privacy policy

In compliance with Regulation (EU) 2016/679, we hereby provide the necessary information regarding the processing of personal data provided by you. The information is not to be considered valid for other websites that may be consulted through links present on the domain websites of the Controller, who is not to be considered in any way responsible for the websites of third parties.

This information is also provided pursuant to art. 13 of Regulation (EU) 2016/679. The information is also based on Recommendation no. 2/2001, adopted on 17th May 2001 by the European authorities for the protection of personal data, assembled in the Group established by art. 29 of Directive 95/46/EC, in order to identify certain minimum requirements for the collection of personal data online, in particular the manner, timing and nature of the information that Data Controllers must provide to Users when they connect to web pages, regardless of the purposes of the connection; it is also based on the provisions of Directive 2002/58/EC, as updated by Directive 2009/136/EC, on Cookies, and the provisions of the Ordinance issued by the Authority for the protection of personal data on 08.05.2014 on Cookies.


1. Data Controller and Data Processor

The Data Controller, pursuant to Article 4.7 of Regulation (EU) 2016/679 is Exa MP Srl – Via Cappucini 2 – 20122 Milan, Italy, tel. +39 0575 315354, e-mail:

The Data Processor, pursuant to article 4.8 of Regulation (EU) 2016/679 is, among others, WEBSOLUTE S.p.A, with registered office in Strada della Campanara, 15 – 61122 Pesaro (PU), Italy.


2. Types of Data processed

Personal and identifying data

Identifying Data: personal data that allow the direct identification of the Data Subject (such as, for example, name, surname, e-mail address, address, telephone number, etc.).

Personal Data: any information relating to a natural person who is identified or identifiable, also indirectly, by way of any other item of information, including a personal ID code.

Navigation data

The computer systems and software procedures used to operate this Website acquire, during their normal operation, some personal data whose transmission is implicit in the communication protocols of the Internet. This information is not collected to be associated with identified Data Subjects, but by their very nature could, through processing and association with data held by third parties, allow Users to be identified. This category of data includes IP addresses or domain names of computers used by Users connecting to the Website, the URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in reply, the numerical code indicating the status of the response from the server (successful, error, etc.) and other parameters regarding the operating system and the User’s IT environment. This data is used only to obtain anonymous statistical information on the use of the site and to check its correct functioning.

Defence in legal proceedings

The User’s Personal Data may be used for defence by the Data Controller in legal proceedings or in the preparatory phases to its possible establishment. The data could be used to ascertain responsibility in the event of hypothetical computer crimes against the Website.


The User’s Personal Data may be processed with additional methods and purposes related to system maintenance.

Data provided voluntarily by the User

The optional, explicit and voluntary sending of electronic mail to the addresses indicated on this Website or the compilation of data collection forms (if any), involves the subsequent acquisition of the sender’s address, necessary to respond to the requests, as well as any other personal data entered.

Specific policies

Specific policies may be presented in the pages of the Website in relation to particular services or processing of Data provided by the User or the Data Subject.


This Application uses Cookies. To learn more and for a detailed cookie notice, you may consult our Cookie Policy.

Curriculum Vitae

We also have a policy for the processing of personal data contained in the CVs that we receive. This policy is automatically transmitted to the User when he or she sends a CV to one of our e-mail addresses.


3. Legal basis and purpose for processing and legitimate interest

Pursuant to art. 6, paragraph 1, letter b, the personal data voluntarily provided will be processed for the following purposes, until you object:

  • browsing this Website;
  • any contact request, with the sending of information requested by you;
  • possible sending of curriculum vitae;
  • possible filling in of data collection forms in dedicated areas.


4. Data processing and storage method

The processing will be carried out in automated and manual form, with methods and tools aimed at ensuring maximum security and confidentiality, by persons specifically appointed to do so in compliance with the provisions of art. 32 of Regulation (EU) 2016/679. The data will be stored for a period not exceeding the purposes for which the data was collected and subsequently processed. The processing connected to the web services offered by this Website will be physically put in third-party hosting.


