Privacy Policy
According to Articles 13 and 14 of EU Regulation 2016/679
Dear Data Subject,
Datrix Group has always valued the protection of personal data of its customers and users.
Through this document (“Policy“), we intend to renew our commitment to ensure that the processing of personal
data by any means is carried out in full compliance with the protections and rights recognized by Regulation (EU)
2016/679 (“GDPR” or “Regulation“) and other applicable rules on the protection of personal data.
The term personal data refers to the definition contained in the Article 4.1 of the Regulation, i.e. “any information
relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who
can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an
identification number, location data, an online identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that natural person (the “Personal
Data“).
The Regulation provides that, before processing – by this term should be understood, according to the relevant
definition contained in the Article 4.2 of the Regulations, “any operation or set of operations which is performed
on personal data or on sets of personal data, whether or not by automated means, such as collection, recording,
organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or
destruction;” (the “Processing“) – Personal Data, it is necessary that the person to whom such Personal Data
belongs is informed of the reasons for which such data is requested and how it will be used.
For this reason, this Policy – drafted based on the principle of transparency and all the elements required by
Article 13 of the Regulations – aims to provide you, simply and intuitively, with all the useful and necessary
information so that you can give your Personal Data in a conscious and informed way.
Any time, you can request and obtain clarifications or corrections.
A. DATA CONTROLLER AND JOINT CONTROLLER
Under Article 26 of the Regulations, the companies that will process your Personal Data for the purposes outlined in
this Policy and that, therefore, will act as data controllers or joint controllers, are the companies belonging to
the Datrix Group, specifically:
- Datrix S.p.A.
- 3rdPlace S.r.l.
- FinScience S.r.l.
- PaperLit S.r.l.
- ByTek S.r.l.
(individually the “Controller“, jointly “Datrix Group“).
The companies have their registered office in Foro Buonaparte n. 71, 20121 – Milano.
Datrix Group drafted an arrangement, through which the individual companies have committed themselves to jointly:
- determine specific purposes and methods of Processing your Personal Data;
- decide, clearly and transparently, the procedures to provide you with timely feedback should you wish to
exercise your rights, as provided for in Articles 15, 16, 17, 18 and 21 of the Regulation as well as in the
cases of portability of Personal Data provided for in Article 20 of the Regulation; - define this Policy in the parts of common interest, indicating all the information provided by the Regulations.
The necessary content of the agreement is available at the Datrix Group available upon request to the contacts
mentioned in Section G.
B. CONTACT DETAILS OF THE DATA PROTECTION OFFICER
To facilitate relations between you, as the Data Subject, and the Controllers, the Datrix Group has adopted the
figure of the “Data Protection Officer”, identifying and appointing, according to Article 37 of the Regulation, SAPG
Legal Tech S.r.l. (“DPO“).
The DPO, under and for Article 39 of the Regulation, is called upon to perform, among others, the following
activities:
- advising the Datrix Group and the employees carrying out the Processing operations on the obligations arising
from the Regulation as well as from other provisions of the Union or of the Member States relating to the
protection of Personal Data; - monitoring and supervising compliance with the Regulation, the applicable regulations on the protection of
Personal Data and the policies and procedures adopted by the Datrix Group; - provide support in the feedback to the Data Subject;
- cooperate with the competent Authority for the Protection of Personal Data.
According to Article 38 of the Regulations, you may freely contact the DPO for all matters relating to the Processing
of your Personal Data and
if you wish to exercise your rights as provided for in this Privacy Policy, by sending a written communication
to dpo.privacy@sapglegal.com.
C. PURPOSE AND LEGAL BASIS OF THE PROCESSING
The Datrix Group, to allow navigation and your registration to its websites (the “Website“) gather your
Personal Data as well as navigation data (including through cookies), following the policies in the relative CMP
that appear on the Websites when you first access them.
You can change your preferences on navigation cookies at any time by clicking here.
Each Data Controller will conduct the Processing of your Personal Data to allow you to:
- get in touch with the company
- send requests for information
- apply for job positions
- download free resources
- use all the other services provided from time to time by the Website in which you are browsing
To allow the Data Controller to carry out the Processing it will be necessary to provide Personal Data marked as
“mandatory”.
Such Processing will be lawful under Article 6.1, letter b) of the Regulations.
Suppose you fail to provide even one of the marked data. In that case, it will not be possible to process your
Personal Data and, consequently, it will not be possible to respond to your requests and benefit from the services
(provided through the Websites) for which you are required to provide Personal Data.
The Personal Data that will be requested from you for the pursuit of the above purposes will be those indicated in
the registration and contact form, i.e., by way of example and without limitation: name, surname, e-mail address,
telephone numbers of mobile users.
In this case, you will be able to view this Policy in the Privacy Policy section of the Website where you are
browsing.
No Personal Data belonging to the particular categories referred to in Article 9 of the Regulations are processed.
