This policy, pursuant to Article 13 of European Regulation (EU) 2016/679 (hereinafter the “GDPR”), describes the processing of
personal data of those who enter into legal relations or otherwise provide their personal data to the Pleion S.p.A. as customers or in any
other capacity (hereinafter “Data Subjects”).
1) Data Controller.
The Data Controller is Pleion S.p.A. (“Data Controller”) with registered office in Cerea Via Venezia 11, postal code 37053, e-mail
firstname.lastname@example.org for contact purposes. The updated list of any Data Processors (those who could be charged with processing or who
process the data on behalf of the Data Controller), is available at the registered office indicated above. The Data Controller did not
appoint a personal data protection officer (DPO), having assessed that, given the type of processing performed, appointing such a
figure is neither mandatory nor beneficial.
2) Processing location and method.
Processing related to the services on the Data Controller's website, currently http//www.pleion.it, as well as processing carried out by
Pleion S.p.A. in any other capacity under this policy, takes place at the Data Controller's office and is carried out by suitably appointed
internal technical staff (Data Processors) pursuant to the GDPR and/or by staff outside the Data Controller's organisation, appointed in
writing as Data Handler, pursuant to Article 28 of the GDPR.
All personal data are processed primarily in electronic form but also in paper form. The data will be kept in a form that allows the user to
be identified only for as long as necessary to achieve the purposes for which the data were originally collected and, in any case, within
the limits of the law. Specific security measures are followed to prevent data loss, illegal or improper use and unauthorised access, in
compliance with the GDPR.
The Data Controller has adopted adequate safety measures to protect your data against loss, wrongful use, or alteration. The Data
Controller will not transfer your personal data to a third country or an international organisation.
In order to ensure that the personal data is always accurate, up-to-date, complete, and pertinent, Data Subjects are asked to send any
changes to the e-mail address indicated above in point 1.
3) Purposes of processing
Personal data processing is for the following purposes:
4) Legal basis of processing
Primarily the correct and complete execution of the contract and other tasks and assignments from the Data Subject, even if
only for preparing estimates.
To allow users to know about and get more information on the Data Controller’s activities and other initiatives, within the limits
and for the sole purpose of delivering services that can be accessed through the company’s website.
The Data Controller’s fulfilment of its tax and accounting obligations.
The Data Controller’s compliance with obligations in other mandatory regulations (e.g., security).
Upon explicit consent of the data subject, for sending - even by e-mail via automated systems - communications containing
information relating to the Data Controller and the activities it organizes (e.g., invitations to conferences and events in general,
including management of the related participation), as well as updates and/or information of a legal and/or promotional nature,
including but not limited to newsletters, presentations, in-depth information and updates on matters relating to the activities carried
out by the Data Controller, including profiling the Data Subject for the purpose of directing, improving, or customising the Data
Controller's initiatives by taking into account the Data Subject’s specific needs or interests;
Personal data are processed lawfully in that:
The performance of the activities in letters a) and b) of point 3 above does not require the Data Subject’s consent since these services
are performed, in most cases, in response to requests made directly by the data subject pursuant to Art. 6, p. 1, letter B) of the GDPR.
Likewise, the processing of Data for purposes sub c) and sub d) does not require the Data Subject’s consent, as it is necessary to fulfil a
legal obligation of the Data Controller, pursuant to Article 6 p.1, lett. C) of the GDPR
Processing of personal data for the purposes sub e) requires the Data Subject’s consent pursuant to Article 6, p. 1, lett. a) of the GDPR.
5) Consequences of failure to communicate personal data
Providing personal data for the purposes mentioned above is optional and the only consequence of failing to provide such data is that it
will be impossible for the Data Controller to manage and process the Data Subject’s requests or send the above-mentioned
6) Storage of personal data
Personal data will be kept for the amount of time that is strictly necessary to achieve the purposes for which it was collected. Once the
purpose for the processing is no longer valid or if the right to oppose processing or revoke consent has been exercised, the Data
Controller will still be legally able to keep all or part of the personal data for the purposes permitted by the GDPR (e.g., to enforce a right
Personal data subject processed for the purposes indicated above will be kept for the time needed for tax purposes, which is currently
7) Disclosure of data
Personal data may be communicated to:
8) Types of data processed
Company employees and contract workers who perform functional tasks for the purposes indicated above (Data processors);
Accountants, external consultants, or outsourcing companies that process data to perform specific legal obligations (subjects
bound as Data Processors tasked by the Data Controller to carry out functional operations for the purposes mentioned
Judicial or Administrative Authorities for the fulfilment of contract and legal obligations.
The computer systems and software procedures used for the operation of the Data Controller’s website (internet address indicated
above) as part of their standard function, acquire personal data, which is implicit in the use of internet communication protocols.
This information is not collected for the purpose of being associated with identified persons, but by its very nature could result in
the identification of users through processing and matching it with information held by third parties.
This category of data includes: IP addresses or the domain names of computers used by users who connect to the website, URI
(Uniform Resource Identifier) addresses for the requested resources, the time of the request, the size of the file received in
response, the numerical code indicating the status of the response provided by the server, and other parameters relating to the
operating system and the user’s computing environment.
This data may only be used to obtain anonymous statistical data on the use of the website and to check that it is operating
correctly and are deleted immediately after processing. Data may be used to determine liability in the event of any potential cyber
crime against the Site.
the privacy link on the same website.
9 - Recipients and Categories of Recipients
Data provided voluntarily by the user or collected from third-parties
No data will be subject to dissemination or transfer to third party without the consent of the Data Subject. Where communication
to third-party suppliers or the Data Controller’s partners is necessary for organisational or administrative needs or to support the
services performed, the Data Controller will be required to appoint the latter as a Data Processor pursuant to the GDPR. Personal
data provided to us are not subject to dissemination or automated decision-making processes.
10) Rights of the data subject
Every Data Subject has the rights set forth in Art. 15 to 20 of the GDPR. For example, each Data Subject may request the following from
the Data Controller:
Policy version 1 of 25.5.2018
access to their personal data and related information; rectification of inaccurate information or the integration of incomplete
data; deletion of the data (upon the occurrence of one of the conditions indicated in Article 17, paragraph 1 of the GDPR and in
compliance with the exceptions set forth); restriction of processing (upon the occurrence of one of the cases indicated in Article 18,
paragraph 1 of the GDPR);
obtaining portability of their personal data (i.e. obtain in a structured, machine-readable format, also in order to be able to pass
them on to another data controller);
Oppose the processing of the personal data at any time upon occurrence of particular situations;
Revoke consent at any time, limited to cases where the processing is based on your consent for one or more specific purposes
and relates to common personal data (e.g., date and place of birth, or location of residency), or particular categories of data (e.g.,
data that reveal race, political orientation, religion, or health). This excludes processing based on consent given prior to withdrawal;
lodge a complaint with a Supervisory Authority (Personal Data Protection Supervisor – www.garanteprivacy.it).