This privacy policy is provided in compliance with Article 13 of the EU Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter “GDPR”) concerning the processing of your personal data when using the institutional website www.eng.it of Engineering Group, (the “Site”).

This document explains the purposes and methods by which your personal data are processed, what personal data are processed, what rights the data subjects have and how these rights can be exercised.

1.      Data Controller and Data Protection Officer

Pursuant to Article 4 of the GDPR, the data controller of your personal data referred to in this privacy policy is Engineering Ingegneria Informatica S.p.A., with registered office in Rome, Piazzale dell’Agricoltura 24, 00144, Tax Code 05724831002.

The Data Controller has appointed a Data Protection Officer or “DPO”, who can be reached at the following e-mail address: dpo.privacy@eng.it.

2.      Categories of personal data processed

The Controller will collect and process personal data of a common nature through your use of the Site.

The data collected and processed may be: Site Usage Data (clicks; search history; browsing history; usage data; video views data; session duration; interaction events; page events; browser information; device information; page scroll interactions; IP address; number of sessions; pageviews; operating systems) and Location Data (city; province; geographic region; language; country).

3.      Purpose of processing and legal bases

Your personal data may be processed for the following purposes:

a)      Statistical analysis

Your data may be processed by the Controller in order to carry out analyses and process statistics on the use of the Site made by users. The Data Controller may, on the basis of your consent (managed through appropriate functionality on the Site), learn, by means of detailed insights, the browsing behaviour of users (visits to the Site, average time spent on the pages, device used, etc.) (Article 6(1)(a) GDPR).

b)      Performing network checks, spam and bot protection

Your data may be processed to filter the Site from unwanted traffic, messages and content recognised as SPAM or to protect it from the activities of malicious bots, to ascertain, perform data and network security checks and to prevent and counter possible computer crimes; therefore, in pursuit of the legitimate interest of the Data Controller to maintain the protection of internal computer systems and apply appropriate security measures (art. 6(1)(f) GDPR).

c)      Defence of a right in court

Your data may also be processed for the purpose of asserting, exercising or defending a right in court (Art. 6(1)(f) GDPR).

The provision of your personal data for the purposes under a) is optional. The provision of your personal data for the purposes referred to in points b) and c) is necessary and failure to do so may make it impossible for the Controller to provide the services in whole or in part.

The Controller may also collect and process your personal data through cookies or other tracking tools. For further information, please consult the cookie policy of the Site.

4.      Data processors and authorized persons

The Data Controller will share your personal data with its employees and collaborators specifically identified and instructed by a written deed pursuant to Article 29 of the GDPR (“Authorized Persons”), who will process them, under the authority of the Data Controller, exclusively for the purpose of performing their respective work duties.

Your personal data may also be shared with third parties, appointed as data controllers by the Data Controller in writing pursuant to Article 28 of the GDPR, or, where required by applicable law, as autonomous data controllers.

In particular, your personal data will be processed for purposes ancillary to and/or connected with the provision of services offered by third parties in the context of browsing the Site.

It is also specified that your data may be shared with public authorities if this is required by law or by order of the competent authorities.

5.      Transfer of data outside the EU

In pursuit of the above-mentioned purposes, some of your personal data may be shared with recipients located outside the European Union/European Economic Area. In such circumstances, the Data Controller ensures that the transfer of such data takes place in compliance with the provisions of Chapter V of the GDPR (Transfers of Personal Data to Third Countries or International Organisations), therefore on the basis of an adequacy decision of the European Commission pursuant to Article 45 GDPR or, failing that, with the adoption of the appropriate safeguards referred to in Article 46 of the GDPR, such as the Standard Contractual Clauses in the latest version published by the European Commission.

6.      Data retention period

Your personal data will be kept, with logic strictly related to their security and the resilience of the systems used for their processing, for the time strictly necessary to achieve the purposes for which they were collected.

In any case, your personal data collected for statistical purposes will not be retained after 5 years of their collection (or until you revoke your consent through the appropriate function on the Site).

In particular, the storage and processing of your data will take place in full compliance with the principles of data minimisation and storage limitation pursuant to Article 5 of the GDPR.

In addition, the Controller may keep your personal data for a further period in order to fulfil contractual and legal obligations applicable to it and, where necessary, to assert, exercise or defend its own rights in and out of court, in any case for the maximum period permitted by the law in force at the time.

7.      Rights of data subjects

Pursuant to current legislation, you have the following rights.

• Access: you have the right to access at any time the data concerning you that are available to the Data Controller, as well as any useful information concerning the processing carried out by the latter;
  
• Rectification: you have the right to obtain the rectification and/or correction of inaccurate data concerning you that is available to the Controller;
• Deletion: upon the occurrence of particular reasons, you have the right to request and obtain, without undue delay, the deletion of your data in the possession of the Controller;
• Restriction: in special cases, you have the right to have the processing of your data restricted;
• Portability: in the event of automated processing of data based on your consent or the performance of a contract, you have the right to receive, in a structured, commonly used and machine-readable format, your personal data provided to the Controller, as well as the right to transmit such data to another controller without hindrance;
• Objection: you have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data based on the pursuit of the legitimate interests of the controller, unless the controller proves the existence of compelling legitimate grounds that override your interests, rights and freedoms;
• Automated decision-making: you have the right not to be subject to a decision based solely on automated processing of your data, including profiling, where such a decision significantly affects you.

You may exercise your rights, in the manner set out in Article 12 of the GDPR and within the limitations set out in Article 23 of the GDPR, by writing to the Controller’s contact details set out in this notice or to the DPO’s address: dpo.privacy@eng.it.

Without prejudice to any other administrative or judicial remedy, you are also guaranteed the right to lodge a complaint with the competent supervisory authority where you believe there has been a violation of your data protection rights. Further information is available at https://www.garanteprivacy.it.