Privacy Policy


Background information on the processing of the user’s personal data
Rights of the user concerned
How to exercise rights and/or request information on processing
Background Information


Dear user,

This Privacy Policy is provided to you pursuant to Article 13 of EU Regulation 2016/679 – on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter also “the Regulation” or “GDPR”).

In this Privacy Policy you will find information on the processing of your personal data resulting from navigation within web spaces and the use of the services made available to you through the website.

You will be provided with specific and/or supplementary information on the processing of your personal data each time we collect it, during your interaction with the site, or under contractual relationships established with our Company. You can consult all of them at any time by clicking on the links in the “Information” section at the bottom of this page.

Please note that this Privacy Policy does not apply to web services provided by third parties that you may use or consult and access via hypertext links. For these, we invite you to consult the privacy notices and privacy policies provided by these third parties in the appropriate locations.


Privacy Policy: The GDPR, the Privacy Code, the Provisions of the Guarantor, and in general, all legislation on the protection of individuals with regard to the processing of Personal Data.

GDPR or Regulation: European Union Regulation 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data (General Data Protection Regulation)

Personal data: Any information relating to an identified or identifiable natural person. In addition to the data provided by the user via any forms within the individual areas of the Web Services, this also includes data relating to the user’s navigation 

Stakeholder or interested party: The identified or identifiable natural person to whom the Personal Data relates.

Navigation data: The computer systems and software procedures used to operate the Web Services acquire, in the course of their normal operation, certain data whose transmission is implicit in the use of Internet communication protocols. This information is not collected in order to be associated with identified interested parties, but by its very nature could enable users to be identified through processing and association with data held by third parties. However, if the browsing session is carried out after accessing the Reserved Area (or log in), the data collected are associated with the user’s personal account.

Navigation data includes:

  • IP addresses or domain names of computers used by users connecting to the site;
  • the addresses in URI (Uniform Resource Identifier) notation of the requested resources;
  • the time of the request;
  • the method used to submit the request to the server;
  • the size of the file obtained in response;
  • the numerical code indicating the status of the response given by the server (successful, error, etc.);
  • other parameters relating to the user’s operating system and computer environment.

Data provided by the user: These are the data that the user voluntarily and knowingly shared by sending communications (e.g. by e-mail, to the addresses present in the web domain) or by filling in specific forms, if present in the spaces provided by the Services.

The Data provided by the User are only those strictly necessary for the purposes occasionally required by the services (for precise indications regarding the categories of data occasionally collected, please refer to the individual privacy policies of reference). By way of example, such data may include:

  • personal details;
  • contact details (e.g. e-mail address);
  • information related to the contractual position of the user/customer;
  • geolocation (where the user has given consent to the collection of data relating to his/her location);
  • information related to the use of the individual services made available to the user;
  • relevant facts and events revealed by the user in his/her messages (in this regard, and for his/her greater protection, the user is invited not to provide information that is not strictly pertinent to the subject of the request and the nature of the services provided by the company).

Data Controller or the Controller: The person who decides upon the purposes and means of processing Personal Data. With reference to Web Services, it is the Company of the Unipol Group to which this site refers, and the references of which you can find at the bottom of each page.

Services or Web Services: The services provided through the internet, used through the website and/or any apps.

User: The data subject (natural person) who browses, consults, accesses, or uses the Web Services.

DPO: The Data Protection Officer. The user concerned may request clarifications on the processing of Personal Data or exercise his/her rights by contacting the DPO, in the manner and form indicated in the section “How to exercise rights and/or request information on data processing”.

Privacy Guarantor: The Garante per la protezione dei dati personali [Data Protection Guarantor], i.e. the Italian national supervisory authority for the protection of personal data. See the website of the Privacy Guarantor.

Cookies: Cookies are pieces of information that are stored on your device (e.g. in the memory of your browser) when you visit a website or use a web application. 

Each cookie may contain various data, such as the name of the server from which it comes, a numeric identifier, etc.

See Cookie  Policy for more information.


Below we provide you with useful information regarding the processing of Personal Data carried out through the Web Services.

In particular, we want to inform you about:

  • the identification and contact details of the data controller;
  • the contact details of the Data Protection Officer (DPO);
  • the categories of Personal Data processed through the Web Services;
  • the purposes for which such Personal Data are occasionally processed;
  • the preconditions for processing such data (legal bases);
  • the duration of their storage, always strictly necessary for the pursuit of the stated purposes;
  • the categories of recipients of data communication.
Data controllerRegistered office
ITAL H&R S.r.l.– Via Stalingrado, 37 – 40128 Bologna (Italy).

