Privacy Policy

PRIVACY NOTICE – WHISTLEBLOWING

CUSTOMER PRIVACY NOTICE

Cela srl with registered office in TURIN VIA TREVISO 36 – operational headquarters VIA ISEO 5-7-9 CASTEGNATO 25045 (BS), tax code and VAT number 10073480013 – e-mail info@cela.it, certified e-mail address cela@pec.it., as Data Controller, informs that the processing of personal data transmitted will be performed in compliance with the GDPR 679/2016 and with the national legislation as follows.

Purpose of processing
The processing of your personal data will take place for the purposes related to the correct execution of the contract and for the fulfilment of the tax and accounting obligations incumbent on it.

Legal basis for data processing
The processing of personal data will be carried out, alternatively, for the fulfilment/execution of contractual obligations and/or for the fulfilment of legal, fiscal and contractual obligations related to the same and/or on the basis of a legitimate interest of the Data Controller.

Place of processing and retention
The processing is performed at the registered office and operational headquarters both in paper-based and computer mode and consists of the collection, recording, organisation, retention, consultation, processing, selection, comparison, use, archiving, deletion and destruction. The retention will take place in the same places and will have the duration provided by law, and in any case for the times necessary for execution of the contract. The data retention period will be the one necessary to guarantee the Data Controller the correct fulfilment of the tax, accounting and legal obligations incumbent on it.

Data categories
Your contact details, bank details, personal data of shareholders, of the lawyers represented and of the employees that will be necessary for the exact execution of the contract will be processed.

In the event that the remote assistance service and/or the Industry 4.0 Ipercela remote management system is purchased, Cela srl communicates that in order to guarantee the execution of the service, information will be processed regarding the location of the vehicle as well as the ignition, use, position, inclination, telemetry and active alarms of the vehicle itself. No personal data relating to natural persons using the vehicle will be processed, not even indirectly, by Cela srl and no such data will be transmitted to the same. No responsibility can be attributed to Cela srl for the buyer’s failure to comply with the regulations relating to the processing of the personal data of its employees/collaborators for the use of this technology.

Categories of data subjects
In addition to employees of the Data Controller and to the judicial and police authorities, the categories of data subjects also include social security institutions and tax authorities. In addition, personal data may be transmitted to external data processors pursuant to art. 28 of the GDPR, whose list is available from the Data Controller.

Obligation to communicate data
The communication of personal data is a contractual obligation and is in any case a necessary requirement for conclusion of the contract. If the requested data are not promptly communicated, the Data Controller reserves the right not to execute the contract and/or to terminate the same.

Rights of the data subject
As a data subject, you may exercise the rights provided for by art. 7 of the Privacy Code and by arts. 12, 15 to 22 of the GDPR and you will therefore have the right to request at any time the updating and/or integration of personal data, as well as access to them and/or correction and/or deletion of the same or limitation of the Processing that concerns you or to object to their Processing, in addition to the right to request from the Data Controller your personal data in a format that is structured and readable by an automatic device, also in order to communicate such data to another Data Controller (so-called right of data portability). You may also revoke at any time the consent to the Processing given without prejudice to the lawfulness of the Processing based on the consent given before the revocation. As a data subject, you will have the right to lodge a complaint pursuant to arts. 77 et seq. of the GDPR with a supervisory authority which, for the Italian state, is identified as being the Guarantor for the protection of personal data (www.garanteprivacy.it). The forms, methods and time limits for the submission of a complaint are established and governed by the national legislation in force. The complaint is without prejudice to administrative and judicial actions, which for the Italian State can be proposed alternatively to the same Guarantor or to the competent Court.

Data Controller and Data Protection Officer
The Data Controller, whom you may contact to assert the rights referred to in art. 7 of the Privacy Code and in arts. 12, 15 to 22 of the GDPR, is the company CELA SRL with registered office in TURIN VIA TREVISO 36 – operational headquarters VIA ISEO 5-7-9 CASTEGNATO 25045 (BS), Tax Code and VAT no. 10073480013 – e-mail info@cela.it, certified e-mail address cela@pec.it. The Data Protection Officer of the Data Controller is the lawyer Ms. Maria Capitanio, e-mail m.capitanio@live.com- certified e-mail address maria.capitanio@brescia.pecavvocati.it.

