Information on the Processing of Personal Data Pursuant to Articles 13 and 14 of EU Regulation No. 679/2016

The companies belonging to Aetna Group, hereinafter collectively referred to as the "Group", collect and use your personal data, either separately or jointly, as Co-Controllers when you browse or use online services on the Group's websites.

 

Some companies have their own website, and as part of a corporate group, the data processed by each company and the functionalities of each website are largely similar.  For this reason, we would like to inform you that this privacy notice has a general scope and applies whenever you browse or use the online services available on the websites of our companies.

 

By "personal data," we refer to any information that can be used to identify you as an individual.

The purpose of this notice is to provide you with a clear and detailed explanation of how, when, and why we collect and use your data within the Group. It has been designed to present our personal data protection policy in a simple and transparent manner and to illustrate how you can effectively exercise your rights.

 

This information pertains only to data processed by Aetna Group companies through their websites and does not cover other platforms or social media pages that may be accessible through links on our websites. In such cases, you should always refer to the privacy policies available on the respective pages.

 

This information may be subject to changes over time. Therefore, we encourage you to check this page regularly to stay updated on how your personal data are processed.

 

INDEX:

1. Who does this Privacy Policy apply to?
2. Who is the data controller?
3. When do we collect your data?
4. What data will we process?
5. For what additional purposes may we use your data?
6. With whom will we share your data?
7. How will we process your data?
8. Will my data be processed outside the European Economic Area?
9. How long will you retain my data?
10. Links to third-party websites and social networks
11. What are my rights and how can I protect my privacy?
12. Can I file a complaint?
13. Possible modifications

1.       Who does this Privacy Policy apply to?

Since Aetna Group consists of multiple companies, when you access and browse the website, or express your interest through dedicated sections - such as requesting a quote or activating the support service - your data may be shared with other Group companies. These companies will act as Co-Controllers, Data Controllers, or Data Processors, depending on the specific purpose for which the data are being processed.

Therefore, when you browse the websites of different Group companies, each company will act as the "Data Controller" and, for certain types of processing as specified below, as a "Co-Controller".

To learn which companies are part of Aetna Group, please visit the following page:
 https://www.aetnagroup.com/it/il-gruppo/presenza-globale.

 

 

2.       Who is the data controller for my data?

Depending on the website the user is visiting, each company acts as the Data Controller, as specified in Section 1 of this Privacy Policy.

Since the companies within Aetna Group jointly determine the means and purposes of processing related to customer portfolio management and marketing campaigns, certain data provided by the user through the website may be shared with other companies within the Group for common purposes. For this reason, the companies of the Group have regulated their relationships through a specific agreement.

In any case, requests regarding data subject rights related to data processing may be addressed to Aetna Group S.p.A., which can be contacted at the following addresses:

• By mail: Aetna Group S.P.A., S.P. Marecchia 59 - ZIP Code 47826, Villa Verucchio (RN) – Italy;
• By e-mail: [email protected];
• PEC certified e-mail: [email protected].

3.       When do we collect your data?

The Data Controller will collect the information you directly provide in the following cases:

• When you access and browse the website.

• When you submit inquiries or suggestions through the designated sections or contact options.
• When you request assistance regarding our products and/or services.
• When you register on the website.
• When you apply for a job with us.

4.       What data will we process?

When you browse and use the services on the website, the following types of data may be processed:

a)      Browsing Data

Certain personal data, whose transmission is implicit in the use of Internet communication protocols, may be collected while navigating the website. This includes, but is not limited to, traffic data, location data, weblogs, and other communication data required for billing purposes or related to the resources accessed through your device. These data are acquired by the IT systems that enable the website to function properly. While such data are not collected for the purpose of associating them with identified users, they may still allow for user identification due to their nature and through processing and association with data held by third parties. Examples of such data include IP addresses or domain names of computers used to connect to the website, unique resource identifiers (URIs) of the requested resources, the time of the request, the method used to submit the request to the server, the size of the response file, numerical status codes indicating the response from the server, and technical details regarding the operating system and browser used.

