Privacy Policy
Last updated: 2026-05-22
This notice describes how the personal data of users who visit or interact with the website https://www.qualityandsafety.org (hereinafter, the "Site") is processed, in compliance with Regulation (EU) 2016/679 ("GDPR"), Legislative Decree 196/2003 as amended by Legislative Decree 101/2018 ("Privacy Code") and the Guidelines of the Garante per la Protezione dei Dati Personali (the Italian Data Protection Authority).
This notice applies exclusively to the Site and does not concern the processing carried out by Quality and Safety Srl as Data Processor on behalf of its clients within the scope of the software and professional services provided. For such processing, please refer to the contracts and notices provided directly to the clients and data subjects involved.
1. Data Controller
The Data Controller is:
Quality and Safety Srl
Registered office: Via Einaudi, 38, 10024 Moncalieri (TO), Italia
Email: info@qualityandsafety.org
Phone: +39 011 0842948
P.IVA 10018310010
R.E.A TO 1098857
PEC: amministrazione@pec.qualityandsafety.org (channel for receiving electronic invoices)
2. Data Protection Officer (DPO)
Quality and Safety Srl has appointed a Data Protection Officer (DPO), who can be contacted for any matter relating to the processing of personal data and the exercise of data subjects' rights:
PEC email: DPO@pec.qualityandsafety.org
For more information about the company's GDPR commitment, the documents for exercising rights and the roles in the services provided to clients, please refer to the dedicated page GDPR and data protection.
3. Types of data processed
In relation to browsing and use of the Site, the Controller may process the following categories of personal data:
3.1 Browsing and usage data
The computer systems and software procedures responsible for the operation of the Site acquire, during their normal operation, certain data whose transmission is implicit in the use of Internet communication protocols. These include, by way of example:
- IP addresses (including in pseudonymised or aggregated form);
- type and version of the browser and operating system;
- user-agent, browser language, time zone;
- referring and exit URLs, navigation path within the Site;
- date and time of the request, HTTP response codes;
- technical information about the device and screen resolution.
Such data is generated automatically when accessing the pages and may be recorded in the logs of servers, CDN and security systems for the time strictly necessary for the purposes indicated in point 4.
3.2 Data provided voluntarily by the data subject
The voluntary sending of messages through the contact details provided on the Site (contact form, mailto: links, telephone) entails the acquisition of the data entered or communicated by the data subject, such as:
- first and last name;
- name of the company or organisation to which they belong;
- email address;
- telephone number;
- subject of the request;
- content of the message and any other information voluntarily provided.
The form on the Contacts page uses the mailto: protocol: the data entered is transmitted via the user's email client and is not stored in a database of the Site. Any additional data contained in the email message (for example attachments or signatures) is processed to the extent that the data subject makes it available.
3.3 Cookies and similar technologies
The Site uses cookies and similar technologies. For detailed information on types, purposes, duration and management methods, please refer to the Cookie Policy.
4. Purposes of processing and legal basis
Personal data is processed for the purposes indicated below, each supported by a legal basis pursuant to art. 6 GDPR:
- Browsing and operation of the Site — to allow access to the pages, deliver the requested content and ensure correct technical operation. Legal basis: performance of pre-contractual measures at the data subject's request or legitimate interest of the Controller (art. 6.1 lett. b and f).
- Response to contact requests — to handle information, quotes, commercial assistance or support sent via email, telephone or contact form. Legal basis: performance of pre-contractual measures (art. 6.1 lett. b) and, where applicable, consent (art. 6.1 lett. a).
- Management of business relationships — to retain evidence of communications with prospects and clients. Legal basis: legitimate interest of the Controller (art. 6.1 lett. f).
- Security and diagnostics — to prevent abuse, fraudulent activities and cyberattacks; to manage logs and technical monitoring. Legal basis: legitimate interest of the Controller (art. 6.1 lett. f).
- Statistical analysis — to measure use of the Site and improve the browsing experience. Legal basis: legitimate interest of the Controller (art. 6.1 lett. f) and/or consent (art. 6.1 lett. a) for non-technical cookies, where required.
- Legal obligations — to comply with legal, regulatory or administrative obligations. Legal basis: compliance with a legal obligation (art. 6.1 lett. c).
- Legal protection — to defend the Controller's rights in judicial or extrajudicial proceedings. Legal basis: legitimate interest of the Controller (art. 6.1 lett. f).
Providing the data marked as mandatory in the contact form is necessary to allow the Controller to respond to the request. Failure to provide it makes it impossible to handle the communication. Browsing data is necessary for the operation of the Site; restricting it may prevent or impair the use of certain features.
5. Processing methods and security measures
Personal data is processed using IT and electronic tools, in compliance with the principles of lawfulness, fairness, transparency, minimisation, accuracy, storage limitation, integrity and confidentiality provided for by the GDPR.
Quality and Safety Srl adopts appropriate technical and organisational measures to protect data from unauthorised access, disclosure, modification or destruction, in line with information security best practices and with the ISO/IEC 27001 standard adopted by the organisation. These measures include, among others, encryption in transit (HTTPS/TLS), access control, backup policies and infrastructure monitoring.
Processing is carried out by authorised and instructed personnel as well as — where necessary — by external parties appointed as Data Processors pursuant to art. 28 GDPR.
