Privacy Policy

Pursuant to and for the purposes of Article 13 of the European Data Protection Regulation 2016/679 (“GDPR”) and national privacy regulations, we inform you that your Personal Data shall be processed through electronic and manual tools, as well as via social media networks, in Italy and/or abroad. This Policy (hereinafter, the “Policy”), drawn up based on the principle of transparency and all that required by the GDPR, is divided into individual sections, each of which addresses a specific topic in such a way as to render reading quicker, easier and comprehensible.

The Data Controller of your Personal Data is Umbriafiere SpA which, pursuant to and for the purposes of EU Regulation 2016/679 (hereinafter, the “GDPR”) communicates that the aforementioned legislation establishes the protection of Data Subjects with respect to the processing of Personal Data and that such processing will be based on the principles of correctness, lawfulness, transparency and protection of your confidentiality and rights. Your Personal Data shall thus be processed in accordance with the provisions of the stated legislation and the confidentiality obligations therein.

A) Processing necessary for proper management of the relationship

Accounting and tax management
Purpose: active and passive invoicing; tax compliance
Processing type: in-house
Data type: common
Storage location: company headquarters
Processing duration: 10 years (data is erased 10 years after last use)

Supply contract management
Purpose: customer and supplier master data for drawing up contracts for the purchase and sale of goods and services
Processing type: in-house
Data type: common
Storage location: company headquarters
Processing duration: 5 years

Technical designs and Chamber of Commerce data
Purpose: carrying out technical activities, stand allocation and event services
Processing type: in-house
Data type: common
Storage location: company headquarters
Processing duration: limited to the set-up period

Legal practice management
Purpose: litigation and contract management
Processing type: external
Data type: common
Storage location: company headquarters
Processing duration: 5 years (the data will be retained for the minimum time necessary for management and legal obligations)

Tax returns, financial statements and corporate documents
Purpose: fulfilment of legal requirements in tax and corporate matters
Processing type: external
Data type: common
Storage location: company headquarters
Processing duration: data will be retained for the minimum time required by taxation and civil law

B) Processing necessary for the provision of additional information and services

Contact management for marketing purposes
Purpose: contact details of recipients of communications regarding sales, events, catalogues and competitions
Processing type: in-house
Data type: common
Storage location: company headquarters
Processing duration: data will be retained for the minimum time necessary

The processing of functional data for fulfilment of these obligations is necessary for the proper management of the relationship, with the provision of such data being mandatory for implementation of the purposes set out in Point A) above. Failing to provide the information or providing only partial or inexact details may render it impossible for us to fulfil our commercial contractual obligations. The Data Controller also makes it known that failure to provide the information or the incorrect communication of any of the mandatory details may make it impossible for the Data Controller to guarantee the suitability of the processing itself. Moreover, the provision of your data for the specific purposes under Point B) is optional, however refusal shall render it impossible for Umbriafiere SpA to process your request and to contact you. In any case, you may revoke your consent – even partially – such as by consenting only to traditional contractual arrangements.

The Personal Data of minors under 16 years of age will not be processed by the Data Controller, unless authorised by the holder of parental responsibility.

The Data Controller has a legitimate interest in transferring Personal Data to internal Group companies for in-house administrative, analytical and reporting purposes.

Method of processing and parties outside the company to whom your Personal Data may be disclosed
Your Personal Data (including given name, surname, address, email address, telephone number, address of residence and/or domicile, date and place of birth and tax code) may be processed in paper and/or computerised form, exclusively by persons authorised to process the data and by persons designated as Data Processors and/or appointed to conduct such processing in compliance with the GDPR so as to correctly perform all processing activities necessary to pursue the purposes set out in this Policy.
Your Personal Data may be disclosed to public bodies or judicial authorities, where required by law or to prevent or suppress the commission of a crime, and in any case to:

• The lawful recipients of communications required by law or regulations (such as, for example, public offices or authorities);
• Companies and/or associates and/or individual professional firms and their contractors for managing administrative and tax services used to fulfil their legal or contractual obligations.

