Logo Gruppo Onit

Institutional website information_Rev.0.0


Information on the processing of personal data pursuant to and in accordance with Regulation (EU) 679/2016, through the website https://www.onit.it/ (hereinafter: “the Website”) also through the use of COOKIES

(version no. [1] of [14 April 2020])

The current version is available from time to time at the following URL https://onit.it/en/privacy-cookie-policy

The following information (hereinafter “Website Policy”) is provided by Onit Group srl, as Controller (hereinafter “Controller”), to the data subject, in fulfilment of that which is envisaged by Regulation (EU) 679/2016 (hereinafter “Regulation”).

The Website Policy is displayed by the Controller to the data subject, also in compliance with the Data Protection Authority Cookie Regulation (hereinafter “Cookie Regulation”), available at the following URL http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/3118884.

The Controller hereby intends to inform all data subjects as regards the processing of personal data concerning them through the Website and Cookies used by the Website, noting their commitment and attention to the protection of the rights of the data subject.

The Website Policy also provides information on how cookies are handled.

The Website Policy is provided exclusively for the Website and, therefore, is not applicable to other websites, web pages or on-line services that can be reached though links that may be published on the Website but refer to resources that are external to the domain.

The Controller reserves the right to amend the Website Policy at any time exclusively at its own discretion. All changes will be effective on the date that the amended version of the Website Policy is published.

More and in depth information relevant to the purposes of the processing and other useful information are provided in the specific information provided for each of the various services.

In any case, the Controller ensures that the processing of the personal data will be based on the principles of fairness, lawfulness, transparency and protection of the data subject's confidentiality and rights.

When the User accesses the Website and uses its services, the same confirms to have read the Website Policy.

Controller and contact information

Name: Onit Group srl
Italian Tax Code: 04057301006
Registration with Register of Companies of FC: 292006
Registered office: Via dell'Arrigoni 308
47522 - Cesena (FC) - Italy
e-mail: onit@onit.it
PEC (certified e-mail): onit@pec.onit.it
Tel.: +39 0547 313110
Fax: +39 0547 318021
For requests relevant to the processing of personal data and the exercise of the rights by the data subject use the following contact information
e-mail: privacy@onit.it
PEC (certified e-mail): onit@pec.onit.it
Tel.: +39 0547 313110
Fax: +39 0547 318021

Data Protection Officer (DPO) and contact information

The Controller has provided for the appointment of a Data Protection Officer (DPO), who can be contacted, for any issues concerning the protection of personal data, using the following contact information: E-mail: nicola.pagliarulo@share-ing.eu; Pec Certified E-mail: nicola.pagliarulo@legalmail.it.

Type of data processed, methods of processing, purposes for the processing, retention time and/or criteria to determine retention time, legal basis

The following categories of personal data are processed: (i) browsing data; (ii) data provided by the data subject; (iii) data acquired through cookies.

Data is processed using automated procedures through the IT Systems owned and/or available to the Controller.

(i) Browsing data

IT Systems, applications and software procedures used to operate the Website collect, during normal operation, some personal data whose transmission is implicit when using Internet communication protocols.

The following are part of this category of personal data: (a) IP address or domain name of the computer and terminal used by the data subject; (b) URI/URL addresses of the resources requested; (c) time of the request; (d) method used to submit the request to the server; (e) file size obtained in response to the request; (f) numeric code indicating the response status given by the server; (g) any search engine used to locate the link to the Website, subsequently used to access it; (h) other parameters relevant to the operating system and IT environment used by the data subject to access and browse the Website.

(i) 1. Purposes for processing data

The purposes for processing the browsing data under (i) are:

  • to consent use of the Website;
  • to check the correct functioning and technological maintenance of the Website;
  • to ascertain liability in the event of offences to the detriment of the Controller through or to the Website;
  • to obtain aggregate and anonymous statistical information on the use of the Website.

(i) 2. Retention time

The browsing data under (i) are not retained for more than thirty days and are deleted immediately following their aggregation and anonymisation. Without prejudice to any need for an investigation of crimes by the judicial authority.

