Privacy and Cookie Policy

Website privacy policy

This website belongs to the company Urmet S.p.A., which processes the data collected through the website as Data Controller.

The Data Controller guarantees the security, confidentiality and protection of the data obtained or that it will obtain at any stage during the processing of data, in compliance with the provisions of GDPR 679/16 and respecting business secrecy.

This website contains links or references to other third-party websites over which the Data Controller has no control. Such links are provided for user convenience and the Data Controller disclaims any and all liability in connection with such third-party websites and makes no representations as to the accuracy or exhaustiveness of the information contained therein.

This privacy policy is for persons who access and view the Urmet S.p.A. website, pursuant to art. 13 GDPR 679/16 - "European General Data Protection Regulation".

This cookie policy therefore describes the ways that Urmet S.p.A. uses cookies and similar technologies to collect and store information when the user visits the website or receives emails from the company.

Processing Methods

The computer systems and software procedures used to operate this website acquire, during their normal operation, certain personal data, the transmission of which is implicit in the use of Internet communication protocols.

This is information that, by its nature, through processing and association with data held by third parties, can identify users.

Cookie Policy, Pixel Tags, and JavaScript Tags

The website uses session and persistent cookies, technical, analytical, and profiling, in addition to pixel tags and/or JavaScript tags, to collect and store some user-related information. A cookie is a small data file that the website sends and saves on the user's hard drive and/or device (both hereinafter referred to as "computer"); subsequently, when the user accesses the website, the cookies stored on the computer will send information to the entity that sent them. Session cookies are used, for example, to navigate the website without having to re-enter login data and are then deleted from the user's computer once the browser is closed. Persistent cookies remain on the user's computer after the browser is closed but can be deleted at any time using browser settings. Cookies are also divided into "first-party cookies" and "third-party cookies." First-party cookies are set directly by Urmet S.p.A. on the user's computer, solely for the purpose of recognizing them on subsequent visits.

Third-party cookies are sent by an independent service provider operating on behalf of the company and can be used by that third-party service provider to recognize the user when visiting the company's website or third-party sites. Although the company may grant third-party service providers access to the website to send these cookies to users' computers in accordance with applicable laws, as outlined in this cookie policy, the company does not control the information collected by cookies nor does it retain access to such data, which is immediately communicated to the third parties collecting it.

This information is entirely controlled by the third-party service provider in accordance with its respective privacy policy. Pixel tags can also be used in emails sent by Urmet S.p.A. For more information on cookies, visit:

www.allaboutcookies.org or www.youronlinechoices.eu

By using the company's website, the user consents to the use and communication of cookies and pixel tags/JavaScript tags not associated with transactions as described in this policy, unless they revoke such consent and prevent use by modifying their computer's technical settings as described below:

How to disable or delete cookies
If you want to prevent the browser from accepting cookies, be informed every time a cookie is stored on your computer, or delete existing cookies, make the appropriate changes using Internet browser settings, generally accessible from the "Help" or "Internet Options" sections. Refer to the links below:

If you disable or delete cookies through Internet browser settings, some functions or features of this website may not be accessible. Additionally, the user may be prompted to re-enter their login data, and the general use of the website may be limited. If all cookies are deleted from the browser or a different browser or computer is used, the user will need to complete the consent revocation procedure again.

Purpose of Using Cookies, Pixel Tags, and JavaScript Tags

This website uses the following cookies for the purposes listed below:

Urmet S.p.A. uses session cookies to store selected products in the shopping cart and to allow a registered user who has logged in to stay connected to the website. Session cookies store relevant information along with the user's IP address and cookie identification code. These session cookies are transaction-associated cookies necessary for the use of the website, and their use does not require the user's consent.

.          Urmet S.p.A. may also use a permanent cookie to store the user's login data, which they will not need to re-enter each time they visit the website. This function can only be activated if the user checks the box below the login window that informs the user of the presence of this function.

.          Urmet S.p.A. may also set a permanent cookie the first time the user visits the website to recognize them as a visitor and determine whether they have visited the online store for consumers or the one for business customers. This cookie is updated with a date and time indicator each time the user returns to the website and stores information about the products viewed to show the user personalized products on the website's home page based on previously detected preferences. If the user is a registered customer, ABCD can enter a permanent cookie that tracks the time and date of visits, whether the user is registered as a business or consumer customer; this cookie can be associated with user transaction data to show the user personalized products on the website's home page based on previously detected preferences.

Social Media Tools

The Urmet S.p.A. website provides access to social media tools provided by social network platforms such as Facebook, Google, LinkedIn, and Twitter. The user who decides to use these tools by activating a social media tool may share certain personal data with their friends and these social network platforms. Sharing activities are subject to the privacy policies of each social network. Specifically, social network tools are also offered for Facebook to allow Facebook to share user and friend information with registered users while browsing our Urmet S.p.A. website.

For example, social plugins allow Facebook to show user and friend "Likes" on the pages of our products when the user is logged into Facebook while browsing the Urmet S.p.A. website. The company has no control over the information collected by these social media tools and has no access to such data. This information is entirely controlled by the social network in accordance with its respective privacy policy. For more information, visit the websites of the respective social networks.

Data Controller Identity

The Data Controller for the processing activities indicated below is the company Urmet S.p.A., with registered office at Via Bologna 188/C, 10154 Turin, represented by its legal representative pro tempore.

Identity of the Data Protection Officer

The Data Controller has appointed the Data Protection Officer, who can be reached at the headquarters of the Joint Data Controller or contacted via email at dpo@urmet.it.

Purpose of Processing

To provide a quality service, the site requests certain information from the browser. This includes browsing preferences, login information, and frequently viewed pages. This information helps better understand user needs in order to provide an ever-improving service.

Legal Basis for Processing

The use of technical cookies is a processing carried out in the legitimate interest of the Data Controller; the use of other cookies is carried out with the consent of the data subject.

Data Recipients

Personal data processed by the Data Controller is not disclosed, i.e., not made known to undetermined subjects in any form, including making it available or simply consulting it. However, it may be communicated to workers employed by the Data Controller, external subjects collaborating with it designated as Data Processors or authorized to process data as they operate under the authority of the data controller.

They may also be communicated, within the strictly necessary limits, to subjects who, for the purpose of fulfilling your requests, must provide goods or perform services on behalf of the Data Controller. Finally, they may be communicated to subjects authorized to access them under the law, regulations, and community regulations.

In particular, based on the roles and job duties performed, workers have been authorized to process your personal data within the limits of their skills and in accordance with the instructions given to them by the Data Controller.

External subjects operating under the authority of the Data Controller have also been duly authorized based on the type of service provided, the processing carried out, and the nature of the data processed.

External subjects to whom the Data Controller has entrusted the processing of personal data have been designated Data Processors.

Data Transfer

In no case does the Data Controller transfer personal data to third countries or international organizations.

However, it reserves the right to use cloud services; in this case, service providers will be selected from those who provide adequate guarantees, as provided for in Article 46 of the GDPR 679/16.

Data Retention

The Data Controller retains and processes personal data for the time necessary to fulfill the indicated purposes. In this case, navigation data is retained for six months.

Refusal to Provide Data

The data subject may refuse to provide the Data Controller with their navigation data.

To do so, they must disable cookies following the instructions provided by the browser in use.

Disabling cookies may worsen navigation and the use of site features.

Data Subject Rights

With reference to Articles 15 – right of access, 16 - right of rectification, 17 – right to erasure, 18 – right to restriction of processing, 20 – right to data portability, 21 – right to object, 22 – right to not be subject to automated decision-making of the GDPR 679/16, the data subject exercises their rights by writing to the Data Controller at the above address or by email, specifying the subject of their request, the right they intend to exercise, and attaching a copy of an identity document proving the legitimacy of the request.

The Data Controller particularly recalls that every data subject can exercise the right to object in the forms and manners provided for in Article 21 of the GDPR.

Further information on the data subject's rights is provided at the bottom of this section.

Complaint Submission

The data subject has the right to submit a complaint to the supervisory authority of their country of residence.

Automated Decision-Making Processes

In no case, with regard to the processing activities indicated below, does the Data Controller carry out processing consisting of automated decision-making on the data of individuals.

