Privacy Policy

COMI SPA

as Data Controller, in the person of the Legal Representative in charge, pursuant to
of Articles 13 and 14 of EU Regulation 2016/679 (GDPR), informs that the personal data provided are processed lawfully,
correct and transparent.

INFORMATION ON THE PROCESSING OF PERSONAL DATA

Purpose and legal basis of the processing

The data provided is processed for: the execution of a contract / order for the supply or purchase of goods or services with the Owner,
the fulfillment of the consequent tax and legal obligations, the management of requests for information / quotes, research and / or
staff selection, the sending (always revocable) of commercial communications via e-mail, related products and / or
services similar to those already acquired / provided by the Data Controller, as well as the exercise of the Data Protection rights of the Data Controller.
Therefore, the legal basis of the processing are the contract / order and / or pre-contractual measures (Art.6.1.b GDPR).

Object of the treatment

Personal and identification personal data are processed (eg name / surname, telephone, address, email) relating to customers and / or
suppliers, collected during the presale / offer phase to the formalization of a contract / order for the purchase or supply of
products or services.
For purposes of research and selection of personnel, in addition to the above data, the processing of categories may take place
details of personal data, for example to reveal the state of health. For this type of personal data thevio itself of a
CV for self-candidacy or in response to an offer, will constitute an explicit and free expression of consent to the processing.

Processing methods

Personal data will be collected and processed in paper and electronic format and processed by authorized agents, also through
automated methods for storing, managing and transmitting them and in any case always using suitable tools, as far as possible
possible in the state of the art, to guarantee its security and confidentiality, also through procedures aimed at avoiding the risk of
loss, unauthorized access, illegal use and disclosure.

Data provision

The provision of personal data to achieve the aforementioned purpose, when required, is to be considered mandatory;
their absence will not allow us to perfect the restoration of the relationship, the avoidance of
any requests for information and, in relation to our suppliers, to receive goods and services from them.

Communication and data transfer


In pursuing the aforementioned purposes, the data may be communicated to various subjects, including but not limited to:

  • subjects and entities to whom access to such data is recognized by virtue of regulatory provisions;
  • physical, legal, public or private subjects, to whom communication is necessary or functional to our business, including ad
    example: other group companies or associated companies, banks, lawyers, insurance companies or service platforms.

  • In no case will the personal data provided be disseminated without authorization and the
    their transfer to a third country or to an international organization outside the EEA.

    Data retention

    Personal data collected for contractual purposes will be processed until the end of the relationship and stored no later than 10 years in
    form limited to what is necessary to fulfill the obligations of current tax laws.
    The data collected in the context of pre-contractual measures, requests for information and staff selection, will be processed until
    end of the activity and subsequently stored no later than 12 months for our internal organizational purposes.

    Rights of interested parties

    The Data Controller guarantees the rights provided for in Articles 15 to 22 of the GDPR, including: that of requesting and obtaining access to data, the
    rectification, cancellation or limitation of treatment of the same, as well as the right to object, in whole or in part, for reasons
    legitimate, to the processing of their personal data, to request portability, to revoke the consent (s) provided and to propose
    complaint to a supervisory authority. These rights can be exercised by writing to the Data Controller by post, including electronic mail,
    the references at the bottom of this document.