Privacy policy

Information regarding the processing of personal data pursuant to and for the purposes of Regulation (EU) 679/2016 carried out through the website https://www.onit.it/ (hereinafter referred to as ‘the Website’) including through the use of COOKIES.

(version no. [2] of [22 September 2025])

In compliance with Regulation (EU) No. 679/2016 (hereinafter also referred to as the ‘Regulation’) and applicable national legislation, Onit S.p.a., Onit Sanità S.r.l., Onit Sistemi S.r.l., Onit Smart S.r.l. and Onit Operations S.r.l., each in their capacity as Joint Controllers (hereinafter also referred to as ‘Controllers’ for brevity), hereby intend to inform Data Subjects about the processing of their personal data carried out in the context of the processes relating to newsletter subscription, specifying that, depending on the processing operations taken into consideration, the Companies may have different levels of autonomy in determining the relative means and purposes, as identified in the joint controller agreement entered into between them. The Controller hereby intends to inform all data subjects about the processing of their personal data carried out through the Website and the Cookies used by the Website, emphasising its commitment and attention with regard to the protection of the rights of the data subject.

The Web Policy also provides information on how to manage cookies.

The Web Policy is provided exclusively for the Website and therefore does not apply to other websites, pages or online services accessible via hypertext links (so-called links) that may be published on the Website but which refer to resources outside the domain.

The Data Controller reserves the right to modify the Web Policy at any time and at its sole discretion. Any changes will take effect from the date of publication of the amended version of the Web Policy on the Website.

More detailed information on the purposes of processing and other useful information is provided in the individual policies for the various services.

In any case, the Data Controller ensures that the processing of personal data will be based on principles of correctness, lawfulness and transparency, protection of confidentiality and the rights of the Data Subject.

When the User accesses the Website and uses its services, they confirm that they have read the Web Policy.

Data controller and contact details:

Company Name: Onit S.p.A.

C. F.: 04057301006

Registration in the Forlì-Cesena (FC) Companies Register n. 292006

Legal head office: Via dell'Arrigoni n° 308 - 47522 - Cesena (FC) - Italy

email: onit@onit.it

Certified email: onit@pec.onit.it

Tel.: +39 0547 313110

Fax: +39 0547 318021

For requests regarding the processing of personal data and the exercise of the rights of the data subject, please use the following contact details

email: privacy@onit.it

Certified email: onit@pec.onit.it

Tel.: +39 0547 313110

Fax: +39 0547 318021

Data Protection Officer (DPO) and contact details

The Data Controller has appointed a Data Protection Officer (DPO) who can be contacted for any matter concerning the protection of personal data at the following addresses: Email: nicola.pagliarulo@share-ing.eu; Certified email: share-ing@legalmail.it

Types of data processed, methods of processing, purposes of processing, storage times and/or criteria for determining storage times, legal bases

The following categories of personal data are processed: (i) browsing data; (ii) data provided by the data subject; (iii) data acquired through cookies.
The data is processed using automated methods on the computer systems owned and/or available to the Data Controller.

(i) Browsing data

The computer systems, applications and software procedures used to operate the Website collect, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols.

This category of personal data includes: (a) the IP address or domain name of the computer and terminal used by the data subject; (b) the URI/URL addresses of the resources requested; (c) the time of the request; (d) the method used to submit the request to the server; (e) the size of the file obtained in response to the request; (f) the numerical code indicating the status of the response given by the server; (g) any search engine used to locate the link to the Site, subsequently used to access it; (h) other parameters relating to the operating system and IT environment used by the data subject to access and browse the Site.

(i). 1. Purpose of processing

The purposes of processing the browsing data under (i) are:

(a) to enable use of the Website;
(b) to check the correct functioning of the Website and technological maintenance of the Website;
(c) to ascertain responsibility in the event of offences against the Data Controller through the Website or the Website itself;
(d) to obtain aggregate and anonymous statistical information on the use of the Website.

(i).2. Storage times

Browsing data under (i) do not persist for more than thirty days and are deleted immediately after aggregation and anonymisation. This is without prejudice to any need for investigation of crimes by the judicial authorities.