• Purpose of processing: to ensure secure and proper use of the website.
• Legal basis for processing: the Data Controller's legitimate interest in ensuring the proper operation of the website and the security of navigation, while balancing these interests with the rights of the data subject (Art. 6(1)(f) GDPR).

b)      Information or Quote Requests via Designated Sections

You may contact us through the contact forms available on the website or by using the contact details provided to request information or assistance. This process involves the collection of the personal data you voluntarily provide, including name, surname, e-mail address, city, and any additional information you voluntarily include in the form. By submitting a request, you allow us to contact you and reply using the details provided.

• Purpose of processing: to provide appropriate support regarding your inquiries and reply to your requests.
• Legal basis for processing: performance of the service you have requested (Art. 6(1)(b) GDPR).

 

 

 

c)       Registration and Access to the Reserved Area

Certain websites within the Group allow users to create a personal account to access various services. To register and access the reserved area, you may be asked to provide certain details such as your name, surname, e-mail address, residence or workplace information, which are necessary to provide the requested service. Access to the reserved area is regulated through credentials that you create during registration or that are directly provided by the Data Controller.

Once your personal account is created, your user page may store information related to your identification and contact details, your purchase history, your programs, and service requests. You can always manage your personal information and history directly from your account or request specific updates. Additionally, you can delete your account and all associated data at any time. However, some data may need to be retained by the Data Controller for periods required by applicable laws (for example, billing data related to completed purchases).

After account deletion, the Data Controller will only retain records related to your registration, subscription, and cancellation, which are necessary to demonstrate proper compliance with regulatory requirements.

• Purpose of processing: to provide the requested service and allow users to access features and services reserved for registered account holders.
• Legal basis for processing: performance of the contractual relationship in which the data subject is involved (Art. 6(1)(b) GDPR).

d)      Work with us

You can contact us to submit your application for open positions by filling out the dedicated form in the "Careers" section, thereby authorising the Data Controller to process your personal data for this purpose. To this end, you will be required to provide identifying details (name and surname), a contact e-mail address, and to share a file with your curriculum vitae, as this information is necessary for the company to which you are applying to evaluate your application.

Providing these data is mandatory only for submitting an application and is therefore left to the discretion of each individual candidate whether to proceed with submitting their curriculum vitae. Any refusal to provide the requested information will result in the inability to use this service, without further consequences.

Consent to processing is not necessary, pursuant to Article 111-bis of Italian Legislative Decree No. 196/2003 (so-called Privacy Code, as amended by Italian Legislative Decree No. 101/2018) and Article 9, paragraph 2, letter b) of the GDPR, when the processing concerns data contained in CVs spontaneously sent by candidates for the possible establishment of an employment/collaboration relationship, even where such data fall within the special categories provided for in Article 9 of the GDPR (for example, in cases where such data must be known in relation to the potential employment relationship, particularly regarding the candidate's protected status or the need to undergo pre-employment medical examinations). In case, at the time of the interview, the data subject will be provided with any additional information regarding the processing of his/her personal data.

Data will be retained for the period necessary to evaluate your application and, in any case, for a maximum period of two years. Submitted data can also be deleted at any time, upon a specific request by the candidate to the Data Controller.

• Purpose of processing: provide the requested service and evaluate the application received for the possible establishment of an employment relationship.
• Legal basis for processing: performance of the contractual relationship in which the data subject is involved (Art. 6(1)(b) GDPR).

e)      Sending communications for marketing purposes within the framework of legitimate interest and soft spam

In some cases, the Group may use the e-mail address provided by the user through the website (for example, when using the contact form) to send promotional communications, even without obtaining the user's prior consent. This processing will be carried out in compliance with Article 6, letter f) of the GDPR and Article 130, paragraph 4, of Italian Legislative Decree No. 130/2003. Specifically, users are informed of this processing activity through this privacy notice, and they are always granted the right to object, in a simple and free manner, to such processing: every communication sent by the Co-Controllers includes a reference to this information and instructions (on how to opt-out), either by contacting the Co-Controllers or by directly selecting the appropriate link provided at the bottom of each communication.