In addition to the above purposes, your Personal Data may be processed to provide you with a better service and to
promote products and services of your interest supplied and promoted by Datrix Group.
Concerning these purposes (including direct marketing), under Article 6.1 letter f) of the Regulation and Article 130
paragraph 4 of the Italian Privacy Code (so-called “soft spam exception”), the Datrix Group may carry out this
activity based on their legitimate interest, regardless of your explicit consent and in any case up to your
opposition or limitation (in accordance with the provisions of Section F, letter f). d) and f) of the Policy) to
such Processing, as better explained in Recital 47 of the Regulation, in which it is “considered legitimate interest
of the data controller to process personal data for direct marketing purposes”.
The choice mentioned above it is possible as a result of the assessments made by the Data Controller regarding the
potential prevalence of your interests, rights and fundamental freedoms that require the protection of Personal Data
over your legitimate interest in sending direct marketing communications.
Moreover, you may legitimately oppose the receipt of promotional communications at any time, without prejudice in any
way to the Processing for other purposes.
D. SUBJECTS TO WHOM YOUR PERSONAL DATA MAY BE COMMUNICATED
Your Personal Data may be disclosed to specific entities the considered recipients of such Personal
Data. Article 4, point 9) of the Regulation, defines as the recipient of a Personal Data “the natural or legal
person, public authority, service or other body receiving communication of personal data, whether or not a third
party” (the “Recipients”).
From this point of view, to correctly carry out all the processing activities necessary to pursue the purposes set
out in this Privacy Policy, the following Recipients may find themselves in a position to process your Personal
Data:
- third parties which carry out part of the Processing and activities connected and instrumental on behalf of a
Data Controller or the Datrix Group. These subjects have been appointed as Data Processors, being
understood individually by this expression, under Article 4 point 8) of the Regulation, “the natural or legal
person, public authority, service or other body processing Personal Data on behalf of the Data Controller”
(“Data Processor“); - individuals, employees and collaborators of a Data Controller or of the Datrix Group, who have been entrusted
with specific or multiple processing activities on your Personal Data. These individuals have been given
specific instructions regarding the security and correct use of Personal Data and are defined, following Article
4 point 10) of the Regulation, as “persons authorized to process Personal Data under the direct authority of the
Data Controller or the Data Processor” (the “Authorized Persons“).
Where required by law or to prevent or repress the commission of a crime, your Personal Data may be communicated to
public bodies or judicial authorities without them being defined as Recipients. According to Article 4.9 of the
Regulation, “public authorities that may receive communication of Personal Data in the context of a specific
investigation in accordance with Union or Member State law are not considered Recipients”.
E. PROCESSING PERIOD
One of the principles applicable to the Processing of your Personal Data concerns the limitation of the period of
storage, regulated by Article 5.1 letter e) of the Regulation which states that “Personal Data are stored in a form
that allows the identification of the Data Subject for a time not exceeding the achievement of the purposes for
which they are processed; Personal Data may be stored for longer periods provided that they are processed
exclusively for purposes of archiving in the public interest, for scientific or historical research or statistical
purposes, under Article 89, paragraph 1, without prejudice to the implementation of appropriate technical and
organizational measures required by these Regulations to protect the rights and freedoms of the Data Subject”.
In light of this principle, your Personal Data will be processed by Datrix Group only to the extent necessary for the
pursuit of the purpose set out in Section C of this Policy.
In particular, your Personal Data will be processed for a period of time equal to the minimum necessary, as indicated
in Recital 39 of the Regulations, i.e. until the termination of the contractual relationship between you and the
Data Controller, without prejudice to a further period of storage that may be imposed by law as also provided for in
Recital 65 of the Regulations.
Concerning the Processing carried out to achieve the other purposes set out in this Policy, the Datrix Group may
legitimately process your Personal Data until you communicate, in one of the ways set out in the Information Notice,
your desire to limit or oppose the Processing. Any such limitation or opposition will, in fact, require the Datrix
Group to stop processing your Personal Data for such purpose.
F. RIGHTS OF DATA SUBJECTS
As provided for by Article 15 of the Regulations, you may access your Personal Data, request its correction and
updating, if incomplete or incorrect, request its deletion if it has been collected in violation of a law or
regulation, and oppose its Processing for legitimate and specific reasons.
In particular, here below, you will find all the rights that you may exercise, at any time, against a Data
Controller.
Right of access
You will have the right, according to Article 15.1 of the Regulations, to obtain confirmation from the Data
Controller as to whether or not your Personal Data is being processed and, if so, to get access to such Personal
Data and the following information: a) the purposes of the Processing; b) the categories of Personal Data in
question; c) the Recipients or categories of Recipients to whom your Personal Data has been or will be communicated,
in particular if Recipients from third countries or international organizations; d) when possible, the period of
retention of the Personal Data envisaged or, if this is not possible, the criteria used to determine this period; e)
the existence of the right of the Data Subject to ask the Data Controller to correct or delete Personal Data or to
limit the Processing of Personal Data concerning him/her or to object to their Processing; f) the right to lodge a
complaint with a supervisory authority; g) if Personal Data are not collected from the Data Subject, all available
information on their origin; h) the existence of an automated decision-making process, including the profiling
referred to in Article 22, paragraphs 1 and 4, of the Regulation and, at least in such cases, significant
information on the logic used, as well as the importance and expected consequences of such Processing for the Data
Subject.
