Política de privacidad
Documento informativo de acuerdo con el art. 13 del Reglamento (UE) 2016/679 (GDPR)
Last updated: July 21, 2025
PRIVACY POLICY – WEBSITE
Information document pursuant to Article 13 of Regulation (EU) 2016/679 (GDPR)
WHY THIS INFORMATION?
Pursuant to Regulation (EU) 2016/679 (hereinafter "GDPR"), this page describes the methods of processing personal data. This is information provided pursuant to art. 13 GDPR. This information is not valid for other third-party websites, which may be accessed via links on this website, for which we assume no responsibility.
Personal data that may be processed
- Personal data: any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (C26, C27, C30 GDPR).
- Contractor/user data.
- Browsing data: the IT systems and software procedures used to operate this website acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This category of data includes IP addresses or domain names of computers and terminals used by users, URI/URL (Uniform Resource Identifier/Locator) addresses of requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user's operating system and IT environment.
- Voluntarily provided data: the optional, explicit and voluntary sending of messages to the contact addresses indicated on this website and/or completion of data collection forms involves the subsequent acquisition of the sender's address, necessary to respond to requests, as well as any other personal data entered.
Information about personal data processing through Social Media platforms
Regarding the processing of personal data carried out by the managers of the Social Media platforms used by the Data Controller, please refer to the information provided by them through their respective privacy policies. The Data Controller processes personal data provided by users through the dedicated Social Media platform pages, to manage interactions with users (comments, public posts, etc.) and in compliance with current legislation.
Specific information notices
Specific information notices may be present on the Website pages in relation to particular services or data processing provided.
COOKIES AND OTHER TRACKING SYSTEMS. WHAT ARE THEY? WHAT ARE THEY FOR?
For Cookies and other tracking systems, please see the cookies policy.
1. WHO IS THE DATA CONTROLLER? HOW TO CONTACT THEM?
The Data Controller is IROMA S.R.L., with registered office in Rome, Via Pietro Rosa, 48/B, (00122 - RM), in the person of its pro-tempore Legal Representative, who can be contacted for any information by phone: +39 06 83361840, email: info@iroma.net.
HAS A DATA PROTECTION OFFICER BEEN APPOINTED? WHAT ARE THEIR CONTACT DETAILS?
IROMA S.R.L. has appointed its Data Protection Officer (DPO) pursuant to arts. 37, 38 and 39 of the GDPR. The DPO can be reached at the Data Controller's address indicated above and by email at: dpo.iroma@dpoprofessionalservice.it
2. PURPOSE OF PROCESSING, LEGAL BASIS, DATA RETENTION PERIOD, NATURE OF DATA PROVISION
| PURPOSE OF PROCESSING | LEGAL BASIS | DATA RETENTION PERIOD | NATURE OF DATA PROVISION |
|---|---|---|---|
| Browsing on this website. Data necessary for the use of web services is also processed for the purpose of: obtaining statistical information on the use of services (most visited pages, number of visitors by time slot or day, geographical areas of origin, etc.); checking the correct functioning of the services offered. The data will be used to ascertain responsibility in case of hypothetical computer crimes against the site. | Processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. | 12 months. | Provision is necessary. Failure to provide the necessary data will make it impossible to browse the website. |
| Use of cookies and comparable technologies. See the cookies policy. | For non-technical necessary cookies and comparable technologies, processing is based on consent to the processing of personal data (art. 6 par. 1 letter a and C42, C43 of the GDPR). Consent is given through the banner and cookie policy of the site. | See the cookies policy. | See the cookies policy. |
In addition to browsing, personal data will be processed for:
| PURPOSE | LEGAL BASIS | RETENTION PERIOD | NATURE OF PROVISION |
|---|---|---|---|
| A) CONTACTS, sending contact requests, information. | Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (C44). Art. 6 par. 1 letter b) of the GDPR. | Maximum 12 months. | Provision is necessary. Failure to provide the necessary data will make it impossible to be contacted and receive information. |
| B) DIRECT MARKETING, for sending newsletters, via automated means (email, WA, SMS) and traditional means (phone and postal mail). Communications may contain promotional activities. There will be no transfer of personal data. The Data Controller, to compare and possibly improve the results of automated communications, uses systems with reports. | Processing is based on consent (art. 6 par. 1 letter a of the GDPR). | Until withdrawal of consent or 24 months from last contact. | Provision is optional. Failure to provide consent will not result in negative consequences, but it will not be possible to receive marketing communications. |
