Information on the processing of personal data

for users consulting website

pursuant to Article 13 of Regulation (EU) 2016/679

This Privacy Policy describes the methods and purposes for processing the personal data of the user (also ‘Data Subject’ or ‘User’) who visits the site (the ‘Website’).

Users are invited to read this Privacy Policy carefully before submitting any personal information and/or filling in any electronic form on the Website.

By accessing the Website, some of your personal data, as defined by Article 4 of Regulation (EU) 2016/679 (hereinafter ‘GDPR’), will be collected and processed.

This information is provided in accordance with Article 13 of the GDPR and in compliance with the national and European laws that supplement it and regulate the protection of personal data.

Pursuant to the GDPR, this page describes how the personal data of Users are processed through the Website. This information does not concern other websites, pages or online services that can be reached via hypertext links that may be published on the Website, referring to resources outside the domain.

The reproduction or use of pages, materials and information contained within the Website, by any means and on any medium, is not permitted without the prior written consent of Artiness S.r.l. Copying and/or printing for personal and non-commercial use only is permitted. For requests or clarifications please contact the Company at the contacts indicated on the Website. Other uses of the content, services and information on this Website are not permitted.

  1. Data Controller

The Data Controller is ARTINESS S.r.l. (“Data Controller” or “Company“), based in Milan (Italy), Viale Cassala 57, 40143



Tel: +39 02 80889220.

  1. Data Protection Officer

The Data Controller has appointed a Data Protection Officer (DPO), as required by the GDPR, with the tasks of monitoring, supervising and providing expert advice on the protection of personal data.

The DPO can be reached at the following email address:

  1. Type of data processed

3.1 Data communicated by the User

The optional, explicit and voluntary sending of messages to the Data Controller’s contact addresses indicated on the Website, as well as the completion and forwarding of the forms (Forms) on the Website will be used exclusively to respond to the User’s requests.

3.2 Navigation data 

The computer systems and software procedures used to operate the Website acquire, in the course of their normal operation, certain personal data whose transmission is implicit in the use of Internet communication protocols.

This category of data includes the IP addresses or domain names of the computers and terminals used by Users, the URI/URL (Uniform Resource Identifier/Locator) notation addresses of the resources requested, the time of the request, the method used in submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the operating system and the user’s IT environment.

This data, necessary for the use of web services, is also processed for the purpose of:

a) obtain statistical information on the use of the services (most visited pages, number of visitors per time slot or per day, geographical areas of origin, etc.);

(b) monitor the proper functioning of the Website.

Browsing data is stored for a maximum of 7 days, except in the case of criminal investigations by the competent judicial authorities.

3.3 Information on the processing of personal data carried out through the social media platforms used by Artiness

With regard to the processing of personal data carried out by the operators of the social media platforms used by Artiness, please refer to the information provided by them through their respective Privacy Policies and in compliance with the regulations in force.

3.4 For Cookies and other tracking systems, please refer to the ‘Cookies Policy’ (inserire il link alla cookie policy).

  1. Purpose of processing and legal basis

The Data Subject’s personal data will be processed by the Data Controller, within the scope of its activity, for the following purposes:

a. activities related and necessary to the management of the User’s requests, for the subscription to the newsletter, the sending of feedback and for the possible purchase of products/services offered through the Website by Artiness, the use of related information services, the management of contact or information requests (Art. 6, par. 1, lett. b) GDPR);

b. activities strictly related and necessary to ensure the security and proper functioning of the website (Art. 6(1)(f) GDPR);

c. in order to promote and sponsor the Data Controller’s services, to send e-mails for marketing purposes, exclusively with the specific, free and informed consent of the Data Subject (Art. 6(1)(a) GDPR);

d. the fulfilment of obligations under national and EU law, the protection of public order, the detection and prosecution of criminal offences (Art. 6(1)(f) GDPR).

The provision of data for the purposes referred to in points (a), (b) and (d) is necessary and, therefore, failure to provide such personal data will make it impossible for the User to conclude and obtain answers to his/her requests or to benefit from the services requested by the Users from time to time. Consent to the processing of personal data for the aforementioned purposes is not required, in particular, pursuant to Article 6(1)(b) and (f) of the GDPR and current legislation.

With reference to the purpose of the processing referred to in point c), consent to the processing of personal data is merely optional, it being understood that failure to provide it will make it impossible for the User to receive information and/or commercial communications relating to the Data Controller’s products and/or services.

