Privacy Policy

Dear Sir/Madame,

pursuant to Articles 13 and 14 of the GDPR, the Retelit Group companies indicated below, inform you that the data relating to your company (hereinafter, the "Client") and the personal data relating to individuals acting on its behalf (hereinafter, the "Data"), will be processed and stored in compliance with the provisions of the European Data Protection Regulation EU 2016/679 (hereinafter, the "GDPR"), the applicable legislation on the protection of personal data, and in accordance with this notice.

It is understood that it is your responsibility to inform the natural persons acting on your behalf of the processing of the Data referred to in this notice and to request their consent, where necessary.

1. Who we are.

The Retelit Group consists of the Parent Company Retelit S.p.A. and the other Companies that will process the data as Joint-Controllers by virtue of the Joint-Controller Agreement entered into pursuant to Article 26 of the GDPR, the essential contents of which are available upon your request at the contacts below. The Joint-Controllers are:

• Retelit S.p.A. with registered office at 9 Via Pola, Milan - 20124;
• Retelit Digital Services S.p.A. (RDS) with registered office at 9 Via Pola, Milan - 20124;
• Retelit Data Center S.r.l. with registered office at via Pola 9, Milan - 20124;
• Brennercom Tirol GmbH with registered office at Eduard Bodem Gasse 8, 6020 Innsbruck.

Hereinafter, severally the Controllers or jointly the "Joint Controllers" or the "Retelit Group".

In any case, for any request regarding the processing of Data, it will also be possible to contact the parent company Retelit S.p.A., by sending

• a registered letter with return receipt to the registered office
• a PEC (registered mail) to address retelit@pec.retelit.com
• an e-mail to the address privacy@retelit.it

For the Companies belonging to the Retelit Group, please refer to the website, on the link https://www.retelit.it/en/legal/legal-notes

2. Data Protection Officer.

The Retelit Group's Joint-Controllers have designated a Data Protection Officer (DPO).
The DPO for the Companies listed below:

• Retelit S.p.A. with registered office at 9 Via Pola, Milan - 20124;
• Retelit Digital Services S.p.A. (RDS) with registered office at 9 Via Pola, Milan - 20124;
• Retelit Data Center S.r.l. with registered office at via Pola 9, Milan - 20124.

contacted by e-mail, at dpo@retelit.it.

3. Type of Data and Method of Processing.

Concerning the activities related to the establishment and subsequent management of the contractual relationship with you and/or the organization for which you are the contact person, the Joint-Controllers collect and process the following categories of Data:

1. data belonging to particular categories under Article 9 of the Privacy Regulations, and specifically data related to health status, necessary for the activation of particular Services and/or to benefit from subsidies;
2. contact data, such as residence or home address, e-mail address, telephone number, content of the inquiry;
3. data inherent in the use of social networks in case of contact through social channels (e.g., nickname, profile picture). Please note that access through and use of social channels are subject to the terms and conditions and privacy and cookie policies of those social networks;
4. voice recordings, video images, advanced electronic signature (AES) to carry out the online identification process, instrumental in providing the mobile telephone Services;
5. telephone traffic data, telematic data, and data on the type of devices used to use the services;
6. company, industry, job role, function;
7. bank details (e.g. IBAN code, credit card number, etc.), other information necessary for payment and/or billing purposes (where applicable);
8. data related to your consumption habits and preferences, in order to send you targeted offers of products and/or services from the Joint-Controllers and/or business partners;
9. in general, any other information necessary for the establishment and subsequent execution of the contract or for ancillary and/or functional activities;
10. data collected as part of surveys and other "customer satisfaction" aimed at detecting the degree of satisfaction and/or improving the quality of service rendered to Customers;
11. data inherent to the analysis of telephone and telematic traffic data, in an anonymous and aggregated manner to improve the technologies and services provided by the Joint-Controllers;
12. data provided by third parties and/or partners, such as data on the creditworthiness of its customers, from public and private records and archives;
13. data to enable us to comply with measures of public authorities;
14. identification data of the telephone cell to which you are connected, while using the mobile telephone Services;
15. data on creditworthiness and punctuality of payments, to prevent the risk of possible fraud, identity theft and credit risk.

