Privacy Policy

INFORMATION ON THE PROCESSING OF PERSONAL DATA

Introduction

General data applicable to all information on the processing of personal data.

In this section you can find general information that applies to all the following disclosures.

CONTROLLER	CONTACT DETAILS	REFERENCE WEBSITES
Athics Srl	privacy@athics.ai	https://athics.ai https://crafter.ai https://portrait-profiling.ai

Data recipients (by categories)

• Authorised processors duly instructed and bound to confidentiality.
• Processors: service providers to whom the data may be transmitted and who process the data on behalf of the Controller on the basis of a legally binding agreement guaranteeing the protection of personal data. 
• Autonomous data controllers with sufficient guarantees to process data subjects’ data and with a valid legal basis for doing so (e.g. authorities and control and supervisory bodies, public or private entities entitled to request data, such as partners or suppliers).

Legitimate interests pursued by the Controller

The data controller may use its legitimate interest as the legal basis for a specific purpose by balancing its rights with those of the data subject, taking into account his or her ‘reasonable expectations’ in view also of the existing relationship with the data controller. When processing is based on the legitimate interest of the data controller, the data subject’s consent need not be required in order to pursue that specific purpose. The processing must not adversely affect the rights and freedoms of the data subject.

Transfers to third countries pursuant to Articles 46, 47, 49 GDPR

Transfers to third countries will take place in accordance with current legislation:

• in countries recognised as safe by the EU Commission
• in countries with which Europe has international data protection agreements
• with entities with which the Data Controller has entered into legally binding agreements providing adequate guarantees for the protection of the Data Subjects as required by law.

There are exceptions provided for:

• consent of the data subject
• by necessity and not repetitively for types and amounts of data that allow it. 

Further details on the location, appropriate safeguards and copy of the data can be requested from the Data Controller and/or will be provided in appropriate privacy policies.

Rights of Data Subjects

• Obtaining confirmation of whether or not processing is taking place and, if so, obtaining access to the data concerning the data subject
• Knowing the origin of the data processed by the Controller
• Verify the accuracy of the data concerning the person concerned
• Opposing, for legitimate reasons, the processing 
• Request the integration, deletion, updating, rectification, blocking of personal data processed in violation of the law, portability

Requests may be addressed to the Data Controller via the contact details in the header
or to the Data Protection Officer (DPO) at the following contact details: dpo@athics.ai

Data Subjects also have the right to

• Being informed of violations that may present a high risk for those concerned
• Complain to the competent supervisory authority in the Member State where they habitually reside or work or in the State where the alleged infringement occurred.

Consent

Where required, the free, optional and revocable consent of the data subject is collected for the processing of data for specific types of data or purposes.

Categories of personal data concerned

For some of the Data Controller’s activities, the personal information collected relates to common data (this could include identification and contact data etc.) and sometimes to data belonging to special categories within the meaning of Article 9 of the GDPR (only where there is an appropriate legal basis, e.g. when the data subject has given consent or the Data Controller needs to exercise employment and social security law rights). 

Additional Purposes

If the controller intends to further process personal data for a purpose other than that for which they were collected, the Controller shall, prior to such further processing, provide the data subject with information about that other purpose and any further information relevant to the new purpose.

Such communications may take place by updating the Privacy Policy and/or by Data Subject’s contacts. 

Version and date

V. June_2025

Below are the specific Privacy Policies:

Privacy Policy for Forms on the Controller’s Websites and/or for commercial communications and Newsletters
This Privacy Policy integrates the general data and is provided to the Data Subjects for the processing indicated below.  

Purposes and Legal Bases for Processing and Criteria for Determining the Period of Data Retention

CONTACT FORMS, COMMERCIAL COMMUNICATIONS VIA EMAIL AND NEWSLETTERS
The personal data subject to processing is provided by those who navigate on the site and interact with it. The data may concern identification and contact data (name, surname, e-mail address, etc.), special data (ex art. 9 GDPR) that may be spontaneously provided by filling in the contact form. 

The data subject’s personal data are processed for:

• Responding to requests or queries submitted by the User whose legal basis is the legitimate interest of the Controller to be identified in the reasonable expectation that the User expects his/her personal data to be used to respond to his/her contact request.
  
• Send communications of a commercial nature, by means of the contact details provided through the form and/or at conventions, events, trade fairs, where the Data Subject has provided their details (e.g. by means of a business card). These communications are aimed at promoting Products/Services provided by the Controller. The legitimate interest of the Data Controller in promoting its business with these types of Data Subjects is the legal basis of the processing, given the reasonable expectations of the same. In any case, the Data Subject, at the time of collection and when sending each communication for these purposes is informed of the possibility of opposing the processing (opt-out).

Processing will take place until the legitimate interest of the Data Controller ceases to exist or the Data Subject exercises his/her right to object.

• Sending e-mail newsletters containing updates, news, insights, events or initiatives promoted by the Controller. Processing is based on the explicit consent of the Data Subject freely given through the specific check-box on the registration form. The Data Subject may revoke consent at any time by clicking on the appropriate unsubscribe link present in every communication received.

The data retention period is:

• will last for the period necessary to respond to each individual request for information;
• 24 months from the provision of data or from the last contact/interaction with the Data Subject;
• Until consent is revoked for data relating to the sending of Newsletters.
  
  After the aforementioned retention periods have expired, the data will be destroyed, deleted or anonymised.

Version and date

V. June_2025

Cookies

This Privacy Policy integrates the general data and is provided to data subjects for the processing operations indicated at the following link Click here to view cookies

Candidate Privacy Policy

This Privacy Policy integrates the general data and is provided both to the Data Subjects who propose their candidature for a job position to the Controller and for the specific personnel searches that may be promoted by the Controller also with the support of specialised subjects.

