Preamble
This document governs the processing of personal data of individuals who receive a service from the Data Controller, as defined below, within the scope of a commercial relationship with the same (hereinafter referred to as “Data Subjects”). The personal data relating to the Data Subjects that the Data Controller becomes aware of (hereinafter, “Personal Data”) are processed in accordance with Regulation (EU) 2016/679 on the protection of personal data (hereinafter, “Privacy Regulation” or “GDPR”), national legislative measures adopted in implementation of the Privacy Regulation, decisions and codes of conduct issued by the European Data Protection Board and the Italian Data Protection Authority, and any other applicable or subsequently issued legal provisions (hereinafter collectively, the “Privacy Legislation”).
Definitions
Personal Data: refers to data relating to individuals communicated to the Company. This includes but is not limited to: name, surname, place and date of birth, residence and domicile address, work location, company name, VAT number, tax code, landline or mobile phone number, fax number, email address, certified email address (PEC), employer, job title and/or position, bank details, etc. Personal Data may also relate to individuals connected to the Entity and its affiliates (e.g., clients, suppliers, employees, etc.).
Special Categories of Data: data relating to criminal convictions and offenses, also referred to as “judicial data,” such as records in the criminal registry (e.g., final criminal convictions, conditional release, bans or obligations to stay in a location, alternative detention measures), or the status of being a suspect or accused person.
Data Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Subject: the natural person to whom the personal data being processed refers.
What data is collected and how
Data processed and method of collection
BLUSURVEY SRL processes your personal data voluntarily provided by you (verbally, via business cards, email, document delivery, through the Data Controller’s website, etc.).
The Company will process your personal data in compliance with the GDPR, assuming that such data refer to you, your company, or third parties (including family members) who have expressly authorized you to provide them based on a suitable legal basis that legitimizes their processing. In such cases, you act as an independent Data Controller and assume all resulting legal obligations and responsibilities.
You therefore agree to indemnify and hold harmless BLUSURVEY SRL from any claims, actions, or demands made against it by third parties whose personal data have been processed at your request and/or pursuant to your mandate.
Processing methods
The collection and processing of your personal data by the Data Controller are carried out in accordance with the principles of lawfulness, fairness, and transparency, and in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organizational measures.
Collected data will be processed using electronic, automated, IT, and telematic tools, or paper-based methods, closely related to the purposes for which the data were collected, and always in a secure manner and for the time strictly necessary to achieve those purposes. Data may be retained longer only to comply with legal obligations or as permitted under Italian law to protect the interests of the Data Controller.
Please refer to our dedicated cookies page for more information.
More details on data processing methods and retention times can be obtained by contacting the Company using the details listed in section 4.
Who may receive, process, or use personal data
Data Controller
The Data Controller under the Privacy Legislation is:
BLUSURVEY SRL
Via Lemonia, 58 – 40133 Bologna
a.panti@blu-survey.com
s.carletti@blu-survey.com
+39 051 998 9531
VAT No.: 04088931201
Data Processors and other parties to whom Personal Data may be disclosed
Without prejudice to legal and/or contractual obligations, your collected and processed data may be shared, solely for the purposes specified, with the following categories of recipients:
Employees and collaborators of the Controller, as authorized persons committed to confidentiality or subject to an appropriate legal obligation of confidentiality;
Individuals, companies, professional firms, or other third parties with whom the Controller maintains relationships necessary for its business or legal obligations, and who have been formally appointed for specific purposes and durations as Data Processors;
Judicial or supervisory authorities, administrations, public bodies, and agencies in the exercise of their official duties.
The Controller ensures that the processing of your data by the above recipients complies with applicable laws.
Without requiring express consent, the Controller may communicate your data for the above purposes to supervisory bodies, judicial authorities, insurance companies for insurance services, banks and credit institutions, consultants and professionals, and third parties such as data storage and exchange platforms you have specified. These entities will act as independent data controllers.
Place of processing and possible data transfers
Processing of Personal Data is carried out at the Company’s registered office as stated in section 4, and is handled by the Company’s authorized personnel. Personal Data will not be disseminated.
Legal basis and purpose of processing
Your personal data will be processed for the purposes and corresponding legal bases summarized in the table below:
| Section & Type | Purpose | Legal Basis |
|---|---|---|
| Section I – Data processed without explicit consent | Fulfilling pre-contractual and contractual obligations from a professional engagement; handling any client requests; acquiring preliminary information before contract conclusion; performing contract obligations; providing a service or enabling its provision to BLUSURVEY SRL | Execution of a contract or pre-contractual measures at your request (Article 6(1)(b) GDPR) |
| Administrative and management purposes, fulfilling legal obligations (e.g., accounting, tax, anti-money laundering), EU regulations or authority orders | Compliance with legal obligations (Articles 6(1)(c) and 10 GDPR) | |
| Establishing, exercising, or defending legal claims | Legitimate interest of the Controller (Article 6(1)(f) GDPR) | |
| Section II – Data voluntarily provided | Use of logos and personal data of employees for advertising purposes; Use of anonymous aggregated data for statistical purposes | Consent of the data subject or legitimate interest (Article 6(1)(a) GDPR) |
Providing your personal or your organization’s data for the purposes outlined in Section I is mandatory. Failure to provide, partially provide, or refusal to process such data will result in the Controller being unable to fulfill your requests, contractual obligations, legal duties, or comply with authorities’ requirements.
Providing data for the purposes in Section II is optional. You may choose not to give consent or withdraw it at any time after giving it.
During processing for the purposes in Section I, the Company may become aware of special categories of personal data. Therefore, you are asked to provide explicit written consent to process such data. You have the right to revoke your consent at any time without affecting the legality of prior processing.
Data storage and transfer
Your personal data is stored on servers located at the Controller’s registered office (section 4) within the European Union.
However, if necessary, the Controller may relocate servers outside the EU. In that case, the Controller guarantees that any data transfer will be made in compliance with applicable legal provisions.
Rights of Data Subjects
In accordance with the GDPR, you have the right to:
Access – confirm whether your personal data is being processed and, if so, receive details about the processing (Article 15 GDPR);
Rectification – correct inaccurate or incomplete personal data without undue delay (Article 16 GDPR);
Erasure – delete your personal data without undue delay in the cases specified in the GDPR (Article 17 GDPR);
Restriction – limit the processing of your data under certain conditions (Article 18 GDPR);
Portability – receive your data in a structured, commonly used, machine-readable format and transmit it to another controller (Article 20 GDPR);
Objection – object to the processing of your personal data unless there are legitimate grounds for the Controller to continue (Article 21 GDPR);
Withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal;
Lodge a complaint with the Supervisory Authority – file a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali), located at Piazza di Monte Citorio n.121, 00186, Rome (RM), Italy.
Copyright © 2025 | BLUSURVEY S.R.L. | P.Iva/Vat: 04088931201 | Credits | Privacy Policy | Cookie Policy