Introduction
For the undersigned company, personal data represents an asset of great value, to be protected by adopting specific procedures and behaviors. Transparency towards data subjects therefore represents a primary objective, pursued through effective communication tools and aimed at making basic information on the processing of their data available to data subjects. This information is therefore aimed at providing data subjects with all the elements required by current privacy regulations, as well as specific guarantees of reliability to stakeholders.

General information
Users (data subjects, as GDPR, Art.4, c1) are informed of the following general profiles, valid for all areas of processing:

• all personal data are processed in compliance with the applicable privacy regulations in force (EU Reg. 2016/679 and Legislative Decree 196/2003, as amended by Legislative Decree 101/2018);
• all User data are processed in a lawful, correct and transparent manner, in compliance with the general principles set out in Article 5 of the GDPR;
• specific security measures are observed to prevent data loss, illicit or incorrect use and unauthorized access, pursuant to Article 32 of the GDPR.

Data Controller
The Data Controller is the undersigned Company (in the person of its pro-tempore legal representative) who can be contacted for any request regarding privacy or to exercise the rights listed below, at the following addresses:

DATA CONTROLLER
Name: Italtherm Spa
Email: privacy@italtherm.it

DATA PROTECTION OFFICER (DPO)
Name: Galli Data Service Srl
Email: dpo@gallidataservice.com

Data subject’s rights

• right to request the presence and access to personal data concerning him (Article 15 "Right of access");
• right to obtain the rectification / integration of inaccurate or incomplete data (Article 16 "Right to rectification");
• the right to obtain, if there are justified reasons, the cancellation of data (Article 17 “Right to erasure”);
• right to obtain the limitation of processing (Article 18 "Right to restriction");
• right to receive the data concerning him in a structured format (Article 20 “Right to portability”);
• right to object to the processing and to automated decision-making processes, including profiling (Articles 21, 22 “Right to object”);
• right to revoke a previously given consent;
• the right to submit, in the event of non-response, a complaint to the Data Protection Authority.

The following specific information is provided below, referring to:

1. data processing related to the functioning of this website;
2. data processing of final purchasers of Italtherm products;
3. data processing of customers / commercial partners;
4. data processing of suppliers;
5. data processing for surveillance purposes.

1) DATA PROCESSING RELATED TO THE FUNCTIONING OF THIS SITE

This privacy policy refers to the processing related to browsing the website www.italtherm.it, as well as directly connected third-level subdomains, for example:
https://areariservata.italtherm.it
https://academy.italtherm.it/

1.1 Navigation Data
The computer systems and software procedures used to operate this website acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified data subjects, but by its very nature could, through processing and associations with data held by third parties, allow users to be identified. This category of data includes IP addresses or domain names of the computers used by users who connect to the site, addresses in URI (Uniform Resource Identifier) notation of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters related to the user's operating system and computer environment.

Purpose and legal basis of the processing (GDPR-Art.13, paragraph 1, letter c)	This data is used only for the purpose of receiving anonymous statistical information on the use of the site and to control its correct functioning. The data could moreover be used to ascertain the responsibility in case of presumed IT crimes to the damage of the site (legitimate interests of the owner).
Scope of knowledge (GDPR-Art.13, comma 1, lett. e,f)	The data is processed exclusively by in-house staff, duly authorised and trained in data processing (GDPR-Art.29) and shall not be disclosed to external parties, diffused, or transferred to countries outside the EU. Only in cases of investigation, this data may be placed at the disposal of the competent authorities.
Data retention (GDPR-Art.13, comma 2, lett. a)	This data is usually kept for brief periods, with the exception of possible prolonged connections related to investigation activities.
Data provision (GDPR-Art.13, comma 2, lett. f)	The data is not submitted by the party involved but acquired automatically by the site’s technological systems.

1.2 Cookies
The management of cookies complies with the regulatory requirements in the field:

• "Cookie and other tracking tools guidelines" of June 10, 2021 (published in the Official Gazette No. 163 of July 9, 2021);
• Guidelines 5/2020 on consent under reg.(EU) 2016/679, adopted by the European Data Protection Board;
• Transnational agreements on extra-EU data flows, stipulated pursuant to Title V of the GDPR.

