Privacy Policy
1. Data Controller
The data controller for personal data collected through the website www.aisma.it is:
AISMA S.R.L.
Corso di Porta Vittoria 28, 20122 Milan (MI)
VAT ID / Tax Code: 11436100967
REA: MI-2602264
Email: info@aisma.it
PEC: aismasrl@pec.it
For any communication regarding the processing of personal data, the data subject may contact the controller at info@aisma.it or via PEC at the address indicated above.
2. Scope of Application
This policy applies to all users who visit the website www.aisma.it (hereinafter, the “Site”), regardless of the device used or the country of access. This document describes what personal data is collected during browsing and through the contact form, for what purposes, how long it is retained, and what rights are available to the data subject under the GDPR. This policy does not extend to third-party websites that may be accessible via links on the Site. AISMA S.R.L. is not responsible for data processing carried out by such parties.
3. Definitions
For the purposes of this policy, the following definitions apply:
- Personal data: any information relating to an identified or identifiable natural person (Art. 4, No. 1, GDPR).
- Data subject: the natural person whose personal data is being processed.
- Data controller: the party that determines the purposes and means of processing (AISMA S.R.L.).
- Data processor: an external party that processes data on behalf of the controller, on the basis of a written contract (Art. 28 GDPR).
- Processing: any operation performed on personal data, including collection, storage, consultation, use, and deletion.
- Cookie: small text files stored on the user’s device by the visited website.
- Legal basis: the legal ground that makes processing lawful (Art. 6 GDPR): consent, contract, legal obligation, legitimate interest.
- CMP (Consent Management Platform): software platform that manages the user’s cookie consent.
- GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
- Supervisory Authority: the Italian Data Protection Authority (Garante per la protezione dei dati personali) (www.garanteprivacy.it).
4. Personal Data Processed and Purposes of Processing
The Site collects personal data in three distinct ways, described below.
4.1 Browsing Data (Technical Logs)
Each visit to the Site involves the automatic collection of certain technical data by the hosting server, necessary for the proper functioning of the system:
- IP address of the user’s device.
- Browser type and version, and operating system.
- Date, time, and duration of the visit.
- Pages viewed and browsing path.
This data is not associated with the user’s identity and is processed exclusively to ensure the security of the Site and detect any malfunctions. The legal basis is the controller’s legitimate interest (Art. 6, para. 1, letter f), GDPR).
4.2 Contact Form
When the user completes the contact form, the following data is collected, provided voluntarily:
- First and last name (or company name).
- Email address.
- Text of the message sent.
- Any additional data freely entered in the body of the message.
Data collected through the form is processed to respond to the user’s request and, where applicable, to establish a pre-contractual or contractual relationship. The legal basis is Art. 6, para. 1, letter b), GDPR (performance of pre-contractual measures) or, in the absence of such a relationship, Art. 6, para. 1, letter f), GDPR (legitimate interest of the controller in responding to communications received).
Messages are saved in the administrative area of the Site, accessible only to authorized AISMA S.R.L. personnel via protected credentials. From this area, data can be consulted, exported, and manually deleted by the system administrator.
4.3 Cookies and Analytics Tools
The Site uses cookies, whose legal framework is governed in Italy by Art. 122 of the Privacy Code (Legislative Decree 196/2003, as amended by Legislative Decree 101/2018), read in conjunction with the Supervisory Authority’s Guidelines on cookies and other tracking tools of 10 June 2021.
Cookies are distinguished by function:
- Strictly necessary technical cookies: essential for browsing or for the provision of a service requested by the user. They do not require consent and cannot be disabled via the banner.
- Analytical cookies: measure how the Site is used (pages visited, session duration, traffic source). They require the user’s prior consent. They are activated via Google Analytics 4, with a configuration that limits the transmission of identifying data.
- Profiling and marketing cookies: not active in the current configuration of the Site. If activated in the future, this policy and the Cookie Policy will be updated accordingly, with collection of specific consent.
Cookie consent is managed via a CMP compliant with the Supervisory Authority’s 2021 Guidelines. On first access, the user is shown a banner that clearly presents the available cookie categories and allows free choice, with no non-technical cookie pre-selected. Consent is recorded by the CMP with the date, time, and preferences expressed, and may be revoked at any time via the “Manage cookie preferences” link in the Site footer.
The complete list of active cookies — with name, provider, duration, and specific purpose — is available in the Site’s Cookie Policy, automatically updated by the CMP at each new scan. In the event of any discrepancy between this policy and the Cookie Policy, the most recent version of the Cookie Policy shall prevail.
5. Data Retention
Personal data is retained for the period strictly necessary for the purposes for which it was collected, in compliance with the storage limitation principle (Art. 5, para. 1, letter e), GDPR).
- Technical browsing logs: maximum 12 months, unless required for judicial or administrative proceedings.
- Contact form messages: until the conclusion of the negotiation or request, and in any case no longer than 24 months from the last contact. After this period, data is manually deleted by the system administrator (see Compliance Note in § 4.2).
- Analytical cookies (Google Analytics 4): session data is retained for a configurable period, defaulting to 2 months for user data and 14 months for event data.
