Corporate Personal Data Protection

Last Content Update: 04/12/2020

General notice

CRIT Srl (“CRIT” in the following) is the personal data controller and, according to the Articles 12, 13 and 14 of the European Regulation 2016/679 of the 27th of April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR” in the following, namely General Data Protection Regulation), informs on the following:


Personal data means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Controller and data protection officer

Controller of the personal data is

with headquarter in via Confine 2310, 41058 Vignola (MO),
phone: +39 059 776 865,

Data protection officer (DPO) is

Mr. Riccardo Masiero,
phone: +39 059 776 865,
Data subject’s rights

The data subject has the right to obtain from CRIT the access to her/his personal data (Article 15) to be informed about them and their processing, as well as to obtain copy of them (the corresponding administrative fee for copies that may following the first one is of 50 €). CRIT must answer to a data subject’s request without unjustified delay, namely within one month from request’s date. CRIT must use a clear and plain language.

The data subject can request:

  • rectification of her/his personal data, if they are incorrect or incomplete (Article 16);
  • erasure of personal data (Article 17), unless purposes in the public interest or public health, scientific or historical research purposes will exist;
  • restriction of processing of personal data concerning the data subject or to object to such processing (Article 18).

erasures of personal data to each of the each of the recipients to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort; in addition, CRIT must inform the data subject about those recipients if the data subject requests it (Article 19).

If the legal basis of the personal data processing is the data subject’s consent, the performance of a contract, or if the processing is carried out by automated means, the data subject has the right to data portability from CRIT to another controller (Article 20).

In particular, the data subject can, in any moment, to object completely to the processing of her/his personal data, according to Article 21, unless the data processing is necessary for the accomplishment of a task of public interest.

The data subject, furthermore, has the right not to be subject to a decision based solely on automated processing, including profiling (Article 22), unless such procedure is necessary for the processing or finalization of a contract, is authorized by the European Commission or the Italian state or is based on the data subject’s explicit consent.

When a data breach occurs that shows high risks for the fundamental rights and freedom of the data subject, this one has the right to be notified within 72 hours by CRIT about the data breach itself (Article 34), unless CRIT may prove that all the adequate technical and managerial techniques to protect the personal data have been used, if after the data breach CRIT takes all the necessary measure to avoid risks to the rights and freedom of the data subjects, or such communication would involve disproportionate effort.

Finally, the data subject has right to lodge a complaint with a supervisory authority (in Italy, one can refer to the Garante per la Protezione dei Dati Personali).

Accessibility to personal data and communication

The data subject can request to access to her/his personal data, and exercises one of more of her/his GDPR rights as expressed in articles from 15 to 22 and 34, by downloading the dedicated form from the web site of the “Garante per la Protezione dei Dati Personali”), fill the form, and e-mail (, it as attachment to CRIT.

In doing so, please, include as prefix of the e-mail subject the “GDPR” acronym (for example: “GDPR – request copy of personal data”). By using the buttons at the bottom of the page it is possibile to open an e-mail form with the selected objected already typed.

If the Garante’s web site will not be accessible to download the above form, it is possible to request it by e-mail directly to CRIT (, always including the prefix “GDPR” in the e-mail’s subject (for example: “GDPR – request for the data accessibility form”). This same procedure can be followed for any kind of request or necessity of information that may concern the personal data processing done by CRIT.

Automated profiling

CRIT does not process personal data by means of tools for automated profiling.

Personal data storing tools

CRIT uses data storing tools located both in the company (file server installed in the headquarter) and in the cloud, these latter managed by European or US companies. Whilst European companies must be compliant with the GDPR, US companies must ensure an adequate level of protection according to the agreement (UE) 2016/1250 of the 12th of July 2016.

Specialized addendum for each data processing flow

In the following all the identified personal data processing flows for the activites of CRIT are listed and explained. The flows are grouped according to the various types of interested data subjects. To visualize the detailed information of each flow, just click on it.

All Users

Customers and Suppliers

CRIT members, Members of the CRIT Supplier Network, Customers, Prospects e Leads

External Users



Contact CRIT about personal data processing

Contact DPO

GDPR – Generic information

Accessibility (Article 15)

GDPR – Request information on personal data GDPR – Request copy of personal data

Modify (Articles 16, 17, 18)

GDPR – Request rectification of personal data GDPR – Request erasure of personal data

GDPR – Request restriction of personal data processing

Portability (Article 20)

GDPR – Request portability of personal data

Objection (Article 21) e Consent’s withdrawal (Article 7, paragraph 3)

GDPR – Object to personal data processing GDPR – Withdraw your consent

Last technical maintenance of this web page: 01/09/2022