Dear User / Data Subject,
this Notice is provided pursuant to Legislative Decree no. 196 of 30 June 2003 and subsequent amendments (known as the Privacy Code), as well as pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
We inform you that the personal data you provide in the context of consulting the site will be processed by OTO Agency in the person of its legal representative pro tempore as Data Processing Controller (hereinafter also Data Controller) in compliance with the protection principles established by the Personal Data Protection Code and subsequent amendments, as well as with all European and national legislative interventions and/or provisions of the Supervisory Authorities. The following information is provided only for the site and not also for other websites that may be consulted by the User via links to it.


The processing is necessary and functional for the use of the site
The first purpose of the processing is to allow users to contact the company OTO Agency, the Data Controller, directly in order to obtain more information about the services it offers.
A further purpose of the processing is to allow the Data Controller to send newsletters and promotional offers to users who give their consent.
More specifically, data spontaneously provided by the User is processed by the Data Controller:

  • to allow the User to contact the Data Controller directly and, consequently, obtain more information on the services offered by the latter;
  • for Marketing purposes and therefore to facilitate the promotion and provision of any future services offered by the Data Controller and which the User wishes to use, including by entering the User’s data in the Data Controller’s IT systems. Such processing is optional and will only be carried out with the User’s consent;
  • to enable the Data Controller to send periodic newsletters with updates on the latter’s activities. Such processing is optional, will be carried out only with the User’s consent and will take place by entering the data in computer systems owned by the Data Controller


In order to contact the Data Controller, the User must provide the following personal data:

  • name;
  • surname;
  • e-mail address

The user may also optionally enter the following data:

  • telephone number.

In order to receive regular newsletters and advantageous promotional offers
the User must compulsorily provide the following personal data:

  • name;
  • e-mail address.

Without prejudice to the Data Subject’s personal autonomy and without prejudice to the provision of browsing data, the provision of the data indicated with the “compulsory” field in the form is mandatory and failure to provide, even partially, data expressly indicated as necessary will make it impossible for the Data Controller to provide the relative service.


The Data Controller is OTO Agency in the person of its legal representative pro tempore (VAT and Tax Code 04286630167) with registered office in via Gian Battista Rubini, 26 – 24030 Valbrembo, Bergamo.

Please note that the Data provided may be processed by other parties involved in the Data Controller’s organisation, all acting as Data Supervisors, persons in charge of the processing, or external parties (such as third party technical service providers, hosting providers), appointed as Data Processors or, if necessary, External Data Processors by the Data Controller.

Finally, users are informed that the Data Controller, in view of the large amount of data processed, has appointed as Data Protection Officer Ms. Marta Savona, lawyer, with office in 24121 – Bergamo, Passaggio San Bartolomeo 3, email:


The personal data provided will be processed at the Data Controller’s premises or by External Data Processors appointed by the Data Controller (by way of example but not limited to: IT and logistics service providers; outsourcing and cloud computing service providers and management service providers; external professionals and consultants). The processing will take place using computer and/or telematic procedures in the manner and to the extent necessary to pursue the aforementioned purposes and will be stored at the same premises.

The Data Controller makes use of services provided by leading companies in the sector entrusted with the development and maintenance of management software and the technical maintenance of the site.


The Data Controller declares that the data processed is not transferred to third parties.


Please note that the Data provided will be processed and kept by the Controller for the purposes indicated above and stored by the Controller in accordance with the timeframes set out below.
In case of invoicing, the data relating to the services requested will be kept for 10 years from the date of invoicing, as provided for by the applicable tax law.
The data provided for the sole purpose of contacting the Controller will be kept for two years from when the request is received, unless they are later deleted.
Where you have consented to the processing of your personal data for marketing purposes, your personal data will be processed until you have withdrawn your consent to the processing of your data for marketing purposes for all or some of the contact methods, unless the retention of your data is still necessary for other purposes covered by this policy. In any case, the data will be deleted after three years from the date on which the User gave his or her consent, unless they explicitly renew it.


You may at any time exercise your rights vis-à-vis the Data Controller pursuant to Legislative Decree 193/2006 and Regulation (EU) 2016/679 as referred to in the following articles:
II. RIGHT TO RECTIFICATION – Art. 15 Reg. (EU) 2016/679
V. RIGHT TO DATA PORTABILITY – Art. 20 Reg. (EU) 2016/679
VI. RIGHT TO OBJECT – Art. 21Reg. (EU) 2016/679

We inform you that the rights set out in the above paragraphs may be exercised at any time by sending an e-mail to the following address: together with a digital copy of your valid identity document.

Please note that if you ask us to stop all processing of your personal data and not just that performed for promotional purposes, we will not be able to continue to provide you with the services you have requested and that, unless you request us to stop only sending promotional communications through automated systems, we will stop all processing of your personal data, including that performed using traditional means.

