INFORMATION DOCUMENT ON PERSONAL DATA PROCESSING PURSUANT TO AND FOR THE
PURPOSES OF ART. 13 OF REGULATION (EU) 2016/679
In compliance with Regulation (EU) 2016/679, we hereby provide the necessary information
regarding the processing of personal data provided by you. The information is not to be
considered valid for other websites that may be consulted through links present on the
domain websites of the Controller, who is not to be considered in any way responsible
for the websites of third parties.
This information is also provided pursuant to art. 13 of Regulation (EU) 2016/679. The
information is also based on Recommendation no. 2/2001, adopted on 17th May 2001 by the
European authorities for the protection of personal data, assembled in the Group
established by art. 29 of Directive 95/46/EC, in order to identify certain minimum
requirements for the collection of personal data online, in particular the manner,
timing and nature of the information that Data Controllers must provide to Users when
they connect to web pages, regardless of the purposes of the connection; it is also
based on the provisions of Directive 2002/58/EC, as updated by Directive 2009/136/EC,
on Cookies, and the provisions of the Ordinance issued by the Authority for the
protection of personal data on 08.05.2014 on Cookies.
1. Data Controller and Data Processor
The Data Controller, pursuant to Article 4.7 of Regulation (EU)
2016/679 is Exa Srl - Via Donat Cattin, 123 - 52100 Arezzo, Italy, tel. +39 0575 315354,
The Data Processor, pursuant to article 4.8 of Regulation
(EU) 2016/679 is, among others, WEBSOLUTE S.p.A, with registered office in Strada della
Campanara, 15 - 61122 Pesaro (PU), Italy.
2. Types of Data processed
Personal and identifying data
Identifying Data: personal data that allow the direct identification of the Data Subject
(such as, for example, name, surname, e-mail address, address, telephone number, etc.).
Personal Data: any information relating to a natural person who is identified or
identifiable, also indirectly, by way of any other item of information, including a
personal ID code.
The computer systems and software procedures used to operate this Website acquire,
during their normal operation, some personal data whose transmission is implicit in the
communication protocols of the Internet. This information is not collected to be
associated with identified Data Subjects, but by their very nature could, through
processing and association with data held by third parties, allow Users to be
identified. This category of data includes IP addresses or domain names of computers
used by Users connecting to the Website, the URI (Uniform Resource Identifier)
addresses of the requested resources, the time of the request, the method used to
submit the request to the server, the size of the file obtained in reply, the numerical
code indicating the status of the response from the server (successful, error, etc.)
and other parameters regarding the operating system and the User’s IT environment. This
data is used only to obtain anonymous statistical information on the use of the site
and to check its correct functioning.
Defence in legal proceedings
The User's Personal Data may be used for defence by the Data Controller in legal
proceedings or in the phases preparatory to their possible establishment. The data could
be used to ascertain responsibility in the event of hypothetical computer crimes
against the Website.
The User’s Personal Data may be processed with additional methods and purposes related
to system maintenance.
Data provided voluntarily by the User
The optional, explicit and voluntary sending of electronic mail to the addresses
indicated on this Website or the compilation of data collection forms (if any),
involves the subsequent acquisition of the sender's address, necessary to respond to
the requests, as well as any other personal data entered.
Specific policies may be presented in the pages of the Website in relation to particular
services or processing of Data provided by the User or the Data Subject.
We also have a policy for the processing of personal data contained in the CVs that we
receive. This policy is automatically transmitted to the User when he or she sends a CV
to one of our e-mail addresses.
3. Legal basis and purpose for processing and legitimate interest
Pursuant to art. 6, paragraph 1, letter b, the personal data voluntarily provided will
be processed for the following purposes, until you object:
browsing this Website;
any contact request, with the sending of information requested by you;
possible sending of curriculum vitae;
possible filling in of data collection forms in dedicated areas.
4. Data processing and storage method
The processing will be carried out in automated and manual form, with methods and tools
aimed at ensuring maximum security and confidentiality, by persons specifically
appointed to do so in compliance with the provisions of art. 32 of Regulation (EU)
2016/679. The data will be stored for a period not exceeding the purposes for which the
data was collected and subsequently processed. The processing connected to the web
services offered by this Website will physically take place on third-party hosting.
5. Scope of communication, dissemination and transfer of data abroad
Your Data, object of processing, will not be disclosed and may be communicated to
companies contractually linked to Exa srl within the European Union, in accordance with
and within the limits of art. 44 of Regulation (EU) 2016/679, in order to comply with
contracts or related purposes.
