Why this page?
Pardgroup S.p.A., with registered office in Via Pietrasanta 14 | 7D 20141 Milan – Italy, and its affiliated companies recognize the central role of personal data in the socioeconomic ecosystem in which it operates and is aware of the importance of clear and transparent communication in order to limit the risks to the freedom and security of all individuals connected to it.
Furthermore, privacy legislation (in particular EU Regulation 2016/679, the “General Data Protection Regulation” – known by the acronym GDPR) requires us to provide you with the following information on the processing of your personal data, pursuant to Articles 13 and 14.
For these reasons, Pardgroup SpA, Via Pietrasanta 14, Milan, VAT number 03369761204, and the affiliated companies referred to on the group website, as “Data Controllers,” hereby explain how your personal data is processed through the group website and the company websites linked to it
“Processing of personal data” means any operation concerning any information relating to an identified or identifiable natural person. For example: your first and last name and email address with a “username” that can identify you (mariorossi@….) are considered “common personal data,” and the fact of collecting, recording, and using them to send you a communication is considered “processing,” as is archiving and sharing them with other parties. Some information, such as that relating to your health or your political or religious beliefs, is personal data belonging to a special category, which requires specific protection. We invite you to visit the website of the Italian Data Protection Authority (“GPDP”) to find further useful information to better understand the issue (https://www.garanteprivacy.it/i-miei-diritti).
WHO TO CONTACT WITH REQUESTS OR COMPLAINTS?
The Data Controller can be contacted for any information at the following addresses:
| Data Controller’s telephone number | 02 86894055 |
| Data Controller’s email address | privacy@pardgroup.com |
The Data Controller has also appointed a Data Protection Officer (DPO) pursuant to Article 37, paragraph 1, letter c of the GDPR. As a data subject, you may always contact the DPO to exercise your rights regarding the protection of personal data at the addresses indicated below:
| DPO contact details | dpo@pardgroup.com |
HIGHLIGHTS, IN SUMMARY
We will generally process common data (e.g., browsing data, content of contact messages) and will only use it within the limits set out in this policy, ensuring its security in accordance with the provisions of the laws on personal data protection.
- We will not keep any unnecessary information about you and will only retain information relating to you for as long as is strictly necessary to achieve the purpose of the processing (see table below).
- You may always request information or exercise all your rights, including the revocation of consent granted, as provided for in Articles 15-22 of the GDPR, by contacting us at the following email address: privacy@pardgroup.com .
- Our website also contains thematic areas (e.g., careers/customers and suppliers/work with us) that involve the processing of personal data that does not necessarily or entirely take place on the website, about which we want to keep you informed in the most agile way possible. For this reason, you will also find information relating to such processing in this document.
What data is processed? Why and for how long?
The Data Controller processes the personal data of data subjects through the website for the purposes and in the manner described in the following paragraphs. Please note that this policy also covers data processing that does not take place through the website but concerns data subjects outside the writing Organization and who can therefore benefit from easy access to information relating to the processing by consulting this Privacy Policy online.
🌐 WEBSITE NAVIGATION
Common data (Art. 6, EU Reg. 2016/679). The computer systems and software procedures used to operate this website acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified data subjects, but by its very nature could, through processing and association with data held by third parties, allow users to be identified. This category of data includes IP addresses, the page visited, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.), and other parameters (User Agent), as well as any logs collected by the security systems active on the Data Controller’s systems (e.g., firewalls).
