Privacy policy

Vitrum Design srl ensures the protection and safeguarding of personal data and their regulation according to the contents of this privacy policy. This policy is provided in accordance with Legislative Decree 196/2003, Legislative Decree 101/18, and Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and Council, of April 27, 2016, regarding the protection of natural persons concerning the processing of personal data (hereafter GDPR 2016/679).

  1. Data Controller and Processing Managers – Art. 13 para. 1 lett. [a] [b] GDPR 2016/679
    The Data Controller is Vitrum Design srl, Via Filippo Brunelleschi, 16, 20146 Milan (MI) – email info@vitrumdesign.com, where you can exercise the rights recognized by the GDPR and request the updated list of all Data Processing Managers and their contact details. Vitrum Design srl has also appointed a corporate DPO, Dr. Anna Dondana, email: a.dondana@gmail.com.
  2. Types of Data Processed
    The Data Controller may process the categories of data of the interested parties listed below within its business processes:
    a) Website Visitors: They may provide their contact details (email address) if they wish to be updated on the company’s news by subscribing to a newsletter; this occurs by entering their email in the designated field and submitting it via the SUBSCRIBE button; a similar procedure applies if they want to receive information in the section of the website dedicated to open positions (“Career”). To be contacted, the “CONTACT” area allows for opening their email program and sending an email from the visitor’s address to info@vitrumdesign.com. This category of interested parties pertains exclusively to Article 14 of the GDPR;
    b) Clients: They provide the Data Controller with the contact details of their representatives (name, surname, position within the client company, email and phone contacts, and office address); they may provide their data through the website (CONTACT area and subsequent email submission to info@vitrumdesign.com) or give their business card and/or data during trade fairs, congresses, or dedicated meetings;
    c) Business Owners and Self-Employed Workers: They provide the Data Controller with their identifying data (name, surname, place and date of birth, residence address, tax code, copy of an identity document, email and phone contacts). Such data is requested by the Data Controller before the contract is signed, in compliance with anti-money laundering regulations.
    d) Suppliers of Products or Services: They provide the Data Controller with the contact details of their representatives (name, surname, position within the client company, email and phone contacts, and office address); they may provide their data through the website (CONTACT area and subsequent email submission to info@vitrumdesign.com) or give their business card and/or data during trade fairs, congresses, or dedicated meetings;
    e) Contractors: They provide the Data Controller with the contact details of their representatives and the data related to the obligations under Article 26 of Legislative Decree 81/08 of all workers who go to the client’s sites (contact details, hiring data, training, health suitability, identification badges, and specific operational details);
    f) Employees and Collaborators: The processing of employee and collaborator data is regulated by specific information with attached consent available in the corporate Privacy archives, and for which it is necessary to refer to the contacts indicated in point 1.
    g) Individual Businesses (clients or suppliers): In cases where the client or supplier is classified as an Individual Business, it will be necessary to process banking and residence/home data in addition to the above-mentioned data.
    h) Other Categories: Any other categories of interested parties will be processed with separate information.
  3. Purposes and Legal Basis for Processing – Art. 13 and 14 para. 1 lett. [c] GDPR 2016/679
    The purposes and legal bases for the processing of the categories of interested parties listed in the previous paragraph from a) to g) are as follows:
    a) To be contacted by Vitrum Design srl and to articulate the reasons that prompted the interested party to enter their data on the website, both on “Contacts” and “Career”, based on explicit consent or to receive periodic newsletters in their inbox (area “SUBSCRIBE: stay updated on Vitrum news”).
    b), d) and g): For the execution of a contract to which the interested party is a party or for the execution of pre-contractual measures taken at their request.
    c) To comply with a legal obligation to which the Data Controller is subject (European anti-money laundering directive);
    e) For the execution of a contract to which the interested party is a party or for the execution of pre-contractual measures taken at their request, as well as to comply with the legal obligations of Health and Safety at Work to which the Controller and the contractor are subject.
    f) To fulfill contractual and legal obligations related to the employment relationship and health and safety of workers, based on explicit consent. Additional processing based on the legitimate interests pursued by the Data Controller is described in the final part of this document in the section “Video Surveillance.”
  4. Source of Data Entered on the “Contacts” and “Career” Pages – Art 14 para. 2 lett. [f] GDPR 2016/679
    The above-mentioned data – or part of it – will be collected at the time of registration on the website in the space called “Contacts,” in the “Career” space, or in the “Subscribe” area. They are therefore provided directly by the interested party and do not come from publicly accessible sources.
  5. Communication and Dissemination of Data – Arts. 13 and 14 para. 1 lett. [e] [f] GDPR 2016/679
    All the above information may be transmitted, without further need for consent, to external companies and consultants functional to the performance of the contractual relationship, as provided by applicable regulations, such as lawyers, accountants, notaries, technical consultants, etc. It is possible to know the complete list of the above recipients by sending a specific request to the contacts indicated in point 1. If personal data is disseminated, such dissemination will be preceded by the prior acquisition of specific consent.
  6. Data Control, Storage, and Retention Duration – Arts. 13 and 14 para. 2 lett. [a] GDPR 2016/679
    The processing of personal data involves the collection, recording, organization, storage, and possible communication of the same data to third parties as described in point 5. The processing of personal data of categories b), c), d), f) in point 2 is carried out in accordance with what is established by Article 5 of the European Regulation on the processing of personal data, on:
  • Paper Support: contact details, business cards, invoice data, contracts, and more generally documents related to contractual management activities (corporate documents that may possibly contain contact details of representatives or owners of individual businesses);
  • Electronic Support: contact details, business cards, invoice data, contracts, and more generally documents related to contractual management activities (corporate documents that may possibly contain contact details of representatives or owners of individual businesses) in compliance with the legality, legitimacy, confidentiality, and security rules provided by current regulations.
    In general, files relating to the interested parties mentioned in letters a)-f) of point 2 are stored on the company server, accessible only to authorized personnel and data processors, as well as internal and external Managers (Ref. Complete list available at the contacts mentioned in point 1), who are therefore required to access the information only for legitimate purposes related to the nature of their work. Paper documentation, if existing, is archived in locked cabinets located in the office section, thus reachable only by Vitrum Design srl personnel. The databases of Vitrum Design srl have systems that ensure protection against unauthorized access, as well as other external factors that could cause harm to personal data. Access requirements to the data are regulated, and access is granted only to those pursuing authorized and lawful processing purposes. Suitable and appropriate training is provided to all employees who can access personal information, while the relationship with external parties is managed by a specific contract regarding the processing of personal data. The period for which personal information will be retained will depend on the duration of the relationship. The retention period may still be longer than the contractual period, based on legislative obligations or the need to manage any complaints or non-conformities that may arise even after the relationship is closed.
  7. Transfer of Personal Data Abroad
    Personal information may not be transferred, stored, or processed in locations outside Italy and the European Economic Area.
  8. Rights of the Interested Party – Art. 13 para. 2 lett. [b] [c] [d] GDPR 2016/679 and Art. 14 para. 2 lett. [c] [d] [e] GDPR 2016/679
    The interested party has the right to revoke consent, obtain access to personal data and their update or rectification. The interested party has the right, for legitimate reasons, to obtain the deletion of the same or to limit the processing concerning them, the portability of the data, or to object to their processing. Finally, the interested party has the right to request the transformation of the data into anonymous form. To exercise their rights, the interested party should contact the Data Controller or the corporate DPO using the contacts indicated in point 1. The interested party can also always contact the Authority for the protection of personal data.
  9. Nature of Providing Personal Data and Consequences of Possible Refusal to Respond
    Providing personal