Privacy policy for the sales network, resellers, installers and technical partners

The companies URMET S.p.A., Urmet TLC S.p.A., Simon Urmet S.r.l., Urmet ATE S.r.l., Aprimatic S.r.l., GLT S.r.l. are part of a group of companies with the same shareholding structure, offering complementary and often integrated products and services.

Within this group of companies, URMET S.p.A. provides various services to the other companies in the areas of HR, ICT, marketing, and sales.

In particular, these companies, addressing the same network of retailers and installers of intercom, video intercom, video recording, alarm systems, home automation, and automation products, as well as the same technical partners promoting, advising, recommending, installing, performing maintenance, repair, and replacement of our products, act as Joint Data Controllers for the processing pursuing the following commercial and technical objectives:

·          providing support services to retailers and installers;

·          managing the commercial relationship with retailers and installers;

·          sending useful information and technical and regulatory updates;

·          proposing professional development and support initiatives;

·          reminding or notifying deadlines and obligations;

·          inviting to seminars, meetings, sessions;

·          sending catalogs and other product presentation materials;

·          sending technical, informational, and update documentation;

·          admission to technical and value-added services;

·          information about technical update initiatives and professional training;

·          admission to seminars, courses, professional development sessions;

·          proposing new products and services;

·          preparation of practices for participation in tenders, competitions, etc.;

·          conducting aggregate formative surveys.

Therefore, if you are a retailer or installer and come into contact with any of the above-mentioned Joint Data Controllers, it may happen that you are asked for some personal data. For this reason, we provide you with the following information:

Identity of the Joint Data Controllers

The Joint Data Controllers for the processing of personal data of data subjects are:
Urmet S.p.A., represented by its legal representative pro tempore, with registered office in via Bologna 188/C – Turin;

Urmet TLC S.p.A., represented by its legal representative pro tempore, with registered office in via Bologna 188/C – Turin;

Simon Urmet S.r.l., represented by its legal representative pro tempore, with registered office in via Bologna 188/C – Turin;

Urmet ATE S.r.l., represented by its legal representative pro tempore, with registered office in via Bologna 188/C – Turin;

Aprimatic S.r.l., represented by its legal representative pro tempore, with registered office in via Bologna 188/C – Turin;

GLT S.r.l., represented by its legal representative pro tempore, with registered office in via Bologna 188/C – Turin.

Contact details of the DPO – Data Protection Officer

The Data Controller of the processing, Urmet S.p.A., has appointed the Data Protection Officer, who can be reached at the Data Controller's headquarters or contacted via email at the address dpo@urmet.it.

Source of data and type of collected data

a)          The Data Controllers collect personal data provided voluntarily by the user at the time of registration on the website of any of the Data Controllers or when performing a transaction through the website, in addition to other personal data associated with order processing. This personal data includes: Title, first and last name, company name, VAT number (if applicable), email address, username and password, shipping and billing address (including postal code, city, and country), phone and fax number, type and quantity of ordered products, order date, order processing status, date and time of delivery, order value, currency, payment information, return requests, or user offers, and the following information provided voluntarily by the user: how they became aware of the website, company data, number of employees, and, for corporate customers, the founding date of the company (collectively "transaction data").

b)          The Data Controllers also collect data on user website usage, such as IP address, viewed products; if the user arrives at the website through a referral page or a link in a promotional email or advertisement on another website that redirects to a Data Controller's website. The Data Controllers may also collect information about the referral page and promotional email or targeted advertisement along with the user's IP address to analyze the effectiveness of marketing operations (collectively "usage data").

Purpose of processing

Personal data is processed by the Data Controllers for the following purposes:

1)               Transaction data will be used to process orders, manage payments, communicate with the user regarding the order, handle product returns, customer assistance requests, and perform product withdrawals. They will also be used to acquire pre-contractual data and information; exchange information aimed at the execution of the contractual relationship, including pre- and post-contractual activities; make requests or fulfill received requests; manage accounting and tax obligations.

2)               Transaction data will also be used to send personalized messages to the data subject or invitations to review products; usage data, in the case of registered customers, will be used together with transaction data (excluding payment information) to display personalized products on the website based on user-expressed interests.

3)               If the user requests the sending of marketing communications and newsletters, their transaction data and usage data will be analyzed by the Data Controllers to send personalized commercial communications based on the indicated preferences.

4)               Finally, the data will be used to manage and control risks, prevent possible fraud, insolvencies, or non-compliance; prevent and manage potential disputes, and resort to legal action if necessary.

Legal basis for processing

The legal basis for processing is as follows:

.          Processing is necessary for the performance of a contract to which the data subject is a party or for the execution of pre-contractual measures taken at the request of the data subject, as far as the processing listed in point 1) is concerned;

.          The data subject has given consent to the processing of their personal data for one or more specific purposes, as far as the processing listed in point 2) is concerned;

.          Execution of pre-contractual measures taken at the request of the data subject and legitimate interest of the data controller (maximizing the effectiveness of communications), as far as the processing listed in point 3) is concerned;

.          Processing is necessary for the pursuit of the legitimate interest of the data controller (protection and prevention of fraud and insolvencies), as far as the processing listed in point 4) is concerned.

Data recipients

Personal data processed by the Data Controllers is not disclosed, meaning it is not made known to indeterminate subjects in any possible form, including making it available or simply consulting it. Instead, it may be communicated to employees working for the Data Controllers or to authorized subjects for processing under the authority of the data controller. In this regard, Urmet S.p.A. has entrusted third-party service providers with respect to the operation of the website, such as hosting service providers, marketing and website service providers, IT maintenance service providers, shipping services, and VAT verification services, as well as service providers that allow the integration of other functions into the website that the user can use at their discretion, such as chat tools or the product review function. These service providers, designated as Data Processors, are only provided with the personal data they need to deliver their respective services, and they are not allowed to use or disclose the personal data of the data subjects for other purposes without the prior authorization of the data subject.

If the data subject requests the sending of marketing communications and newsletters from one of the Data Controllers, their name, email address, and other transaction and usage data will be shared to analyze the user's interests and send personalized commercial communications based on the indicated preferences.

The user's transaction data is shared to allow them to manage any product withdrawals and for the Data Controllers to contact the user in this eventuality.

They may also be communicated, to the extent strictly necessary, to subjects who, for the purpose of processing your requests, must provide goods or perform services on behalf of the Data Controllers. Finally, they may be communicated to subjects authorized to access them by virtue of legal provisions, regulations, and community regulations.

In particular, based on the roles and job duties performed, employees have been authorized to process your personal data within the limits of their competencies and in accordance with the instructions given to them by the Data Controllers.

External subjects operating under the authority of the Data Controllers have also been appropriately authorized based on the type of service provided, the processing carried out, and the nature of the data processed.

External subjects to whom the Data Controllers have entrusted the processing of personal data have been designated as Data Processors.

Data Transfer

Under no circumstances do the Data Controllers transfer your personal data to third countries or international organizations.

However, they reserve the possibility of using cloud services; in which case, service providers will be selected from those who provide adequate guarantees, as provided for in Article 46 of GDPR 679/16.

Data Retention

The Data Controllers retain and process your personal data for the time necessary to fulfill the specified purposes. Subsequently, personal data will be stored, and not further processed, for the period established by current provisions in civil and tax law.

Rights of the Data Subject

With reference to Articles 15 - right of access, 16 - right to rectification, 17 - right to erasure, 18 - right to restriction of processing, 20 - right to data portability, 21 - right to object, 22 - right not to be subject to automated decision-making of GDPR 679/16, you can exercise your rights by writing to the Data Controller Urmet S.p.A. at the address above, or by email at dpo@urmet.it, specifying the subject of the request, the right you intend to exercise, and attaching a copy of an identity document that attests to the legitimacy of the request.

The Data Controller particularly reminds that each data subject can exercise the right to object in the forms and manners provided by Article 21 of the GDPR.

Further information on the rights of the data subject is provided at the bottom of this section.

Withdrawal of Consent

With reference to Article 7 of GDPR 679/16, the data subject can withdraw the consent given at any time.

However, some processing covered by this information (points 1) and 4)) is lawful and allowed, even in the absence of consent, as it is necessary for the execution of a contract of which the data subject is a party, or for the fulfillment of his requests, or to pursue the legitimate interests of the data controller.

The withdrawal of consent, where applicable, may limit or compromise the methods of interaction and communication of the customer or user with one or more Data Controllers.

