Data controller

This policy applies to data’s processing activities performed on the website https://www.leonardocompany.com (“Website”). The controller of personal data (“Data”) is Leonardo S.p.A., VAT number 00881841001, with registered office in Rome, Piazza Monte Grappa, 4 - 00195, in the person of its legal representative pro tempore (“Data Controller” or “Company”). The Data Controller provides the following data protection notice pursuant to Articles 13 and 14 of the EU Regulation 679/2016 as amended and integrated from time to time (the “GDPR”) and to the international laws - European and Italian – complementing it as amended and integrated from time to time (collectively, together with the GDPR, the “Applicable Privacy Law”).

Purpose and legal basis of the Data processing

As better explained in the sections that allow users to join - by providing their personal data - to the services reserved for the Website’s users, the Data of the users concerned are processed on the basis of the requests expressly made by them, from time to time, through the Website. Specifically, all Data’s collection and subsequent processing activities are aimed at pursuing the following purposes:

• sharing contents available on the Website;
• customer relationship management. In particular, on the Website there are different forms of contact via email, through which the user can indicate his or her email in order to request information about products, or official communications from the Company. In both cases, the Website does not store the user’s Data as they are immediately transmitted to the relevant company departments;
• generic request of information;
• redirecting users to third party pages where they can access reserved areas of their interest. The Website does not allow access to any reserved area; should this occur, requests to the user to enter his/her Data for registration and subsequent processing will be managed by the third party supplier of the reserved access page, behind a specific information on the processing of personal data and subject to the specific consent of the data subject;
•  provide commercial information on the services carried out by the Data Controller and/or its  related companies;
• comply with  the obligations provided for by laws or applicable laws or regulations, as well as by decisions and guidelines issued by the competent supervisory and control authorities/bodies.

The Data Controller will not use the collected Data for purposes other than those related to the specific service mentioned above, to which the user has provided their consent, or only within the limits indicated in any further specific information form, accompanying the different and particular service requested by the user. 

Who processes your Data

For purposes related to the provision of the service to which the user has adhered, the Data might be accessible by third parties, such as affiliated companies, as well as consultants that assist the Data Controller in meeting users’ requests (e.g. law and tax firms), which will act, according to the specific case, as independent Data Controllers or as Processors, pursuant to Article 28 of the GDPR. Additionally, the Data will be transmitted to third parties to whom the communication of the data is necessary to comply with the applicable laws or regulations.

The updated list of Processors is available upon request at the following email addresses of the Data Controller: dpo.leonardo@leonardo.com, or dpo.leonardo@pec.leonardocompany.com.

Within the organisation of the Data Controller, the Data will be made available to people expressly authorised by the Data Controller itself are allowed to process personal data. Authorised people are identified among the personnel operating in one of the following areas: administration, communication, accounting and i technological maintenance of the information systems. These persons, appointed by the Data Controller as authorised to the processing, carry out processing activities necessary for the pursuing of the aforementioned purposes.

Unless otherwise stated in a specific information form, the Data will not be disseminated nor transferred to third countries outside the European Economic Area (EEA).

How we process Data
The Data:

• will be processed in the manners and according to the procedures that are strictly necessary to meet user requests and through the operations or set of operations set out in Article 4, paragraph 1, number 2 of the GDPR;
• will be also processed by using electronic or automated tools, as well as by using  paper/manual tools. In this regard, please note that Data will be stored in paper and electronic archives located at the Controller’s premises and in other servers within the European Economic Area.

The Data will be processed with rationales related to the specific purposes for which they have been collected, and in accordance with the Applicable Privacy Law, and for the purposes above mentioned of  specified from time to time in any further information notice provided to the user.
The Data will be processed for the time strictly necessary to pursue for which they have been  collected.

Categories of Data and optionality of consent
The Data that will be processed are those strictly necessary to meet users requests, as well as Data that are optionally provided by the user which are not strictly necessary to process the request. 
Should user refuse to provide his/her Data or consent to the processing of his/her Data, if required:

• in case of Data strictly necessary to meet user’s request, such refusal will make it impossible  for the Data Controller to meet the  requests;
• in case of Data optionally provided, such refusal will make it impossible  to provide at least part of the requested services or provide user with the commercial information regarding the services offered by the Data Controller and its affiliated companies. 

