The data supplied to Cleaf S.p.a., in compliance with the contractual relationship with Cleaf itself and/or via the website at www.cleaf.it (hereafter the “Website”) when registering on the Website and/or when using services supplied by Cleaf S.p.a., including those in the restricted area of the Website (hereafter “Services”),shall be processed in compliance with personal data protection legislation. Cleaf S.p.a. informs users/clients of the following.

1. Data Controller
1.1 The Data Controller of personal data is Cleaf S.p.a. (hereafter “Cleaf” or “Data Controller”), with its registered office in Macherio (MB), via S. Ambrogio 18, 20846, Italy.

2. Nature of the data processed and purposes of the processing
2.1. The personal data processed, where personal data is defined as any information on a physical person who is identified or may be identified, either directly or indirectly through reference to any other information. The data processed are:
a) the data provided by the user to the Data Controller in compliance with the contractual relationship with Cleaf;
b) the data provided by the user to the Data Controller when requesting for supply of a Service provided by Cleaf, such as name, surname, e-mail address, residence or domicile address, fiscal code, telephone number, fax number, bank details, IP address;
c) the data provided by the user to the Data Controller when submitting his/her application for employment opportunities offered by Cleaf itself on the relevant section of the Website, such as biographical data (name, surname, sex, date of birth, nationality, postal address, telephone number, e-mail address), data regarding user’s education, professional experience, IT skills and knowledge of languages;
d) the data provided by the user to the Data Controller in the course of further contacts with the Data Controller (name, surname, e-mail address, professional position);
e) the data collected by Cleaf when browsing the Website, such as  IP address, information obtained through cookies.
2.2 The data will be used for the following purposes:
a) for the performance and the continuation of the employment relationship with Cleaf, including the management of the contractual service requested, the invoicing of the service rendered, as well as for the fulfilment of obligations under the law and EU regulations or legislation and for exercising rights before the Courts;
b) for the transmission, via e-mail and paper-based mail of commercial proposals related and/or connected to Cleaf’s Services, for sending advertising material exclusively regarding the above-mentioned products or services, Cleaf’s bulletin-newsletter, invitation to conferences, information relating to the area of intellectual property, communications regarding market opportunities concerning the administration of intangible goods (such as trademarks, patents, design) and/or for conduction of market surveys.

3. Obligatory/optional nature of providing data
3.1 Providing the data requested at the time of the establishment of the contractual relationship with Cleaf and/or when registering on the Website or when activating the Services for the purposes identified in the section 2.2A above is mandatory, as it is strictly functional for the performance of the contractual commitments, for providing the Services themselves and meeting legal obligations. Refusal to supply data will make it impossible for Cleaf to fulfill its contractual commitments, to complete the process of registering on the Website and/or therefore provide the Services.
3.2 The user/client may object to processing of the data for the purposes identified in section 2.2B above either by using the opt-out system included in all the communications, either by sending an e-mail to info@cleaf.it.
Providing the data requested at the time of activation of the Services for the purposes identified in sections 2.2B, 2.2C above is optional. Refusal to consent to the purposes of section 2.2B will have no effect on the performance of the contractual commitments and/or for the providing of Services. Users/clients will be able to benefit from Cleaf’s performances and Services anyway.

4. Processing methods
4.1 Users/clients’ data will be collected on line or through the use of physical storage when establishing the contractual relationship with Cleaf, when registering on the Website, when activating the Services, as well as by comparing items of parts of items of information and through the use of the e-mail service.
4.2 Users/client’ data will be processed through registration, consultation, communication, storage and deletion operations conducted primarily using electronic tools and manually, ensuring that appropriate measures are taken to protect the security and guarantee the confidentiality of the data processed.
4.3 Users/client’ data, stored in electronic/magnetic/digital form, are stored and filed on a server located in Italy; personal data stored in paper form shall be filed in specific registers and/or records whose conservation shall be guaranteed by placing the latter in specific containers, stored in suitable premises. Cleaf declares that data registered on its server and/or in suitable premises are protected against the risk of intrusion and unauthorized access, and that it has taken appropriate security measures to ensure the integrity and availability of data and protect areas and places for data storage and accessibility.
4.4 Personal data will be processed by Cleaf employees and/or collaborators acting as data processors, in the context of their respective functions and in accordance with the instructions given by Cleaf. The list of the data processors may be available on request of the data subject.

5. Data disclosure
5.1 Users’ personal data may be disclosed to certain parties appointed by Cleaf to perform the contractual commitments, to provide the Services requested and to meet legal obligations. Users’ data will not be disseminated.

6. Users’ rights
6.1 Data subject are entitled to obtain confirmation of the presence of their personal data and the purposes for which the data are processed at any time. Users are also entitled to request updating, correction, deletion or blocking of data and to refuse its use, entirely or in part.
6.2 Users’ rights are listed below. Specifically:
6.2.1 A data subject shall have the right to obtain confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information.
6.2.2 A data subject shall have the right to be informed of:
a) the source of the personal data;
b) the purposes and the modalities of the processing;
c) the logic involved in any personal data processing by electronic means;
d) the contact details of the controller and, where applicable, of the processor and of the controller’s representative;
e) the subject or categories of subjects to whom the personal data may be disclosed or that may access to the data as controller or processor’s representative within the territory of the State.
6.2.3 In addition to the previous information, the data subject is entitled to receive from the Controller the following further information upon request:
a) obtain from the controller without undue delay the update, integration or rectification of inaccurate personal data concerning him or her;
b) the rectification or deletion of personal data or restriction of processing concerning the data subject or to refuse the processing as well as the right to data portability, and the anonymization of the data;
c) the attestation that the operations mentioned in sections a) and b) above have been notified to the subject to whom the data were disclosed, unless the fulfilment of this requirement is impossible or involves disproportionate effort.
6.2.4 The data subject shall have the right to object, at any time, to processing of personal data concerning him or her:
a) for legitimate on grounds relating to his or her particular situation, including profiling;
b) where personal data are processed for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing.
6.2.5 The data subject shall have the right to:
a) lodge a complaint with a supervisory authority (data protection Authority);
b) receive the personal data concerning him or her, which he or she has provided to Cleaf, in a commonly used electronic form and in an easily legible manner, and have the right to transmit those data to another controller without interferences;
c) obtain from the controller restriction of processing.
6.3 To exercise the above mentioned rights and receive information on parties to whom the data are disclosed, or parties who may become aware of data while acting as data processors or persons in charge of the processing, the users may contact Cleaf, by sending a request using the contact details provided above.

7. Duration of processing
7.1 Personal data will be processed with regard to the purposes mentioned in section 2.2.A, for no longer than the duration of the contract with Cleaf, plus a period of 10 years for the fulfilment of current civil, fiscal and tax obligations.
7.2 Personal data will be processed with regard to the purposes mentioned in section 2.2.B for no longer than 24 months starting from the date in which the consent to the processing of personal data was given.
7.3 At the end of the data processing period, the data will be deleted or permanently rendered anonymous.

8. Legal basis for the processing
8.1 The legal basis for the processing shall be constituted in accordance with the contractual relationship, the Data Controller’s legitimate interest and the legal provisions.

9. Updating of Privacy Policy
9.1 This Privacy Policy is subject to occasional revision. Cleaf will notify users when changes are made to data processing conditions by publishing the amendments on the Website. If required under current legislation, users will have the option to consent to any new data processing. If the user refuses, his or her data will not be processed according to the changes of the new privacy policy.

10. Transfer to non-EU countries
10.1 Personal data shall not be transferred to non-EU countries.