GDPR Notice

Personal Data Processing Notice
Articles 12 et seq. of EU Regulation 2016/679 (GDPR)

Subject: Personal data processing notice according to Articles 12 et seq. of EU Regulation 2016/679

Introduction - EU Regulation 2016/679 (“General Data Protection Regulation”), hereinafter GDPR) safeguards natural persons with reference to processing of their personal information. According to that law, processing of personal details referring to a subject, specifically defined as the “data subject”, is based on the principles of correctness, lawfulness and transparency and protection of the subject’s privacy and rights. We are providing this notice to inform you that, in compliance with the above rules and in relation to the contract or relationship you have with us, our organisation has some of your personal data obtained orally, directly or through third parties who carry out tasks regarding you or who obtain information and share it with us to satisfy your request. Since these data are to be considered “personal data”, according to the GDPR they must therefore benefit from the safeguards put in place by the aforesaid provisions. According to the above legislation, you are a data subject who benefits from rights that protect your personal data. In accordance with Articles 12 et seq. of the GDPR, as the Data Controller, our organisation will process the personal data provided by you in compliance with the law, with utmost care by implementing effective procedures and processes for safeguarding the processing of your personal details. To this end, by using tangible procedures for safeguarding the data collected, the writer is committed to protecting the information disclosed so as to avoid unauthorised access and dissemination, keeping them accurate and ensuring that they are used appropriately.

Based on this introduction, the following information is supplied:

Personal data collected - As the Data Controller, the writer uses your personal data for carrying out its business at best.
You may be asked to provide the following data, even partially:
  • personal data, tax ID, VAT Reg. No., business name, registered office, residence, domicile and contact details;
  • data related to contractual relationship describing the type of contract, information related to its execution necessary for fulfilment of the same contract;
  • accounting data related to economic relations, sums due and payments, their periodic trend, a summary of the accounting status of the relationship;
  • data for better defining the relationship with our organisation, making our collaboration more effective and our operations more efficient;
  • data related to: Your employees and/or collaborators, information about the service performed or your business.
Data retention period - The data collected will be kept for the whole term of the contract or collaboration with our organisation and for 10 years from the termination date of the contract. If during the term of the contract data not related to administrative or accounting obligations are processed, these data will be kept for the time required for achieving the purposes for which they were collected and then erased. You will be informed with notices about the retention period of those data when they are collected.

Obligatory or optional nature of providing data and the consequences of your refusal - Essential data for furthering the contractual relationship must be given to the writer, as well as necessary details for obligations provided by laws, regulation, EU provisions, and the provisions of the authorities authorised by the law or by supervisory and control bodies.
Non-essential data for furthering the contractual relationship must be qualified and considered supplementary information and supplying those, if asked, is optional. However, refusing to supply these details will make the way our organisation handles relations with third parties less efficient.
In the event “sensitive data or data whose processing involves specific risks” are essential for executing the contract or fulfilment of certain services or legal obligations, supplying those data is obligatory, and since their processing is only permitted with the consent of the data subject (pursuant to Arts. 9 and 10 of the GDPR), you should also give your consent for their processing.

Processing methods - In accordance with and due to the effects of Articles 12 et seq. of the GDPR, we wish to inform you that the personal data supplied by you will be recorded, processed and kept in our hard copy and electronic files in compliance with adequate technical and organisational measures referred to in Art. 32 of the GDPR. Processing of your personal Information can consist of any task or series of tasks including the ones specified in Art. 4, paragraph 1, point 2 of the GDPR.
Personal data will be processed by using suitable instruments and procedures for ensuring security and confidentiality and may be carried out directly and/or through delegated third parties, manually by using hard copies, and by using IT means or electronic instruments. For the purposes of handling our relations correctly and fulfilling legal obligations, your data may be entered in internal records of the Data Controller and if necessary in records and registers obligatory by law.

