Privacy policy

Information regarding the protection of personal data

(Legislative Decree 196/2003, as amended by Legislative Decree no. 101/2018 ̶ EU General Data Protection Regulation [GDPR] no. 679/20161)

EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (thereafter referred to as the “Regulation”) and Legislative Decree 196/2003, as amended by Legislative Decree no. 101/2018 (thereafter referred to as the “Code”), foresee that Nomisma Società degli Studi Economici S.p.A., based in Bologna, at Strada Maggiore 44, fiscal Code and VAT number 02243430374, PEC address nomisma-pec@legalmail.it, as Data Controller of personal information, has the obligation to provide interested parties with this information concerning the processing of personal data that are provided on a voluntary basis.

In the event that data are acquired from third parties, the interested parties ensure that they have obtained the prior consent of the third party for the communication and utilisation of the aforementioned data, and that the third party has been informed of the purposes for the processing of the data.

The information and/or personal data that were voluntarily communicated or acquired from third parties are stored in the databases of the Data Controller.

The interested party declares to be more than 18 years old. Otherwise, in case the data provided belong to a minor under eighteen years of age, the parent or guardian of the minor authorises the processing of such data.

The interested party guarantees the accuracy and truthfulness of the data provided, undertaking to update them regularly and to notify the Data Controller of any variation of the data.

Essential information concerning Data protection.

1. Data Controller and Responsibility for controlling and processing of data

The Data Controller is NOMISMA Società di Studi Economici S.p.A., with headquarters at Strada Maggiore 44, 40125 – Bologna, Fiscal Code and VAT number 02243430374.

2. Purposes of processing and recipients of the data

The Data Controller shall process the data provided by the interested party, directly or through an intermediary, possibly integrated with data collected from third parties, for the following purposes:

  1. purposes connected and instrumental to contract requirements and to the consequent obligations deriving from them, as well as for compliance with obligations foreseen by law, regulations and/or Community legislation;
  2. application of social security and welfare legislation
  3. marketing and commercial activities;
  4. management, recruitment and selection of personnel and collection of curricula vitae;
  5. market analyses and surveys; legal and economic treatment of personnel;
  6. association and promotional activities;
  7. survey and quality evaluation of local public services.

All of the collected data, as well as the processing and purposes specified above, are necessary or related to Company activities.

The Company will adopt appropriate measures to ensure that the information collected is kept securely and utilised only for the purposes indicated in this information.

For the abovementioned purposes, the data may be made accessible, communicated or shared with employees and collaborators of the Data Controller or other subjects (indicatively, banking institutions, consultants, insurance companies for the provision of insurance services, etc.) which engage in activities that are strictly connected to those of the Data Controller.

The data will neither be disseminated nor transferred to countries and/or organisations outside the EU and there are no automated processes such as profiling.

3. Data processing methods

The processing of data for the purposes spelled out above is carried out through electronic or automated means as well as paper-based methods, and takes place according to organisational, technical and administrative measures aimed at ensuring the integrity, security and confidentiality of data in full compliance with the provisions of the law.

The processing of personal data is carried out through operations indicated in Article 4 n. 2 of the Regulation and consists of the following activities: collection, recording, organisation, structuring, storage, adaptation, modification, retrieval, consultation, use, communication by way of transmission, dissemination or any other form of provision, comparison or interconnection, limitation, deletion or destruction.

In full compliance with the rules of the Code and the Regulation, the processing carried out will be based on principles of correctness, lawfulness and transparency.

4. Data retention period

Pursuant to Article 14 n. 2 a) and Article 15 d) of the Regulation, the Data Controller will process the personal data for the time strictly necessary for the fulfillment of the aforementioned purposes, and in compliance with the current rules regarding the conservation of accounting-administrative documents. Once this time has elapsed, the data will be deleted or rendered unusable.

5. Lawfulness of data processing

In accordance with Art. 6 of the Regulation, the Company informs those concerned that the processing of their personal data for the pursuit of the above-mentioned purposes meets the following conditions of lawfulness:

  1. expressed consent of the interested party to the processing of his or her personal data for one or more specific purposes;
  2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  3. processing is necessary for compliance with a legal obligation to which the Data Controller is subject.
6. Rights of the interested party

The interested party has the rights referred to in Articles 15-21 of the Regulation, and namely the rights to:

  • Obtain from the Data Controller the confirmation of the existence or not of personal data that concern him/her, even if not yet recorded, and their communication in an intelligible form;
  • Obtain indications on: a) the purposes and methods of processing; b) the details that identify the Data Controller, those responsible for data processing and the designated representative pursuant to Article 3, paragraph 1 of the Regulation; c) the subjects or categories of subjects to whom the personal data may be communicated or who may become aware of the data in their capacity as designated representative in the territory of the State, as managers or agents;
  • Request the correction of inaccurate personal data without unjustified delay, as well as the integration of incomplete data.
  • Obtain the deletion of personal data (so-called “right to be forgotten”), without unjustified delay, if one of the following hypotheses occurs: a) the personal data are no longer necessary with respect to the purposes for which they were collected or otherwise processed; b) the interested party revokes the consent to the processing of data and there is no other legal basis for the processing; c) the interested party opposes the processing of data pursuant to Article 21, paragraph 1 of the Regulation; d) the personal data have been processed unlawfully; e) the personal data must be deleted in order to fulfill a legal obligation under Union or Member State law to which the Data Controller is subject.
  • Request limitation to the processing of data in the following cases: a) inaccuracy of personal data; b) unlawfulness of processing; c) ascertainment, exercise or defence of a right in court, although the Data Controller no longer needs it for processing; d) pending the verification of the possible prevailing of legitimate reasons of the Data Controller with respect to those of the interested party in case of opposition to the processing of data pursuant to Article 21, paragraph 1.
  • Obtain the right to portability of data, namely: a) the right to receive a subset of personal data without it necessarily leading to the transmission of these data to another controller; b) the right to transmit personal data to another Data Controller at the request of the interested party and if technically possible.
  • Oppose the processing of personal data entirely or partially for legitimate reasons, even if pertinent to the purpose of the collection.

The aforementioned rights of access, rectification, deletion, limitation, opposition, and portability of data may be exercised directly by the interested party or by his/her legal or voluntary representative, by means of a request addressed to the Data Controller.

The interested party also enjoys the right to complain to the Guarantor Authority, pursuant to Art. 141 of the Code and Art. 77 of the Regulation.

To exercise these rights, it is possible to contact the Company by sending a request to the following e-mail address: privacy@nomisma.it