art. 13 of Regulation (EU) 2016/679 (General Data Protection Regulation - GDPR)

Pursuant to arts. 13 and 14 of Regulation (EU) 2016/679 (hereinafter “GDPR”), TINEXTA CYBER S.P.A. (hereinafter “Data Controller”), with registered office in Piazza Sallustio, 9 00187 Rome (Italy), in its capacity as “Data Controller”, informs you that, in the provision of its services and in the related legal relationships connected to its business, it recognizes and respects the right to the protection of personal data as a fundamental right of the person.

In the current regulatory context, the ability to maintain control of one’s information becomes fundamental and requires constant and conscious commitment to ensure adequate levels of personal data protection.

In this regard, it is useful to remember that Regulation (EU) 679/2016 (General Data Protection Regulation – GDPR) defines “personal data” as any information concerning an identified or identifiable natural person (“interested party”).

By “processing”, the GDPR means any operation or set of operations, carried out with or without the aid of automated processes and applied to personal data or sets of personal data, such as collection, registration, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, limitation, cancellation or destruction.

The following information describes the methods and purposes of the processing of personal data of users who access and use the website and the connected platform (hereinafter briefly “Site”).

The information is provided only for the Site and not for any third-party websites that may be accessed via hyperlinks (links) contained in the Site.


  1. Data Controller and Data Protection Officer

Data controller, pursuant to art. 4 of the GDPR, is TINEXTA CYBER S.P.A., with registered office in Piazza Sallustio, 9 00187 Rome (Italy), P.IVA 15971011000, PEC: [email protected]

TINEXTA CYBER’s Data Protection Officer (DPO) can be contacted at the following PEC address [email protected], or by writing to: Data Protection Officer – Tinexta S.p.A., Piazza Sallustio n. 9, 00187 – Rome (RM).


  2. Nature of the provision of personal data

To use the services offered through the Site, the user may be required to provide the personal data necessary to ensure their use.

In particular, for the purposes of filling in the forms on the Site, the provision of data marked with an asterisk is necessary for the management of and response to communications sent by the user.

In any case, the user is free to provide the requested data, in the sense that he is not legally obliged to provide them; failure to provide the data indicated as necessary, however, makes it impossible for the Data Controller to provide the requested service.


  3. Types of data processed and purpose of processing

The processing operations are carried out with reference to and limited to the personal data necessary for the use of the Site and its functions.

The types of data subject to processing include, in particular:

  • navigation data: during the user’s navigation on the Site, the computer systems used for its operation automatically acquire some information whose transmission is implicit in the use of Internet communication protocols. This category of data includes IP addresses or domain names of computers and terminals used by users, URI / URL (Uniform Resource Identifier / Locator) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the operating system and the user’s IT environment. These data are processed for purposes related to the provision of the services offered through the Site, including guaranteeing its proper functioning. The legal basis of the processing is, therefore, the execution of a contract to which the interested party is a party, pursuant to art. 6, par. 1, lett. b) of Regulation (EU) 679/2016 (GDPR).

In particular, the navigation data are processed for the purpose of:

  • ensuring the correct functionality of the Site and the usability of its services;
  • obtaining, only by the data controller directly, aggregated and anonymized statistical information relating to the use of the Site (such as, for example, most visited pages, number of visitors by time or day, geographical areas of origin, etc.).

For more information on the collection, use and storage times of browsing data, please refer to the cookie policy [link].

  • data provided voluntarily by the user, i.e. personal data (identification and / or contact details) provided by users while using the website, by filling in the contact forms in the individual sections, in which the name, surname and contact details are requested and, optionally, further information such as the indication of one’s job role and company and, in particular:
  1. name, surname, e-mail address and other personal data that may be contained in the e-mail messages sent to the addresses indicated on the Site and / or in the related attachments, in order to carry out the processing activities necessary to provide feedback to the user’s requests;
  2. name, surname, and e-mail address provided by filling in the registration form for the newsletter service, in order to send periodic information communications, in-depth information on privacy and information security services, as well as more generally promotional communications about TINEXTA CYBER training initiatives and services;
  3. data provided by completing the request form relating to training courses and webinars provided by the Tinexta Cyber Academy in e-learning and streaming mode through its Platform (name, surname, e-mail address, company and any other personal data contained in the message), in order to provide the requested information. Furthermore, with the user’s consent, the data provided may be processed, in combination with the type and theme of the course to which the request for information refers, to send commercial offers and promotional communications in line with the user’s profile. In any case, the e-mail coordinates and the user’s personal data may be used to send information and promotional newsletters on the services and initiatives of TINEXTA CYBER SPA, without prejudice to the right of the interested party to oppose the receipt of communications and updates of this type, pursuant to art. 21 of Regulation (EU) 679/2016.