Tasks entrusted to organisations abroad - While going about his business, the Data Controller can occasionally ask service providers to perform certain services on his behalf, such as processing or other services, for example; performances necessary for execution of required tasks or services; dispatches and deliveries; accounting records; administrative tasks. If the service provider delegated by the Data Controller for carrying out certain tasks is a company that carries out payment, collection, treasury, banking or financial intermediation services, the following services could be provided: mass processing related to payments, bills, cheques and other securities; transmission, envelop stuffing, transport and sorting of communications; filing of records, survey of financial risks; fraud prevention controls; credit collection. The aforesaid service providers will only be provided necessary information for performing the services requested, they are forced to comply with privacy laws and are forbidden to use the data supplied for any other purpose than the one agreed upon. Service providers not delegated by us as processors shall be appointed Processors in accordance with Art. 28 of the GDPR and will process data only as strictly necessary for supplying the service requested and only for the same purpose and will also guarantee that their delegates have signed a confidentiality agreement. For matters not specified herein, these subjects shall provide a specific notice on personal data they process.

Transfer of personal data abroad - The data provided by you will only be processed in Italy. If during the term of the contract your data are processed in a country not belonging to the EU, the rights given to you by EU legislation will be guaranteed and you will be notified immediately.

Purpose of processing your personal data - The main purpose of processing your personal data the writer intends to achieve is to allow for the administrative relations specified in the introduction to be established and/or continue properly.
In particular, the purposes of the processing are as follows:
  • Administrative and accounting
  • Tax compliance requirements or fulfilment of accounting obligations;
  • Customer management such as customer administration; administration of contracts, orders, dispatches and invoices; reliability and solvency checks;
  • Handling disputes such as defaults on contracts; reminders; transactions; credit collections; arbitrations; judicial disputes;
  • - Internal checking services on security, productivity, quality of services, integrity of assets;
  • Looking after commercial and marketing activities such as market analysis and surveys;
  • Promotional activities;
  • Survey of customer satisfaction level;
Personal data will be processed for fulfilling legal obligations and for administrative, insurance and tax obligations provided by applicable legislation and for achieving accounting and commercial purposes, or to be able to regularly fulfil contractual and legal obligations deriving from legal relations with the data subject. Data supplied can be used for contacting the data subject during market researches regarding the products or services or the range of supplies or commercial campaigns. The data subject is free to choose not to give his or her consent for these purposes and specify the methods with which he or she wishes to be contacted or receive commercial notices.

Persons who may know your data - The following categories of subjects appointed as processors or delegates by the writer may learn your data:
  • Employees or collaborators in general working in
    • Protocol and internal secretariat offices;
    • Employees in charge of accounting and billing;
    • Workers looking after production and commercialisation of products and services;
    • Workers in the marketing department;
  • Consultants appointed to provide our organisation with advice, assistance and services;
  • Members of supervisory bodies;
  • Our agents, representatives and distributors;
Personal information may be known by subjects with agreements with the writer, specified in the paragraph entitled “Processing methods”. To such subjects the writer may delegate fulfilment of certain obligations or performance of certain acts required for execution of the on-going relationship with the data subject.

Disclosure and dissemination - Your data may be disclosed, meaning making one or more subjects aware of it, by the writer outside of the company for implementing all necessary legal and/or contractual obligations. In particular, your data may be disclosed to:
  • Public entities, public officers, supervisory authority based on legal and/or contractual obligations;
  • bank and/or credit institutes for looking after payments stemming from the contract;
Your data may be disclosed by the writer:
  • to subjects who may access your data by virtue of provisions of law, EU regulations and legislation, within the limits provided by such rules;
  • the subjects who need to access your data for purposes related to the on-going relationship between us, as strictly necessary for carrying out related tasks, such as credit institutes and couriers;
  • our consultants and/or professionals, as strictly necessary for carrying out their assignment at our or their organisation, subject to being appointed by us as processors obliging them to keep your data confidential and secure.
At any rate, your data will only be disclosed to service providers for carrying out acts regarding fulfilment of relations which may take place with the Data Subjects the data refer to.
Dissemination - The writer will not disseminate your data indiscriminately. In other words, your data will not be made known to a wide range of subjects, even by making them available or for viewing.
Trust and confidentiality - The writer values the trust demonstrated by data subjects who gave their consent to the processing of their personal Information, and consequently undertakes not to sell or rent personal data to others.

