​​​​​The data controller

This policy applies to the website https://www.leonardologistics.it/en/ ( “Website”). The Data Controller for any personal data ( “Data”) is Leonardo Logistics S.p.A., VAT No and Tax Code 08401270015, with its headquarters in Piazza Monte Grappa n.4 - 00195 Rome, in the person of its present legal representative ( “Data Controller” or “Company”). The Data Controller provides this policy pursuant to Articles 13 and 14 of EU Regulation 679/2016 et seq. (“GDPR”) and international, European and Italian laws on personal data processing, in each case to the extent in which they are applicable at the time, along with their respective amendments, supplements and reforms (collectively, together with the GDPR,“Applicable Privacy Regulations”).
 
Purposes and legal grounds for the processing  

As explained in more detail in the sections that allow users of the Website to sign up to member services - providing their personal data - the data of the users involved is processed based on the requests expressly sent by these users, from time to time, through the Website. In particular, all data collection and subsequent processing is aimed at achieving the following purposes:

• to share the content on the Website;
• to handle customer relationships. In particular, the Leonardo Logistics S.p.A. website features various contact methods by email, where users can indicate their email to request information on products, or official communications from Leonardo Logistics S.p.A.. In both cases, the Leonardo Logistics S.p.A. website does not store the user’s data, but rather it is sent to the relevant company departments; 
• general information requests;
• to redirect users to third-party pages where they will be able to access members’ areas they are interested in. The Leonardo Logistics S.p.A. website does not actually allow access to certain members’ areas; when this happens, the requests to the user to enter their data for registration and the subsequent processing shall be handled by a third-party supplier of the members’ access page, with a specific personal data processing policy and subject to special consent from the data subject;
• commercial information on the services provided by the Data Controller and/or its other affiliated companies;
• purposes connected to any obligations provided for by applicable laws or regulations, as well as by the provisions laid down by competent supervisory and control bodies/authorities.

The Data Controller shall not use the data provided for purposes other than those relating to the service, including the ones listed above, which the user involved has agreed to, or only within the terms indicated from time to time in any additional specific policy accompanying a particular, different service requested by the user.
 
Who we allow to process data

For the purposes of providing the service which the user has agreed to, data may be disclosed to third parties, including affiliated companies, as well as to consultants who assist the Data Controller in meeting users’ requests (for example, legal and tax firms), which shall act, depending on the case, as independent data controllers or as data processors pursuant to Article 28 of the GDPR. Data shall also be sent to any third parties to whom data must be disclosed to comply with laws or regulations.

The updated list of data processors is available upon request at the Data Controller’s e-mail address: dpo.lls@leonardo.com or  leonardo_logistics@pec.leonardo.com.

At the Data Controller’s organization, personal data is only processed by staff specifically authorized by the Data Controller itself and identified from staff responsible for administration, communication, accounting or IT system technical maintenance. These people are appointed as authorized data processors and carry out any essential processing to achieve the aforementioned purposes.

Unless the specific policy states otherwise, personal data shall not be circulated or transferred to third-party countries outside the European Economic Area.
 
How we process data

All the processing done as part of the Website shall be carried out

• according to methods and procedures strictly required to meet the user’s requests, through operations or a series of operations as indicated under Article 4, paragraph 1, number 2 of the GDPR;
• through the use of electronic or automated tools, but also with paper/manual tools. In this respect, please note that data is stored in paper archives located at the Data Controller’s headquarters and in electronic archives located both at these same headquarters and on servers controlled by the Data Controller and, in any case, located in the European Economic Area.

Data shall be processed using methods related to the purposes for which it was collected and in accordance with the Applicable Privacy Regulations for the purposes mentioned above or specified from time to time in any additional policies submitted to the user.

Personal data shall be processed for the time strictly required to achieve the purposes for which it is collected. 

Types of data processed and optional data provision

We shall process both data that is strictly necessary to fulfil users’ requests and data that is provided optionally and is not strictly necessary to fulfil the request.
If the data subject refuses to provide their personal data or grant their consent, when required, to processing:

• in the case of data that is strictly necessary to fulfil users’ requests, it shall not be possible for the Data Controller to meet these requests;
• in the case of data that is provided optionally, it shall not be possible to provide at least part of the services requested or to provide commercial information for users on the services offered by the Data Controller and its other affiliated companies.

 
Browsing data

The computer systems and software procedures used to run this website acquire certain personal data during normal use, which is transmitted using Internet communication protocols. This information is not collected to be associated with identified data subjects. However, by its very nature, it might be used to identify users by means of processing and matching with information held by third parties.

