1. Data controller and contact details
The data controller is UESE ITALIA S.p.A., with registered office at Piazza Trivulziana 4/A, 20126 Milan, Italy, VAT No. IT04398760274, REA MI 2679515. The Controller determines the purposes and means of processing carried out in connection with corporate, commercial, training, consulting, compliance, cybersecurity, technical and legal support, ticketing and recruiting activities delivered through this website and any further digital channels attributable to the Company.
For privacy-related requests, data subject rights management or data protection matters, individuals may contact UESE through the corporate contact details published on the website or write to dpo@uese.it. Where appointed, the Data Protection Officer may be contacted through the same channel or through any specific contact details made available by the Controller from time to time.
2. Scope of this notice
This notice applies to personal data processing activities carried out by UESE in its capacity as controller through the corporate website, contact forms, information request forms, spontaneous or solicited job applications, commercial enquiries, customer care channels, ticketing systems, preliminary assessments or audit requests, document downloads and, more generally, any digital or documentary interaction in which the data subject directly submits personal data to the Company.
This notice does not apply to third-party websites, applications, platforms or services accessible through external links or independently operated integrations. In those cases users should review the privacy notices published by the relevant third parties before submitting personal data or using their services.
3. Categories of personal data processed
Depending on the relationship with UESE and the requested service, the Company may process the following categories of personal data:
- Identification and contact data, such as name, surname, company name, role, email address, telephone number, business address, country and sector or field of activity.
- Professional, organisational and contractual data, such as information relating to the represented organisation, project needs, quotation data, order and contract data, invoicing details and administrative management information.
- Technical browsing data, including IP address, application logs, session data, device identifiers, browser information and security parameters generated by IT and network systems.
- Data included in support requests or tickets, including attachments, incident descriptions, legal questions, compliance issues, operational information or documents voluntarily uploaded by the user.
- Recruitment-related data, such as CVs, cover letters, professional experience, qualifications, certifications and further information contained in documentation submitted by candidates.
- Special categories of data within the meaning of Article 9 GDPR, only where strictly necessary, relevant and lawfully provided by the data subject or required by applicable law, with appropriate safeguards and legal bases in place.
4. Purposes of processing and legal bases
UESE processes personal data for specified, explicit and legitimate purposes. The main purposes and relevant legal bases are summarised below.
| Purpose | Main legal basis | Examples of processing |
|---|---|---|
| Managing contact requests, quotations, demos and preliminary assessments | Article 6(1)(b) GDPR - pre-contractual measures requested by the data subject | Requests submitted through online forms, email, telephone or service landing pages |
| Delivering services, support, ticketing, consulting, training, audits and related activities | Article 6(1)(b) GDPR - performance of a contract or related services | Operational management of the relationship, ticket handling and organisation of technical activities |
| Complying with legal duties, regulatory compliance, rights defence and system security | Article 6(1)(c) and 6(1)(f) GDPR - legal obligations and legitimate interests | Administrative retention, traceability, audit trail, abuse prevention and access control |
| Recruitment and candidate assessment | Article 6(1)(b) GDPR; where necessary, Article 9 GDPR and applicable national law | CV screening, interviews and evaluation of a profile for current or future positions |
| Sending informational communications, newsletters or direct marketing | Article 6(1)(a) GDPR - consent where required; or legitimate interest where permitted by law | Updates about services, events, content or promotional initiatives |
| Managing cookies, analytics and non-technical tracking tools | User consent where required by applicable law | Browsing preferences, measurement, optional personalisation and enhanced functionality |
5. Nature of data provision
Providing the data indicated as necessary in forms or otherwise required in relation to a specific service is mandatory in order for the request to be properly managed. Failure to provide such data may prevent UESE from processing the contact request, preparing a quotation, delivering support, processing a ticket, formalising a contractual relationship or assessing an application.
Providing additional, optional or unsolicited data is left to the free choice of the data subject. UESE encourages users not to submit information exceeding what is necessary for the relevant purpose, unless this is strictly required and justified by the operational or regulatory context.
6. Processing methods and security measures
Personal data are processed by means of manual, electronic and telematic tools, using logic strictly related to the declared purposes and in compliance with the principles of lawfulness, fairness, transparency, minimisation, accuracy, integrity, confidentiality and storage limitation. Processing is carried out by authorised personnel who have received appropriate instructions and are bound by confidentiality obligations, as well as by duly appointed external parties where necessary.