All this information can be found in this Policy, which will always be available to you in the Privacy Policy section
of the Websites.
Right of rectification
You will be able to obtain, under Article 16 of the Regulations, the rectification of your Personal Data that is
inaccurate. Taking into account the purposes of the Processing, you will also be able to obtain the integration of
your Personal Data that is incomplete, even by providing an additional statement.
Right to cancellation
You may obtain, under Article 17.1 of the Regulations, the deletion of your Personal Data without unjustified delay
and the Data Controller will be obliged to delete your Personal Data if there are even one of the following reasons:
- your Personal Data is no longer necessary for the purposes for which it was collected or otherwise
processed; - you have revoked the consent on which the Processing of your Personal Data is based, and there is no other legal
basis for its Processing; - you have opposed the Processing under Article 21, paragraph 1 or 2, of the Regulations and there is no longer
any prevailing legitimate reason to process your Personal Data; - your Personal Data has been processed unlawfully; e) it is necessary to delete your Personal Data to comply with
a legal obligation provided for by a Community or national law.
In some cases, as provided for by Article 17.3 of the Regulation, the Data Controller is entitled not to delete your
Personal Data if their Processing is necessary.
For example, for the exercise of the right to freedom of expression and information, for the fulfilment of a legal
obligation, for reasons of public interest, for archiving in the public interest, for scientific or historical
research or statistical purposes, for the ascertainment, exercise or defense of a right in court.
Right of Limitation of Processing
You will be able to obtain the limitation of the Processing, according to the Article 18 of the Regulations, in case
one of the following hypotheses applies:
- you have challenged the accuracy of your Personal Data (the limitation will continue for the period necessary
for the Controller to verify the accuracy of such Personal Data); - the Processing is unlawful, but you have opposed the deletion of your Personal Data by requesting, instead, that
its use be limited; - although the Controller no longer needs it for the Processing, your Personal Data is used for discovering,
exercising or defending a right in court; - you have opposed the Processing under Articles 18 and 21.1 of the Regulations, and you are waiting for the
verification of whether the legitimate reasons of the Data Controller prevail over your own.
In case of limitation of the Processing, your Personal Data will be processed, except for storage, only with your
consent or to ascertain, exercise or defend a right in court or to protect the rights of another natural or legal
person or for reasons of public interest. We will inform you, in any event, before such limitation is lifted.
Right to data portability
You may, at any time, request and receive, under Article 20.1 of the Regulations, all your Personal Data processed by
the Data Controller in a structured, commonly used and readable format or request its transmission to another data
controller without hindrance. In this case, it will be your responsibility to provide us with all the exact details
of the new data controller to whom you intend to transfer your Personal Data by giving us written authorization.
Right of opposition
According to Article 21.2 of the Regulations and as also reiterated in Recital 70, you may object, at any time, to
the Processing of your Personal Data if it is processed for direct marketing purposes, including profiling to the
extent that it is related to such direct marketing.
Right to lodge a complaint with the supervisory authority
Without prejudice to your right to appeal in any other administrative or judicial venue, if you believe that the
Processing of your Personal Data conducted by the Data Controller violates the Regulations and applicable law, you
may complain at the competent Data Protection Authority.
G. CONTACTS
To exercise all your rights as identified above, you shall contact the Datrix Group by sending an e-mail to privacy@datrixgroup.com.
Please note that, at any time, you may also contact the Datrix Group’s DPO in the manner provided in Section B of
this Policy.
H. PLACES OF PROCESSING
Your Personal Data will be processed by the Datrix Group within the territory of the European Union.
Should it be necessary, for technical and operational reasons, to make use of subjects located outside the European
Union, we hereby inform you that such subjects will be appointed as Data Processors according to and for the
purposes of Article 28 of the Regulation and the transfer of your Personal Data to such subjects, limited to the
performance of specific processing activities, will be regulated in accordance with the provisions of Chapter V of
the Regulation.
Therefore, all necessary precautions will be taken to ensure the fullest protection of your Personal Data, based on:
(a) decisions of adequacy of the recipient third countries expressed by the European Commission; (b) adequate
guarantees expressed by the recipient third party pursuant to Article 46 of the Regulation; (c) the adoption of
binding corporate rules, so-called binding corporate rules; (d) the adoption of standard contractual clauses
approved by the European Commission.
In any case, you may request further details from the Datrix Group if your Personal Data has been processed outside
the European Union by requesting evidence of the specific guarantees adopted.