Submission of Complaint

The data subject has the right to submit a complaint to the supervisory authority of the state of residence.

Refusal to Provide Data

Data subjects cannot refuse to provide the Data Controllers with personal data necessary to comply with the legal regulations governing commercial transactions and taxation.

The provision of additional personal data may be necessary to improve the quality and efficiency of the transaction.

Therefore, refusal to provide data required by law will prevent order processing. The additional data indicated in point a) of the "Source of Data and Type of Data Collected" paragraph is provided voluntarily; however, if the data subject decides not to provide the requested data, one or more Data Controllers may not be able to provide services, allow the completion of the transaction through the website, or process the order.

The data indicated in point b) is provided voluntarily by the data subject, and if the data subject decides not to provide the requested data, the provision of products and services will not be compromised.

Automated Decision-Making Processes

In no case do the Data Controllers carry out treatments consisting of automated decision-making processes on your data.

Privacy policy for those who fill out the online forms

Identity of the Data Controller

The Data Controller for the processing activities indicated below is the company Urmet S.p.A. located at Via Bologna 188/C, 10154 Turin, represented by its legal representative pro tempore.

Identity of the Data Protection Officer

The Data Controller has appointed the Data Protection Officer, who can be reached at the headquarters of the Data Controller or contacted via email at dpo@urmet.com.

Source of Data and Type of Collected Data

The processed personal data are those provided by filling out the form, possibly integrated with data taken from public directories or already known, ensuring, in any case, the coherence of the processing.

Purpose of Processing

Personal data are processed to fulfill requests made by filling out online forms. Additionally, the data, including email addresses, will be included in archives and used (also considering the General Provision of the Guarantor G.U. July 1, 2008, No. 188/C, formulation 6, points a, b, c) for sending, including via email, technical, promotional, and commercial communications regarding products and services similar to those for which requests have been made.

Legal Basis for Processing

The legal basis for processing is constituted by the execution of a contract of which the data subject is a part or the fulfillment of their requests.

Data Recipients

The personal data processed by the Data Controller are not disclosed, meaning they are not made known to undetermined subjects in any possible form, including making them available or simple consultation. Instead, they may be communicated to employees working for the Data Controller, to external subjects collaborating with it designated as Data Processors or authorized to process data as they operate under the authority of the data controller.

They may also be communicated, strictly within the necessary limits, to subjects who, for the purpose of processing your requests, need to provide goods or perform services on behalf of the Data Controller. Finally, they may be communicated to subjects authorized to access them by virtue of legal provisions, regulations, and community norms.

In particular, based on the roles and tasks performed, employees have been authorized to process your personal data within the limits of their skills and in accordance with the instructions given to them by the Data Controller.

External subjects operating under the authority of the Data Controller have also been duly authorized based on the type of service provided, the processing carried out, and the nature of the data processed.

External subjects to whom the Data Controller has entrusted the processing of personal data have been designated as Data Processors.

Data Transfer

In no case does the Data Controller transfer personal data to third countries or international organizations.

However, the Data Controller reserves the possibility of using cloud services; in this case, service providers will be selected from those that provide adequate guarantees, as envisaged by Art. 46 GDPR 679/16.

Data Retention

The Data Controller retains and processes personal data for the time necessary to fulfill the stated purposes. Specifically, data entered in online forms is kept for two years.

Refusal to Provide Data

The data subject may refuse to provide the Data Controller with their data.

However, failure to provide data could compromise or make it impossible to respond to or process the requests.

Rights of the Data Subject

With reference to Articles 15 – right of access, 16 - right of rectification, 17 – right to erasure, 18 – right to restriction of processing, 20 – right to data portability, 21 – right to object, 22 - right to object to automated decision-making of GDPR 679/16, the data subject exercises their rights by writing to the Data Controller at the address above, or by email, specifying the subject of their request, the right they intend to exercise, and attaching a photocopy of an identity document attesting to the legitimacy of the request.

The Data Controller particularly recalls that every data subject can exercise the right to object in the forms and ways provided for by Art. 21 GDPR.

Further information on the rights of the data subject is provided at the end of this section.

Withdrawal of Consent

With reference to Article 7 of GDPR 679/16, the data subject can withdraw consent at any time if previously given.

However, the processing covered by this information is lawful and permitted, even without consent, as it is necessary for the execution of a contract of which the data subject is a party, or for the fulfillment of their requests.

Filing a Complaint

The data subject has the right to file a complaint with the supervisory authority of their country of residence.

Automated Decision-Making Processes

Under no circumstances, with regard to the processing indicated below, does the Data Controller carry out processing that involves automated decision-making on the data of individuals.

Privacy policy for recipients of the printed catalogue

This information is provided to recipients of the shipment of the printed catalog, pursuant to Article 13 of the GDPR 679/16
– "European Regulation on the Protection of Personal Data."

Identity of the Data Controller

The Data Controller for the processing outlined below is the company Urmet S.p.A., with its registered office at Via Bologna 188/C, 10152 Turin, represented by its legal representative pro tempore.

Identity of the Data Protection Officer

The Data Controller has appointed the Data Protection Officer, who can be reached at the headquarters of the Data Controller or contacted by email at dpo@urmet.it.

Source of Data

The personal data of recipients of the printed catalog are in the archives of the Data Controller as a result of:

·           previous purchase orders,

·           spontaneous registration on the website,

·           submission of requests, or they have been collected from third parties, such as directory managers or address providers, including, in particular, the Yellow Pages and other directories.

Purpose of Processing

The personal data of catalog recipients are processed for:

·           sending the catalog (considered pre-contractual activity),

·           acquiring, managing, and processing orders, as well as complying with administrative, legal, and tax obligations,

·           post-contractual activities, such as Customer Service.

Legal Basis of Processing

The legal basis is constituted by the necessity to fulfill pre-contractual, contractual, and post-contractual obligations.

Data Recipients

The personal data processed by the Data Controller is not disclosed, meaning it is not made known to indeterminate subjects in any possible form, including providing or simply consulting. Instead, it may be communicated to workers employed by the Data Controller, external subjects collaborating with it designated as Data Processors, or authorized to process data as they operate under the authority of the data controller.

They may also be communicated, strictly within the necessary limits, to subjects who, for the purpose of processing your requests, need to provide goods or perform services on behalf of the Data Controller. Finally, they may be communicated to subjects authorized to access them under the provisions of laws, regulations, and community regulations.

In particular, based on the roles and tasks performed, workers have been authorized to process your personal data, within the limits of their skills and in compliance with the instructions given to them by the Data Controller.

External subjects operating under the authority of the Data Controller have also been duly authorized based on the type of service provided, the processing carried out, and the nature of the processed data.

External subjects to whom the Data Controller has entrusted the processing of personal data have been designated as Data Processors.

Data Transfer

The Data Controller does not transfer personal data to third countries or international organizations under any circumstances.

However, the Data Controller reserves the right to use cloud services; in such cases, service providers will be selected from those who provide adequate guarantees, as provided for in Article 46 of GDPR 679/16.

Data Retention

The Data Controller retains and processes personal data for the time necessary to fulfill the specified purposes. In this case, the data is retained for two years.

Refusal to Provide Data

The data subject has the right to refuse to provide the Data Controller with their data.

However, failure to provide data may compromise or make it impossible to respond to or process requests.

Rights of the Data Subject

With reference to Articles 15 – right of access, 16 - right of rectification, 17 – right to erasure, 18 – right to restriction of processing, 20 – right to data portability, 21 – right to object, 22 - right to object to automated decision-making of GDPR 679/16, the data subject exercises their rights by writing to the Data Controller at the address above or by email, specifying the subject of their request, the right they intend to exercise, and attaching a copy of an identity document to attest to the legitimacy of the request.

The Data Controller specifically recalls that every data subject has the right to object in the forms and ways provided for by Article 21 of GDPR.

Additional information about the rights of the data subject is provided at the bottom of this section.

Withdrawal of Consent

With reference to Article 7 of GDPR 679/16, the data subject can revoke the consent given at any time.

However, the processing covered by this information is lawful and permitted, even without consent, as it is necessary for the execution of a contract of which the data subject is a party.

Filing a Complaint

The data subject has the right to file a complaint with the supervisory authority of their country of residence.