UESE adopts technical and organisational measures proportionate to the risk and consistent with the nature of the services delivered, including controls normally expected in enterprise and compliance-driven environments, such as access segregation, logging, monitoring, credential management, internal policies, escalation procedures and vendor governance criteria. No digital system can be considered entirely risk-free; accordingly, the Company periodically reviews and updates its controls in light of technological and regulatory developments.
7. Data sources and data not collected directly from the data subject
As a rule, data are collected directly from the data subject. In some cases UESE may receive data from employers, principals, project partners, corporate representatives, certification bodies, ticketing platforms, recruiting agencies or persons lawfully acting on behalf of the data subject. In such cases data are processed within the limits compatible with the purpose for which they were disclosed and, where necessary, in accordance with supplementary information made available from time to time.
8. Recipients, processors and categories of involved parties
Personal data may be disclosed or made accessible, on a strict need-to-know basis, to:
- authorised internal personnel within commercial, legal, administrative, HR, IT, training, customer care and compliance functions;
- providers of IT infrastructure, hosting, cloud, ticketing, application maintenance, managed security, email or collaboration services;
- consultants, professionals, auditors, lawyers, tax advisers or technical partners involved in delivering the requested services;
- authorities, public bodies, institutions or third parties lawfully entitled to request data pursuant to laws, regulations or orders;
- contractual counterparties, clients or project partners where necessary for the management of the requested service or related relationship.
Depending on the circumstances, these parties act as processors under Article 28 GDPR, authorised persons or independent controllers. Updated information on the relevant categories of processors may be requested from the Controller to the extent permitted by applicable law.
9. Transfers of personal data to third countries
Where, for technical, organisational or service-related reasons, personal data need to be transferred to countries outside the European Economic Area, UESE ensures that such transfers take place in compliance with the conditions laid down by the GDPR, including adequacy decisions, standard contractual clauses, supplementary measures, binding corporate rules or other lawful transfer tools.
Upon request, data subjects may obtain general information about the safeguards used for any international transfers, subject to confidentiality, security and third-party rights constraints.
10. Retention periods and retention criteria
Personal data are retained for no longer than necessary to achieve the purposes for which they were collected, taking into account the nature of the relationship, limitation periods, legal duties, defence needs and accountability requirements. As a general rule:
- data relating to contact requests or quotations are retained for the time necessary to manage the request and, afterwards, for a reasonable follow-up period linked to commercial opportunities or protection of the Controller’s rights;
- data processed in connection with contractual or pre-contractual relationships are retained for the duration of the relationship and for the subsequent civil, tax, administrative and evidentiary periods required by applicable law;
- ticketing, support and security log data are retained for periods consistent with operational needs, internal control, cybersecurity, incident management and litigation defence;
- CVs and application data are retained for the time strictly necessary to assess the application and, where relevant, for further periods compatible with future recruitment rounds, unless otherwise requested by the data subject or required by law;
- data processed for marketing purposes based on consent are retained until consent is withdrawn or, in any case, until periodic review confirms the persistence of interest and lawfulness of the processing.
11. Cookies, analytics and tracking technologies
The website may use technical cookies, measurement tools and, where activated, additional tracking technologies or optional features. The use of non-technical cookies or tracking tools requiring consent is based on the user’s choices expressed through banners, preference centres or equivalent tools, in accordance with applicable law from time to time.
For further details on types, purposes, duration, involved third parties, consent management and withdrawal of preferences, users should consult the Cookie Policy.
12. Data subject rights
Within the limits and subject to the conditions laid down in Articles 15-22 GDPR and the applicable national framework, data subjects may obtain confirmation as to whether their personal data are being processed, access such data, request rectification, updating, supplementation, erasure or restriction of processing, object to processing on grounds relating to their particular situation, and request data portability where provided by law.
Where processing is based on consent, the data subject may withdraw it at any time, without affecting the lawfulness of processing carried out before withdrawal. Data subjects also have the right to lodge a complaint with the Italian Data Protection Authority or any other competent supervisory or judicial authority under applicable law.
13. Minors
The website’s services and contents are not ordinarily directed at individuals under 18 years of age, unless expressly governed by specific initiatives. UESE does not knowingly collect personal data from minors without the legal conditions required by applicable law. Should it become aware that minors’ data have been provided in a non-compliant manner, the Company will promptly manage the matter and implement the necessary measures where feasible.
14. Changes, updates and current version
This Privacy Policy may be amended or updated at any time to reflect legal developments, guidance issued by competent authorities, organisational changes, updates to delivered services or technological implementations. The version published on this page constitutes the current and effective version.