• Purpose of processing: to inform you about products similar to those you have previously purchased and that may be of interest to you.

• Legal basis for processing: the regulatory provision pursuant to art. 130, paragraph 4, of Italian Legislative Decree no. 196/2003 which legitimises sending communications regarding products or services similar to those already requested (art. 6, paragraph 1, lett. c and f, GDPR).

f)        Newsletter and commercial information

The Group sends newsletters, commercial, promotional, and advertising information via e-mail to those who explicitly request it and expressly authorize the Group through the appropriate forms. This service is provided only after the user has given explicit and unequivocal consent (by selecting the appropriate checkbox on the website). The provision of data is mandatory solely for the purpose of receiving the newsletter, and any refusal will result in the inability to use the service, without further consequences.

You may manage your preferences at any time to receive only the communications that interest you and modify the consents you have given by contacting the Data Controller or following the instructions found at the bottom of each communication.

In any case, to stop receiving the newsletter, you can simply select the unsubscribe link located at the end of each e-mail or send a specific request to [email protected]. The unsubscribe process is partially automated, meaning that additional communications may still be received for a short period after the request is submitted, but no later than 72 hours from the request for cancellation, as pre-scheduled e-mails may have already been prepared before the request was processed.

• Purpose of processing: to send the data subject e-mail communications regarding the Group’s products and services, news, updates on related topics, as well as offers and promotions.
• Legal basis for processing: the data subject's consent (Article 6, paragraph 1, letter a, GDPR), freely given and revocable at any time by sending a request to the Data Controller using the contact details provided on the website or by selecting the unsubscribe link at the bottom of each communication.

g)      Cookie

What are cookies? A cookie is a small text file that stores brief information about navigation on a particular website and is installed on your device when you access the site. Each cookie contains different data (e.g., the name of the server it originates from, a numerical identifier, etc.), may remain in the system for the duration of a session (until the browser is closed) or for extended periods, and may contain a unique identification code.

When you revisit the website, cookies will be sent back to the originating site (first-party cookies) or to third-party providers capable of recognizing them (third-party cookies).

The Data Controller assures you that the cookies used on its website do not damage your device and help provide a faster and better browsing experience.

What are they used for? Cookies serve different purposes depending on their type: some are strictly necessary for the proper functioning of a website (technical cookies), while others enhance performance to provide a better user experience, allow for statistical analysis of website usage, as analytics cookies, or enable the display of personalized advertising, as profiling cookies.

The website may use both cookies that do not require your consent for their installation (technical cookies) and cookies that require your prior consent before being used (profiling cookies). This information is displayed in the banner at the beginning of the session and in the cookie settings panel, which is always available on the website.

Specifically, the following types of cookies may be enabled on the website:

1. Technical cookies (which do NOT require your consent):

These cookies are necessary for the website’s functionality and allow access to its features (so-called browsing cookies) or authentication within a session.

The use of functional cookies is also permitted, as they store your preferences and settings, thereby improving your browsing experience on the website.

To ensure functionality, these cookies are generally not deleted when the browser is closed; however, they have a predefined lifespan (usually up to a maximum of two years) and automatically deactivate after this period. These cookies and the data they collect will never be used for additional purposes.

The installation of technical cookies occurs automatically when accessing the website or activating certain functions (e.g., selecting the "remember me" option). You can disable them at any time by modifying your browser settings; however, doing so may result in issues with the proper display of the website.

• Purpose of processing: ensure the proper functioning and security of the website;
• Legal basis for processing: the Data Controller's legitimate interest in ensuring the proper operation of the website and the security of navigation, while balancing these interests with the rights of the data subject (Art. 6(1)(f) GDPR).

1. Analytics cookies (which may NOT require your consent if anonymised)

These cookies track user choices on the website and data related to online browsing (e.g., pages viewed, time spent on a page, etc.) for statistical analysis, typically in an anonymous and aggregated form. If users are traceable and identifiable through such analysis, these tools may only be used with their explicit consent.

