Privacy Policy

NOTICE PURSUANT TO ARTICLE 13 EU REGULATION 2016/679 ("GDPR") 

Pursuant to GDPR, we provide you the deserved information concerning processing of collected personal data in connection with your navigation on the website www.octa-group.com (the 'Website').

The Data Controller

The Data Controllers, with regard to the data processed through the Website, are the companies of the OCTA Group (the "OCTA Group"), namely:

• OCTA S.p.A. ("OCTA"), parent company, with registered office in Milan, via Vittor Pisani no. 20, VAT no. 12999580967, in the person of its legal representative pro tempore. OCTA can be contacted at the e-mail address info@octa-group.com.

• Crippa S.r.l. ("CRIPPA"), with registered office in Arosio (CO), Via M. Buonarroti no. 3, VAT no. 02989810136, in the person of its legal representative pro tempore. CRIPPA can be contacted at the following e-mail address: privacy@crippa.it;

• C.M.S. Costruzione Macchine Speciali S.r.l. ("CMS"), with registered office in Alonte (VI), Via dell'Industria n. 37/A, VAT registration number 02040500247. CMS can be contacted at the e-mail address privacy@cms-italy.com;

• SMI S.r.l. - Sistemi Meccanici Industriali ("SMI"), with registered office in Varmo (UD), Via dell'Olmo n. 2, VAT registration number 03054740307, in the person of its legal representative pro tempore. SMI can be contacted by e-mail at privacy.smi@smisrl.it.

OCTA, CRIPPA, CMS and SMI (the "Joint Controllers"), in relation to the personal data collected through the Website, jointly determine the purposes and means of processing, thus assuming the status of joint controllers, pursuant to art. 26 GDPR. The Joint Controllers have determined by internal agreement their respective responsibilities with regard to compliance with the obligations deriving from the legislation in force, the essential contents of which can be consulted at the end of this notice.

The Data Protection Officer

CRIPPA and SMI have appointed their own Data Protection Officer in accordance with Articles 37, 38 and 39 GDPR, who can be contacted respectively at the e-mail addresses dpo@crippa.it and dpo.smi@smisrl.it, or by writing to the DPO at the companies' headquarters.

Type of data processed

Personal data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can directly or indirectly be identified, in particular by reference to an identifier such as a name, an identification number, a location data, an online identifier or to one or more specific factors to the physical, physiological, genetic, mental, economic, cultural or social identity (C26, C27, C30).

Browsing data: computer systems and procedures software preceded to the operation of the Website, acquire, during their normal exercise, some personal data whose transmission is implicit using Internet communication protocols. This category includes: IP addresses, URI/URL (Uniform Resource Identifier/Locator), time of request, type of request, outgoing packet size, server status of response (received, error, etc…) and other parameters related to the operating system.

Data provided by data subject: the optional, explicit and voluntary sending of messages to contact-addresses, as well as compilation and forwarding of forms, involves the acquisition of sender’s personal data necessary to reply, as well as all the personal data included in messages themselves.

Cookies: for cookies and other comparable technologies, see the cookie policy in the footer of the Website.

Special categories of personal data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health data (Art. 9 GDPR), might be provided and processed when applying via the work with us area.

Cookies: for cookies and other comparable technologies, see the cookie policy in the footer of the Website.

Social media: In relation to the processing of personal data carried out by social media operators, where data subjects click on the relevant link, please refer to the information provided by the latter through their respective privacy policies.

Purpose of processing, legal basis and data retention period

Purpose A): Website navigation

LEGAL BASIS: legitimate interest of Joint Controllers, pursuant to Article 6, par. 1 (f) and recital 47 GDPR. The processing is necessary for the purposes of the legitimate interests pursued by the Joint Controllers or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Activities strictly necessary for the operation of the Website and the provision of the platform navigation service. For non-technical cookies and assimilated technologies, the legal basis is consent, ex art. 6 par. 1 (a) GDPR (see cookie policy in the Website footer).

DATA RETENTION: up to the duration of the browsing session (except for any need to ascertain criminal offences by the judicial authorities). For cookies and similar technologies, see the cookie policy in the Website footer.