This data category includes IP addresses or the domain names of the computers used by users accessing this website, the URI (Uniform Resource Identifier) addresses of the requested resources, the time of such requests, the method used to submit the request to the server, the size of the file received in reply, the numerical code indicating the server response status (successful, error, etc.) and other parameters relating to the user’s operating system and computer set-up.

This data is only used to extract anonymous statistical information on how the Website is used and to ensure that it is running properly. It is deleted immediately after processing. Data might be used to ascertain liability in the event of any cyber-crimes against the Website: other than in this case, the data on web contacts shall not be stored for longer than seven days.
 
Data provided voluntarily by the user

The personal data normally required to use the Website’s services includes personal and contact details. If emails are sent optionally, explicitly and voluntarily to the addresses indicated on the Website, the sender’s email address shall then be acquired, which is required to answer the requests, as well as any other personal data included in the message. Specific summaries shall be gradually shown or displayed on the Website’s pages for particular requested services or for registration to the Website’s members’ areas. Data belonging to special categories under Article 9 of the GDPR is not normally processed; if this data needs to be processed for certain services, a special notice shall be issued beforehand, and the specific consent of the user involved shall be requested.
 
Cookies and other information reading/archiving technologies on the user’s device

We may use cookies on this Website (small text files transferred by the Website to the device used for browsing by the user) as well as other information reading and/or archiving technologies on the user’s device, such as fingerprinting, email trackers or clear GIFs/beacons, the purpose of which is to analyse the user’s access to that given web page, and any other information that can be obtained from legible parameters through functions on the web page, in order to customise and facilitate users’ browsing experience and to improve the profiling of users for advertising and/or commercial purposes.
Cookies can be “temporary” (or session cookies, as they are deleted at the end of the connection) or “permanent” (they stay saved on the user’s hard drive, unless the user deletes them).

For more information on how to set your cookie preferences through your browser, please see the relative instructions:

• Internet Explorer
• Firefox
• Chrome
• Safari

For more information on the types of cookies used by the Website, and the functions permitted by enabling or disabling them, please refer to the “Cookie Policy” found here.

To exercise the rights on the use of cookies and other profiling tools, you can contact the following email address of the Data Controller dpo.lls@leonardo.com as described in detail below.
 
Data subject rights

Regarding the personal data processed by the Data Controller, users of the Website may exercise the rights provided for by the Applicable Privacy Regulations within the limits provided for therein and, in particular, they may:

• ask the Data Controller for confirmation of the existence of their personal data, the source of this data, the methods and purposes of the processing, the categories of subjects to whom the data may be disclosed, as well as the identification details of the data controller and data processors;
• request access to personal data, its anonymization, blocking, amendment, integration or deletion, or the restriction of processing;
• object to processing in cases provided for by the Applicable Privacy Regulations;
• exercise their right to portability;
• withdraw their consent at any time (when this is the necessary legal grounds for the processing), without affecting the lawfulness of the processing based on consent granted before the withdrawal;
• file a complaint with the Italian Data Protection Authority, following the procedures and instructions published on the Authority’s official website at garanteprivacy.it .
• To exercise the rights provided for by the Applicable Privacy Regulations, you can fill out the appropriate form found at the following link, and send it to the following addresses: dpo.lls@leonardo.com, or leonardo_logistics@pec.leonardo.com.

For any communications, requests or reports about privacy, you may send an email to the email addresses indicated above.

Any amendments or deletion or restricting of the processing carried out upon request from the user involved – unless this proves impossible or involves disproportionate effort – shall be reported by the Data Controller to each recipient that was sent the personal data. The Data Controller shall disclose these recipients to users if they request it.

Users should constantly check this Privacy Policy to find out about any changes or alterations to the policies by the Data Controller regarding privacy, primarily due to legislative amendments.

Leonardo Logistics S.p.A., with its registered head office in Piazza Monte Grappa n.4 - 00195 Roma, email leonardo_logistics@pec.leonardo.com, in the person of its present legal representative, as the data controller of your personal data that it intends to process (“Data Controller”), hereby provides you with the following policy pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 ( “GDPR”) and the applicable legislation at the time on personal data protection (collectively, “Privacy Regulations”).

The Data Controller has appointed a Data Protection Officer (DPO), as provided for by the GDPR, in charge of monitoring, supervision and specialist consultancy in the field of privacy, who can be contacted for any support required at the following email address: dpo.lls@leonardo.com.
 
