Privacy Policy as per art. 13 of the Regulation (EU) 2016/679

by PGA

PGA S.p.A., a company providing services related to Intellectual Property, has for years paid significant regard to the protection of its Users’ data, ensuring that the treatment of personal data, carried out by any means, either automated or manual, takes place in a form and in a manner suitable to guarantee the rights of the subjects involved.

With the coming into force of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the “Regulation”) and of further applicable rules regarding personal data protection, PGA has deemed it appropriate to reaffirm its commitment to privacy protection, transposing the guiding principles of the aforementioned regulation, and drafting, among other things, a simple and intuitive, but at the same time properly detailed and exhaustive, privacy policy.

With “personal data” we refer to the definition as per article 4, n. 1 of the Regulation i.e. “any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (hereinafter “Personal Data”).

Before processing the Personal Data – as per article 4, n. 2 of the Regulation, “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” (hereinafter “Processing”) – the Regulation requires that the subject shall be informed of the existence of the processing operation and its purposes.

The current policy, prepared according to the principle of transparent processing and all the other elements required by article 13 of the Regulation, is divided into sections (hereinafter “Sections” and individually “Section”) covering different specific topics, to allow a faster and more fluent reading (hereinafter the “Policy”).

A – Data controller

The legal person that will process the Personal Data for the purposes outlined in Section B of the current Policy, and that will be considered Data controller as per the definition in article 4, n. 7 of the Regulation, will be:

  • PGA S.p.A. (VAT n. IT 06661320967), with headquarters in 20145 – Milan, Italy, Via Mascheroni, no. 31, Commercial Register no. MI-1906196 (hereinafter the “Controller”).

Data will also be processed in the following operating offices:

  • Varese office, located in Via Bernardino Luini, n. 8, 21100 – Varese;
  • Brescia office, located in Piazza Vittoria, n. 7, 25121 – Brescia;
  • Lugano branch, located in Via Castagnola, n. 21c, 6900 – Lugano, Switzerland.

B – The purposes of the Processing

  1. Purpose of the law and contractual obligations – Data Processing compliant with a contractual or legal obligation which the Controller is subject to, or to execute a specific request of User: Personal Data shall be processed, without having to request the consent of User, when obliged by national or community institutions’ laws. Furthermore, Personal Data shall be processed following specific requests by administrative or judicial authorities and, more broadly, by public subjects according to current laws. Personal Data shall moreover be processed for the purposes connected or related to the provision of services by the company. Such data – to be provided for the operational, economic and administrative execution of the service – will also be processed with electronic means, recorded in specific databases, and used strictly and exclusively for the current contractual relationship. Providing Data is fundamental to supply all the services envisaged in the contract; failure to provide Data will prevent the company from performing the services.
  2. Administrative-accounting purposes: Processing for administrative-accounting purposes is the one related to the execution of organizational, administrative, financial and accounting activities, irrespective of the types of data processed. In particular, internal organizational activities, activities that are functional for the fulfillment of contractual and pre-contractual obligations, for accounting purposes and for compliance with tax rules.
  3. Commercial and marketing purposes: Personal Data shall be processed to send communications with advertising, informative, promotional content. User can always request not to receive such communications at the time of or after the signing of the contract.
  4. Legal defense of a right in court: Personal Data shall be processed every time they will be useful to ascertain, exercise or defend a right of the Controller.
  5. Legitimate interest of the Controller: Controller shall process Personal Data, without consent of User, in case of extraordinary operations of merger, disposal or transfer of part of the business, to facilitate the carrying out of the due diligence activities to be done before such operations. It is understood that only the strictly required data, in the most aggregate/anonymous form possible, will be processed.

C – Legal basis for processing

Data Controller may process Personal Data for the following cases:

  • Users have given their consent for one or more specific purposes (as for paragraph 3 of Section B);
  • provision of Data is necessary for the execution of an agreement with User and/or for any pre-contractual obligations thereof (as for paragraphs 1 and 2 of Section B);
  • processing is necessary for compliance with a legal obligation to which the Owner is subject (as for paragraphs 1 and 2 of Section B);
  • processing is necessary for the defense in court;
  • processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party (as for paragraph 5 of Section B).

In any case, Data Controller will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.

D – Methods of processing and data storage

The processing will be carried out in automated and manual manner, with methods and instruments aimed at guaranteeing maximum security and confidentiality, by persons appointed by Data Controller in accordance with EU Regulation 2016/679. Personal Data shall be processed and stored for as long as is necessary for the purpose for which they have been collected.

E – Purpose of communication and dissemination

Personal Data may be communicated to companies contractually bound to Data Controller and, where necessary, also to subjects outside the European Union, in accordance with the provisions set out in EU Regulation 2016/679.

Said data may be disclosed to third parties belonging to the following categories:

  • suppliers of IT services related to the management of the informative system and networks used by Data Controller (including e-mail and newsletter services);
  • freelancers, firms or companies with regard to the supply of consultancy services;
  • counterparties and their attorneys;
  • subjects that carry out audits and certification of the activities carried out by Data Controller;
  • competent authorities for compliance with legal obligations and/or provisions of public authorities.

