Privacy Policy


1. Premise

Erion Compliance Organization S.C.A R.L. (hereinafter “ECO”) with registered and operating offices in Via Messina 38, 20154 Milan – Italy, recorded in Milan’s Register of Companies under VAT and Tax Code No. 11344540965 (hereinafter the “Data Controller” or “ECO”), considers  the protection of Personal Data of its and/or potential users of fundamental importance, ensuring that the processing of Personal Data, carried out by any means, both automated and manual, takes place in full compliance with the protections and rights recognized by the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of Personal Data, as well as on the free movement of such data (hereinafter the “Regulation”) and the other applicable regulations regarding the protection of Personal Data.
This information notice (hereinafter the “Privacy Policy”) has the purpose of describing the management methods of the website (hereinafter the “Website”) in reference to the processing of Personal Data of users/visitors who access it pursuant to the Regulation.
Unless otherwise specified and regulated by a specific notice pursuant to Article 13 of the Regulation, this Privacy Policy must also be considered as a document aimed at providing the information referred to in Articles 13 and 14 of the Regulation to those browsing the Website and interact with the Data Controller through the services offered by the Website.
Please note that this Privacy Policy is only applicable to this Website and not to any other websites possibly accessed by the user through links and/or banners on the Website

2. Type of data processed, purposes and legal basis of the processing.

The Website offers informative and, sometimes, interactive content. During site navigation, information regarding the user may be acquired by ECO as follows:

  • Navigation data. During normal operation, the IT systems and software procedures used to run the Website collect some Personal Data, which are implicitly transmitted through the use of internet communication protocols.
    This information may include, for example: IP addresses, browser type, operating system, domain name and website referring or exit pages, information on the pages visited by the user within the Website, access time, navigation length on each page, clickstream analysis and other parameters regarding the operating system and the user IT environment.
    These technical/IT data are collected and used exclusively on an aggregated and anonymous basis and may be used to ascertain liability in the event of hypothetical cybercrimes to the detriment of the Website.
  • Data voluntarily provided by the user/visitor. The Personal Data freely provided by the visitor to the Website in order, for example, to register and/or access a reserved area, use a form to request information about a specific service, write to an email address or call for a direct contact with an ECO officer, register for an event, seminar or course organized by ECO, receive ECO newsletters can be included in this type of data. The legal basis for the processing of such data is laid down in Article 6 (b) and (c) of the Regulation and is based on the pre-contractual or contractual relationship that arises with the interested party at the time of requesting a service.
    Moreover the Personal Data freely provided by the visitor to the Website in order to be involved in specific activities or initiatives, including promotional or with marketing purposes activities, such as the Stakeholders Network, can be included in this type of Data.
    The legal basis for the processing of such data is laid down in Article 6 (a) of the Regulation and is based on the interested party’s consent.

However, in some cases, your Personal Data may be processed through cookies. The processing of such Personal Data will be carried out based on the indications within each cookie policy present on the Website in the specific Cookie Policy section.

3. Data processing methods

The data processing will be performed through automated means using electronic procedures for the time strictly necessary and in compliance with Article 5 of the Regulation.
our Personal Data will be processed by the Data Controller exclusively for achieving the purposes for which the data were collected. In particular, your Personal Data will be processed for a period of time equal to the minimum necessary, as indicated in Recital 39 of the Regulation, i.e. until the termination of the contractual relationship between the data subject and Data Controller, without prejudice to an additional retention period that may be imposed by law as also provided for by Recital 65 of the Regulation.

4. Recipients of Personal Data

The Personal Data collected by the Website may be disclosed to specific subjects considered recipients of such Personal Data. According to Article 4(9) of the Regulation “recipient” means “a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not” (hereinafter “Recipients”).

With this in mind, in order to correctly perform all the processing activities necessary to pursue the purposes set out in this Privacy Policy, the following Recipients may be in a position to process your Personal Data:

  • third parties who perform part of the processing activities and/or related and instrumental activities on behalf of the Data Controller. These parties will be appointed as data processors, defined by Article 4(8) of the Regulation as “any natural or legal person, public authority, agency or other body that processes personal data on behalf of the Data Controller” (hereinafter the “Data Processor”);
  • individuals, employees and/or collaborators of the Data Controller, who have been entrusted with specific and/or more processing activities. These individuals have been given appropriate instructions on the safety and correct use of Personal Data and are defined, in accordance with Article 4(10) of the Regulation, “persons who, under the direct authority of the controller or processor, are authorized to process personal data” (hereinafter “Authorized Persons”);
  • if required by law or to prevent or suppress the commission of a crime, your Personal Data may be disclosed to public bodies or to the judicial authority without being defined as Recipients. In fact, in accordance with Article 4(9) of the Regulation, “public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients”. 

The updated list of Recipients is available on request by writing to:

5. Redirect to external websites

The Website could use social plug-ins. Social plug-ins are special tools that enable the incorporation of social network features directly into the Website (e.g. the “like” function of Facebook).
If social plug-ins are present on the Website, they are marked with the social network’s property logos.
When surfing a Website page, by interacting with the social plug-in (e.g. by clicking on the “like” button) or leaving a comment, the information will be directly transferred from the browser to the social network.
For further information about Personal Data’s purposes, the type and the means of collecting it, the processing, the use and the storage methods of your Personal Data by the social network platform, as well as the modalities through which exercise your rights, please consult the social network’s privacy policy.


6. Rights of the interested party

The data subject has the right to be informed, at any time, regarding which data are available to the Data Controller and how such data are used. Furthermore, he/she has the right to have such data updated, supplemented, corrected or erased, request their portability or restriction of processing in the cases provided for by the law and oppose their processing unless the Data Controller demonstrates compelling legitimate grounds for their processing. For exercising such rights, as well as for more detailed information about the subjects or categories of subjects to whom the data are communicated and/or transferred or who become aware of the data as controllers or processors, each interested party may contact Erion Compliance Organization S.C.A R.L.. The data subject may at any time revoke the consent already given, without prejudice to the lawfulness of the processing based on consent given before the revocation, by writing to: Erion Compliance Organization S.C.A R.L., Via Messina 38, 20154 Milan – Italy, email, phone +39 0250020350. Lastly, we remind you that you have the right to lodge a complaint with the competent Data Protection Authority if you consider that your rights have been infringed or if you had not received acknowledgment to your requests according to law. 

7. Privacy Policy changes

This Privacy Policy is applicable to the Website from its publication and may undergo changes over time – also related to the eventual entry into force of new sector regulations, to the updating or provision of new services or to technological innovations – for which the user/visitor is invited to periodically consult this page. 

Thank you for your attention!
Last update 29/06/2022