6. Retention period
Personal data is retained for the time strictly necessary to pursue the purposes for which it was collected, in compliance with the storage limitation principle (art. 5.1 lett. e GDPR):
- Browsing data and technical logs — for a period generally not exceeding 12 months, unless extensions are justified by security needs, incident investigations or legal obligations.
- Contact and correspondence data — for the time necessary to handle the request and, in the absence of subsequent contractual relationships, for a maximum of 24 months from the closure of the last commercial communication, unless more stringent retention obligations or ongoing disputes apply.
- Data relating to clients — for the duration of the contractual relationship and, where applicable, for the limitation and retention periods provided for by law.
- Cookies — for the periods indicated in the Cookie Policy.
Once the retention period has elapsed, data is deleted, irreversibly anonymised or rendered inaccessible, unless the law requires or permits further retention.
7. Recipients and categories of recipients
Personal data may be communicated, within the limits of the purposes indicated, to the following categories of recipients:
- authorised internal personnel of Quality and Safety Srl, as persons authorised to process data;
- providers of IT services, hosting, content delivery network (CDN), cloud computing, email and technical support, appointed as Data Processors;
- legal, tax and accounting consultants and qualified professionals, where necessary for specific purposes;
- public authorities, supervisory bodies and law enforcement, when required by law or by binding measures.
The Site is hosted on cloud infrastructure within the European Union (Amazon Web Services — AWS, S3 and CloudFront services). Browsing data may transit through nodes of the content delivery network to ensure performance and availability of the Site.
Personal data is not subject to generic dissemination. No sale or transfer of data to third parties for autonomous marketing purposes is carried out.
8. Third-party services and content
To deliver some features of the Site, the Controller makes use of services provided by third parties that may process personal data as independent controllers or as data processors:
- Google Tag Manager (Google Ireland Limited) — a tool for managing tags and scripts, used to activate traffic measurement and analysis services. Google may process usage data and online identifiers. Privacy notice: policies.google.com/privacy.
- Google Fonts (Google Ireland Limited) — the Site loads typographic fonts from Google's servers; during loading, the IP address and technical data of the browser may be processed.
- Google Maps (Google Ireland Limited) — the Contacts page embeds an interactive map that may entail the processing of location and browsing data by Google.
For each service, you are invited to consult the privacy notices of the respective providers. The data subject may restrict or prevent the loading of such resources by configuring the browser settings or by using blocking extensions, with a possible reduction in the functionality of the Site.
9. Transfer of data to third countries
The data processed for hosting and delivery of the Site is stored predominantly within the European Economic Area (EEA).
Some providers listed in point 8 (in particular Google LLC and the companies of the Google group) may transfer personal data to the United States of America or other non-EEA countries. Such transfers take place, where applicable, on the basis of adequacy decisions of the European Commission, Standard Contractual Clauses (SCC) approved pursuant to art. 46 GDPR and supplementary measures adopted by the provider. A copy of the applicable safeguards may be requested by contacting the Controller or the DPO.
10. Automated decision-making processes
The Controller does not use decision-making processes based solely on automated processing, including profiling, that produce legal effects on the data subject or significantly affect them in a similar way, pursuant to art. 22 GDPR.
11. Rights of the data subject
As a data subject, the user has the right to exercise at any time, within the limits provided by the GDPR, the following rights:
- Access (art. 15) — to obtain confirmation of the existence of processing and access their data;
- Rectification (art. 16) — to obtain the correction of inaccurate data or the completion of incomplete data;
- Erasure (art. 17) — to obtain the erasure of data, where the legal conditions apply;
- Restriction (art. 18) — to obtain the restriction of processing in specific cases;
- Portability (art. 20) — to receive data in a structured format and transmit it to another controller, where applicable;
- Objection (art. 21) — to object to processing based on legitimate interest, for reasons relating to their particular situation;
- Withdrawal of consent — to withdraw at any time the consent given, without affecting the lawfulness of processing based on consent before the withdrawal.
To exercise these rights, it is possible to:
- write to info@qualityandsafety.org;
- contact the DPO at the PEC address DPO@pec.qualityandsafety.org;
- use the form available on the page GDPR and data protection or download the document Rights exercise request form.
The Controller responds without undue delay and, in any case, within one month of receipt of the request, which may be extended by a further two months in cases of particular complexity, informing the data subject of the reasons for the extension.
12. Complaint to the Supervisory Authority
A data subject who believes that their right to the protection of personal data has been violated has the right to lodge a complaint with the Garante per la Protezione dei Dati Personali (the Italian Data Protection Authority):
Garante per la Protezione dei Dati Personali
Piazza Venezia, 11 — 00187 Roma
Website: www.garanteprivacy.it
The right to apply to the competent judicial authority remains unaffected.
13. Minors
The Site is not intended for minors under 14 years of age. The Controller does not knowingly collect personal data of minors under 14 years of age. Should it become aware of the processing of data relating to minors without valid consent of the holder of parental responsibility, it will proceed with prompt deletion.
14. Changes to this notice
The Controller reserves the right to update this notice at any time, including as a consequence of regulatory, technical or organisational changes. The version in force is always the one published on this page, with an indication of the date of last update.
In the event of substantial changes affecting the rights of data subjects, the Controller will make them known by appropriate means (for example a notice on the Site).