The Joint-Controllers collect the Data :

• directly from the data subject, through customer care operators and by other means of contact, such as, for example, websites and applications on mobile devices such as tablets and smartphones;
• through third parties, financial risk centers and retailers, when acting as autonomous Controllers;
• from public sources, such as freely accessible records, directories and documents (such as financial statements or chamber of commerce registrations), as well as from sources such as print and/or digital newspapers, information drawn from telephone directories, websites of public agencies and supervisory and control authorities.

4. Purpose and legal basis of data processing.

Personal Data are processed:

1. to fulfil legal and/or regulatory obligations to which the Joint-Controllers are subject, including obligations of a fiscal, accounting, administrative nature, related to the provision of services or sale of their products, including assistance through customer support and send you service communications (e.g., updates and changes in contractual conditions, service interruptions or exceptional and emergency cases) as well as to detect and verify any technical issues, carry out technical maintenance activities, including remotely;
2. for the performance of contracts of which the data subject is a party and for the adoption of pre-contractual measures taken at your request;
3. to carry out ordinary pre-contractual activities related and/or instrumental to the establishment of the contractual relationship, such as, but not limited to, creditworthiness, credit rating and/or reliability checks to prevent the risk of possible fraud, identity theft and credit risk;
4. for the establishment, exercise or defence of legal claims of the Joint-Controllers;
5. for conducting corporate transactions such as sales, acquisitions, mergers, demergers or other organizational transformations;
6. for sending promotional e-mails (so-called "Soft-spam"), whereby the Joint-Controllers may use the e-mail details you provide in the context of the sale of a similar product or service, without requesting your consent, if properly informed, you do not refuse such use, either initially or in subsequent communications. At the time of collection and when sending each communication, he or she is informed of the possibility of objecting to the processing at any time, easily and free of charge;
7. for the sending of surveys and other "customer satisfaction" aimed at detecting the degree of satisfaction and/or improving the quality of service rendered to Customers;
8. for direct marketing activities, consisting of sending advertising material or carrying out market research, commercial and promotional communication, newsletters, by automated means (electronic mail, SMS) and traditional means (operator phone call and paper mail). To compare and, if necessary, improve the results of automated communications, the Joint-Controllers will be able to use systems with reports, which allow them to know the number of readers and interactions with the message, the devices and operating systems used to read the communication;
9. for non-automated profiling activities, whereby personal data entered into Data Base/CRM business/platforms, will be used to perform analysis and evaluations in order to improve service management and send targeted promotional communications;
10. for the analysis of telephone and telematic traffic data, in an anonymous and aggregated manner to improve the technologies and services provided by the Joint-Controllers;
11. to carry out the SIM card activation process for the purpose of identification and completion of the online contract;
12. for checking the quality of services provided to the Customer and for training Customer Care staff.

5. Legal form

The processing of the Data for the purposes at a), b), c) and k) does not require your consent as necessary to fulfil the legal obligations or for the execution of the contracts to which you are party and/or for the adoption of the precontractual measures adopted on your request, as per Article 6, paragraph 1, letters b) and c) of the GDPR.
The processing of the Data for the purposes at d), e), f), g), j) and l) does not require Your consent as necessary to pursue the legitimate interest of the Joint-Controllers, in accordance with Article 6, paragraph 1, letter f) of the GDPR.
The processing of the Data for the purposes at h) and i) requires your consent in accordance with Article 6, paragraph 1, letter a), which can be revoked at any time.

