Privacy

PRIVACY STATEMENT PURSUANT TO ARTICLES 13 AND 14 OF REGULATION (EU) 2016/679

1. Subject of processing

Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 containing EU provisions on the protection of natural persons with regard to the processing of personal data and the free movement of such data (General Data Protection Regulation, hereinafter referred to as the “Regulation” or “GDPR”) and in accordance with Italian Legislative Decree no. 196 of 30 June 2003, as amended (hereinafter referred to as the “Privacy Code”) we inform you that the personal data of natural persons involved and/or interested on various grounds in the National Operational Programme on Enterprises and Competitiveness 2014/2020 (hereinafter referred to as “NOP E&C”) and the National Operational Programme SME Initiative 2014/2020 (hereinafter referred to as “NOP SME Initiative”) and all the activities connected with them, including interaction with the websites www.ponic.gov.it and www.iniziativapmi.gov.it, are processed in accordance with the confidentiality obligations envisaged in the aforementioned legislative provisions.

Personal data are processed respecting the human dignity, fundamental rights and freedoms of individuals.

2. Subjects dealing with processing

The data controller is the Italian Ministry of Economic Development (hereinafter referred to as “Ministry”) with registered office in Rome, Via V. Veneto 33, 00187 (urp@MiSE.gov.it) that performs the tasks assigned to it, inter alia, through the General Management of the Directorate-General for Incentives to Enterprises (hereinafter referred to as “DGIAI”) pursuant to article 5 of the Directive of the Minister of Economic Development of 28 January 2019.

The Data Protection Officer may be contacted at the following email address: protezionedati@mise.gov.it and at the certified e-mail address: protezionedati@pec.mise.gov.it.

Personal data are also processed by the Italian National Agency for Inward Investment and Economic Development – Invitalia, an in-house organisation within the Ministry that, acting as Data Processor in accordance with art. 28 of the Regulation, having been duly appointed under prot. no. 2114 of 27 July 2021, provides the Ministry with technical support and guidance as referred to in Axis V of the EC NOP.

Personal data supplied by data subjects may also be processed by staff authorised specifically or as each case arises who are instructed on the basis of express instructions regarding the processing purposes and procedures, by companies, bodies or subjects appointed as Data Processors pursuant to article 28 GDPR, which, on behalf of the Data Controller, provide specific processing services or activities connected with, instrumental to or backing up such services, adopting all appropriate technical and organisational measures to safeguard the rights, freedoms and legitimate interests of data subjects recognised by law, as well as subjects instructed to provide IT solutions to manage website development and maintenance activities.

The updated list of the Data Processors and subjects authorised to process data is kept at the registered office of the Data Controller and may be obtained from the Data protection officer at the addresses indicated above.

Personal data may be shared, for official purposes, with subjects to whom such data must be disclosed, by operation of legislation and regulations or by public subjects in the performance of the official tasks assigned to them (for example, the European Commission, auditing authorities and certification authorities of the NOP E&C and the NOP SME Initiative, supervisory authorities carrying out inspections or conducting auditing or control activities, public security authorities, judicial authorities and bodies set up by the judicial police specialising in investigations into financial operations).

3. Legal basis of processing

The lawfulness of the processing of personal data is based (i) pursuant to article 6, paragraph 1, letter a) GDPR, on the data subject’s express consent; (ii) pursuant to article 6, paragraph 1, letter b) GDPR, on the performance of a contract to which the data subject is a party or the implementation of pre-contractual measures taken at the data subject’s request; (iii) pursuant to article 6, paragraph 1, letter c) GDPR, on compliance with a legal obligation to which the Ministry is subject; (iv) pursuant to article 6, paragraph 1, letter e) GDPR and article 2 ter of the Privacy Code, on the performance of tasks carried out in the public interest or in any event connected with the exercise of public powers.

Special categories of personal data may be processed pursuant to article 9, paragraph 2, letter g) of the Regulation and article 2-sexies, paragraph 2, letter m) of the Privacy Code, that is, on important grounds of public interest[1] on the basis of European Union legislation or internal rules (legislative provisions or, when envisaged by the law, regulations).

4. Purposes of processing

Personal data transmitted to the Ministry via messages and/or the completion and submission of forms, are processed in order to satisfy requests made by data subjects, to prepare an administrative procedure and in the performance of legal, accounting and tax obligations.