(i).3. Legal basis

The legal basis for the processing of navigation data under (i) consists of the following concurrent and/or alternative criteria: (1) the legitimate interest of the Data Controller, in compliance with and within the limits of Article 6(1)(f) of the Regulation, to ensure the proper use of the Website and to prevent any possible computer crime; (2) the consent of the data subject pursuant to Articles 6(1)(a) and, where applicable, 9(2)(a) of the Regulation, also expressed through relevant behaviour, including the continuation of browsing activity on the website [On the method of expressing consent through this type of behaviour, see Decision of the Italian Authority 8.5.2014, paragraph 1, letter e) of the ruling]; (3) the performance of pre-contractual measures taken at the request of the data subject or the performance of a contract to which the data subject is party, for which processing is functionally necessary [Article 6(2)(b) of the Regulation], with regard to the provision of the navigation service on the website and access to the content therein, provided free of charge unless otherwise indicated.

(ii) Data provided by the data subject

The voluntary sending of messages by the data subject to the contact addresses of the Data Controller, including by email, the completion of forms or questionnaires and their subsequent submission to the Data Controller, will result in the acquisition by the latter of the contact details of the data subject as well as any other data that may be communicated by the data subject when sending the message (e.g. within the content of the message). The data subject is expressly prohibited from communicating personal data of a particular nature and/or personal data of third parties via forms or modules.

It remains understood that if the Data Controller intends to acquire personal data for other specific purposes, it will provide the relevant information notices pursuant to Articles 13 and 14 of the Regulation in relation to such additional purposes.

(ii).1. Purpose of processing

The processing of data communicated by the data subject (1) is aimed at satisfying the communication needs between the data subject and the Data Controller, according to the data subject's requirements, possibly also (2) for the forwarding of any requests for further information beyond that provided on the website or (3) for the initiation of negotiations aimed at concluding contracts for the provision of services provided by the Data Controller. Obviously, in the event of further and more specific processing carried out through the Data Controller's website, the Data Controller will provide the data subject with further and more specific information on the protection of personal data on a case-by-case basis (e.g., in relation to the services requested or if the website contains specific processing such as newsletter subscriptions or requests to send CVs for specific job positions). Only in the event of a concrete and current risk of dispute or unlawful acts perpetrated through the aforementioned means of communication may the data be processed (4) to defend or ascertain a right in court or (5) to allow the necessary investigations, including by the competent public authorities.

(ii).2. Storage times

The data communicated by the data subject under (ii) are retained for the time strictly necessary to meet communication requirements, as well as requests from the data subject in relation to the content specified therein, except for any requirements to ascertain or defend a right in court, in the event of a dispute (in such cases, the retention periods are those related to the aforementioned defensive requirements and the terms may take into account the need for evidence, limitation periods and statutes of limitations, including those lasting ten years, as well as any requirements to ascertain illegalities, including by the competent authorities). Furthermore, it remains understood that the Data Controller may provide for different retention periods in the specific information notices provided with reference to additional specific services that may be provided through the Website or for any other purposes, in relation to which it will provide specific and separate information on the protection of personal data, including with regard to retention periods.

(ii).3. Legal basis

The processing indicated under (ii) is based on the following legal bases, which are concurrent and/or alternative in relation to the specific case: (A) the legitimate interest of the Data Controller, in compliance with and within the limits set out in Article 6(1)(f) of the Regulation, to allow the performance of communication activities related to the conduct of its business or, for the purposes of requesting further information or responding to any illegal acts perpetrated through its IT system; (B) the consent of the data subject pursuant to Articles 6(1)(a) and, where applicable, 9(2)(a) of the Regulation, expressed by clicking on the appropriate consent button in correspondence of the information on the protection of personal data within the message submission form or, in any case, expressed by relevant behaviour, including the conscious and voluntary sending of the communication to the Data Controller, using the tools made available on the website where this information is made available in advance; (C) the implementation of pre-contractual measures taken at the request of the data subject or the performance of a contract to which the data subject is party, for which processing is functionally necessary [Article 6(2)(b) of the Regulation], in the event that the communication sent by the data subject is aimed at establishing, on the initiative of the data subject, or continuing the contacts necessary to conclude a contract concerning one or more of the services provided by the Data Controller; (D) the establishment and/or defence of a right in court or in any case of dispute, where such a need arises in the specific case in relation to communications forwarded by the data subject [Art. 9 (2)(f) of the Regulation].

