Privacy Policy – under Art. 13 EU Regulation 2016/679

Dear Data Subject,

With this document (the “Policy“), we intend to assure you of our commitment to ensure that the processing of personal data, carried out using both automated and manual methods, takes place in full compliance with the protections and rights recognized by the Regulation (EU) 2016/679 (“GDPR” or the “Regulation“) and by the further applicable rules on the protection of personal data.

The term personal data refers to the definition contained in Art. 4 paragraph 1 of the Regulation, i.e. “any information concerning an identified or identifiable natural person; an identifiable person can be identified, directly or indirectly, by reference in particular to an identifier such as a name, an identification number, location data, an online identifier or to one or more features of his or her physical, physiological, economic, cultural or social identity” (the “Personal Data“).

This Privacy Policy – drafted based on the principle of transparency and including all the elements required by Art. 13 of the Regulation – aims to provide you simply and intuitively with all the useful and necessary information so that you can give your Personal Data in a conscious and informed way and, at any time, exercise your rights under the GDPR.


According to Article 26 of the Regulation, the companies that will process your Personal Data for the purposes outlined in this Policy and that, therefore, will act as the Data Controller or Co-processors, are the companies belonging to the Datrix Group, precisely:

  • Datrix S.p.A., with registered office in Foro Buonaparte no. 71, 20121 – Milan;
  • 3rdPlace S.r.l., with registered office at Foro Buonaparte no. 71, 20121 – Milan;
  • FinScience S.r.l., with registered office at Foro Buonaparte no. 71, 20121 – Milan;
  • PaperLit S.r.l., with registered office at Foro Buonaparte no. 71, 20121 – Milan;
  • ByTek S.r.l., with registered office at Foro Buonaparte no. 71, 20121 – Milan.

(individually the “Data Controller“, jointly the “Datrix Group“).

Datrix Group has entered into a joint-control agreement, through which the individual companies have undertaken to:

  • jointly determine specific purposes and methods of Processing of your Personal Data;
  • jointly determine, clearly and transparently, the procedures for providing you with timely feedback should you wish to exercise your rights, as provided for by Articles 15, 16, 17, 18 and 21 of the Regulation, as well as in cases of portability of Personal Data as provided for by Article 20 of the Regulation, as better described in the relevant section of this Privacy Policy;
  • jointly define this Privacy Policy in the parts of common interest, indicating all the information required by the Regulation.

The agreement’s original content is available at Datrix Group and can be provided upon specific Data Subjects’ request.


The Data Controller has appointed a Data Protection Officer (the “DPO“), identifying SAPG Legal Tech S.r.l. with registered office in Via Durini n. 15, 20122 – Milan (MI).

As provided for in Article 38 of the GDPR, you may freely contact the DPO for all matters relating to your Personal Data processing or, if you wish to exercise your rights, by sending a written communication to the e-mail address


Your Personal Data will be processed exclusively for the following purposes:

  • Sending of the newsletter for the events of H2020 – CRIMSON project;
  • Sending communications on future events, initiatives and activities of H2020 – CRIMSON project, by e-mails and newsletter;
  • Sending web surveys regarding the H2020 – CRIMSON project by e-mails or social sharing.

According to Article 6, paragraph 1, letter a) of the GDPR, the legal basis for the processing carried out is the Data Subject’s explicit consent. For this reason, on the website or on the newsletter, you will find a form through which you can freely decide whether to give or withhold such consent.

We inform you that you will have the right to revoke such consent at any time, without affecting the lawfulness of the processing based on the consent given before the revocation.

The processing will be carried out only on common Personal Data such as contact details.


Your Personal Data may be managed, on behalf of the Data Controller, exclusively by staff expressly authorized to process it (under Art. 29 GDPR) and by third parties expressly appointed as data processors (according to Art. 28 GDPR) to correctly carry out all processing activities necessary to pursue the purposes set out in this Policy. 

Where required by law or to prevent or suppress the commission of a crime, The Data Controller may also disclose your Personal Data to public bodies or judicial authorities.


In compliance with the principle of limitation of the storage period (Art. 5.1 letter e) of the Regulation), your Personal Data will be processed by the Data Controller only for the time necessary to achieve the purposes set out in this Policy, in any case no longer than 4 years.

In particular, your Personal Data will be processed for a period of time equal to the minimum necessary, as indicated by Recital 39 of the Regulations, i.e., until the termination of the existing relationship between you and the Data Controller, as well as for an additional storage period that may be imposed by law (as also provided by Recital 65 of the Regulations).


You may at any time exercise your rights under Art. 15 et seq. of the Regulation against the Data Controller. In particular, you have the right to obtain:

  • confirmation that your Personal Data is or is not being processed and to obtain access to the data and the following information: the purpose of processing, categories of personal data, recipients and categories of recipients to whom the data has been or will be communicated as well as the relevant storage period;
  • the rectification of your Personal Data that is inaccurate and the integration of your Personal Data that is incomplete, also by providing a supplementary declaration;
  • the deletion of Personal Data and the limitation of the processing in the cases provided for by the GDPR and the privacy legislation in force;
  • where applicable, the portability of your Personal Data and, in particular, the possibility to request the direct transmission of your Personal Data to another data controller;
  • the right to object at any time, for reasons related to your particular situation, to the processing of your Personal Data in full compliance with the privacy legislation in force.

To exercise your rights, you may contact the Data Controller at the following e-mail address, attaching a copy of your identity document:

In any case, if you believe that the processing of your Personal Data is contrary to the Privacy Regulations, you will always have the right to complain to the competent supervisory authority (Guarantor for the Protection of Personal Data), according to Art. 77 GDPR.


The Data Controller will process your Personal Data within the territory of the European Union.