NATURE OF CONFERRAL: navigation data are necessary in order to allow navigation of the website. For cookies and similar technologies see the cookie policy in the Website footer. 

Purpose B): use of cookies other than technical cookies and similar technologies

LEGAL BASIS: consent of Data Controllers, pursuant to Article 6, par. 1 (a) GDPR and recitals 42 and 43 GDPR.

DATA RETENTION: see the cookie policy in the footer of the Website.

NATURE OF CONFERRAL: see the cookie policy in the footer of the Website.

Purpose C): handling service requests

Joint Controllers process the personal data provided by the data subject, either by e-mail to the addresses indicated on the Website or by filling in the contact forms on the Website, in order to fulfil requests for information or assistance.

LEGAL BASIS: the processing is necessary for the purposes of the legitimate interests pursued by Joint Controllers, pursuant to Article 6, par. 1 (f) and recital 47 GDPR, as well as for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, pursuant to Article 6, par. 1 (b) and recital 44 GDPR.

DATA RETENTION: for the time necessary to fulfil the request and for a maximum of 12 months, without prejudice to any further storage that may be necessary to protect the rights of Joint Controllers.

NATURE OF CONFERRAL: the provision of data is mandatory or optional depending on the purpose for which the data is processed. Whether data marked with an * ar not provided, Joint Controllers won’t be able to supply their service. 

Purpose D): direct marketing

Joint Controllers process personal data, with the consent of the data subject, to send newsletters, promotional and advertising material, commercial offers and invitations regarding OCTA Group or its member companies, through automated means of e-mail, as well as by paper mail and operator phone calls. In order to compare and, if necessary, improve the results of the automated communications, Joint Controllers use systems with reports. Thanks to the reports, it will be possible to know, for example: the number of readers, openings, unique 'clickers' and 'clicks', the devices and operating systems used to read the communication, details of user activity, details of e-mails sent, delivered and not delivered, as well as those forwarded.

LEGAL BASIS: consent of the data subject, pursuant to Article 6, par. 1 (a) and recitals 42 and 43 GDPR.

DATA RETENTION: until consent is revoked (opt-out).

NATURE OF CONFERRAL: the conferment is optional and, where lacking, personal data won’t be processed for such purpose. 

Purpose E): non-automated profiling

Joint Controllers process personal data, with the consent of the data subject, to carry out analyses, evaluations and to subdivide the data subjects into homogeneous groups by characteristics, also on the basis of area and sector, for a better management of services, as well as to send personalised promotional communications.

LEGAL BASIS: the processing is based on the consent of the data subject, pursuant to Article 6, par. 1 (a) and recitals 42 and 43 GDPR.

DATA RETENTION: until consent is revoked (opt-out) and, in any case, up to a maximum of 12 months.

NATURE OF CONFERRAL: the conferment is optional and, where lacking, personal data won’t be processed for carrying out analyses and/or sending targeted communications.

Purpose F): recruitment through the 'Work with us' area.

Joint Controllers process the data of the data subject for i. recruitment purposes, for the management of applications in response to job offers published on the Website as well as for any positions other than those for which the person concerned spontaneously applied; ii. data storage also for future selections; iii. interviews and any video interviews. 

LEGAL BASIS: processing is necessary for the execution of pre-contractual measures also adopted on data subject’s request, pursuant to Article 6, par. 1 (b) and recital 44 GDPR.

DATA RETENTION: maximum 12 months. In principle, data collected during the process will be deleted as soon as it becomes clear that no job offer will be made or that the offer will not be accepted by the candidate.

NATURE OF CONFERRAL: the conferment is optional and, where lacking, personal data won’t be processed for such purpose. 

Purpose G): handling requests to exercise the rights of data subjects, pursuant to Articles 15 et seq. GDPR

LEGAL BASIS: the processing is necessary for compliance with a legal obligation to which Joint Controllers are subject, pursuant to Article 6, par. 1 (c) GDPR. 

DATA RETENTION: 5 years from the closing of the request, except in the case of litigation.

