Privacy

This document provides information to all those who provide their personal data to Hinto S.r.l. In this
regard, we wish to inform users that the “EU Regulation No. 2016/679 (hereinafter “GDPR”) relating to
the protection of individuals with regard to the processing of personal data and the free movement of
such data” provides for the protection of individuals concerning the processing of personal data as a
right protected by European legislation.

Data Controller

The Data Controller is HINTO S.r.l. [hereinafter “Hinto” or “Data Controller”], VAT and Tax Code
08514440968, with registered office at Via Durini 24, 20122 Milan (MI) – PEC: hinto@postecert.it,
represented by its Legal Representative pro tempore.

Types of Data Processed

In the context of the activities carried out by this company, only those personal data strictly necessary
to achieve the purposes listed below will be processed, in compliance with the data minimization
principle under Article 5.1(c) and the privacy by design principle under Article 25 of the GDPR. This
processing will also be based on principles of fairness, legality, and transparency, protecting the privacy
and rights of the user.
The personal data processed are of a common type (e.g., identification, contact). Their processing
allows the Data Controller to achieve the following purposes:

Purpose of the Lawful Processing of Personal Data

  1. Management of commercial and marketing aspects of the relationship with users/clients (exchange
    of information and sharing of promotional messages with potential and actual users/clients, and management of all aspects related to the service contract, including possible promotional initiatives connected to it);
    The processing of users’ personal data is primarily aimed at populating HINTO’s commercial database by creating and storing records in the company’s management system; it also involves managing communications with subjects interested in obtaining information through the contact channels provided by the Data Controller, including the newsletter service; finally, it is necessary for managing the commercial archive where all documents related to the commercial relationship with users are kept.
  2. Execution of statistical analysis and targeted marketing activities;
    The processing of users’ personal data, namely data on browsing experience, identifying data of devices used by users for browsing, and data related to behavior/choices made on the website or visited page, occurs through cookies or other tracking tools (e.g., pixels) to obtain useful information so that HINTO can, on one hand, optimize the architecture and content of its website or its pages on social communication platforms and, on the other hand, build specific user profiles useful for reaching them with personalized messages or showing them content in line with their preferences.
  3. Compliance with legal obligations arising from the implementation of specific management systems
    (“so-called regulatory compliance”);
  4. Ensure an adequate level of security for the entire corporate ICT system;
  5. Defense of the company’s rights in legal, administrative, criminal, pre-litigation, and conciliatory
    proceedings.

Legal Basis

In compliance with Article 6.1 of the GDPR, the legal basis for the lawful processing of personal data
collected by the Data Controller is represented by:

  1. Performance of the contractual relationship with users, clients, or suppliers [Article 6.1(b) GDPR];
  2. Compliance with legal obligations imposed on the Data Controller in accounting, fiscal, banking,
    insurance matters, and corporate organization/compliance (e.g., Privacy Management Systems) [Article 6.1(c) GDPR];
  3. Freely given, explicit, and unequivocal consent provided by the client/user through positive action
    [Article 6.1(a) GDPR]:
    a. Through the use of one of the tools provided by the Data Controller to communicate with the
    company: email, phone numbers, and the contact form available on this website;
    b. By clicking the button that consents to the installation of all or some non-technical cookies;
  4. Legitimate interest in aggregately analyzing the performance of pages/services on the website
    hinto.com, on social communication platforms, and promoting services and activities via email to
    actual clients [Article 6.1(f) GDPR and Article 130.4 of Legislative Decree No. 196/2003 as amended by
    Legislative Decree No. 101/2018];
  5. Legitimate interest in ensuring the cybersecurity of the entire corporate ICT system and defending
    its rights and legitimate interests in judicial or extrajudicial proceedings [Article 6.1(f) GDPR].

Processing Methods

HINTO processes the personal data provided using paper-based and electronic tools with logic strictly
related to the purposes themselves and, in any case, in a way that ensures the security and
confidentiality of the data.

