Legal Policies

Privacy Policy

1. General information

1.1. Controller

The controller within the meaning of Art. 4 No. 7 of the GDPR, the Legislative Decree 196/2003 and subsequent amendments (“Privacy Code”), and other applicable laws or provisions governing data protection is:

Kastner Milano S.r.l., Via Senato 45 – 20121 Milan,

VAT number 05357990968

Phone number: +39 0245477170

E-mail address: federica.giacomotti@kastner.agency

Further details can be found in our imprint.

1.2. Data Protection Officer

You can reach and contact our data protection officer at the following address:

Gero Wilke
datalegis GmbH
Bismarckallee 10
79098 Freiburg im Breisgau
Germany

Phone: +49 761 45892723
E-Mail: datenschutz@kastner.agency

1.3. General principles of processing

With reference to the definition in Art. 4 No. 1 of Regulation (EU) 2016/679 (hereinafter referred to as: "General Data Protection Regulation" or "GDPR" for short), the term "personal data" means all data that can be related to you personally. This includes, for example, your name, address, email addresses and user behavior. With regard to the other terms, in particular the terms "processing", "controller", "processor" and "consent", we refer to the statutory data protection definitions in Art. 4 of the GDPR.

We only process personal data to the extent necessary to provide our website and the content and services we offer. The processing of personal data only takes place regularly if you have given us your consent within the meaning of Art. 6(1)(a) of the GDPR (where applicable) or if the processing is permitted by legal regulations, in particular by one of the legal bases mentioned in Art. 6(1)(b), (c), and (f) of the GDPR.

The purposes of the processing of personal data are explained in the following sections for each of the aforementioned data processing operations. If we process personal data for a different purpose that does not correspond to the purpose for which the personal data was originally collected, we will inform you of this again.

If we use contracted service providers or wish to use your data for advertising purposes, we will inform you in detail below about the respective processes.

Please note that you are not legally obliged to provide personal data. However, we sometimes need your personal data to provide our website and the content and services we offer. We will inform you about this in detail below. Please also note that if you do not provide us with the required data, you may not be able to use our website and/or the content and services we offer. However, failure to provide voluntary information will not result in any disadvantages.

In some cases, we use external service providers who have been carefully selected and commissioned by us to process personal data. These service providers are bound by our instructions and are regularly monitored by us. You will find more detailed information in the following sections.

Your personal data will be deleted or blocked as soon as the purpose of storage no longer applies. Data may also be stored if this has been provided for by national or European regulations to which we are subject; in these cases, the legal basis for further storage is Art. 6(1)(c) of the GDPR in conjunction with the respective national or European regulation. In this case, the data will be blocked or erased when the storage period prescribed in the respective regulations has expired. The latter does not apply if further storage of the data is necessary for the conclusion or fulfillment of a contract; in these cases, the legal basis for further storage is Art. 6(1)(b) of the GDPR.

If third parties to whom we transfer data are based in a country outside the European Union (EU) and the European Economic Area (EEA), we will inform you separately in the following sections. We only process data in third countries if there is an adequate level of data protection within the meaning of Art. 44 to 49 of the GDPR.

1.4. Your rights

You have the following rights vis-à-vis us with regard to your personal data:

the right of access by the data subject (Art. 15 of the GDPR),
the right to rectification (Art. 16 of the GDPR),
the right to erasure ("right to be forgotten") (Art. 17 of the GDPR),
the right to restriction of processing (Art. 18 of the GDPR),
the right to object to processing (Art. 21(1) of the GDPR),
the right to data portability (Art. 20 of the GDPR).

You also have the right to complain to a data protection supervisory authority about the processing of your personal data by us (Art. 77 of the GDPR). In Italy, the competent supervisory authority is the Italian Data Protection Authority (https://www.garanteprivacy.it/home).

Please also note that the exercise of your rights may be subject to limitations or exclusions in the cases provided for by current legislation, including the cases referred to in Article 2-undecies of the Privacy Code.

1.5. Objection to the processing of your personal data and withdrawal of consent

You can withdraw any consent you have given us to process your personal data at any time. The revocation affects the permissibility of the processing of your personal data after its pronouncement to us.

With regard to the processing of your personal data, you can object to the processing if this processing is carried out on the basis of a balancing of interests. In this context, we ask you to explain the reasons arising from your particular situation as to why you object to the processing of your personal data by us. In the event that your objection is justified, we will examine the situation. We will then either no longer process your personal data, adjust the further data processing if necessary or state compelling reasons worthy of protection as to why we continue to process your personal data.

You can also object to the processing of your personal data for the purposes of advertising and data analysis at any time.

You can send your revocation of the consent or objection to the processing of your personal data using our contact details above.