CAREERS PRIVACY NOTICE

Information Notice on the Processing of Personal Data

In accordance with Article 13 of the European Regulation 2016/679 on the protection of personal data (“Regulation”) and applicable national regulations, Cela Srl (hereinafter the “Company”), as the data controller, informs you that the personal data provided by you with the submission of your CV, also through the link on the company website, will be processed in compliance with the current legislative and contractual provisions for the purposes and in the manner indicated below.

Categories of Data
When submitting the CV to present your profile for an open job position or to provide us with your CV for potential future job positions, the Company collects and processes data such as name, surname, date of birth, email address, phone contacts, address, academic background, previous work experiences, and any other data voluntarily included in the CV or accompanying cover letter.

Data Processing and Storage Methods
The data will be processed at the Company’s registered office and operational headquarters and stored on systems and in archives, including paper archives, managed by the Company. This will be done in accordance with the principles of fairness, loyalty, and transparency provided by the applicable data protection laws, solely for the purpose of evaluating your application for possible employment within the Company. If the CV contains data related to third parties (e.g., references for previous work experiences), you must ensure that you have obtained the consent of such individuals to be contacted by the Company for reference purposes. In such case, you authorize the Company to contact these third parties for references and verification of the information received. The data will be treated to protect your confidentiality and rights through the adoption of suitable technical and organizational measures to ensure a level of security appropriate to the risk (such as the ability to restore access to data in case of incidents, etc.). As part of the selection process, the Company may, in certain circumstances, conduct verification activities on the information provided (e.g., academic qualifications and previous employers).

The submission of the application and any related information is entirely voluntary and optional for website users.

Non-Provision of Data
If you decide to apply, you are free to provide the personal data that you consider most suitable for this purpose. However, in case of non-provision of personal data necessary for your identification (such as personal details or your education), the Company will be unable to evaluate your application, as these are essential data for the assessment of the application by the Company. Your consent is not required for the processing of personal data contained in the CV, as the processing is limited to what is strictly necessary to respond to your request and obtain preliminary information for the possible establishment of a contractual relationship, in accordance with Article 6.1 b) of Regulation EU 679/2016. The Company advises candidates not to include in their CV or otherwise communicate to the Company personal data revealing racial or ethnic origin, religious, philosophical, or other beliefs, political opinions, membership of parties, unions, associations, or organizations of a religious, philosophical, political, or union nature, as well as personal data revealing health or sexual life (so-called special categories of personal data).

Retention Period
Your personal data will be kept for a period not exceeding that necessary to evaluate your application for possible employment within the Company, considering the constantly evolving job market dynamics in which the Company operates and the type of skills and experiences sought. In any case, based on the legitimate interest of the Company in identifying the most suitable profile for the positions that may arise, CVs may be kept for a period of up to 3 years, after which they will be deleted, subject to further retention obligations under applicable law. It is understood that you may update your data at any time or request their deletion.

Authorized Data Processing Entities
For the aforementioned purposes, your data may be disclosed to: a) authorized and duly trained personnel of the Company, including Human Resources and Organization personnel and the contacts of the company functions to which the position for which your profile may be considered belongs; b) third parties, such as personnel selection agencies, for purposes strictly related to the management of the application as independent data controllers; c) third parties to whom the Company entrusts the execution of certain services within the scope of personnel search and selection activities and who have been appointed as data processors for this purpose. These entities act in accordance with the instructions of the Company, as data processors based on specific contractual agreements. The list of such entities is available upon request at the contact details provided below. Personal data will not be subject to disclosure.

