Information document pursuant to art. 13 of the (It.) Legislative Decree No. 196/2003 and of the European Privacy Regulations No. 2016/679 (General Data Protection Regulation GDPR)  

In compliance with the European Regulation No. 2016/679, we hereby provide you with the required information with regard to the processing of personal data provided.


Personal data shall mean any information regarding an identified or identifiable individual (“data subject”); an identifiable individual is an individual that may be identified directly or indirectly with particular reference to such identification data as name, identification number, location data, online identification or one or more characteristic elements of his/her physical, physiological, genetic, psychic, economic, cultural or social identity.


The data controller is the individual or legal entity that establishes the purposes and equipment for the processing of personal data.

Pursuant to the European Regulation No. 2016/679, the Data Controller is ESA S.p.A. with registered office in Via Padre Masciadri no. 4/A, 22066 Mariano Comense (CO), VAT No. 13464240152.


Your personal data will be processed in accordance with the legislative provisions of the aforementioned regulation and confidentiality obligations established therein, for administrative, accounting, financial, fiscal and commercial, marketing and promotion purposes related to contract concluded and to the operation of our Company.


Any data of a personal nature provided will be communicated to recipients who will process them in their capacity as Data Processors pursuant to art. 28 of EU Regulation 2016/679 and/or in their capacity as natural persons acting under the authority of the Data Controller and Representative, pursuant to art. 29 of EU Regulation 2016/679 for the purposes indicated in point C) of this information note. Precisely, personal data will be communicated to the following parties who for this purpose can process the data on our behalf: employees of our Company, Public Bodies, Authorities or Institutions, Banks and Credit Institutes, independent collaborators of the Company, professionals (lawyers, accountants, etc.), consultants, contractors of the Company, other offices of this Company and of other companies, including foreign ones, related to it or belonging to the group, i.e. those with which a correspondence relation exists, commercial agents and brokers, companies in charge of promotions and editorials, auditors, leasing companies, airlines and railways, hotels, travel and other similar agencies, as well as any legitimate recipient of communications established by laws or regulations.

Data of a personal nature provided in accordance with EU Regulation 2016/679 may be sent abroad to European Union and Extra EU countries, in order to comply with the aforementioned purposes.


The processing of personal data for the aforementioned purposes is performed both in an automated manner, on electronic or magnetic media and non-automated, in paper format, in accordance with the confidentiality and security rules established by the law, by the consequent regulations and by internal provisions.

Please note that our Company uses a digital cloud computing platform (MailUp) for the creation, sending, marketing automation and tracking of newsletters, emails and SMS messages. With the help of this platform our Company may get to know, for example: the number of unique readers, openings, so-called unique “clickers” and of clicks, devices used to read the message, operating systems used to read the message, details on the activity of single users, emails sent per date/hour/minute and sending mode, emails delivered or not, emails forwarded, unsubscribed users, who opened a email or clicked a certain link in real time, users with message display problems, link tracking, i.e. the number of clicks on the message links, the graphical map of links to display the area that aroused most interest, quality benchmarks related to the sector to compare and, if possible, improve the communication results.


In accordance with EU Regulation 2016/679 the personal data collected will be stored in a form that would allow the identification of data subjects for a time period required for the achievement of the purposes for which the personal data are processed.


Considering the restrictions and terms established by the law, the Data Controller undertakes to reply to the data subject’s requests related to the personal data regarding him/her. In particular, on the basis of the applicable law:

  1. A data subject is entitled to obtain from the Data Controller the confirmation or not of the processing of personal data regarding him/her and in such a case to obtain to personal data and to the following information:
  • data processing purposes;
  • categories of personal data in question;
  • recipients or categories of recipients to which personal data were or will be communicated, in particular in the event of recipients from third countries or international organizations;
  • if possible, the established personal data storage period or, if impossible, the criteria used to determine this period;
  • the existence of the data subject’s right to ask the Data Controller for personal data adjustment or deletion or for the limitation of the processing of personal data regarding him/her, or to oppose to their processing;
  • the right to file claims to supervisory authorities;
  • should the data not be collected from the data subject, all available information on their origin;
  • the existence of an automated decision-making process, including profiling.
  1. A data subject is entitled to obtain from the Data Controller the rectification of inaccurate personal data regarding him/her without any unjustified delay. Considering the processing purposes, the data subject is entitled to obtain the integration of incomplete personal data, also by providing a supplementary declaration.
  2. The data subject is entitled to obtain from the data controller the erasure of any personal data regarding him/her without any unjustified delay, and the data controller undertakes to delete the personal data without any unjustified delay in accordance with the restrictions and cases established by the applicable law. The Data Controller informs each of the recipients to whom personal data were sent of any rectification or erasure or limitation of the processing within the limits and the forms established by the applicable regulation.
  3. The data subject is entitled to obtain limitation of the processing from the Data Controller.
  4. The data subject is entitled to receive in a structured, common use and readable form from automatic devices, the personal data regarding him/her provided to a Data Controller and is entitled to send such data to another controller without any hindrances from the Data Controller to whom he/she provided them.
  5. The data subject is entitled to file complaints to the Authority responsible for personal data protection, Piazza Monte Citorio no. 121, 00186 Rome (RM).

To exercise the above-listed rights towards the Data Controller, the data subject must file a written request to the Company headquarters using the following email address:

The communication of personal data is not an obligation. You are free to provide your personal data. The non-provision of personal data entails the impossibility to use the services offered by the Data Controller.


The information note is provided to the data subject pursuant to (It.) Legislative Decree no. 196/2003 and EU Regulation 2016/679, who declares to be aware of the purposes for the processing.