2. Processing of personal data when using our website

Below we inform you about the collection and processing of personal data when using our website www.kastner-milano.agency/ :

2.1. Processing of personal data when using our website for information purposes

If you visit our website without registering or otherwise providing us with information ("informational use" of the website), we only collect the personal data that your web browser transmits to our server. If you wish to view our website, we collect the following data, which is technically necessary for us to enable you to view our website and to ensure stability and security:

IP address
Date and time of the request
Time zone difference to Greenwich Mean Time (GMT)
Content of the request (specific page)
Access status/HTTP status code
Amount of data transferred in each case
Website from which the request comes
Browser
Operating system and its interface
Language and version of the browser software.

The aforementioned data is also stored in log files on our servers. This data is not stored together with your other personal data.

The collection and temporary storage of the IP address is necessary to enable the delivery of our website to your end device. For this purpose, your IP address must be stored for the duration of your visit to our website. The storage of the above-mentioned data in log files serves to ensure the functionality and optimization of our website and to ensure the security of our information technology systems. This data is not analyzed for marketing purposes. Our legitimate interest in data processing lies in the aforementioned purposes. The legal basis for the collection and temporary storage of the aforementioned data and log files is Art. 6(1)(f) of the GDPR.

We store the above data on servers of Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany, a provider with server locations in Germany, with whom we have concluded an order processing contract in accordance with Art. 28 of the GDPR. This ensures that the standards and regulations of European data protection law are complied with.

The aforementioned data for the provision of our website is deleted when the respective session has ended. The data in log files is deleted after seven days at the latest. The collection of the above data for the provision of our website and the storage of this data in log files is absolutely necessary for the operation of our website. For this reason, there is no possibility of objection to this processing.

2.2. Cookies

In addition to the above-mentioned data, we use technical aids for various functions when using our website, in particular cookies, which can be stored on your end device. Cookies are small text files that are stored on the storage medium of your end device, for example on a hard disk, and through which certain information flows to us as the body that sets the cookie. Cookies cannot execute programs or transfer viruses to your end device.

This website uses technically necessary cookies. The technical structure of our website requires the use of certain technologies, in particular cookies. Without them, our website cannot be viewed or used in a complete and/or error-free manner. For instance, some website features require that your web browser can be recognised even after a webpage change. This technical cookie category also includes functional cookies that allow users to browse the website according to a series of criteria selected by them (e.g. language). These are generally temporary cookies that are deleted at the end of the visit to the website, at the latest when the browser is closed. It is not possible to disable these cookies if you wish to use our website. In accordance with applicable legislation, your consent is not required for the use of technically necessary cookies. These cookies are used exclusively to enable the transmission of communications over an electronic communications network or to provide a service explicitly requested by the user. In other words, these are essential tools for the proper functioning of the website or for enabling the user to carry out the activities requested.

Our website uses the following technical cookie:

Name: NEXT_LOCALE

Purpose: Setting the user's language

Expiry: Session (or if the user manually changes the language for 1 year)

This website does not use profiling cookies (i.e. cookies designed to create user profiles in order to send messages in line with the preferences expressed while browsing the site) or third-party cookies.

The technical cookie mentioned above is stored on your end device and transmitted from there to our server.

2.3. Other functions and offers on our website

In addition to the aforementioned informational use of our website, we offer various services that you can use if you are interested. This usually requires the provision of further personal data. We require this data to provide the respective service. The above data processing principles apply.

In some cases, we use external service providers who have been carefully selected and commissioned by us to process this data. These service providers are bound by our instructions and are regularly monitored by us.

Insofar as personal data is passed on to third parties in the course of services that we offer together with partners, you can find more detailed information in the following descriptions of the individual services.

If these third parties are based in a country outside the European Economic Area, you can find more detailed information about the consequences of this international transfer in the following descriptions of the individual services.

3. Contacting us

If you contact us by e-mail, the personal data contained in your message will be stored solely for the purpose of responding to your enquiry. Personal data may be shared with service providers supporting our activities (e.g. IT service and electronic communications network providers).

The processing of personal data is for the sole purpose of processing your requests. If your e-mail is aimed at concluding a contract or executing or managing an existing contractual relationship, then Article 6(1)(b) of the GDPR applies, in which case this constitutes the legal basis for processing. Otherwise, our legitimate interest in processing the data lies in these purposes (Art. 6(1)(f) of the GDPR). If, instead, you have given your consent (where required), the legal basis for the processing of this data is Article 6(1)(a) of the GDPR.

Without affecting compliance with the retention obligations provided for by law, the data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected, i.e. they will only be retained for the time necessary to satisfy your request. You may withdraw your consent to the processing of your personal data (where consent has been given) at any time, without prejudice to the lawfulness of the processing carried out up to that point. Details on withdrawing your consent are available in Section 1 of our Privacy Policy. Furthermore, you may withdraw or object to the storage of your personal data at any time by sending a communication to our e-mail address. Please note that in this case, your request cannot be processed further. You may also communicate your revocation or objection by sending an e-mail to our e-mail address indicated above.

4. Third-party services

4.1. Use of Notion

We use the services and functions of "Notion", a productivity tool from Notion Labs, Inc, 548 Market St #74567, San Francisco, CA 94104-5401, USA (hereinafter "Notion"). Notion is a database-based multifunctional application for digital work that includes various components and functions such as notes, databases, Kanban boards, wikis, calendars and reminders. Among other things, it enables users to create notes, manage tasks and organize projects, as well as combine such components for these purposes. These systems can be used both individually and in collaboration with others.

We use Notion as a "digital home" and as a project management tool, in particular for the structured recording of information on projects and tasks. In this context, we collect and process the data of the contact persons involved in the project as well as their contact details (telephone numbers and e-mail addresses).

We use Notion to offer you – and ourselves – a more intuitive and flexible tool for managing projects and activities. The processing of personal data through Notion is based on our legitimate interest in ensuring efficient and easily accessible project management in accordance with Art. 6(1)(f) of the GDPR.

To the extent that you have given us your consent (where required), the legal basis for the processing of such data is Art. 6(1)(a) of the GDPR. If the use of Notion is instead aimed at executing or managing a contractual relationship between you and us, the legal basis is Art. 6(1)(b) of the GDPR. Personal data processed through Notion is stored only for the time necessary to achieve the purposes for which it was collected. In any case, this is without prejudice to legal obligations that impose different storage periods.

To ensure that Notion processes the personal data transmitted exclusively in accordance with our instructions and in compliance with current data protection legislation, we have signed an agreement on the processing of personal data pursuant to Art. 28 of the GDPR.

We would like to point out that it cannot be entirely precluded that Notion may also process personal data outside the EU or the EEA, such as in the USA. Insofar as Notion also processes personal data outside the EU or the EEA in the USA, data transfers are carried out on the basis of the EU Commission's adequacy decision of July 10, 2023 (further information can be found on the following EU website: https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en) and thus on the basis of Art. 45 GDPR.

Notion has submitted to the EU-US Data Privacy Framework concluded between the European Union and the USA and has certified itself. As a result, Notion undertakes to comply with the standards and regulations of European data protection law. Further information is available on the following website relating to the EU-US framework for the protection of personal data under the heading Notion Labs, Inc.: https://www.dataprivacyframework.gov/.

In addition, we have concluded a contract with Notion including the new standard contractual clauses adopted by the EU Commission on June 4, 2021 within the meaning of Art. 46(2)(c) of the of the GDPR (further information can be found on the following EU websites: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en and https://ec.europa.eu/germany/news/20210604-datentransfers-eu_de) in order to ensure an adequate level of data protection for the processing of personal data in the third country.

Information from the third-party provider: Notion Labs, Inc, 548 Market St #74567, San Francisco, CA 94104-5401, USA.

Further information on the use of data by Notion, on setting and objection options and on data protection can be found on the following Notion websites:

Privacy policy: https://www.notion.so/notion/Privacy-Policy-3468d120cf614d4c9014c09f6adc9091
General information on the GDPR: https://www.notion.so/de-de/help/gdpr-at-notion
General information on security and data protection: https://www.notion.so/de-de/security
Contract for order processing including the EU standard contractual clauses: https://www.notion.so/notion/Data-Processing-Addendum-361b540101274b1fa7e16b90402b0d99
Cookie policy: https://www.notion.so/notion/Cookie-Notice-bc186044eed5488a8387a9e94b14e58c

5. Processing of personal data in connection with job applications

If you wish to apply for jobs advertised by us, it is necessary to provide personal data. This data may include personal details (such as first name, surname, address, date of birth) and contact details (such as telephone number or e-mail address) as well as data relating to your educational and/or professional background such as school grades.

The data required to complete the application process is indicated in the relevant job advertisement or is otherwise marked as mandatory. The submission of additional data is optional. We do not use third parties to evaluate your application. However, your data may be shared with service providers who support our activities (e.g. IT service and electronic communications network providers).

The processing of personal data is used exclusively to process your application and manage the related selection process.

The legal basis for the processing of such data is Art. 6(1)(b) of the GDPR (performance of steps at the request of the data subject prior to entering into a contract) and, for the processing activities that are not strictly necessary for the performance of such steps, Art. 6(1)(f) of the GDPR (legitimate interest). Any processing of special categories of personal data shall be carried out pursuant to Article 9(2)(b) of the GDPR, in accordance with the provisions of the general authorisation pro tempore in force issued by the Italian Data Protection Authority, containing prescriptions concerning the processing of special categories of data in the context of labour relations.

Personal data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the event that the application process for the job advertisement for which you are applying has been completed, we will delete your data immediately, otherwise after six months at the latest.