However, when the following conditions apply:

• The IP address is properly anonymised;
• The data collected through analytics cookies refer to a single digital resource (e.g., website, app) and are used only in an anonymous and aggregated form;
• The cookie provider does not combine the information with other data processing activities or share them with third parties,

the complete data anonymisation is ensured, and these cookies may be activated without requiring user consent, as the data collected are not linked to any identifiable individual.

• Purpose of processing: obtain statistics on user behaviour on the website based on aggregated and anonymised data.
• Legal basis for processing: depending on the case:

- The legitimate interest of the Data Controller in optimising website performance and improving the services provided through it, while balancing this interest with user rights (Art. 6, paragraph 1, letter f, GDPR).

- The user’s consent (Art. 6, paragraph 1, letter a, GDPR), freely given and revocable at any time via the cookie banner or by following the instructions provided below and in the Cookie Policy.

1. Profiling and marketing cookies (which require your CONSENT):

This website also uses profiling and third-party cookies, whose installation is subject to your prior explicit consent, either given through the cookie banner or managed at any time via the Cookie Policy.

Profiling cookies may include different categories, such as advertising profiling cookies, retargeting cookies, or social cookies.

• Advertising profiling cookies: create a user profile that enables the display of advertisements aligned with browsing preferences.
• Retargeting cookies: created to send advertisements related to previously viewed or purchased products that have shown user interest.
• Social cookies: this site allows the installation of cookies related to social network plug-ins. These cookies are managed directly by third parties and allow the display of advertising messages in line with your preferences.

When you access the website, a banner will inform you of the presence of profiling and retargeting cookies. Through this banner, you can accept or decline their installation and select the specific cookies you wish to enable.

You may revoke your consent at any time, without affecting your ability to browse the site and access its content.

The installation of profiling, retargeting, analytics, and social cookies, along with any other activities related to them, is managed by third-party services. For further details or to enable/disable these cookies, you can refer to the privacy policies of the respective third parties, which are listed in our Cookie Policy.

Users are informed about cookies through both a brief notice (displayed in the banner until consent is given or refused) and through our Cookie Policy, which we recommend reading carefully for more details on the cookies used on the website and how to disable them.

• Purpose of processing: analyse user browsing behaviour to promote personalised advertising;
• Legal basis for processing: the user’s consent (Art. 6, paragraph 1, letter a, GDPR), freely given and revocable at any time via the cookie banner or by following the instructions provided below and in the Cookie Policy.

1. Social Media Plug-ins

The website includes certain buttons that direct users to the Data Controller’s social media profiles. Only when clicking these buttons may certain cookies be activated for marketing and profiling purposes by the third parties managing these social networks. The Data Controller does not directly manage these tools but informs users that such cookies may be activated when using specific website functions. For more information on how to disable these cookies, please refer to the privacy policies of the respective social networks:

• LinkedIn: https://it.linkedin.com/legal/privacy-policy
• YouTube: https://policies.google.com/privacy?hl=it

Disabling Cookies via Browser

You can find more information about cookies and verify the installation of various cookies on your browser/device, as well as disable them where supported, by visiting http://www.youronlinechoices.com/it/.

Commonly used browsers (e.g., Internet Explorer, Firefox, Chrome, Safari) accept cookies by default, but this setting can be modified by the user at any time. This applies to both PCs and mobile devices such as tablets and smartphones, as it is a widely supported feature.

Cookies can easily be disabled or blocked by accessing the options or preferences of the browser being used and generally only third-party cookies can also be blocked. In general, these settings will only apply to that specific browser and device unless there are options available to unify preferences across different devices. Specific instructions can be found in the options or help section of each browser. However, disabling technical cookies may affect the full or correct functionality of various websites, including this one.

