Privacy Notice and Policy

With regard to the personal data held and lawfully and correctly processed by KALAWAY S.R.L. (formerly ADM CAPITAL S.R.L. UNIPERSONALE), VAT No. 05154930282, with registered office in Padua, Via San Crispino 82, we inform you as follows:

1. PERSONAL DATA AND PURPOSE OF PROCESSING

In accordance with Regulation (EU) 2016/679, Legislative Decree 196/2003 (as amended by Legislative Decree 101/2018), the decisions and guidance of the Data Protection Authority, and in general all applicable privacy regulations, this websiten processes browsing and usage data (including, where applicable, data derived from cookies or similar tools – see Cookie Policy). Additionally, particularly via the contact form, personal identification data (such as name, surname, residence, etc.) and contact details (such as email address) may be collected. The data provided through the contact form is used to respond to requests sent via email to the Controller (and Joint Controllers), as well as for exercising any data subject rights, including those related to privacy. Once the user contacts the Controller voluntarily, the data provided may be processed for these purposes. The collection of personal data (such as name, email, phone number, residence, etc.) may also be used – with the explicit consent of the data subject – for commercial promotion, direct marketing, sending of advertising material, commercial communication, and conducting market research, particularly using the email address, including for newsletters or traditional marketing (postal mail or phone calls with an operator). The data may also be used for sector studies or statistical analysis (e.g., measuring user time spent on certain website pages).

In the “Careers” section, personal data (such as name, email, phone number, residence, employment history, education, personal situation, etc.) provided via email may be processed to manage recruitment procedures and retained for a certain period to maintain a database for potential hiring.
This website also uses cookies (or similar tools) to collect, store, and process data to provide the website’s specific services, as well as for statistical analysis and personalized marketing. Details on cookie types, features, expiration dates, and how to manage or disable them are provided in the Cookie Policy.

2. METHODS AND LEGAL BASES OF PROCESSING

Processing may be carried out with or without electronic or automated tools, always in compliance with privacy regulations, particularly Article 32 of Regulation (EU) 2016/679, which requires appropriate technical and organizational measures to mitigate risk. Processing is performed by authorized personnel or appointed processors under the Controller’s instructions. The legal basis for processing data submitted via the contact form is the performance of a contract to which the data subject is party (if any) or pre-contractual measures at the data subject’s request (Art. 6(1)(b) GDPR). If these do not apply, processing is based on the Controller’s legitimate interest (Art. 6(1)(f) GDPR). For recruitment purposes, the legal basis is the performance of pre-contractual measures (Art. 6(1)(b) GDPR and Art. 122 of Legislative Decree 196/2003). Any irrelevant special category data (per Art. 9 GDPR) in CVs will not be used. For marketing and promotional purposes, including newsletters, the legal basis is the data subject’s explicit consent (Art. 6(1)(a) GDPR). Traditional marketing (e.g., postal mail or calls with an operator) is based on the Controller’s legitimate interest (Art. 6(1)(f) GDPR, Recital 47).
For cookies, processing is based on the Controller’s legitimate interest and the compliance with Articles 13 GDPR and 122 of Legislative Decree 196/2003 (as clarified by the Italian DPA’s decision of May 8, 2014).

3. DATA PROVISION

Providing personal data via the contact form is not mandatory but is necessary to access services in the reserved area. Refusal or incorrect provision of such data may prevent or limit access to these services.
For recruitment purposes, providing personal data is optional but necessary to participate in selection activities. For promotional and marketing purposes (including newsletters and traditional marketing), providing data is not mandatory but necessary to pursue those activities. Refusal to provide such data may result in limited or no access to those services. The data subject may withdraw consent (for newsletters) or object (to traditional marketing) at any time, with immediate cessation of processing.
Providing data via cookies is optional. For technical cookies essential to the website’s functionality, data collection occurs automatically, but users can manage these through browser settings or as outlined in the Cookie Policy.

4. DATA RETENTION

For pre-contractual services or non-contractual requests, if no deletion/opposition is lawfully requested, data will be retained only as long as necessary to deliver the requested service and defend the Controller’s rights. For information/quote requests, data will be kept for 6 months after the last unanswered communication. For contract-related processing, data will be retained for 10 years following termination or conclusion of the contract, unless further processing is required, in which case data will be retained for the additional purpose and another 10 years. For recruitment purposes, data will be retained for 3 years after consent. The data subject may request deletion at any time. For marketing (including newsletters), unless the data subject objects or requests deletion, data will be retained for the duration of the service. Cookies and similar tools will retain data for the period indicated in the Cookie Policy and never beyond the time needed to perform their specific function (personalized marketing will not exceed 12 months).

5. DATA DISCLOSURE AND SHARING

All data will be processed solely by personnel authorized by the Controller and, where necessary, by designated processors per Art. 28 GDPR. These may include employment consultants, IT providers, administrative/accounting service providers, and document storage entities. Data may also be disclosed to public or private entities to fulfill legal obligations, execute contracts, or defend the Controller’s rights in or out of court. Personal data may be shared with third parties (e.g., business counterparts, technical consultants) when necessary to carry out the Controller’s activities. Data will not be publicly disclosed.
Cookie-derived data may be accessible to third-party cookie providers and collaborators managing this website. Such data is not publicly disclosed.

6. DATA TRANSFER OUTSIDE THE EU

Data is processed within the EU. If it is necessary to use service providers located outside the European Economic Area (e.g., cloud or external servers), transfers will comply with Chapter V of the GDPR.
Data will only be transferred to countries with an adequate level of protection recognized by the European Commission (e.g., the EU-U.S. Data Privacy Framework), or with appropriate safeguards under Art. 46 GDPR (e.g., standard contractual clauses or binding corporate rules).
In any case, the Controller will implement all necessary technical and organizational measures to ensure adequate data protection.

7. DATA SUBJECT RIGHTS

Under GDPR, data subjects have specific rights, including: access to their personal data; receiving data in an intelligible format; requesting updates, rectifications, completions, or deletions (in case of unlawful processing); data portability (to receive or transfer data in a structured, commonly used, machine-readable format); withdrawal of consent (when applicable); anonymization or restriction of unlawfully processed data; and the right to object to data processing for legitimate reasons.
If the data subject believes their privacy rights have been violated, they may lodge a complaint with the Data Protection Authority.
Requests to exercise these rights may be addressed to the Controller or the Data Protection Officer (including a request for a complete list of appointed data processors).

8. JOINT CONTROLLERSHIP AND DPO CONTACT

The Data Controller is KALAWAY S.R.L. (formerly ADM CAPITAL S.R.L. UNIPERSONALE), VAT No. 05154930282, with registered office in Padua (35129 – PD), Via San Crispino 82.
The Data Protection Officer (DPO) is Stefano Rognini, VAT No. 04852330283 – PEC: stefani.rognini@ordineavvocatipadova.it – email: rognini@admassociati.it, with registered office at Via San Crispino 82, Padua (35129 – PD), and domiciled at the same address.