Browsing data
During their normal operation, the IT systems and software procedures used to operate the Website collect some personal data whose transmission is implicit in the use of Internet communication protocols. Such information is not collected to be associated with identified data subjects, but by its very nature could, through processing and association with data held by third parties, allow the users to be identified.

This category of Data includes the IP addresses or the domain names of the computers used by users who connect to the Website, the URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the means used in submitting the request to the server, the size of the file obtained in response, the numeric code indicating the status of the response from the server (successful, error, etc.) and other parameters related to the operating system and the user’s computer environment.

This Data is used for the sole purpose of retrieving anonymous statistics on the use of the Website, and to check its correct functioning. Such data is immediately deleted after elaboration. Additionally, Data could be used to ascertain responsibility in case of hypothetical computer crimes against the Website; except for this eventuality, at present, the Data on Website do not persist for more than seven days.

Data voluntarily provided from the user 
The Data generally requested to use the Website’s is biographical information and contact details. The optional, explicit and voluntary sending of emails to the addresses indicated on the Website by the user entails the subsequent acquisition of the sender's address, necessary to answer the user’s requests, as well as any further personal data included in the message. Specific summary information will be progressively reported or displayed on the pages of the Website prepared for particular services upon request or for registration in reserved areas of the Website. Normally, data belonging to particular categories pursuant to Article 9 of the GDPR will not be processed. However, a specific information notice will be provided and specific consent will be requested to the user, if data belonging to particular categories will be processed.

Cookies and other technologies information-reading/storing on the user's terminal
In this Website, the Data Controller can  use cookies (small text files transferred from the Website to the device used by the user for navigation) and other technologies of information-reading/storing  on the user's device such as fingerprinting, email-tracking or Clear GIF/Beacons. Their purpose is to analyse  user's access to  a specific Web page, in order to customise and streamline the user navigation experience and to enrich user profiling for advertising and/or commercial purposes.

The cookies may be "temporary" (also said session cookies, since they are deleted when the connection ends) or "permanent" (they remain stores on the user's hard disk, unless the user deletes them).

For further information on how to set cookie-usage preferences through your browser, please check out to the following instructions:

• Internet Explorer
• Firefox
• Chrome
• Safari

For further information relating to the kinds of cookies used by the Website, the functionalities that allow their enabling or disabling, please check out  the "Cookies Policy", which can be found here.

To exercise the  users’ rights regarding the use of cookies and other profiling tools, please contact the following e-mail address of the Data Controller DPO.leonardo@leonardo.com, as described  below.

Rights of the data subject

• With respect to the Data held by the Data Controller, users of the Website can exercise all rights set forth by the Applicable Privacy Law, in particular :Request the Data Controller to confirm the existence of a processing of his/her personal data, the origin of such data, the logic and purposes of the processing, the categories of subjects to whom the data may be communicated, as well as the identification details of the Data Controller and its Data Processor;
• request access to personal data, anonymisation, objection, rectification, updating, integration, erasure or limitation of the processing;
• object to the processing of personal data within the limits set forth by the Applicable Privacy Law;
• exercise the right to portability;
• withdraw his/her consent (where this is the necessary legal basis for the data processing) at any time without prejudice to the lawfulness of the data processing based on the consent before its withdrawal;
•  lodge a complaint with the Italian Data Protection Authority, following the procedures and the instructions published on its official website at garanteprivacy.it; 
• To exercise the rights set forth by the Applicable Privacy Law, please fill out the appropriate form, available at the following link, and send it to the following addresses:dpo.leonardo@leonardo.com, or dpo.leonardo@pec.leonardocompany.com.

For any communications, requests or reports regarding on data privacy, please refer to one of the mentioned email addresses.

Any corrections, erasures or limitations of Data processing carried out upon the user’s request - unless this proves impossible or involves a disproportionate effort - will be transmitted by the Data Controller to each of the recipients to whom the personal data have been disclosed. The Data Controller may communicate these recipients to the user if the latter so requests.

In order to become aware of any changes or amendments to  the privacy policies applied by the Data Controller, mainly resulting from regulatory developments, please consult this document on a regular basis.