Purposes and Legal Bases for Processing and Criteria for Determining the Period of Data Retention

The personal data of the person concerned are processed for the following purposes:

1. Examination of the candidate’s profile and assessment and organisation of meetings and interviews
2. Preparation of recruitment documentation in case of positive evaluation
3. If necessary, to ascertain, exercise or defend the Controller’s rights in or out of court

The applicable legal bases for processing identified by the GDPR are:

1. Performance of pre-contractual activities
2. Legal Obligations  
3. Legitimate interest of the Controller for a better organisation of the activity (e.g. communication via the telephone number provided also via SMS)

The data retention period is:

• 24 months from the provision of data with regard to the candidates’ Curriculum Vitae. 
• 10 years for data strictly necessary to ascertain, exercise or defend the Controller’s rights in or out of court.
  

After the above-mentioned retention periods have expired, the data will be destroyed, deleted or anonymised.

Source of personal data originated

Personal data are generally collected from the data subject but, in some cases, come from publicly accessible sources such as university databases or from agencies that process data in order to enable data subjects to receive job offers.

Version and date

V. June_2025

Privacy Policy on contractual relations

This Privacy Policy integrates the general data and is given to the Data Subjects for the processing indicated.

Purposes and Legal Bases for Processing and Criteria for Determining the Period of Data Retention

The purposes of the processing are related to the presentation of the Controller’s Services, business proposals (made or received), negotiation and conclusion of agreements.

The legal bases applicables are:

• need for the exercise of pre-contractual and contractual measures
• consent (where necessary will be requested)
• legitimate interest of the data controller in a smoother organisation of its work.

The criterion identified for the storage of such data is linked both to compliance with current tax and administrative regulations as well as to keeping a profitable network of business contacts up to date and constant.

Source of personal data originated

Data not collected from the data subject come from publicly accessible sources such as company websites and are used in accordance with the principle of purpose.

Social-media research may be conducted on some professional figures to better identify their professional role.

Certain Data Subjects/Referents may be introduced to the Controller through partners or collaborators.

Contractual referral

The Parties undertake that the personal data provided to each other shall be processed in accordance with the European Data Protection Regulation 2016/679 (“GDPR”), Legislative Decree No. 196/2003 (“Privacy Code”) and subsequent amendments and additions, as well as within the limits set out below.

Among the possible actions to be taken, should the type of relationship between the Parties concretise the case envisaged by Article 28 GDPR, is the signing of a Data Controller – Data Processor Agreement. The Parties undertake as of now to fulfil this possible obligation in an annex “DPA ex art. 28 GDPR – Controller -Processor Agreement”.

The Parties mutually acknowledge, in their capacity as Data Controllers, that such personal data shall be processed for the purpose of entering into and executing the contractual relationship, i.e. for purposes strictly connected with and instrumental to the performance of any pre-contractual activities, the management of the contractual relationship (e.g. administrative and accounting activities), the fulfilment of contractual obligations as well as to comply with legal obligations, and shall be retained for the needs inherent to the performance of the Contract and in any case for the time necessary to fulfil the legal or regulatory obligations of the Data Controller. 

The data shall be processed only by the Parties, by persons specifically authorised by them or by other third parties which the Parties themselves make use of, specifically appointed as Data Processors, as well as by autonomous Data Controllers with an adequate legal basis (e.g. by the Authorities in case of request). Personal data not will be subject to dissemination in the sense of publication unless the processing is required by the consent of the Data Subject, by the nature of the Contract or by the legal obligations to which the Data Controller is subject.

This is without prejudice to the right of the Parties to possibly transfer the data outside the territory of the European Union, to those states that ensure the same level of security and guarantee in data processing as well as full compliance with the provisions of the GDPR. 

Version and date

V_June_2025

CHATBOT Privacy Policy (AI Assistant)

This Privacy Policy integrates the general data and is provided to the Data Subjects who navigate on the Controller’s websites. Its purpose is to illustrate the types and methods of use of the chatbot (AI Assistant) on Athics’ websites, to provide information on the type of data collected, the purposes pursued and the relative legal basis.

What are chatbots in question? 

The term chatbot refers to the virtual assistant on Athics’ websites, placed at the user’s disposal to request information on Athics’ Activities/Services and to improve the user experience on the Controller’s websites.

Purposes and Legal Bases for Processing and Criteria for Determining the Period of Data Retention

1. “Customer care pre-sale” – user enquiries about services offered by the Controller (AI solutions, details of services, locations or any other information about the organisation);
2. “Customer post-sale” – responding to requests or questions submitted by the user/customer regarding the products/services purchased;
3. ‘Product recommendations‘ – assisting the user to identify the product most in line with their needs;
4. Collection of data from users (leads) who interact with the chatbot to send commercial communications.

The legal bases applicables are:

1. Legitimate interest of the Data Controller or execution of pre-contractual measures taken at the request of the Data Subject;
2. Legitimate interest of the data controller or performance of a contract to which the data subject is party;
3. Legitimate interest or execution of pre-contractual measures taken at its request;
4. Legitimate Interest.

The maximum data retention period for:

• information relating to the purposes of ‘Customer care pre-sale‘, ‘Product recommendations‘ is 24 months after the provision of data;
• information relating to ‘Customer post-sale‘ purposes for the duration of the existing contract with the Data Subject;
• information for sending communications of a commercial nature: 24 months from the provision of the data or from the last contact/interaction with the Data Subject;

After the above-mentioned retention periods have elapsed, the data will be destroyed, deleted or anonymised.

Version and date

V_June_2025