| Purpose and legal basis of the processing (Art. 13, paragraph 1, letter c, EU Reg. 2016/679) | This data is used for the sole purpose of obtaining statistical information on the use of the site and to check its correct functioning. The data could also be used to ascertain responsibility in the event of hypothetical computer crimes against the site. The legal basis for the processing is the legitimate interest of the Data Controller (Art. 6, paragraph 1, letter f) to prevent malfunctions of the site or illegal use of the same. This interest, shared with the users themselves, prevails over the rights and freedoms of the latter (as verified by the Data Controller by means of a LIA – Legitimate Interest Assessment) since the processing is characterized by minimal invasiveness, as it is conducted in such a way as to prevent any unnecessary identification of users. Furthermore, users are informed of the processing through this Privacy Policy and the Cookie Policy. In addition, data subjects have options to independently prevent or interrupt the processing (cookie options, exit from the website). Finally, such processing is necessary for the functioning of the website itself. |
| Scope of communication (Art. 13, paragraph 1, letter e) and Transfer outside the EU (letter f) | The data may only be processed by internal staff who are duly authorized and trained in data processing (Art. 29) or by any persons responsible for website maintenance (in which case they are appointed as Data Processors pursuant to Art. 28) and will not be disclosed to other parties, disseminated, or transferred to countries outside the EU. Only in the event of an investigation may they be made available to the competent authorities. To find out the identity of the external parties responsible for managing and maintaining the website, you can always contact the data controller at the address provided in the section “Who to contact with requests or complaints?”. |
| Data retention period (Art. 13, paragraph 2, letter a) | The data is stored for a maximum of 72 hours after visiting the site and is then deleted or stored only in anonymous form (statistical or aggregate data), except for any extensions related to investigative activities. |
| Provision (Art. 13, paragraph 2, letter f) | The data is not provided by the data subject but is automatically acquired by the website’s technological systems. Such provision is mandatory insofar as, in its absence, it is technically impossible to navigate the website (safely). |
💬 CONTACTS AND RESPONSES TO MESSAGES RECEIVED
Common data (Art. 6, EU Reg. 2016/679). The site allows users to communicate with the Data Controller via a contact form or by sharing contact details. In order to activate these features, the user must enter some personal and contact information (email address or mobile phone number, name) and may communicate some personal data in the text of the message sent.
| Purpose and legal basis of the processing (Art. 13, paragraph 1, letter c, EU Reg. 2016/679) | This data is used for the sole purpose of responding to the user with regard to messages received. This activity is carried out in the legitimate interest of the Data Controller, which prevails over the rights and freedoms of the data subjects (Art. 6, paragraph 1, letter f), as verified by the Data Controller by means of a LIA – Legitimate Interest Assessment. In fact, it is entirely legitimate to expect that the data subject sending a message is reasonably aware that persons authorized by the Data Controller will process the limited information that the data subject has, at their discretion, provided in order to satisfy their interest in receiving a response. |
| Scope of communication (Art. 13, paragraph 1, letter e) and Transfer outside the EU (letter f) | The data may be processed exclusively by internal staff of the Group companies, duly authorized and trained in the processing (Art. 29), or by any persons entrusted with activities inextricably linked to the service, such as the ordinary management of the website, appointed in this case as Data Processors (Art. 28), and will not be communicated to other parties, disseminated, or transferred to countries outside the EU. Only in the event of an investigation may they be made available to the competent authorities. To find out the identity of the external parties responsible for these activities, you can always contact the data controller at the address provided in the section “Who to contact with requests or complaints?”. |
| Data retention period (Art. 13, paragraph 2, letter a) | The data is stored for a maximum of 12 months from the last message exchanged and, subsequently, deleted or stored only in anonymous form (statistical or aggregate data), except for any extensions related to investigation activities. |
| Provision (Art. 13, paragraph 2, letter f) | The provision of data is necessary insofar as, in its absence, it is not technically possible to respond to requests received. This means that the user can avoid providing data but, in this case, it will not be possible to proceed with the online purchase. |
👥 WORK WITH US
Common data (Art. 6, EU Reg. 2016/679). The website allows interested users to view open positions at the Data Controller and submit an application to fill them. To this end, the website requires the completion of an application form that allows access to the selection process managed by ATS platforms and dedicated internal staff, which may involve the collection of personal, contact, and professional training and experience information. Further details will be provided in a specific privacy policy provided to candidates at the beginning of the selection process. Please note that the Data Controller does not intend to process (and will immediately delete) documents containing information on political, religious, or trade union opinions, as well as facts that are not relevant for the purpose of assessing the professional suitability of the candidate.
Special categories of data (Art. 9, par. 1). Generally, no special categories of data are required for this purpose. However, it cannot be ruled out that, in order to highlight conditions relevant under regulations protecting specific categories of workers (diversity and inclusion, Law 68/99), the candidate may share information relating to their state of health or particular conditions affecting them.
