Skip to content

Privacy Policy

Privacy notice pursuant to Art. 13 of the Regulation (EU) 2016/79

WHY THIS INFORMATION?

Pursuant to Regulation (EU) 2016/679 (hereinafter “GDPR”), this page describes how personal data is processed. This information is provided pursuant to Article 13 GDPR. The information is not to be considered valid for other third-party websites that may be consulted through links on this website, for which no responsibility is accepted.

Processable personal data

  • Personal data: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, particularly by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more specific elements of their physical, physiological, genetic, mental, economic, cultural, or social identity (C26, C27, C30 GDPR); 
  • Data of contractors/users
  • Browsing data: the computer systems and software procedures used to operate this site acquire, during their normal functioning, certain personal data whose transmission is implicit in the use of Internet communication protocols. This category of data includes IP addresses or domain names of the computers and terminals used by users, the addresses in URI/URL (Uniform Resource Identifier/Locator) notation of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.), and other parameters related to the user’s operating system and computing environment; 
  • Voluntarily provided data: the optional, explicit, and voluntary sending of messages to the contact addresses indicated on this site and/or the completion of data collection forms results in the subsequent acquisition of the sender’s address, which is necessary to respond to requests, as well as any other personal data provided. 

Information on the processing of personal data carried out through Social Media platforms 

With regard to the processing of personal data carried out by the managers of the Social Media platforms used by the Controller, please refer to the information provided by them through their respective privacy policies. The Controller processes personal data provided by users through the pages of the dedicated Social Media platforms, in order to manage interactions with users (comments, public posts, etc.) and in compliance with the current law. 

Specific Privacy Notices 

Specific privacy notices may be present on the website pages regarding particular services or data processing provided. 

COOKIES AND OTHER TRACKING SYSTEMS. WHAT ARE THEY? WHAT ARE THEY USED FOR? 

For cookies and other tracking systems, please refer to the cookie policy available in the footer of the website and at the following link. 

1.WHO IS THE DATA CONTROLLER? HOW CAN YOU CONTACT THEM?

The data Controller is EFIM–ENTE FIERE ITALIANE MACCHINE SPA, based in in viale Fulvio Testi 128, 20092 – Cinisello Balsamo (MI), represented by its current legal representative, who can be contacted for any information via e-mail: privacy@ucimu.it, phone: 02/262551.

HAS THE DATA PROTECTION OFFICER BEEN DESIGNATED? WHICH ARE THEIR CONTACTS?

The Controller has appointed its Data Protection Officer (DPO) pursuant to Articles 37, 38, 39 GDPR. The DPO is available at the HQ of the Controller – mentioned above – and via e-mail: rdpefim@ucimu.it

2. PURPOSES OF THE PROCESSING | LEGAL BASIS OF THE PROCESSING | DATA RETENTION | NATURE OF UNDERWRITING OF PERSONAL DATA

PURPOSES OF THE PROCESSINGLEGAL BASISDATA RETENTION  NATURE OF UNDERWRITING OF PERSONAL DATA
Website browsingThe data necessary for the use of web services are also processed for the purpose of:  – obtaining statistical information on the use of the services (most visited pages, number of visitors by time slot or daily, geographical areas of origin, etc.); – checking the proper functioning of the offered services.  The data will be used to ascertain responsibilities in the event of hypothetical cybercrimes against the site. The processing is necessary for the pursuit of the legitimate interest of the data controller or of third parties, provided that the interests or the rights and fundamental freedoms of the data subject, which require the protection of personal data, do not prevail, taking into account the reasonable expectations of the data subject and the activities strictly necessary for the operation of the site and navigation itself. 
(Art. 6, para. 1 point f and Rec. 47 of the GDPR) 
Data subjects are guaranteed the possibility to obtain, upon request, information on the balancing test carried out. 		The retention of browsing data will last for the duration of the browsing session. In any case, this data does not persist for more than seven days (unless necessary for the investigation of crimes by the judicial authority).








The provision of data is necessary for browsing the website. 