(i) 3. Legal basis

The legal basis for the processing of browsing data under (i) consists of the following concurrent and/or alternative criteria: (1) legitimate interest of the Controller, in compliance with and within the limits set out by art. 6 (1) (f) of the Regulation, to ensure the correct use of the Website and to prevent any possible computer crimes; (2) consent of the data subject pursuant to articles 6, sub. 1, lett. a) and, if necessary, 9, sub. 2, lett. a) of the Regulation, expressed also by means of relevant behaviour, including the continuation of the browsing activity on the website [On the method of provision of consent through this type of behaviour see Reg. of the Data Protection Authority 8/5/2014, sub. 1, lett. e) of the device]; (3) the execution of pre-contractual measures implemented at the request of the data subject or the execution of a contract to which the data subject is a party, for which processing becomes functionally necessary [art. 6, sub. 2, lett. b) of the regulation], as regards the provision of browsing services on-site and access to the contents therein, provided free of charge unless otherwise indicated.

(ii) Data provided by the data subject

Voluntary sending by the data subject of messages to the contact addresses of the Controller, also by sending e-mails, filling in forms and sending them to the Controller, entails the acquisition by the latter of the contact details of the data subject, as well as any other data communicated by the same when sending the message (e.g. within the contents of the latter). It is strictly forbidden for the data subject to provide personal data of a particular nature and/or personal data of third parties using forms.

Without prejudice that the Controller, where the same intends to acquire personal data for other specific purposes, will present the relevant information pursuant to arts. 13 and 14 of the Regulation, as regards such further purposes.

(ii) 1. Purposes for processing data

The processing of the data provided by the data subject (1) is aimed at satisfying the communication needs between the latter and the Controller, according to the needs of the data subject, possibly also (2) for the forwarding of any requests for more information with respect to to those present on the website or (3) to start negotiations aimed at the execution of service supply contracts with the Controller. Obviously, in the event of further and more specific processing carried out through the Controller’s Website, the same will, from time to time, provide the data subject, correspondingly, with a further and more specific information on data protection (e.g., relevant to the services requested or should the Website contain specific processing, i.e. registration for newsletters or requests for CVs for specific job positions). Only in the event that there is an actual and current risk of disputes or crimes committed through the aforementioned means of communication, the data may be processed (4) to defend or ascertain a right in court or (5) to allow the necessary investigations, including by the competent public authorities.

(ii) 2. Retention time

The data provided by the data subject under (ii) are retained for the time strictly necessary to satisfy communication requirements, as well as the requests from the data subject relevant to the contents that will be specified therein, without prejudice for any necessity of verification or defence of a right in court, in the event of a dispute (for which retention times are those relevant to the aforementioned defensive requirements and the time frames may take into account the necessity of evidence, periods of limitation, including ten-yearly, as well as any requirements for ascertaining crimes, including by the competent authorities). Also without prejudice that the Controller can provide for different retention times in the context of specific information for solutions presented with reference to further specific services provided through the Website or any other purposes, in respect of which it will proceed to provide specific and separate information on the subject of personal data protection also for that which concerns storage times.

(ii) 3. Legal basis

The processing indicated under (ii) is based on the following legal basis concurrent and/or alternative in relation to the specific case: (A) the legitimate interest of the Controller, in compliance with and within the limits set out by art. 6(1)(f) of the Regulation, to allow the performance of communication activities relevant to the performance of its business activity or, for the purposes of requesting more information or for responding to any crimes perpetrated through its computer system; (B) the consent of the data subject pursuant to articles 6, sub. 1, lett. a) and, if necessary, 9, sub. 2, lett. a) of the Regulation, expressed by clicking on the consent button present in correspondence to the information on the protection of personal data within the message form or, in any case, expressed through pertinent behaviour, including the informed and voluntary sending of the communication to the Controller using the tools available on the website where this information is made available in advance; (C) the execution of the pre-contractual measures adopted upon request of the data subject or the execution of a contract to which the data subject is a party, for which the processing becomes functionally necessary [art. 6, sub. 2, lett. b), of the Regulation], in the event that the communication sent by the data subject is aimed at establishing, upon the initiative of the data subject, or continuing, the contacts necessary to execute a contract having as its purpose one or more services provided by the Controller; (D) the establishment and/or defence of a right in court or in the event of a dispute, where such requirement arises in the specific case in relation to the communications sent by the data subject [art. 9, sub. 2, lett. f), of the Regulation].