Your data may be communicated to third parties belonging to the following categories:
firms or companies in the context of assistance and consultancy relationships;
competent authorities, to fulfil legal obligations and/or provisions by public
bodies, on request.
The subjects belonging to the above categories carry out the function of Data Processor,
or they operate in total autonomy as separate Data Controllers. The list of processors
is constantly updated and is available at the corporate headquarters of Exa srl, Via
Donat Cattin, 123 - 52100 Arezzo, Italy.
6. Automated process and profiling
The processing of your Data will not be subject to automated processing or profiling.
7. Nature of the provision and refusal
Apart from what is specified about navigation data, the User is free to provide their
personal data. The provision of data is optional but necessary.
Failure to provide the data marked with the symbol * may make it impossible to obtain
what is required or to use the Data Controller’s services.
This Website and the Data Controller’s services are not intended for children under the
age of 18. The Data Controller does not knowingly collect any personal information
about minors. In the event that information on minors is involuntarily recorded, the
Data Controller shall delete it in a timely manner, at the Users’ request.
9. Rights of the Data Subject
You can assert your rights as expressed in Regulation (EU) 2016/679 of the European
Parliament and of the Council of 27 April 2016, by contacting the Data Controller
calling our headquarters at +39 0575 315354 or sending an e-mail to firstname.lastname@example.org,
or by mail to the Company’s registered office in Via Donat Cattin, 123 - 52100 Arezzo,
Pursuant to article 13, paragraph 2, and articles 15 to 22 of the Regulation, we inform
you that with regard to the processing of your personal data you may exercise the
Right to access the personal data and the following
- the confirmation as to whether personal data concerning
him or her are being processed;
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the
personal data have been or will be disclosed;
- where the personal data are not collected from the Data
Subject, any available information as to their source;
- the existence of automated decision-making, including
- a copy of personal data object of the processing
Right to rectification and the right to have incomplete
personal data completed;
Right to erasure (‘right to be forgotten’) where one of the
following grounds applies:
- the personal data are no longer necessary in relation to
the purposes for which they were collected or otherwise processed;
- the Data Subject withdraws consent to the data processing
and where there is no other legal ground for the processing;
- the Data Subject objects to the processing and there are no
overriding legitimate grounds for the processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a
legal obligation in Union or Member State law to which the Controller is subject.
Where the Controller has made the personal data public and is
obliged to erase the personal data, the Controller shall inform other controllers which
are processing the personal data that the Data Subject has requested the erasure by
such controllers of any links to, or copy or replication of, those personal data.
Right to restriction of processing where one of the following
- the accuracy of the personal data is contested by the Data
Subject, for a period enabling the controller to verify the accuracy of the personal
- the processing is unlawful, and the Data Subject opposes
the erasure of the personal data and requests the restriction of their use instead;
- the Controller no longer needs the personal data for the
purposes of the processing, but they are required by the Data Subject for the
establishment, exercise or defence of legal claims;
- the Data Subject has objected to processing pending the
verification whether the legitimate grounds of the controller override those of the
The right to lodge a complaint with a Supervisory Authority for
the protection of personal data, following the procedures and indications
published on the official Website of the Authority: www.garanteprivacy.it
Right to data portability: The Data Subject shall have
the right to receive the personal data concerning him or her, which he or she
has provided to a Controller, in a structured, commonly used and
machine-readable format and have the right to transmit those data to another
controller without hindrance from the controller to which the personal data
have been provided, where the processing is based on consent or a contract and
the processing is carried out by automated means. In exercising his or her
right to data portability, the Data Subject shall have the right to have the
personal data transmitted directly from one controller to another, where
Right to object at any time to processing of personal data,
including profiling based on those provisions:
- the processing takes place on the basis of the legitimate
interest of the Controller, after the grounds for the opposition have been explained;
- where personal data are processed for direct marketing
The Data Subject shall have the right not to be subject to a decision based
solely on automated processing, including profiling,
but shall not apply if the decision: is necessary for entering into, or
performance of, a contract between the Data Subject and a Data Controller, or
is authorised by Union or Member State law to which the Controller is subject
or is based on the Data Subject's explicit consent.
Right to withdraw consent at any time.
The exercise of the rights is not subject to any form of restriction and is free of
10. Changes to the Privacy Policy
The Data Controller reserves the right to modify, update, add or remove parts of this
required to check any changes periodically. In order to facilitate this verification,
the policy will indicate the date on which it was last updated. The use of the Website
after the publication of the changes is an acceptance of the policy.