Typically, modern browsers:

• Offer the "Do Not Track" option, which is supported by some websites (but not all). When enabled, certain websites may no longer track certain browsing data.
• They offer anonymous or private browsing, which prevents data from being stored in the browser and avoids saving the browsing history, although navigation data may still be acquired by the website provider.
• They allow the deletion of stored cookies, either in full or in part. However, upon revisiting a website, cookies may be reinstalled unless their installation has been blocked.

Below are links to support pages for the most commonly used browsers, containing instructions on how to disable cookies in each:

• Firefox (https://support.mozilla.org/it/kb/Attivare%20e%20disattivare%20i%20cookie);
• Microsoft Edge (http://windows.microsoft.com/it-it/internet-explorer/delete-manage-cookies#ie=ie-11);
• Safari (iOS) (https://support.apple.com/it-it/HT201265);
• Chrome (desktop: https://support.google.com/chrome/answer/95647?hl=it; Android e iOS https://support.google.com/chrome/answer/2392971?hl=it).

 

 

 

5.       For what additional purposes may we use your data?

Your personal data may also be used for the following purposes:

1. To comply with legal obligations and requests from public or governmental authorities.
2. To handle any disputes or legal proceedings and to defend the Data Controller’s rights in both judicial and extrajudicial settings.
3. To share data for internal administrative purposes among companies within the Group.

In such cases, the legal bases for processing will be:

• For point a), compliance with a legal obligation.
• For point b), the legitimate interest of the Data Controller in protecting its rights, provided it is appropriately balanced against the rights of the data subject.
• For point c), the legitimate interest of the Data Controller in sharing information with companies within the Group.

6.       With whom will we share your data?

In accordance with the purposes outlined in the previous section, the Data Controller/Co-Controller’s personnel may be assigned to process your data in order to provide the requested services, information, or support.

Additionally, within the limits of these purposes and based on the Data Controller’s legitimate interest, your data may be shared with other companies belonging to the same corporate group as the Data Controller.

Access to your personal data will be expressly authorised by the Data Controller, who, if necessary, may designate service providers and entities responsible for carrying out its activities as Data Processors, in compliance with Articles 28 and 29 of the GDPR.

In this regard, please note that the list of cookie providers is available in the Cookie Policy of each website.

Furthermore, the list of Data Processors is available at the Data Controller’s premises and can be requested using the contact details provided above.

User data will never be sold to third parties, except in cases where it is required by the nature of the services provided, or if, due to a legal obligation or a legitimate interest, the Data Controller is required to disclose them to the relevant judicial or regulatory authorities.

7.       How will we process your data?

Your personal data will also be processed using electronic means for the time strictly necessary to achieve the purposes for which they were collected.

The Data Controller will implement the technical and organisational measures necessary to prevent data loss, unlawful or improper use, and any unauthorised access by third parties.

To ensure the security of your personal data, the Data Controller will limit the number of individuals authorised to access servers or databases and will implement protective systems to mitigate the risk of cyberattacks. 

8.       Will my data be processed outside the European Economic Area?

The data processed by the Data Controller are stored on servers located within European territory.

However, some Group companies are based in non-European countries, and your data may be shared with them as specified in Sections 1 and 2.

Additionally, some cookie service providers are based in the United States, as specifically indicated in our Cookie Policy.

In such cases, personal data may also be transferred to servers located abroad. However, all necessary precautions will be taken to ensure the highest possible level of data protection. These transfers will be based on: a) Adequacy decisions issued by the European Commission for the recipient third countries; b) Appropriate safeguards provided by the third party or recipient company, as outlined in Article 46 of the GDPR; c) The adoption of the so-called Binding Corporate Rules (BCRs), along with the implementation of technical and IT security measures to best protect personal data and the rights of data subjects, as required by the GDPR and European regulations

For more details regarding cookie providers and cookie management services located in non-European countries, please refer to our Cookie Policy.

9.       How long will you retain my data?

The Data Controller will process your personal data for the period reasonably necessary to achieve only the purposes previously listed, which can be reviewed in the section “What data will we process?”, or for the retention periods required by applicable regulations.