(iii) Data acquired through Cookies, methods of processing, purpose of processing, retention times and legal basis

Cookies can be defined (see Cookie Regulation) as «small strings of text that the websites visited by the user send to the terminal of the latter (usually to the browser), where they are saved in order to be sent to the same websites at the next visit by the same user. While browsing on a website, the user can also receive cookies on their terminal that are sent from different websites or web servers (so-called "third parties"), where there may be some elements (such as, for example, images, maps, sounds, specific links to pages of other domains) on the website that the same is visiting. Cookies, usually found in users' browsers in very large numbers and sometimes even with long temporal persistence, are used for different purposes: execution of computer authentication, sessions monitoring, storage of information on specific configurations concerning users accessing the server, etc.».

The Onit Group Website uses technical cookies, i.e. cookies that are necessary for the correct functioning of a website that are used to manage various website services (e.g. login or access to private areas of the websites). The duration of the cookies is strictly limited to the work session or can take advantage of a longer time frame in order to remember the choices made by the visitor. The disabling of strictly necessary cookies can compromise the user and browsing experience of the website.

The Onit Group website also includes some components transmitted by Google Analytics, a web traffic analysis service provided by Google, Inc. (“Google”). These are third-party cookies collected and managed anonymously to monitor and improve the performance of the host website (performance cookies).

Google Analytics uses cookies to anonymously collect and analyse (anonymised IP) information on the usage behaviour of the Onit Group website. This information is collected by Google Analytics, which processes the same in order to prepare reports for Onit Group operators regarding website activities. The Onit Group website does not use Google's Analytics tool to monitor or collect personal identification information.

This website uses Google Maps, which is Google Inc.’s map service.

The user can selectively disable the actions of Google Analytics by installing the opt-out component provided by Google on his/her browser. To disable Google Analytics, please see the following link: https://tools.google.com/dlpage/gaoptout.

Disabling “third party” cookies does not in any way affect the browsing experience on the Onit Group website.

(iii) 1. How to disable and/or not accept cookies

The data subject, in general, has the possibility, at any time, to set his/her browser to accept all or certain cookies or to refuse them, disabling their use by the website. Furthermore, the data subject can normally set his/her browser preferences in order to be notified whenever a cookie is stored in the memory of their device.

Lastly, please note that at the end of each browsing session, the data subject can, in any case, delete from his/her hard disk, both the browsing cache-memory and the Cookies collected. The disabling of Cookies by the data subject on his/her device does not in any way prejudice or influence interaction with the Website.

Below are links that illustrate how to disable cookies for the most popular browsers (for other browsers that may be used, we suggest you search for this option in the relevant software help section).

  • Internet Explorer: http://windows.microsoft.com/it-IT/internet-explorer/delete-manage-cookies#ie=ie-10
  • Google Chrome: https://support.google.com/chrome/answer/95647?hl=it
  • Mozilla Firefox: http://support.mozilla.org/it/kb/Gestione%20dei%20cookie?redirectlocale=en-US&redirectslug=Cookies
  • Opera: http://help.opera.com/Windows/10.00/it/cookies.html
  • Apple Safari: http://www.apple.com/it/privacy/use-of-cookies/

The functions of the individual Cookies can also be disabled through the specific page made available by the EDAA (European Interactive Digital Advertising Alliance) available at the URL http://www.youronlinechoices.com/it/le-tue-scelte

Even if the authorisation to use any third-party cookies is revoked, the cookies may have been stored on the person's device before such revocation. For technical reasons it is not possible to delete these Cookies, however, the data subject’s browser allows the deletion of the same in the privacy settings. The browser options contain the option “Delete browsing data”, which can be used to delete Cookies, website data and plug-ins.

(iii) 2. Further information on Third Party Cookies

For third-party cookies installed through the Website, disclosure and consent requirements are borne by third parties, however, the Controller (of the Website), as technical intermediary between the aforementioned and the data subjects (users of the Website), is required to include the updated links of the policies and consent forms of the aforementioned third parties in the full disclosure of the privacy policy.