Rights of the Data Subject
In relation to the described data processing, you may exercise the rights provided by the Regulation (Articles 15-21), including: a) receive confirmation of the existence of your personal data and access their content (right of access); b) update, modify, and/or correct your personal data (right of rectification); c) request their deletion or restriction of processing for data processed unlawfully, including those not necessary for storage in relation to the purposes for which the data was collected or otherwise processed (right to be forgotten and right to restriction); d) object to processing where provided by the Regulation (right to object); e) revoke consent, if given, without prejudice to the lawfulness of processing based on consent given before revocation; f) receive a copy of the data concerning you in electronic format and request that such data be transmitted to another data controller (right to data portability). To exercise these rights or for further information regarding this notice, you can contact the Data Protection Officer (DPO) by sending an email to privacy@cela.it or by regular mail to the Company’s registered office at the addresses indicated. You may also lodge a complaint with the supervisory authority in case of violation of the data protection regulations.

Data Controller
The data controller is Cela Srl, with registered office in Turin, Via Treviso 36, and operational headquarters in Castegnato (BS), Via Iseo 5-7-9, represented by the current Legal Representative. The Data Protection Officer is available at the address privacy@cela.it.

Cela Srl

PRIVACY NOTICE WHISTLEBLOWING

PURSUANT TO ART. 13 OF EU REGULATION 679/2016 AND LEGISLATIVE DECREE 196/2003 AND SUBSEQUENT AMENDMENTS.

This notice is intended to explain to you, as the Data Subject, the ways in which your personal data will be processed in accordance with the provisions of the legislation on the protection of personal data (EU Regulation 679/2016, GDPR, and Privacy Code 196/2003), specifically concerning your rights and the means of protecting them, related to the report (so-called “”whistleblowing””) you will make through the reporting channel established by the Data Controller pursuant to Legislative Decree 24/2023.

Data Controller:
The Data Controller for the data covered by this notice is Cela S.r.l., with registered office in Turin, Via Treviso 36, and operational headquarters in Via Iseo no. 5-7-9, Castegnato (BS) VAT number Euro 1.593.140,88 fully paid up, represented by its Legal Representative.

Legal basis for processing:
Personal data is collected and processed for purposes strictly related to the management of reports of unlawful conduct, concerning activities and/or behaviors diverging from the procedures implemented by the company. These particularly encompass violations of national or European Union regulations that undermine the public interest or the integrity of the Data Controller, which the reporting individuals become aware of in a public or private working context. Furthermore, it encompasses violations of professional conduct standards and/or ethical principles referred to by current legislation, both internal and external, and/or illicit or fraudulent behaviors attributable to employees, members of social bodies, or third parties (clients, suppliers, consultants, collaborators).

Therefore, the legal basis for the processing is the need to comply with a legal obligation to which the Data Controller is subject, specifically referring to the provisions contained in Legislative Decree 8 June 2001, no. 231 (“Discipline of the administrative liability of legal entities, companies, and associations, even without legal personality, pursuant to Article 11 of Law 29 September 2000, no. 300”) and Legislative Decree 10 March 2023, no. 24 (“Implementation of EU Directive 2019/1937 of the European Parliament and of the Council of 23 October 2019, on the protection of persons who report breaches of Union law and containing provisions on the protection of persons reporting breaches of national legislative provisions”).

Purpose of processing:
The personal information provided through the report to the competent Office will be processed to ensure:

1) management of the report and whistleblowing procedure;
2) any activities aimed at verifying the validity of the reported fact;
3) adoption of measures consequent to the report;
4) any requests for integration of information to the reporting individual (the so-called whistleblower);
5) protection in court of a right of the Data Controller;
6) response to a request from the Judicial Authority or an Authority assimilated thereto.

