(see Articles 12 and 13 of EU Regulation 2016/679 0f the European Parliament and of the Council)
Ms Catia Roschi of the NEW ERMES EUROPE S.r.l. Company with registered office in Via Donizetti, 2-20122 Milano (MI), VAT number 02180340024, in is capacity as Data Controller, hereby informs
you that Regulation EU 2016/679 of the European Parliament and of the Council (“General Data Protection
regulation”) lays down rules on the protection of natural persons with regard to the processing of personal
data, as well as rules on the free movement of such data.
The Regulation protects the fundamental rights and freedoms of natural persons, in particular the right to
the protection of personal data.
The Data Controller (natural or legal person who determines the purposes and means of processing of
personal data) takes appropriate measures to provide the data subject with all the information relating to
According to the above-mentioned regulation, data treatment will be based on principles of fairness,
lawfulness and transparency and protection of your privacy and your rights.
Pursuant to Article 12 and 13 of EU regulation 2016/679, in case of collection of data concerning him/her
from the data subject, the Data Controller shall provide the data subject, when the personal data are
obtained, with the following information:
1. Subject to processing
The Data Controller processes personal data concerning an identified or identifiable natural person (data
subject) such as name, surname, identification number, company name, address, telephone number, email,
bank references and payment details etc. communicated by you when entering into a contract for the
services provided by the Data Controller.
2. Data Controller and Representative of the Data Controller
The data controller is: Ms Catia Roschi
c/o NEW ERMES EUROPE S.r.l. Company with registered office in Via San Michele del Carso, 4-21044 Milano
(MI), VAT number 02180340024, Tel. +39 0332/966106, Fax +39 0332/966236,
The representative of the Data Controller (where applicable) is: Not appointed.
The updated list of the DPOs (where applicable) and Data Processors is kept at the registered office of the
3. Data Protection Officer (if applicable)
The Data Protection Officer is: Not appointed.
4. Purpose of data processing
The data you provide will be processed without your explicit consent for the following purposes:
1A) performance of a contract;
2A) execution of pre-contractual measures;
3A) legal obligation to which the data controller is subject;
4A) pursuit of the legitimate interests of the Controller or of a third party.
The data you provide will be processed with your explicit consent for the following purposes (if applicable):
1B) marketing activity (newsletter);
2B) other (NA)
The processing of data is lawful as:
1C) processing is necessary for the performance of a contract of which the data subject is a party or to the
execution of pre-contractual measures adopted on request of the same.
2C) processing is necessary to fulfil a legal obligation to which the controller is subject;
3C) processing is necessary for the protection of vital interests of the data subject or of another physical
4C) processing is necessary for the legitimate interests of the controller or of a third party, provided that the
interests or fundamental rights and freedoms of the data subject requiring the protection of personal data
are not overriding, in particular where the data subject is a underage.
The Data Controller, pursuant to Article 13 paragraph 3, undertakes not to use any personal data acquired
for purposes other than those for which they were collected, without having provided further information
to the data subject on that other purpose and any other relevant information referred to in paragraph 2, or
without having requested additional consent (where required).
5. Legitimate interests of the Data Controller (where applicable, i.e. only if the conditions of lawfulness of
the data processing referred to in point 3 are addressed in 4C)
Data processing is based on the following legitimate interest: eventual defense of legal claims in court
6. Methods of data processing
The processing of personal data is carried out by means of the operations indicated in Article 4, paragraph
2) and specifically: the collection, recording, organization, structuring, storage, adaptation or modification,
extraction, consultation, use, communication by transmission, diffusion or any other form of provision,
comparison or interconnection, limitation, cancellation or destruction;
The processing of data takes place through the use of tools and procedures suitable to guarantee the
security and confidentiality.
The processing of personal data will be carried out in the following ways:
- Manual entry, on paper
- Manual computerized entry (no automated decision-making)
7. Data dissemination
Without the need for explicit consent (see Article 6 letter b) and c)), the Data Controller may communicate
your data for the above purpose to supervisory bodies, judicial authorities, insurance companies, as well as
to those persons to whom communication is required by law for the above purposes. These subjects will
process the data in their capacity as independent data controllers.
