Customer Privacy Policy

Information pursuant to Articles 13 and 14 of the General Data Protection Regulation 2016/679 (‘GDPR’)

1 – Data controller

The data controller is UNI Ente Italiano di Normazione with registered office in Via Sannio 2, 20137 Milan. The data controller has appointed a Data Protection Officer, who can be contacted at the email address

2 – Purpose

The data requested with this form are collected and processed for the following purposes:

2.1a (if you purchase UNI products/services) – Management of your order and delivery of the products or services requested, in particular the online sale of products and services on the website, including consultation of standards.

2.1b (if associating with UNI) – Management of the contractual relationship of association.

2.2 – Sending information and promotional material on UNI standards, products and services (newly published standards, training courses, webinars, promotional campaigns, etc.).

3 – Legal Bases

For the purpose of point 2.1a the legal basis for the processing is the contractual fulfilment relating to the purchase of goods or services by you.

For the purpose referred to in point 2.1b, the legal basis for the processing is the contractual fulfilment relating to the application for membership signed by the Member.

For the purpose of point 2.2, the legal basis for processing is your explicit consent, without which the personal data you provide will not be used for that purpose.

4 – Disclosure to third parties and dissemination

For the purpose of point 2.1a the personal data provided (e.g. first name, last name, full address, telephone, fax, email) may be disclosed to external third parties when required by law.

For the purpose of point 2.1b, the personal data provided (e.g. first name, last name, full address, telephone, fax, email) may be disclosed to external third parties for the contractually agreed dispatch of the periodical “Standard”, i.e. for the collection of any debts and when required by law. The personal data (first name, surname and address) of the “Natural Person Member” will be published on the website.

5 – Obligation

For the purposes of point 2.1, the disclosure of personal data is mandatory. Failing this, it will not be possible to proceed with the contractual customer and/or association relationship.

For the purposes of point 2.2, the processing will only be carried out with your explicit consent.

6 – Rights of the data subject

As a data subject, you have the rights set out in Art. 15 of the GDPR and in particular the rights to:

  1. obtain confirmation of the existence or otherwise of personal data concerning you, even if not yet recorded, and its communication in intelligible form;
  2. to obtain information on: a) the origin of the personal data; b) the purposes and methods of processing; c) the logic applied in the event of processing carried out with the aid of electronic instruments; d) the identification details of the data controller, data processors and any representative designated under Art. 3.1, GDPR; e) the subjects or categories of subjects to whom the personal data may be communicated or who may become aware of the data in their capacity as designated representative in the territory of the State, data processors or persons in charge of processing;
  3. obtain: a) the updating, rectification or, where interested therein, integration of the data; b) the cancellation, transformation into anonymous form or blocking of data processed in breach of the law, including data whose retention is unnecessary for the purposes for which the data were collected or subsequently processed c) certification to the effect that the operations as per letters a) and b) have been notified, as also related to their contents, to the entities to whom or which the data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected;
  4. to object, in whole or in part: a) on legitimate grounds, to the processing of personal data concerning him/her, even though they are relevant to the purpose of the collection; b) to the processing of personal data concerning him/her, where it is carried out for the purpose of sending advertising materials or direct selling or else for the performance of market or commercial communication surveys, by means of automated calling systems without human intervention, by e-mail. Please note that the data subject’s right to object, as set out in point b) above, for direct marketing purposes by means of automated methods extends to traditional methods and that, in any event, the data subject’s right to object may be exercised even in part. Therefore, the data subject may decide to receive only communications by traditional means or only automated communications or neither type of communication.

In addition, he/she has the rights set out in Articles 16-21 of the GDPR (right to rectification, right to be forgotten, right to restriction of processing, right to data portability, right to object), as well as the right to complain to the Data Protection Authority.

7. How to exercise your rights

You may exercise your rights under point 6 at any time by logging into your reserved area on the website or by sending a communication by email to

8. Storage Period

Personal data collected for the purpose set out in point 2.1a will be retained for a maximum of twelve years in accordance with legal obligations.

Personal data collected for the purpose of point 2.1b will be retained for at least fifteen years beyond the end of the association relationship.

The processing under item 2.2 will be carried out until consent is revoked, without prejudice to the lawfulness of the previous processing and the use of the data for other purposes with other legal bases.

9. Existence of automated decision-making processes

No automated decision-making processes will be based on the data communicated for the processing that is the subject of this notice.

10. Type of data processed (in the case of using UNI’s websites or other online resources)

Navigation data

The computer systems and software procedures used to operate this service acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols.

This information is not collected in order to be associated with identified interested parties, but by its very nature could, through processing and association with data held by third parties, allow users to be identified. This category of data includes the I.P. addresses or domain names of the computers used by users connecting to the site, the U.R.I. (Uniform Resource Identifier) notation addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user’s operating system and IT environment.

This data is used for the sole purpose of obtaining anonymous statistical information on the use of the site and to check the proper functioning of the Subscription service. The data in question could be used to ascertain liability in the event of any computer offences committed against the computer system providing the service covered by this contract: except in this case, data on web contacts to the service are generally stored only for the entire duration of the contract.