1.   Categories of data subjects and processed personal data

This policy is aimed at anyone who, in various ways, has had or has professional, commercial or business dealings with one or several Italian or foreign legal entities belonging to the Leonardo Group ( “Group”), including but not limited to: individuals working as freelancers or as the contact person for legal entities qualified as clients, suppliers (other than those on the Leonardo List of Suppliers), partners or other counterparties of the Group or anyone who has entered into contact with the Group because, for example, they have taken part in an event or another initiative organized by the Group, etc. (collectively, “Data Subjects”).

Only “ordinary” personal data shall be processed, such as name and surname, tax code, VAT number, residence, domicile, work head office, email or certified email address, telephone number, relevant company, role and/or position at the company, etc. ( “Data”).
 
2.   Intended purposes of the processing of Data and relative legal grounds

The Data might be processed to:

a.    manage existing contractual relationships with Data Subjects and/or with the organizations which Data Subjects work for and to send communications on this relationship. The legal grounds for carrying out this processing are the fulfilment by the Data Controller of specific contractual or pre-contractual obligations made to the Data Subjects and/or the legal entity which the Data Subjects work for (Article 6, letter b of the GDPR), as well as to comply with legal provisions and regulations (Italian or EU) and any orders and requirements for the Data Controller from judicial authorities, supervisory bodies and professional associations (Article 6, letter c of the GDPR);
b.    to comply with obligations arising from the Group’s procedures and/or any standards (including regarding security) applicable to the Group, based on Article 6, letter c of the GDPR;
c.    if Data Subjects have taken part in an event, conference, seminar, etc., organized by the Group, in order to send Data Subjects invitations to other similar events to the one they attended, identified as being in their specific interest. The legal grounds for carrying out this processing are the legitimate interests of the Data Controller and the Group in establishing and maintaining successful, optimal professional relationships with the Data Subjects (Article 6, letter f of the GDPR).

The provision of Data is required to carry out the existing relationship between the Data Subjects and the Data Controller or one or several of the Group’s companies. Without the Data, it shall not be possible for the Group to manage this relationship.
 
3.   Categories of recipients of Data

Data might be disclosed to public and/or private organizations authorized to receive it by law, as well as to individuals and/or legal entities that provide services or assistance and consultancy to the Data Controller and/or the Group’s other companies.

Data shall be processed by the Group through its duly authorized staff, only to the extent necessary and based on specific instructions from the Data Controller, with guaranteed confidentiality and privacy. Data shall not be circulated. If, for the purposes described, any Data must be transferred to countries outside the European Economic Area or to international organizations, the Data Controller shall strictly comply with the provisions on the issue laid down by the Privacy Regulations and shall ensure that the recipient follows the same standards set by the Privacy Regulations.
 
4.   Data processing methods and the relative storage

Data shall be processed in accordance with the Privacy Regulations and shall be done with computer and/or manual systems, which are adequate in any case to guarantee the security of this processing. Data shall be processed in accordance with the principles of proportionality and necessity, so any unnecessary Data shall not be collected or processed, as well as with the principles of fairness and transparency and adequate security measures.

Data shall be stored for the time strictly necessary to achieve the purposes for which it was collected, unless it must be stored for longer in order to fulfil specific legal obligations and/or to protect a right in court of the Data Controller and/or the Group’s other companies.
 
5.   Data Subject rights

Data Subjects may exercise their rights provided for by the Privacy Regulations. In particular, Data Subjects may:

a.    ask the Data Controller for confirmation of the existence of their personal data, the source of this data, the methods and purposes of the processing, the categories of subjects to whom the data may be disclosed, as well as the identification details of the Data Controller and its data processors;
b.    request access to personal data, its anonymization, blocking, amendment, integration or deletion, or the restriction of its processing;
c.    object to processing in cases provided for by the Privacy Regulations;
d.    exercise their right to portability, within the limits provided for by Article 20 of the GDPR;
e.    withdraw their consent at any time, without affecting the lawfulness of the processing based on consent granted before the withdrawal;
f.    file a complaint with the Italian Data Protection Authority, following the procedures and instructions published on the Authority’s official website at garanteprivacy.it.

Any amendments or deletion or restricting of the processing carried out upon request from the Data Subjects – unless this proves impossible or involves disproportionate effort – shall be reported by the Data Controller to each recipient that was sent the personal data. The Data Controller shall disclose these recipients to Data Subjects when requested by the latter.

In order to exercise their rights under the previous paragraph, as well as for any clarifications, Data Subjects may contact the Data Controller directly by sending an e-mail to the address dpo.lls@leonardo.com.