- Data may/will be communicated to the following categories of recipients: third-party managers
who take part in the business process only to fulfil specific legal obligations and in compliance with
contractual obligations, public and private bodies for social security, welfare and insurance
8. Data dissemination to a third country or international organization
Personal data will not be transferred to a third country or international organization.
9. Nature of data provision and consequences of the refusal to respond
The Data Controller has the obligation to inform the data subject whether the disclosure of personal data is
a legal or contractual obligation or a necessary requirement for the conclusion of a contract and whether
the data subject is obliged to provide personal data, as well as the possible consequences of failure to
disclose such data;
The provision of data is:
- Mandatory (point 4, letter A)
In the event that the provision of data for the purposes indicated is mandatory, the reason of the obligation
is due to the performance of a contract or pre-contractual measures.
In the event that the provision of data for the purposes indicated is mandatory any refusal to provide such
- May result in non-performance of the contract;
- May result in partial performance of the contract;
- Failure to continue the relationship;
- Failure to provide services.
10. Data Retention
The Data Processor will process personal data for the time strictly necessary to fulfil the above purposes
and in any case for no longer than 10 years from the termination of the relationship for the Purposes of the
- The personal data processed will be kept until: 10 years after the withdrawal of the contract.
11. Rights of the data subject
At any time, the data subject may exercise his/her rights with regard to the Data Controller.
Article 13 letter b) of EU Regulation 2016/679, states that when personal data are obtained from the data
subject, the data controller provides him/her with information on the following rights necessary to ensure
proper and transparent processing of personal data:
- Right to data access (Article 15)
- Right to data rectification (Article 16)
- Right to data processing cancellation (Article 17)
- Right to restriction of data processing (Article 18)
- Right to opposition to the data processing (Article 21)
- Right to data portability (Article 20)
In addition to the rights set out in Article 13, the EU Regulation provides that the data subject may exercise
- Right to withdraw consent (Article 7)
- Right to propose a complaint to a supervisory authority (Article 77)
The articles dealing specifically with the individual rights of the data subject are set out in the attachment.
12. Right to withdraw the consent (Article 7)
Article 7, paragraph 3) states that the data subject has the right to withdraw his or her consent at any time
in the following case:
- If the processing is based on the consent given to the processing of their data for one or more
specific purposes (Article 6, paragraph 1, letter a));
- Where the processing concerns special categories of personal data (personal data revealing racial
or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership,
genetic data, biometric data, data concerning health or sex life or sexual orientation) and is based
on the consent given to the processing of personal data for one or more specific purposes (Article
9, paragraph 2, letter a)).
Withdrawal of consent shall not affect the lawfulness of processing based on the consent given prior to
Before giving consent, the data subject shall be informed thereof. Consent is withdrawn with the same easy
it is given.
13. Right to complain to a supervisory authority (Article 77)
Article 77 provides that where the data subject, considers that the processing of his/her data is infringes
this Regulation, he/she has the right to propose a complaint to a supervisory authority, in particular in the
Member State where he/she has his/her habitual residence, place of work or the place of the alleged
This is without prejudice to any other administrative or judicial appeal.
The Data Controller shall inform the data subject of the possibility of proposing a complaint with a
supervisor authority and of seeking judicial appeal.
The supervisory authority to which the complaint has been proposed shall inform the complainant of the
state or outcome of the complaint, including the possibility of a judicial remedy pursuant to Article 78.
The Data subject also has the right to an effective judicial appeal where the supervisory authority does not
handle a complaint or does not inform the data subject within three months on the progress or outcome of
the complaint proposed. This is without prejudice to any other administrative or judicial appeal.
14. Procedures for exercising the rights of the data subject
The data subject may at any time exercise their rights by sending a registered letter to the Data Controller
and/or to the Data Processor (if appointed):
- A registered letter with return receipt to the following address: NEW ERMES EUROPE S.r.l. with
registered office in Via San Michele del Carso, 4-20144 (MI), VAT number 02180340024;
- An e-mail to the address: firstname.lastname@example.org