Privacy Policy

In accordance to Regulation EU 679/2016 on protection of personal data Canalplast S.p.A
Following its mission and values, Canalplast S.p.A undertakes to protect all natural persons data with due regard for identity, human dignity and fundamental freedoms stated by Constitution in line with Regulation EU 679/2016 (hereinafter “GDPR”) regarding the processing of human subject’s personal data and the free move of such data.

Who we are
The “Controller” is Canalplast S.p.A, VAT registration number IT04798060150 with its registred office in Piazza Duca d’Aosta n. 12, Milano (MI), email address:

Our Policy
Data protection is based on principles contained on this document which Canalplast S.p.A undertakes to spread, respect and make them respect to its employees, associates and recipients or third parties with which it work as part of its activities and mission.
Canalplast S.p.A ensures, implements and supports privacy policy in relation to its practical reality, its investment opportunities and above all its values.
In particular, Canalplast S.p.A undertakes:

  • To communicate and spread its policy regarding data protection;
  • To listen to all data subjects, partners, employees, associates, investors, promoters, recipients, suppliers, providers, in line with their instances about personal data protection and getting instant feedback;
  • To process personal data in according with the principles of lawfulness, fairness and transparency in line with constitutional principles applicable, in particular, regarding the new Regulation EU 679/2016 and as long as necessary for the purposes provided, included for the compliance with legal obligations;
  • To collect personal data limited to what is necessary to realize the activities (data minimisation);
  • To process personal data following the principle of transparency and in relation to the purposes stated by the policies;
  • To update and ratify personal data process in order to ensure the accuracy and updating of data;
  • To store and protect personal data collected with the best available techniques by using service contracts with suppliers which guarantee the protection of all data subjects;
  • To ensure the continuous updating of the security measures of data protection. Canalplast S.p.A will constantly respect this commitment accordingly with principle of accountability, by implementing appropriate technical and organisational measures as well as appropriate privacy policy in order to demonstrate the compliance with the GDPR in accordance with the state of the art, kind of personal data stored and the risks incurred.
  • To clarify the personal data processing and storage in order to ensure an appropriate security;
  • To provide education and give partners information, in relation to the role performed, regarding the principles of lawfulness, fairness with which this privacy policy must comply as well as the safety measures adopted.
  • To promote the development of accountability and awareness of the entire organisation for personal data, as data subjects property;
  • To ensure the respect of law and current regulations concerning personal data protection;
  • To prevent and minimise, compatible with enterprise resource, the impact of potential breaches or unlawful/harmful data processing;
  • Canalplast S.p.A promotes the inclusion of the privacy policy on the improvement plan the organisation pursues with its management systems.

The present privacy policy will bring to all the employees, partners, associates attention through specific outreach meetings.

Why this policy and who are the addressee
This policy is addressed to users (“website”) and to all human data subjects in relation to their business (hereinafter data subject and user).
The access to different website divisions and/or any other requests of information or services by users will be subjected to inclusion of personal data whose processing will be done in compliance with GDPR.
For the use of specific services, specific policies will be provided to the user from time to time as well as specific consents will be asked, if necessary, for the personal data processing.
The current policy is given specifically for the website and not for other websites consulted by users through links recalled inside the present website.

The term personal data is referred to the definition contained in article 4, par. 1) of GDPR, namely, any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

GDPR statues that, before personal data has been processed (following article 4, par. 2) of GDPR), processing means any operation or set of operation which is performed on personal data or on sets of personal data, whether or not by automated or alternation, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available alignment or combination, restriction, erasure or destruction) it is necessary to inform the subject which required data belongs about purposes, reasons of the data processing and the way in which they are used.

Personal data shall be communicated to subjects, “recipients”; art. 4 par. 9) of GDPR defines recipientsas a natural or legal person, public authority, agency or another body, to which personal data are disclosed, whether a third party or not.

Personal data shall be communicated to specific subjects (authorized subject as laid down in art. 4 par. 10 of GDPR) considered as natural or legal person, public authority, agency or body other than the data subject, controller, processor and person who, under the direct authority of the controller or processor, are authorised to process personal data.
Inter alia, following art. 4 par. 9 if GDPR, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.

In this regard, the aim of current document is to supply, in a simple and intuitive way, all due and useful information in order to ensure the promoter providing, consciously and informed, personal data and requiring/achieving explanation and/or correction at any time.

Categories of personal data and processing
Navigation data
Computer systems and programs responsible for this portal functioning get personal data which transfer occurs implicitly in respect of web communication protocol, according to their operations and for as long necessary for the connection.