Confidentiality and protection of the reporter:
The Data Controller guarantees the confidentiality of the identity of the reporting person, the person involved, and any person mentioned in the report, as well as the content of the report and related documentation. Therefore, except in cases where the criminal liability of the reporting person is established, even by a first-instance judgment, for the offenses of defamation or libel or for the same crimes committed through the report to the judicial or accounting authority, or their civil liability, for the same reasons, in cases of willful misconduct or gross negligence, and subject to other exceptions provided by law (e.g., obligation to report to the judicial authority), the identity of the reporter will be protected from the receipt of the report onward, in accordance with the current provisions of Privacy Regulations. Therefore, subject to the aforementioned exceptions, the Data Controller has determined, pursuant to Article 12, paragraph 2 of Legislative Decree 24/2023, that their identity and any other information from which it can be directly or indirectly inferred cannot be disclosed to subjects other than those competent to receive or follow up on the reports. Your explicit consent will be obtained also in cases where it is necessary to disclose your identity pursuant to Article 12, paragraphs 5 and 6 of Legislative Decree 24/2023, or when it is necessary to decrypt your data in order to enable the defense of the accused in a disciplinary procedure based solely on the report and in which the knowledge of the reporting individual is essential for the defense or for the defense of the person involved.
All those who receive and/or are involved in the management of reports are obliged to protect the confidentiality of such information.

Categories of processed data:
The personal data processed by the Data Controller, in compliance with the whistleblowing procedure, may include common personal data, such as:
– identifying data of the reporting individual (e.g., name, surname, email address, any other contact details provided by the reporting person);
– personal data contained in the reports sent (e.g., personal data – identifying and professional – and any other personal information relating to the reported subject and/or any third parties involved in the report).

The communication of the reporting individual’s identifying personal data (name and surname) and their email address is mandatory in the so-called “named reporting.”

The communication of identifying personal data is not required or mandatory in the so-called “anonymous reporting,” and in this case, in addition to protecting the content of the transmission, the anonymity of transactions between the reporter and the Whistleblowing reporting channel is guaranteed, making it impossible for the recipient and all subjects involved in any way in the management of the transmission to trace the sender.

Information concerning the reported facts may be processed, depending on the contents of the report, including any references to data concerning third parties that may be involved in the reported facts and mentioned by the reporting individual or acquired during subsequent investigative activities.

Refusal to provide personal data:
Any refusal to provide common identifying and contact data (name, surname, and email address) of the reporting individual in the so-called “named report” will result in the inability of the Data Controller to follow up on the submitted report. The provision of the reporting individual’s personal data is optional in the “anonymous report.”

Methods of personal data processing:
The Data Controller collects and/or receives the reporting individual’s personal data through their input via the reporting channel established by the Data Controller and accessible from the company’s website. The data will be processed both electronically and on paper and will be managed by the personnel of the Data Controller specifically appointed and trained. Your data may also be processed by subjects authorized by law to access it and by Data Processing Managers specifically appointed pursuant to Article 28 GDPR by the Data Controller, and the list of these is kept by the Data Controller. Please note that if personal data clearly not relevant to the report are accidentally acquired during the handling of the reports, they will be promptly deleted.

Data retention:
Data related to the reports and related documentation will be retained for no longer than five years from the date of communication of the final outcome of the reporting procedure at the operational headquarters and the registered office of the Data Controller and/or at the appointed Data Processor. In the event of disputes concerning the circumstances reported, the data may be kept for a longer period, coinciding with the duration of the dispute itself, in addition to the prescription and/or expiration period.

Transfer of data outside the EU:
Data will be processed within the European Union, where the Data Controller or Processors have their headquarters or servers. Data will not be transferred outside the European Union.
Data Subject Rights: At any time, the Data Subject may exercise the rights under Articles 15 and following of EU Regulation 679/2016, GDPR, as listed below. For obvious reasons of protecting the reporter’s confidentiality, reporting subjects are encouraged to exercise their rights, particularly those concerning rectification or deletion of their personal data, using the same platform indicated in the whistleblowing procedure for reporting and by sending a request through the platform in this regard.

