PRIVACY NOTICE REGARDING THE PROCESSING OF PERSONAL DATA
(Articles 13 and 14 of EU Regulation 2016/679)

Dear User, please find below some information that we are required to provide to you, not only to comply with legal obligations, but also because transparency and fairness toward you and all data subjects are fundamental to our business.

DATA CONTROLLER
The Data Controller is part of a “business group” as defined in Article 4.19 of the GDPR and manages personal data protection obligations through shared policies and compliance measures under the supervision of the parent company, Sweden & Martina S.p.A. (VAT No. 00401550280) with headquarters in Italy, a country belonging to the European Union, in accordance with the agreements signed between the group companies. The Data Controller is the group company that determines the processing of your personal data. In practice, the Data Controller is usually the company with which you have a professional relationship. You can contact your Data Controller by writing to privacy@sweden-martina.com, in addition to the contact information provided in the “Contact Information for the Data Controller” section of this privacy policy.  

DATA PROTECTION OFFICER
The Data Controller has appointed a Data Protection Officer (DPO), who can be contacted at the following addresses:
Email: dpo@sweden-martina.com – Certified Email: dataprotectionofficer@pec.it

CATEGORIES AND DATA SOURCES
For these processing activities, the Data Controller will process general data, such as: personal details, contact information, address information, data related to identification/recognition documents, login and identification data, data related to purchases or use of services, product quality certificates, employment-related data, payment data, financial data, tax data, video surveillance recordings, and data related to accommodation services, including sensitive data. The data is provided by you and/or by third parties such as other suppliers and/or collected from publicly accessible sources.

PROVISION OF DATA
For the purposes described above, the provision of your data is required; if you do not provide it, we may not be able to process your data.

PROCESSING ACTIVITIES
Your personal data is collected and processed using automated, semi-automated, and non-automated methods, as specified below. In addition to the retention periods indicated in each case, the time required for the statute of limitations to expire with respect to mutual rights and the retention period for backups must also be taken into account.
We process your data in order to take pre-contractual steps at your request or to perform a contract to which you are a party, specifically:
  • Identification and selection of suppliers and subsequent management of contractual obligations (we will retain the data for 10 years from the year in which the last contract ends);
  • Receipt and shipment of documents and goods (we will retain the data for 10 years from the relevant fiscal year or from the termination of the last contract);
  • Accommodation and related services in connection with business negotiations (we will retain data for 10 years after the termination of the last contract for data related to accommodation).

We process your data in order to comply with a legal obligation to which the Data Controller is subject, specifically:
  • maintenance of accounting records and compliance with tax obligations (we will retain the data for 10 years from the relevant year);
  • management and maintenance of the network and IT systems (we will retain the data for 18 months after the termination of the contractual relationship with regard to obligations pertaining to system administrators);
  • ensure corporate compliance, e.g., manage obligations related to personal data protection (we will retain the data for the time strictly necessary to fulfill the purpose).
 
We process your data in order to pursue a legitimate interest of the Data Controller, specifically:
  • internal corporate management control (we will retain the data for 10 years from the relevant fiscal year);
  • activity scheduling (we will retain the data for 10 years from the year the data was collected);
  • monitoring of people entering the company and call routing (we will retain the data for one year from the date it was collected);
  • quality checks on goods and services (we will retain the data for 10 years from the year the last contract ends);
  • ensure corporate compliance, e.g., prevent the commission of criminal offenses for the benefit or in the interest of the organization (we will retain the data for the time strictly necessary to fulfill this purpose);
  • video surveillance activities to protect company assets, ensure personal safety, and provide perimeter security against intrusions and property damage (we will retain the data for 24 hours, except in cases where the footage must be retained—e.g., theft);
  • management and maintenance of the network and IT systems (we will retain data for 10 years from the year the contractual relationship ends for accounts, passwords, and usernames);
  • to prevent and/or detect any misuse and to defend our rights and interests in court or during the preliminary stages leading up to any legal proceedings (we retain the data until the purpose of the processing no longer applies).

We process your data based on your consent for certain purposes, specifically:
  • promotion of the Data Controller’s activities and recording via video or photography, with possible subsequent publication (except for data subject to disclosure, we will retain the data until consent is withdrawn; thereafter, processing will be limited to mere storage for 10 years from the year in which consent was withdrawn).
Any special categories of personal data are also processed based on your consent. If you do not wish to provide your consent, we will not be able to process your personal data. Furthermore, you may withdraw your consent at any time by contacting the Data Controller using the contact information provided above.

DATA DISCLOSURE
Your data may be disclosed exclusively for technical and operational purposes strictly related to the aforementioned purposes, to parties that process data on behalf of the data controller, appointed as data processors pursuant to Article 28 of EU Regulation 2016/679, banks and financial institutions, shipping and transportation companies, accommodation facilities, travel agencies, as well as public entities to which there is a legal obligation to disclose data (including, but not limited to, the Chamber of Commerce, the Revenue Agency, etc.).

TRANSFER OF DATA OUTSIDE THE EU
The processing of personal data (e.g., storage, archiving, and retention of data on our servers or in the cloud) will be limited to the scope of circulation and processing of personal data within the European Union, with an express prohibition on transferring such data to non-EU countries that do not guarantee (or in the absence of) an adequate level of protection, that is, in the absence of safeguards provided for by EU Regulation 2016/679 (third countries deemed adequate by the European Commission, group BCRs, standard contractual clauses, consent of the data subjects, etc.).

YOUR RIGHTS
As a data subject, you have the right, in accordance with Articles 15 and following of EU Regulation 2016/679, to request from the Data Controller access to your personal data, as well as their rectification and erasure or the right to be forgotten. You also have the right to request data portability, to restrict processing, or to object to such processing. For processing based on consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent given prior to withdrawal. To exercise your rights or request additional information, you may contact the Data Controller using the contact information provided above. Finally, you may lodge a complaint with the competent supervisory authority.

CHANGES
We reserve the right to update our Privacy Policy. Any changes will be communicated in the manner we deem most appropriate, and we will update the date on this Privacy Policy. Therefore, we recommend that you review our Privacy Policy periodically, including by requesting a copy from the Data Controller.

Last updated M.158 Revision 5 – October 28, 2025