| C) DEMO REGISTRATION & CREDENTIAL PROVISION (Educational Institutions) | Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (C44). Art. 6 par. 1 letter b) of the GDPR. | Until termination of the contract and for the technical time necessary to disable credentials. | Provision is necessary. Failure to provide the necessary data will make it impossible to access the reserved area. |
| D) HANDLING YOUR REQUESTS and requests from other data subjects, pursuant to arts. 15 et seq. of the GDPR (data subject rights). | Processing is necessary for compliance with a legal obligation to which the controller is subject (C45). Art. 6 par. 1 letter c) of the GDPR. | 5 years from closure of the request, except in case of litigation. | Provision of personal data is mandatory, as it is indispensable for fulfilling legal obligations. |
3. TO WHOM WILL PERSONAL DATA BE DISCLOSED? DATA RECIPIENTS
Personal data will be disclosed to subjects who will process the data as independent Data Controllers, or Data Processors (art. 28 GDPR) and processed by natural persons (art. 29 GDPR) acting under the authority of the Data Controller and Data Processors on the basis of specific instructions provided regarding the purposes and methods of processing. Data will be disclosed to recipients belonging to the following categories:
- Subjects based in Italy, providing services for the website and communication networks, including email, hosting and website management;
- Subjects based in Italy, with whom the Data Controller has entered into agreements and with prior consent, where required;
- For direct marketing, with prior consent to subjects for the management of direct marketing activities;
- Competent authorities for compliance with legal obligations and/or provisions of public bodies, upon request.
The list of Data Processors pursuant to art. 28 is available by writing to info@iroma.net or to the other contact details indicated above.
4. WILL DATA BE TRANSFERRED TO NON-EEA COUNTRIES?
Personal data will be transferred pursuant to articles 44 et seq. of the GDPR, in particular:
- art. 45 GDPR to third countries or international organizations for which the Commission has issued an adequacy decision: Switzerland;
For information on guarantees regarding the transfer of data outside the EEA, data subjects may write to info@iroma.net
5. IS THERE AN AUTOMATED PROCESS?
Personal data will be subject to traditional manual, electronic and automated processing. It should be noted that no fully automated decision-making processes are carried out.
6. WHAT ARE YOUR RIGHTS? HOW CAN YOU EXERCISE THEM?
Data subjects may exercise their rights as expressed in arts. 15 et seq. of the GDPR, by contacting the DPO at the email address: dpo.iroma@dpoprofessionalservice.it or by contacting the Data Controller at the email address: info@iroma.net, or by writing to the contact details indicated above.
The data controller guarantees data subjects the possibility of requesting, at any time, access to their personal data (art. 15), rectification (art. 16), erasure (art. 17), restriction of processing (art. 18). The data controller communicates (art. 19), to each recipient to whom personal data has been transmitted, any rectifications or erasures or restrictions of processing carried out. The data controller communicates these recipients to data subjects who request them.
The data controller guarantees the right to data portability (art. 20) and, in case of requests pursuant to art. 20, will provide data subjects with data in a structured, commonly used and machine-readable format.
Data subjects are entitled to object (art. 21), at any time, to the processing of data based on legitimate interest, by writing to the contact details above with subject "objection". In case of exercise of the right to object to processing based on legitimate interest, the data controller recognizes data subjects the possibility of obtaining, upon request, information on the balancing test carried out.
Data subjects are entitled to withdraw consent given, without affecting the lawfulness of processing based on consent given before withdrawal.
To no longer receive automated direct marketing communications (email, SMS, WA, instant messaging) data subjects are invited to send an email to info@iroma.net with subject "unsubscribe from automated" or to use our automatic unsubscription systems provided for emails only (opt-out).
To no longer receive traditional direct marketing communications (phone calls with operator and postal mail) data subjects are invited to send an email to info@iroma.net.
To no longer receive any marketing communications, data subjects are invited to send an email to info@iroma.net with subject "unsubscribe marketing".
In the event that data subjects believe that the processing of personal data carried out by the Data Controller is in violation of Regulation (EU) 2016/679, they are free to lodge a complaint with the national supervisory authority, in particular in the Member State where they habitually reside or work, or in the place where the alleged violation of the Regulation occurred (Italian Data Protection Authority https://www.garanteprivacy.it/), or to seek appropriate judicial remedies.
7. CHANGES TO THE PRIVACY NOTICE
The data controller may change, modify, add or remove any part of this Privacy Notice. To facilitate verification of any changes, the notice will contain the date of update.