Automated Decision-Making Processes

In no case, with regard to the processing indicated below, does the Data Controller carry out treatments that consist of automated decision-making processes on the personal data of individuals.

Privacy policy for newsletter subscribers

This information is provided to the recipients of the shipment of the paper catalog, in accordance with Article 13 of the GDPR 679/16
– "European Regulation on the Protection of Personal Data."

Data Controller's Identity

This privacy policy is addressed to those who subscribe to the newsletter in accordance with Article 13 of the GDPR 679/16 - "General Data Protection Regulation."

Data Controller's Identity

The Data Controller referred to below is Urmet S.p.A., located at Via Bologna 188/C, 10154 Turin, Italy, represented by the legal representative pro tempore.

Identity of the Data Protection Officer

The Data Controller has appointed the Data Protection Officer, reachable at the Controller's office or via email at dpo@urmet.it.

Data Source

The personal data processed are those entered in the registration form.

Purpose of the Processing

The personal data of the subscribers are processed for:

·           Sending the newsletter via email,

·           Conducting surveys and assessing satisfaction,

Legal Basis of the Processing

The legal basis is the data subject's consent expressed through an unequivocal positive action, namely, voluntary and free registration. The registration is also confirmed through a double opt-in procedure.

Data Recipients

The personal data processed by the Data Controller are not disclosed or in any way made known to undetermined subjects, even if made available or viewed. Instead, they may be communicated to workers operating for the Data Controller, to third parties collaborating with it as Data Processors, or who are authorized to process data under the authority of the Data Controller.

They may also be communicated, strictly as necessary, to subjects who, for the purpose of fulfilling your requests, need to provide goods or perform tasks or services on behalf of the Data Controller. Finally, they may be communicated to subjects authorized to access them by virtue of legal provisions, regulations, and community legislation.

In particular, depending on their roles and duties, workers have been authorized to process your personal data within the limits of their responsibilities and in accordance with the instructions given to them by the Data Controller.

External subjects operating under the authority of the Data Controller have also been duly authorized based on the type of service provided, the processing carried out, and the nature of the data processed.

External subjects to whom the Data Controller has entrusted the processing of personal data have been designated as Data Processors.

Data Transfer

In no case does the Data Controller transfer personal data to third countries or international organizations.

However, it reserves the right to use cloud services, in which case service providers will be selected from those that provide adequate guarantees, as provided for in Article 46 of the GDPR 679/16.

Data Retention

The Data Controller retains and processes personal data for the time necessary to fulfill the specified purposes. In this case, data is kept until individuals unsubscribe from the mailing list or as long as email addresses remain active.

Withdrawal of Consent

With reference to Article 7 of the GDPR 679/16, the data subject can revoke the given consent at any time.

The withdrawal of consent, which can be done through the link provided at the bottom of the newsletter, results in the suspension of newsletter sending.

Refusal to Provide Data

The provision of personal data is optional, and the failure to provide them may, at most, result in the impossibility of receiving the newsletter.

Submitting a Complaint

The data subject has the right to submit a complaint to the supervisory authority in their country of residence.

Automated Decision-Making Processes

In relation to the specified treatments, in no case does the Data Controller carry out treatments consisting of automated decision-making processes regarding personal data of individuals.

Privacy policy for those who call the Contact Centre

This information is provided to individuals who call the "Contact Center," in accordance with Article 13 of the GDPR 679/16 – "European Regulation on the Protection of Personal Data."

Identity of the Data Controller

The Data Controller for the treatments indicated below is the company Urmet S.p.A., located at Via Bologna 188/C, 10154 Turin, represented by its legal representative pro tempore.

Identity of the Data Protection Officer

The Data Controller has appointed the Data Protection Officer, who can be reached at the headquarters of the joint Data Controller or contacted via email at dpo@urmet.it.

Data Source

Personal data is provided voluntarily by the data subject during the phone call.

Purpose of the Processing

Personal data is processed to handle requests made by users over the phone to obtain maintenance and support services for facilities, systems, and connections; installation and programming services; delivery of products and equipment; reporting faults; and requests for various information. At the end of the call, in order to improve the quality of the main Customer Service processes and more effectively guide the training of the staff, users are asked to voluntarily and anonymously participate in a survey expressing their judgment on the telephone service and the quality of the received technical assistance.

Legal Basis for Processing

Execution of a contract of which the data subject is a party or execution of pre-contractual measures taken at the request of the data subject (processing of telephone requests).

Legitimate interest of the Data Controller (survey).

Data Recipients

Personal data processed by the Data Controller is not disclosed, i.e., it is not made known to indeterminate subjects in any possible form, including making it available or simply consulting it. Instead, it may be communicated to employees working for the Data Controller, to external subjects collaborating with it designated as Data Processors, or authorized to process data as they operate under the authority of the data controller.

They may also be communicated, within strictly necessary limits, to subjects who, for the purpose of processing your requests, need to provide goods or perform services on behalf of the Data Controller. Finally, they may be communicated to subjects authorized to access them under the provisions of laws, regulations, and community regulations.

In particular, based on the roles and work duties performed, employees have been authorized to process your personal data within the limits of their responsibilities and in accordance with the instructions given to them by the Data Controller.

External subjects operating under the authority of the Data Controller have also been duly authorized based on the type of service provided, the processing carried out, and the nature of the data processed.

External subjects to whom the Data Controller has entrusted the processing of personal data have been designated Data Processors.

Data Transfer

In no case does the Data Controller transfer personal data to third countries or international organizations.

However, it reserves the right to use cloud services; in this case, service providers will be selected from those who provide adequate guarantees, as provided for in Article 46 of GDPR 679/16.

Data Retention

The Data Controller retains and processes personal data for the time necessary to fulfill the specified purposes. In this case, the data is retained for two years.

Refusal to Provide Data

The data subject may refuse to provide the Data Controller with their data.

However, failure to provide the data may compromise or make it impossible to respond to or process requests.

Data Subject Rights

With reference to Articles 15 - right of access, 16 - right of rectification, 17 - right to erasure, 18 - right to restriction of processing, 20 - right to data portability, 21 - right to object, 22 - right to object to automated decision-making of GDPR 679/16, the data subject exercises their rights by writing to the Data Controller at the address above or by email, specifying the subject of their request, the right they intend to exercise, and attaching a copy of an identity document to attest to the legitimacy of the request.

The Data Controller particularly emphasizes that every data subject can exercise the right to object in the forms and ways provided for in Article 21 of the GDPR.

Further information on the data subject's rights is provided at the bottom of this section.

Withdrawal of Consent

With reference to Article 7 of GDPR 679/16, the data subject can withdraw consent at any time. However, it is highlighted that the processing covered by this information is lawful and permitted even in the absence of consent. In any case, consent can be denied by ending the phone call.

Refusal to Provide Data

The data subject may refuse to provide their personal data as the provision is optional. However, their refusal to provide data may prevent the processing of incoming requests.

Automated Decision-Making Processes

In no case, concerning the processing indicated below, does the Data Controller carry out processing consisting of automated decision-making on the data of individuals.

Privacy policy for job applicants and those who voluntarily submit their CVs

This information is provided to those who, spontaneously or in response to a job search, submit their resumes, pursuant to Article 13 of GDPR 679/16 - "European Regulation on the Protection of Personal Data."

Identity of the Data Controller

The Data Controller for the treatments indicated below is the company Urmet S.p.A., with registered office at Via Bologna 188/C, 10154 Turin, represented by its legal representative pro tempore.

Identity of the Data Protection Officer

The Data Controller has appointed the Data Protection Officer, who can be contacted at the Data Controller's office or by email at dpo@urmet.it.

Category of Data and Source of Processed Data

The Data Controller, by way of example and not exhaustively, will process the following categories of personal data: name, surname, date of birth, residence, email address, and telephone contacts, educational background, work experiences, and any additional data you include in the curriculum vitae and/or provide during evaluation interviews.

If there are irrelevant data in the curriculum you submitted concerning the purpose of evaluating your application, the Data Controller will refrain from using such information.

The personal data processed are those provided during:

.          sending the curriculum via email or the dedicated section of the Data Controller's website https://www.urmet.com/it-it/lavora-con-noi;

.          evaluation interviews;

.          direct contacts during exhibitions, fairs, etc.;

.          reports from third parties;

.          social networks (e.g., Facebook: https://www.facebook.com/UrmetOfficial/, LinkedIn: https://www.linkedin.com/company/urmet-spa/, etc.) through which the Data Controller has published announcements.