Rights referred to in Articles 15 et seq. of GDPR - According to Art. 15 of the GDPR, you have the right to obtain confirmation as to the existence of your personal data even if they have not yet been recorded. Exercise of these rights is subject to verifying the identity of the data subject by submission of ID, which will not be kept by the writer, but looked at for verifying justification for the request.
You have the right to access your personal data and the following information:
  • a) the purposes of the processing;
  • b) the categories of personal data processed;
  • c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in other countries or international organisations;
  • d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • e) where the personal data are not collected from the data subject, any available information as to their source;
  • f) the existence of an automated decision-making process, including profiling, referred to in Article 22, paragraphs 1 and 4 and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
When personal data are transferred to another country or to an international organisation, you have the right to be informed about appropriate safeguards pursuant to Art. 46 of the GDPR. You have the right to ask the data controller for rectification or erasure of your personal data or restriction of processing of personal data and to object completely or partially to such processing.

In order to exercise these rights, you may contact our Personal data controller by sending a letter to Sesa SpA, Via Mantova, 12 - Olgiate Olona (VA). The Data Controller will answer you within 30 days from receipt of your formal request.
You should remember that in case there has been a breach of your personal data, you may lodge a complaint with the concerned authority: The Italian Data Protection Supervisor.

Identification of the Data Controller and the Representative in the State or Data Processor, if any.
Data Controller - Data Controller: Carlo Umberto Santori. Tel.: 031 631388; Fax: 0331 677313; certified email:

Processors - Playing the role of processors are external companies with which a contract has been signed and which need to receive your personal data for fulfilment of such agreements.
To know the names of Processors, when appointed, and to know the names of the persons appointed for performing such function in future, every data subject may send a letter of request to the Data Controller at the address provided above.
It should be clarified that the Processors specified above do not respond to requests for exercising the rights of data subjects referred to in Articles 15 et seq. of the GDPR. As the Data Controller, this task is only looked after by the writer.

Processing not requiring the consent of the data subject - It is clarified that although the writer does not have your consent, he has the right to process your personal data when necessary for:
  • fulfilment of an obligation imposed by law, regulations or community provisions;
  • fulfilling obligations deriving from a contract you are a party to or for fulfilling certain requests you made prior to conclusion of the contract.
Your consent is not required when processing:
  • 1) regards data obtained from public registers, lists, deeds and documents anyone can know, notwithstanding the limits and procedures established by laws, regulations and EU regulations for knowing and publicising data or data related to carrying on an economic activity, processed in compliance with business and industrial secrecy regulations in force;
  • 2) is necessary for saving a life or for the safety of a third party. In such case, the data controller is required to inform the data subject about processing of personal details by sending a notice, even after processing, without delay. In such cases, consent is given after the notice has been provided.
  • 3) excluding dissemination, is necessary for conducting investigations for defending one’s rights, referred to in Law No. 397 of 7 December 2000, or for asserting or defending a right in court, provided that the data are processed only for such purposes for the time strictly necessary for achieving the purpose, in compliance with business and industrial secrecy regulations in force;
  • 4) excluding dissemination, is necessary in the cases found by the Italian Data Protection Supervisor, based on principles of law, for the purposes of the legitimate interests pursued by the data controller or by a third-party recipient of the data, even in reference to the activities of banking groups and subsidiaries or associated companies, when the fundamental rights and freedoms, dignity or lawful Interest of the data subject prevail.

The Personal Data Controller
Sesa SpA

Legal Representative Carlo Umberto Santori