5. Scope of communication, dissemination and transfer of data abroad

Your Data, object of processing, will not be disclosed and may be communicated to companies contractually linked to Exa srl within the European Union, in accordance with and within the limits of art. 44 of Regulation (EU) 2016/679, in order to comply with contracts or related purposes.

Your data may be communicated to third parties belonging to the following categories:

  • firms or companies in the context of assistance and consultancy relationships;
  • competent authorities, to fulfil legal obligations and/or provisions by public bodies, on request.

The subjects belonging to the above categories carry out the function of Data Processor, or they operate in total autonomy as separate Data Controllers. The list of processors is constantly updated and is available at the corporate headquarters of Exa MP srl, Via Cappucini, 2 – 20122 Milan, Italy.


6. Automated process and profiling

The processing of your Data will not be subject to automated processing nor profiling activities.


7. Nature of the provision and refusal

Apart from what specified about navigation data, the User is free to provide their personal data. The provision of data is optional but necessary.

Failure to provide the data marked with the symbol *, may make it impossible to obtain what is required or to use the Data Controller’s services.


8. Minors

This Website and the Data Controller’s services are not intended for children under the age of 18. The Data Controller does not knowingly collect any personal information about minors. In the event that information on minors is involuntarily recorded, the Data Controller shall delete it in a timely manner, at the Users’ request.


9. Rights of the Data Subject

You can assert your rights as expressed in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, by contacting the Data Controller calling our headquarters at +39 0575 315354 or sending an e-mail to, or by mail to the Company’s registered office in Via Donat Cattin, 123 – 52100 Arezzo, Italy.

Pursuant to article 13, paragraph 2, and articles 15 to 22 of the Regulation, we inform you that with regard to the processing of your personal data you may exercise the following rights:

  • Right to access the personal data and the following information:

– the confirmation as to whether personal data concerning him or her are being processed;

– the purposes of the processing;

– the categories of personal data concerned;

– the recipients or categories of recipient to whom the personal data have been or will be disclosed;

– where the personal data are not collected from the Data Subject, any available information as to their source;

– the existence of automated decision-making, including profiling;

– a copy of personal data object of the processing

  • Right to rectification and the right to have incomplete personal data completed;
  • Right to erasure (‘right to be forgotten’) where one of the following grounds applies:

– the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

– the Data Subject withdraws consent to the data processing and where there is no other legal ground for the processing;

– the Data Subject objects to the processing and there are no overriding legitimate grounds for the processing;

– the personal data have been unlawfully processed;

– the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject.

Where the Controller has made the personal data public and is obliged to erase the personal data, the Controller shall inform other controllers which are processing the personal data that the Data Subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

  • Right to restriction of processing where one of the following applies:

– the accuracy of the personal data is contested by the Data Subject, for a period enabling the controller to verify the accuracy of the personal data;

– the processing is unlawful, and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;

– the Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims;

– the Data Subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the Data Subject.

  • The right to lodge a complaint with a Supervisory Authority for the protection of personal data, following the procedures and indications published on the official Website of the Authority:
  • Right to data portability:  The Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or a contract and the processing is carried out by automated means. In exercising his or her right to data portability, the Data Subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
  • Right to object at any time to processing of personal data, including profiling based on those provisions:

– the processing takes place on the basis of the legitimate interest of the Controller, after the grounds for the opposition have been explained;

– where personal data are processed for direct marketing purposes.

  • The Data Subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, but shall not apply if the decision: is necessary for entering into, or performance of, a contract between the Data Subject and a Data Controller, or is authorised by Union or Member State law to which the Controller is subject or is based on the Data Subject’s explicit consent.
  • Right to withdraw consent at any time.

The exercise of the rights is not subject to any form of restriction and is free of charge.


10. Changes to the Privacy Policy

The Data Controller reserves the right to modify, update, add or remove parts of this privacy policy at its own discretion and at any time. The Data Subject shall be required to check any changes periodically. In order to facilitate this verification, the policy will indicate the date on which it was last updated. The use of the Website after the publication of the changes is an acceptance of the policy.


Date of last update: 25/05/2018