Purpose of Processing

The personal data of those who spontaneously or in response to a job search send their curriculum vitae are processed for purposes related to the evaluation and selection for a job position at the Data Controller or companies connected to the Data Controller. Alternatively, it is processed to possibly propose other job offers in the future at the Data Controller or companies connected to the Data Controller consistent with the professional profile of the data subject.

Legal Basis for Processing

The legal basis is:

.          the execution of pre-contractual measures taken at your request;

.          consent expressed through the free decision to send the CV;

.          compliance with legal obligations required by law or at the request of the public authority;

.          the pursuit of the legitimate interest to prevent or stop fraudulent activities or harmful abuses for the site and to exercise the rights of the Data Controller, for example, the right to defend in court.

Data Retention

The data mentioned so far will be stored in paper archives and computer databases (servers and/or cloud) for a period not exceeding thirty months from the receipt of the CV via the website or email or from your last interaction with the website (access, data update, or CV upload), unless you express your willingness for an additional data retention period before the expiration of the aforementioned term.

Data Recipients

The personal data processed by the Data Controller is not disclosed, i.e., it is not made known to undetermined subjects in any form, including making it available or simple consultation. Instead, it may be communicated to the company functions interested in the candidate who work for the Data Controller, to external subjects collaborating with it designated as Data Processors or authorized to process it as they operate under the authority of the data controller. The data may also be communicated to companies connected to the Data Controller, which process the personal data of the data subject for the same purposes and in the same manner as described in this notice.

In particular, based on the roles and work duties performed, workers have been authorized to process your personal data within the limits of their competencies and in accordance with the instructions given to them by the Data Controller.

Data Transfer

Under no circumstances does the Data Controller transfer personal data to third countries or international organizations.

However, the possibility of using cloud services is reserved; in this case, service providers will be selected from those who provide adequate guarantees, as provided for in Article 46 of the GDPR 2016/679.

Data Subject Rights

With reference to Articles 15 – right of access, 16 - right to rectification, 17 – right to erasure, 18 – right to restriction of processing, 20 – right to data portability, 21 – right to object, 22 - right to object to automated decision-making of GDPR 2016/679, the data subject can exercise their rights by writing to the Data Controller at the address of the registered office mentioned above, or by email at dpo@urmet.it, specifying the subject of their request, the right they intend to exercise, and attaching a photocopy of an identity document that attests to the legitimacy of the request.

The Data Controller particularly emphasizes that every data subject can exercise the right to object in the forms and ways provided for by Article 21 of the GDPR 2016/679.

Further information on data subject rights is provided at the bottom of this notice.

Consent Revocation

With reference to Article 7 of the GDPR 2016/679, the data subject can revoke any consent given at any time.

However, the processing subject to this notice is lawful and permitted, even without consent, as it is aimed at the execution of pre-contractual measures (the evaluation of the application and the selection of candidates) taken at the implicit request of the data subject.

Complaint Filing

The data subject has the right to file a complaint with the supervisory authority of their country of residence.

Refusal to Provide Data

The data subject may refuse to provide their personal data to the Data Controller.

The provision of data is optional, but any refusal to provide it in whole or in part may result in our inability to evaluate and select the application.

Automated Decision-Making Processes

The Data Controller does not carry out automated decision-making processes on the data of those who spontaneously or in response to a job search send their curriculum vitae.

Privacy policy for people who work for customers or suppliers

The management of the contractual relationship with customers and suppliers necessarily involves the processing of personal data (identifying information, phone numbers, email addresses) related to individuals with whom contact is made.

This information is therefore provided in accordance with Article 13 of the GDPR 2016/679 – "European Regulation on the Protection of Personal Data" to individuals who operate at customers and suppliers.

Due to the difficulty of sending it directly to the interested parties, the information is made available to customers and suppliers, with a request to notify it to the interested parties.

Identity of the Data Controller

The Data Controller for the treatments indicated below is the company Urmet S.p.A. with registered office at Via Bologna 188/C, 10154 Turin, represented by its legal representative pro tempore.

Identity of the Data Protection Officer

The Data Controller has appointed the Data Protection Officer, who can be reached at the Data Controller's office or contacted via email at dpo@urmet.it.

Data Source

The personal data processed are those provided by the data subject on the occasion of:

- visits or phone calls;
- direct contacts for participation in exhibitions, expos, etc.;
- proposal of offers;
- transmissions and transactions subsequent to the order.

Purpose of the Processing

The personal data of natural persons in contact are processed for:

·       forwarding communications of various kinds and through various means of communication (phone, mobile phone, SMS, email, fax, postal mail);

·       formulating requests or fulfilling received requests and proposals;

·       exchanging information aimed at the execution of the contractual relationship, including pre and post-contractual activities.

Legal Basis for the Processing

The legal basis is constituted by the necessity to fulfill pre-contractual, contractual, and post-contractual obligations.

Data Recipients

The personal data processed by the Data Controller is not disclosed, nor is it made known to undetermined subjects in any possible form, including making it available or simple consultation. Instead, they can be communicated to workers employed by the Data Controller, to external subjects who collaborate with it designated as Data Processors or authorized to process as they operate under the authority of the data controller.

They may also be communicated, strictly within the necessary limits, to subjects who, for the purpose of fulfilling your requests, must provide goods or perform services or tasks on behalf of the Data Controller. Finally, they may be communicated to subjects authorized to access them by virtue of legal provisions, regulations, and community regulations.

In particular, based on the roles and work tasks carried out, workers have been authorized to process your personal data within the limits of their competencies and in compliance with the instructions given to them by the Data Controller.

External subjects operating under the authority of the Data Controller have also been duly authorized based on the type of service provided, the processing carried out, and the nature of the data processed.

External subjects to whom the Data Controller has entrusted the processing of personal data have been designated as Data Processors.

Data Transfer

In no case does the Data Controller transfer personal data to third countries or international organizations.

However, it reserves the possibility of using cloud services; in this case, service providers will be selected among those who provide adequate guarantees, as provided for by Article 46 of GDPR 679/16.

Data Retention

The Data Controller retains and processes personal data for the time necessary to fulfill the specified purposes. In this case, the contact person's data is kept for two years following their cessation.

Rights of the Data Subject

With reference to Articles 15 (right of access), 16 (right of rectification), 17 (right to erasure), 18 (right to restriction of processing), 20 (right to data portability), 21 (right to object), and 22 (right not to be subject to automated decision-making) of GDPR 679/16, the data subject exercises their rights by writing to the Data Controller at the address above or by email, specifying the subject of their request, the right they intend to exercise, and attaching a copy of an identity document attesting to the legitimacy of the request.

The Data Controller specifically recalls that every data subject can exercise the right to object in the forms and ways provided for by Article 21 of the GDPR.

Further information on the data subject's rights is provided at the bottom of this section.

Revocation of Consent

With reference to Article 7 of GDPR 679/16, the data subject can revoke the consent given at any time.

However, the processing subject to this information is lawful and allowed, even in the absence of consent, as it is necessary for the performance of a contract of which the data subject is a party (the supply of products and services relationship).

Refusal to Provide Data

The data subject can refuse to provide their personal data to the Data Controller.

However, the provision of personal data is necessary for the proper and efficient management of the contractual relationship. Therefore, any refusal to provide it may compromise the contractual relationship in whole or in part.

Automated Decision-Making Processes

In no case, with regard to the processing indicated below, does the Data Controller carry out treatments consisting of automated decision-making processes on the personal data of natural persons.

Privacy policy for visitors

This information is provided to guests and, in general, to all individuals temporarily present at the premises of Urmet S.p.A., pursuant to Article 13 of GDPR 679/16 – "European Regulation on the Protection of Personal Data."

Identity of the Data Controller

The Data Controller for the treatments indicated below is the company Urmet S.p.A. with registered office at Via Bologna 188/C, 10154 Turin, represented by its legal representative pro tempore.

Identity of the Data Protection Officer

The Data Controller has appointed the Data Protection Officer, who can be reached at the headquarters of the Joint Data Controller, or contacted by email at dpo@urmet.it.

