Privacy Policy

Privacy Policy concerning the processing of personal data.
Articles 13 and 14 of REGULATION (EU) no. 679/2016,
Legislative Decree no. 196/2003 amended by Legislative Decree no. 101/2018.

Dear Data Subject,
the undersigned KIOENE S.p.A., with registered office in Via Caltana, 55 – 35010 Villanova di Camposampiero (PD), Tax Code and VAT number 01359600283, as the “Data Controller” hereby informs you, in accordance with Articles 13 and 14 of Regulation (EU) no. 679/2016 (hereinafter referred to as “EU Regulation”), that your data will be processed as indicated below:

Subject of Processing

The Data Controller hereby informs you that your personal, identifying data (e.g. name, surname, company name, address, telephone number, e-mail address, bank and/or payment references, etc.) hereinafter referred to as “personal data” or simply as “data”, provided by you, also verbally, directly or via third parties, in connection with entering into a contractual relationship, may be processed in full compliance with the EU Regulation. The term “data processing” means any operation or set of operations concerning the collection, recording, organisation, storage, consultation, processing, amendment, selection, retrieval, comparison, use, inter-connection, blocking, communication, dissemination and destruction of data.

Nature of the data processed, Legal basis and Purpose of processing

Nature of the data processed. In connection with the contractual relationship or in connection with all preliminary stages prior to the completion of the contract, only “personal data” will be processed, such as:

Legal basis and purpose. Regulation (EU) no. 679/2016, Legislative Decree no. 196/2003 amended by Legislative Decree no. 101/2018.

The processing of your personal data, requested and/or provided, even verbally, is based on the provisions of Article 6 of Regulation (EU) no. 679/2016, upon your consent or in the legitimate interest of the Data Controller, also in order to defend his/her rights in any eventual disputes, as well as the execution of a contract to which you are a party or for the execution of pre-contractual measures (e.g. preparation of an offer, etc.) requested by you, and is necessary:

A) without your explicit consent (Article 6 of the EU Regulation) – primary purposes:

B) Only with your specific and distinct consent (Article 7 of the EU Regulation) – Secondary purposes – Promotional, advertising and marketing purposes.

The personal data collected for primary purposes may also be processed (along with other additional and optional contact information, such as e-mail addresses, mobile phone numbers, geographical addresses, which may be additionally requested of the data subject on registration forms) using automated/computerised methods, for the following purposes, which are specified below pursuant to the General Provision of the Guarantor of 4 July 2013 on Guidelines against spam: commercial promotion, advertising communication and marketing in the broadest sense.

By consenting to Processing for Marketing Purposes, the data subject specifically acknowledges the promotional, commercial and marketing purposes in the broadest sense of the term (including the consequent management and administrative activities) and explicitly authorises, once consent has been given in accordance with the procedures provided for, such processing, since the Data Controller may use means for Processing for Marketing Purposes, such as a telephone with operator intervention or other non-electronic means, not telematic or not supported by automatic, electronic or telematic systems and/or procedures, including manual contact methods and printed mail. The Data Controller may also use means for Processing for Marketing Purposes such as e-mail, fax, SMS, MMS, WhatsApp messages, social media (Facebook, etc.), automatic systems without operator intervention (e.g., e-mail, telephone, fax, SMS, MMS, etc.) and similar, including electronic platforms and other telematic means.

In order to proceed with Processing for Marketing Purposes, it is mandatory to acquire specific, separate, explicit, documented, prior, informed, free and entirely optional consent.

