INFORMATION ON THE PROCESSING OF PERSONAL DATA
pursuant to Articles 13 – 14 of EU Regulation 2016/679
This privacy notice clearly and transparently describes how we process the personal data of individuals who browse the website humancompany.com or use the digital services available within it. It therefore applies to all data collection and management activities that occur when users access our pages, review information sections, or interact with the tools provided on the site. This notice does not apply to any information collected through other means and/or websites accessible via links on our portals, which are covered by their own specific privacy notices.
This notice may be amended, supplemented, or updated periodically, including in response to changes in applicable legislation or decisions from the Data Protection Authority and/or the European Data Protection Board. Any changes and updates to this Privacy Notice will be communicated to data subjects by updating the Privacy Policy link in the footer and/or other specific sections of the website. We therefore encourage users to regularly consult this Notice to be aware of the most recent version and to stay informed about how their personal data is collected and processed.
Data Controller
The Data Controller is Hu Holding S.p.A (hereinafter also referred to as "Hu Holding", the "Controller" or the "Company"), with its registered office at Via Generale C. A. dalla Chiesa, 13 - 50136 (Florence), Tax Code and VAT No. 07377040485, contactable at the e-mail address: [email protected].
The Data Protection Officer (DPO) can be contacted at the e-mail address: [email protected].
Types of Data
Below, we set out the types of personal data processed through the website, strictly within the purposes defined in this notice.
Personal data provided by the user
Personal data voluntarily provided by the user (e.g. name, surname, email address, etc.) for the various online services that may be available will be processed solely for the purposes described in the specific Privacy Notices prepared by the Data Controller for each online service. These notices, which can be consulted at the time the data are provided on Human Company Group’s systems and websites, may supply further details, such as the legal basis for processing, any recipients of the personal data, the retention period of the personal data (or the criteria for determining such a period), the existence of automated decision-making processes, including profiling, as well as all other information required to exercise data protection rights.
In particular, the voluntary sending of email messages to the addresses indicated on this website, by completing the contact form, entails the acquisition of the sender’s email address and any other personal data (for example, first and last name, telephone number, job title, company name, etc.) entered into the electronic communication, as well as the sender’s details, necessary in order to respond to requests. Providing the data marked with an asterisk (*) in the form is “mandatory”. Failure to provide such data will make it impossible for the Company to process the request.
Browsing data
When browsing the website, certain technical information about the hardware and software used by users may be automatically collected by the IT systems that enable the site to function. Such information is transmitted as an inherent part of Internet communication protocols and may include, for example, the user’s IP address, the domain name of the device used, the identifier of the requested resources (URI), the type and version of browser, the presence of plug-ins, the mobile device identifier (such as IDFA or AndroidID), and additional parameters relating to the operating system and IT environment.
Data collected through cookies
The websites use technical cookies that are necessary for their operation and, only with the user's prior consent, profiling cookies or third-party cookies. Information regarding the types of cookies used, their purposes, retention periods and the procedures for withdrawing or changing consent can be found in the Cookie Policy, to which full reference is made.
Purposes of Processing and Legal Bases
The personal data collected through the website are processed solely for the purposes described in this section, in accordance with the legal bases provided for by the GDPR.
Website browsing
When simply browsing the pages, certain data are processed to ensure the proper functioning of the websites, to monitor traffic, to identify any malfunctions, and to prevent abuse or unlawful activities. These activities are essential for keeping the platforms secure and for providing users with a stable and reliable service. The legal basis for these processing operations is the legitimate interest of the data controller, as set out in Article 6, paragraph 1, letter f of the GDPR.
Handling of Requests
The personal data acquired when a user utilises the addresses indicated on the website to send requests, or completes the contact form, are used solely for the purpose of providing the requested information through an effective and comprehensive response. Such processing is necessary in order to respond to pre-contractual requests pursuant to Article 6, paragraph 1, letter b of the GDPR, as well as to satisfy the legitimate interest of the data controller in managing communications received correctly, as provided for by Article 6, paragraph 1, letter f of the GDPR. The data provided by the user will not be used for any other purpose without first obtaining the explicit consent of the individual concerned.
Statistical analyses on an aggregated basis
Information collected through cookies and similar technologies may be used in an aggregated and anonymous form solely for the purpose of improving the quality of the service and providing statistics regarding the use of the website. The legal basis for such processing is the legitimate interest of the data controller, as set out in Article 6, paragraph 1, letter f of the GDPR.