All processing is carried out in accordance with the methods set out in Articles 6 and 32 of the GDPR and through the adoption of suitable security measures.

Persons within the company to whom your Personal Data may be disclosed
Your data is communicated exclusively to competent and duly-appointed persons for the performance of the services necessary for proper management of the relationship, with guaranteed protection of the rights of the Data Subject.
Your data shall only be processed by personnel expressly authorised by the Data Controller and, in particular, by the following categories of authorised persons:

• Internal data processors with administrative, accounting and commercial functions.

Your Personal Data will be processed by the Data Controller within the territory of the European Union. Should it become necessary due to technical and/or operational reasons to avail of entities located outside the European Union, we can ensure you that such entities will be appointed as Data Processors pursuant to and for the purposes of Article 28 of the GDPR and that the transfer of your Personal Data to such entities, limited to the performance of certain processing activities, shall be governed by a specific appointment contract in compliance with the guarantees and protections set out in the GDRP. All necessary precautions will be implemented in order to ensure the full protection of your Personal Data, basing such transfer on the assessment of appropriate safeguards including but not limited to the decisions regarding the adequacy of Third Country Recipients expressed by the European Commission, along with the appropriate safeguards expressed by the Third Party Recipient pursuant to Article 46 of the GDPR.
In any event, you may request further details from the Data Controller if your Personal Data has been processed outside the European Union, in asking for evidence of the specific safeguards adopted.

Please note that, in accordance with the principles of lawfulness, purpose limitation and data minimisation, pursuant to Article 5 of the GDPR, your Personal Data will be retained for the period necessary to pursue the purposes related to Point A) above. In particular, your Personal Data will be processed for the minimum necessary period of time, being until the termination of the existing contractual relationship between you and the Data Controller, without prejudice to an additional retention period that may be imposed by law. Your data shall be retained for a further period in connection with the purposes of contestation and eventual litigation.

You have the right to obtain from the Data Controller the erasure (Right to be Forgotten), limitation, updating, rectification and portability of your Personal Data, to object to its processing, as well as being able to exercise in general all rights set out under Articles 15, 16, 17, 18, 19, 20, 21 and 22 of the GDPR.
EU Regulation 2016/679: Articles 15, 16, 17, 18, 19, 20, 21 and 22 – Rights of the Data Subject

1. The Data Subject has the right to obtain confirmation of the existence or not of their own Personal Data, even if not yet registered, and its communication in an intelligible form.
2. The Data Subject has the right to be informed in regards to:
   • The origin of Personal Data;
   • The purposes and modalities of processing;
   • The logic applied in the event of processing carried out with the aid of electronic instruments;
   • The identification details of the Data Controller, the Data Processor and the representative designated pursuant to Article 5(2);
   • The entities or categories of entities to whom the Personal Data may be communicated or who may become aware of the data in their capacity as designated representative(s) in the Italian territory, as Data Processor(s) or person(s) in charge of processing.
3. The data subject has the right to achieve:
   • The updating, rectification or – whereby in their interest – integration of the data;
   • The erasure, transformation into anonymous form or blocking of data processed in breach of the law, including data whose retention is not necessary in relation to the purposes for which the data was collected or subsequently processed;
   • Certification that the operations referred to in Points A) and B) have been brought to the attention, also in regards to their content, of those to whom the data has been communicated or disseminated, except whereby such proves impossible or involves a manifestly disproportionate amount of effort compared with the right that is to be protected;
   • Data portability.
4. The Data Subject has the right to object, in whole or in part:
   • For legitimate reasons, to the processing of Personal Data concerning them, even if pertinent to the purpose of collection;
   • To the processing of Personal Data concerning them for the purpose of sending advertising or direct sales material or for carrying out market research or commercial communications.

You may exercise your rights by contacting [email protected], attaching a copy of your identity document.
In any case, you will always have the right to lodge a complaint with the competent Supervisory Authority (Personal Data Protection Authority), pursuant to Article 77 GDPR, if it is considered that the processing of your data is contrary to applicable Privacy legislation.