Consequently, where the data subject decides to give specific consent, he/she must be informed in advance and be aware that the purposes of processing being pursued are of a specific commercial, advertising, promotional and marketing nature in the broadest sense. With a view to absolute transparency, we therefore inform you that the data will be collected and subsequently processed subject to specific consent:

  1. to send advertising and informative material (e.g. newsletters) of a promotional nature;
  2. to send commercial information; to carry out interactive commercial communications by printed, automated or electronic means and, in particular, by ordinary mail or e-mail, telephone (e.g. calls, WhatsApp messages, SMS, MMS), fax and any other computer channel (e.g. websites, mobile apps);
  3. to forward invitations to events, functions and meetings of an informative and promotional nature;
  4. to send updates on promotional initiatives or technical news about equipment, services, training or assistance and/or quality satisfaction surveys;
  5. to send commercial and/or promotional communications from third parties (e.g. associates, business partners, companies and/or physical or legal entities that collaborate with the Undersigned) by printed, automated or electronic means and, in particular, by ordinary mail or e-mail, telephone (e.g. calls, WhatsApp messages, SMS, MMS), fax and any other computer channel (e.g. websites, mobile apps).

By giving optional consent, the data subject specifically acknowledges and authorises such further possible secondary processing.

Processing methods – Existence of an automated decision making process, including profiling

The processing of your personal data is carried out by means of the operations specified in Article 4, section 2) of the EU Regulation and more precisely: the collection, recording, organisation, structuring, storage, adaptation or amendment, retrieval, consultation, use, communication by transmission, dissemination or any other form of making them available, comparison or inter-connection, restriction, deletion, destruction or blocking. Data processing will be based on the principles of fairness, lawfulness and transparency and may be carried out by manual, computerised and telematic means, on printed and/or digital media. Processing will be carried out in such a way as to guarantee the security and confidentiality of the data.

In the event of your explicit consent, your personal data (collected for the purposes specified in the previous points) will be processed for profiling purposes, in particular for creating your profile and/or for analysing your preferences, also by cross-referencing such personal data with other information collected via the profiling cookies you have accepted. Data thus processed may be used to send you specific commercial information and customised promotional initiatives.

The processing of your personal data for profiling purposes will take place using the means and in the manner specified above.

Data retention periods and other information

Processing will be carried out by automated and/or manual methods, in compliance with the provisions of Article 32 of the EU Regulation on security measures, by specifically appointed persons and in compliance with the provisions of Article 29 of the EU Regulation, as well as in accordance with the provisions of Article 130 of Legislative Decree no. 196/2003 amended by Legislative Decree no. 101/2018.

We hereby inform you that, in accordance with the principles of lawfulness, limitation of purposes and minimisation of data, pursuant to Article 5 of the EU Regulation, subject to your free and explicit consent, your personal data will be kept for the period of time required to achieve the purposes for which they were collected and processed or until the specific consent of the data subject is withdrawn and, therefore:

The specifications of the retention periods for each category of data can be consulted at the company at the data subject’s request. The personal data provided are collected and subsequently processed for the needs connected with fulfilling the purposes for which they are provided and for meeting the legal and contractual obligations arising from them. Processing is carried out exclusively by the Data Controller or by the persons in charge of processing pursuant to Articles 28 and 29 of the EU Regulation, who operate using computer and telematic means with logic strictly related to the expressed purposes, and, however, in such a way as to ensure the security and confidentiality of the data. In accordance with the provisions of Article 5 of the EU Regulation, the data for processing are:

Your personal data will be processed “lawfully, fairly and transparently”, protecting your privacy and your rights.

Please note that in the absence of significant contacts for a period of ten years, or in the event of exercising the rights of the data subject provided for by the EU Regulation (e.g. the right to deletion/removal, limitation), personal data will be transferred to a special encrypted digital and/or printed format archive (protected archive). They will therefore be accessible only to the Data Controller or destroyed without leaving any copies, unless otherwise provided for by applicable law. A regular annual check will be carried out on the data processed and on the option of deleting them if they are no longer required for the envisaged purposes.

Access to data (categories of recipients to whom the data may be communicated)

We also inform you that the data collected will never be disseminated and will not be disclosed without your explicit consent, except for necessary communications that may involve the transfer of data to public bodies, consultants or other entities in order to fulfil fiscal and legal obligations or fulfil primary and secondary purposes (where authorised), subject to our letter of instruction imposing on them the obligation of confidentiality and security of personal data processing.