The information are collected in order to combine them with data subjects but, because of their nature, they would identify visitors (e.g. IP address), domain names of terminals used, requests scheduled, etc.
Data, immediately erased after their processing, are used limitedly for the purpose of obtaining anonymous statistic information about web usage and to control their proper functioning. Web contacts details are not stored for no longer than 7 days, unless potential cybercrime against websites.

No data of the service will be communicated or spread.
Data subject is invited to read privacy policy contained in the Privacy section of the website in order to get more information about this matter.

Contact details given by user
The dispatch, optional, explicit and voluntary of personal data required to have access to services and get requests by email, means the subsequent purchase by the controller of sender’s addressee and any other personal data which will be processed to answer the requests or the service supply as well as for making linked activities and respect legal obligations (e.g. about tax matters). Total, partial or incorrect data transfer will determine not only the impossibility on using required services but also, in some cases, to fulfil legal duties.

In order to enjoy services presented, it should be necessary to register by filling an appropriate registration or first contact form (“Form”).
Data transfer stated inside the abovementioned form is required in order to complete registration process specifically for data marked with asterisk (*); consequently, Total, partial or incorrect data inclusion overturns the registration and therefore doesn’t allow enjoy the services.

Personal data will be processed both with manual, informatics and telematics systems in compliance with current legal obligations and principles of lawfulness, fairness, transparency, completeness and non-exceed, minimisation of data and accuracy with organisation and processing strictly linked with the aims pursued and, however, in accordance with current organisational, physical and logical measures. Such measures will be implemented and increased following technologic development in order to guarantee protection, availability and integrity of data processed.

Purposes of the processing and legal basis
User navigation data are proceeded limitedly for obtaining statistic information about website usage.
Regarding data given by the user, they are collected with the only aim of enjoying the services accordingly with the privacy policy released in the appropriate sections i.e. requesting by email in order to reflect the requests received.
The processing of data given by filling of the first contact form and subsequent steps in the processing compared to the selection of the project is made following the aim of:

  • Giving any kind of support in order to answer user requests;
  • Choosing the call for tender of service and draw up the related budget;
  • Choosing the provision of a service and asking related budget;
  • Managing the request of the provision of a service in towards all its steps, even contractual;
  • Communicating and updating services, sending newsletter or promotional information, seminar/webinar invitations, related to controller business;

Legal basis of processing shall be identified pursuant to art. 6 of GDPR among:

  • Precontractual and contractual obligations as part of the implementation of the contract;
  • Legal obligations that the controller is subjected;
  • Consent in case of activities with information and promotional purposes;
  • Necessity of pursue a legitimate interest (e.g. the right of defence) of the controller;

Automated decision-making
The controller states he does not adopt decision likely to affect data subject based only on automated processing of his personal data. All the decision-making process involved with purposes of the abovementioned processing are made by human intervention.

Disclosure of personal data
Personal data shall be disclosed to specific subject considered as recipients or authorized subjects under the authority of the controller. In this sense, in order to carry out the activities necessary to achieve the purposes stated in the current privacy policy, these following recipients should be in a position to process personal data with:

  • Third parties who are part of the activity of processing and/or activities linked and open to the same on behalf of the controller such as people, companies, associations, professional firms, based on EU, responsible for carrying out services, assistance activities and/or consulting against the controller. The abovementioned parties are basically included in these categories: (a) subjects linked with the controller by cooperation agreements, (b) subjects of the sector; (c) credit institutions involved in the provision of services; (d) consultants;
  • Employees and/or associates of the controller who carry out functions involved in the activity of the controller and has received appropriate directives concerning security and use of his personal data;
  • Public authorities or bodies in accordance with the fulfilment by the controller of the legal obligations and any other public subject entitled to require data in the cases provided by law;
  • When required by law or in order to prevent and repress crimes, personal data would be disclosed to public authorities or judicial authorities. Inter alia, following what stated by art. 4 par. 9) of GDPR, public authorities which may receive personal data in the framework of particular inquiry in accordance with Union or Member State law shall not be regarded as recipients;

Personal data will be processed only for the achievement of the specific purpose; consequently personal data processed by third parties will be limited to specific aims. Personal data will not be disclosed.

International transfer of data
Your personal data will be processed inside EU territory. If subjects based outside EU will be necessary for data processing, the transfer of Your data, limited to specific processing activities, will be regulated in compliance with what stated in par. V of GDPR. All the due precautions will be adopted in order to guarantee the maximum protection of Your personal data basing the processing: (i) on adequacy decisions of third countries recipient stated by European Commission; (ii) on appropriate guarantees expressed by third party recipient following art. 46 of GDPR; (iii) on the adoption of binding obligations for the company.