Right of access (Art. 15 GDPR): Right of the Data Subject to obtain from the Data Controller confirmation as to whether or not personal data concerning them are being processed and, if so, to access such data;
Right to lodge a complaint with a supervisory authority (Art. 15 1. f) GDPR): The Data Subject has the right to lodge a complaint under Articles 77 and following GDPR with a supervisory authority, which for the Italian state is identified as the Garante per la protezione dei dati personali (www.garanteprivacy.it). The forms, methods, and terms for submitting the complaint are provided and regulated by current national legislation. The complaint does not affect administrative and judicial actions, which for the Italian state can be alternatively proposed to the same Garante or to the competent Court;

Right to rectification (Art. 16 GDPR): Right of the Data Subject to obtain from the Data Controller the rectification of inaccurate personal data concerning them without undue delay. If the provided data is incomplete, it can be supplemented by the Data Subject through a supplementary statement;
Right to erasure (right to be forgotten) (Art. 17 GDPR): The Data Subject has the right to obtain from the Data Controller the erasure of personal data concerning them without undue delay. In this case, the Data Controller shall have the obligation to erase such data without undue delay;

Right to restriction of processing (Art. 18 GDPR): Right of the Data Subject to obtain restriction of processing in certain situations: the Data Subject disputes the accuracy of personal data; the processing is unlawful, and the Data Subject opposes the erasure of the data, instead requesting restriction; the personal data are required for the establishment, exercise, or defense of a legal claim; the Data Subject has objected to processing, pending the verification of the legitimate grounds of the Data Controller overriding those of the Data Subject;

Right to data portability (Art. 20 GDPR): The Data Subject has the right to receive the personal data concerning them, which they have provided to the Data Controller, and the right to transmit such data to another controller without hindrance from the Data Controller in cases where: a) the processing is based on consent pursuant to Article 6, paragraph 1, letter a), or Article 9, paragraph 2, letter a), or on a contract pursuant to Article 6, paragraph 1, letter b); the processing is carried out by automated means;

Right to object (Art. 21 GDPR): Right of the Data Subject to object to the processing of their personal data.

Contact details:
To contact the Data Controller, you can call the following phone number: 0039 030 988 4084, or email: info@cela.it, or certified mail to the registered office in Turin, Via Treviso 36 and/or the operational headquarters in Via Iseo no. 5-7-9, Castegnato (BS).
To contact the Data Protection Officer (DPO), you can call the following phone number: 0039 3404728795 or email: privacy@cela.it.

The Data Controller
Cela s.r.l.
§ I declare that I have received the information pursuant to Article 13 of GDPR 679/2016 and have understood it in its entirety.

PRIVACY NOTICE GENERAL

Owner and Data Controller

CELA SRL – VIA TREVISO 36 (TO)
Owner contact email: info@cela.it

Types of Data collected
Among the types of Personal Data that this Application collects, by itself or through third parties, there are: Usage Data; Cookies; first name; last name; phone number; company name; address; county; email address; ZIP/Postal code; various types of Data; city; Universally unique identifier (UUID); answers to questions; clicks; keypress events; motion sensor events; mouse movements; scroll position; touch events; number of Users; device information; session statistics; browser information.
Complete details on each type of Personal Data collected are provided in the dedicated sections of this privacy policy or by specific explanation texts displayed prior to the Data collection.
Personal Data may be freely provided by the User, or, in case of Usage Data, collected automatically when using this Application.
Unless specified otherwise, all Data requested by this Application is mandatory and failure to provide this Data may make it impossible for this Application to provide its services. In cases where this Application specifically states that some Data is not mandatory, Users are free not to communicate this Data without consequences to the availability or the functioning of the Service.
Users who are uncertain about which Personal Data is mandatory are welcome to contact the Owner.Any use of Cookies – or of other tracking tools — by this Application or by the owners of third-party services used by this Application serves the purpose of providing the Service required by the User, in addition to any other purposes described in the present document and in the Cookie Policy.
Users are responsible for any third-party Personal Data obtained, published or shared through this Application.

Mode and place of processing the Data

Methods of processing
The Owner takes appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of the Data.
The Data processing is carried out using computers and/or IT enabled tools, following organizational procedures and modes strictly related to the purposes indicated. In addition to the Owner, in some cases, the Data may be accessible to certain types of persons in charge, involved with the operation of this Application (administration, sales, marketing, legal, system administration) or external parties (such as third-party technical service providers, mail carriers, hosting providers, IT companies, communications agencies) appointed, if necessary, as Data Processors by the Owner. The updated list of these parties may be requested from the Owner at any time.