(iii) Data acquired through cookies, processing methods, purposes of processing, storage times and legal bases

Cookies can be defined (see Cookie Decision) as «small text strings that the sites visited by the user send to their terminal (usually to the browser), where they are stored before being re-transmitted to the same sites on the next visit by the same user. While browsing a website, the user may also receive cookies on their terminal that are sent from different websites or web servers (so-called ‘third parties’), on which certain elements (such as images, maps, sounds, specific links to pages of other domains) present on the website they are visiting may reside. Cookies, which are usually present in large numbers in users' browsers and sometimes even with long-lasting characteristics, are used for different purposes: performing computer authentication, monitoring sessions, storing information on specific configurations concerning users accessing the server, etc».

The Onit S.p.a. website uses technical cookies, i.e. cookies that are essential for the proper functioning of a website and are used to manage various services related to websites (such as logging in or accessing restricted functions on websites). The duration of cookies is strictly limited to the work session, or they may have a longer duration in order to remember the visitor's choices. Disabling strictly necessary cookies may compromise the user experience and navigation of the website.

The Onit S.p.A. website also includes some components transmitted by Google Analytics, a web traffic analysis service provided by Google, Inc. (‘Google’). These are third-party cookies collected and managed anonymously to monitor and improve the performance of the host website (performance cookies).

Google Analytics uses ‘cookies’ to collect and analyse information about the use of the Onit S.p.A. website in an anonymous form (anonymised IP). This information is collected by Google Analytics, which processes it for the purpose of compiling reports for Onit S.p.A. operators regarding activities on the website itself. The Onit S.p.A. website does not use Google's analysis tool to monitor or collect personally identifiable information.

This site uses Google Maps, a map service provided by Google Inc.

Users can selectively disable Google Analytics by installing the opt-out component provided by Google on their browser. To disable Google Analytics, please refer to the link below:

https://tools.google.com/dlpage/gaoptout

Disabling third-party cookies does not affect the navigability of the Onit Group website in any way.

(iii).1. How to disable and/or not accept cookies

In general, the data subject has the option, at any time, to set their browser to accept all cookies, only some cookies, or to refuse them, disabling their use by the Website.

Furthermore, the data subject can normally set their browser preferences so that they are notified each time a cookie is stored in the memory of their device.

Finally, please note that at the end of each browsing session, the data subject may in any case delete both the browsing cache memory and the cookies collected from their hard drive. Any deactivation of cookies by the data subject on their device does not affect or influence interaction with the Website in any way.

Below are links explaining how to disable cookies for the most popular browsers (for other browsers, we suggest searching for this option in the help section of the relevant software).

- Internet Explorer: http://windows.microsoft.com/it-IT/internet-explorer/delete-manage-cookies#ie=ie-10

- Google Chrome: https://support.google.com/chrome/answer/95647?hl=it

- Mozilla Firefox: http://support.mozilla.org/it/kb/Gestione%20dei%20cookie?redirectlocale=en-US&redirectslug=Cookies

- Opera: http://help.opera.com/Windows/10.00/it/cookies.html

- Apple Safari: http://www.apple.com/it/privacy/use-of-cookies/

The functions of individual cookies can also be disabled via the dedicated page provided by the EDAA (European Interactive Digital Advertising Alliance), which can be accessed at the URL http://www.youronlinechoices.com

Even if authorisation to use third-party cookies is revoked, cookies may have been stored on the data subject's device prior to such revocation. For technical reasons, it is not possible to delete these cookies, but the data subject's browser allows them to be deleted in the privacy settings. The browser options contain the option ‘Clear browsing data’, which can be used to delete cookies, website data and plug-ins.

(iii).2. Further information on Third-Party Cookies

For third-party cookies installed through the Website, the obligations of disclosure and consent are incumbent upon the third parties, but the Data Controller (of the Website), as a technical intermediary between them and the data subjects (users of the Website), is required to include in the ‘extended’ privacy policy the updated links to the privacy policies and consent forms of the third parties themselves.