The provision of personal data for the aforementioned purposes is optional, explicit and voluntary, but if such data are not supplied, the Data Controller will be unable to achieve its official objectives, nor perform the tasks assigned to it, thereby prejudicing the supply of services connected with them.

Personal data, provided by the data subject of his or her own free will, are also processed by the Data Controller for the following purposes:

a) to obtain information for statistical purposes or to carry out anonymous research into the use of the website and thereby assess user satisfaction and approval, to identify preferred pages so that the most appropriate content can be provided and ensure that the site is functioning correctly and check that the services offered are operating correctly. The data may be used to identify those responsible in the event of IT crime against the site;

b) to handle requests for assistance/information from users, with the data subject’s express consent, and manage dealings with data subjects. The user must not send names or other personal data relating to third parties which are not strictly necessary;

c) to handle requests from users to take part in promotional and informative events, exhibitions, etc., with the data subject’s express consent;

d) to promote, with the data subject’s express consent, the project financed by European structural and investment funds through communication activities connected with NOP E&C and NOP SME Initiative;

e) to send the official newsletter, with the data subject’s express consent, containing information and updates on European structural and investment funds, new opportunities for funding under the NOP E&C and NOP SME Initiative schemes and initiatives and events organised by the Ministry and also to increase the accessibility of the activities carried out and results obtained in funded projects.

Express consent given by the data subject, for each of the purposes described under letters b) to e) above, may be withdrawn at any time, without prejudice to the lawfulness of the processing based on the consent given prior to the withdrawal.

5. Type of data processed

Personal data

Any information relating to an identified or identifiable natural person. A natural person is identifiable if he or she can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, image, voice, location data, a digital identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Navigation data

During their normal operation, the IT systems and software procedures which operate this Website acquire certain personal data, the transfer of which is implicit in the use of Internet communication protocols. This category of data includes IP addresses or domain names of the devices used by users who connect to the site, as well as Uniform Resource Identifiers/Locators (URI/URL) of the requested resources, the time of the request, the method utilised in presenting a request to the server, the size of the file obtained in response, the numerical code specifying the state of the response provided by the server (positive outcome, error, etc.) and other parameters concerning the operating system and the user’s IT environment.

6. Data processing procedures

Personal data are processed in accordance with the principles of lawfulness, fairness and transparency and are obtained and stored with the use of manual, IT and electronic tools, including automated systems, designed to guarantee that data remain secure and confidential in the manner envisaged by current legislation and regulations.

7. Data Storage Period

Personal data will be stored for the time necessary to fulfil obligations connected with the handling of a request from the data subject and to deal with any subsequent operations in accordance with provisions regulating the storage of administrative documents (see Ministry IT Protocol Management Manual and Data storage plan).

If litigation is brought before the courts during the ordinary storage period, processing may be prolonged beyond the deadline indicated, throughout the proceedings and until the term for an appeal to be lodged has elapsed.

The above is subject to any further document storage obligations envisaged by the law.

Once the aforementioned storage period has elapsed, the data will be destroyed, erased from the systems or rendered anonymous in keeping with the technical erasure and backup procedures followed.

8. Place of processing

Data are processed and filed at the Italian Ministry of Economic Development - Directorate-General for Incentives to Enterprises - Viale America 201, 00142 Rome, at the head office of Invitalia, of any Data Processors based within the European Union or of external companies, including those operating through Cloud services certified by AgID, which provide the Ministry with services connected with the technical management of the IT platforms dedicated to the supply of services to back up the various stages in the handling of incentives.