6. Conferment of data

The conferment of Data for the purposes at a), b) and c) constitute respectively a legal and a contractual obligation. In these cases, failure to provide the Data will result in the inability of the Joint-Controllers to establish and/or continue business relations with you.
The provision of Data for the purpose at d), e), f), g), j) and l) is necessary for the pursuit of the legitimate interest of the Joint-Controllers, without prejudice to your right to object to the processing at any time in the case of special situations that concern you. Failure to provide such will prevent the achievement of the legitimate interest of the Joint-Controllers as stated above. The denial will have to be balanced against the legitimate interest of the Joint-Controllers.
The provision of Data for the purpose at h) and i) is optional and failure to provide it will result in the inability of the Joint-Controllers to process personal data for the above purposes.
With regard to the purposes as per point f), the Companies may use the e-mail details provided by you in the context of a previous sale of products and services. This is without prejudice to the fact that you may object at any time to such processing (initially or on the occasion of subsequent communications), in the manner described in the appropriate section of this disclosure.

7. Addressees or categories of addressees.

The Data will not be disclosed. Personal data may be communicated to parties qualified as Joint-Controllers, Autonomous Data Controllers or Data Processors (Article 28 GDPR) and processed by individuals (Article 29 GDPR) acting under the authority of the Joint-Controllers and Data Processors on the basis of specific instructions given, regarding the purposes and methods of processing. Data will be disclosed to recipients in the following categories:

• employees or collaborators in any capacity, of the Joint-Controllers or Group Companies;
• group companies, including those based in EEA countries;
• individuals who manage/support/assist, even if only occasionally, the Joint-Controllers in the administration of the Information System and telecommunications networks (including e-mail, websites and/or web platforms);
• subjects and entities, provided for by current accounting and tax regulations as recipients of mandatory communications, providers of assistance and consulting services with reference to the activities of the technological, accounting, administrative, legal, insurance, IT, commercial, credit, tax, market research, marketing sectors;
• Italian and foreign entities performing data acquisition, processing and treatment services necessary for the functioning of user services, including connection/interconnection/roaming services (domestic and international) and portability services;
• banking and equivalent institutions;
• commercial and distribution network;
• potential buyers and entities resulting from the merger or any other form of legal transformation;
• parties and members of the Supervisory Board;
• Competent Authorities.

The list of data processors is available upon request from the data subject by writing to privacy@retelit.it .

8. Retention period.

The Contractors will process your Data for as long as is strictly necessary to achieve the purposes stated and described in this policy.

Specifically, depending on the purpose of processing, the expected retention periods are as follows:

Pre-contractual activities	Up to 60 months after Data collection
Fulfillment of legal obligations	Up to 10 years after the termination of the provision of services/products
Administrative, accounting and tax purposes, including corporate transactions such as sales, acquisitions, mergers, demergers or other organisational transformations	Up to 10 years after the termination of the provision of services/products
Online identification for activation of landline telephone services	For the duration of the contractual relationship
Signature audit - AES service pursuant to Legislative Decree No. 82/2005, as amended (hereinafter referred to as "CAD") and the Prime Ministerial Decree of February 22, 2013 Article 57, letter b) as amended	up to 20 years after data collection
Verification of the degree of financial reliability, solvency and fraud prevention	for the duration of the contractual relationship
Marketing purposes so-called "soft spam"	up to "opt-out" opposition according to Article 21 paragraphs 2 and 3 GDPR
Processing for carrying out direct marketing activities	until consent is revoked or until 24 months after termination of the contractual relationship
Non-automated profiling	until consent is revoked or until 24 months after termination of the contractual relationship
Processing for the management of extrajudicial, judicial and regulatory litigation	For the duration of the contractual relationship, unless extended in the event of any pending litigation with Retelit Group customers
Recording of calls for verification of service quality and training of customer care workers	up to 90 days after registration acquisition
Conducting surveys and other "Customer Satisfaction" surveys	Up to 24 months after termination of the contractual relationship, unless objected to under Article 21 GDPR
Processing of telephone and/or computer traffic data for service billing purposes including payments	up to 6 months, unless extended, for litigation management
Retention of telephone and/or computer traffic data for the purpose of investigating and prosecuting crimes	30 days (unanswered calls), 12 months (telematic traffic), 24 months (telephone traffic) and 72 months (to assist competent authorities in the fight against terrorism and serious crimes), respectively, according to specific legal provisions

