Personal data processing in web services

Processing of personal data of users of web services and other communication channels, pursuant to Article 13 of (EU) Regulation 2016/679 EU

INPS, with its registered office in Rome, via Ciro il Grande, 21, as Data Controller, hereby informs its users about the processing of their personal data, directly provided by the users themselves, through interaction with:

• the Institute's web services, corresponding to the home page of the INPS institutional website, accessible via internet at the following address: www.inps.it;
• other communication channels such as the Contact Center, Mobile Services, Chats, Skype, Fax and Email.

INPS ensures that the processing of data of the users of the above mentioned INPS services (hereinafter "users"), is carried out in compliance with the conditions and within the limits established by the EU Regulation and Legislative Decree no. 196 of 30 June 2003, as amended and supplemented by Legislative Decree no. 101 of 10 August 2018 "Provisions for the adaptation of national legislation to the provisions of (EU) Regulation 2016/679" and in compliance with the principles of lawfulness, minimisation, limitation, security, correctness and integrity as established by the EU Regulation.

POLICY ON THE USE OF THE WEB PORTAL AND OTHER COMMUNICATION CHANNELS.
Common information

Personal data provided by users

The personal data provided directly by users are necessary to fully benefit from the services provided by INPS, including, for example, the attribution of personal PIN authentication credentials online, online services of the portal and claims for assistance through the Contact Center.

The data required to enable access to the portal and its services are acquired and stored on server storage media and are protected by security measures. Access to the systems by the authorized individual is strictly personal and based on the use of authentication credentials which are only known to the individual user.

Please click here for PIN usage rules and specifications regarding the related responsibilities of the user.

Apart from what is yet to be specified for website navigation data, the user can provide the personal data claimed while browsing the various pages of the site or using the other contact channels: failure to provide such data in cases which are specifically indicated, may make it impossible to obtain what has been claimed.

E.g.: failure to provide the email address means that the PIN cannot be obtained.

The optional, explicit and voluntary sending of electronic mail to the addresses indicated on the website involves, by its very nature, the subsequent acquisition of the sender's address, necessary to respond to claims, as well as any other personal data included in the message.

Specific information is progressively reported or displayed on the pages of the site in relation to the specific service being claimed.

Purposes of the processing and communication of users’ personal data.

The personal data provided by users who access INPS services are necessary to benefit from the services and are not disclosed to third parties, unless provided for by law or regulations, and within the limits set, or alternatively, such information is necessary for the pursuit of the institutional purposes of INPS.

The completion of web forms relating to the Institute's services involves the acquisition of the user's personal data. The user should be aware that such data will be used for processing purposes related to the services themselves. Personal and contact details are collected when claiming a PIN (online, through the Contact Center or at INPS local offices) and are used to communicate with users in the context of digital identity lifecycle management and for the provision of the required INPS services.

In addition, in order to provide the user with a more complete and effective service, the contact details provided are further used by INPS for the sending of:

• confirmations, personal documents or communication relating to claims submitted to the Institute through any contact channel, by the individual concerned;
• information regarding the insurance position and contributor status and any services of interest to the user.

Finally, for the purpose described below, the user may specify in the appropriate section of the site, whether he or she does not accept that the contact details provided can be used by INPS for the following purposes:

• sending informative material or inviting users to complete satisfaction surveys.

INPS invites users to provide personal contact details, indicating, in the appropriate sections, the contact details that can only be traced back to their natural persons and not to third parties or intermediaries and, in claims for services, not to communicate names or additional personal data of other individuals in cases where these are not strictly necessary and required by the procedures.

Some acquired data may be consolidated, in an anonymous form, to produce statistical data, or used for taking proactive measures for the benefit of the authenticated user, as is clear in the Home Page, in the section "You might be interested" or in the section "People like you" or to suggest services/performances of possible interest.