Place
The Data is processed at the Owner’s operating offices and in any other places where the parties involved in the processing are located.
Depending on the User’s location, data transfers may involve transferring the User’s Data to a country other than their own. To find out more about the place of processing of such transferred Data, Users can check the section containing details about the processing of Personal Data.

Retention time
Unless specified otherwise in this document, Personal Data shall be processed and stored for as long as required by the purpose they have been collected for and may be retained for longer due to applicable legal obligation or based on the Users’ consent.

The purposes of processing

The Data concerning the User is collected to allow the Owner to provide its Service, comply with its legal obligations, respond to enforcement requests, protect its rights and interests (or those of its Users or third parties), detect any malicious or fraudulent activity, as well as the following: Displaying content from external platforms, Contacting the User, Tag Management, Advertising, SPAM protection and Analytics.
For specific information about the Personal Data used for each purpose, the User may refer to the section “Detailed information on the processing of Personal Data”.

Detailed information on the processing of Personal Data

Personal Data is collected for the following purposes and using the following services:

Contacting the User

Contact form (this Application)
By filling in the contact form with their Data, the User authorizes this Application to use these details to reply to requests for information, quotes or any other kind of request as indicated by the form’s header.
Personal Data processed: address; city; company name; county; email address; first name; last name; phone number; various types of Data; ZIP/Postal code.

Tag Management

This type of service helps the Owner to manage the tags or scripts needed on this Application in a centralized fashion.
This results in the Users’ Data flowing through these services, potentially resulting in the retention of this Data.Google Tag Manager (Google Ireland Limited)
Google Tag Manager is a tag management service provided by Google Ireland Limited.
Personal Data processed: Usage Data.
Place of processing: Ireland – Privacy Policy.

SPAM protection

This type of service analyzes the traffic of this Application, potentially containing Users’ Personal Data, with the purpose of filtering it from parts of traffic, messages and content that are recognized as SPAM.

Google reCAPTCHA (Google Ireland Limited)
Google reCAPTCHA is a SPAM protection service provided by Google Ireland Limited.
The use of reCAPTCHA is subject to the Google privacy policy and terms of use.
Personal Data processed: answers to questions; clicks; keypress events; motion sensor events; mouse movements; scroll position; touch events; Tracker; Usage Data.
Place of processing: Ireland – Privacy Policy.

Analytics

The services contained in this section enable the Owner to monitor and analyze web traffic and can be used to keep track of User behavior.
Google Analytics 4 (Google Ireland Limited)
Google Analytics 4 is a web analysis service provided by Google Ireland Limited (“Google”). Google utilizes the Data collected to track and examine the use of this Application, to prepare reports on its activities and share them with other Google services.
Google may use the Data collected to contextualize and personalize the ads of its own advertising network.
In Google Analytics 4, IP addresses are used at collection time and then discarded before Data is logged in any data center or server. Users can learn more by consulting Google’s official documentation.
Personal Data processed: browser information; city; device information; number of Users; session statistics; Trackers; Usage Data.
Place of processing: Ireland – Privacy Policy – Opt Out.

Displaying content from external platforms

This type of service allows you to view content hosted on external platforms directly from the pages of this Application and interact with them.
This type of service might still collect web traffic data for the pages where the service is installed, even when Users do not use it.
Google Fonts (Google Ireland Limited)
Google Fonts is a typeface visualization service provided by Google Ireland Limited that allows this Application to incorporate content of this kind on its pages.
Personal Data processed: Usage Data; various types of Data as specified in the privacy policy of the service.
Place of processing: Ireland – Privacy Policy.
Google Maps widget (Google Ireland Limited)
Google Maps is a maps visualization service provided by Google Ireland Limited that allows this Application to incorporate content of this kind on its pages.
Personal Data processed: Cookies; Usage Data.
Place of processing: Ireland – Privacy Policy.
Font Awesome (Fonticons, Inc.)
Font Awesome is a typeface visualization service provided by Fonticons, Inc. that allows this Application to incorporate content of this kind on its pages.
Personal Data processed: Usage Data.
Place of processing: United States – Privacy Policy.