The user can check, in detail, the types of cookies and set their preferences via the appropriate banner; it is also possible to obtain more information about cookies at the following link: https://www.italtherm.it/cookie_policy.php

Further information about cookies
www.garanteprivacy.it/cookie (collection of the main regulatory interventions on the subject by the Italian Data Protection Authority)
www.allaboutcookies.org (for more information on cookie technologies and their operation)
www.youronlinechoices.com/it/a-proposito (allows users to oppose the installation of the main profiling cookies)

1.3 Correlations with portals and social networks
On the pages of the site, there may be buttons, widgets, plug-ins, links, cookies from Social Networks to facilitate interaction with Social platforms and content sharing. It is noted that the processing of data entered by the user on the various social channels takes place according to the privacy rules and settings of the social network itself, accepted by the user at the time of registration. For informational purposes, here are some links to the main social networks, through which it is possible to manage your privacy settings and cookie acceptance:

• Facebook (information): https://www.facebook.com/help/cookies/
• Facebook (settings): ): your account – privacy section
• Instagarm (information) https://www.instagram.com/legal/privacy
• Youtube: https://www.youtube.com/t/terms
• Linkedin (information): https://www.linkedin.com/legal/cookie-policy
• Linkedin (settings): https://www.linkedin.com/settings
• Twitter (information): https://support.twitter.com/articles/20170514
• Twitter (settings): https://twitter.com/settings/security

1.4 Registration for training courses
Registration allows access to the courses of the Italtherm Academy platform (the procedure is activated by invitation, via email), both online and in-person.

Purpose and legal basis of the processing (GDPR-Art.13, paragraph 1, letter c)	The data necessary for the creation of the profile (e.g., personal data, contacts, credentials, etc.) and for the administrative/operational management of the courses (e.g., consultation of calendars and availability, registration, attendance, obtaining certificates, etc.) are requested. The processing is carried out to fulfill contractual and pre-contractual obligations and related legal obligations (GDPR-Art.6, paragraph 1, letters b, c) necessary for the provision of the service. The courses can be attended by: internal teams, sales agencies, resellers, technical assistance centers, designers, condominium administrators, etc.
Scope of knowledge (GDPR-Art.13, comma 1, lett.e,f)	The data are processed by internal staff, who are regularly authorized and trained in data processing (GDPR-Art.29), or by external entities managing the academy platform, or by instructors. The data will not be disclosed or transferred to non-EU countries.
Data retention (GDPR-Art.13, comma 2, lett.a)	The data are retained for periods compatible with the purpose of collection and related legal obligations (administrative documentation retention), in any case until a possible deletion request by the user.
Data provision (GDPR-Art.13, comma 2, lett.f)	The data are retained for periods compatible with the purpose of collection and related legal obligations (administrative documentation retention), in any case until a possible deletion request by the user.

1.5 Contacts and information requests
This page allows the data subject to request information. Identifying and contact details are required.

Purpose and legal basis of the processing (GDPR-Art.13, paragraph 1, letter c)	Identifying and contact details necessary to respond to contact requests from data subjects are requested. The submission of the request is subject to specific, freely given, and informed consent (GDPR-Art.6, paragraph 1, letter a), documented through a dedicated check-box (GDPR-Art.7, paragraph 1).
Scope of knowledge (GDPR-Art.13, comma 1, lett.e,f)	The data are processed exclusively by personnel who are regularly authorized and trained in data processing (GDPR-Art.29). The company providing the technological platform and its authorized personnel may access the data solely for website maintenance purposes. The data will not be disclosed or transferred to non-EU countries.
Data retention (GDPR-Art.13, comma 2, lett.a)	The data are retained for periods compatible with the purpose of collection.
Data provision (GDPR-Art.13, comma 2, lett.f)	The provision of data related to mandatory fields is necessary to obtain a response, while optional fields are intended to provide the staff with additional useful information to facilitate contact.

1.6 Access to restricted content
The website is equipped with restricted access areas for the limited sharing of confidential content.

