Information provided pursuant to Art. 13 and 14 of EU regulation 2016/679

This document sets out the methods and purposes of the processing of personal data carried out by the Data Controller, as well as any further information required by law, including information on the rights of the data subject and their related exercise.

Regulation (EU) 2016/679 on the protection of personal data (hereinafter, the “Regulation”) establishes rules relating to the protection of natural persons with regard to the processing of personal data, as well as rules relating to the free movement of such data and protects the fundamental rights and freedoms of natural persons, with particular reference to the right to protection of personal data.

The art. 4, no. 1 of the Regulation provides that “Personal Data” means any information relating to an identified or identifiable natural person (hereinafter, “Data subject”).

“Processing” must instead mean any operation or set of operations, carried out with or without the aid of automated processes and applied to Personal Data or sets of Personal Data, such as the collection, recording, organization, structuring, preservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, limitation, cancellation or destruction (art. 4, n. 2 of the Regulation).

Pursuant to the articles. 12 et seq. of the Regulation, it is also envisaged that the data subject must be made aware of the appropriate information relating to the processing activities carried out by the data controller and the rights of the data subjects.


Data Controller

JotUrl Srl
Headquarter: Via Angelo Pegoraro 26, 21013 Gallarate (VA) – Milan Malpensa – Phone +39 02 87167704
Branch office: Via del Tiratoio 1, 50124 Florence – Phone +39 055 7476020
P.IVA IT06002360482
Web Site:

The Data Controller has appointed the Personal Data Protection Officer (RPD/DPO) who can be contacted at their mail.


Data subject to processing and their sources

The Data subject to Processing may be those relating to:
– Personal data, tax code, VAT number, name, registered office, residence and domicile and contact details (email and telephone);
– Data relating to the contractual relationship descriptive of the type of contract, as well as information relating to its execution and necessary for the fulfillment of the contract itself;
– Accounting data relating to the economic relationship, the sums due and payments, their periodic trend, the summary of the accounting status of the relationship;
– Data functional to supplier qualification.
The data is collected from the data subject or from third parties.


Purposes and legal bases of the Processing

The purpose of the processing of personal data is to allow the regular establishment, evolution, administration, management and execution of the contractual relationship of which the data subject is or will be a party.
In particular, the purposes of the processing are the following:
– Fulfillment of tax/accounting obligations
– Supplier management (supplier register, administration of contracts, orders, shipments and invoices, reliability and solvency control)
– Management of disputes (contractual breaches, warnings, transactions, debt collection, arbitration, judicial disputes)
– Internal control services (safety, productivity, quality of services, integrity of assets)
Personal data will be processed for the fulfillment of legal obligations, as well as to fulfill administrative, insurance and tax obligations required by current legislation and also to satisfy accounting and administrative purposes, or to be able to regularly fulfill contractual and legal obligations arising from the legal relationship existing with the data subject.
The data will be processed without the need for further consent for the purposes described above, as regulated pursuant to art. 6 co. 1 letter b) and c) of EU Regulation 2016/679.


Mandatory or optional nature of providing data

The provision of data is necessary in order to correctly fulfill the obligations deriving from the contract of which the data subject is a party, otherwise the Data Controller may not be able to correctly fulfill its contractual obligations.
The essential data must be provided for the fulfillment of legal obligations, regulations, community regulations, or by provisions of Authorities legitimized to do so by law and by supervisory and control bodies.

Methods of Data processing

In compliance with the provisions of the art. 5 of the Regulation, the Personal Data being processed are:

(i) processed in a lawful, correct and transparent manner towards the data subject;

(ii) collected and recorded for specific, explicit and legitimate purposes, and subsequently processed in terms compatible with such purposes;

(iii) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

(iv) accurate and if necessary, updated;

(v) processed in a manner that guarantees an adequate level of security;

(vi) stored in a form that allows identification of the data subject for a period of time not exceeding the achievement of the purposes for which they are processed.

The processing will be carried out both with manual and/or IT and telematic tools with organization and processing logic strictly related to the purposes themselves and in any case in such a way as to guarantee the security, integrity and confidentiality of the data themselves in compliance with the organizational, physical measures and logics envisaged by the provisions in force.


Subjects involved in the processing and communication of data

The Processing will be carried out, in part, directly by the Data Controller: among the recipients of the Data subject’s Personal Data are included the authorized subjects belonging to the Data Controller’s organization, appropriately trained and made aware of the constraints imposed by EU Regulation 2016/679.

Furthermore, without prejudice to the communications required by law or the exercise of the right of defense, the Personal Data subject to the Processing may be communicated to people, companies, associations or professional firms that provide services or assistance and consultancy activities to the Data Controller, with particular but not exclusive reference to accounting, legal, administrative, tax and financial matters. For the pursuit of the purposes indicated above, the data may be communicated to third parties who act as independent Data Controllers or Data Processors designated by the Data Controller.

The updated list of Data Processors appointed by the Data Controller can be provided upon request of the data subject.


Data dissemination

The data will not be disseminated.

Data transfer abroad

For the purposes indicated above, Personal Data will be processed within the European Economic Area (EEA). If they are transferred to Third Countries, in the absence of an adequacy decision from the European Commission, the provisions of the applicable legislation regarding the transfer of Personal Data to third Countries will still be respected, such as the Standard Contractual Clauses provided by the European Commission.

Data retention

In general, Personal Data will be kept for the time strictly necessary to achieve the purposes for which they were collected and processed. The data collected will be kept for the entire duration of the relationship with the Data Controller and for 10 years from the date of termination of the relationship, except for any need for the Data Controller to defend his rights in court.

Rights of interested party

Pursuant to European Regulation 679/2016 art. from 15 to 22 and the national legislation in force, the data subject may, according to the methods and within the limits established by the legislation in force, exercise the following rights:

– request confirmation of the existence of personal data concerning him (right of access);
– know its origin;
– receive intelligible communication;
– have information about the logic, methods and purposes of the processing;
– request its updating, rectification, integration, cancellation, transformation into anonymous form, blocking of data processed in violation of the law, including data no longer necessary for the pursuit of the purposes for which they were collected;
– in cases of processing based on consent, receive at the sole cost of any support, the data provided to the data controller, in a structured and readable form by a data processor and in a format commonly used by an electronic device;
– the right to lodge a complaint with the Supervisory Authority (Privacy Guarantor);
– as well as, more generally, exercise all the rights recognized by the current legal provisions.

The exercise of the rights may take place by sending a request which must be addressed without any formality to the Data Controller.
Before providing a response, the data controller may need to identify the data subject by requesting to provide a copy of his or her identity document.
Written feedback will be provided without unjustified delay and, in any case, no later than one month from receipt of the request.

Last updated on 09/11/2023