In accordance with Art. 13 of the EU Regulation 2016/679 – GDPR General Data Protection Regulation

  1. Data Controller

The Data Controller is CMA S.r.l., with registered office in S.P. 238 Km 11,728, 70033 – CORATO (BA) – Italy, Italian Business Register (of Bari), VAT Number: IT05637380725, in the person of its Managing Director (The Data Controller).

  1. Type of data collected through the website

CMA S.r.l. collects, through its own website, personal data mainly consisting of:

  1. Professional title;
  2. First name and surname;
  3. Date of birth;
  4. City and province of residence;
  5. E-mail;
  6. Qualifications;
  7. Protected group membership;
  8. Curriculum vitae.

The “Website” uses “Google Analytics” cookies with anonymous IP as well as technical cookies useful for its correct functioning and display.

Please, note that our website bears an area reserved for CMA S.r.l customers only, which can be accessed through username and password details (different for each customer), and that contains data in conjunction with the plants realized by customers:

  1. Plant Certificates;
  2. Projects and Technical Reports;
  3. Metal lift shaft structure calculations.


  1. Purpose and legal foundations of data processing

Provided your prior written consent, we will use your personal data to carry out useful activity towards you and fulfil legal and contractual obligations.

The data may be used for the following purposes:

  1. Purposes in connection with a correct and comprehensive implementation of the undersigned contract;
  2. Purposes in connection with the exercise of the Data Controller’s rights (e.g. defence in Court


  1. Purposes in connection with the fulfilment of obligations by law or regulations as well as

obligations under anti-money laundering legislation (for this purpose, consent is not required as data processing is connected with compliance to such duties/law provisions and/or regulations);

  1. Ordinary marketing activities (sending of mail and newsletters).

The Data Controller provides for the use of adequate security measures in order to preserve confidentiality, integrity and availability of your personal data.

  1. Data treatment procedures

The processing of all Personal Data supplied will be based on the principles of fairness, lawfulness and transparency, in compliance with security procedures set out in Articles. 33 and 36 (Annex B) of the Privacy Code and in accordance with Art. 32 of the GDPR.

  • All data is recorded on protected data carrier while paper forms will be suitably preserved and protected by us.
  • Please, note that the consent granted can be revoked at any time.
  • Refusal to submit any relevant personal data, for the purpose of collection, will not allow us to proceed with.

Please, note that the processing of Personal Data will be carried out in accordance with the procedures indicated in Art. 4 letter A) of the Privacy Code and Art. 4 number 2) of the GDPR. Therefore, the methods of processing may consist of:

  • collection, recording, organisation, structuring, preservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, alignment or combination, restriction, erasure or destruction.
  1. Data communication to third parties

Personal Data will be processed by the Data Controller, by the person in charge of Data processing and by any persons appointed in accordance with Art. 30 of the Privacy Code and Art. 29 of the GDPR.

The data may also be communicated to:

  • companies / professional practices that provide assistance, consulting, admin cooperation with the Data Controller as to accounting, managerial, legal, tax-related and financial matters;
  • Public administrations within the limits set by law or regulations;
  • Third party service providers to whom such communication is necessary for the performance of services covered by the contract.

In any case, the data used by such persons will be subject to a commitment on their part not to violate privacy    regulations.

Data are not subject to dissemination.

  1. Commitment of the Data Controller.

The Data Controller is committed to not transferring the Data supplied to any third country or international organisations.

  1. Period of data preservation

All Personal Data collected will be held by the Data Controller until revoked by the data subject (person submitting them)

  1. Mandatory or optional nature of personal data provision and consequences of refusal to respond
  • The provision of data for the purposes referred to in point 1 letter a), b) is optional. However, such provision shall be necessary for the execution of the undersigned contract properly and completely, and refusal to do so will impede performance of the services covered by such contract.
  • The provision of data for the purposes referred to in paragraph 1 letter c) is mandatory for the fulfilment of regulatory obligations.
  • The provision of data for the purposes referred to in point 1 letter d) is optional.
  1. Existence of automated decision-making processes

No automated decision-making process will be run on the data communicated for the treatment subject of this information notice.

  1. Data subject’s rights

The data subject is entitled to enjoy their rights according to Art. 7 of the Italian Legislative Decree 196/03 and Art. 15-22 GDPR, as follows:

  • Access to all personal data,
  • Rectification or erasure of the data (formerly: the right to be forgotten) or processing limitation of the data concerning them,
  • Right to object the processing of personal data,
  • Right of data portability,
  • The right to withdraw consent at any time, without prejudice to the lawfulness of the processing based on the consent given prior to the withdrawal,
  • The right of appeal to a supervisory authority in order to lodge a complaint.
  1. Procedures of exercising rights

You may exercise your rights at any time by sending a written notice to CMA S.r.l.’s registered office postal address, or write an e-mail to