Storage period
One of the principles provided by the GDPR concerns the limitation of the storage period, regulated by art. 5, par. 1, pt. e) that statues as follow: personal data are kept in a form which permits identification of data subjects for no longer than is necessary for the purpose for which the personal data are processed; personal data may be stored for no longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical purposes or statistical purposes in accordance with article 98 (1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject. In the light of this principle, the controller will process Your personal data limited on what it is necessary for the achievement of the purposes stated by this privacy policy. In particular, personal data will be processed for no longer than the end of the current precontractual and contractual relationships, considering the period of limitation and storage obligations provided by tax law and any other obligations stated by laws, regulations, and, consequently, principle of non-exceed (art. 6 of GDPR) will be applied. In this case, personal data will be stored for no longer than 10 years, that is the term provided by civil law.

Marketing communication and the withdrawal of consent
The controller will process personal data given and referred to promotional purposes in order to send other information linked with their activities and products supplied by the controller himself. Such communication shall be made by email, mobile phone, i.e. advertising products in the homes’ subject. Specific consent may be necessary for this specific purpose (art. 6, par. a) GDPR.
Marketing communication activities will not be processed without specific consent for this purpose.
Personal data released for the abovementioned purposes will be stored for no longer than 10 years and, anyway, until the withdrawal of Your consent. As GDPR requires, when the subject gives the consent for the personal data processing for one or more of the purpose for which it is required, he will be able to revoke it totally/partially without prejudice for the lawfulness of the processing based on released consent before the withdrawal at any time.
The procedures for withdrawing the consent are simple and intuitive: it is necessary to contact the controller and/or the joint controllers by using contacts set out in this policy.
In addiction and for simplicity, when You receive emails by the controller that are not of Your concern anymore, You will not receive any other communication by clicking on the button unsubscribe set at the bottom of the same or through the contacts for which the consent has been collected (SMS, mail, email, phone calls, social media).

Rights of the data subjects
As stated by art. 15 of GDPR, data subject shall have the right to access his personal data, to obtain the rectification and updating, if incomplete or incorrect, to obtain the erasure when the collecting has been done unlawfully, to object to the processing of any personal data for specific and legal reasons.
In particular, the rights you can exercise at any moment against the controller are the following:

  • Right of access (Article 15 GDPR): data subject has the right to obtain from the controller the confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: (a) the purposes of the processing; (b) the categories of personal data; (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence for the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (f) the right to lodge a compliant with a supervisory authority; (g) where the personal data are not collected from the data subject, any available information as to their source; (h) the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) and, at least, in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
  • Right to rectification (Article 16 GDPR): the data subject shall have the right to obtain from the controller the rectification of inaccurate personal data. Taking into account the purposes of the processing, the data subject shall have the right to have the incomplete personal data completed, including by means of providing a supplementary statement.
  • Right to erasure (Article 17 GDPR): data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: (a) the personal data are no longer necessary in relation to the purposes for which the were collected or otherwise processed; (b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6 (1), or point (a) of Article 9 (2), and where there is no other legal ground for the processing; (c) the data subject object to the processing pursuant to Article 21 (1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 (2); (c) the (d) the personal data have been unlawfully processed; (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subjected; (e) the personal data have been collected in relation to the offer of information society services referred to in Article 8 (1). Where the controller has made the personal data public ad is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
  • Right to restriction of processing (Article 18 GDPR): the data subject shall have the right to obtain from the controller restriction of processing where one of the applies: (a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; (b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; (c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; (d) the data subject has objected to processing pursuant to Article 21 (1) pending the verification whether the legitimate grounds of the controller override those of the data subject. Where the processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
  • Right to data portability (Article 20 GDPR): the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided providing written authorisation.
  • Right to object (Article 21 GDPR): data subject shall have the right to object at any time to processing of personal data when the processing is realize in order to achieve the purpose of marketing, included profiling in so far as it is linked to direct marketing
  • Right to lodge a complaint to supervisory authority: Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

The data subject shall exercise the abovementioned right by addressing the controller.
Requests, in accordance with Article 15 of GDPR, shall be addressed to Canaplast S.p.A, S.p.A., or by email as set out in the contact section. Furthermore, You shall consult the “privacy policy section” if the website where you may find all the information concerning our policy about personal data Processing applied by the controller, usage and processing of data, updated information about contacts and communication channels available for the data subject from the controller.

You can contact the controller to the mail address: For any other request or need the data subject may send a communication to Canalplast S.p.A, Piazza Duca d’Aosta n. 12 Milano (MI), email address he updated list of the processors is available upon request. Furthermore, You may consult inside privacy policy section of the website all the information about policy applied by the controller on personal data, updated information about contacts and communication channel available for the data subject from the controller.

The controller

Updated version of the privacy policy to May 2018