Data Source

The personal data processed is provided by the data subjects on the occasion of:

·    visits or interventions at the headquarters,

·    interviews or work sessions at the headquarters,

·    delivery or collection of goods, parcels, correspondence.

Purpose of the Processing

The personal data mentioned above are processed for the following purposes:

·    access control at the premises,

·    detection of presence within the premises,

·    identification of individuals for emergency management.

Legal Basis for the Processing

The personal data of guests are lawfully processed for:

·    compliance with a legal obligation (Emergency management),

·    legitimate interests of the Data Controller (access control and detection of presence within the premises).

Recipients of the Data

The personal data processed by the Data Controller is not disclosed, or made known to undetermined subjects, in any possible form, including making them available or simple consultation. Instead, they may be communicated to employees working under the authority of the Data Controller, external subjects collaborating with it designated as Data Processors or authorized to process the data as they operate under the authority of the Data Controller.

They may also be communicated, within the strictly necessary limits, to subjects who, for the purpose of fulfilling your requests, need to provide goods or perform services on behalf of the Data Controller. Finally, they may be communicated to subjects authorized to access them by virtue of legal provisions, regulations, or community norms.

In particular, based on the roles and job duties performed, employees have been authorized to process your personal data within the limits of their competencies and in accordance with the instructions given to them by the Data Controller.

External subjects operating under the authority of the Data Controller have also been duly authorized based on the type of service provided, the processing performed, and the nature of the data processed.

External subjects to whom the Data Controller has entrusted the processing of personal data have been designated Data Processors.

Data Transfer

Under no circumstances does the Data Controller transfer personal data to third countries or international organizations.

However, it reserves the right to use cloud services; in this case, service providers will be selected from those providing adequate guarantees, as provided for in Article 46 of GDPR 679/16.

Rights of the Data Subject

With reference to Articles 15 – right of access, 16 - right of rectification, 17 – right to erasure, 18 – right to restriction of processing, 20 – right to data portability, 21 – right to object, 22 - right to object to automated decision-making of GDPR 679/16, the data subject exercises their rights by writing to the Data Controller at the above address, or by email, specifying the subject of their request, the right they intend to exercise, and attaching a photocopy of an identity document to attest to the legitimacy of the request.

The Data Controller specifically reminds that every data subject can exercise the right to object in the forms and manners provided by Article 21 of the GDPR.

Additional information on the rights of the data subject is provided at the end of this section.

Data Retention

The recorded data will be deleted after one year from access.

Withdrawal of Consent

With reference to Article 7 of GDPR 679/16, the data subject can withdraw consent at any time if previously given. It is highlighted, however, that the processing subject to this information is lawful and permitted even in the absence of consent.

Refusal to Provide Data

The data subject can refuse to provide their personal data to the Data Controller as it is optional. However, their refusal to provide data will result in the inability to access the premises.

Automated Decision-Making Processes

Under no circumstances, with respect to the treatments indicated below, does the Data Controller carry out processes that consist of automated decision-making on the data of individuals.

Privacy policy for directors, statutory auditors and members of the Supervisory Body

This information is provided to the members of the Board of Directors, Auditors, and members of the Supervisory Body, pursuant to Article 13 of GDPR 679/16 – "European Regulation on the Protection of Personal Data".

Identity of the Data Controller

The Data Controller for the treatments indicated below is the company Urmet S.p.A. with registered office at Via Bologna 188/C, 10154 Turin, represented by its legal representative pro tempore.

Identity of the Data Protection Officer

The Data Controller has appointed the Data Protection Officer, who can be reached at the headquarters of the Co-Data Controller, or contacted by email at dpo@urmet.it.

Data Source

Personal data is provided voluntarily by the interested party upon acceptance of the appointment.

Purpose of the Processing

Personal data is processed to convene the Corporate Bodies and the Supervisory Body, to pay fees and compensation, and to comply with legal obligations in tax and social security matters, to make reports and expense reimbursements, and to draw up documents, reports, and other formal acts.

Legal Basis of the Processing

The processing is carried out for legal obligation and for the performance of a contract of which the data subject is a party or the performance of pre-contractual measures adopted at the request of the data subject.

Recipients of the Data

The personal data processed by the Data Controller is not disclosed, or made known to undetermined subjects, in any possible form, including making it available or simply consulting it. However, it can be communicated to employees working for the Data Controller, external subjects collaborating with it designated as Data Processing Managers, or authorized to process it as they operate under the authority of the data controller.

They can also be communicated, strictly within the necessary limits, to subjects who, for the purpose of processing your requests, must provide goods or perform services on behalf of the Data Controller. Finally, they can be communicated to subjects authorized to access them by virtue of legal provisions, regulations, community regulations.

In particular, based on the roles and work duties performed, employees have been authorized to process your personal data, within the limits of their skills and in compliance with the instructions given to them by the Data Controller.

External subjects operating under the authority of the Data Controller have also been appropriately authorized based on the type of service provided, the processing carried out, and the nature of the data processed.

External subjects to whom the Data Controller has entrusted the processing of personal data have been designated as Data Processing Managers.

Data Transfer

The Data Controller does not transfer personal data to third countries or international organizations under any circumstances.

However, it reserves the possibility of using cloud services; in this case, service providers will be selected from those who provide adequate guarantees, as provided for in Article 46 of GDPR 679/16.

Data Retention

The Data Controller retains and processes personal data for the time necessary to fulfill the specified purposes. In this case, data entered in online forms is retained for two years.

Data Subject's Rights

With reference to Articles 15 – right of access, 16 - right of rectification, 17 – right to erasure, 18 – right to restriction of processing, 20 – right to data portability, 21 – right to object, 22 - right not to be subject to automated decision-making of GDPR 679/16, the data subject exercises their rights by writing to the Data Controller at the address provided above, or by email, specifying the subject of their request, the right they intend to exercise, and attaching a photocopy of an identity document attesting to the legitimacy of the request.

The Data Controller particularly emphasizes that each data subject can exercise the right to object in the forms and manners provided for in Article 21 of GDPR.

Further information on the data subject's rights is provided at the bottom of this section.

Withdrawal of Consent

With reference to Article 6 of GDPR 679/16, the data subject can withdraw consent at any time. However, it is highlighted that the processing subject to this information is lawful and permitted even in the absence of consent, so the withdrawal of consent would have no effect on the processing.

Refusal to Provide Data

The provision of certain data (personal information, tax data) is mandatory for the purposes of assuming the office, administrative, and tax purposes. Some additional data (phone number, email address, etc.) are essential for managing organizational aspects. For this reason, their partial or incomplete communication could compromise the effective management of the relationship.

Automated Decision-Making Processes

In no case, with regard to the following treatments, does the Data Controller carry out processing consisting of automated decision-making processes on the data of natural persons.

Privacy policy for recipients of email messages

The contents of emails are to be considered confidential. Therefore the information therein or any attachments are reserved exclusively for the recipients. Persons or parties other than the recipients themselves, also pursuant to art. 616 of the Italian criminal code, are not authorised to read, copy, modify, forward the message to third parties. Those who receive our communication by mistake may not use it or bring it to the attention of anyone, but must delete it from the mailbox and notify the sender. The sender's authenticity and the contents are not guaranteed, except for digitally signed documents. Furthermore, pursuant to art. 13 GDPR 679/16, we inform you that our archives include email addresses of individuals, companies, organisations to which previous communications have been sent by email or by other means of communication or that have voluntarily and directly provided their email addresses. These addresses are used by us in compliance with the willingness of data subjects to receive emails from our company. We also inform you that all the mailboxes of the domain ".....@urmet.it" are company mailboxes and, as such, are used for work-related communications. Therefore, for operational needs any message, whether outgoing or incoming, could be read by parties other than the sender and/or the recipient.

In the event that data subjects wish to have their email address removed from our records, or to exercise the rights under Articles 15 – right of access, 16 - right of rectification, 17 – right to erasure, 18 – right to restriction of processing, 20 – right to data portability, 21 – right to object, 22 - right not to be subject to automated decision-making of GDPR 679/16, they can write to the Data Controller identified in the president, CEO, and legal representative pro tempore of the company Urmet S.p.A. located at Via Bologna 188/C – 10152 Turin.

