Privacy policy

Privacy notice pursuant to Art. 13 of EU Regulation No. 679/2016 

1) Introduction

Mundys (hereinafter "Mundys" or the "Company"), its registered office at Piazza San Silvestro 8, 00187 Roma, as Data Controller, will process the Personal Data provided by you for investor relations communication.

This information is provided by Mundys, pursuant to art. 13 et seq. of EU Regulation 679/2016 (hereinafter the "Regulation" or "GDPR") and in compliance with Legislative Decree 196/2003 as amended (hereinafter the "Privacy Code") and applicable legislation.

2) Type of data processed

Mundys will collect and use the following categories of personal data voluntarily provided by you:

  • personal and contact data (e.g. name, surname, e-mail, company, country, etc.). 

In compliance with the principle of data minimisation, Mundys only collects data that are adequate, relevant, and limited to the minimum necessary in relation to the purposes for which they are processed. 

3) Purpose and legal basis of processing

Mundys shall process personal data to manage institutional and periodic communications on the corporate performance of the Company and the Group (financial statements, stock’s performance, renewal of corporate bodies, etc.), as well as for the invitation to corporate events. The processing of your data is optional and based on your consent (Article 6, paragraph 1, GDPR). We remind you, however, that in the absence of your consent we will not be able to guarantee the service requested.

Mundys will not use your personal data for purposes incompatible with those mentioned above, unless required or authorised to do so by law.

4) How data is processed and security measures

Data may be processed by technological and/or paper methods and through suitable IT tools (e.g. software, hardware, applications, etc.). In this regard, Mundys has controls and procedures in place to ensure the confidentiality of your data, and is constantly committed to adopting, pursuant to art. 32 of the GDPR, specific technological and organisational measures to protect data against the risk of loss, unlawful or incorrect use and unauthorised access. 

5) Storage times

Your data will be kept for the period necessary in relation to the purposes for which they were collected or subsequently processed, in accordance with legal obligations. In particular, they may be retained for a period of 48 months from the date of registration or if you withdraw your consent.

In the event of litigation or for the exercise of the right of defence in court, the above retention periods shall be suspended until such time as the parties have fully resolved on the matter. 

6) Disclosure of personal data

Your personal data may be accessed by Company’s authorized individuals, as well as communicated in accordance with the requirements of the law, regulations or contracts, always in compliance with the principles expressed in Article 5 of the Regulations, to third parties such as:

  • providers of services related to communications management;
  • providers of IT services;
  • competent authorities and/or public bodies to comply with statutory requirements.

Third parties to whom personal data may be communicated may act as independent Data Controllers or Data Processors, undertaking in both cases to protect the confidentiality and security of personal data in accordance with the applicable legislation.  

Under no circumstances will your personal data be disseminated.

7) Transfer of data outside EU

In the event that it is necessary to transfer your data to third parties located outside the European Economic Area (EEA) for specific purposes, such transfer will only take place where the European Commission has confirmed an appropriate level of data protection in the third country (Commission's decision on adequacy) or where there are adequate data protection safeguards in place (e.g. EU standard contractual clauses for the transfer of data to third countries). 

8) Data subject rights 

For legitimate and well-founded reasons, and consistent with any existing legal and contractual obligations to which the Data Controller is subject, data subjects may exercise the rights granted by Regulation (EU) 2016/679 in articles 15 et seq. of the Regulation. This can be done by writing to the email address or, for the attention of the Data Controller, to the postal address at Pizza San Silvestro 8, 00187 Rome, specifying the subject of the request and the reasons for which the data subject intends to exercise their rights.
Please note that, under existing legislation, data subjects have the right:

  • to request that their data be updated, amended, added to, removed or converted into anonymous form and block the processing of any data processed in breach of the law, including data no longer needed for the purposes for which it was collected;
  • to be informed of the reasons for which the data is processed and the related procedures and purposes;
  • to receive the data in a structured, commonly used electronic format;
  • to withdraw any consent given for the processing of their data at any time and object to, in full or in part, the use of such data.
  • to lodge a complaint with the Data Protection Authority and to exercise the other rights granted to you by existing legislation.

Mundys reserves the right to assess the applicability, with respect to the processing of your personal data, of one or more of the above rights.

9) Changes to this notice 

Mundys reserves the right to amend and update this notice over time.