9. Data transfer to third countries.

The Joint-Controllers undertake to process and store Personal Data within the European Economic Area (EEA).
Notwithstanding the above, in order to achieve the purposes set out in paragraph 4, Data may be transferred outside the EEA, on the basis of and with the guarantees provided for in Article 44 and subsequent of the GDPR, to entities that offer the Joint-Controllers services related to the processing activities carried out (e.g. technology service providers, cloud, CRM, etc.).
Such transfer, where applicable, will take place in compliance with the conditions set forth in the GDPR and will be regulated, depending on the recipients, through the use of the Standard Contractual Clauses ("SCCs") adopted by the European Commission or - alternatively - on the basis of an adequacy decision of the Commission and/or any other instrument allowed by the relevant legislation, including adherence to the certification mechanism of the "EU-U.S. Data Privacy Framework" ("DPF"). For information about the guarantees inherent in the transfer of data outside the EEA, interested parties can write to privacy@retelit.it.

10.Rights that can be exercised by the interested party.

During the period in which the Joint-Controllers carry out the processing of your Data, you, as an interested party, may, at any time, exercise the rights provided for in Article 15 and subsequent of the GDPR

1. Right of access (Article 15 GDPR): You have the right to obtain confirmation about the existence or otherwise of processing concerning your Data, and, if applicable, the right to receive any information concerning the processing;
2. Right of rectification (Article 16 GDPR): You have the right to have your Data corrected if it is incomplete or inaccurate;
3. Right of deletion (oblivion) (Article 17 GDPR): in certain circumstances, you have the right to obtain the deletion of your Data, if it is not relevant to the continuation of the contractual relationship and/or necessary to fulfil a legal obligation to which the Joint-Controllers are subject and/or for the establishment, exercise and/or defence of a right in court;
4. Right to restriction of processing (Article 18 GDPR): You have the right to obtain the restriction of processing concerning your Data, in the cases provided for in Article 18 of the GDPR;
5. Right to portability (Article 20 GDPR): You have the right to receive personal data about you in a structured, commonly used, machine-readable format and to request its transmission to another data controller, if technically feasible.
6. Right to object to the processing of personal data (Article 21 GDPR): You have the right to object, at any time, for reasons related to your particular situation, to the processing of your Data, if based on the lawfulness condition of legitimate interest, unless there are legitimate reasons for the Joint-Controllers to continue the processing, which override the interests, rights and freedoms of the interested party, such as the establishment, exercise or defence of a right in court.
7. Revocation of consent in relation to processing carried out for marketing and/or profiling purposes: interested parties are granted the right to revoke the consent given where provided as a legal basis, without affecting the lawfulness of the processing based on the consent given prior to revocation.
   To stop receiving direct marketing communications and/or revoke consent to profiling, you can email us at dpo@retelit.it or privacy@retelit.it, use our automatic unsubscribe systems provided for e-mails only (opt-out) or access the Customer area using - where available - the appropriate function.
8. The Joint-Controllers shall communicate (Article 19 GDPR) to each of the recipients to whom the personal data have been transmitted, any rectification or erasure or restriction of processing carried out. The Joint-Controllers shall inform the data subjects of these recipients, if they so request.

11. Right to lodge a complaint to the Authority.

In the event that you believe that the processing of personal data carried out by the Joint-Controllers is in violation of the provisions of Regulation (EU) 2016/679, you may file a complaint with the National Supervisory Authority, in particular in the member state where you normally reside or work, or in the place where the alleged violation of the Regulation occurred (Privacy Guarantor https://www.garanteprivacy.it), or to take appropriate legal action.

12. Final Provisions.

The Joint-Controllers may change, modify, add or remove any part of this Privacy Policy, the updated version of which can always be found on the Parent Company's website at https://www.retelit.it/it/privacy.

Date of update: February 28, 2025