With reference to Article 13, section 1, letter (e) of the EU Regulation on personal data protection, we hereby indicate the data subjects or categories of subjects (duly identified and instructed) who may become aware of the user’s personal data in their capacity as data processors or persons in charge of processing, and we provide a list according to the categories below:

Your personal data may also be communicated to external subjects who are recipients of documents concerning you, in order to carry out the activities described above, and to external subjects who interact with the Undersigned, always and exclusively for activities related to the aforementioned purposes. These categories are:

A. Consultants (e.g. accountants and/or tax consultants and/or labour consultants) for aspects that may concern you and in accordance with the Law;
B. Companies operating in the IT sector (Data Centres, Cloud Providers, companies that provide IT services, including back-up and/or maintenance of equipment and software, including applications, etc.), including those based abroad, but, in any case, those always established and/or using equipment located in the European Union, for the purposes of data security and confidentiality;
C. Professionals and/or Companies operating in the field of occupational safety;
D. Consultants and Law firms for any eventual disputes;
E. Public administration bodies for carrying out institutional duties, within the limits established by the Law and regulations;
F. Social security and welfare institutions, and certifying bodies;
G. Insurance companies, as well as liquidators, consultants and experts appointed by them;
H. Company consultants;
I. Partner companies, and/or providers of services essential to the purposes specified in point 2 above;
L. Public authorities and administration bodies for purposes related to fulfilling legal obligations or to persons entitled to access them in accordance with legal provisions, regulations and EU legislation;
M. Banks, financial institutions or other entities to which the transfer of the aforementioned data is required for carrying out our operations in order to fulfil our contractual obligations towards you.

For the sake of brevity, a detailed list of such parties is available for you to view at our registered office.

Disclosure and transfer of data

Without the need for explicit consent (Article 6, letters b) and c) of the EU Regulation), the Data Controller may disclose your personal data for the purposes mentioned in the previous point 2.A) to supervisory bodies, judicial authorities, as well as to any parties to whom disclosure is required by Law to fulfil the aforementioned purposes. Such parties will process the data in their capacity as independent data controllers. During and after browsing, your data may be disclosed to third parties, in particular to:

Your data will not be disseminated.

Personal data are stored on devices located at the Data Controller’s registered office or at providers within the European Union. Data provided by you may be transferred to countries outside the EU, as we use external Data Processors who, in carrying out their services (such as the provision of e-mail boxes, other types of cloud services, or other kinds of services), may undertake such a transfer, also via their sub-processors.

Data may also be transferred to parties who provide the following services on behalf of the Undersigned or independently:

In order to ensure the security of such transfers, we only use parties that offer the necessary guarantees to put in place appropriate technical and organisational measures so that the processing carried out complies with the provisions of Regulation (EU) no. 679/2016 (e.g., by assessing the presence of adequacy decisions or regulating the contractual relationship by using standard contractual clauses).

In any case, it remains clearly understood that, if necessary, the Data Controller reserves the right to transfer data, also to countries outside the EU. In this case, the Data Controller hereby guarantees that the transfer of data outside the EU will take place in compliance with the applicable provisions of Law, subject to the stipulation of standard contractual clauses (standard contractual clauses are available at the following link: and to standard verifications foreseen by the European Commission (more specifically, the conditions set out in CHAPTER V of the EU Regulation will be respected).

Transfer to countries outside the EU will, in any case, be carried out in such a way as to provide appropriate and adequate guarantees pursuant to Articles 46 or 47 or 49 of Regulation (EU) no. 679/2016.

For data kept on the Data Controller’s own devices, and any data kept by providers, the Data Controller has put adequate technical and organisational measures in place to guarantee an appropriate level of security, in full compliance with the provisions of the EU Regulation.

Browsing: your browsing data may also be transferred, solely for the above-mentioned purposes, to the following countries:

Cookie Management: if you have any doubts or concerns about using cookies, you can always take action to prevent them from being set up and read, for example, by changing your privacy settings in your browser to block certain types of cookies.

