In accordance with Article 13 of EU Regulation 2016/679 (GDPR), we inform you that your personal data is collected when you set up your account in the Exprivia Group's Microsoft 365 Tenant, in order to allow you access. If you participate in meetings and events organized by Group companies on the Microsoft Teams platform, any recording and transcription of the Microsoft Teams platform will involve the collection of personal data such as images and voice.

The companies of the Exprivia Group, in their capacity as independent Data Controllers, pursuant to Article 13 of Regulation (EU) 2016/679 (hereinafter “GDPR”) and Legislative Decree 196/2003 (hereinafter the “Privacy Code”), as amended by Legislative Decree 101/2018 containing provisions to align national legislation with the GDPR, hereby provide you with information regarding the processing of your personal data as well as the video and audio recordings collected during meetings and events organized by the Group companies on Microsoft’s “Teams” platform.
The Data Controller companies are committed to protecting personal data in accordance with and based on the principles established by the aforementioned regulations.

Some of the companies within the Exprivia Group are based in non-EU countries that do not have legislation considered adequate by the European Commission pursuant to Article 45 of the GDPR. The Group companies that transfer data outside the EU to Group companies located in non-EU countries without adequate protection have nonetheless entered into specific Standard Contractual Clauses to legitimize such transfers. Therefore, even though the non-EU companies are not subject to EU privacy regulations, they act as Data Controllers for processing activities that involve EU citizens or that take place within the territory of an EU Member State, such as processing carried out through TEAMS or other functionalities of the Microsoft 365 system.

The Microsoft 365 Tenant is located in EU countries. For further information on how Microsoft manages the tenant, please refer to the Microsoft informational webpage.https://learn.microsoft.com/it-it/microsoft-365/solutions/tenant-management-overview?view=o365-worldwide.

1. Data Controllers

Each of the Exprivia Group companies listed below, when using the Group Microsoft 365 Tenant, may organize events (e.g., meetings or videocalls) that result in the processing of personal data of participants.

For each event organized through Microsoft 365, the independent Data Controller is the Company that organized the meeting and may therefore activate the recording and transcription functionalities through an authorized employee who sent you the invitation to participate.

The Data Controllers are:

• Exprivia SpA, Registered Office: Via A. Olivetti 11, Molfetta (BA), Italy

• Exprivia Project S.r.l., Registered Office: Via della Bufalotta 378, Rome, Italy

• Exprivia do Brasil Serviços de Informatica Ltda, Registered Office: Av Franklin Roosevelt 115, Conj 705 Parte Centro, Rio De Janeiro CEP 20021-120, Brazil

• Exprivia S.L.U., Registered Office: Avenida de Europa 19, 28108 Alcobendas (Madrid), Spain

• Exprivia Mexico SA de CV, Registered Office: Av. Ejercito Nacional 216 Piso 12 Oficina 1210, Col. Anzures CP 11590, Mexico City, Mexico

• Exprivia IT Solutions (Shanghai) Ltd, Registered Office: Suite 1008, J.D. Tower, 2790 Zhongshan North Road, Putuo District, Shanghai, P.R. China

• ACS-D GmbH, Registered Office: Löwenstraße 4-8, D63067 Offenbach am Main, Germany

• Balance S.p.A., Registered Office: Via Valtorta 43, Milan, Italy

• BALANCE ALBANIA SH.P.K., Registered Office: Rruga "Ibrahim Rrugova", Pallati Nr.5 "Sky Tower", Apartment Nr.3, 8th Floor, Tirana, Albania

Microsoft acts as Data Processor pursuant to Article 28 GDPR for the management of the Teams service.

     2. Source and categories of data processed

Images and audio will be automatically collected by Microsoft Teams, which—through its recording and transcription features—records the screen of the ongoing meeting or, in the case of transcription, records participants’ contributions in order to produce a summary of the meeting. The personal data processed include, for example, identifying data (e.g., first name, last name, email) of the participant, their face, voice, and any additional personal information communicated via chat or spoken during the meeting.

If it is necessary to configure an account to allow you to access other functionalities, additional data may be collected regarding your job role, the company you belong to, and other personal and contact details.

In addition, data such as login credentials and activity history will be collected to allow you to use Teams, as well as log data for security purposes.

Your image and voice will be recorded only if, in the specific meeting, you authorize the activation of your microphone and/or camera. If you refuse, you may use listening-only mode.

     3. Purpose of processing

The recording of the data subject’s video images and voice through the Teams recording function, and the subsequent processing by the Companies, is carried out, depending on the case, for one or more of the following purposes:

a) The need to record the meeting for training/information purposes for internal staff or third parties (e.g., webinars, events, or service presentations);
b) Business needs, where it is necessary to share the recordings with other members of the internal Exprivia team or with an authorized third party, in order to stay updated on the ongoing activities discussed in the meeting;
c) For meetings in which decisions of significant importance for the core business must be made, in order to document the meeting and avoid misunderstandings or incorrect interpretations, thus pursuing a defensive purpose out of court;
d) The need to document the meeting for legal or contractual purposes (for example, recordings to be attached to end-of-project reports, work progress reports, meetings of corporate bodies, etc.). For meetings of corporate bodies, the alternative option of in-person attendance at the company is allowed to ensure the rights of eligible participants.
e) In addition to the cases listed above, in other circumstances where delayed transcription of the key points of the meeting becomes necessary.
f) For IT security purposes

Legal basis:

• For the purposes referred to in point (a), the legal basis is legitimate interest with regard to employees, while for third parties it is the fulfillment of contractual or pre-contractual obligations.