Purpose and legal basis of the processing (GDPR-Art.13, paragraph 1, letter c)	The necessary data are used to allow user access (usually username/password). Specific, freely given, and informed consent is required (GDPR-Art.6, comma 1, letter a), documented through a dedicated checkbox (GDPR-Art.7, comma 1).
Scope of knowledge (GDPR-Art.13, comma 1, lett. e,f)	The data are processed by internal staff, who are regularly authorized and trained in data processing (GDPR-Art.29), or by external entities managing the platform. The data will not be disclosed or transferred to non-EU countries.
Data retention (GDPR-Art.13, comma 2, lett. a)	The data are retained for periods compatible with the purpose of collection and related legal obligations (administrative documentation retention), in any case until a deletion request is made by the user.
Data provision (GDPR-Art.13, comma 2, lett. f)	The failure to provide the data will result in the impossibility to complete access to restricted areas.

1.7 Work with Us
The page allows the interested party to submit their professional application. The applicant's identifying information, contact details, and curriculum vitae are required.

Purpose and legal basis of the processing (GDPR-Art.13, paragraph 1, letter c)	The data are collected for the proper management of personnel selection procedures, evaluation of applications, and for subsequent contacts. The submission of the request is subject to specific, freely given, and informed consent (GDPR-Art.6, paragraph 1, letter a). Upon potential hiring, the candidate will receive regular information related to the established professional relationship.
Scope of knowledge (GDPR-Art.13, comma 1, lett.e,f)	The data are processed by internal staff, who are regularly authorized and trained in data processing (GDPR-Art.29), or by external entities managing the platform. The data will not be disclosed or transferred to non-EU countries.
Data retention (GDPR-Art.13, comma 2, lett.a)	The data are retained for periods compatible with the purpose of collection, typically identified as 24 months, but in any case until a deletion request is made by the user.
Data provision (GDPR-Art.13, comma 2, lett.f)	The provision of data related to mandatory fields (marked with *) is necessary to submit your application, while optional fields are intended to provide the staff with additional useful information to facilitate the selection process.

1.8 Data provided voluntarily by Users
The optional, explicit and voluntary sending of messages to contact addresses, private messages sent by users to institutional profiles/pages on social media (where this possibility is provided), as well as the compilation and forwarding of any forms/modules present , involve the acquisition of the sender's contact details, necessary to reply, as well as all personal data included in the communications. The sender therefore remains personally responsible for the accuracy of the data provided, as well as their pertinence and non-excess with respect to the requests in question.

2) DATA PROCESSING OF ITALTHERM END CUSTOMERS

2.1 Subject of the processing
The company operates in a B2B channel, selling its products to other legal entities (agencies, resellers, technical assistance centers, installers, hereinafter collectively referred to for simplicity as Commercial Partners), who resell products, services, spare parts to the final buyer (private consumer). Italtherm comes into direct contact with the data of the final buyer, defining the methods and purposes of the processing, only in the following contexts:

• Product warranty management;
• Management of bonuses and tax benefits;
• Consumer credit services.

In relation to these services, Italtherm acts as the Data Controller, and the Commercial Partner acts as the external Data Processor for the collection and transmission phases to Italtherm itself. In relation to sales transactions with end customers, the Commercial Partner instead acts as the autonomous Data Controller of the processing.

2.2 Purpose and legal basis of the processing
The data are processed for the proper provision of the aforementioned services, as well as related contractual and legal obligations.

PURPOSE	TYPE OF DATA	DATA SUBJECT INVOLVED
Management of warranties	Data collected through completion of a card (personal information, product label, commissioning details, etc.)	Commercial partner for data collection
Management of bonuses and tax benefits	Data necessary for the application and provision of the contribution (personal information, economic data, etc.)	Commercial partner for data collection; Entities involved in the provision of the contribution
Consumer credit services	Data necessary for the application and provision of credit (personal information, economic data, etc.)	Commercial partner for data collection; Financial institution (Data Controller) for credit provision

2.3 Processing Methods and Storage Period
The processing of personal data is carried out through the operations specified in Art. 4 No. 2) of the GDPR, namely: collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, erasure, and destruction of data. Personal data are processed both in paper and electronic form. The Data Controller will process personal data for the time necessary to fulfill the purposes for which they were collected and related legal obligations (typically coinciding with the relationship with the data subject, subject to extension for obligations related to the retention of administrative documentation and commercial correspondence, as well as for the time connected to potential tax audits).

