Savills is committed to ensuring that your privacy is protected and our use of your personal information is governed by this Privacy Notice. On this site, “Savills”, “our” and “we” each mean all the Italian companies in the Savills group (including but not limited to Savills Italia S.r.l. and Savills Italy S.r.l.) which collect and use your information in the manner set out in this Privacy Notice. Any reference to “you” or “your” refers to anyone whose personal information we process.
1. Data controller and data processor – art. 13 and 14 co. 1 lett. [a] [b] GDPR 2016/679
The Data controller is Savills, Via Manzoni 37, 20121 Milano - Milano, email firstname.lastname@example.org, which you can contact to exercise your rights listed in the GDPR and to obtain the updated list of all Data processors and their contact details.
Savills also has a company DPO appointed in the person of Anna Dondana, e-mail address: email@example.com
2. Kind of collected and processed data
Savills may process the following categories of data, according to the business processes involved:
a) Website visitors: they can enter their contact details (name, surname, email address and telephone number) if they want to be contacted by our experts, through the "Contact Us" form or if they wish to receive information in the section of the website dedicated to open careers. This category of data subject responds exclusively to Art. 14 of the GDPR;
b) Customers: they provide to the Data Controller the contact details of their company referents (name, surname, qualification, email and telephone contacts and address of their office), they can provide their personal information through their business cards or personally during fairs and congresses or dedicated meetings;
c) Product suppliers: provide to the Data Controller the contact details of their company referents (name, surname, qualification, email and telephone contacts and address of their office), they can provide their personal information through their own business card or personally during fairs and congresses or dedicated meetings;
d) Procurement suppliers: provide to the Data Controller the contact details of their company referents and the data concerning the obligations pursuant to Art. 26 of D.Lgs. 81/08 belonging to all the workers who could go to the client's sites (contact details, employment data, training, health suitability, identification card and specific operational details);
e) Employees and collaborators: the processing of employees' and collaborators' data is regulated by a specific policy, with attached consent, available from the company Privacy archives and for which it is necessary to contact the figures indicated in point 1 of this policy;
f) Individual companies (customers or suppliers): in the event that the customer or supplier are configured as an Individual Company, it will be necessary to process the bank and residence / domicile data in addition to the data mentioned above for each category.
3. Purpose and legal bases of data processing – art. 13 and 14 co. 1 lett. [c] [d] GDPR 2016/679
The purposes and legal bases for the processing of the categories of data subjects listed in the previous paragraph from a) to f) are the following:
a) To be contacted by Savills and to be able to argue the reasons that led the data subjects to enter their data on the website both on “Contact us” and on “Careers”.
b), c) and f) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
d) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract but also to fulfil the legal obligations of Occupational Health and Safety to which the Controller and the contractor are subject.
e) To fulfil the contractual and legal obligations connected with the employment relationship and the health and safety of workers and on the bases of explicit consent.
There is further processing, based on the legitimate interests pursued by the data controller, described in the final part of this document in the "Video surveillance" paragraph.
4. Origin of the data entered on the web pages “Contact us” and “Careers” - art 14 co. 2 lett. [f] GDPR 2016/679
The above data will be collected at the time of registration on the website in the space called "Contact Us" or in the "Careers" space. They are therefore supplied directly by the data subject and do not come from publicly accessible sources.
5. Communication and data sharing – art. 13 and 14 co. 1 lett. [e] [f] GDPR 2016/679
All the aforementioned information may be transmitted, without further consent, to companies and external consultants functional to the performance of the contractual relationship, according to the provisions of the applicable regulations, such as lawyers, accountants, notaries, technical consultants etc.
It is possible to know the complete list of the above recipients by sending a specific request to the contacts indicated in point 1.
6. Control, storage and time of data retention - art. 13 and 14 co. 2 lett. [a] GDPR 2016/679
The processing of personal data consists in the collection, recording, organization, storage and possible communication of the same data to third parties as described in point 5.
The processing of personal data of categories b), c), d), f), as described in point 2 is carried out in compliance with the provisions of article 5 of the European Regulation on the processing of personal data, on:
- paper support: contact details, business cards, data on invoices, contracts, and more generally documents relating to contract management activities (company documents that can possibly contain contact details of referents or owners of individual companies);
- IT support: contact details, business cards, data on invoices, contracts and more generally documents relating to contract management activities (company documents that can possibly contain contact details of referents or owners of individual companies);
in compliance with the rules of lawfulness, legitimacy, confidentiality and security provided by current legislation.
In general, the files relating to the data subjects referred to in letters a)-f) of point 2 are stored on the company server. These are accessible only to persons authorized to access the server and to the internal processors, as well as to the internal and external managers (Ref. complete list available from the contacts referred to in point 1), who are therefore required to have access to information exclusively for legitimate purposes, related to the nature of their work.
The paper documentation, if existing, is stored in locked cabinets placed in the offices, therefore reachable only by Savills personnel.
The Savills databases have systems that guarantee protection from both unauthorized access and other external factors that could cause damage to personal data. The data access requirements are regulated, and access is granted only to those who pursue authorized and lawful processing purposes.
In reiterating the guarantee that access to personal information is limited to employees and collaborators of Savills, or to other persons working on its behalf, we declare that suitable and appropriate training is provided to all employees who can access personal information, while the relationship with external employees is managed by a specific contract, regarding the processing of personal data.
The period for which personal information will be stored will depend on the duration of the relationship. The retention period may however be longer than the contractual period, based on legislative obligations or the need to manage any complaints or non-conformities that may arise even after the termination of the relationship.
7. Personal data transfer abroad
We may transfer, store, or process your personal information in locations outside Italy and the European Economic Area (EEA). Where the countries to which your personal information is transferred do not offer an equivalent level of protection for personal information to the Italian laws, we will ensure that appropriate safeguards are put in place.
8. Data subject rights - art. 13 and 14 co. 2 lett. [b] [c] [d] GDPR 2016/679
The data subject has the right to revoke the consent, obtain access to personal data and their update or correction. The data subject for legitimate reasons has the right to obtain the erasure of the same or the restriction of processing that concerns them, the portability of the data or to object to their processing. Finally, the data subject has the right to request the transformation of data into anonymous form. To exercise these rights, the data subject must contact the Data Controller or the company DPO using the contacts indicated in point 1.
The data subject may also always contact the Data Protection Authority.
9. Providing personal data and consequences of a rejection - art. 13 and 14 co. 2 lett. [e] [f] GDPR 2016/679
Providing your personal data is optional, but if you do not provide the information required for the previous purposes, we will not be able to perform our contract with you or answer your contact request.
10. Further information - art. 13 co. 2 lett. [f] GDPR 2016/679 and art. 14 co. 2 lett. [g] GDPR 2016/679
As regards your data, there is no automated decision-making process, nor any kind of profiling process.
It is not in the interests of the Data Controller to disseminate your data, nor to transmit them to third parties for purposes different from those indicated above in this policy.
Savills informs that video surveillance equipment has been installed at the company offices, in compliance with the provisions of law no. 300 of May 20, 1970 "Statute of workers", of Regulation 679/2016 GDPR as well as of the general provision on video surveillance of April 8, 2010 adopted by the Authority for the protection of personal data.
2. Purpose of data processing – art. 13 co. 1 lett. [c] [d] GDPR 2016/679
The video surveillance system carries out monitoring through video cameras installed at the entrances of the site, with related recording in the terms provided for by the current privacy regulations.
The video cameras are visible and provided with signalling through appropriate signage.
The personal data collected and processed through the video surveillance system are images of people and things that occasionally find themselves in transit within the area of action of the same.
These data are collected and processed exclusively for the purpose of protecting the corporate assets against possible damage, unauthorized entry, theft and robbery.
3. Processing methods - art. 13 co. 2 lett. [a] GDPR 2016/679
The collection and processing of data takes place in compliance with the principles of necessity, correctness, relevance and non-excess in relation only to the aforementioned purposes of protecting corporate assets. The controls on the recorded data are performed exclusively in the event of theft and alarm signalling, by reviewing the records in the presence of the Public Safety Authorities. Specifically, the images collected are treated in a way that guarantees their safety and at the same time protects the rights, personal freedoms, dignity and confidentiality of the persons concerned. The images are recorded and stored for a maximum of 48 hours, after which they are deleted, except for special extension requirements related to holidays or the closure of offices or if it is necessary to adhere to a specific investigative request by the judicial authority or the Judicial Police.
4. Data communication – art. 13 co. 1 lett. [e] [f] GDPR 2016/679
The data collected will not be disseminated, sold or exchanged with third parties, except in the case of crimes committed against the company; in these cases the images will be made available to the competent authority that will be called to the site.
5. Data subject rights - art. 13 co. 2 lett. [b] [c] [d] GDPR 2016/679
The data subjects have all the rights set in Articles 15 - 21 of GDPR and, in particular, the right to access the data concerning them and to verify the purposes, methods and logic of their treatment. With reference to the recorded images, the right to update, rectify or supplement them is not actually exercisable; the interested party has the right to obtain the blocking of the data if they are processed in violation of the law.