If you prefer to act independently through your web browser’s preferences, you can find detailed information on the required procedure in your browser guide, as web browsers differ significantly from one another, and differences are often found even among different versions of the same browser.

Nature of data provision and the consequences of a refusal to reply

The provision of data for the purposes referred to in the preceding “Point 2.A) – Primary purposes” of this privacy policy is required for establishing the contractual relationship and for the proper execution of the contract. We hereby inform you that if you refuse to provide such data or if you fail to authorise their processing for such purposes, it will be impossible for our Company to fulfil its legal and contractual obligations towards you.
In such a case, failure to provide data will make it impossible to establish or continue the contractual relationship, to the extent that such data are necessary for us to properly perform the tasks related to the management of the contract.

The provision of data for the purposes mentioned in the previous “Point 2.B) – Secondary purposes” is, instead, optional. You may therefore decide not to provide any data or, subsequently, refuse, at any time, to allow the processing of data already provided.

Providing the Data Controller with personal data and granting consent to Processing for Marketing Purposes and consent to disclosure to third parties for Processing for Marketing Purposes for the purposes and in the manner set out above are entirely voluntary and optional (and, in any case, revocable without formality even after the service has been provided by sending an e-mail to the Undersigned (see point 10)). Failure to provide such data will not result in any consequences other than not allowing the Data Controller or any third party to proceed with the aforementioned marketing processing or informing you directly about new products and technical services.

If you refuse to give your consent for marketing purposes, there will be no interference and/or consequence to your being able to access the Promotional Initiatives organised from time to time, but they will not be communicated directly.

Some information fields on the website may be marked with an (*) asterisk. Filling in these fields is mandatory when entering your personal data. If you fail to provide this information, you will not be able to use the service for which the information is requested.

Following receipt of a request to withdraw the consent given (opt-out), the Data Controller will promptly remove and delete the data from the databases used for Processing for Marketing Purposes and inform any third parties, to whom the data have been communicated, of the same purposes of deletion. The receipt of the request for cancellation will automatically be considered as confirmation that the data have been cancelled.

Rights of the data subject

In your capacity as a data subject, you have rights pursuant to Articles 15-22 of the EU Regulation, as listed below and more specifically the data subject has the right to:

Procedure for exercising rights

You may exercise your rights at any time by sending, without any formality, clear communication to that effect:


Anything provided by the Data Controller that forms the basis of our contractual relationship with you does not include the intentional collection of personal information referring to minors. In the event that information about minors is inadvertently recorded, the Data Controller will delete it in a timely manner at the request of the data subject.

Personal data not obtained from the data subject

It may occur that the Undersigned is not the Data Controller to whom you have given your personal data but is the co-controller of the data or in charge of externally processing data, and has therefore subsequently received your data due to a contract between the parties. In this case, please note that the Undersigned will make every effort to ensure that you are informed and have given consent to processing. At any time, you may ask the Undersigned to provide the source of your data.

Data Controller and Data Processors

Below we provide information that needs to be brought to your attention, not only to comply with legal obligations, but also because transparency and fairness towards our customers is an essential part of our business.

Data Controller. The Data Controller for your personal data is KIOENE S.p.A., which is responsible for the lawful and correct use of your personal data. You may contact KIOENE for any information or request by telephone on +39 049 922 2311, or by e-mail to:

D.P.O. (Data Protection Officer) You may also contact the Data Protection Officer to obtain information and forward requests concerning your data or report any inefficiencies or problems that you may encounter.

The Data Controller has appointed Mr Nicola Ghinello as the Data Protection Officer, who can be contacted as follows: Tel. +39 348 3165267, e-mail:

Data Processors. An updated list of data processors is kept at the registered office of the Data Controller.

Data controller

To contact us
KIOENE S.p.A. welcomes any comments regarding this privacy notice.
We suggest you contact us at the following address: