Privacy policy

Information notice

Data controller

This policy applies to data’s processing activities performed on the website https://www.leonardo.com (“Website”). The controller of personal data (“Data”) is Leonardo S.p.A., VAT number 00881841001, with registered office in Rome, Piazza Monte Grappa, 4 - 00195, in the person of its legal representative pro tempore (“Data Controller” or “Company”). The Data Controller provides the following data protection notice pursuant to Articles 13 and 14 of the EU Regulation 679/2016 as amended and integrated from time to time (the “GDPR”) and to the international laws - European and Italian – complementing it as amended and integrated from time to time (collectively, together with the GDPR, the “Applicable Privacy Law”).


Purpose and legal basis of the Data processing

As better explained in the sections that allow users to join - by providing their personal data - to the services reserved for the Website’s users, the Data of the users concerned are processed on the basis of the requests expressly made by them, from time to time, through the Website. Specifically, all Data’s collection and subsequent processing activities are aimed at pursuing the following purposes:

  • sharing contents available on the Website;
  • customer relationship management. In particular, on the Website there are different forms of contact via email, through which the user can indicate his or her email in order to request information about products, or official communications from the Company. In both cases, the Website does not store the user’s Data as they are immediately transmitted to the relevant company departments;
  • generic request of information;
  • redirecting users to third party pages where they can access reserved areas of their interest. The Website does not allow access to any reserved area; should this occur, requests to the user to enter his/her Data for registration and subsequent processing will be managed by the third party supplier of the reserved access page, behind a specific information on the processing of personal data and subject to the specific consent of the data subject;
  •  provide commercial information on the services carried out by the Data Controller and/or its  related companies;
  • comply with  the obligations provided for by laws or applicable laws or regulations, as well as by decisions and guidelines issued by the competent supervisory and control authorities/bodies.

The Data Controller will not use the collected Data for purposes other than those related to the specific service mentioned above, to which the user has provided their consent, or only within the limits indicated in any further specific information form, accompanying the different and particular service requested by the user. 


Who processes your Data

For purposes related to the provision of the service to which the user has adhered, the Data might be accessible by third parties, such as affiliated companies, as well as consultants that assist the Data Controller in meeting users’ requests (e.g. law and tax firms), which will act, according to the specific case, as independent Data Controllers or as Processors, pursuant to Article 28 of the GDPR. Additionally, the Data will be transmitted to third parties to whom the communication of the data is necessary to comply with the applicable laws or regulations.

The updated list of Processors is available upon request at the following email addresses of the Data Controller: dpo.leonardo@leonardo.com, or dpo.leonardo@pec.leonardo.com.

Within the organisation of the Data Controller, the Data will be made available to people expressly authorised by the Data Controller itself are allowed to process personal data. Authorised people are identified among the personnel operating in one of the following areas: administration, communication, accounting and i technological maintenance of the information systems. These persons, appointed by the Data Controller as authorised to the processing, carry out processing activities necessary for the pursuing of the aforementioned purposes.

Unless otherwise stated in a specific information form, the Data will not be disseminated nor transferred to third countries outside the European Economic Area (EEA).


How we process Data
The Data:

  • will be processed in the manners and according to the procedures that are strictly necessary to meet user requests and through the operations or set of operations set out in Article 4, paragraph 1, number 2 of the GDPR;
  • will be also processed by using electronic or automated tools, as well as by using  paper/manual tools. In this regard, please note that Data will be stored in paper and electronic archives located at the Controller’s premises and in other servers within the European Economic Area.

The Data will be processed with rationales related to the specific purposes for which they have been collected, and in accordance with the Applicable Privacy Law, and for the purposes above mentioned of  specified from time to time in any further information notice provided to the user.
The Data will be processed for the time strictly necessary to pursue for which they have been  collected.


Categories of Data and optionality of consent
The Data that will be processed are those strictly necessary to meet users requests, as well as Data that are optionally provided by the user which are not strictly necessary to process the request. 
Should user refuse to provide his/her Data or consent to the processing of his/her Data, if required:

  • in case of Data strictly necessary to meet user’s request, such refusal will make it impossible  for the Data Controller to meet the  requests;
  • in case of Data optionally provided, such refusal will make it impossible  to provide at least part of the requested services or provide user with the commercial information regarding the services offered by the Data Controller and its affiliated companies. 


Browsing data
During their normal operation, the IT systems and software procedures used to operate the Website collect some personal data whose transmission is implicit in the use of Internet communication protocols. Such information is not collected to be associated with identified data subjects, but by its very nature could, through processing and association with data held by third parties, allow the users to be identified.

This category of Data includes the IP addresses or the domain names of the computers used by users who connect to the Website, the URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the means used in submitting the request to the server, the size of the file obtained in response, the numeric code indicating the status of the response from the server (successful, error, etc.) and other parameters related to the operating system and the user’s computer environment.

This Data is used for the sole purpose of retrieving anonymous statistics on the use of the Website, and to check its correct functioning. Such data is immediately deleted after elaboration. Additionally, Data could be used to ascertain responsibility in case of hypothetical computer crimes against the Website; except for this eventuality, at present, the Data on Website do not persist for more than seven days.

Data voluntarily provided from the user 
The Data generally requested to use the Website’s is biographical information and contact details. The optional, explicit and voluntary sending of emails to the addresses indicated on the Website by the user entails the subsequent acquisition of the sender's address, necessary to answer the user’s requests, as well as any further personal data included in the message. Specific summary information will be progressively reported or displayed on the pages of the Website prepared for particular services upon request or for registration in reserved areas of the Website. Normally, data belonging to particular categories pursuant to Article 9 of the GDPR will not be processed. However, a specific information notice will be provided and specific consent will be requested to the user, if data belonging to particular categories will be processed.


Cookies and other technologies information-reading/storing on the user's terminal
In this Website, the Data Controller can  use cookies (small text files transferred from the Website to the device used by the user for navigation) and other technologies of information-reading/storing  on the user's device such as fingerprinting, email-tracking or Clear GIF/Beacons. Their purpose is to analyse  user's access to  a specific Web page, in order to customise and streamline the user navigation experience and to enrich user profiling for advertising and/or commercial purposes.

The cookies may be "temporary" (also said session cookies, since they are deleted when the connection ends) or "permanent" (they remain stores on the user's hard disk, unless the user deletes them).

For further information on how to set cookie-usage preferences through your browser, please check out to the following instructions:

For further information relating to the kinds of cookies used by the Website, the functionalities that allow their enabling or disabling, please check out  the "Cookies Policy", which can be found here.

To exercise the  users’ rights regarding the use of cookies and other profiling tools, please contact the following e-mail address of the Data Controller DPO.leonardo@leonardo.com, as described  below.


Rights of the data subject

  • With respect to the Data held by the Data Controller, users of the Website can exercise all rights set forth by the Applicable Privacy Law, in particular :Request the Data Controller to confirm the existence of a processing of his/her personal data, the origin of such data, the logic and purposes of the processing, the categories of subjects to whom the data may be communicated, as well as the identification details of the Data Controller and its Data Processor;
  • request access to personal data, anonymisation, objection, rectification, updating, integration, erasure or limitation of the processing;
  • object to the processing of personal data within the limits set forth by the Applicable Privacy Law;
  • exercise the right to portability;
  • withdraw his/her consent (where this is the necessary legal basis for the data processing) at any time without prejudice to the lawfulness of the data processing based on the consent before its withdrawal;
  •  lodge a complaint with the Italian Data Protection Authority, following the procedures and the instructions published on its official website at garanteprivacy.it; 
  • To exercise the rights set forth by the Applicable Privacy Law, please fill out the appropriate form, available at the following link, and send it to the following addresses:dpo.leonardo@leonardo.com, or dpo.leonardo@pec.leonardo.com.

For any communications, requests or reports regarding on data privacy, please refer to one of the mentioned email addresses.

Any corrections, erasures or limitations of Data processing carried out upon the user’s request - unless this proves impossible or involves a disproportionate effort - will be transmitted by the Data Controller to each of the recipients to whom the personal data have been disclosed. The Data Controller may communicate these recipients to the user if the latter so requests.

In order to become aware of any changes or amendments to  the privacy policies applied by the Data Controller, mainly resulting from regulatory developments, please consult this document on a regular basis.

Data Protection Notice

Leonardo S.p.A., with registered office in Rome (00195), Piazza Monte Grappa, 4, email leonardo@pec.leonardo.com, represented by its pro tempore representative, as a data controller of your personal data (the “Data Controller”) provides you with the following data protection notice according to Articles 13 and 14 of the Regulation (EU) 2016/679 (the “GDPR”) and the data protection laws applicable from time to time regarding the protection of personal data (collectively the “Privacy Law”).

The Data Controller appointed a Data Protection Officer (DPO), as set forth by the GDPR, which supervises, monitors, and provides for specialized consultancy in the field of data protection. The DPO may be contacted for any assistance to the following email address: DPO.leonardo@leonardo.com.
 

  1. Categories of Data Subjects involved and Personal Data Processed

This data protection notice is intended for persons who, for different reasons, have had, have or intend to have professional, commercial or business relations with one or more of the Italian and/or, foreign legal entities belonging to the Leonardo Group (hereinafter only the "Group"), including, by way of example but not limited to individuals operating on their own or as contact persons of legal entities qualified as customers, suppliers (, partners or other counterparties of the Group or individuals who have come into contact with the Group (other than those registered in the Leonardo Single Supplier Register) and any other subject who may be relevant, for any reason whatsoever, with respect to the ethical and reputational checks, because, for example, they attended an event or other initiative organized by the Group, etc. (collectively, the "Data Subjects").

General personal data such as name and surname, tax code, VAT number, residence, domicile, place of work, e-mail address or certified email address, telephone number, company, role and/or company classification, etc., could be processed (the "Data").