Categories of Personal Data, purpose, and legal basis of processing and retention periods

Categories of Personal DataPurpose of processingLegal basesTerms of Data Retention
Navigation dataAllowing web browsing and the provision of servicesRequirement to perform a contract to which the data subject is party or to provide a service at the request of the data subjectFor the duration of navigation within the services
Obtaining anonymous statistical information on the use of the Web Services, for the sole purpose of monitoring their correct functioningLegitimate interest of the companyCollected data are aggregated and no longer traceable to the individual user who did the browsing
Data provided by the User: provision of Web ServicesRequest for informationRequirement to execute requests made by the data subject (pre-contractual phase) or legitimate interestThe time needed to provide feedback
 Booking at the facilitiesRequirement to execute requests made by the data subject (pre-contractual phase) or contractual phaseThe validity period of the reservation

The provision of your Personal Data is free and optional. We remind you, however, that for the pursuit of certain purposes (to provide you with the appropriate feedback requested, for registration in the Reserved Area or for the provision of individual Services) it is indispensable; if not provided, in such cases, it may not be possible to proceed with the pursuit of the aforementioned purposes.

However, we invite you to consult the individual data processing notices for more details.

Processing methods and recipients of data communication

The above data will not be subject to dissemination and may be viewed the by employees of our company specifically authorised to process them. They may also be acquired and/or processed by other companies of the Unipol Group and/or by the companies. Processing operations may be carried out by external parties to whom we entrust the performance of activities on our behalf, and with whom we enter into appropriate agreements aimed at regulating the processing of data.

Finally, the data may be communicated to public authorities or law enforcement agencies at their express request.

The processing of Personal Data is always carried out following the adoption of appropriate security measures to ensure the confidentiality, availability and integrity of such data.


The Web Services may use technical, analytical, and profiling cookies, both first and third party ones.

Cookies are essential for improving the services and providing products that are always in line with users’ preferences.

Any use of profiling and/or third-party cookies will always be subject to your prior consent.

To find out more, click here. 


The Privacy Law (Articles 15-22 of the Regulation) guarantees the user, as the Data Subject, the right to access his/her data, as well as the right to rectification and/or integration, cancellation or portability. The Privacy Policy also gives the user the right to request the restriction of data processing and to object to data processing, as well as the possibility to revoke any consent given (revocation does not affect the lawfulness of the processing carried out up to that moment).

RightsWhat does it consist of?Prerequisites for exercise
Access to dataThe user may request from the Data Controller: confirmation that he/she is processing data relating to the user;a copy of the data concerning the user;information concerning data processing (e.g. legal bases, retention periods, categories of data recipients, etc.)The user always has the right to submit such a request
Correcting or supplementing dataThe user may request the Data Controller to: correctupdateedit the Personal Data processedIf the data processed are inaccurate or incomplete
Data deletionThe user may request the Data Controller to erase the Personal Data being processedPersonal Data are no longer necessary for the purposes for which they were collected or otherwise processed;the user revokes the consent on which the processing is based, and if there is no other legal basis for the processing;the user objects to the processing pursuant to Article 21 and there is no overriding legitimate reason for processing;Personal Data have been unlawfully processed; the Personal Data must be erased in order to comply with a legal obligation imposed by a European Union or Member State law to which the Data Controller is subject
Limitation of the processing of Personal DataThe user may request that the Controller does not carry out any processing operation on the user’s Personal Data other than storage, except with the user’s consent or to protect his/her rightsthe user disputes the accuracy of the Personal Data, for the period necessary for the controller to verify the accuracy of such Personal Data; the processing is unlawful and the data subject objects to the erasure of the Personal Data and requests instead that their use be restricted;although the data controller no longer needs the Personal Data for processing purposes, the Personal Data are necessary for the establishment, exercise or defence of legal claims; the user has objected to the processing, pending verification of whether the legitimate reasons of the data controller prevail over those of the data subject
Objecting to the processing of Personal DataThe user may object to processing based on a legitimate interest (including the sending of promotional communications) or a public interestThere must be grounds relating to the particular situation of the user, except where the objection is to processing for direct marketing purposes
Objections to automated decision-makingThe user may object to automated decision-making processes. If such a process is necessary for the conclusion of a contract, or if it is based on explicit consent, or if it is authorised by law or regulation of the State or the European Union, the user has the right to obtain human intervention by the Controller, to express his/her opinion and to contest the decisionThere is a decision based solely on automated processing, including profiling, which produces legal effects concerning him/her or significantly affects him/her in a similar way
Portability of Personal DataThe user has the right to receive in a structured, commonly used, and machine-readable format, the Personal Data concerning him/herProvided that all the following conditions are met: the data have been provided by the user;the processing is based on consent or on a contract; the processing is carried out by automated means
Withdrawal of consentThe user may revoke the consent previously given. Revocation does not affect the lawfulness of the processing carried out up to that momentAlways


The “Data Protection Officer” is available to clear any doubts, for clarifications, for the exercise of the rights of the Data Subjects, and to provide an updated list of the categories of data recipients.

Data Protection Officer or

This does not affect your right to approach the Privacy Guarantor, including by means of a complaint, where deemed necessary for the protection of your Personal Data and your rights in this respect.


The list of background information is given below:

ITAL H&R information for customers at facilities – Ed. 22.01.2019 (IHR_InfC_Clie_01)

Back to index