller following the standards indicated in the table below:
- Category of individuals and/or data
- Purpose of processing
- Maximum retention period Customers
- Service delivery
- Duration of the contract
- Service procurement
- Duration of the contract and subsequent 10 years, plus any fiscal and/or legal obligations Employees
- Work performance
- Duration of the employment relationship and subsequent 10 years, plus legal obligations
The retention period for art. 9 (GDPR) Data shall be the lowest possible. The retention period for marketing purposes is 2 years from the acquisition of consent.
Personal data processed by the Company on behalf of its customers will be retained according to the contractual provisions until such third party ceases processing or, in any case, requests their deletion or destruction.
The processing of Personal Data for which the Company is the Data Controller, their retention, and duration are defined in accordance with the applicable legal regulations (GDPR, civil and tax legislation, anti-money laundering regulations, investment services regulations, fiscal monitoring regulations, etc.) and contractual obligations.
Once the maximum period allowed for data retention has been reached and no further legitimate reasons permit or require the continued retention, the Data Controller will proceed with their deletion according to the methods and procedures indicated in the specific section of the Data Deletion Policy.
The provisions of this section do not affect the exercise of rights recognized by the applicable legal and contractual provisions to Users and any other entitled individuals.
Compliance Team on an annual basis shall evaluate and check the fuflfilment of the principles above and shall report it on the relevant GDPR Register.
Rights of data subjects
The Data Controller guarantees Users and/or entitled individuals the exercise of the rights granted to them by the current legislation (Articles 15 and onwards of the GDPR and any additional applicable provisions), within the limits and according to the procedures established by such legislation. Without prejudice to any further rights, the Data Controller, in compliance with the applicable regulations, acknowledges the following rights:
- Right of access by the data subject
- Right to rectification of data
- Right to erasure ("right to be forgotten"), unless the conditions indicated in Article 17(3) of the GDPR that limit the exercise of such right are present
- Right to restriction of processing, subject to one or more conditions provided for in Article 18 of the GDPR
- Right to data portability, within the limits and according to the procedures established in Article 20 of the GDPR
- Right to object to processing, within the limits and according to the procedures established in Article 21 of the GDPR
- Right to lodge a complaint with the data protection supervisory authority, without prejudice to the right to seek recourse in other administrative or judicial bodies.
- The rights granted to the User can be exercised through written communication.