pursuant to art. 13 of EU Regulation 2016/679 (GDPR)


Who decides the purposes and means of the processing?

Mosaico+ S.r.l. con socio unico è il titolare del trattamento, is the data controller, which means that it is the subject who determines the purposes and means of the processing (processing means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, storage, organisation, consultation, use, erasure of data) of personal data (personal data means any information relating to an identified or identifiable natural person. By way of example, a name, an identification number, location data, one or more factors specific to the physical, economic, cultural or social identity of that natural person).
Below you can find the contact details of  Mosaico+ S.r.l. con socio unico:
Address: Viale Jenner 4 – 20159 Milan, Italy
Telephone and Fax: +39 0536 995811 e +39 0536 995899

In the present information notice, Mosaico+ S.r.l. con socio unico (M+) is also referred to as the “Company” or “Controller“.


What kind of data do we collect?

We collect various personal data, to fulfill the processing purposes listed in the following paragraph. We process only common personal data, including:

  • identification and contact,i.e., user’s first and last name and e-mail (username)
  • data spontaneously provided by the user while using the services;
  • navigation data within the website, using tracking tools such as technical cookies, analytics, profiling cookies; for further information on cookies, please refer to the cookie policy.

*Personal data can be classified into two types: common data and special categories of personal data (also known as “sensitive data”). Special categories of data include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data intended to uniquely identify a natural person, data concerning a person’s health, sex life or sexual orientation. Common data are, by exclusion, all other data, e.g. name and surname, contact details, postal address, bank details, etc.


For what purpose do we process users’ data?

The processing of user’s data is carried out for different purposes (personal data may only be collected for specified, explicit and legitimate purposes, and subsequently processed in a manner compatible with those purposes):

  1. marketing: sending of advertising and promotional material, both through automated and traditional means, related to services and products offered by the Company, invitation to events, market research, statistical analysis. Depending on the user’s preferences, this activity may also include sending a periodical Newsletter;
  2. profiled marketing / profiling: analysis of the user’s preferences, habits, behaviour, interests deduced from the data provided by the user and his/her interaction with the site, in combination with the data collected via cookies, to send personalised commercial communications and/or to carry out targeted promotional actions;
  3. fulfilment of legal obligations provided for by applicable national and supranational regulations;
  4. ascertainment, exercise or defence of the Controller’s rights in court and/or out-of-court procedures.


What condition makes the processing lawful?

The processing must be founded on an adequate legal basis*to be lawful:

1. and 2.consent of the data subject, pursuant to art. 6, par. 1, lett. a) GDPR;
3.compliance to a legal obligation to which the Controller is subject, pursuant to art. 6, par. 1, lett. c) GDPR;
4.legitimate interest of the Controller or of a third party, pursuant to art. 6, par. 1, lett. f) GDPR.

* Processing may only be carried out if certain conditions, alternative to each other and known as legal bases, are in place. In the processing of common data, the controller may rely on the following legal bases:

  • consent of the data subject;
  • performance of a contract to which the data subject is party or of pre-contractual measures taken at the request of the data subject;
  • fulfillment of a legal obligation;
  • safeguard of the the vital interests of the data subject or of another natural person;
  • necessity for the performance of a task carried out in the public interest;
  • legitimate interest of the data controller.


How long do we retain personal data?

1. until revocation of the data subject’s consent (marketing registry) and for a maximum period of 24 months (information related to campaigns sent to the user);
2. until revocation od the data subject’s consent (profiling registry) and for a maximum period of 12 months (information connected to the user’s behaviour, preferences and interests);
3. for the time required by the applicable legislation;
4. for the entire duration of judicial or extrajudicial litigation (until the time limit for appeals is exhausted).


Is the provision of personal data necessary?

For some of the processing purposes listed above, it is necessary for the user to provide their data, without which we will not be able to provide our services; for others, the provision of data is optional. In particular, the provision of data marked with an asterisk (*) in the form is mandatory for the purposes of creating the account itself. Consent to marketing and profiling is optional and revocable at any time (consent to the processing of personal data, in order to be compliant, must be free, specific, informed, unequivocal and expressed through a positive action by the data subject. The interested party has the right to revoke his/her/their consent at any time), in the appropriate section of your profile, or by contacting the Controller at the following e-mail address


To whom could we communicate personal data?

The user’s data may be communicated to subjects acting as controllers such as, by way of example, authorities and supervisory and control bodies, persons, companies, associations or professional firms providing assistance and consulting services, and in general by public and private subjects entitled to request the data. The user’s data may be processed, on behalf of the Data Controller, by subjects appointed as Processors (The Data Processor is the subject who processes data on behalf of the Controller. For example, when M+ enters into a contract with a supplier, if the latter is required to process personal data belonging to M+ in order to perform its services, it must also sign the Data Processing Agreement, undertaking to process personal data in compliance with the instructions received), who are given appropriate operating instructions.

These subjects are essentially included, by way of example, in the following categories:
a) companies that provide e-mail and hard-copy sending services;
b) companies that provide website and information system maintenance services;
c) companies that provide management and maintenance services for the Controller’s database;
d) companies that provide marketing automation platform management services.
For a complete list of the Processors, please send a request to


Who is authorised to process the data?

Personal data may be processed by the employees of the Company functions deputed to the pursuit of the aforementioned purposes, who have been expressly authorised to process the data and who have received adequate operating instructions pursuant to art. 29 of the GDPR and 2 quaterdecies of Legislative Decree 196/2003, as amended and adapted by Legislative Decree 101/2018.


Could data be transferred to countries outside the EU?

There will be no transfer of data outside the European Economic Area (EEA)* as regards the processing related to the creation and use of the services available.
The transfer of personal data to countries outside the European Economic Area may result in a reduction of the level of data protection, due to the less strict legal provisions in force in those countries. For this reason, the transfer can only take place under certain conditions, outlined in the GDPR.


What are the data subject’s rights?

By contacting the Company by e-mail at users may request access to the data concerning them, their rectificationintegration or deletion, the restriction of processing in the cases provided for by Article 18 GDPR as well as opposition to processing in cases of legitimate interest of the data controller.
Data subjects also have the right, in the event that the processing is based on consent or contract and is carried out by automated means, to receive the data in a structured, commonly used and machine-readable format, as well as, if technically feasible, to transmit them to another data controller without hindrance.
Data subjects have the right to withdraw their consent at any time, as well as to object – for reasons related to their particular situation – to processing carried out in pursuit of the legitimate interests of the data controller. Data subjects may withdraw and manage their consents via the channels indicated, or by contacting the Controller by e-mail at

Such withdrawal shall not affect the lawfulness of the processing based on the consent given before the withdrawal.
Finally, data subjects have the right to lodge a complaint with the competent supervisory authority.