This document discloses Morrow Sodali data protection policies and practices on Personally Identifiable Information (“personal data”) where Morrow Sodali is Controller as defined in the General Data Protection Regulation EU 679/16 (“GDPR”).
- attendees of Morrow Sodali physical and online events, webinars and presentations, or Morrow Sodali-sponsored events;
- subscribers to Morrow Sodali publications and newsletters;
- Personal information provided on third party sites not controlled by Morrow Sodali. When interacting with our websites, you may also have the ability to link or connect with non-Morrow Sodali websites, services, social networks, applications or other features. Enabling these features will lead to parties other than Morrow Sodali processing information as autonomous controllers, and you are encouraged to review the privacy policies of these parties before using these features.
When not specified otherwise, terms used but not defined in this document, such as “personal data”, “processing”, “controller”, “processor”, and “data subject”, will have the same meaning as set forth in Article 4 GDPR.
In this document “EU data subject” means any data subject who is in an EU Member State.
In this document “California data subject” means any resident or household in the State of California.
Personal Data Processing Information
The Controller may also collect personal data when users access and use any service provided by the website, such as by completing web forms (e.g. Contact Us, Work with us, etc.), completing online surveys, messaging the Controller using email or hyperlinks, following social networks links or using other direct or indirect forms of communication with the Controller. Some services (e.g. social networks) may be provided by third parties, who act as an autonomous Controller for such personal data.
Processing may include performing all or a subset of the following operations on personal data: collection, registration, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, transmission, cancellation, and destruction of data. Such operations may be performed manually and/or by automated means.
Personal data may be processed and stored in physical and/or digital format.
Personal Data Categories
The Controller processes the following categories of personal data:
- a) Generic personal data (e.g. First and Last Name, Date and Place of Birth, etc.)
- b) Generic Contact Data (e.g. email address, phone, postal address, etc.)
- c) Job related information (e.g. Company, Job Role, etc.)
- d) Financial Data (e.g. Financial asset ownership, etc.)
- e) Navigation related data (e.g. IP address, web Session ID, Device ID, etc.)
Processing purpose and legal basis
The legitimate purpose for processing personal data may be one or more of the following:
- To perform direct marketing activities on email, phone, postal service, etc
- To contact data subject and initiate a business relationship or to take steps at the request of the data subject prior to entering into a contract;
- To analyze web navigation behaviors and patterns
- To analyze, develop, improve and optimize our sites, facilities, products and services, and to maintain the security of our sites, networks and systems.
The legal basis for the processing detailed above can be one of the following:
- Controller’s Legitimate Interest (Article 6.1.f GDPR)
- Data subject’s consent (Article 6.1.a GDPR)
- Contractual obligations (Article 6.1.b GDPR)
Technical and Organizational security measures
Considering the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Controller has implemented adequate technical and organizational measures to ensure a level of security appropriate to the risk, including, but not limited to:
- Information Security Policy defined and applied consistently
- Access to data granted only on need-to-know and least privilege principles
- System protection against virus/malware, updated periodically
- Periodic Vulnerability Assessment
- Regular backup of personal data performed and tested
Technical and Organizational security Measures (“TOMs”) are subject to continuous upgrade and may change without notice. An updated list of TOMs may be requested at any time by contacting the Controller.
The Controller will retain personal data for as long as is necessary for the processing purpose(s) for which it was collected and any other permitted linked purpose (e.g., when the Controller must comply with certain legal/regulatory requirements and retain personal information for longer than the purpose for which data were originally collected). Retention periods are based on business needs.
Personal data that are no longer needed are either irreversibly anonymized (and the anonymized information is retained) or securely destroyed in accordance with internal retention policy.
Personal Data Transfer and Sharing
In the fulfillment of the purposes stated in the relevant section of this document, personal data may be transferred to the following recipients or categories of recipients:
- Controller’s affiliate companies, i.e. legal entities of Morrow Sodali Group in which the Controller holds majority rights of ownership.
- Third party companies or other subjects that process data on behalf of the Controller as Data Processor (Article 28 GDPR);
- Supervisory Authorities, Law Enforcement Agencies, Judiciary Authorities, etc. located within or outside the EEA, where such transfer is mandated by law. Such entities will process personal data as independent Controllers.
Furthermore, the Controller may transfer and process personal data in countries outside the EEA only if, subject to the other provisions of the GDPR, one of the following provisions is applied:
- Personal data are transferred to a third country or an international organization where the Commission has decided that it ensures an adequate level of protection (Article 45 GDPR); or
- Personal Data are transferred where the Controller provides appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available (Article 46 GDPR); or
- the Controller has an agreement in place with the or entity located outside the EEA based on the European Commission Standard Contractual Clauses (Article 47 GDPR); or
- Personal data are transferred when the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards (Article 49 GDPR).
EU Data Subject Rights
EU data subjects are granted all rights set forth by the GDPR, and in particular:
- a) Right to obtain confirmation as to whether or not personal data concerning the data subject are being processed by the Controller, and, where that is the case, access to the personal data in an intelligible form and to the other information.
- b) Right to rectification of inaccurate personal data concerning the data subject. Considering the purposes of the processing, data subjects have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
- c) Right to be forgotten, or the right to obtain the erasure of personal data concerning the data subject, subject to the provisions and limitations stated in Article 17 of the GDPR;
- d) Right to obtain from the Controller restriction of the processing of your personal data according to the provisions and limitations of Article 18 of the GDPR.
- e) Right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.
- f) Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
- g) When the legal basis for the processing is based on your consent, you have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
Right to complain to a supervisory authority
Without prejudice to any other administrative or judicial remedy, EU data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement, if they consider that the processing of personal data relating to them infringes the GDPR.
EU Data subjects also have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.
California Data Subject Rights
We declare hereby that Morrow Sodali Group and/or its affiliates do not and will not sell your personal data.
Under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), California residents may request that we:
- a) disclose to you the following information:
• the categories and specific pieces of personal information we collected about you and the categories of personal information we sold;
• the categories of sources from which we collected such personal information;
• the business or commercial purpose for collecting personal information about you;
• the categories of third parties to whom we disclosed personal information;
- b) delete personal information we collected from you or correct inaccurate personal information about you;
We will respond to your request consistent with applicable law. If you are an authorized agent making an access or deletion request on behalf of a Californian resident, please reach out to and indicate that you are an authorized agent. We will provide you with instructions on how to submit a request as an authorized agent on behalf of a Californian resident.
How to exercise rights
EU and California data subjects may exercise their rights at any time, by contacting the Controller at the contacts detailed in the relevant section.
Additionally, EU data subjects only may exercise their rights by contacting the Controller’s Representative in the Union at the contacts detailed in the relevant section.
Controller and Representative in the Union
The Controller of personal data processing is:
Morrow Sodali Global LLC.
333 Ludlow Street, 5th Floor, South Tower
Stamford, CT 06902, USA
Telephone: +1 203 658 9400
The Controller has nominated, for all the purposes specified in Article 27 GDPR, the following affiliate company as its Representative in the European Union (henceforth “Representative”):
Morrow Sodali S.p.A.
Via XXIV Maggio, 43
00187 Rome, ITALY
Telephone: +39 06 4521 2800
Data Protection Officer
Ing. Guido Zucchelli
The Representative can be addressed by EU data subjects in addition to or instead of the Controller on all issues related to compliance with GDPR.
Version 4.0 of 15/06/2023