PRIVACY NOTICE ON THE PROCESSING OF PERSONAL DATA pursuant to Article 13 of Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR)
1. General Information
In compliance with Articles 12 and 13 of Regulation (EU) 2016/679 (General Data Protection Regulation – “GDPR”), this page describes the processing of personal data carried out by CGR SpA, headquartered in Parma, Via Cremonese 35/A — 43126, Tax Code and VAT no. 01800660340 (hereinafter, the “Company” or “Data Controller”) with regard to the individuals involved in the processing activities listed below (“data subjects”).
This notice does not apply to any other data processing that may occur while navigating third-party websites reached via links provided on this site.
The Data Controller ensures that all personal data processing activities are carried out in accordance with the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, integrity, and confidentiality.
2. Types of Processing
DATA FOR CONTACT REQUESTS, CONSULTATIONS, AND QUOTES
The management of contact requests submitted through the references provided on this website (https://cgrspa.com/en/contacts/), as well as consultations and quotations requested via the dedicated forms (https://cgrspa.com/en/contacts/request-a-quote/), may involve the collection of the user’s personal data.
| Purpose of processing (Art. 13, para. 1, letter c, GDPR) | Personal data are collected exclusively to respond to user requests and to communicate with the data subject in any follow-up phases. Some data may be mandatory and will be indicated with asterisks. |
| Categories of personal data | Identification data (first name, last name); contact details (telephone number, email address); country; any additional data/information included in the request. |
| Lawfulness of processing (Art. 13, para. 1, letter c, GDPR) | Processing is carried out to fulfill a request made by the data subject (Art. 6, para. 1, letter b, GDPR). |
| Scope of data communication (Art. 13, para. 1, letter e-f, GDPR) | Data are processed exclusively by authorized and trained personnel. They may also be processed by external parties appointed by the Controller (e.g. website management support, consulting firms), who act as data processors under Article 28(3) GDPR. Personal data will not be disclosed to third parties, nor transferred outside the EU/EEA. |
| Processing methods (Considerando 39, GDPR) | Personal data are processed lawfully, fairly, and transparently using IT and paper tools. Technical and organizational security measures have been implemented to prevent data loss, misuse, or unauthorized access. |
| Data retention period (Art. 13, para. 2, letter a, GDPR) | Personal data are processed lawfully, fairly, and transparently using IT and paper tools. Technical and organizational security measures have been implemented to prevent data loss, misuse, or unauthorized access. |
| Nature of data provision (Art. 13, para. 2, letter e, GDPR) | Providing personal data is optional. However, failure to provide them may hinder the ability to manage the request and issue a response. |
DATA RELATED TO JOB APPLICATIONS
Personal data contained in résumés sent to the specific addresses listed on this website (https://cgrspa.com/en/work-with-us/send-cv/) are processed for purposes related to recruitment and personnel selection.
| Purpose of processing (Art. 13, para. 1, letter c, GDPR) | Personal data included in CVs sent to addresses listed on the website are processed for personnel search and selection purposes. |
| Categories of personal data | Identification data (e.g., name, surname), contact details (email address, phone number, residence), professional information (previous roles), personal information (education, certifications, areas of interest). |
| Lawfulness of processing (Art. 13, para. 1, letter c, GDPR) | Processing is necessary to take steps at the request of the data subject prior to entering into a contract (Art. 6, para. 1, letter b, GDPR). |
| Scope of data communication (Art. 13, para. 1, letter e-f, GDPR) | Data are processed by authorized personnel and, where necessary, by external parties (e.g. recruitment agencies, technical support providers), who act as data processors under Article 28(3) GDPR. Data will not be disclosed to third parties or transferred outside the EU/EEA. |
| Processing methods (Considerando 39, GDPR) | Data are processed using both digital and paper formats, with security measures in place to prevent loss, misuse, or unauthorized access. |
| Data retention period (Art. 13, para. 1, letter a, GDPR) | Data are retained for the duration necessary to evaluate applications, and no longer than 24 months. |
| Nature of data provision (Art. 13, para. 1, letter e, GDPR) | Providing data is optional, but failure to do so may prevent the proper evaluation of the candidate and handling of the application. |
CLIENTS, SUPPLIERS, AND RELATED CONTACT PERSONS
In the context of activities related to contractual relationships with clients and suppliers, the personal data of these parties (and/or their representatives or contacts) may be processed.