Advertising

This type of service allows User Data to be utilized for advertising communication purposes. These communications are displayed in the form of banners and other advertisements on this Application, possibly based on User interests.
This does not mean that all Personal Data are used for this purpose. Information and conditions of use are shown below.
Some of the services listed below may use Trackers to identify Users or they may use the behavioral retargeting technique, i.e. displaying ads tailored to the User’s interests and behavior, including those detected outside this Application. For more information, please check the privacy policies of the relevant services.
Services of this kind usually offer the possibility to opt out of such tracking. In addition to any opt-out feature offered by any of the services below, Users may learn more on how to generally opt out of interest-based advertising within the dedicated section “How to opt-out of interest-based advertising” in this document.

Information on opting out of interest-based advertising

In addition to any opt-out feature provided by any of the services listed in this document, Users may learn more on how to generally opt out of interest-based advertising within the dedicated section of the Cookie Policy.

Cookie Policy

This Application uses Trackers. To learn more, Users may consult the Cookie Policy.

Further Information for Users

Legal basis of processing

The Owner may process Personal Data relating to Users if one of the following applies:

Users have given their consent for one or more specific purposes.
provision of Data is necessary for the performance of an agreement with the User and/or for any pre-contractual obligations thereof;
processing is necessary for compliance with a legal obligation to which the Owner is subject;
processing is related to a task that is carried out in the public interest or in the exercise of official authority vested in the Owner;
processing is necessary for the purposes of the legitimate interests pursued by the Owner or by a third party.

In any case, the Owner will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.

Further information about retention time

Unless specified otherwise in this document, Personal Data shall be processed and stored for as long as required by the purpose they have been collected for and may be retained for longer due to applicable legal obligation or based on the Users’ consent.

Therefore:

Personal Data collected for purposes related to the performance of a contract between the Owner and the User shall be retained until such contract has been fully performed.
Personal Data collected for the purposes of the Owner’s legitimate interests shall be retained as long as needed to fulfill such purposes. Users may find specific information regarding the legitimate interests pursued by the Owner within the relevant sections of this document or by contacting the Owner.

The Owner may be allowed to retain Personal Data for a longer period whenever the User has given consent to such processing, as long as such consent is not withdrawn. Furthermore, the Owner may be obliged to retain Personal Data for a longer period whenever required to fulfil a legal obligation or upon order of an authority.
Once the retention period expires, Personal Data shall be deleted. Therefore, the right of access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after expiration of the retention period.

The rights of Users based on the General Data Protection Regulation (GDPR)

Users may exercise certain rights regarding their Data processed by the Owner.
In particular, Users have the right to do the following, to the extent permitted by law:

Withdraw their consent at any time. Users have the right to withdraw consent where they have previously given their consent to the processing of their Personal Data.
Object to processing of their Data. Users have the right to object to the processing of their Data if the processing is carried out on a legal basis other than consent.
Access their Data. Users have the right to learn if Data is being processed by the Owner, obtain disclosure regarding certain aspects of the processing and obtain a copy of the Data undergoing processing.
Verify and seek rectification. Users have the right to verify the accuracy of their Data and ask for it to be updated or corrected.
Restrict the processing of their Data. Users have the right to restrict the processing of their Data. In this case, the Owner will not process their Data for any purpose other than storing it.
Have their Personal Data deleted or otherwise removed. Users have the right to obtain the erasure of their Data from the Owner.
Receive their Data and have it transferred to another controller. Users have the right to receive their Data in a structured, commonly used and machine readable format and, if technically feasible, to have it transmitted to another controller without any hindrance.
Lodge a complaint. Users have the right to bring a claim before their competent data protection authority.

Users are also entitled to learn about the legal basis for Data transfers abroad including to any international organization governed by public international law or set up by two or more countries, such as the UN, and about the security measures taken by the Owner to safeguard their Data.