2.4 Scope of Processing
The data are processed by internal personnel who are regularly authorized and trained under Art. 29 of the GDPR. It is also possible to request information about the scope of communication of personal data, obtaining precise indications on any external entities acting as Data Processors or Data Controllers (e.g., consultants, technicians, banks, transporters, etc.). The data may be communicated to affiliated companies for various purposes. The data are not subject to dissemination or transfer outside the EU (they may be transferred outside the EU only in compliance with the conditions set out in Chapter V of the GDPR, aimed at ensuring that the level of protection of data subjects is not compromised, as specified in Articles 45, 46, 47, and 49).

3) PROCESSING OF CUSTOMER DATA (BUSINESS PARTNERS)

3.1 Object of the Processing
The company operates in a B2B channel, selling its products to other legal entities (agencies, resellers, technical support centers, installers, collectively referred to as Business Partners). The data processed from these entities include tax-related information (e.g., name, surname, company name, personal/tax information, address, phone number, email, bank and payment references) and data of their operational contacts (name, surname, and contact details) for communication/training purposes.

3.2 Purpose and Legal Basis of the Processing
The data are processed to:

• conclude contractual/professional relationships and provide related products/services;
• fulfill pre-contractual, contractual, and tax obligations arising from existing relationships, as well as manage necessary communications related to them;
• comply with legal obligations, regulations, EU legislation, or orders from authorities;
• exercise legitimate interests and rights of the Data Controller (e.g., the right of defense in legal proceedings, protection of credit positions, ordinary internal operational, managerial, and accounting needs);
• conduct technical/commercial communications related to Italtherm products/services, which Business Partners need to be informed about for the proper conduct of their activities;
• conduct technical/commercial training activities on Italtherm products and services.

Italtherm organizes informational/promotional events related to its products, services, and activities. During such events, photo/video content may be produced, featuring employees/references of partners, as well as any additional invitees. The photo/video/testimonial content may be published on printed materials such as brochures, catalogs, or other promotional printed materials; on the institutional website of Italtherm and associated sites (social networks, etc.); on local and/or national media or affiliated company sites. Italtherm commits to producing and using photo/video materials that do not harm the reputation and dignity of the individuals depicted, ensuring compliance with current privacy laws. The Partner will inform participants (their own employees/collaborators and other invitees, such as clients) and notify Italtherm of any requests from individuals not to be included in the footage. Italtherm, where technically feasible, will ensure signage indicating photo/video coverage of the event, along with specific information during participant data collection contacts. Italtherm (Data Controller) retains full ownership of the materials produced, excluding any financial compensation for the individuals involved.

3.3 Processing Methods and Storage Period
The processing of personal data involves operations as specified in Art. 4 No. 2) of the GDPR, namely: collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, erasure, and destruction of data. Personal data are processed in both paper and electronic formats. The Data Controller will process personal data for the time necessary to fulfill the purposes for which they were collected and related legal obligations (typically coinciding with the relationship with the data subject, subject to extension for obligations related to the retention of administrative documentation and commercial correspondence).

3.4 Scope of the Processing
The data are processed by internal personnel who are regularly authorized and trained under Art. 29 of the GDPR. Additionally, it is possible to request information regarding the scope of communication of personal data, obtaining precise indications on any external entities acting as Data Processors or Data Controllers (e.g., consultants, technicians, banks, transporters, etc.). The data may be communicated to affiliated companies for various purposes. The data are not subject to dissemination or transfer outside the EU (they may be transferred outside the EU only in compliance with the conditions set out in Chapter V of the GDPR, aimed at ensuring that the level of protection of data subjects is not compromised, as specified in Articles 45, 46, 47, and 49).

4) SUPPLIER DATA PROCESSING

4.1 Purpose of the processing
The company processes identifying personal data of suppliers (e.g., name, surname, company name, personal/tax data, address, phone number, email, bank and payment details) and their operational contacts (name, surname, and contact details) used in the context of purchasing products/services.

4.2 Purposes and legal basis of the processing
The data is processed for:

• concluding contractual/professional relationships and acquiring related products/services;
• fulfilling pre-contractual, contractual, and fiscal obligations arising from existing relationships, as well as managing necessary communications related to them;
• complying with obligations under the law, regulations, EU legislation, or orders from authorities;
• exercising a legitimate interest and rights of the Controller (e.g., the right to defense in legal proceedings, ordinary internal operational, managerial, and accounting needs).