If, for technical and/or operating reasons during the processing of data, the services of subjects based outside the European Union or the European Economic Area are required or it is necessary that certain data collected be transferred to Cloud technical systems and services located outside the European Union or the European Economic Area, the data will be processed in accordance with the provisions of the GDPR. All the necessary precautions will be taken and the conditions referred to in Chapter V of the GDPR will be met to ensure that the personal data are protected, basing the transfer: a) on adequacy decisions regarding third country recipients expressed by the European Commission; b) on appropriate safeguards expressed by the third party recipient pursuant to art. 46 of the GDPR; c) on the safeguards referred to in art. 49 of the GDPR. In any event, the data subject will be given a reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

9. Rights of data subjects

Data subjects may exercise the rights envisaged in Chapter III “Rights of data subject” in the Regulation to the extent and subject to the conditions provided therein, by email to the address comunicazionepon@mise.gov.it:

access to data (art. 15): the data subject has the right, at all times, to obtain from the data controller confirmation as to whether or not his or her data are being processed, and, where that is the case, access to the relevant information, also remotely, to be informed of which data and for what purposes they have been utilised, to whom they have been disclosed, the period of time for which they will be stored or the length of time envisaged. The right of access allows the data subject to monitor the consent he or she has given by obtaining the information requested, seeing that the data in question concern and shall continue to concern him/her. The data subject also has the right to receive a copy of the personal data being processed;
right to rectification (art. 16): the data subject is entitled to obtain the rectification of inaccurate personal data concerning him/her without undue delay and/or the completion of incomplete personal data, also by providing a supplementary statement;
right to erasure or “right to be forgotten” (art. 17): the data subject has the right to obtain from the data controller the erasure of personal data concerning him or her without undue delay and the data controller has the obligation to erase personal data without undue delay;
restriction of processing (art. 18): the data subject has the right to obtain restriction of processing from the data controller. This right may be exercised when the underlying conditions for the lawfulness of the processing have been breached, as an alternative to the erasure of the data, until such time that the data controller receives a request to rectify the data or an objection to processing;
data portability (art. 20): the data subject has the right to receive the personal data concerning him or her, which he or she has provided to a data controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another data controller without hindrance from the controller to whom the data were supplied;
right to object (art. 21): the data subject has the right to object to the processing of personal data, at any time, on grounds relating to his or her particular situation. The Data Controller, in any event, weighs up the compelling interests and legitimate grounds for proceeding with processing (including, for example, establishment, exercise or defence of legal claims, etc.);
right to lodge a complaint with the Italian Data Protection Authority: without prejudice to any other administrative or judicial remedy, the data subject shall have the right to lodge a complaint with the Italian Data Protection Authority if the data subject considers that the processing of personal data by the Data Controller infringes data protection legislation.

10. Revising this privacy policy statement

This privacy policy statement may be revised in order to comply with current national and European data protection legislation and/or adapt to new systems or internal procedures adopted or, in any event, for any other reason that it deems appropriate and/or necessary.

This privacy statement may therefore be modified at any time in the future, without prior notice. The data subject is therefore invited to consult this page on the website on a regular basis.

Date of last revision: 6 April 2022

[1] Art. 2-sexies, paragraph 2, letter m) of Italian Legislative Decree no. 196 of 30 June 2003, as amended and supplemented, recognises as “important” the public interest related to the processing operations carried out by subjects who perform tasks in the public interest or connected with the exercise of public powers in the granting, payment, modification and withdrawal of economic benefits, allowances, gifts, other types of payment and certification.

COOKIE POLICY STATEMENT

1. Cookie Policy

Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council dated 27 April 2016 containing EU provisions on the protection of natural persons with regard to the processing of personal data and the free movement of such data (General Data Protection Regulation – GDPR) hereinafter referred to as the “Regulation”, and in accordance with Italian Legislative Decree no. 196 of 30 June 2003, as amended by Italian Legislative Decree no. 101 of 10 August 2018, and the Decision of the Italian Data Protection Authority (Garante per la protezione dei dati personali) no. 229 of 8 May 2014 “Simplified arrangements to provide information and obtain consent regarding the use of cookies”, published in the Official Gazette no. 126 of 3 June 2014, this page contains the privacy statement for the giving of consent to the use of cookies on the website of the National Operational Programme on Enterprises and Competitiveness 2014/2020 and the National Operational Programme SME Initiative 2014/2020 (hereinafter referred to as “NOP E&C” and “NOP SME Initiative”) accessible online at the following addresses: www.ponic.gov.it and www.iniziativapmi.gov.it.

2. About cookies

Cookies are short text strings which the sites visited by the user sends to his or her terminal (usually to the browser), where they are stored and then re-transmitted to the same sites when the user visits them again in the future.