Details about the right to object to processing

Where Personal Data is processed for a public interest, in the exercise of an official authority vested in the Owner or for the purposes of the legitimate interests pursued by the Owner, Users may object to such processing by providing a ground related to their particular situation to justify the objection.
Users must know that, however, should their Personal Data be processed for direct marketing purposes, they can object to that processing at any time, free of charge and without providing any justification. Where the User objects to processing for direct marketing purposes, the Personal Data will no longer be processed for such purposes. To learn whether the Owner is processing Personal Data for direct marketing purposes, Users may refer to the relevant sections of this document.

How to exercise these rights

Any requests to exercise User rights can be directed to the Owner through the contact details provided in this document. Such requests are free of charge and will be answered by the Owner as early as possible and always within one month, providing Users with the information required by law. Any rectification or erasure of Personal Data or restriction of processing will be communicated by the Owner to each recipient, if any, to whom the Personal Data has been disclosed unless this proves impossible or involves disproportionate effort. At the Users’ request, the Owner will inform them about those recipients.

Additional information about Data collection and processing

Legal action

The User’s Personal Data may be used for legal purposes by the Owner in Court or in the stages leading to possible legal action arising from improper use of this Application or the related Services.
The User declares to be aware that the Owner may be required to reveal personal data upon request of public authorities.

Additional information about User’s Personal Data

In addition to the information contained in this privacy policy, this Application may provide the User with additional and contextual information concerning particular Services or the collection and processing of Personal Data upon request.

System logs and maintenance

For operation and maintenance purposes, this Application and any third-party services may collect files that record interaction with this Application (System logs) or use other Personal Data (such as the IP Address) for this purpose.

Information not contained in this policy

More details concerning the collection or processing of Personal Data may be requested from the Owner at any time. Please see the contact information at the beginning of this document.

Changes to this privacy policy

The Owner reserves the right to make changes to this privacy policy at any time by notifying its Users on this page and possibly within this Application and/or – as far as technically and legally feasible – sending a notice to Users via any contact information available to the Owner. It is strongly recommended to check this page often, referring to the date of the last modification listed at the bottom.
Should the changes affect processing activities performed on the basis of the User’s consent, the Owner shall collect new consent from the User, where required.

Definitions and legal references

Personal Data (or Data)

Any information that directly, indirectly, or in connection with other information — including a personal identification number — allows for the identification or identifiability of a natural person.

Usage Data

Information collected automatically through this Application (or third-party services employed in this Application), which can include: the IP addresses or domain names of the computers utilized by the Users who use this Application, the URI addresses (Uniform Resource Identifier), the time of the request, the method utilized to submit the request to the server, the size of the file received in response, the numerical code indicating the status of the server’s answer (successful outcome, error, etc.), the country of origin, the features of the browser and the operating system utilized by the User, the various time details per visit (e.g., the time spent on each page within the Application) and the details about the path followed within the Application with special reference to the sequence of pages visited, and other parameters about the device operating system and/or the User’s IT environment.

User

The individual using this Application who, unless otherwise specified, coincides with the Data Subject.

Data Subject

The natural person to whom the Personal Data refers.

Data Processor (or Processor)

The natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller, as described in this privacy policy.

Data Controller (or Owner)

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data, including the security measures concerning the operation and use of this Application. The Data Controller, unless otherwise specified, is the Owner of this Application.

This Application

The means by which the Personal Data of the User is collected and processed.

Service

The service provided by this Application as described in the relative terms (if available) and on this site/application.

European Union (or EU)

Unless otherwise specified, all references made within this document to the European Union include all current member states to the European Union and the European Economic Area.

Cookie

Cookies are Trackers consisting of small sets of data stored in the User’s browser.

Tracker

Tracker indicates any technology – e.g Cookies, unique identifiers, web beacons, embedded scripts, e-tags and fingerprinting – that enables the tracking of Users, for example by accessing or storing information on the User’s device.

Legal information

This privacy policy relates solely to this Application, if not stated otherwise within this document.

PRIVACY NOTICE – CUSTOMER

PRIVACY NOTICE – CAREERS