Below is a link to Google's privacy policy, a third party from which technical cookies are acquired:

https://policies.google.com/privacy?gl=it

(iii).3. Purpose of processing

(a) allow the use of the Website;
(b) checking the proper functioning of the Website and technological maintenance of the Website;
(c) obtain aggregate and anonymous statistical information on the use of the Website.
(d) prevent and/or combat any computer crimes committed using the Data Controller's Website

(iv).4. Legal basis

The legal basis for the processing of data referred to in purposes (iii).3.a. and (iii).3.b. is: (1) the legitimate interest of the Data Controller, in compliance with and within the limits of Article 6(1)(f) of the Regulation, to ensure the proper use of the Website, to improve the browsing service and interaction with the user, and to prevent and/or combat any computer crimes perpetrated using the Website itself; (2) consent to the processing of personal data - pursuant to Article 6(1)(a) and Article 9(2)(a) of the Regulation - expressed by pressing the appropriate button or by other behaviour suitable for expressing such consent, in accordance with the provisions of the Garante's Decision on Cookies (of 8.5.2014), such as continuing to browse by accessing another area of the site or by selecting an item contained therein (e.g. by clicking on an image or link or on the aforementioned button) or on any other item (it being understood that it is possible to refuse or limit the use of cookies by setting the browser appropriately or by following the information contained in this extended policy).

The use of cookies for the purposes under (iii).3.c. does not constitute processing of personal data and therefore does not require any legal basis for cookies that process exclusively anonymous and therefore non-personal data. Where cookies process personal data by making it anonymous following one or more automatic technical anonymisation operations, in order to subsequently obtain aggregate and anonymous statistics on the use of the Website, the legal basis is consent to the processing of personal data.

The legal basis for the processing of data referred to in purposes (iii).3.e. and (iii).3.f. is also the freely given, specific, informed and unambiguous consent of the data subject. Any consent given by the data subject may be revoked by the data subject at any time.

Optional provision of personal data

The provision of personal data by the data subject – unless otherwise specified – is optional, however failure to provide such data may make it impossible or difficult: for data under (i) and (iii), to navigate the Website correctly and fully or to benefit from a better service when interacting with the Website; for data under (ii), to correctly carry out communications between the data subject and the Data Controller and, therefore, to see requests spontaneously submitted by the data subject through the communication channels on the Website carried out.

Please note that disabling (or inhibiting the functioning of) third-party cookies does not affect the use of the Website by the data subject, but may lead, as specified above, to some limitations in its overall functioning or in the efficiency of navigation.

Recipients and categories of recipients of personal data, as well as the scope of their knowledge

For the purposes described above, the personal data of the data subject will be disclosed to employees, similar personnel and collaborators of the Data Controller, who will act as authorised data processors and/or data controllers.

The following subjects designated by the Data Controller as data processors, pursuant to Article 28 of the Regulation, are also recipients of the data collected:

[LINXS srl], as the provider of services for the development, delivery, operational management and maintenance of the Website's technological platforms.

The complete and updated list of data processors can be requested from the Data Controller's registered office or via the contact details provided in this Web Policy.

The personal data of the data subject may be known, due to their role and in the performance of their duties, by the Data Protection Officer (DPO) appointed by the Data Controller. Finally, it should be noted that the User's personal data may be made available to the competent authorities, where the legal requirements are met, in particular in the event of illegal acts committed by users, where the Data Controller becomes aware of them, without this implying a general obligation of surveillance on the part of the Data Controller.

In the event that third-party cookies are present, the data processed through them may be processed by such third parties, where provided for in the relevant policy (in particular, for the provision of the service), without prejudice to the data subject's right to prevent the use of such cookies through their browser settings or in the manner specified above in this extended policy [see above, paragraph (iii).2].