Privacy policy for cloud service users

Urmet S.p.A. produces, distributes, and manages its own and third-party apps on its cloud platforms. Therefore, Urmet S.p.A. can process user data for cloud services both as the Data Controller (own cloud services) and as the Data Processor designated by Data Controllers who are third-party cloud service providers. In both cases, the cloud service is provided by Urmet S.p.A.. This information is provided in accordance with Articles 12, 13, and 14 of the GDPR 679/16 – “European Regulation on the Protection of Personal Data” and as a courtesy to all those who use the apps distributed by clients but managed and maintained by Urmet S.p.A. as the Data Processor.

Identity of the Data Controller

The Data Controller (or the Data Processor) for the following processes is the company Urmet S.p.A. with registered office at Via Bologna 188/C, 10152 Turin, represented by its legal representative pro tempore.
 The Data Controller guarantees the security, confidentiality, and protection of personal data at all stages of the data processing process.

Identity of the Data Protection Officer

The Data Controller has appointed the Data Protection Officer, who can be reached at the office of the Joint Data Controller or contacted by email at dpo@urmet.it.

Source of Data

The personal data processed is that which users knowingly and freely provide at the time of their registration for cloud services (name, user ID and password, email, mobile phone number, physical address, etc.), as well as data generated by the use of the cloud services themselves (geolocation data, conversations, promotions, user/device pairings, video recordings, etc.).

Purpose of Processing

User personal data is processed for:

1)      enable registration and subsequent use of cloud services,

2)      geolocate users to provide the requested service,

3)      deliver services and chats,

4)      manage user/device pairings,

5)      record images and videos,

6)      improve the user experience of the services,

7)      provide technical support,

8)      allow users to benefit from promotions,

9)      generate aggregated statistical data regarding user device preferences,

10)      manage and maintain cloud platforms,

11)      optimize processing and access to data resources.

Legal Basis for Processing

The legal basis is the data subject's consent, expressed by checking the checkbox for the inseparable set of purposes listed in points 1, 3, 4, 5. Consent for geolocation, as mentioned in point 2, is separately expressed using the methods of the device used by the user to access the service. Additional consent is required and expressed by checking the checkbox for the purpose mentioned in point 8.

The legal basis for the processing mentioned in point 9 is the legitimate interest of the Data Controller.

Fulfillment of a contract between the Data Controller and the Data Processor, of which the data subject is a part, for the processing mentioned in points 10 and 11.

Recipients of the Data

The processed personal data is not disclosed, meaning it is not made known to undetermined subjects in any possible form, including making it available or simply consulting it. However, it may be communicated to workers employed by Urmet S.p.A., to external subjects collaborating with it designated as Data Processors or authorized to process the data under the authority of the Data Controller.

They may also be communicated, to the extent strictly necessary, to subjects who, for the purpose of fulfilling your requests, must provide goods or perform services on behalf of Urmet S.p.A.. Finally, they may be communicated to subjects authorized to access them by virtue of legal provisions, regulations, and community standards.

In particular, based on the roles and job duties performed, workers have been authorized to process your personal data within the limits of their skills and in accordance with the instructions given to them by the Data Controller.

External subjects operating under the authority of Urmet S.p.A. have also been duly authorized based on the type of service provided and the nature of the data processed.

Some data related to preferred promotions, and therefore user consumption habits, are automatically generated and anonymously aggregated for commercial partners.

Data Transfer

Urmet S.p.A. does not transfer personal data to third countries or international organizations. It also reserves the right to use cloud services outside the EU; in this case, service providers will be selected from those providing adequate guarantees, as provided for in Article 46 of GDPR 679/16.

Data Retention

Urmet S.p.A. retains and processes personal data for the time necessary to fulfill the indicated purposes. Specifically, data provided at the time of registration is kept for 2 years after the user's deletion. Geolocation data is deleted every time cloud services are closed.

Rights of the Data Subject

With reference to Articles 15 – right of access, 16 - right of rectification, 17 – right to erasure, 18 – right to restriction of processing, 20 – right to data portability, 21 – right to object, 22 – right to object to automated decision-making of GDPR 679/16, the data subject exercises their rights by writing to Urmet S.p.A. at the address above, or by email, specifying the subject of their request, the right they intend to exercise, and attaching a copy of an identity document attesting to the legitimacy of the request.

Urmet S.p.A. specifically notes that every data subject can exercise the right to object in the forms and ways provided for in Article 21 of GDPR.

Further information on the data subject's rights is provided at the bottom of this section.

Withdrawal of Consent

With reference to Article 7 of GDPR 679/16, the data subject can withdraw their consent at any time. Denying consent to geolocation limits the functionalities offered by cloud services. Revoking other consents results in the immediate cessation of the revoked processes.

Refusal to Provide Data

The data subject can refuse to provide their personal data to Urmet S.p.A..

The provision of personal data requested at the time of registration is essential to access and use cloud services. Therefore, any refusal to provide it will not allow the use of cloud services, and the registration process will be interrupted.

Automated Decision-Making Processes

In no case, regarding the processing indicated below, does Urmet S.p.A. carry out processing consisting of automated decision-making processes on the data of individual users.

Privacy policy for app users

This information is provided to all those who use the apps distributed directly or through websites and platforms of third parties, in accordance with Articles 12, 13, and 14 of GDPR 679/16 – "European Regulation on the Protection of Personal Data."

Identity of the Data Controller

The Data Controller for the treatments indicated below is the company Urmet S.p.A. with registered office in Via Bologna 188/C 10152 Turin, represented by its pro tempore Legal Representative.
The Data Controller guarantees the security, confidentiality, and protection of personal data in its possession at any stage of the data processing process.

Identity of the Data Protection Officer

The Data Controller has appointed the Data Protection Officer, who can be reached at the headquarters of the Joint Data Controller or contacted via email at dpo@urmet.it.

Source of the Data

The personal data processed is that consciously and freely provided by users at the time of their registration on the app (name, user ID and password, email, mobile phone number, physical address, etc.), as well as data generated by the use of the app itself (geolocation data, conversations, promotions, user/device pairings, video recordings, etc.).

Purposes of the Processing

The personal data of users are processed for:

1)      enabling the registration and subsequent use of the app,

2)      geolocating users to provide the requested service,

3)      delivering services and chats,

4)      managing user/device pairings,

5)      recording images and videos,

6)      managing and maintaining cloud platforms,

7)      optimizing processing and data access resources,

8)      improving the user experience of the app and services,

9)      enabling technical support,

10)      enabling users to take advantage of promotions,

11)      generating aggregated statistical data regarding user preferences for device usage.

Legal Basis for Processing

The legal basis is the consent of the data subject, expressed by checking the checkbox for the inseparable set of purposes listed at points 1, 3, 4, 5. The consent for geolocation, as mentioned in point 2, is expressed separately using the specific methods of the user's mobile device. Additional consent is required and expressed by checking the checkbox for the purpose mentioned in point 8.

The legal basis for the processing mentioned in point 9 is the legitimate interest of the Data Controller.

Data Recipients

The personal data processed by the Data Controller is not disclosed, i.e., not made known to undetermined individuals in any possible form, including making them available or simple consultation. Instead, they can be communicated to employees working under the authority of the Data Controller, external subjects collaborating with it designated as Data Processors, or authorized to process data as they operate under the authority of the Data Controller.

They may also be communicated, within strictly necessary limits, to subjects who, for the purpose of fulfilling your requests, need to provide goods or perform services on behalf of the Data Controller. Finally, they may be communicated to subjects authorized to access them under provisions of law, regulations, or community legislation.

In particular, based on the roles and tasks performed, employees have been authorized to process your personal data within the limits of their competencies and in accordance with the instructions given to them by the Data Controller.

External subjects operating under the authority of the Data Controller have also been duly authorized based on the type of service provided, the processing performed, and the nature of the data processed.

Some data related to preferred promotions, hence user consumption habits, are automatically generated and presented in an anonymous and aggregated form to commercial partners.

Data Transfer

The Data Controller does not transfer personal data to third countries or international organizations. It also reserves the possibility of using extra-EU cloud services; in that case, service providers will be selected from those providing adequate guarantees, as envisaged by Article 46 of GDPR 679/16.

Data Retention

The Data Controller retains and processes personal data for the time necessary to fulfill the specified purposes. In this case, the data provided at the time of registration is kept for 2 years after the user's deletion. Geolocation data is deleted each time the app is closed.

