Data Controller

The Data Controller, i.e. the entity that determines the purposes of processing personal data and the means by which they are processed, is Star Progetti Tecnologie Applicate S.p.A. (hereinafter «Star Progetti» or the «Company»), with registered administrative office in Via Cassino d’Alberi, 17, 20067 Tribiano (Milan) Italy, VAT no. IT12124050159, to whom you may apply to exercise rights laid down in the GDPR.

The Data Controller can be contacted by sending an email to

Sources and categories of processed data, the nature of data provision and processing methods

Personal data subject to processing are collected mainly from the Data Subject (hereinafter «Customer»).

Star Progetti processes the following categories of data:

– common data: personal data (including your name, surname, date of birth, tax code and home address/residence), contact data (telephone number, e-mail address and certified e-mail address), payment and billing data (such as bank details, VAT number and SDI code for electronic invoicing);

Customers are required to provide data so that the Company is able to properly execute the contract. Any refusal to provide such data makes it impossible for the Company to properly manage these aspects and therefore renders establishing and maintaining a contract impossible.

Personal data are processed in compliance with Data Protection Laws using manual, paper-based, computerised and telematic tools to safeguard the security and confidentiality of data, with particular attention paid to the technical and organisational security measures adopted.

Purposes of processing and legal bases

The personal data you provide may only be used for the following purposes:

  1. managing contractual relationships. In particular, data will be processed to establish a customer database; administrative management of contracts, including the management of invoices; responding to requests from Data Subjects to send information or material. For this processing purpose, consent is not required as the legal basis for said processing is the correct implementation of the provisions of the contract in place/being concluded with the customer;
  2. compliance with legal obligations, such as fiscal, administrative and accounting obligations related to the contract and in accordance with Regional and State obligations. For this processing purpose, consent is not required as the legal basis for said processing is the need to comply with the legal obligations to which the Company is subject;
  3. sending commercial information or communications relating to products or services offered by Star Progetti similar to those purchased (so-called soft-spam) via the e-mail address provided at the time of purchase. For this processing purpose, consent is not required as said processing is necessary for the pursuit of the legitimate interest of Star Progetti to keep its customers updated about products offered by the Company which are similar to those sought-after (legal basis: Art. 6 (1)(f) regarding legitimate interests, Recital 47 of the GDPR, and Art. 130 (4) of Legislative Decree 196/2003). The Data Subject has the right, at any time and free of charge, to object to said processing in accordance with the procedures outlined in the section entitled «Rights of the Data Subject» or by clicking «Unsubscribe» in any communication forwarded to them.
  4. Carrying out credit assessments (with exclusive reference to legal persons), including through relevant institutions/associations that process information for statistical purposes. For this processing purpose, consent is not required as said processing is necessary for the pursuit of the legitimate interest of the Company to protect its economic and financial interests and to verify the reliability of its customers (legal basis: Art. 6 (1) (f) of the GDPR regarding legitimate interests).
  5. Data collected will be used to determine levels of customer satisfaction and carry out market research, but only when express consent is provided. Expressed consent can be withdrawn at any time, except for data processing carried out before consent is withdrawn, in accordance with the procedures outlined in the section entitled «Rights of the Data Subject».

Disclosure and circulation of data

Data may only be made known to authorised, specifically-tasked individuals (in full compliance with security measures and confidentiality obligations), pursuant to Art. 29 of the GDPR and 2quaterdecies of the Italian Data Protection Code, working in corporate Marketing, Commercial, Sales and IT departments and administrative offices. To this end, data may be sent to external parties acting as independent Data Controllers or Data Processors, pursuant to Art. 28 of the GDPR, who carry out duties strictly related to and instrumental to the management of the contractual relationship.

Personal data provided may be disclosed, by way of example, to the following types of entities:

  • professional consultancy firms in the field of accounting and tax;
  • bodies and associations that the Company is part of;
  • commercial agents holding company mandates;
  • public or private entities for correct compliance with legal obligations;
  • companies that develop and/or manage databases that are designed to protect against credit risks and are accessible by third-party companies.

For an updated list of entities to which your personal data may be disclosed, you can send an email to the Data Controller’s email address or to, ensuring that the reason for the request is properly specified. Data will not be disclosed or transferred to a third country (or area outside the European Economic Area) or international organization. If it is necessary to transfer data to a third country located outside the European Economic Area, the Company guarantees that any such transfer will only take place if an Adequacy Decision has been made by the European Commission or other appropriate safeguards set forth by Data Protection Laws apply (e.g. the stipulation of standard contractual clauses with the entity receiving the data).

Retention period or criteria used to establish said period.

Data will be retained in compliance with statutory and tax obligations (e.g. statutory obligation to keep accounting records and additional corporate correspondence for 10 years) and for a period of time that does not exceed the time needed for the purposes for which they were collected or subsequently processed. Data may be retained even after the termination of the contractual relationship to ensure that all obligations related to or arising from the collaborative relationship are fulfilled (e.g. managing potential litigation initiated with the customer).

Personal data will be retained for the time necessary to carry this out. Data may be retained by way of:

  • storage within CRM hardware or software systems belonging to the Data Controller or its officials;
  • archiving in accordance with the Digital Administration Code; in this case, the Data Controller will only use accredited entities in compliance with Art. 29 of the DAC if this cannot be carried out using our own applications systems.

Rights of the Data Subject

The Data Subject enjoys a number of rights, including the right to:

  • obtain confirmation from the Data Controller that personal data relating to them are being processed or not and, if so, gain access to said personal data and information, as provided for by Art. 15 of the GDPR;
  • request that the Data Controller rectifies incorrect data concerning them;
  • have personal data concerning them erased if they are no longer necessary for the purposes for which they were collected or otherwise processed, i.e. if additional conditions set forth in Art. 17 of the GDPR apply, while the conditions referred to in Art. 17, paragraph 3 do not apply;
  • request that the Data Controller limits processing when: a) the Data Subject contests the accuracy of the personal data, for the period of time needed for the Data Controller to verify the accuracy of said personal data; b) the processing is unlawful but the Data Subject objects to the personal data being deleted and instead requests that restrictions are applied or asks for the data to be processed for the purpose of establishing or defending their rights in court;
  • receive their personal data in a structured, commonly used and machine-readable format; if this right is exercised, you will have the right to request that the Data Controller sends this data directly to another controller;
  • oppose processing based on an automated decision-making process related to a natural person, where profiling is also included;

For any of these requests, to oppose to the sending of communications relating to products or services similar to those purchased and to withdraw express consent, the Data Subject may get in touch via the Data Controller’s email address: With regard to data processing that the Data Subject deems non-compliant with the law, a complaint can be made to the competent supervisory authority, which, in Italy, is the Italian Data Protection Authority. Alternatively, the Data Subject may lodge a complaint with the Data Protection Authority of the EU state in which they live or ordinarily work, or at the place where the alleged infringement occurred.