Use of cookies and comparable technologies.Please see the cookie policy in the website footer.For non-technical necessary cookies and comparable technologies, the processing is based on consent to the processing of personal data (Art. 6, para. 1 point a) and Rec. 42, Rec. 43 of the GDPR). Consent is provided through the banner and the site’s cookie policy. See the cookie policy in the website footer.See the cookie policy in the website footer.

Aside from browsing, personal data will be processed for: 

PURPOSES OF THE PROCESSINGLEGAL BASIS OF THE PROCESSINGDATA RETENTION NATURE OF UNDERWRITING OF PERSONAL DATA
A) CONTACTS/REQUEST INFORMATION, sending contact requests, information. 
Processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures taken at their request (Rec. 44). 
Art. 6, para. 1 point b) of the GDPR.		Maximum 12 months.The provision is necessary. 
Failure to provide the required data will result in the inability to be contacted and to receive information. 
B) SENDING informative and institutional e-mails concerning  exhibitions/events organised by Data Controller or similar eventsThe processing is necessary due to Data controller’s legitimate interest, provided that interests or fundamental rights and freedoms of data subjects are not prevailing (C47-C50) Art. 6 PAR. 1 lett. f) GDPRUntil opposition(opt-out)The provision is necessary. 
Failure to provide the required data will result in the inability to send informative and institutional e-mail  concerning  exhibitions/events organised by Data Controller or similar events
C) DIRECT MARKETING, for sending advertising or direct sales material or for carrying out market research, commercial and promotional communications, newsletters, by automated means (electronic mail, SMS) and traditional means (telephone and paper mail).Communications may contain promotional activities and/or logos of third-party partners and group companies. For a complete list of group companies and partners, interested parties can write to privacy@ucimu.itProcessing is based on consent to the processing of personal data (Rec. 42, Rec. 43).Art. 6 para. 1 point a) GDPR.Until consent is withdrawn (so-called opt-out).The provision is optional.
Failure to provide the necessary data will result in the ability to receive direct marketing communications.
D) COMMUNICATION / DATA SHARING to third parties (other UCIMU Group companies, for their direct marketing purposes).For a complete list of the group companies and of the partners, data subjects can write to privacy@ucimu.it Processing is based on consent to the processing of personal data (Rec. 42, Rec. 43).Art. 6 para. 1 point a) GDPR.Until consent is withdrawn.Please also refer to the notice for the personal data processing of third parties independent data Controller. The provision is optional.
Failure to provide the necessary data will result in the ability to communicate/transfer the data to third parties for their purposes.
E) MANAGEMENT OF YOUR REQUESTS and requests of other data subjects pursuant to art. 15 et seq. of the GDPR.Processing is necessary to fulfill a legal obligation to which the data controller is subject (Rec. 45). Art. 6 para. 1 point c) of the GDPR. 5 years from the closure of the request, unless there are disputes. The provision of personal data is mandatory, as it is essential for fulfilling legal obligations. 
F) DISPUTES PREVENTION AND MANAGEMENT of other legal aspects relating to the defence in case of labour disputes judgmentData controller’s legitimate interest, provided that interests or fundamental rights and freedoms of data subjects are not prevailing (C47-C50) Art. 6 PAR. 1 lett. f) GDPR10 years, except from objection and for the necessary time in case of judgmentThe provision of data is necessary. In case of lack, the data the Data Controller would not achieve his legitimate interest as stated for in this purpose. The refusal shall be balanced with the aforesaid data controller’s legitimate interest
Services related to the following purposes will be activated when the exhibitions, promoted by the Data Controller, are approaching
G) Registration to events organized by the Data Controller Processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures taken at their request (Rec. 44).Art. 6, para. 1 point b) of the GDPR.For the time strictly necessary for the holding of the event organized during the period of the fair.The provision is necessary.
Failure to provide the necessary data will result in the inability to register for the event organized by the Controller.
H) Handling of information, contact, service booking requests submitted via the “Esponi” areaProcessing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures taken at their request (Rec. 44). Art. 6, para. 1 point b) of the GDPR.10 years for administrative purposes.The provision is necessary.
Failure to provide the necessary data will result in the inability to handling the requests.
I) Management of registration of Schools to events organized by the Controller Processing is necessary for the performance of a contract to which the data subject is a party. Art. 6, para. 1 point b) of the GDPR.Until the day following the visit. The provision is necessary.
Failure to provide the necessary data will result in the inability to handle the registration to the events organized by the Controller.