Rights of the Data Subject

With reference to Articles 15 - right of access, 16 - right of rectification, 17 - right to erasure, 18 - right to restriction of processing, 20 - right to data portability, 21 - right to object, 22 - right to object to automated decision-making of GDPR 679/16, the data subject exercises their rights by writing to the Data Controller at the address above or by email, specifying the subject of their request, the right they intend to exercise, and attaching a copy of an identity document attesting to the legitimacy of the request.

The Data Controller particularly reminds that every data subject can exercise the right to object in the forms and ways provided by Article 21 of GDPR.

Further information on the rights of the data subject is provided at the bottom of this section.

Withdrawal of Consent

With reference to Article 7 of GDPR 679/16, the data subject can withdraw the consent given at any time. Denying consent to geolocation limits the functionalities offered by the app. The withdrawal of other consents determines the immediate cessation of the revoked processing.

Refusal to Provide Data

The data subject can refuse to provide their personal data to the Data Controller.

The provision of personal data requested at the time of registration is essential to access and use the app. Therefore, any refusal to provide data will not allow the use of the app, and the registration process will be interrupted.

Automated Decision-Making Processes

In no case, with respect to the processing indicated below, does the Data Controller carry out processing consisting of automated decision-making processes on the data of individual users.

List of Data Subject's rights

The data subject, according to GDPR 679/16, can exercise specific rights by contacting the Data Controller, including: the right to request access to their personal data; the right to request the correction of their personal data; the right to request the deletion of their personal data; the right to request the limitation of the processing of their personal data; the right to request data portability; the right to lodge a complaint with the competent data protection supervisory authority.

Please note that if the data subject wishes to have more information about the processing of their personal data or exercise the aforementioned rights, they can write to the address dpo@urmet.it.

Right of access: each data subject has the right to obtain confirmation of the existence or not of personal data concerning them and, in such case, to request access to such data. Access information includes, among other things, the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipients to whom the personal data has been or will be communicated.

They also have the right to obtain a copy of the personal data undergoing processing. For any further copies requested, the Controller may charge a reasonable fee based on administrative costs.

Right to rectification: each data subject has the right to obtain the rectification of inaccurate personal data concerning them. Depending on the purposes of the processing, each data subject has the right to complete incomplete personal data, including by providing a supplementary statement.

Right to erasure ("right to be forgotten"): in certain circumstances, each data subject has the right to obtain the erasure of personal data concerning them.

Right to restriction of processing: in certain circumstances, each data subject has the right to obtain the restriction of the processing of personal data. In this case, the respective data will be marked and can only be processed by the Controller for certain purposes.

Right to data portability: in certain circumstances, each data subject has the right to receive the personal data concerning them, in a commonly used and readable format, and also has the right to transmit them to another entity without hindrance.

Whistleblower privacy policy

This information is provided, pursuant to articles 12 and 13 of EU Regulation 2016/679 on the protection of personal data, to individuals (administrators, executives, employees, consultants, workers of suppliers, etc.) who report suspected violations of laws or regulations within the scope of the employment relationship.

Data Controller

The Data Controller is Urmet S.p.A., represented by the temporary legal representative, with registered office at via Bologna 188/C – 10154 Turin (TO).

Data Protection Officer (DPO)

The Data Protection Officer (DPO) can be reached at the office and can be contacted via email at dpo@urmet.it.

Source and Type of Processed Data

Personal data is provided by the reporter during the reporting using the internal reporting channel made available by the Controller.

In particular,

·         the name, surname, and contact details of the reporter (unless the report is anonymous);

·         the name, surname, and other personal data of the individuals mentioned in the report;

·         a description of the alleged misconduct, as well as a description of the circumstances of the event that may reveal information related to special categories of data under Article 9 of the GDPR.

Purpose and Methods of Processing

Acquisition and management of internal reports of violations of national and European legislation on whistleblowing, including investigative and inquiry phases to ascertain any violations. The information provided and the identity of the reporter (if the report is not anonymous) will be treated as confidential in all stages of processing. In particular, the identity of the reporter and all elements of the report from which the identification of the reporter can be derived, directly or indirectly, will not be disclosed to third parties, nor to the persons reported or the responsible Organizational Units. The identity of the reporter may be disclosed only in cases provided by law or within the scope of judicial proceedings.

Legal Basis

To fulfill a legal obligation under Legislative Decree 24/2023 (Article 6 letter c and Article 9 letter g GDPR).

Data Retention Period

Reports and related documentation are kept for the time necessary for their management and, in any case, for no more than five years from the date of filing the report. However, where applicable, such personal data may be kept for a longer period, if necessary for the application of sanctions or disciplinary measures.

Data Provision

Providing data related to the report is optional. In particular, the reporter can submit the report anonymously.

In any case, the failure or partial provision of data concerning the reported event and the people involved will significantly limit the possibility of conducting the necessary investigations.

Data Recipients

The data and personal information provided may be viewed, processed, and used by:

·         internal staff members of the office responsible for managing the reporting channel

·         members of the OdV (Supervisory Body)

·         internal collaborators, consultants, operating under the authority of the Data Controller, expressly authorized;

·         external supplier providing the reporting platform.

Finally, they may be communicated to persons authorized to access them under the law, regulations, European standards.

The detailed list of recipients is made available by the Data Controller.

Transfer Outside the EU

The Data Controller does not transfer personal data to third countries or international organizations.

Rights

The reporter can exercise the rights provided by GDPR 2016/679, including in particular: access to personal data and all other information related to the reported event (Article 15) and rectification of data if they are inaccurate or their integration if they are incomplete (Article 16);

Requests to exercise rights can be sent to the following address: via Bologna 188/C – 10154 Turin (TO) to the attention of the DPO.

In addition, the reporter can lodge a complaint with the Supervisory Authority (Data Protection Authority).

Automated Decision-Making Processes

The Data Controller does not carry out automated processing of personal data consisting of automated decision-making processes.

Whistleblower privacy policy to third parties

This information is provided in accordance with Articles 12 and 14 of EU Regulation 2016/679 on the protection of personal data to facilitators, reported subjects, witnesses, and other individuals involved and mentioned in the report, made identifiable.

Data Controller

The Data Controller is Urmet S.p.A., represented by its legal representative pro tempore, with registered office at via Bologna 188/C – 10154 Turin (TO).

Data Protection Officer (DPO)

The Data Protection Officer (DPO) can be reached at the office and can be contacted by email at dpo@urmet.it.

Source and Type of Data

Personal data is provided by the reporter when submitting the report using the internal channel made available by the Controller.

As part of the acquired report, the Controller may process common data and special categories of data under Article 9 GDPR, identifiable from the content of the report or acquired in subsequent investigative phases.

Purpose, Legal Basis, Data Retention Period

Management of internal reports of violations of national and European laws on whistleblowing, including instructional and investigative phases aimed at verifying any violations.

Legal Basis

To fulfill a legal obligation under Legislative Decree 24/2023 (Article 6 letter c and Article 9 letter g GDPR).

Data Retention Period

Reports and related documentation are kept for the time necessary for their management and, in any case, for no more than five years from the date of filing the report. However, where applicable, such personal data may be kept for a longer period, if necessary for the application of sanctions or disciplinary measures.

Recipients

The provided personal data and information may be viewed, processed, and used by:

·         internal staff responsible for managing the reporting channel

·         members of the Surveillance Body (Organismo di vigilanza)

·         internal collaborators, consultants, operating under the authority of the Data Controller, expressly authorized;

·         external provider supplying the reporting platform.

Finally, they may be communicated to those authorized to access them by virtue of legal provisions, regulations, European standards.

The detailed list of recipients is made available by the Data Controller.

Transfer outside the EU

The Data Controller does not transfer personal data to third countries or international organizations.

Rights

With reference to their personal data processed in the context of the report, individuals involved or mentioned in the report cannot exercise the rights provided by the GDPR, in compliance with Article 2 undecies of the Privacy Code (Legislative Decree 196/2003 and subsequent amendments). This is because exercising such rights could result in an effective and concrete prejudice to the protection of the confidentiality of the identity of the reporting person.

Automated decision-making processes

The Data Controller does not carry out processing of personal data that involves automated decision-making processes.