Place and method of data processing

The processing operations connected to the services of the Portal and other communication channels of INPS take place at the offices of the Institute and of the Data Processors (appointed by INPS pursuant to Article 28 of (EU) Regulation 2016/679), and are carried out only by technical or administrative staff, who are expressly appointed and trained for this purpose, with logic strictly related to the purposes for which the data is collected; in any case, this logic is provided in order to ensure the security and confidentiality in compliance with the provisions of the EU Regulation, Articles 5 to 11, and by Legislative Decree no. 196 of 30 June 2003, as amended and supplemented by Legislative Decree no. 101 of 10 August 2018 "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679".

Personal data is processed with automated tools for the time strictly necessary to achieve the purposes for which the data is collected, along with specific security measures which are observed to prevent loss of data, unlawful or incorrect use and unauthorized access. No personal data resulting from the use of the services of the Portal and other communication channels can be disclosed unless it is provided for by specific regulations.

User rights

Users have the right, at any time, to obtain confirmation of the existence or non-existence of personal data concerning them and/or to verify how INPS makes use of them.

Moreover, users have the right to claim, in the forms provided for by the law, the rectification of inaccurate personal data and the completion of incomplete data; in cases indicated by the EU Regulation, without prejudice to the special rules provided for certain processing, they may also claim the deletion of the data, after the prescribed storage periods, or the limitation of processing; opposition to processing, for reasons related to their particular situation, is allowed unless there are legitimate reasons for the continuation of processing.

The appropriate claim to INPS is made by contacting the Data Protection Officer at INPS (INPS - Data Protection Officer, Via Ciro il Grande, 21, postal code 00144, Rome; certified e-mail: responsabileprotezionedati.inps@postacert.inps.gov.it).

NOTICE: The following certified and institutional email addresses, responsabileprotezionedati.inps@postacert.inps.gov.it and responsabileprotezionedati@inps.it are dedicated exclusively to sending the applications referred to in Articles 15 et seq. of Regulation (EU) 2016/679 to the Data Protection Officer and cannot be used for other purposes of contact with INPS (sending service claims, claims regarding the online PIN, request for clarification on benefits, the status of practices, etc.).

Any messages that are not referable to the declared purposes of these mailboxes will not be taken into consideration and no explicit reply will be provided.

Users who believe that the processing of their personal data being carried out by INPS is in violation of the provisions of the EU Regulation have the right to lodge a complaint with the Guarantor for the protection of personal data (National Supervisory Authority), as provided for in Article 77 of this Regulation, or take appropriate legal action (Article 79 of the EU Regulation).

Further information on user rights can be found on the Italian Data Protection Authority's website at www.garanteprivacy.it.

Information on the processing of data of users of INPS institutional services can be consulted in the PRIVACY section of the Institute's website under "Information on the processing of personal data of INPS users pursuant to Article 13 of (EU) Regulation 2016/679".

FURTHER INFORMATION ON THE USE OF PARTICULAR CHANNELS

The WEB Portal

The information is provided only for the INPS website and not for other websites that may be consulted by the user through links made available, for which the Institute is in no way responsible.

The information is founded on the recommendation on minimum requirements for online data collection in the European Union, adopted on 17 May 2001 by the Working Party established by Article 29 of Directive 95/46/EC.

Types of data processed in addition to personal data provided by the user
- Navigation data

Certain information, relating to users visiting the website www.inps.it and navigating its web pages, is automatically acquired by software procedures that apply internet communication protocols.

This category of data includes IP addresses or domain names of computers used by users who are visiting the site, addresses in URL notation (Uniform Resource Locator), the time of the claim and other aspects related to the operating system and the user's IT environment.

Although this data is used anonymously for statistical purposes only, to monitor the use of the site and to check its correct functioning, it may also allow third parties to identify users, through processing and association with other data.

Moreover, at the claim of the competent judicial authority and within the guarantees provided by law, this information could be used to ascertain responsibility in the event of any computer crimes committed against the site.

MY INPS

MyINPS is an area of the portal reserved for authenticated users, as it is accessed exclusively by using PIN, SPID, CIE and CNS login details. The area allows users to check, in a single point, their contacts, the status of the applications submitted, their account statement, the communications received from the Institute and to receive information or to carry out simulations with respect to benefits of interest. In MyINPS, simplified access is also possible to services of direct interest in view of the dynamic evolution of relations with the Institute and the possibility of printing documents and certificates (e.g. civilian invalidity report, CU (certification of the withholding agent), pension payslip, etc.).