The subjects belonging to said categories perform the function of Data Processor or operate in complete autonomy as an independent Data Controller. The list of Data Processors is constantly updated and available at the headquarters of Data Controller.

Data processed in application of the corporate security procedures are not subject to communication, without prejudice to express and specific requests eventually made by the competent judicial Authorities.

Moreover, during the ordinary processing activities, the subjects expressly designated by Data Controller as Processors and/or persons in charge of the processing will be able to access the Personal Data and identifying them.

F – Transfer of data abroad

Personal Data may also be transferred outside the European Union. In this case, PGA will take all necessary security measures to protect such Personal Data. Consequently, any transfer of Personal Data to countries located outside the European Union will be carried out in compliance with suitable guarantees, such as contractual data protection clauses, in accordance with EU Regulation 2016/679.

G – Nature of the consent and refusal

The refusal to provide data deemed necessary and indispensable for the fulfillment of obligations arising from outstanding contracts, regulations, European legislation or provisions issued by supervisory authorities, will make it impossible for the company to establish or continue the relationship.

The consent to allow Data Controller to send commercial communications is optional. User can oppose such processing at any time by exercising the rights set out in the EU Regulation 2016/679 in the forms and methods indicated in this statement.

Data Controller also states that failure to communicate, or incorrect communication of, any of the mandatory information will have the following consequences:

  • the inability of the owner to guarantee the adequacy of the treatment to the contractual agreements for which it is performed;
  • the possible mismatch of the treatment results to the obligations imposed by the tax, administrative and civil law to which it is addressed.

H – User’s rights

As provided for in Article 15 of the Regulation, Data subject may access his/her personal data, request that it be corrected and updated, if incomplete or incorrect, request its cancellation if it was collected in violation of a law or regulation, as well as oppose processing for legitimate and specific reasons.

In particular, below is a list of all the rights that can be exercised, at any time, vis-à-vis Data controller and/or the joint data controllers.

  1. Right of access: User has the right, pursuant to article 15(1) of the Regulation, to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: a) the purposes of the processing; b) the categories of personal data concerned; c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations; d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; e) the existence of the right to request from Data controller rectification or erasure of personal data or restriction of processing of personal data concerning Data subject or to object to such processing; f) the right to lodge a complaint with a supervisory authority; g) where the personal data are not collected from Data subject, any available information as to their source; h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for User.
  2. Right to rectification: User has the right to obtain, pursuant to Article 16 of the Regulation, the rectification of inaccurate personal data. Taking into account the purposes of the processing, it is possible to have incomplete personal data completed, including by means of providing a supplementary statement.
  3. Right of erasure: User has the right to obtain, pursuant to Article 17(1) of the Regulation, the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; b) Data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing; c) Data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or Data subject objects to the processing pursuant to Article 21(2); d) the personal data have been unlawfully processed; e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject. In some cases, as provided for in Article 17(3) of the Regulation, the controller is entitled not to delete your personal data if their processing is necessary, for example, to exercise the right to freedom of expression and information, to fulfil a legal obligation, for reasons of public interest, for purposes of filing in the public interest, scientific or historical research or for statistical purposes, for ascertaining, exercising or defending a right in court.
  4. Right to restriction of processing: User has the right to obtain the restriction of processing, pursuant to Article 18 of the Regulation, where one of the following applies: a) the accuracy of the personal data is contested by Data subject, for a period enabling the controller to verify the accuracy of the personal data; b) the processing is unlawful and Data subject opposes the erasure of the personal data and requests the restriction of their use instead; c) the controller no longer needs the personal data for the purposes of the processing, but they are required by Data subject for the establishment, exercise or defense of legal claims; d) Data subject has objected to processing pursuant to Article 21(1) of the Regulation pending the verification whether the legitimate grounds of the controller override those of Data subject. In case of restriction of processing, personal data will be processed, except for storage, only with the consent of or for the establishment, exercise or defense of legal claims or to protect the rights of another natural or legal person or for reasons of important public interest.
  5. Right to data portability: pursuant to Article 20(1) of the Regulation, User shall have the right to receive his personal data provided to a controller, in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. In this case, it will be the responsibility of Data subject to provide us with all the exact details of the new data controller to whom he intends to transfer his personal data by providing written authorization.
  6. Right to object: pursuant to Article 21(2) of the Regulation and as also reiterated in Recital 70, User may object at any time to the processing of his personal data if they are processed for purposes of direct marketing, including profiling to the extent that it is related to such direct marketing.
  7. Right to lodge a complaint with a supervisory authority: without prejudice to the right to appeal to any other administrative or judicial body, if the processing of personal data carried out by Data controller and/or joint controllers is deemed to be in violation of the Regulation and/or applicable law, a complaint may be lodged with the relevant Data Protection Authority.

To exercise all rights as identified above, simply contact Data controller and/or joint controllers in the following ways:

  • writing to the Privacy Office of PGA S.p.A., located in 20145 – Milan, Italy, Via Mascheroni, no. 31;
  • by sending an e-mail to info@pga-ip.com to the attention of the Privacy Office indicating in the reference “PRIVACY”;
  • by calling the telephone number (+39) 02.91470892.