Retention Periods
All personal data processed by the Data Controller in the context of its activities are retained according
to the following times or criteria:

| Processing Scope | Purpose of Processing | Retention Period from Collection |
| --- | --- | --- |
| Marketing/Commercial | Creation of client/user records and management of related database | 2 years from the last exchange of information or the last offer if the client remains potential; 10 years after the end of the supply of goods or services, unless there is a pending legal dispute |
| Marketing/Commercial | Commercial correspondence with users through communication tools available on the site (including social platforms) or by users through the contact form | 2 years from the last exchange of information or the last offer if the client remains potential; 10 years after the end of the supply of goods or services, unless there is a pending legal dispute |
| Marketing/Commercial | Conducting statistical-behavioral analyses (including aggregated data) using cookies and other tracking tools for improving site performance in terms of services provided and navigability | Until the exercise of the right to object in the case of first-party or anonymized cookies. Until the consent is maintained, confirmed periodically, in other cases. See Cookie Policy and banner info for cookie persistence |
| Marketing/Commercial | Conducting targeted statistical-behavioral analyses using cookies and other tracking tools (e.g., pixels) for executing targeted informational and advertising actions based on specific profiles | Until the consent is maintained, confirmed periodically. See Cookie Policy and banner info for cookie persistence |
| Marketing/Commercial | Communication and dissemination of general or targeted advertising messages via newsletters, emails, and dedicated pages on the website hintogroup.eu or active pages on Hinto’s social communication platforms | In the absence of confirmed periodic consent, 5 years from the end of the last order unless opposed. In the case of social communication platforms, until the user’s consent is maintained through visiting the page and/or posting comments |

Upon expiration of these periods, any personal data contained in the aforementioned documents or
commercial correspondence will be destroyed or deleted.
If, during the above periods, a dispute arises in judicial or extrajudicial proceedings that requires the
retention of personal data used in the dispute beyond these periods, such retention would be justified
until the final resolution of the dispute.

Mandatory Nature and Consequences of Refusal to Provide Data
The personal data processed by the Data Controller in its activities are necessary to respond to or
follow up on requests made; they are also required for the execution of contractual obligations and
compliance with certain legal obligations. Providing such data is not mandatory per se, but without it, it
is not possible to meet users’ expectations and requests or enable the Data Controller to comply with
specific legal obligations once the commercial relationship is operational.

Recipients of Personal Data
The Data Controller processes the personal data necessary to achieve the indicated purposes through
individuals within its organization trained under Article 29 of the GDPR, authorized by formal
appointment letters, and committed to confidentiality regarding the processed information.
To comply with certain legal obligations in regulatory compliance, to protect its rights in judicial or
extrajudicial proceedings, and to carry out advertising-promotional activities, HINTO may
transmit/communicate personal data to third parties.
Some categories of such third parties act on behalf of and in the interest of the Data Controller and are
designated as Data Processors under Article 28 of the GDPR through formal contracts. A list of the
categories of primary recipients is provided below in this paragraph, while a list of individual names can
be obtained by contacting the Data Controller at the following email address: privacy@hintogroup.eu.

Main Categories of Recipients

  1. External professionals/consultants in accounting/fiscal and legal matters;
  2. External professionals/consultants in management systems (e.g., privacy);
  3. Control bodies (Revenue Agency, Financial Police, etc.);
  4. Insurance, credit, banking, and postal institutions;
  5. ICT service providers for the management of internal business activities;

Users’ personal data from company web pages may also be disseminated through:

  6. Providers of social communication platforms and channels.

Regarding point “5”, HINTO manages, for the purpose of informing and promoting corporate activities,
some pages on the following social communication platforms where it is possible to subscribe or like:
Facebook, Instagram, LinkedIn, and Twitter.
These platforms may alternatively be responsible for or co-controllers of processing in accordance with
the guidelines provided in the European Data Protection Board’s Guidelines No. 8/2020 on the
personalization of advertising messages to users of social communication platforms.

Transfer Abroad (Outside the EU)
The personal data processed as described in this notice may be transferred outside the EU, specifically
to the USA. In this regard, please refer to HINTO’s cookie policy.

Rights of the Data Subject
In relation to the processing of personal data by this company, the user always has the right, within the
limits and under the conditions provided by Articles 15-22 of the GDPR, to exercise the following rights:

  1. Right of access;
  2. Right to rectification and erasure;
  3. Right to data portability;
  4. Right to restriction of processing;
  5. Right to object to direct marketing based on the legitimate interests of the Data Controller;
  6. Right not to be subject to a decision based solely on automated processing.

