PRIVACY POLICY – WEBSITE

Information notice pursuant to Article 13 of Regulation (EU) 2016/679 (GDPR)

WHY THIS INFORMATION?

Pursuant to Regulation (EU) 2016/679 (“GDPR”), this page describes how personal data are processed. This notice is provided pursuant to Article 13 GDPR. The notice does not apply to any third‑party websites that may be reached via links on this website, for which no responsibility is assumed.

 

Processable personal data:
  • Personal data: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to that natural person’s physical, physiological, genetic, mental, economic, cultural or social identity (Recitals 26, 27 and 30 GDPR).
  • Data of contracting parties/users.
  • Browsing data: the computer systems and software procedures used to operate this website acquire, during their normal operation, certain personal data whose transmission is implicit in the use of Internet communication protocols. This category of data includes the IP addresses or domain names of the computers and terminals used by users, the URI/URL (Uniform Resource Identifier/Locator) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user’s operating system and IT environment.
  • Data provided voluntarily: the optional, explicit and voluntary sending of messages to the contact addresses indicated on this website and/or the completion of data collection forms entails the subsequent acquisition of the sender’s address, which is necessary to reply to requests, as well as any other personal data included.

Specific Information

Specific information may be present on the pages of the Site in relation to particular services or processing of the data provided.

 

COOKIES AND OTHER TRACKING SYSTEMS. WHAT ARE THEY? WHAT ARE THEY FOR?

Please refer to the cookie policy published in the website footer and at the following link
  1. WHO IS THE DATA CONTROLLER? HOW CAN YOU CONTACT THEM?

The Data Controller is Crea S.p.A., with registered office at Via Bergamo n. 80, 20882 – Bellusco (MB), in the person of its pro tempore legal representative. You can contact the Controller for any information by e‑mail: privacy@creaspa.it.
  1. PURPOSE OF PROCESSING, LEGAL BASIS, DATA RETENTION PERIOD, NATURE OF PROVISION

 PURPOSE OF PROCESSING  LEGAL BASIS    DATA RETENTION PERIOD    NATURE OF PROVISION  
Browsing this website. The data necessary for the use of web services is also processed in order to: • obtain statistical information on the use of the services (most visited pages, number of visitors by time slot or daily, geographical areas of origin, etc.). • check the proper functioning of the services offered. The processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, provided that the interests or fundamental rights and freedoms of the data subject which require the protection of personal data do not override them, taking into account the reasonable expectations of the data subject and the activities strictly necessary for the operation of the website and browsing itself (Art. 6(1)(f) and Recital 47 GDPR). Retention of browsing data will last for the duration of the browsing session.               Provision of data is necessary for browsing the website.          
  Use of cookies and similar technologies. Please refer to the cookie policy in the website footer.     For non‑essential, non‑technical cookies and similar technologies, processing is based on consent to the processing of personal data (Art. 6(1)(a) and Recitals 42 and 43 GDPR). Consent is given through the website’s banner and cookie policy.     Please refer to the cookie policy in the website footer.     Please refer to the cookie policy in the website footer.

 

In addition to browsing, personal data will be processed for:
 PURPOSE OF PROCESSING    LEGAL BASIS  DATA RETENTION PERIOD  NATURE OF PROVISION
A) CONTACTS, sending contact requests, information.     The processing is necessary for the performance of a contract to which the data subject is party or in order to take pre‑contractual measures at the data subject’s request (Recital 44). Art. 6(1)(b) GDPR. Maximum 12 months.   Provision is necessary. Failure to provide the necessary data will make it impossible to be contacted and to receive information.
B) Direct marketing, automated mean “soft-spam” via e-Mail: the data controller will use, for the purpose of direct sale of its own products or services, the email address provided by the data subject in the context of the sale of a product or service, without requiring any prior consent from the data subject, for promotional and commercial communications and newsletters relating to services similar to those already sold, and the data subject, where adequately informed, does not refuse, initially or on subsequent occasions. The data subject, at the time of collection and upon each communication he might receive, is informed of his right to object at any time to the processing. The processing is necessary due to Data controller’s legitimate interest, provided that interests or fundamental rights and freedoms of data subjects are not prevailing (C47-C50) Art. 6 PAR. 1 lett. f) GDPR Art. 130.4 D.Lgs. 196/2003. Until objection (opt-out) Optional: in case of denial the data controller won’t be able to send you promotional communication (soft-spam).
C) DIRECT MARKETING, for sending advertising, commercial and promotional communication material, newsletters, via automated means (email, SMS) and traditional means (telephone and paper mail).   The communications may contain promotional activities and/or logos of third-party partners and companies belonging to the group. There will be no transfer of personal data. For the complete list of group companies and partners, interested parties can write to privacy@creaspa.it. The processing is based on consent to the processing of personal data (C42, C43). art. 6 par. 1 lett. a) of the GDPR. Until consent is revoked (or opt-out). Providing the data is optional. Failure to provide the necessary data will make it impossible to receive direct marketing communications.
D) HANDLING YOUR REQUESTS and requests from other data subjects pursuant to Articles 15 et seq. GDPR (data subject rights). The processing is necessary for compliance with a legal obligation to which the Controller is subject (Recital 45). Art. 6(1)(c) GDPR.   5 years from closure of the request, unless disputes arise. Provision of personal data is mandatory, as it is indispensable to fulfil legal obligations.  