Below is the link that illustrates Google’s privacy policy, Third Party whose technical cookies are acquired:

(iii) 3. Purposes for processing data

  • to consent use of the Website;
  • to check the correct functioning and technological maintenance of the Website;
  • to obtain aggregate and anonymous statistical information on the use of the Website.
  • to prevent and/or contrast any computer-related crimes committed while using the Controller’s Website

(iv) 5. Legal basis

The legal basis for the processing of the data for the purposes under (iii).3.a. and (iii).3.b. is: (1) the legitimate interest of the Controller, in compliance with and within the limits set out by art. 6(1)(f) of the Regulation, in order to guarantee the correct use of the Website, improve the browsing service and interaction with the user, as well as to prevent and/or contrast any computer crimes perpetrated using the Website; (2) consent to the processing of personal data - pursuant to art. 6, sub. 1, lett. a) and art. 9, sub. 2, lett. a), of the Regulation - expressed by clicking on a specific button or by another behaviour suitable for expressing the mentioned consent, in compliance with the provisions of the Data Protection Authority’s Regulation on the subject of Cookies (dated 8/5/2014), such as the continuation of the browsing through access to a different area of the Website either by selecting an element contained on the same (e.g. by clicking on an image or link or the aforementioned button) or on any other element therein (it being understood that it is possible to deny or limit the use of cookies by adequately configuring the browser or by following the information in this regard contained in this full disclosure).

The use of cookies for the purposes under (iii).3.c., does not constitute the processing of personal data and, therefore, does not require any legal basis for the cookies that exclusively process anonymous and not personal data. Where the cookies, instead, elaborate personal data anonymising the same following one or more automatic technical operations, of anonymisation, to subsequently obtain aggregate and anonymous statistics on the use of the Website, the legal basis is the consent to the processing of personal data.

The legal basis for the processing of the data for the purposes under (iii).3.e. and (iii).3.f. is also constituted by the informed, free and express consent of the data subject. Any consent provided by the data subject may be revoked by the same at any time.

Optional supply of personal data

The provision of personal data by the data subject - unless otherwise specified - is optional, however, failure to do so may result in the impossibility or difficulty: for the data under (i) and (iii), to correctly and fully browse the Website or to benefit from a better service, in the interactions with the Website; for the data under (ii), to correctly carry out communications between the data subject and the Controller and, therefore, to see the requests spontaneously forwarded by the data subject through the communication channels present on the Website executed.

It is be noted that disabling (or inhibiting the operation of) third-party cookies does not affect the use of the website by the data subject, but may involve, as specified above, certain limitations in its overall operation or browsing efficiency.

Recipients and categories of recipients of the personal data, as well as the scope of knowledge of the same

For the pursuit of the above-described purposes, the Controllers’ employees, persons treated and such and contractors, that operate as persons authorised to process data and/or processors will gain knowledge of the data subject’s personal data.

The following parties appointed as Processors by the Controller are also recipients of the data pursuant to article 28 of the Regulation: [LINXS srl], as a provider of development, delivery, operational management and maintenance services for the technological platforms of the Website.

The complete and updated list of Processors can be requested at the Controller's registered office or through the contact details indicated in this Website Policy to contact the same.

The Data Protection Officer (DPO), appointed by the Controller, because of his/her role and in execution of his/her duties, may gain knowledge of the data subject’s personal data. Finally, it is specified that the User's personal data may be made available to the competent authorities, where legal requirements exist, in particular in the event of crimes being committed by users, where the Controller becomes aware of it, without the same implying a general obligation of surveillance by the Controller.

Should third party cookies exist, the data processed through the same may be processed by third parties, where envisaged in the relevant information (in particular, for the supply of the service), without prejudice to the right of the data subject to prevent the use of such cookies through the configuration of his/her browser or in the ways envisaged above herein this full disclosure [see sub. (iii).2].

