INFORMATION ON THE PROCESSING OF PERSONAL DATA OF CLIENTS WITH CONSENT
Henoto S.p.A. (hereinafter “HENOTO”), with registered office in Bologna (BO), Via A. Maserati 18, registered with the Bologna Companies Register under No. 555349, Tax Code and VAT No. 03275590283, represented by its CEO, Engineer Giovanni Giuliani, PEC address: henoto@pec.it (hereinafter, the “Data Controller”), as Data Controller, hereby informs you that any personal data you provide will be processed in compliance with applicable law.
1. Object of the Processing
The Data Controller exclusively processes common personal data, specifically identifying personal data (e.g., name, surname, company name, Tax ID, VAT number, address, telephone number, email, banking and payment references — hereinafter “Personal Data”) provided by you to the Data Controller or to third parties (upon your consent for the transfer of data to a third party), or collected from Public Sources (public registers, lists, documents available to anyone) for the purposes and with the recipients indicated in Articles 2 and 4 below.
2. Purpose of the Processing
Your Personal Data will be processed by the Data Controller for the following purposes:
a) To fulfil pre-contractual (e.g., quotations) and contractual obligations arising from the relationship with the Company (e.g., fulfilment of the contract, access to fairs/sites, issuing and signing of delivery reports, issuing of invoices);
b) To comply with legal provisions and regulations (e.g., tax declarations to judicial authorities if requested, communications to public authorities for authorizations, communications to event organizers);
c) To exercise the rights of the Data Controller, in particular the right of defence in court.
Provision of data for the purposes above is mandatory. Failure to provide data and/or an explicit refusal to allow processing will make it impossible for the Data Controller to fulfil the contract, without prejudice to the contents of Article 7 below.
d) Subject to explicit consent, for promotional communications, marketing activities, automated or non-automated (telephone contact with operator), and profiling.
3. Processing Methods and Storage
The processing of your Personal Data is carried out through the operations indicated in Article 4 of the Italian Privacy Code and Article 4(2) of the General Data Protection Regulation (GDPR), namely: collection, registration, storage, consultation, processing, extraction, use, blocking, communication, deletion, and destruction of data.
Your Personal Data is processed both in paper and electronic forms. In all cases, the logical and physical security of data and, in general, the confidentiality of Personal Data will be ensured through all necessary technical and organizational measures.
4. Access to and Processing of Data
4a) For the purposes described in Article 2(a)–(c), your data may be processed or made accessible by:
· Personnel (employees and collaborators) of the Data Controller, acting under appointment as data processors and under the responsibility of the Controller;
· Companies belonging to Henoto (i.e., subsidiaries or companies in which the Controller has a stake);
· Companies of the Bologna Fiere S.p.A. Group;
· Consultants or subcontractors of the Data Controller;
· External service providers, including IT services, engaged to perform certain services for the purposes described in Article 2, acting, if applicable, as External Data Processors.
4b) For the purposes in Article 2(d), subject to explicit consent, your data may also be accessed or processed by third-party companies (e.g., Interevent S.r.l., MagNews platform) under service contracts and, if applicable, appointed as External Data Processors.
5. Transfer of Personal Data
Personal Data is stored on servers located at the Data Controller’s premises and in the Cloud and will be transferred to Henoto only for the purposes indicated in Article 2(a)–(c), subject to Article 7.
6. Retention Period of Personal Data
The Data Controller will process Personal Data for the purposes in Article 2(a)–(c) for as long as necessary to fulfil those purposes, and in any case for no more than 10 years after the termination of the relationship, for purposes of protection within statutory limitation periods.
For processing based on consent, Personal Data will be processed for the purposes in Article 2(d) for a maximum of three years, unless consent is revoked by the data subject at any time, as indicated in the relevant notice.
7. Recipients and Categories of Recipients
In addition to the recipients in Article 4 and subcontractors or suppliers of requested goods/services, where the transfer of data is necessary for contract fulfilment, the Data Controller may communicate some of your Personal Data to third parties, unless you expressly refuse consent.
For assignments involving provision of trade fair setups outside Italy, the Data Controller may communicate some of your data to recipients abroad, exclusively for purposes that serve to fulfil contractual obligations.
Where required by law, transfers are governed by appointment of the third party as Data Processor.
The list of appointed Data Processors is maintained and updated by the Data Controller and is available for consultation at the Controller’s offices.
8. Rights of the Data Subject
As a data subject, you have the following rights under Article 7 of the Italian Privacy Code and Articles 15–21 of the GDPR:
· Right of Access – Obtain confirmation whether your Personal Data is being processed and, if so, information regarding the purposes, categories of data, retention period, and recipients (Article 15 GDPR);
· Right to Rectification – Obtain correction of inaccurate data and completion of incomplete data without undue delay (Article 16 GDPR);
· Right to Erasure – Obtain deletion of Personal Data in applicable cases (Article 17 GDPR);
· Right to Restriction – Obtain restriction of processing where applicable (Article 18 GDPR);
· Right to Data Portability – Receive your Personal Data in a structured, commonly used, machine-readable format and transmit it to another Data Controller without hindrance (Article 20 GDPR);
· Right to Object – Object to the processing of your Personal Data, unless legitimate grounds exist for the Controller to continue processing (Article 21 GDPR);
· Right to Lodge a Complaint – File a complaint with the Data Protection Authority, Piazza di Montecitorio 121, 00186 Rome, Italy.
9. How to Exercise Your Rights
You may exercise your rights at any time by sending a written communication to: privacy@henoto.com.
The Data Controller will respond within 30 days, and if your request is accepted, will ensure communications are made to the third parties responsible for processing employee data.
If your request is accepted, the Data Controller will also delete data from any archives, allowing remote verification by the user.
If you wish to file a complaint regarding the processing of your data or the handling of your request, you may submit it directly to the Italian Data Protection Authority.