  1. WHO WILL RECEIVE THE PERSONAL DATA? DATA RECIPIENTS

Personal data will be disclosed to entities that will process the data as independent Controllers, or as Processors (Art. 28 GDPR), and will be processed by natural persons (Art. 29 GDPR) acting under the authority of the Controller and the Processors on the basis of specific instructions regarding the purposes and methods of the processing. Data will be disclosed to recipients belonging to the following categories:
  • Entities based in Italy that provide services for the website and communication networks, including e‑mail, hosting and website management;
  • For direct marketing, subject to consent of subjects for the management of direct marketing activities;
  • Competent authorities for compliance with legal obligations and/or orders of public bodies, upon request.

The list of Art. 28 Processors is available by writing to privacy@creaspa.it.
  1. WILL DATA BE TRANSFERRED TO NONEEA COUNTRIES?

Personal data will not be transferred to third countries outside the EEA.

If there is a need to use software, platforms or management systems that process data outside the EEA, the Data Controller undertakes to verify that the country of destination has been, pursuant to art. 45 GDPR, deemed adequate or that the recipient company has signed the standard contractual clauses (SCC) as per art. 46, par. 2, letter. c and letter d GDPR or that it is part of the Privacy Framework. For information on the guarantees relating to the transfer of data outside the EEA, data subjects can write to privacy@creaspa.it.
  1. IS THERE AN AUTOMATED PROCESS?

Personal data will be processed by traditional manual, electronic and automated means. No fully automated decision‑making processes are carried out.
  1. WHAT ARE YOUR RIGHTS? HOW CAN YOU EXERCISE THEM?

Data subjects may exercise their rights as set out in Articles 15 et seq. GDPR by contacting the Controller at privacy@creaspa.it.

The Controller guarantees data subjects the possibility to request, at any time, access to their personal data (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18). The Controller (Art. 19) shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data has been disclosed. The Controller shall inform data subjects who request it of such recipients.

The Controller guarantees the right to data portability (Art. 20) and, in the case of requests under Art. 20, will provide data in a structured, commonly used and machine‑readable format.

Data subjects have the right to object (Art. 21), at any time, to processing based on legitimate interest, by writing to the above contacts with the subject line “objection”. Data subjects have the right to revoke the consent given, without prejudice to the lawfulness of the processing based on the consent given before the revocation.

To no longer receive automated direct marketing communications (e-mail, SMS-type messages, instant messaging), data subjects are invited to write an e-mail to privacy@creaspa.it with the subject “automated cancellation” or to use our automatic cancellation systems provided for e-mails only (opt-out).

To no longer receive traditional direct marketing communications (telephone calls with operator and paper mail), data subjects are invited to write an e-mail to privacy@creaspa.it with the subject “cancellation from traditional”.

To no longer receive any marketing communications, data subjects are invited to write an email to privacy@creaspa.it.  with the subject “marketing cancellation”.

If data subjects believe that the processing of personal data carried out by the Controller infringes the provisions of Regulation (EU) 2016/679, they are free to lodge a complaint with the national supervisory authority, in particular in the Member State of their habitual residence or place of work, or where the alleged violation of the Regulation occurred (Garante per la Protezione dei Dati Personali https://www.garanteprivacy.it/), or to seek the appropriate judicial remedies.
  1. CHANGES TO THIS PRIVACY NOTICE

The Controller may change, modify, add to or remove any part of this Privacy Notice. To facilitate verification of any changes, the notice will contain an indication of the date of its update.

 

Date of update: 28/11/2025