NATURE OF CONFERRAL: the provision of personal data is necessary in order to fulfil legal obligations.

Treatment modes

Your data will not be disseminated and will be subject to traditional manual and electronic processing. The data subject won’t be subject to a decision based solely on automated processing

Data transfer

The personal data collected for the purposes described in this notice will not be communicated and/or transferred to companies and/or entities located in countries outside the UE, with exception for the purpose B) - use of cookies other than technical cookies and similar technologies, for which there may be a transfer to the United States, under the conditions provided by Article 44 GDPR (General principle for transfers) and specifically according to art. 45 (Transfers on the basis of an adequacy decision).

Persons who have access to the data.

Provided data will be processed by: person acting under authority of the Joint Controllers (art. 29 Reg. UE 2016/679); autonomous data controllers; third parties who carry out activities on behalf of Joint Controllers and who are therefore classified as data processors (art. 28 GDPR), who will process the data, for the purposes indicated above, in compliance with the provisions of the GDPR and the directives received. Data will be shared with: group companies; subjects providing services for information system management and communication networks (including e-mail boxes, newsletter and Website); freelancers, offices or companies in the context of assistance and consultancy; competent authorities for compliance with legal obligations and/or provisions of public bodies, upon request.

Rights of the data subject

The data subject may exercise, at any time, the following rights, provided for in Articles 15 et seq. GDPR: right of access (Art. 15), right to rectification (Art. 16), if the data are incorrect or incomplete, right to erasure (Art. 17), right to restriction of processing (Art. 18). The data controller shall inform each of the recipients to whom the personal data have been transmitted of any rectification, erasure or restriction of processing carried out (Art. 19). Jont Controllers shall inform the data subject of these recipients if the data subject so requests.  In the cases provided for, the data subject has the right to data portability (Art. 20), which in this case will be provided in a structured, commonly used and machine-readable format. He/she has the right to object (Art. 21), at any time, to the processing of data based on legitimate interest, and in cases where the legal basis is consent, he/she has the right to revoke the consent given without prejudice to the lawfulness of the processing based on the consent before revocation.

In order to make it easier for data subjects to exercise their rights under the data protection legislation, the Joint Controllers have agreed to designate a point of contact at the parent company OCTA. It will then be OCTA, which can be contacted at any time at info@octa-group.com, that will respond to their requests in the interest of the OCTA Group. In order to enable OCTA to meet the requests of interested parties, the other Joint Controllers have undertaken to forward any requests received to OCTA and to provide OCTA with the necessary cooperation in handling them. 

In compliance with the provisions of the GDPR, data subjects may also exercise their rights directly against each Joint Controller.

To stop receiving automated direct marketing communications (e.g. e-mails), simply write an e-mail at any time to info@octa-group.com with the subject line 'unsubscribe from automated' or use the automatic unsubscribe systems provided for e-mails.

To stop receiving traditional direct marketing communications (telephone calls, paper mail), simply write an e-mail at any time to info@octa-group.com with the subject line 'unsubscribe from traditional'.

To revoke your consent to profiling, please send an email to info@octa-group.com with the subject 'no profiling'.

If the data subject considers the processing conflicting with GDPR, he/she may contact the Joint Controllers at info@octa-group.com. In addition, the data subject has the right to lodge a complaint with a supervisory authority.

Privacy Policy Updates

Joint Controllers retains the right to modify and update this statement at his own discretion, in any moment, including as a result of any subsequent regulatory changes and/or additions. The most recent version of the policy is always available on the Website.

Last review: August 2024

Essential contents of the joint controller agreement

• OCTA S.p.A. ("OCTA"), with registered office in Milan, Via Vittor Pisani 20, VAT no. 12999580967, in the person of its legal representative pro tempore;

• Crippa S.r.l. ("CRIPPA"), with registered office in Arosio (CO), Via M. Buonarroti no. 3, VAT no. 02989810136, in the person of its legal representative pro tempore;

• C.M.S. Costruzione Macchine Speciali S.r.l. ("CMS"), with registered office in Alonte (VI), Via dell'Industria n. 37/A, VAT registration number 02040500247, in the person of its legal representative pro tempore;

• SMI S.r.l. Sistemi Meccanici Industriali ("SMI"), with registered office in Varmo (UD), Via dell'Olmo n. 2, VAT registration number 03054740307, in the person of its legal representative pro tempore.