| Purpose and legal basis of the processing (Art. 13, paragraph 1, letter c, EU Reg. 2016/679) | This data is used for the sole purpose of assessing the suitability of the proposed candidate for one of the positions open at the Data Controller. This activity is carried out at the request of the candidate and is preparatory to the conclusion of a contract; therefore, the legal basis is that of the execution of pre-contractual measures at the request of the data subject (Art. 6, paragraph 1, letter b). In the cases specified above, where it is necessary to process information of a particular nature, the legal basis will be that referred to in Art. 9, par. 2, letter h) (assessment of the employee’s working capacity). |
| Scope of communication (Art. 13, paragraph 1, letter e) and Transfer outside the EU (letter f) | The data may be processed exclusively by internal personnel, duly authorized and trained in processing (Art. 29), or by any persons entrusted with activities inextricably linked to the service, such as the ordinary management of the website, appointed in this case as Data Processors (Art. 28), and will not be communicated to other parties or disclosed. In some cases, the data may be transferred to countries outside the EU, as described in detail in the ad hoc information provided at the beginning of the selection procedure. Only in the event of an investigation may they be made available to the competent authorities. To find out the identity of the external parties responsible for these activities, you can always contact the data controller at the address provided in the section “Who to contact with requests or complaints?”. |
| Data retention period (Art. 13, paragraph 2, letter a) | The data is retained for a maximum of 12 months from the submission of the application and, subsequently, deleted or retained only in anonymous form (statistical or aggregate data), except for any extensions based on specific legitimate interests (see the ad hoc information provided at the beginning of the selection process) or related to investigation activities. Only in the event of the candidate’s subsequent inclusion in the Data Controller’s workforce will the data retention be extended in accordance with the information provided at the start of the employment or collaboration relationship. |
| Provision (Art. 13, paragraph 2, letter f) | The provision of data is necessary insofar as, in its absence, it is not technically possible to apply. This means that the user can avoid providing data but, in this case, it will not be possible to proceed with the evaluation of their application. |
💼 RELATIONSHIPS WITH CUSTOMERS AND SUPPLIERS
Common data (Art. 6, EU Reg. 2016/679). This section contains all the necessary information regarding the data processing carried out by the Data Controller in the context of normal relations with customers and suppliers, in order to undertake normal purchase and sale transactions connected with the ordinary operations of the Organization. The data processed for this purpose are personal and contact details (name, surname, email address, or telephone number) of the customer or supplier who is a natural person or of their representatives, in the case of customers or suppliers who are legal entities. This information is necessary in order to maintain normal relations between organizations and exchange official communications, as well as for the conclusion of contracts governing relations between the parties (including the fulfillment of tax obligations, preliminary supplier qualification activities and any checks on customers and suppliers for legal purposes, where required (e.g., Law 231/2001 and anti-money laundering regulations).
| Purpose and legal basis of the processing (Art. 13, paragraph 1, letter c, EU Reg. 2016/679) | This data is used for the sole purpose of implementing contractual and pre-contractual measures and related legal obligations; it is therefore legitimized by Art. 6, paragraph 1, letters b) and c). |
| Scope of communication (Art. 13, paragraph 1, letter e) and Transfer outside the EU (letter f) | The data may be processed exclusively by internal personnel, duly authorized and trained in processing (Art. 29), or by any parties entrusted with activities inextricably linked to the service, such as the ordinary management of the website, appointed in this case as Data Processors (Art. 28), and will not be communicated to other parties, disseminated, or transferred to countries outside the EU. Only in the event of an investigation may they be made available to the competent authorities. To find out the identity of the external parties responsible for these activities, you can always contact the data controller at the address provided in the section “Who to contact with requests or complaints?”. |
| Data retention period (Art. 13, paragraph 2, letter a) | The data is retained for a maximum of 10 years from the termination of the contractual relationship and, subsequently, deleted or retained only in anonymous form (statistical or aggregate data), except for any extensions related to investigation activities. |
| Provision (Art. 13, paragraph 2, letter f) | The provision of data is mandatory insofar as, in its absence, it is not technically possible to continue or commence the contractual relationship. This means that the data subject may refuse to provide the data but, in this case, it will not be possible to continue with the contractual relationship envisaged. |
⚖️ LEGAL DEFENSE OF THE DATA CONTROLLER
Finally, please note that all the data referred to in the table above may be processed by the Data Controller in order to exercise its right of defense in court (Art. 6, paragraph 1, letter f, and Art. 9, paragraph 2, letter f). In fact, the Data Controller has a legitimate prevailing interest in this regard, as established by established case law, see, for example, Ord. Cass. 19531/2021, according to which “the interest in the confidentiality of personal data must give way to the protection of other legally relevant interests, which are considered to prevail in the necessary balancing operation, including the interest, where genuine and not surreptitious, in exercising the right of defense in court.” Such processing could take place if, before the expiry of the specified retention periods, a pre-litigation phase or full-blown litigation were to arise. In this case, the retention of the data will be extended for the entire duration of the dispute and the data may be communicated to the professionals appointed to defend the Data Controller in court (generally acting as independent Data Controllers or, where necessary, appointed as Data Processors pursuant to Art. 28) and to the judicial or supervisory authority before which the dispute is brought.
