pursuant to Art. 13 and 14 of Regulation (EU) 2016/679
This information notice (the “Information Notice”) is provided pursuant to Articles 13 and 14 of Regulation
(EU) 679/2016 (“GDPR”) in relation to the processing of personal data of the guests of Crealis S.p.A. who use
the Wi-Fi network service provided at its facilities (the “Guests”).
1. Data controller
The data controller is Crealis S.p.A., with registered office in Bodio Lomnago (VA), via Luigi Galvani 1, 21020,
VAT and C.F. 13400560150 (hereinafter “Crealis” or the “Data Controller”).
2. Data collected
As part of the use of the Wi-Fi service, Crealis may collect and process the following personal data of Guests:
(i) Identifying data: first name, last name, e-mail address;
(ii) Browsing and connection data: information about the Guests’ browsing through the Wi-Fi
network (e.g. websites visited, IP address, log data, information about the browser used by the
Guest, pages visited, date, time and duration of each visit, as well as other parameters related to
the Guest’s operating system and computer environment).
Hereinafter jointly referred to as “Data”.
3. Purpose and legal basis of processing
Data are processed according to the following purposes and legal basis:
3.1 Performance of a contract
The Data will be processed in order to allow Guests to access and use Crealis’ Wi-Fi network.
The legal basis of this processing is the performance of the contract. The provision of Data for the abovementioned
purposes is compulsory and necessary for the correct execution of the above-mentioned activities.
Any partial or total refusal to provide Data for these purposes will make it impossible for Guests to access the
Wi-Fi network and use the service provided by the Data Controller.
3.2 Fulfilment of legal obligations
The Data may also be processed to enable the Data Controller to fulfil its obligations under the law, a
regulation, Community legislation or an order of the Authority.
The provision of Data for this purpose is necessary to comply with the legal obligations to which the Data
Controller is subject.
3.3 Legitimate interest
The Data shall be processed in order to exercise the rights of the Data Controller, such as the right of defense
in court. This legitimate interest is to be considered prevailing since it corresponds to a constitutionally
guaranteed right and, as such, is socially recognized as prevailing over the interests of the individual
concerned. The provision of Data for this purpose is necessary to allow the Data Controller to defend itself in
judicial and extrajudicial proceedings.
4. Data recipients
The Data shall be processed by employees of the Data Controller, specifically designated as persons authorized
to process the Data (such as, by way of example, the IT department managers), where necessary for the
performance of the activities referred to in paragraph 3 above.
Furthermore, Personal Data may be communicated to third parties where necessary for the establishment,
management, execution and/or conclusion of the contractual relationship with the Data Controller. In this
case, the third-party recipients of the Personal Data – autonomous data controllers or duly designated as data
processors – belong to the following categories:
(i) external parties acting as autonomous data controllers such as, by way of example, Authorities and
supervisory and control bodies and, in general, to parties, including private parties, entitled to request
the data (such as, for example, accounting consultants, legal consultants), Public Authorities that
expressly request them for administrative or institutional purposes, in accordance with the provisions
of the applicable national and European legislation;
(ii) subjects outside the company who provide services to the company and are useful for its activities
(for example: suppliers of IT services for managing databases, including contacts and e-mails,
providers of digital services and IT consultants who provide technical assistance to the company,
suppliers of technical services and assistance for managing and maintaining the Wi-Fi network, training
institutes, banking and financial intermediaries); these subjects have been specifically appointed as
data processors and their names are available upon request to the Data Controller, using the contact
details indicated in paragraph 7 below.
5. Period of Data Retention
Data processed for:
(i) the performance of the contractual relationship to which the data subject is party are kept for the
time strictly necessary to fulfil the purposes indicated, in any case no longer than one working day
from their collection. Once this period has elapsed, Guests who wish to re-access the service must reenter
their Data;
(ii) the fulfilment of legal obligations to which the Data Controller is subject are retained for the duration
provided for by law;
(iii) the legitimate interest of the Data Controller, and specifically in the case of litigation, will be retained
for the duration of the litigation, until the time limits for appeals have been exhausted.
6. Transfer of Data to third countries
The Data Controller, for the provision of the Wi-Fi network service to Guests, may make transfers of Data
outside the European Union. To this end, appropriate measures will be taken in accordance with applicable
data protection legislation to ensure an adequate level of data protection. In particular, such transfers may
take place to countries for which the European Commission has adopted an adequacy decision pursuant to
Article 45 of the GDPR, or through the use of Standard Contractual Clauses approved pursuant to Article
46(2)(c) and (d), or through Binding Corporate Rules (BCRs) pursuant to Article 47 of the GDPR, in addition to
any derogatory measures referred to in Article 49 of the GDPR.
7. The rights of the data subject
Guests, as data subjects (i.e., subjects to whom the Data refers), are holders of rights conferred by the GDPR.
In particular, pursuant to Articles 15-22 of the GDPR, Data Subjects have the right to request and obtain, at
any time, access to their personal data, information on the processing carried out, rectification and/or
updating of personal data, cancellation and restriction of processing. They also have the right to object to the
processing and to request data portability (i.e. to receive personal data in a structured, machine-readable,
commonly used format). Finally, data subjects always have the right to revoke their consent at any time (this,
in any case, will not affect the lawfulness of processing carried out on the basis of consent given before
revocation) and to lodge a complaint with a supervisory authority (in Italy: Garante per la Protezione dei Dati
Personali).
The above-mentioned rights may be exercised at any time, by simple request to the Data Controller to be
transmitted:
• by post, to Bodio Lomnago (VA), via Luigi Galvani 1 – 21020; or
• to the e-mail address privacyenoplastic@crealisgroup.com.