OCTA, CRIPPA, CMS and SMI, together, are hereinafter referred to as the "Parties" or "Joint Controllers" and each individually as a "Party" or "Joint Controller".

FOREWORD

• The Parties are part of the OCTA Group, an industrial cluster specialising in the production of tube bending machines, tube shaping machines, automatic loading and unloading systems and work islands for metal tube processing.

• There is a close functional and organisational link between the Parties, which have in common and share, in a broad sense, aims and objectives, as well as the tools and resources necessary or useful to pursue them, including in the area of personal data processing.

• The Parties, although they are autonomous legal entities, therefore constitute, with regard to certain processing operations, a single group or system (the 'OCTA Group'), to which the name of the website www.octa-group.com (the 'Website') refers, so that these companies can only be considered and examined jointly with regard to the role assumed in the processing of data through the aforementioned website.

• Specifically, the Parties jointly determine the purposes of processing the personal data of users browsing the Website, thus assuming the status of joint controllers, pursuant to Article 26 EU Regulation 2016/679 (the 'GDPR');

• The Parties have signed a joint controller agreement, defining their respective responsibilities for compliance with their obligations under EU Regulation 2016/679.

ESSENTIAL CONTENTS

1. With regard to the website, there is co-ownership with reference to the following processing operations: Website navigation; use of cookies other than technical cookies and similar technologies; marketing; management of requests for information or assistance; recruitment through the 'Work with us' area; handling requests to exercise the rights of data subjects, pursuant to Articles 15 et seq. of EU Reg. 2016/679.

2. There is also a legitimate interest on the part of the Joint Controllers to pass on the personal data of employees, customers and suppliers within the OCTA Group, also for purposes other than purely internal administrative purposes. 

3. The data processed are those listed in the privacy policy (personal data, navigation data, data communicated voluntarily, any special data for possible applications via the work with us area).

4. The Joint Controllers have agreed to designate a point of contact for the data subjects at the parent company OCTA, for the exercise of the rights under Art. 15 et seq. of the GDPR.

5. In order to enable OCTA to meet the requests of the interested parties, the other Joint Controllers have undertaken to forward any requests received to OCTA and to provide OCTA with the necessary cooperation in handling them.

6. In compliance with the provisions of the GDPR, data subjects may also exercise their rights directly against each Joint Controller.

7. Interested parties may also contact CRIPPA's DPO at dpo@crippa.it and SMI's DPO at dpo.smi@smisrl.it. 

8. The Joint Controllers have agreed that OCTA is responsible for providing the data subjects with information on the processing carried out in co-ownership (Articles 13 and 14 of the Regulation).

9. In compliance with the principles set out in Article 32 GDPR, the Joint Controllers undertake to take the appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in order to protect the personal data collected, processed or used in the context of the co-ownership relationship. 

10. The Joint Controllers have agreed that OCTA is responsible for fulfilling its obligations to notify the Garante per la protezione dei dati personali and to inform the data subjects of any data breaches occurring on the Website, except for breaches inherent to the 'instruments' of processing that are under the sole control of one single Joint Controller.

11. CRIPPA and SMI have designated their own Data Protection Officer (DPO), who can be contacted at the e-mail addresses dpo@crippa.it and dpo.smi@smisrl.it respectively. The other Joint Controllers have undertaken to designate a DPO in the event that joint processing requires such designation under the GDPR.

12. Each Joint Controller has undertaken to carry out any transfers of personal data to non-EU/EEA countries or international organisations only in accordance with the provisions of the Data Protection Legislation, ensuring that the level of protection of natural persons guaranteed by the Regulation is not adversely affected by such transfers, giving prior notice to the other Joint Controllers and ensuring that the information to be provided to data subjects is kept up to date