Rights of the data subject

The data subject may, under the conditions laid down in the Regulation, exercise the rights set out in Articles 15 to 21 thereof and, in particular:

the right of access pursuant to Article 15 of the Regulation, which provides for the right to obtain confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, to obtain access to his or her personal data – with the right to obtain a copy thereof – and the communication, among other things, of the following information: a) the purposes of the processing; b) the categories of personal data concerned; c) recipients to whom the data have been or will be disclosed; d) the period for which the data will be stored or the criteria used to determine that period; e) the rights of the data subject (rectification, erasure of personal data, restriction of processing and the right to object to processing); f) the right to lodge a complaint; g) the right to receive information on the origin of their personal data, where these have not been collected from the data subject; h) the existence of automated decision-making, including profiling, where this is carried out;
the right to rectification pursuant to Article 16 of the Regulation, which provides for the right to obtain, without undue delay, the rectification of inaccurate personal data concerning the Data Subject and/or the integration of incomplete personal data;
the right to erasure (known as the right to be forgotten) pursuant to Article 17 of the Regulation, which provides for the right to obtain, without undue delay, the erasure of personal data concerning the Data Subject, when: a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; b) the data subject has withdrawn consent and there is no other legal basis for the processing; c) the data subject has successfully objected to the processing of personal data; d) the data has been processed unlawfully; e) the data must be erased to comply with a legal obligation; f) the personal data has been collected in relation to the offer of information society services referred to in Article 8(1) of the Regulation. The right to erasure does not apply to the extent that processing is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or for the establishment, exercise or defence of legal claims;
the right to restriction of processing pursuant to Article 18 of the Regulation, which provides for the right to obtain restriction of processing when: a) the accuracy of the personal data is contested by the data subject; b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; c) the personal data are required by the data subject for the establishment, exercise or defence of legal claims; d) the data subject has objected to processing pending verification of whether the legitimate grounds of the controller override those of the data subject;
the right to data portability pursuant to Article 20 of the Regulation, which provides for the right to receive, in a structured, commonly used and machine-readable format, personal data concerning the Data Subject provided to the Data Controller and the right to transmit them to another data controller without hindrance, where the processing is based on consent and is carried out by automated means. The right to obtain, in addition, that personal data be transmitted directly from Onit S.p.A. to another Data Controller, where technically feasible;
the right to object pursuant to Article 21 of the Regulation, which provides for the right to object, at any time, to the processing of personal data concerning the Data Subject based on the condition of legitimacy of legitimate interest, including profiling where carried out, unless there are legitimate reasons for the Data Controller to continue processing that prevail over the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of a right in court;
the right not to be subject to automated decision-making pursuant to Article 22 of the Regulation, which provides for the right of the data subject not to be subject to a decision based solely on automated processing, including profiling where it is carried out, which produces legal effects concerning him or her or similarly significantly affects him or her, unless this is necessary for the conclusion or performance of a contract or the data subject has given their consent. In any case, automated decision-making shall not concern the personal data of the data subject and the User may at any time obtain human intervention by the data controller, express their opinion and contest the decision;
the right to withdraw consent at any time and with the same ease with which it was given, without prejudice to the lawfulness of processing based on consent given prior to withdrawal.

The data subject also has the right to lodge a complaint with the Italian Data Protection Authority, Piazza di Montecitorio n. 121, 00186, Rome (RM), or to take appropriate legal action.

The above rights may be exercised by contacting the Data Controller at the addresses indicated.

The exercise of rights by the data subject is free of charge pursuant to Article 12 of the Regulation. However, in the event of manifestly unfounded or excessive requests, including due to their repetitiveness, the Data Controller may charge a reasonable fee, in light of the administrative costs incurred in handling the request, or refuse to comply with the request.

Please note that the Data Controller, including through designated structures, will take charge of the request and provide, without undue delay – and in any case, no later than one month after receipt of the request – information regarding the action taken in response to the request. This deadline may be extended by two months, if necessary, taking into account the complexity and number of requests.

Finally, please note that if the Data Controller has doubts about the identity of the natural person making the request, it may request further information necessary to confirm the identity of the data subject.

Changes

The Data Controller may make changes to this policy. Users are therefore invited, when accessing the Website and/or at any time, to check the updated version of the personal data protection policy, which is always available for consultation by interested parties.