  4. Processing methods, purposes, legal basis and nature of the data processed

Your data is collected and registered in a lawful and correct manner for the purposes indicated above in compliance with the principles and requirements set out in art. 5, paragraph 1 of the GDPR.

The processing of personal data takes place using manual, computerized and telematic tools, also by means of collaborators and employees authorized to do so, with logic strictly related to the purposes themselves and, in any case, in order to guarantee their security and confidentiality.

Personal data will be processed by TINEXTA CYBER S.P.A. for the entire duration of the assignment and also subsequently to assert or protect its rights or for administrative purposes and / or to execute obligations deriving from the legislative and regulatory framework applicable pro tempore and in compliance with the specific legal obligations on the conservation of data.

Specific security measures are adopted in order to minimize the risk of destruction or loss, even accidental, of the data being processed, of unauthorized access, and of processing that is not permitted or does not comply with the purposes indicated in this statement.

In compliance with current legislation on the protection of personal data, the data subject’s personal data will be stored, collected and processed by the Company for the following purposes:

  a) fulfillment of contractual obligations, execution and / or stipulation of the contract with the Customer and / or management of any pre-contractual measures [paragraph 2 lett. a) and c)];
  b) fulfillment of any regulatory obligations, tax and fiscal provisions deriving from the conduct of business activities and obligations related to administrative and accounting activities [par. 2 lett. a) and c)];
  c) sending newsletters and communications for direct marketing purposes via email, sms, mms, push notifications, paper mail, telephone with operator, in relation to products and services provided [par. 2, lett. b) and c)].

The legal bases of the processing for the purposes a) and b) indicated above are Articles 6.1.b) and 6.1.c) of the Regulation. The provision of data for the aforementioned purposes is optional, but failure or refusal to provide the data would make it impossible for the Company to execute and / or stipulate the contract and provide the requested services.

The legal basis for the processing of personal data for purpose c) is art. 6.1.a) of the GDPR, as the processing is based on consent; it is specified that the Data Controller may collect a single consent for the marketing purposes described here.

The granting of consent to the use of data for marketing purposes is optional. If the interested party wishes to oppose the processing of data for marketing purposes carried out with the means indicated here, or to revoke the consent given, he may do so at any time and without any consequence (except that he will no longer receive marketing communications) by following the instructions in the “Rights of the interested party” section of this Information.

Finally, we remind you that for processing carried out for the purpose of sending direct advertising material or direct sales or for carrying out market research or commercial communications in relation to products or services similar to those used by the Customer, the Data Controller may use e-mail addresses or personal data pursuant to and within the limits permitted by art. 130, paragraph 4 of the Code and the general provisions of the Guarantor Authority for the protection of personal data, even in the absence of explicit consent.

The legal basis for data processing for this purpose is art. 6, paragraph 1, lett. f) of the GDPR, without prejudice to the possibility of opposing such processing at any time, following the instructions in the “Rights of the interested party” section of this Notice.


  5. Data retention period

The data being processed will be kept for a period of time not exceeding that necessary to achieve the purposes for which they were collected or subsequently processed and, in particular:

  1. the data provided by sending e-mails or filling out the contact forms on the site will be kept for the time necessary to provide feedback;
  2. the data provided for the purpose of subscribing to the newsletter service will be processed until the interested party exercises the right to object pursuant to art. 21 of the GDPR;
  3. the data processed in order to respond to a request for information on initiatives, training courses and webinars of the Academy made available on the Site will be kept for a maximum period of 12 months from the date they were provided.

The Data Controller will, after the expiry of the retention terms according to the indicated criteria, adopt preordained measures for the cancellation or anonymization of the data that should not be kept for specific regulatory obligations.


  6. Categories of recipients

Within the limits of what is provided for each specific functionality and / or for each specific service, the personal data processed by the Data Controller will not be disseminated, i.e. it will not be disclosed to indeterminate subjects, in any possible form, including by making it available or by simple consultation.

Instead, they may be made accessible to workers and / or collaborators who work for and under the responsibility of the Data Controller, in their capacity as designated and / or authorized to process personal data and / or System Administrators, and / or to third-party companies or other subjects who carry out outsourcing activities on behalf of the Data Controller, appointed for this purpose as external managers of the processing of personal data pursuant to art. 28 GDPR.