Rights of the data subject

The data subject can, pursuant to the conditions envisaged by the Regulation, exercise the rights pursuant to articles 15 to 21 of the same and, in particular:

  • right of access pursuant to article 15 of the Regulation, which provides for the right to obtain confirmation whether personal data concerning him/her is being processed and, in this case, obtain access to his/her personal data - with the right to obtain a copy of the same - and communication, inter alia, of the following information: a) purpose of the processing; b) categories of personal data processed; c) recipients to whom the data has been or will be communicated; d) data retention period or criteria used; e) rights of the data subject (rectification, erasure of personal data, restriction of processing and the right to object to the processing); f) the right to lodge a complaint; g) the right to receive information on the origin of your personal data, should the same not have been collected from the data subject; h) the existence of an automated decision-making process, including profiling where it is carried out;
  • right to rectification pursuant to article 16 of the Regulation, which provides for the right to obtain, without undue delay, the rectification and/or integration of the incorrect personal data that concern the data subject;
  • right to erasure (so-called right to be forgotten) pursuant to article 17 of the Regulation, which provides for the right to obtain, without undue delay, the erasure of the personal data that concern the data subject, when: a) the data is no longer necessary for the purposes for which it was collected or otherwise processed; b) the data subject has revoked his/her consent and no other legal basis for the processing exists; c) the data subject has successfully objected to the processing of the personal data; d) the data has been unlawfully processed; e) the data has to be erased in compliance with a legal obligation; f) the personal data has been collected relevant to the offer by the IT company of services pursuant to article 8, subsection 1, of the Regulation. The right to erasure is not applicable to the extent in which the processing is necessary for the fulfilment of a legal requirement or for the execution of a task performed in the interest of the public or for the ascertainment, exercise or defence of a right in court.
  • right to the restriction of processing pursuant to article 18 of the Regulation, which provides for the right to obtain the restriction of the processing, when: a) the data subject disputes the accuracy of the personal data; b) the processing is unlawful and the data subject opposes the erasure of the personal data and, instead, requests the restriction of its use; c) the personal data is necessary for the data subject for the ascertainment, exercise or defence of a right in court; d) the data subject objected to the processing pending the verification whether the legitimate grounds of the Controller override those of the data subject;
  • right to data portability pursuant to article 20 of the Regulation, which envisages the right to receive the personal data concerning him/her, which he/she has provided to a Controller, in a structured, commonly used and machine-readable format, as well as the right to send the same to another Controller without impediment, should the processing be based on consent or be carried out using automated equipment. The right to obtain the sending of such data directly by Onit Group srl to the other Controller, where the latter is technically feasible;
  • right to object pursuant to article 21 of the Regulation, which envisages the right to object, at any time, to the processing of personal data concerning the data subject based on the legitimacy of legitimate interest, including profiling, where applicable, unless there are legitimate grounds for the Controller to continue the processing that prevail over the interests, rights and freedoms of the data subject or for the ascertainment, exercise or defence of a right in court;
  • right to not be subject to an automated decision-making process pursuant to article 22 of the Regulation, which envisages the right of the data subject to be subject to an automated decision-making process based solely on automated processing, including profiling where applicable, which produces legal effects concerning him/her or similarly significantly affects him/her, unless the same is necessary for the execution of a contract or the data subject has given his/her consent. In any case, an automated decision-making process cannot concern the personal data of the data subject and the User can, at any time, obtain human intervention by the Controller, express his/her point of view and dispute the decision;
  • right to revoke consent given at any time and with the same ease with which it was provided, without this compromising the lawfulness of the processing based on the consent given prior to the revocation.

The data subject also has the right to lodge a complaint to the Data Protection Authority, Piazza di Montecitorio 121, 00186, Rome (RM), or to take the appropriate legal action. The above rights can be exercised, towards the Controller, by contacting the same using the contact information indicated.

The exercise, by the data subject, of his/her rights is free pursuant to article 12 of the Regulation. However, in the case of manifestly unfounded or excessive requests, also due to their repetitiveness, the Controller may charge a reasonable fee, in light of the administrative costs incurred to manage the request, or deny the satisfaction thereof.

It is noted that the Controller, also through specific structures, will provide to take care of the request and provide, without undue delay - and, in any case, at the latest, within a month from receiving the same - information relevant to the action taken in relation to the request. This deadline can be extended by two months if necessary, taking into account the complexity and the number of requests.

Lastly, it is noted that if the Controller has doubts about the identity of the natural person making the request, the same may request further information necessary to confirm the identity of the data subject.


The Controller can make amendments to this information. Therefore, we ask users, when accessing the Website and/or at any time, to check the latest version of the information on data protection, which is always available for consultation by the data subjects.