pursuant to article 13 of EU Reg. 79/2016


Dear Customer,


we wish to inform you that EU Reg. 679/2016 (and Legislative Decree No. 196/2003 and subsequent amendments and additions) provide for the protection of individuals with regard to the processing of personal data. According to these regulations, the processing of data must be conducted within the principles of correctness, legality, transparency and respect for your privacy and rights.


Pursuant to art. 13 of EU Reg. 679/2016, we hereby provide you with the following information:


  1. Your personal data are processed for the following purposes:





  1. Providing data is required to achieve the objectives referred to in point a) and if not provided it will be impossible to establish a commercial/professional relationship with the Data Controller.


  1. Your personal data will be processed by subjects, where necessary, specially appointed by the Data Controller as data processors and/or anyone acting under their authority and who has access to personal data. These subjects will only process your data if it is necessary in relation to the purposes of the provision and only within the framework of carrying out the tasks assigned to them by the Data Controller, undertaking to solely process data necessary to carry out their duties and to only perform operations necessary to achieve them.

Furthermore, your personal data may be communicated for the purposes referred to in point a), to:


c1) Your data will not be transferred by the Controller to a third country or an international organisation.

c2) In accordance with the Decision "Measures and arrangements for data controllers performed with electronic instruments relating to system administrator functions - 27 November 2008" (Official Journal No. 300 of 24 December 2008) and related additions and amendments, the Data Controller has specific appointed "System Administrators" who, as part of performing their duties, can access, even indirectly, services or systems that process or that allow the processing of personal information.


Your personal data will not be disseminated.


  1. Your data will be kept for the time necessary to achieve the objectives mentioned above and in order to comply with the regulatory requirements of the sector; the retention period will be determined by the duration of the commercial/professional relationship and obligations of an administrative, accounting and tax nature. In particular, at the end of your contractual relationship with the Data Controller, your data will be retained for a further period of 10 years in order to comply with inspections by the competent authorities, existing legal civil, tax and accountancy obligations, as well as for purposes of exercising or defending the Controller’s rights in the courts.

If a dispute arises, your personal data will be processed for all the time required in relation to said dispute.

  1. The personal data you provide us will not be processed as part of automated decision-making processes (including profiling).
  2. If the personal data provided must be processed for additional purposes other than those indicated above, the Controller will provide you with information about these different purposes and any further relevant information.


       The Controller, taking into account the state of the art and the cost of implementation and the nature of the scope of application, the context and purposes of the processing both when determining the processing means and during the processing itself (so-called risk analysis - accountability), has put in place appropriate technical and organisational measures, intended to effectively implement the principles of data protection and to integrate the necessary guarantees in the processing in order to meet the requirements of EU Reg. 679/2016 and protect the rights of the data subject.   

       In this perspective, your personal data will be processed for purposes that are related and/or instrumental to the commercial/professional relationship established in compliance with the objectives to be pursued referred to above.

       The data will be processed by methods and instruments suitable to guarantee security (arts. 24, 25 and 32 EU Reg. 679/2016) and will be performed by means of an automated process and by non-automated means (paper archives). The Controller, in the context of processing your personal data for the purposes indicated above referred to in a), will use any technical and organisational measures to ensure a security level appropriate to the risk, so as to permanently ensure, their confidentiality, integrity, availability and the resilience of the processing systems and services (by way of example and not limited to: checks on both the assignment to data processors and the classification of such data; procedures, if sustainable, pseudonymisation and encryption and disaster recovery mechanisms). 


Below are some of the legal bases of the processing put in place by the Data Controller:


The legal basis for processing your personal data for the purposes referred to in section a) (i) is represented by the need to implement the existing commercial relationship between you and the Data Controller, pursuant to art. 6.1(b) of EU Reg. 79/2016.


The legal basis for processing your personal data for the purposes referred to in section a) (ii) is represented by the need to fulfil a legal obligation the Data Controller is subject to pursuant to art. 6.1(c) of EU Reg. 79/2016.


The legal basis for processing your personal data for the purposes referred to in section a) (iii) is represented by the legitimate interests of the Data Controller to exercise or defend their rights in the courts (pursuant to art. 6.1.(f) of EU Reg. 679/2016), on which, the Controller does not consider that any of their rights, interests or fundamental freedom prevail.


The Data Controller is: OPTIMA SPA with a sole shareholder (a company subject to management and coordination activities by Cone Investments UK Ltd.), whose registered office is in Via Gaggio No. 72, in San Clemente (RN), Tax Code - VAT No. 01622060406, Telephone: +39 0541 859411, Fax: +39 0541 859412, Email, Certified (above and hereinafter defined as the “Controller”).


Pursuant to art. 28 of EU Reg. 679/2016, the Data Controller may use third parties that process data on their behalf and formally appointed by them as data processors. The complete and updated list of data processors appointed will be provided by the Data Controller on simple request, by sending a communication to the address indicated above.

Pursuant to art. 29 of EU Reg. 679/2016, the Data Controller may use anyone acting under their authority and/or the appointed processor; these subjects will be duly instructed.


The Data Controller has not currently appointed the DPO. (37 of EU Reg. 679/2016 and WP Guidelines article 29 of 13.12.2016), as no such figure is required in the organisation, given that the characteristics of the processing do not fall under the specific case referred to in the afore-mentioned article 37.


The Data Controller hereby informs you that:


  1. the data subject has the right to ask the Controller to access their personal data and rectify or erase them or limit processing concerning them or object to their processing in addition to the right to the portability of data (art. 15, art. 16, art. 17, art. 18, art. 20 of EU Reg. 679/2016); with the exercising of the right to access, the data subject has the right to obtain confirmation from the Controller about whether or not personal data that concern them are being processed, while exercising the right to the portability of data enables the data subject to obtain personal data in a structured format from the Data Controller, for common use and readable or transfer said data from the original Data Controller to another (see WP 242 of 13.12.2016);
  2. the data subject has the right, if the processing is based on article 6(1)(a) or on article 9, paragraph 2(a)), to withdraw their consent at any time without affecting the legality of the processing based on the consent given before the withdrawal;
  3. the data subject has the right to file a complaint with a supervisory authority;
  4. the data subject has the right to be informed by the Controller who must do so without a justified delay, of a breach of their personal data which may present a high risk for the rights and freedoms of natural persons (art. 34 of EU Reg. 679/2016).


The full text of the articles of EU Reg. 679/2016 relating to your rights (articles 15 to 23 inclusively) can be accessed at any time at the following links present on this website of the Data Protection Authority:

or, alternatively, they will be provided to you by the Controller on simple request, by sending a communication to the address indicated above.



This website uses technical cookies and third-party cookies, in order to collect statistical information on users. To learn more and to manage these cookies, click here . If you continue browsing through access to another area of the site or selecting an item of the same (for example, an image or a link) you express your consent to the use of cookies and other profiling technologies used by the site. To hide this message click here .