| Purpose of processing (Art. 13, para. 1, letter c, GDPR) | Data are processed to: establish or fulfill contractual or professional relationships; manage communications; comply with legal obligations; and protect the Controller’s legitimate interests (e.g., legal defense, operational or accounting needs). |
| Categories of personal data | Identification data (name, surname, tax code/VAT); contact details (phone, email/PEC, legal address); professional data (employer details); banking and payment information. |
| Lawfulness of processing (Art. 13, para. 1, letter c, GDPR) | Processing is carried out based on: contract execution (Art. 6(1)(b)); legal obligations (Art. 6(1)(c)); or the legitimate interests of the Controller (Art. 6(1)(f), GDPR). |
| Scope of data communication (Art. 13, para. 1, letter e-f, GDPR) | Data are processed by authorized personnel and, where necessary, by data processors (e.g. legal or tax consultants, public authorities). Data are not transferred outside the EU/EEA unless required by law or investigation. |
| Processing methods (Considerando 39, GDPR) | Data are handled lawfully and securely, using both digital and paper systems. Technical and organizational safeguards are in place to mitigate risks. |
| Data retention period (Art. 13, para. 1, letter a, GDPR) | Data are retained for as long as required to meet contractual or legal obligations. |
| Nature of data provision (Art. 13, para. 1, letter e, GDPR) | Providing data is mandatory for the purposes outlined above. |
NEWSLETTER
Personal data voluntarily submitted through this website (https://cgrspa.com/en/contacts/request-a-quote/) are processed for purposes related to the distribution of newsletters.
| Purpose of processing (Art. 13, para. 1, letter c, GDPR) | Personal data voluntarily provided through the website are used to send informational newsletters. |
| Categories of personal data | Identification data (name, surname, email address). |
| Lawfulness of processing (Art. 13, para. 1, letter c, GDPR) | Processing is based on the data subject’s consent (Art. 6, para. 1, letter a, GDPR). |
| Scope of data communication (Art. 13, para. 1, letter e-f, GDPR) | Data are processed by authorized personnel and, where necessary, by third-party providers (e.g. IT services, newsletter management tools), appointed as data processors. Data are not disclosed or transferred outside the EU/EEA. |
| Processing methods (Considerando 39, GDPR) | Data are processed lawfully and securely using IT systems. Adequate safeguards have been implemented to prevent unauthorized access or misuse. |
| Data retention period (Art. 13, para. 1, letter a, GDPR) | Data are retained until the user withdraws consent. |
| Nature of data provision (Art. 13, para. 1, letter e, GDPR) | Providing data is optional. However, refusal to provide consent will prevent the sending of newsletters. |
WEBSITE BROWSING
The IT systems and software procedures used to operate this website collect, during their normal functioning, certain personal data whose transmission is implicit in the use of Internet communication protocols. This category of data includes IP addresses or domain names of the computers used by users who connect to the site, URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the server’s response (successful, error, etc.), and other parameters related to the user’s operating system and IT environment.
| Purpose of processing (Art. 13, para. 1, letter c, GDPR) | System logs and metadata are collected for the purpose of analyzing usage statistics and ensuring site security and functionality. Data may be used to investigate cybercrimes. |
| Lawfulness of processing (Art. 13, para. 1, letter c, GDPR) | Processing is based on the legitimate interest of the Controller to ensure the security of its systems and monitor site performance (Art. 6(1)(f), GDPR). |
| Scope of data communication (Art. 13, para. 1, letter e-f, GDPR) | Data are processed by authorized staff and relevant service providers, acting as data processors under Article 28(3) GDPR. Data may be disclosed to authorities in specific cases and are not transferred outside the EU/EEA. |
| Processing methods (Considerando 39, GDPR) | Data are collected via IT systems and processed automatically. Technical and organizational safeguards are applied to protect data. |
| Data retention period (Art. 13, para. 1, letter a, GDPR) | Data are generally retained for a short period unless extended for investigation purposes. |
| Nature of data provision (Art. 13, para. 1, letter e, GDPR) | Data provision is implicit in accessing and navigating the website. |
COOKIE
For more information on cookies, please refer to the Cookie policy.
3. Data Subject Rights
AUnder current regulations, data subjects may exercise the following rights by contacting: privacy@cgrspa.com
- Access (Art. 15): Confirm whether personal data is being processed and, if so, access those data.
- Rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Erasure (Art. 17): Request deletion of data under applicable legal conditions.
- Restriction (Art. 18): Request limitation of processing in specific circumstances.
- Data portability (Art. 20): Receive data in a structured, commonly used format.
- Objection (Art. 21): Object to processing based on the Controller’s legitimate interest.
If you believe your data is being processed in violation of the GDPR, you may lodge a complaint with the Italian Data Protection Authority or pursue legal action.
This privacy notice was last updated on 12 June 2025.