While navigating on the Website, the user may also receive cookies on his or her terminal sent from different sites or web servers (known as “third parties”), which may house certain elements (such as, for example, images, maps, sounds, specific links to pages in other domains) found on the Website being visited.
Depending on their intended purposes, cookies used are subdivided into:

Technical cookies, used solely for the purpose of transmitting an electronic communication, to ensure that the website is viewed correctly and to optimise the user’s navigation experience. In addition, they are used to distinguish the various users connected so that the right user can be provided with the service requested (Login), and for site security purposes. Some of these cookies are deleted when the browser is closed (session cookies), others have a longer duration (for example, cookies required to store the user’s consent to the use of cookies, which have a 1-year duration). They are not used for any further purposes and are normally installed directly by the data controller or operator of the website. Consent is not required for this type of cookie.
Analytics cookies, used directly by the site’s manager to collect information, in aggregate form, on the number of users and how they access and use the website. They are assimilated to technical cookies if the service is anonymised and, therefore, are subject to the same rules regarding privacy statements and consent as those applying to technical cookies.
Profiling cookies, used to track users when they browse the Internet and to create profiles of their habits and preferences. Cookies are subdivided, on the basis of their duration, into persistent cookies, saved on the user’s device until they expire, unless removed by him/her, and session cookies, which are not stored permanently on the user’s device and disappear when the browser is shut down. These cookies require the data subject’s consent.
Function cookies, which allow users to navigate on the basis of a series of selected criteria (for example, language, products selected for purchase) in order to improve the service provided.
Third-party cookies, installed when using the website, but using IT systems over which we have no direct control and for purposes and adopting data processing procedures which are also beyond our direct control.
- Google Inc.: For information regarding the use of data and processing by Google, we suggest that you take a look at the Google privacy statement and Procedures adopted by Google to utilise data when partners’ websites or apps are used.
- Google Analytics: used to analyse the use of the website by users, to put together reports on site activities and user behaviour, check how often users visit the site, how the site is tracked and which pages are visited most frequently. The information is combined with that collected from other sites in order to obtain a comparative picture of the use of the site, alongside other sites in the same category. Data collected: browser identifier, date and time of interaction with the site, page of origin, IP address. Data processing location: European Union, as the anonymisation of the service has been enabled.

The data collected cannot be used to identify users personally, and are not cross-referenced with other information relating to that person. They are processed in aggregate form and anonymised (truncated to the last octet). On the basis of a specific agreement (DPA), Google Inc. (data processor) is prohibited from crossing such data with those obtained from other services.

3. Categories of cookies used on the website

The NOP E&C/NOP SME Initiative site uses the following types of cookies:

Technical Cookies
Analytics Cookies
Profiling Cookies
Functional cookies
Third-party cookies

When browsing this website, third-party cookies may be installed on the user’s terminal. In fact, certain features (such as content vocalisation and video display) are achieved by using the services of third parties that produce technical cookies.

The third parties involved are listed below, with details then given in table form:

The user may refuse to use cookies and may, at any time, withdraw consent already given. As cookies are connected to the browser used, they can be disabled directly by the browser, refusing/withdrawing consent to use cookies, or by means of the banner at the foot of the page.

Disabling cookies may prevent certain features of the site from being used correctly, in particular services provided by third parties may no longer be accessible, and it may therefore not be possible to view YouTube videos or other video sharing services; social network social buttons and Google maps.

Instructions on how to disable cookies can be found on the following web pages:

doubleclick.net - https://tools.google.com/dlpage/gaoptout
google-analytics.com - https://tools.google.com/dlpage/gaoptout
linkedin.com - https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out
twitter.com - https://help.twitter.com/it/safety-and-security/privacy-controls-for-tailored-ads
youtube.com - https://tools.google.com/dlpage/gaoptout