The interactions that users perform with respect to the services displayed in MyINPS are recorded for institutional and control purposes as well as for statistical processing; these tracking data will be kept for a period not exceeding 5 years, without prejudice to any disputes.

In any case, this information may be made available to the competent Authorities, within the guarantees provided by law, to ascertain any responsibility in the event of computer crimes or other investigations.

Contact Center

Contact Center activities are carried out exclusively in Italy.

INPS, through the Contact Center, provides a special contact channel to facilitate the use of its services for its users. Individuals responsible for this purpose may be employed by the Institution for this reason, pursuant to and for the purposes of Article 28 of Regulation (EU) 2016/679.

Contact with the Contact Center is initiated as a result of the interaction between the user and an advanced automatic responder, aimed at defining the user's needs. As a result of this interaction, the call is transferred to an operator or to an automated service (without an operator). Where necessary for the specific service claimed, the user is invited to provide certain identification data, their contact channels and, in the case of some services, 4 randomly selected characters of their PIN code to enable authentication. This information may also be used to provide automatic correspondence regarding the service claimed.

In order to make more effective use of the electronic channels made available by the Institute, and to implement the quality of the services offered, the personal data of the individual concerned and information relating to the history of his/her previous interactions with the Contact Center may be processed.

The conversation with the Contact Center operator:

• may be recorded for purposes of monitoring the quality of the service provided and improving it;
• will be registered for the acquisition of data used for processing the claims of specific Inps services (e.g. calls for tenders, maternity leave, domestic workers enrolments...).

In all cases of recordings, the user is notified in advance and the continuation of the call, after listening to the information about the recording, assumes consent being given and the willingness to continue the conversation with the recording.

The recordings will be archived with confidential access, and for the functions described above, will be made available upon reasonable claim, to certain dependent workers of the Institute specifically authorized, as well as to the competent authorities who may claim them; they may never be communicated to persons outside INPS, unless expressly provided for by law.

The recordings of the conversations will be kept for the time strictly necessary to fulfil the purpose for which the calls were made - specifically, no more than 6 months. After this deadline, the recordings will be deleted, without prejudice to any obligations on maintaining recordings, arising from the law.

Chat

The chat tool is used to provide information and assistance to users as an alternative to the telephone channel (Contact Center). The service may be carried out by a virtual operator (chatbot).

All messages within the chat are archived, for the protection of the user and the Institute, and stored on electronic media for a maximum of 5 years. Access to archived messages can be granted to certain dependent workers of the Institute for service requirements, and, if necessary, to the competent authorities who claim it; they are never communicated to parties outside INPS unless expressly provided for by law.

If the user has provided an email address, this will be used at the end of the chat to send the content of the conversation with the operator in electronic format.

Mobile

The Institute's mobile channel displays services to users in a simplified and optimized way, for convenience, through mobile devices such as smartphones and tablets. As is the case with the web portal, the personal data provided directly by users are necessary to benefit from the services made available by INPS, including, for example, the attribution of personal PIN authentication credentials online (which, in this specific case, the user can save on their mobile device). Such data, which may be saved as Tax Code and PIN, are secured according to encryption algorithms and therefore protected by security measures. Access to these pages by the authorized person is strictly personal and based on the use of authentication credentials which is only known to the individual users. Some mobile services, such as INPS Answers Responds,, require the user to read the privacy policy, without which it is impossible to obtain the claimed service.

SMS

SMS messages from INPS can be sent both by automated procedures and by authorized Institute operators by a special application accessible from the company intranet.
Communications sent by SMS, for the protection of the user receiving the communication, and the Institute, are kept by the latter for no longer than five years on electronic media. Access to the information stored is granted, for service requirements, to certain dependent workers of the Institute and, where appropriate, to the competent authorities on claim. The archived data is never communicated to parties or individuals outside INPS unless this is expressly provided for by law.