In any event, our company may retain certain personal data of yours if we need these in order to defend or assert a right. If you wish, the updated list containing the names of the persons in charge of processing your data is available to you at the Data Controller’s premises, and can also be requested by e-mail in writing to


For the purposes of this Regulation, the following definitions shall apply:

Personal data: any information relating to an identified or identifiable natural person, also referred to as ‘data subject’; an identifiable person is one who can be identified, directly or indirectly, by reference in particular to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity;

Processing shall mean any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automatic means, such as their collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Limitation of processing: the marking of the personal data stored with the aim of limiting their processing in the future;

Profiling: any form of automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects of that person’s professional performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

Pseudonymisation: the processing of personal data in such a way that personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is stored separately and subject to technical and organisational measures to ensure that such personal data is not attributed to an identified or identifiable natural person;

Archive: any structured set of personal data accessible according to specified criteria, regardless of whether this set is centralised, decentralised or functionally or geographically distributed;

Data controller: the natural or legal person, public authority, service or other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the data controller or the specific criteria applicable to his/her designation may be established by Union or Member State law;

Data processor: the natural or legal person, public authority, service or other body that processes personal data on behalf of the data controller;

Recipient: the natural or legal person, public authority, service or other body receiving communication of personal data, whether a third party or not. However, public authorities that may receive communication of personal data in the context of a specific investigation in accordance with Union or Member State law are not considered recipients; the processing of such data by those public authorities is in accordance with the applicable data protection rules according to the purposes of the processing;

Third party: any natural or legal person, public authority, service or other body other than the data subject, the controller, the data processor and the persons authorised to process personal data under the direct authority of the controller or supervisor;

Consent of the data subject: any freely given, specific, informed and unambiguous indication of the data subject’s wishes, whereby the data subject, by a statement or an unambiguous affirmative action, indicates his/her agreement to personal data relating to him/her being processed;

Personal data breach: a breach of security leading accidentally or unlawfully to the destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed;

Genetic data: personal data relating to hereditary or acquired genetic characteristics of a natural person that provide unambiguous information on the physiology or health of that natural person, and which result in particular from the analysis of a biological sample of that natural person;

Biometric data: personal data obtained by specific technical processing relating to physical, physiological or behavioural characteristics of a natural person that enable or confirm their unambiguous identification, such as facial image or dactyloscopic data;

Data relating to health: personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information relating to his or her state of health;

Principal establishment:
(a) in the case of a data controller with establishments in more than one Member State, the place of its central administration in the Union, unless decisions on the purposes and means of the processing of personal data are taken in another establishment of the data controller in the Union and the latter establishment has the power to order the implementation of those decisions, in which case the establishment which has taken such decisions shall be considered to be the principal establishment;
(b) in relation to a data processor with establishments in more than one Member State, the place where its central administration in the Union is located or, where the controller does not have a central administration in the Union, the establishment of the controller in the Union where the main processing activities are carried out in the context of the activities of an establishment of the controller in so far as that controller is subject to specific obligations under this Regulation;

Representative: the natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents them in relation to their respective obligations under this Regulation;

Enterprise: any natural or legal person, regardless of its legal form, engaged in an economic activity, including partnerships or associations regularly engaged in an economic activity;

Group of undertakings: a group consisting of a parent company and the companies controlled by it;

Binding corporate rules: the personal data protection policies applied by a controller or processor established in the territory of a Member State upon the transfer or set of transfers of personal data to a controller or processor in one or more third countries, in the context of a group of undertakings or a group of undertakings carrying out a common economic activity;

Supervisory authority: an independent public authority established by a Member State pursuant to Article 51;

Supervisory authority concerned: a supervisory authority which is affected by the processing of personal data because:
(a) the controller or processor is established in the territory of the Member State of that supervisory authority;
(b) data subjects residing in the Member State of the supervisory authority are or are likely to be substantially affected by the processing; or
(c) a complaint has been lodged with that supervisory authority;
Cross-border processing
(a) processing of personal data which takes place in the course of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State;
(b) processing of personal data which takes place in the course of the activities of a single establishment of a controller or processor in the Union, but which affects or is likely to substantially affect data subjects in more than one Member State;

Relevant and reasoned objection: an objection to the draft decision as to whether or not there is an infringement of this Regulation, or whether or not the action envisaged in relation to the controller or processor complies with this Regulation, when the objection clearly demonstrates the relevance of the risks posed by the draft decision with regard to the fundamental rights and freedoms of data subjects and, where applicable, the free movement of personal data within the Union;

Information society service: the service defined in Article 1(1)(b) of Directive (EU) 2015/1535 of the European Parliament and of the Council (19);

International organisation: an organisation and its subordinate bodies governed by public international law or any other body established by or on the basis of an agreement between two or more States.