ORGANISATION	COOKIE	DETAILS	TYPE	PROCESSING OF PERSONAL DATA	LEGAL BASIS
doubleclick.net	IDE	Used by Google DoubleClick to record and produce reports on user behaviour on the website after displaying or clicking one of the advertiser’s ads and thereby assess the efficiency of an ad and present ads targeted at the user.	Third-party profiling cookies	Policy: https://policies.google.com/technologies/types?hl=it	Performance of a legal obligation Legitimate interest Execution of a contract
	r/collect	This cookie is used to send data on the visitor’s device and behaviour to Google Analytics. It tracks the visitor on various devices and marketing channels.	Used to verify whether the user’s browser supports cookies.	Policy: https://policies.google.com/technologies/partner-sites?hl=it	Performance of a legal obligation Legitimate interest Execution of a contract
	test_cookie	Used to verify whether the user’s browser supports cookie	Third-party profiling cookies	Opt-out: https://tools.google.com/dlpage/gaoptout
analytics.google.com	NID	Records an unequivocal ID that identifies the device of a user returning to the site. The ID is used for targeted ads.	Third-party profiling cookies	Policy: https://policies.google.com/technologies/types?hl=it	Performance of a legal obligation Legitimate interest Execution of a contract
	_ga	Records an unequivocal ID used to generate statistical data on how the visitor uses the website.	First-party technical cookies	Policy: https://policies.google.com/technologies/partner-sites?hl=it
	_gat	Used by Google Analytics to restrict the frequency of requests	First-party technical cookies	Opt-out: https://tools.google.com/dlpage/gaoptout
	_gid	Records an unequivocal ID used to generate statistical data on how the visitor uses the website.	First-party technical cookies
	collect	Used to send data regarding the user’s device and behaviour to Google Analytics. It tracks the user on marketing devices and channels.	Third-party profiling cookies
linkedin.com	lidc	Used by the LinkedIn social network service to track the use of integrated services.	Third-party profiling cookies	Policy: https://www.linkedin.com/legal/cookie-policy	Performance of a legal obligation Legitimate interest Execution of a contract
linkedin.com	lidc		Third-party profiling cookies	Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out
ponic.gov.it	ASP.NET_SessionId	Preserves the user’s statuses on the different website pages.	First-party technical cookies	Cookie: http://www.ponic.gov.it/sites/PON/Privacy	Performance of a legal obligation Legitimate interest Execution of a contract
	CookieConsent	Memorises the status of the user’s consent to cookies for the current domain	First-party technical cookies
	JSESSIONID	Preserves the user’s statuses on the different website pages.	First-party technical cookies
twitter.com	local_storage_support_test	The cookie is used in context with the local storage function in the browser. This function allows the website to load faster by pre-loading certain procedures.	Third-party profiling cookies	Policy: https://twitter.com/it/privacy	Performance of a legal obligation Legitimate interest Execution of a contract
twitter.com	__widgetsettings	Used by the Twitter social network service to track the use of integrated services.	Third-party profiling cookies	Opt-out: https://help.twitter.com/it/safety-and-security/privacy-controls-for-tailored-ads
youtube.com	yt-player-headers-readable	Used to determine optimal video quality on the basis of the visitor’s device and network settings.	Third-party profiling cookies	Policy: https://policies.google.com/technologies/partner-sites?hl=it	Performance of a legal obligation Legitimate interest Execution of a contract
	GPS	Records an unequivocal ID on mobile devices to allow tracking on the basis of the GPS geographic position.	Third-party profiling cookies	Opt-out: https://tools.google.com/dlpage/gaoptout
	PREF	Records an unequivocal ID used by Google for statistics linked to how the visitor uses YouTube videos on different websites.	Third-party profiling cookies
	VISITOR_INFO1_LIVE	Attempts to estimate the user’s connection speed on pages with integrated YouTube videos.	Third-party profiling cookies
	YSC	Records an unequivocal ID for statistics linked to which YouTube videos have been viewed by the user.	Third-party profiling cookies
	yt-remote-cast-installed	Stores the user’s video reader preferences using the incorporated YouTube video	Third-party profiling cookies
	yt-remote-connected-devices	Stores the user’s video reader preferences using the incorporated YouTube video	Third-party profiling cookies
	yt-remote-device-id	Stores the user’s video reader preferences using the incorporated YouTube video	Third-party profiling cookies
	yt-remote-fast-check-period	Stores the user’s video reader preferences using the incorporated YouTube video	Third-party profiling cookies
	yt-remote-session-app	Stores the user’s video reader preferences using the incorporated YouTube video	Third-party profiling cookies
	yt-remote-session-name	Stores the user’s video reader preferences using the incorporated YouTube video	Third-party profiling cookies