• For the purposes referred to in point (b), the legal basis for processing employees’ data is legitimate interest, while for third parties it is the fulfillment of contractual or pre-contractual obligations.

• For the purposes referred to in point (d), the legal basis is the legal obligation to which the Data Controller is subject, or the fulfillment of pre-contractual and contractual obligations.

• For other purposes: legitimate interest

For all these purposes, however, your consent is required with regard to data consisting of images and voice. Such consent will be requested when accessing the event or, in any case, when activating the recording and/or transcription features. If you refuse, you will still be able to listen to participants’ contributions, but you will not be able to interact and therefore will not be able to activate your microphone or webcam.

In particular, before the recording feature is activated, participants are informed by the Data Controller so that they may leave the virtual meeting space or refuse to give consent. The system technically allows you, in some cases, to authorize audio recording only and not video recording; however, this will not be possible for meetings that have legal significance.

You may also revoke your consent at any time, easily and free of charge. Revocation of consent does not affect any processing carried out previously, and the Data Controller will assess, on a case-by-case basis, whether to refrain from any further processing of your personal data based on consent, or whether such processing may continue due to a legal obligation (e.g., meetings of the corporate bodies of each Data Controller) or on the basis of the Controller’s legitimate interest, following an assessment of the balance of interests, where it emerges that the legitimate interests pursued by the Controller do not override the interests, rights, or fundamental freedoms of the data subject (e.g., in the event of subsequent defensive needs). This is also due to the fact that, when the recording feature is activated, participants are informed by the Data Controller so that they may leave the meeting.

If it becomes necessary to create an account for you, the purpose of the processing is to allow you to access the Exprivia Group tenant with your credentials in order to facilitate communication and collaboration with the Data Controller. In such cases, the legal basis consists of the contractual or pre-contractual agreements entered into with you or with your organization.

     4. Methods of processing

The data are processed by the Data Controller using electronic methods and procedures, including the use of electronic, telephone, IT, or otherwise automated tools. The same methods and procedures are used when the data are communicated, for the purposes described above, to the third parties indicated in this notice, who in turn are required to process them for the specific purposes set out herein, using methods and procedures that comply with the applicable regulations.

     5. Data Communication 

Once the recording is completed, it is by default stored in the TEAMS cloud in a meeting folder that is visible and accessible only to the organizer and to users of the Exprivia Group Data Controller companies who participated in the meeting. Any external guest users outside the Exprivia Group network who take part in the meeting may only view the recording through their browser on a computer or mobile device. Sharing recordings outside the TEAMS cloud environment is permitted only for the purpose of fulfilling a legal or contractual obligation to which the Data Controller is subject. For further information on how Microsoft processes such personal data, please refer to the link.https://www.microsoft.com/it-it/privacy/privacystatement.

Furthermore, the data subject’s personal data may be collected and used—exclusively for the purposes set out in this Privacy Notice—also by entities that process data on behalf of the Data Controller, appointed by the latter as data processors pursuant to Article 28 of the GDPR. For more information on Microsoft’s Data Protection Addendum (DPA), in its capacity as Data Processor, please refer to the link.https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA.

The communication of personal data may also be carried out in compliance with legal obligations and for the purpose of defending or exercising a right in judicial proceedings.

The personal data collected will not be disseminated, meaning they will not be made available to unspecified parties in any form whatsoever, including by making them accessible or available for simple consultation.

     6. Transfer outside the European Union

Personal data will be stored and processed within the European Union. In particular, the Microsoft 365 tenant in which the processed personal data reside is hosted in Microsoft datacenters located in the EU. Data processing is carried out by authorized personnel and from within Italy.

In any case, for exceptional and rare processing situations in which staff of Exprivia Group companies located outside the EU are authorized, Exprivia S.p.A. has entered into Standard Contractual Clauses—approved by the European Commission under the applicable legislation—with the Data Controllers belonging to the Exprivia Group and located in non-EU countries for which no adequacy decision by the European Commission exists regarding personal data protection.

For an updated list of the Exprivia Group companies, please refer to the webpage on the Exprivia Group’s official website.

https://www.exprivia.it/it/location/.

     7. Data Retention Policy

Recordings are automatically saved to the Teams cloud, where they are stored for 120 days before being moved to the recycle bin by default. Meeting organizers may extend the retention period by modifying the details panel of the meeting recording file, in accordance with the specific purposes of data processing (contractual or pre-contractual purposes). Meeting recordings can be recovered from the recycle bin for up to 93 days after deletion. If there are defensive purposes, retention may be extended until the judgment becomes final.

The personal data collected to create your account will be retained until the end of your relationship, or that of your organization, with the relevant Data Controller.

     8. Data Subject rights

Data subjects may exercise the rights provided for in Articles 15 et seq. of EU Regulation 679/2016, in accordance with the nature and type of data processed.

To exercise their rights, data subjects must submit a specific request to the relevant Company, in its capacity as Data Controller, through the parent company’s function at the email address ufficio.privacy@exprivia.com, specifying the Data Controller to whom the request is addressed, or to the parent company’s Data Protection Officer at dpo_expriviaspa@exprivia.com.
These same rights may also be exercised by writing to the Data Controller’s registered office at the addresses indicated above and preferably including “privacy” in the subject line.
You may access the updated list of Data Processors by requesting it using the same procedures described above.

Furthermore, data subjects who believe that the processing of their personal data is carried out in violation of the privacy Regulation have the right to lodge a complaint with the Italian Data Protection Authority (pursuant to Article 77 of the Regulation) using the contact details published on the Authority’s official website (www.garanteprivacy.it), headquartered in Rome, Piazza Venezia 11, 00187, or to seek judicial remedy (Article 79 of the Regulation).