3. TO WHOM WILL PERSONAL DATA BE COMMUNICATED? RECIPIENTS OF THE DATA

Personal data will be communicated to entities that process the data as independent data controllers or as data processors (Article 28 GDPR) and will be handled by individuals (Article 29 GDPR) acting under the authority of the data Controller and the processors based on specific instructions provided regarding the purposes and methods of processing. The data will be communicated to recipients belonging to the following categories: 

  • UCIMU’s Group companies;
  • Subjects who provide services for the management of the information system used by the data Controller and telecommunications networks; 
  • Subjects and organizations who collaborate with the Controller for the organization, planning, development, and execution of the activities related to the events organized by Data Controller;
  • Companies who provide the system for the sending of promotional communications/newsletter, etc;
  • Freelancers who collaborate with the Controller;
  • Subjects dedicated to the maintenance activities and / or updating of this website;
  • Competent authorities for fulfilment of legal obligations and / or provisions of public bodies, upon request.

The list of the processors is available contacting the Controller using the contact details provided above.

The list of the processors art. 28 is available writing to privacy@ucimu.it or to the other contact details provided above.

4. WILL DATA BE TRANSFERRED TO NON-EEA COUNTRIES?

Personal data will not transferred outside of the EEA. In the case of transferring outside of the EEA. 

 5. IS THERE AN AUTOMATED PROCESS?

Personal data will be processed manually, electronically, and automatically. It is clarified that no fully automated decision-making processes are carried out. 

6. WHAT ARE YOUR RIGHTS? HOW CAN YOU EXERCISE THEM?

The data subjects may exercise their rights as expressed in articles 15 and following of the GDPR, contacting the DPO at the e-mail address: rdpefim@ucimu.it  or addressing the Data Controller at the e-mail address: privacy@ucimu.it or writing to the contact mentioned above.

The Controller guarantees to data subjects the possibility to request, at any time, the access to their personal data (art. 15), the rectification (art. 16), the erasure (art. 17), the restriction of processing (art. 18). The Controller communicates (art. 19), to each of the recipients to whom the personal data were transmitted, any rectification or erasure or restriction of processing. The Controller shall disclose such recipients to data subjects who request it.

The Controller guarantees the right to portability (art. 20) and, in case of requests pursuant to art. 20, will provide to the data subjects the data in a structured, commonly used and automatic machine-readable format.

It is recognised to the data subjects the right to object (art. 21), at any moment, to the data processing based on the legitimate interest, writing to the above-mentioned contacts with the object “objection”. In case of exercise of the right to object to the processing based on the legitimate interest, the Controller recognizes to the data subjects the possibility to obtain, upon request, information regarding the performed balancing test.

It is recognized the right to withdraw the given consent, without prejudice to the lawfulness of the processing based on the consent given before withdrawal. 

In order not to receive automatic direct marketing communications (electronic mail, SMS type messages, instant messages) the data subjects are invited to write an e-mail to the address privacy@ucimu.it with the object “erasure from automated” or to use our automatic erasure systems provided for e-mails only (opt-out).

In order not to receive traditional direct marketing communications (phone calls with operators and postal mails) the data subjects are invited to write an e-mail to the address privacy@ucimu.it with the object “erasure from traditional”. 

In order not to receive any marketing communication the data subjects are invited to write an e-mail to the address privacy@ucimu.it  with the object “marketing erasure”. 

In the case where the data subjects consider that the processing of personal data executed by the Controller occurs in violation of what is provided by the Regulation (EU) 2016/679, they are free to present a claim to the National Supervisory Authority, particularly in the member State where they reside or work, or in the place where the presumed violation of the Regulation occurred (Italian Supervisory Authority https://www.garanteprivacy.it/), or to take legal action before the competent judicial authorities.

7. CHANGES TO THE NOTICE

The Controller may change, modify, add, or remove any part of this privacy notice. To facilitate the review of any changes, the notice will include the date of the last update.

Last update September 2025