Data Retention Period
Personal data are retained for varying periods depending on the specific purpose for which they were collected. The retention period is determined in accordance with the principles of limitation and minimisation set out by the GDPR, and data are deleted or anonymised once the purposes for which they were processed have been fulfilled.
Data collected via the contact form are retained only for the time strictly necessary to manage and respond to the user's request, after which they are deleted or anonymised.
Browsing data are retained for a maximum period of 30 days, unless longer retention is required for reasons related to system security or for the investigation of potential computer-related offences.
Methods of Processing and Security Measures
Processing is carried out using IT and/or electronic tools, with organisational methods and procedures strictly related to the purposes indicated, always in full compliance with the principles of lawfulness, fairness, transparency, minimisation, integrity, confidentiality, and security as provided for by the GDPR.
Processing is conducted using methods suitable to ensure the protection of data at every stage, from collection to storage, and through to possible deletion. The Data Controller adopts appropriate security measures to prevent unauthorised access, disclosure, alteration, or destruction of personal data.
Disclosure of Data
Access to the data is granted exclusively to individuals who have been duly authorised and instructed by the Company.
Specifically, in order to carry out certain processing activities, the Data Controller may disclose data to the following categories of external parties, who will process this data, depending on their role with regard to the processing, either as independent data controllers or as data processors pursuant to Article 28 of the GDPR, only to the extent strictly necessary for pursuing the purposes outlined in this notice:
other companies within the Human Company Group (companies directly or indirectly controlled by Hu Holding);
other external consultants and suppliers who perform auxiliary activities related to the aforementioned purposes, such as cloud service providers, IT providers or hosting providers, postal couriers, communication agencies;
professional firms, particularly when necessary for the protection of the Company's rights;
banks and credit institutions, insurance companies;
parties who may access the data by virtue of legal, regulatory, or EU provisions, within the limits established by such rules.
The updated list of data recipients is available by requesting it from the Data Controller’s email address.
Data Transfers
The Data Controller does not transfer personal data to countries outside the European Economic Area (EEA). Should this become necessary, data subjects will be informed in advance, and appropriate safeguards will be implemented for the transfer to the recipients. Depending on the circumstances, these safeguards may include: verification of the existence of an adequacy decision for the destination country by the European Commission, the signing of standard contractual clauses, or the assessment of any supplementary measures adopted in accordance with EDPB Recommendation 01/2020.
Data Disclosure
Personal data collected through the website is not made publicly available.
Rights of Data Subjects
Regulation (EU) 2016/679 (GDPR) grants data subjects specific rights. In particular, with regard to the processing of their personal data covered by this notice, the data subject has the right to request from the Data Controller:
Access: The data subject may request confirmation as to whether or not personal data concerning them is being processed, as well as further information regarding the details contained in this notice (Art. 15 GDPR);
Rectification: The data subject may request the correction or completion of any data they have provided, should it be inaccurate or incomplete (Art. 16 GDPR);
Erasure: The data subject may request that their data be deleted if it is no longer required for the purposes outlined above, in the event of withdrawal of consent or objection to processing, if processing is unlawful, or if there is a legal obligation to delete the data (Art. 17 GDPR);
Restriction: The data subject may request that the processing of their personal data be restricted, for example if they dispute its accuracy for the time needed to verify it, in the event of unlawful processing and opposition to data erasure, if the data is needed to establish, exercise, or defend a legal claim, or in case of objection to processing pending verification of any overriding legitimate grounds of the Data Controller (Art. 18 GDPR);
Portability: The data subject may request to receive their data, or to have it transmitted to another Controller as specified by them, in a structured, commonly used and machine-readable format (Art. 20 GDPR);
Objection: The data subject may object at any time to the processing of their data, except where there are legitimate grounds for processing that override their interests, for example for the establishment or defence of legal claims by the Company (Art. 21 GDPR).
To exercise these rights, data subjects may contact the Data Controller at any time by sending a request to the following e-mail address: [email protected]
To ensure proper management of the request and the protection of the data, the Company will verify the identity of the requester before proceeding. Once the identity has been verified, the Data Controller will respond within 30 days of receipt of the request, except in complex cases where an extension is required, in accordance with the terms set out in the applicable legislation.
Users also have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) if they believe that their data has been processed in breach of the regulations. The Authority can be contacted via telephone switchboard on 06.696771, by e-mail at [email protected], or by certified mail at [email protected].
Date of last updated: 29/01/2026