- Strictly necessary technical cookies: for the duration of the session or for the periods indicated in the Cookie Policy.
Upon expiry of the retention period, data is deleted or rendered permanently anonymous.
6. Data Disclosure and Transfers Outside the EU
6.1 Disclosure to Third Parties
Personal data is not sold or transferred to third parties for marketing purposes. It may be disclosed to parties acting as data processors under Art. 28 GDPR:
- Provider of the Site’s hosting service and infrastructure.
- Provider of the CMP platform for cookie consent management.
- Provider of the web traffic analytics service (Google LLC — Google Analytics 4).
- Professionals or consultants appointed for the technical or legal management of the Site, strictly within the limits necessary for the assignment.
Written contracts pursuant to Art. 28 GDPR are in place with all data processors, ensuring adequate security measures and compliance with applicable regulations.
6.2 Transfers Outside the EU
Google LLC, provider of Google Analytics, is headquartered in the United States. The transfer of data to that country is governed by the Standard Contractual Clauses (SCCs) approved by the European Commission under Implementing Decision 2021/914/EU, supplemented by the additional technical measures indicated by Google in its GDPR compliance documentation.
The Controller periodically verifies the adequacy of the safeguards and updates this policy in the event of significant changes. For up-to-date information, the data subject may consult Google’s Privacy Policy available at policies.google.com.
For data processed through the CMP platform, the Controller verifies that the provider operates in compliance with the GDPR and, where headquartered outside the EU, provides guarantees equivalent to those described above.
7. Security Measures
AISMA S.R.L. adopts technical and organizational measures adequate to ensure a level of security proportionate to the risk, pursuant to Art. 32 GDPR:
- Site connection via HTTPS protocol with SSL/TLS certificate.
- Access to the Site’s administrative area protected by individual credentials.
- Restriction of data access to authorized personnel only, trained in data protection matters.
- Periodic updates to the Site’s software and related plugins.
In the event of a data breach presenting a risk to the rights and freedoms of data subjects, the Controller will notify the Supervisory Authority within 72 hours of discovery (Art. 33 GDPR) and, where necessary, communicate the breach to data subjects (Art. 34 GDPR).
8. Rights of the Data Subject
The GDPR (Arts. 15–22) grants each data subject a series of rights that may be exercised against the controller at any time.
- Access (Art. 15): to know whether the controller processes data relating to the data subject and, if so, to obtain a copy of the data and detailed information about the processing.
- Rectification (Art. 16): to correct inaccurate or incomplete data.
- Erasure (Art. 17): to request that data be deleted when it is no longer necessary, when consent is withdrawn, or when processing is unlawful. This right is not absolute: it may be limited, for example, if the controller has a legal obligation to retain the data.
- Restriction of processing (Art. 18): to have data “frozen” — not further processed — while a dispute about its accuracy or lawfulness is ongoing.
- Portability (Art. 20): to receive in structured format data directly provided by the data subject to the controller, or to request its transfer to another controller. This applies only to data processed on the basis of consent or a contract and by automated means.
- Objection (Art. 21): to object to processing based on the controller’s legitimate interest. The controller may continue processing only if it demonstrates compelling grounds that override the data subject’s interests.
- Withdrawal of consent: for analytical cookies, consent may be withdrawn at any time via the CMP settings, without affecting processing already carried out.
To exercise any of these rights, the data subject submits a request to info@aisma.it or aismasrl@pec.it, with the subject line “Exercise of GDPR Rights” and attaching a copy of a valid identity document.
The controller will respond within 30 days. In cases of particular complexity or volume of requests, the deadline may be extended by a further 60 days, with reasoned notice to the data subject within the first 30 days. The exercise of rights is free of charge, unless the request is manifestly unfounded or repetitive.
The Site does not use automated decision-making processes that produce legal effects on the data subject, nor profiling systems within the meaning of Art. 22 GDPR.
9. Complaint to the Supervisory Authority
Without prejudice to the right to seek judicial remedy, a data subject who considers that the processing of their data is in violation of the GDPR has the right to lodge a complaint with the competent supervisory authority.
In Italy, the supervisory authority is:
Garante per la protezione dei dati personali
Piazza Venezia 11, 00187 Rome
Switchboard: +39 06 696771
Email: garante@gpdp.it
PEC: protocollo@pec.gpdp.it
Website: www.garanteprivacy.it
A complaint may also be lodged with the supervisory authority of the EU country in which the data subject habitually resides or works.
10. Updates to This Policy
This policy is subject to update in the event of changes to processing activities, regulatory developments, or new guidance from the Supervisory Authority.
Amendments are published on the Site with an indication of the update date. The version in force is always the one published on the Site at the time of consultation.
The Controller carries out an ordinary review on an annual basis and, in any case, on the occasion of:
- Activation of new data collection tools or cookies.
- Changes to the purposes of processing or to the recipients of data.
- Publication of new Supervisory Authority Guidelines or relevant measures.
- Regulatory changes affecting processing carried out through the Site.
Responsibility for the review lies with the Data Controller, with the support of the legal officer and the Site’s technical contact.