- Data related to your curriculum vitae and job application will be retained for two years.

- Data used for sending newsletters and commercial communications will be retained until you request deletion or for a maximum of five years from the date of your consent.

- Data used for soft spam communications will be retained until you request deletion or for five years from the last time you expressed interest in the Group (e.g., by contacting us through the website).

- The retention periods for cookie-related data can be found in our Cookie Policy.

At the end of the retention period, your personal data will be deleted or permanently anonymised. 

10.   Links to third-party websites and social networks

The website may contain links to and from the websites of our partners, advertisers, and social networks. Please note that the Data Controller assumes no responsibility for any personal data that may be collected through these external websites and their associated services. If the user follows a link to any of these third-party websites, he/she is encouraged to carefully review the Privacy Policy provided by each external entity before using their services.

11.   What are my rights and how can I protect my privacy?

Regarding your personal data, and in compliance with the GDPR, the Data Controller informs you that you have the right to request:

• Access to your data.
• Modification and rectification of any errors in our database concerning your data.
• Deletion of your data if they are held without a legal basis.
• Restriction of data processing.

• Objection to data processing.
• Data portability.

Additional templates and further details on how to exercise these rights are available here: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1089924.

 

Below is a table detailing how to exercise your rights:

 

YOUR RIGHT	HOW CAN YOU EXERCISE IT?
Access	You may request: Confirmation of whether your personal data are being processed; A copy of your data. Additional information about your personal data that is not already included in this privacy notice.
Correction	You may request the correction of inaccurate or incomplete personal data. Before correcting, we will verify the accuracy of the data stored in our records.
Erasure/ Right to be Forgotten	You may request your personal data to be deleted, but only if: Its retention is no longer necessary for the purposes for which it was collected; You have withdrawn your previously given consent (where processing is based on consent). The processing was carried out unlawfully. It is necessary to comply with a legal obligation to which the Data Controller is subject (in relation to an order issued by an Authority).
Restriction	You may request that the processing of your personal data be restricted, but only if: Its accuracy has already been contested. It is no longer necessary for the purposes for which it was collected, but a legal dispute is ongoing regarding its use. Following your request for restriction, the use of your personal data is still permitted when: Your consent remains in effect; It is necessary to exercise or defend a legal claim; It is required to protect the rights of another individual or legal entity involved in the processing.
Portability	You may request a copy of your personal data in a structured, readable, and commonly used format.
Objection	You may object at any time to the processing of your personal data when: ·         The legal basis for processing is the Data Controller’s legitimate interest. ·         Your personal data is processed for direct marketing purposes, including profiling where it is related to direct marketing. When you object: ·         If the processing is for direct marketing, your personal data will no longer be used for such purposes. ·         If the processing is based on the Data Controller’s legitimate interest, processing may continue only if compelling legitimate grounds are demonstrated that override the interests, rights, and freedoms of the data subject or if necessary for the establishment, exercise, or defence of legal claims. You can exercise your right to object through automated means that use specific technologies, such as those available on the website in your personal area and in e-mails (unsubscribe link).

The Data Controller guarantees that every request concerning your rights will be addressed within thirty days from the date of receipt.

12.   Can I file a complaint?

You have the right to file a complaint with the Data Protection Authority, if you believe that the Data Controller’s processing of your data does not comply with the provisions of European Regulation No. 679/2016 and national legislation.

In Italy, the competent authority is the Garante per la protezione dei dati personali, whose contact details are available at: http://www.garanteprivacy.it/.

More information and the complaint form template can be found here: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4535524 .

Additionally, if the conditions outlined in Articles 78 and 79 of the GDPR are met, you have the right to bring an action before the competent judicial authority.

 

 

 

 

13.   Possible modifications

The information provided in this document may be modified over time, in cases where processing activities change, new data are collected, or legislative or regulatory updates occur. Additionally, modifications may be made due to technological advancements. For this reason, we recommend that you periodically review this Privacy and Cookie Policy, which is always kept up to date on this page.