The Data Controller shall communicate to all recipients to whom the personal data of the data subjects
have been disclosed any rectifications, erasures, or restrictions on processing, unless this proves
impossible or involves disproportionate effort. To exercise these privacy rights under the conditions
provided by the GDPR, it is necessary to contact the Data Controller at the address below and request
the appropriate form.
Postal Address: Via Durini 24, 20122 Milan (MI), Italy
Phone: +39 02 38313616
E-mail: privacy@hintogroup.eu
The data subject also has the right to lodge a complaint with the Data Protection Authority if they
believe that their data is being used unlawfully and the processing continues despite their request for it
to be stopped. For information on how to submit a complaint, please refer to the dedicated page on the
Authority’s website.

Privacy Rights

Right of Access

Referring to the guidelines issued by the EDPB in 2022, the right of access means that the data subject
can obtain from the Data Controller confirmation as to whether or not personal data concerning them
is being processed and, in addition, the following information:

  1. The purposes of the processing,
  2. The categories of personal data concerned,
  3. The recipients or categories of recipients to whom such personal data have been or will be
    disclosed, particularly if recipients are in third countries or international organizations,
  4. The existence of the right of the data subject to request the Data Controller to rectify or erase
    personal data or to restrict the processing of personal data concerning them, or to object to
    such processing.

Right to Rectification and Erasure

The right to rectification means that the data subject can obtain:

  1. The correction of inaccurate personal data concerning them without undue delay,
  2. The completion of incomplete personal data, including by providing a supplementary
    statement.

The right to erasure of personal data can be exercised if:

  1. The personal data are no longer necessary for the purposes for which they were collected or
    otherwise processed,
  2. Consent is withdrawn and there is no other legal basis for the processing,
  3. The right to object to processing is exercised and there are no overriding legitimate grounds for
    the processing,
  4. The personal data in question are processed unlawfully,
  5. The personal data must be erased to comply with a legal obligation,
  6. The personal data were collected in relation to the offer of information society services.

Right to Data Portability

The right to data portability implies that, without prejudicing the rights and freedoms of others, the
data subject has the right to receive their personal data in a structured, commonly used, and machine-
readable format and has the right to transmit those data to another Data Controller without hindrance
from the current organization. This request may be made directly to the organization to transmit the
data directly to another Data Controller.
This right can be exercised if the legal basis for the processing is (1a) consent that is freely given,
specific, informed, and unequivocal, or (1b) a contract concluded with the data subject, and (2) the
processing is carried out by automated means.

Right to Restriction of Processing and Objection

The right to restriction of processing may be exercised:

  1. When the data subject contests the accuracy of personal data, for the period necessary for the
    Data Controller to verify the accuracy of such data,
  2. When the processing is unlawful; the data subject opposes the erasure of personal data and
    requests instead the restriction of its use,
  3. When the data subject’s personal data are necessary for the establishment, exercise, or defense
    of legal claims, although the Data Controller no longer needs them for processing,
  4. When the right to object to processing has been exercised.

The right to object to the processing of personal data can be exercised by the data subject at any time
for reasons related to their particular situation and for direct marketing purposes.
The Data Controller must cease processing such personal data unless they demonstrate compelling
legitimate grounds for processing that override the data subject’s interests, rights, and freedoms, or for
the establishment, exercise, or defense of legal claims.

Right Not to Be Subject to Automated Decisions

The data subject has the right not to be subject to a decision based solely on automated processing,
including profiling, that produces legal effects concerning them or significantly affects them in a
similar way.
Such automated decisions are permitted if necessary for the performance or conclusion of a contract
between the data subject and a Data Controller or if authorized by law, which must specify the
appropriate measures to safeguard the data subject’s rights, freedoms, and legitimate interests, or if
based on the explicit consent of the data subject.
If the decision is based on a contract or explicit consent, the Data Controller must implement
appropriate measures to protect the data subject’s rights, freedoms, and legitimate interests,
including:

  • At least the right to obtain human intervention from the Data Controller,
  • The right to express their opinion,
  • The right to contest the decision.

Automated decisions must not be based on special categories of personal data unless exceptions apply,
such as explicit consent from the data subject or a significant public interest established by national or
European law, which must be proportionate to the pursued purpose, respect the essence of the right to
data protection, and provide appropriate and specific measures to safeguard the fundamental rights
and interests of the data subject.