Failure to provide such data will make it impossible to establish a relationship with the Controller. These purposes represent, under Articles 6(b), (c), and (f), suitable legal bases for the lawfulness of processing. If processing is intended for different purposes (e.g., marketing communications, production of photo/video content, etc.), specific consent from the data subjects will be required.

4.3 Methods of processing and retention period
The processing of personal data involves operations as outlined in Art. 4, no. 2) of the GDPR, specifically: collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, erasure, and destruction of data. Personal data is processed both in paper and electronic form. The Controller will process personal data for the time necessary to fulfill the purposes for which they were collected and related legal obligations (normally corresponding to the relationship with the data subject, subject to extensions for obligations to retain administrative documentation and commercial correspondence).

4.4 Scope of the processing
The data is processed by internal personnel duly authorized and trained under Art. 29 of the GDPR. It is also possible to request information about the scope of personal data communication, obtaining precise indications on any external subjects acting as Data Processors or independent Data Controllers (e.g., consultants, technicians, banks, carriers, etc.). The data may be communicated to any affiliated/controlled companies. The data is not subject to disclosure or transfer outside the EU (it may be transferred outside the EU only in compliance with the conditions set out in Chapter V of the GDPR, aimed at ensuring that the level of protection of data subjects is not compromised, as specified in Articles 45, 46, 47, and 49).

5) DATA PROCESSING FOR VIDEOSURVEILLANCE PURPOSES

To complete the information provided to data subjects through signs displayed in areas where videosurveillance systems are operational, it is communicated that:

• The processing of personal data through videosurveillance systems complies with current privacy regulations (EU Regulation 2016/679 "GDPR"; Legislative Decree 196/2003, as amended and supplemented by Legislative Decree 101/2018; General Provisions of the Italian Data Protection Authority, expressly recognized by Article 22, paragraph 4 of Legislative Decree 101/2018);
• The recording of images is carried out, as Data Controller, by Italtherm, represented by the current Legal Representative;
• The system is installed for SECURITY purposes, and the use of cameras aims to protect property, individuals, and assets from potential intrusions, fires, thefts, robberies, or acts of vandalism, and for potential defense of the Controller's rights in judicial proceedings (evidence collection);
• Recorded images may be stored for the period strictly necessary to achieve the aforementioned purposes, in any case not exceeding the terms prescribed by law (not exceeding 7 days), except for longer periods required to comply with specific requests from judicial or police authorities related to ongoing investigative activities. At the end of the prescribed retention period, recorded images are deleted by overwriting;
• Images can only be processed by formally authorized and trained personnel or external companies that, as Data Processors, collaborate in the maintenance of the systems and surveillance activities. They are not in any way communicated or disclosed outside the Controller's premises, except for compliance with orders from judicial or police authorities or, in case of offenses, their use in judicial proceedings;
• Images will be processed using suitable tools and methods to ensure an adequate level of security and confidentiality, with particular reference to the measures indicated in Article 32 of the GDPR and the General Provision of 08/04/2010;
• Data subjects have the right to contact the Data Controller for any request to access the video-recorded data concerning them, in accordance with Articles 15 and following of the GDPR. In particular, the data subject, if identifiable, has the right to obtain confirmation from the controller of the existence or not of personal data concerning them, and their communication in an intelligible form; to obtain information about the origin of the data, the purposes and methods of the processing, the identification details of the controller and, if appointed, the processors, etc.; to obtain the deletion or blocking of data processed unlawfully; and to object, for legitimate reasons, to the processing itself;
• Any recording of workers and use of video-recorded images complies with current labor law regulations (Article 4 of Law 300/70 "Workers' Statute", as amended by Article 23 of Legislative Decree 151/2015 "latest implementing decree of the Jobs Act").

6) POLICY UPDATE

Please note that this information notice may be subject to periodic revision, also in relation to relevant regulations and case law. In case of significant changes, appropriate notice will be prominently displayed on the homepage of the website for a reasonable period of time. We invite data subjects to periodically review this policy.