Privacy Policy

1.    Identity of the data controller

MUNDYS SpA (hereinafter "Mundys" or "Data Controller"), with its registered office at Piazza San Silvestro 8, 00187 Rome

2.    Data controller's contact information


3.    Personal Data Collected

  • Identification and/or contact data
  • Browsing data[1] and cookies.

​​​​​​​During use of the Websites, the Controller may gather Data either indirectly (e.g., by tracing the device’s IP address or URL when monitoring use of the Website) or directly (e.g., when you voluntarily enter Data into an online form or, where possible, create a profile on the Website). In this second case, processing will be covered by notices pursuant to art. 13 of the GDPR specifically drawn up and provided from time to time by the Controller and to which reference should be made for further details (e.g., whistleblowing privacy policy).


3.1.   Purpose of processing

  1. Ensure the smooth operation of the website and enable use of all its functions.
  2. Configuration of cookies on the website

3.2.   Legal basis of processing

  1. Legitimate interest
  2. Consent

3.3.   Personal data storage times

  1. Logs deriving from accessing and using the services made available via the web are stored in such a way as to guarantee data security and confidentiality for a period of twelve (12) months
  2. Regarding storage times, reference should be made to the cookie policy.

The retention time may be extended in the event of legal or disciplinary action and to enforce Mundys' rights. In such event, your personal data will be retained for the duration of the proceedings, until they are concluded and all time limits for appeals have expired.

4.    How data is processed and security measures

Data may be processed by technological and/or paper methods and through suitable IT tools (e.g. software, hardware, applications, etc.). In this regard, Mundys has controls and procedures in place to ensure the confidentiality of your data, and is constantly committed to adopting, pursuant to art. 32 of the GDPR, specific technological and organisational measures to protect data against the risk of loss, unlawful or incorrect use and unauthorised access.

5.    Recipients and categories of recipient of personal data

In order to pursue the stated purposes of processing, personal data may be transferred to various entities, including:

  • the Data Controller's employees and collaborators, in their capacity as authorised data processors;
  • third parties contractually linked to the Data Controller, who in certain cases will act as data processors (e.g. marketing service providers, etc.) or autonomous data controllers;
  • judicial authorities and/or public bodies, at their express request and/or under the law, during investigations and checks in their capacity as autonomous data controllers.

A full list of recipients of Data Subjects' Personal Data, including further details on the location of such recipients, is kept at the Data Controller's head office and may be consulted on request.

6.    Transfer of Personal Data

Your personal data will essentially be processed within the European Union. In the event that it is necessary to transfer your data to third parties located outside the European Economic Area (EEA) for specific processing management purposes, such transfer will only take place where the European Commission has confirmed an appropriate level of data protection in the third country or where there are adequate data protection safeguards in place (e.g. EU standard contractual clauses for the transfer of data to third countries).

7.    Data subject rights

With regard to the Data Controller, Data Subjects may at any time exercise their rights as provided for in Articles 15 et seq. of the GDPR, in relation to the processing of their personal data, such as, for example, right of access, correction, deletion, restriction of and opposition to processing by sending an email request to

8.    Right to lodge a complaint with the data protection authority

If you believe that your personal data have been processed unlawfully, you have the right to lodge a complaint with the Italian Data Protection Authority (

9.    Provision of personal data

  • With regard to purpose 1, your data will be acquired via browsing the portal.
  • With regard to purpose 2, processing of your data is subject to your providing free and express consent.

10.    Automated decision-making process

Personal data collected will not be subject to an automated decision-making process.


[1] During their normal operations, the computer systems and software procedures used to run the Company's Websites collect certain data whose transmission is implicit in the use of internet communication protocols.

Such data include the IP addresses or domain names of users' computers connecting to the website, the URI (Uniform Resource Identifier) notation addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to a user's operating system and computer environment. These data are used for the sole purpose of obtaining anonymous statistical data on use of the website and to check that it is functioning correctly, and are retained for the time periods set by the relevant legal regulations.

Data referring to Data Subjects, collected either directly or indirectly, may be processed by the Data Controller in order to carry out website management and administration activities, in order to improve users' browsing experience and also to determine responsibility in the event of hypothetical cybercrimes that may harm the website.