  1. Recipients of Personal Data

The personal data provided by the Data Subject for the purposes described in the preceding paragraph may be brought to the attention of the following parties:

    1. employees and/or collaborators in any capacity whatsoever of the Data Controller for the performance of administration, IT and/or logistical support, communication and/or marketing activities, who will act on the basis of specific instructions provided with regard to the purposes and methods of such processing, pursuant to Article 29 GDPR and Article 2-quaterdecies of Legislative Decree 196/2003 (Privacy Code) and subsequent amendments and additions;
    2. to all those natural and/or legal, public and/or private persons when the communication is necessary or functional for the performance of the Data Controller’s activities in the manner and for the purposes described above (e.g. hosting services, website management and development);
    3. to all those persons to whom the right of access to such data is recognised by virtue of regulatory or administrative provisions.

This is without prejudice to the possible communication of the data at the request of the judicial or public security authorities, in the manner and in the cases provided for by law.

The subjects belonging to the category sub b) will operate as separate Data Controllers or as Data Processors appointed for this purpose by the Data Controller, pursuant to Article 28 of the GDPR. The list of Data Processors may be consulted at the Data Controller’s registered office or may be requested by sending a written request to the contacts indicated above.


The processing of personal data is carried out by the Data Controller in accordance with current legislation, in particular:

i) is carried out by manual means or with the aid of electronic and automated means, in all cases, suitable to guarantee security and confidentiality and to prevent unauthorised access to personal data by third parties;

ii) is carried out directly by the Data Controller’s organisation and/or by data processors identified by the Data Controller, on the basis of a contract signed pursuant to Article 28 of the GDPR.

Personal data will only be kept for as long as necessary for the purposes for which they are collected, respecting the principle of minimisation set out in Article 5(1)(c) of the GDPR, as well as the legal obligations to which the Data Controller is bound, without prejudice, in any case, to the right of the Data Subject to withdraw consent at any time.

In any case, the personal data of Data Subjects will be stored for a maximum of 12 months.

  1. Scope of Data Communication

Personal data may be communicated and/or otherwise shared with third parties and Public administrations in compliance with the law.

Some of the persons indicated will process personal data as Data Processors of the Data Controller, by virtue of an appointment as Data Processor conferred by the Data Controller itself pursuant to and for the purposes of Article 28 of the GDPR. The list of names of the Data Processors may be requested from the Data Controller by the Data Subjects at the contact details indicated above.

Other parties (such as, for instance, authorities legitimised by law, health control bodies or other supervisory and control bodies, public administration bodies) may process personal data, received by the Controller, as autonomous data controllers.

The natural persons, employees and collaborators of the Data Controller, managers or third parties, authorised to process the personal data provided by the Data Subjects, act under the instructions of the Data Controller, managers or third parties, and under a confidentiality obligation.

  1. Data Transfer Outside the European Union

Personal data are not subject to dissemination or transfer to countries outside the European Union or international organisations. If such a transfer should become necessary and/or unavoidable, for the organisational needs of the Data Controller, it should be noted that it will only be made to countries considered safe by the European Commission or, in any case, in accordance with one of the methods permitted by the law in force and in particular in compliance with the appropriate guarantees set out in Article 46 of the GDPR, for example by signing the Standard Contractual Clauses approved by the Commission or on the basis of one of the exceptions set out in Article 49, such as the consent of the Data Subjects.

  1. Rights of data subjects

The Data Subject may, at any time, exercise the rights set out in Articles 15 to 22 of the GDPR and in particular:

i) obtain confirmation as to whether or not personal data is being processed and, if so, obtain access to that data as well as information on the processing carried out, pursuant to Article 15 of the GDPR;

ii) request the rectification, deletion or restriction of the processing of personal data;

iii) obtain portability of one’s personal data;

iv) revoke, at any time, any consent given, without prejudice to the lawfulness of the processing carried out by the Data Controller prior to the revocation;

v) be made aware of the existence of an automated decision-making process, including profiling.

The Data Subject also has the right to object to the processing of personal data at any time, pursuant to Article 21 of the GDPR. In case of opposition to the processing of personal data processed for direct marketing purposes and for the performance of profiling activities, the Data Subject will obtain the immediate interruption of the processing.

If you believe that your Personal Data is being processed in breach of the Regulation, you have the right to lodge a complaint with the Data Protection Authority, as provided for in Article 77 of the GDPR itself, or to take appropriate legal action.

In order to exercise these rights, Data Subjects may at any time contact the Data Controller or the DPO at the contacts indicated above. 

Any modification or deletion or restriction of processing carried out at the request of the Data Subject, or following revocation of consent – unless this is impossible or involves a disproportionate effort – will be communicated by the Data Controller to each of the recipients to whom the Personal Data have been disclosed. The Data Controller may communicate such recipients to the Data Subject upon request.


Document updated 2022, 13 July.