In the event that the Data Subjects are potential contractual counterparties, including legal representatives or top managers of potential contractual counterparties, of the Group, the Data (possibly obtained also through due diligence activities entrusted to specialized third-party companies - collectively, the "Suppliers" - equipped with the necessary authorizations and legal licenses) could also include the information strictly necessary in order to carry out the appropriate assessments of professionalism, reputation and reliability.
 

  1. Purposes and Legal Basis of the Processing Activities

The Data may be processed:

  1. to manage the contractual relationship in place with the Data Subjects and/or with the organizations on behalf of which the Data Subjects act, and to send communications relating to this relationship. The legal basis for carrying out these processing activities is the performance, by the Data Controller, of specific contractual or pre-contractual obligations undertaken towards the Data Subjects and/or towards the legal entity in the interest of which the Data Subjects carry out the related work activity (Article 6 letter b of the GDPR), as well as in compliance with laws and regulations (national or EU), as well as orders or requests of judicial authorities, supervisory bodies and professional associations (Article 6, letter c, of the GDPR);
  2. to fulfill Group's procedures and any applicable legal standard or requirement (including legal, regulatory and safety standards) according to Article 6, letter c, of the GDPR;
  3. to fulfill the legal obligations regarding anti-corruption and anti-money laundering, as well as to carry out the checks and controls required by the Organizational, Management and Control Model of the Data Controller, the related Code of Ethics and Anti-Corruption Code of the Leonardo Group, adopted pursuant to Article 6 of Legislative Decree 231/2001, according to Article 10 of the GDPR;
  4. to protect the Group's reputation, market position and corporate assets, allowing it to interface only with Data Subjects with a proven reputation, reliability and professionalism, according to Article 6, letter f, of the GDPR;
  5. where the Data Subjects attended an event, conference, seminar, etc. organized by the Group, to send the Data Subjects invitations to similar events. The legal basis for carrying out this processing activity is the legitimate interest of the Data Controller and the Group to establish and maintain profitable and optimal professional relations with the Data Subjects (Article 6 letter f, of the GDPR).

The provision of Data is necessary for carrying out of the relationship between the Data Subjects and the Data Controller or one or more of the Group companies. Without the Data, it will not be possible for the Group to manage this relationship.
 

  1. Categories of recipients of the Data

The Data can be communicated to public bodies or private companies, which are authorized to receive them by any applicable law, as well as public and/or private entities which provide assistance and/or consulting services to the Data Controller and/ or to other Group companies.

The Data will be processed by authorized personnel of the Data Controller, according to the principle of necessity and according to the specific instructions of the Data Controller, and in order to guarantee their confidentiality. The Data will not be subject to dissemination. If, for the purposes described, the Data must be transferred to countries outside the European Economic Area or to international organizations, the Data Controller undertakes to comply with the provisions of the Privacy Law and to ensure that the recipient complies with the same standards set out in the Privacy Law.
 

  1. Methods of processing and data retention period

The processing of Data will be performed according to Privacy Law, and it shall be carried out with automated and/or manual systems, suitable to ensure the security of the processing. The processing of Data will be carried out according to the principles of proportionality and necessity, so that no unnecessary personal data will be collected and/or processed. The processing of Data will be fair and transparent, as well as in compliance with the adequacy of the security measures.

The Data will be retained for the time strictly necessary to pursue the purposes for which they were collected, unless the fulfilment of specific legal obligations and/or the protection of a right of the Data Controller does not require longer retention periods.
 

  1. Data Subjects’ rights

With respect to Data held by the Data Controller, the Data Subjects can exercise all the rights set forth by the Privacy Law. In particular, the Data Subjects can:

  1. request the Data Controller to confirm the existence of their Data, the origin of such data, the reason and purpose of their processing, the categories of subjects to whom the data may be transmitted, as well as the identification details of the Data Controller and of its data processors; 
  2. request access to Data, transformation into anonymous form, blocking, rectification, updating, integration, erasure of such data or limitation of their processing; 
  3. object to the processing according to the Privacy Law;
  4. exercise the right to portability, within the limits set forth in Article 20 of the GDPR;
  5. withdraw their consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  6. lodge a complaint with the Italian Data Protection Authority, following the procedures and the instructions published on its official website (www.garanteprivacy.it).

The Data Controller points out that, pursuant to Article 23 of the GDPR, the exercise of these rights could be limited if such limitation is strictly necessary to safeguard, inter alia, national and/or public security, the prevention, investigation, detection and prosecution of crimes or the execution of criminal sanctions, etc.

Any amendment or erasure or limitation on processing carried out upon Data Subjects’ request, or due to the withdrawal of their consent - unless this appears to be impossible or involves a disproportionate effort - will be communicated by the Data Controller to each of the recipients to whom the relevant Personal Data have been transmitted. The Data Controller may inform the Data Subjects of these recipients upon request.

For the purpose of exercising the rights listed in paragraph above, as well as for any clarification, the Data Subjects can directly contact the Data Controller by sending an email to the following email address: dpo.leonardo@leonardo.com.