Customer Privacy Policy

Information pursuant to Articles 13 and 14 of the General Data Protection Regulation 2016/679 (‘GDPR’)

1 – Owner

The data controller is UNI Ente Italiano di Normazione, with registered office in Via Sannio 2 20137 Milan. The data controller has appointed a Data Protection Officer, who can be contacted by email at

2 – Purpose

The data requested with this form are collected and processed for the following purposes:

2.1 – Handling of your order and delivery of the products or services requested, in particular the online sale of products and services on, including consultation of standards.

2.2 – Sending information and promotional material on UNI standards, products and services (newly published standards, training courses, webinars, promotional campaigns, etc.).

3 – Legal Bases

For the purpose mentioned under 2.1 the legal basis for the processing is the contractual fulfilment of the purchase of goods or services by you.

For the purpose referred to in Section 2.2, the legal basis for processing is your explicit consent, without which the personal data you provide will not be used for that purpose.

4 – Communications to Third Parties and Dissemination

The personal data provided (e.g. name, surname, full address, telephone, fax, email) may be disclosed to external third parties when required by law.

5 – Obligation

For the purposes of point 2.1, the disclosure of personal data is obligatory. Failing this, it will not be possible to proceed with the customer contractual relationship.

For the purposes of point 2.2, processing will only be carried out with your explicit consent.

6 – Rights of the data subject

As a data subject, you have the rights under Art. 15 GDPR and in particular the rights to:

  1. obtain confirmation of the existence or non-existence of personal data concerning him/her, even if not yet recorded, and their communication in intelligible form;
  2. obtain information on: a) the origin of the personal data; b) the purposes and methods of processing; c) the logic applied in the event of processing carried out with the aid of electronic instruments; d) the identification details of the data controller, data processors and any representative designated pursuant to Art. 3.1, GDPR; e) the subjects or categories of subjects to whom the personal data may be communicated or who may become aware of it in their capacity as designated representative in the territory of the State, data processors or persons in charge of processing;
  3. obtain: a) the updating, rectification or, where interested therein, the integration of the data; b) the cancellation, transformation into anonymous form or blocking of data processed in breach of the law, including those the conservation of which is not necessary in relation to the purposes for which the data were collected or subsequently processed c) certification to the effect that the operations as per letters a) and b) have been notified, as also related to their contents, to the entities to whom or which the data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected;
  4. object, in whole or in part: a) on legitimate grounds, to the processing of personal data concerning him/her, even though they are relevant to the purpose of the collection; b) to the processing of personal data concerning him/her, where it is carried out for the purpose of sending advertising materials or direct selling or else for the performance of market or commercial communication surveys, by automated calling systems without human intervention, by e-mail. It should be noted that the data subject’s right to object, as set out in point b) above, for direct marketing purposes by means of automated methods extends to traditional methods and that, in any event, the data subject’s right to object may be exercised even in part. Therefore, the data subject may decide to receive only communications by traditional means or only automated communications or neither type of communication.

In addition, you have the rights set out in Articles 16-21 of the GDPR (right to rectification, right to be forgotten, right to restriction of processing, right to data portability, right to object), as well as the right to complain to the Data Protection Authority.

7. Ways of exercising rights

You may exercise your rights under point 6 at any time by sending an email to

8. Retention Period

Personal data collected for the purpose mentioned in section 2.1 will be kept for a maximum of twelve years in accordance with legal obligations.

The processing referred to in Section 2.2 will be carried out until consent is revoked, without prejudice to the lawfulness of the previous processing and the use of the data for other purposes with other legal bases.

9. Existence of automated decision-making processes

No automated decision-making process will be based on the data communicated for the processing that is the subject of this notice.