The updated list of persons appointed as Data Processors pursuant to art. 28 GDPR can be requested from the Data Controller.

In no case will personal data be communicated, disseminated, sold or otherwise transferred to third parties for illegal purposes and, in any case, without providing suitable information to the interested parties and obtaining their consent, where required by law.

This is without prejudice to any communication of data at the request of the judicial or public security authorities, in the manner and in the cases provided for by law.


  7. Transfer abroad

Personal data will not be transferred abroad, to countries or international organizations not belonging to the European Union that do not guarantee an adequate level of protection, recognized, pursuant to art. 45 GDPR, based on an adequacy decision of the EU Commission.

In the event that it is necessary for the provision of the Site’s services, the transfer of personal data to countries or international organizations outside the EU, for which the Commission has not adopted any adequacy decision pursuant to art. 45 GDPR, will take place only in the presence of adequate guarantees provided by the recipient country or organization, pursuant to art. 46 GDPR and provided that the data subjects have enforceable rights and effective remedies.

In the absence of an adequacy decision by the Commission, pursuant to art. 45 GDPR, or adequate guarantees, pursuant to art. 46 of the GDPR, including the binding corporate rules, the cross-border transfer will take place only if one of the conditions indicated in art. 49 GDPR is met.


  8. Rights of the interested party

The interested party has the right to access their personal data, to request their correction, updating and cancellation or limitation, if incomplete, erroneous or collected in violation of the law, as well as to oppose the processing for legitimate reasons or obtain portability.

The interested party, in particular, pursuant to articles 15-22 of Regulation (EU) 679/2016, has the right to obtain confirmation of the existence or not of personal data concerning him, even if not yet registered, and their communication in an intelligible form.

The interested party also has the right to obtain an indication:

  1. of the purposes and methods of the processing;
  2. of the logic applied in case of processing carried out with the aid of electronic tools;
  3. of the identification details of the Data Controller, of the Manager and of the subjects or categories of subjects to whom the personal data may be communicated or who can learn about them as authorized for processing.

The interested party has the right to obtain:

  1. updating, rectification or integration of their data;
  2. the cancellation, transformation into anonymous form or blocking of data processed in violation of the law, including data which need not be kept for the purposes of the processing;
  3. the limitation of processing, when one of the hypotheses referred to in Article 18 of the GDPR occurs;
  4. the attestation that the operations referred to in points 1, 2 and 3 have been brought to the attention of those to whom the data have been communicated or disseminated, except in the case in which this fulfillment proves impossible or involves a use of means manifestly disproportionate to the protected right;
  5. the transmission of data concerning him, provided to the Data Controller and processed on the basis of the consent expressed by the interested party for one or more specific purposes, in a structured format, commonly used and readable by an automatic device. Pursuant to art. 20 of the GDPR, the interested party also has the right to transmit such data to another Data Controller without impediments and, if technically feasible, to obtain the direct transmission of personal data from one Data Controller to the other.
  6. if the processing is based on consent, withdraw your consent at any time (pursuant to Article 7, paragraph 3 of the GDPR).

The interested party has the right to object, in whole or in part:

  1. for legitimate reasons, to the processing of personal data concerning him, even if pertinent to the purpose of the collection;
  2. to automated decision-making processes that significantly affect your person.

Without prejudice to any other administrative or judicial appeal, the interested party has the right to lodge a complaint and / or report to a supervisory authority, particularly in the Member State in which he usually resides, works or in the place where the alleged violation has occurred.


  9. Exercise of rights

The above rights are exercised with a request addressed to the Data Controller, directly or through an authorized person, orally or by sending an e-mail message to [email protected].

The interested party also has the right to contact the Data Protection Officer (D.P.O.) in charge, at the following e-mail address [email protected].

The request is formulated freely and without formalities by the interested party, who has the right to receive appropriate feedback within a reasonable time, depending on the circumstances of the case.

The interested party may use, for the exercise of his rights, non-profit bodies, organizations or associations whose statutory objectives are of public interest and which are active in the field of protection of the rights and freedoms of the interested parties with regard to the protection of personal data, giving, for this purpose, a suitable mandate. The interested party can also be assisted by a trusted person.

To find out about your rights, lodge a complaint and always be updated on the legislation on the protection of individuals with regard to the processing of personal data, the interested party can contact the Data Protection Authority for the protection of personal data, by consulting the website at address

Best regards

The Data Controller



Information updated in July 2024