Notice pursuant to Article 13, Regulation (EU) 2016/679 (GDPR)
Agorà Security S.r.l. (hereinafter “Agorà Security” or “Controller”), with registered office in Viale Sant' Agostino, 136, 36100 Vicenza (VI), Italy, Tax Code and VAT No.: 04450760246, a company that provides consultancy services and solutions in IT security, cybersecurity, and data protection, provides you with this notice pursuant to Article 13 of Regulation (EU) 2016/679 (in short, “GDPR”).
(a) Identity and contact details of the Data Controller
Agorà Security S.r.l.
Viale Sant' Agostino, 136, 36100 Vicenza (VI), Italy
Tax Code and VAT No.: 04450760246
Email: privacy@agorasecurity.it
(b) Contact details of the Data Protection Officer (DPO)
The Data Controller has not appointed a Data Protection Officer (DPO) as it does not fall within the categories of subjects obliged to do so under Art. 37 of the GDPR. For any matter concerning the processing of your personal data, you can contact the Controller at the contact details indicated in point (a).
(c) Purposes of the processing for which the personal data are intended and their legal basis
Your personal data will be processed for the following purposes:
- Responding to commercial information requests: to manage and respond to requests for information, quotes, or any other communication sent through the website contact forms, via email, or telephone.
  - Legal basis: performance of pre-contractual measures (Art. 6, para. 1, lett. b, GDPR).
- Provision of requested services: for the fulfillment of contractual obligations arising from the provision of consultancy services in IT security and data protection offered by Agorà Security.
  - Legal basis: performance of a contract to which you are a party (Art. 6, para. 1, lett. b, GDPR).
- Administrative and accounting management: to comply with tax, accounting, and administrative obligations related to the services provided.
  - Legal basis: compliance with a legal obligation to which the Data Controller is subject (Art. 6, para. 1, lett. c, GDPR).
- Recruitment and personnel selection: for managing applications (unsolicited or in response to specific announcements) received through the "Work with us" section of the site or other channels, including the evaluation of curricula vitae (CVs), the organization of interviews, the verification of the information provided (within the limits permitted by law and subject, if necessary, to your consent for specific checks such as references), the creation of a candidate profile, and the management of the entire selection process for current and future open positions at Agorà Security.
  - Legal basis: consent of the data subject (Art. 6, para. 1, lett. a, GDPR).
- Sending of informational and promotional communications (Direct Marketing): to send you newsletters, updates on Agorà Security services, invitations to events, webinars, or other commercial and promotional communications via email.
  - Legal basis: explicit consent (Art. 6, para. 1, lett. a, GDPR).
- Marketing profiling and statistical analysis of visitors: through cookies, some information about visitors is collected for various purposes, better specified in the specific notice (https://www.agorasecurity.it/it/cookie-policy).
  - Legal basis: explicit consent (Art. 6, para. 1, lett. a, GDPR).
(d) Categories of personal data processed
Within the scope of the purposes of processing highlighted in the preceding paragraph (c), the following will be processed:
- Common data:
  - Identification and contact data: name, surname, email address, telephone number, company name (if applicable), company role.
  - Curricular data (CV/Resume data) (for personnel selection purposes): information relating to your education, academic and professional training, previous work experience, language and professional skills, qualifications, and any other information voluntarily included by you in your curriculum vitae (e.g., photograph, if provided).
  - Navigation data: IP addresses, domain names of computers used by users connecting to the site, URI (Uniform Resource Identifier) addresses of requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user's operating system and IT environment. This data is used for the sole purpose of obtaining anonymous statistical information on the use of the site and to check its correct functioning and is deleted after processing. For more details, please refer to the Cookie Policy.
  - Data voluntarily provided by you: any other personal data voluntarily provided by you in messages sent to the Controller's contact details, or by filling in the free-text fields of the contact forms on the site, or attached to your CV (e.g., cover letter).
- Special categories of personal data (formerly sensitive data): only if communicated by the user for recruitment and personnel selection purposes.
(e) Categories of recipients of personal data
The personal data provided by you may be made accessible or communicated to:
- Employees and collaborators of the Controller: duly authorized for processing and instructed on personal data protection.
- Third-party companies or other subjects (Data Processors): who carry out outsourced activities on behalf of the Controller, in their capacity as data processors pursuant to Article 28 GDPR, such as, for example:
  - Providers of technical services for the management and maintenance of the website and information systems (e.g., hosting providers, email service providers).
  - Companies offering services for sending newsletters and marketing communications (subject to your consent).
  - Consultants and freelancers (e.g., accountants, lawyers) for administrative, tax management, or legal protection.
  - Platforms for statistical analysis of website usage (e.g., Google Analytics, subject to anonymization or pseudonymization of data, if configured).
- Judicial or supervisory authorities, administrations, public bodies and organizations (national and foreign): should this be required by law or by an order thereof.
The updated list of Data Processors may always be requested from the Data Controller. Your personal data will not be subject to indiscriminate disclosure.
(f) Transfer of personal data abroad
The management and storage of personal data take place on servers located within the European Union owned and/or available to the Controller and/or appointed third-party companies, duly designated as data processors.
Should it become necessary, for technical or operational needs, to transfer personal data to countries outside the European Union or the European Economic Area, such transfer will take place exclusively in compliance with applicable legal provisions, by entering into, if necessary, agreements that ensure an adequate level of protection (e.g., Standard Contractual Clauses approved by the European Commission) and/or on the basis of other safeguards provided by the GDPR (e.g., adequacy decisions of the European Commission).
(g) Personal data retention period
Personal data collected for the purposes indicated in the preceding section (c) will be processed and stored for a period not exceeding the achievement of the purposes for which they are processed and in any case according to the following terms:
- For responding to your requests (point c.1): for the time strictly necessary to provide feedback and, in the event of a subsequent establishment of a contractual relationship, for the duration thereof and according to the provisions of the next point. In the absence of a contractual relationship, up to 12 months from the request to manage any further contacts or clarifications, unless you request deletion.
- For the provision of requested services and administrative management (points c.2 and c.3): for the entire duration of the contractual relationship and, after termination, for 10 years (ordinary statute of limitations and for tax and accounting obligations), subject to different legal obligations or needs for legal protection.
- For recruitment and personnel selection (point c.4):
  - Non-selected candidates for the specific position or unsolicited applications: personal data and curricula vitae will be kept for a maximum period of 6 months from their receipt or from the last significant contact with the candidate (e.g., CV update, interview). This period is considered appropriate to allow the Controller to evaluate the candidate's profile also for any future job positions that may open up and that are compatible with their professional profile, unless you request early deletion pursuant to Art. 17 GDPR. At the end of this period, if an employment/collaboration relationship has not been established or your new consent for further retention has not been given, the data will be deleted.
  - Selected and hired candidates: personal data collected during the selection process will be transferred to the employee/collaborator's personnel file and kept according to the provisions of the specific privacy notice provided to staff at the time of hiring and, in any case, for the entire duration of the employment relationship and for the applicable legal terms following its termination (generally, 10 years for civil, tax, and social security purposes, and for legal defense).
- For direct marketing purposes (point c.4): until you withdraw your consent.
- For website improvement and statistical analysis (point c.5): navigation data are generally stored for short periods, except for possible extensions related to investigation activities. For cookies, please refer to the retention times specified in the Cookie Policy.
At the end of the retention period, personal data will be deleted, destroyed, or anonymized, without prejudice to further retention needs provided for by law.
(h) Rights of the data subject
In accordance with the provisions of Chapter III, Section I, GDPR, you may exercise the rights indicated therein and in particular:
- Right of access (Art. 15 GDPR): Obtain confirmation as to whether or not personal data concerning you are being processed and, if so, receive information relating, in particular, to: purposes of processing, categories of personal data processed, retention period, recipients to whom they may be communicated.
- Right to rectification (Art. 16 GDPR): Obtain, without undue delay, the rectification of inaccurate personal data concerning you and the completion of incomplete data.
- Right to erasure ('right to be forgotten') (Art. 17 GDPR): Request, without undue delay, the erasure of personal data concerning you, in the cases provided for by the GDPR.
- Right to restriction of processing (Art. 18 GDPR): Require the Controller to restrict processing, in the cases established by the GDPR.
- Right to data portability (Art. 20 GDPR): Receive in a structured, commonly used and machine-readable format the personal data concerning you provided to the Controller, and have them transmitted to another controller without hindrance, in the cases provided for by the GDPR.
- Right to object (Art. 21 GDPR): Object to the processing of personal data concerning you based on the legitimate interest of the Controller or for direct marketing purposes, unless there are compelling legitimate grounds for the Controller to continue processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defense of legal claims.
- Right not to be subject to automated individual decision-making (Art. 22 GDPR): Obtain human intervention, express your point of view and contest decisions based solely on automated processing, including profiling, which produce legal effects concerning you or similarly significantly affect you, except in cases permitted by law.
- Right to withdraw consent: Where processing is based on consent (Art. 6, para. 1, lett. a, or Art. 9, para. 2, lett. a, GDPR), you have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
- Right to lodge a complaint with a supervisory authority (Art. 77 GDPR): Lodge a complaint with the Data Protection Authority (Piazza Venezia n. 11 - 00187 Rome; Tel. (+39) 06.696771; Email: protocollo@gpdp.it; Certified Email (PEC): protocollo@pec.gpdp.it; website www.garanteprivacy.it).
You may exercise your rights by sending a written request to the Data Controller at the contact details indicated in point (a) of this notice, or, if present, to the DPO's email address indicated in point (b).
(i) Nature of data provision and consequences of refusal
The provision of personal data for the purposes referred to in points (c.1), (c.2), and (c.3) is necessary to be able to follow up on your requests and for the performance of contractual and legal obligations. Any refusal to provide them would make it impossible for Agorà Security to follow up on your requests or to comply with contractual and legal obligations.
The provision of data for marketing purposes (point c.4) is optional and any refusal will not affect the provision of other services.
As regards navigation data and cookies (point c.5), please refer to the specific Cookie Policy for management and deactivation methods.
(j) Methods of processing
The processing of your personal data is carried out by means of the operations indicated in Article 4(2) of the GDPR - performed with or without the aid of IT systems - and precisely: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, alignment or combination, restriction, erasure or destruction.
In any case, the logical and physical security of the data and, in general, the confidentiality of the personal data processed will be guaranteed, by implementing all necessary and appropriate technical and organizational measures to ensure a level of security appropriate to the risk, pursuant to Art. 32 of the GDPR.
(k) Changes to the Privacy Notice
This Privacy Notice may be subject to changes and updates. In case of substantial changes, the Controller will inform you by publication on the website or other suitable means. It is advisable to regularly consult this section of the site to check the most updated version.
Last updated: 08/05/2025