What are cookies? Does the website use them?
Cookies are short pieces of text (letters and/or numbers) that allow the web server to store information on the client (the browser) to be reused during the same visit to the site (session cookies) or later, even after several days (persistent cookies). Cookies are stored, according to user preferences, by the individual browser on the specific device used (computer, tablet, smartphone). Similar technologies, such as web beacons, transparent GIFs, and all forms of local storage introduced with HTML5, can be used to collect information on user behavior and service usage. In the rest of this policy, we will refer to cookies and all similar technologies simply as “cookies.” The site only uses technical cookies that are strictly necessary for the site to function. For more information on the cookies used by this site, please see the cookie policy HERE.
What are social network and app plugins used for?
This site also incorporates plugins and/or buttons for social networks, in order to allow easy sharing of content on your favorite social networks. These plugins are programmed so as not to set any cookies when accessing the page, in order to safeguard the privacy of users. Cookies may be set, if provided for by social networks, only when the user makes effective and voluntary use of the plugin. Please note that if the user browses while logged into the social network, they have already consented to the use of cookies conveyed through this site at the time of registration with the social network. The collection and use of information obtained through the plugin are governed by the respective privacy policies of the social networks, to which reference should be made.
How is data processed?
Fundamental principles and data security
In accordance with the GDPR, the processing of personal data of data subjects will be carried out in accordance with the principles of lawfulness, fairness, transparency, and minimization. Personal data will be processed by formally authorized and trained personnel, mainly using electronic or automated means, following procedures and using tools that are appropriate to ensure the security and confidentiality of the data. All technical and organizational measures necessary to ensure the level of data protection required by law will be taken.
Finally, please note that, at present, the website does not carry out automated processing involving profiling or the use of advanced intelligent automation technologies in any form. However, in the event of profiling or other automated decision-making processes, the Data Controller will verify in advance that all the requirements of Article 22 are met, in addition to carrying out a DPIA – Data Protection Impact Assessment (Article 35, EU Regulation 2016/679) and notifying the data subjects by updating this document.
What rights do I have as a data subject? How can I exercise them?
By way of example, data subjects may exercise the following rights vis-à-vis the Data Controller:
- Right of access (Art. 15 GDPR): the data subject has the right to be informed about the processing of their personal data and to obtain a copy of it;
- Right to rectification (Art. 16 GDPR): the data subject has the right to have inaccurate personal data concerning them rectified;
- Right to erasure (Art. 17 GDPR): the data subject has the right to obtain the erasure of their data without undue delay;
- Right to restriction of processing (Art. 18 GDPR): the data subject has the right to obtain restriction of the processing of their personal data in certain cases, such as when the accuracy of the data is contested or the processing is unlawful;
- Right to data portability (Art. 20 GDPR): the data subject has the right to receive their personal data in a structured, commonly used and machine-readable format, in order to transmit it to another data controller;
- Right to object (Article 21 GDPR): the data subject has the right to object to the processing of their personal data on legitimate grounds relating to their particular situation;
- Right not to be subject to automated decision-making (Art. 22 GDPR): the data subject has the right not to be subject to a decision based solely on automated processing.
We remind you that data subjects may exercise their rights and request further information regarding the processing by contacting the data controller at the following email address: privacy@pardgroup.com
Data subjects who believe that the processing of their personal data violates the provisions of the Regulation have the right to lodge a complaint with the Supervisory Authority, as provided for in Article 77 of the Regulation, or to take appropriate legal action (Article 79 of the Regulation).
Can the data controller modify the policy?
The Data Controller reserves the right to change, modify, update, add, or remove parts of this information document at any time, ensuring, in any case, adequate and similar protection of personal data.
Should the Data Controller make significant changes to this policy (e.g., processing of personal data for different and additional purposes), it will notify you by publishing the updated text on this website, highlighting the update.
Last update 06/30/2025