Your data will not be deleted if, in certain specific cases, the processing and storage of your personal data is necessary for the establishment, exercise or defence of legal claims. In this case, we have a legitimate interest in the further processing and storage of your personal data. The legal basis is Art. 6(1)(f) of the GDPR. Your personal data will not be erased even if we are obliged by law to continue storing your personal data.

You have the right to withdraw your consent to the processing of your personal data at any time, where you have given it. In particular, you have the option of withdrawing your application at any time. You should only provide us with the personal data that is necessary for participation in the application process and its implementation. There is no legal or contractual obligation to provide data. However, we would like to point out that we cannot carry out the application process without this data and cannot consider your application. You also have the right to have your personal data modified or updated at any time. You may withdraw your consent by sending an e-mail to the e-mail address indicated in Section 1 of this Privacy Policy.

6. Note on our presence in social networks

We have presences on the following social media platforms:

Facebook (operator in the EU: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; US parent company: Meta Platforms, Inc., 1601 Willow Road Menlo Park, California 94025, USA; privacy policy: https://www.facebook.com/privacy/policy)
Instagram (operator in the EU: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; US parent company: Meta Platforms, Inc., 1601 Willow Road Menlo Park, California 94025, USA; Privacy Policy: https://privacycenter.instagram.com/policy/)
Twitter (operator in the EU: Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland; US parent company: Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA; privacy policy: https://twitter.com/de/privacy)
LinkedIn (operator in the EU: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; US parent company: LinkedIn Corporation, 1000 West Maude Avenue, Sunnyvale, 94085 California, USA; privacy policy: https://de.linkedin.com/legal/privacy-policy)
XING (operator: New Work SE, Am Strandkai 1, 20457 Hamburg, Germany; information on data protection and privacy policy: https://privacy.xing.com/de and https://privacy.xing.com/de/datenschutzerklaerung)

However, we do not use any social media plugins on our website, only links to the aforementioned social network. Data is not transmitted to the social media platforms when you visit our website.

We use the technical platform and services of the aforementioned third-party providers for these information services.

We would like to point out that you use these social media platforms and their functions on your own responsibility. This applies in particular to the use of interactive functions (e.g. commenting, sharing, rating).

The data collected about you in this context is processed by the provider's platform and may be transferred to countries outside the European Union, in particular the USA. According to its own information, the respective provider maintains an appropriate level of data protection that corresponds to that of the former EU-US Privacy Shield. Insofar as the respective provider has submitted to the EU-U.S. Data Privacy Framework concluded between the European Union and the USA and has certified itself, any data transfers are based on the adequacy decision of the EU Commission of July 10, 2023 and thus on the basis of Art. 45 of the GDPR. In other cases, we have concluded the standard contractual clauses with the provider’s companies as a precautionary measure.

We do not know how the respective social media platform uses the data from your visit to our account and interaction with our posts for its own purposes, how long this data is stored and whether data is passed on to third parties. For further information in this regard, please refer to the privacy policy provided by the providers of these platforms.

Data processing may differ depending on whether you are registered and logged in to the social network or whether you visit the site as a non-registered and/or non-logged-in user. When you access a post or the account, the IP address assigned to your end device is transmitted to the provider of the social media platform. If you are currently logged in as a user, a cookie on your device can be used to track how you have moved around the network.

Buttons integrated into websites enable the provider's platform to record your visits to these websites and assign them to your respective profile. This data can be used to tailor content or advertising to you. If you want to avoid this, you should log out or deactivate the "stay logged in" function, delete the cookies on your device and restart your browser.

We only process the data from your use of our service that you provide to us and that requires interaction. For example, if you ask a question that we can only answer by email, we will store your information in accordance with the general principles of our data processing, which we describe in this privacy policy. The legal basis for the processing of your data on the social media platform is then Art. 6(1)(f) of the GDPR. If you have given us your consent (where required), the legal basis for processing this data is Art. 6(1)(a) of the GDPR. Insofar as your request is aimed at concluding a contract, the legal basis for the processing of your personal data is Art. 6(1)(b) of the GDPR.

To exercise your rights as a data subject, you can contact us or the provider of the social media platform. If one party is not responsible for responding or must receive the information from the other party, we or the provider will then forward your request to the respective partner. Please contact the provider and operator of the social media platform directly if you have any questions about profiling and the processing of your data when using the social media platform. If you have any questions about the processing of your interaction with us on our website, please write to the contact details we have provided above.

What information the social media platform receives and how it is used is described by the provider of the respective social media platform in its privacy policy listed above. There you will also find information about contact options and the settings options for advertisements.

7. Status of and changes to our privacy policy

We always keep our privacy policy up to date. This privacy policy has the following status: September 15, 2025.

If we further develop our website, services and offers, it may be necessary to adapt and amend our privacy policy. The same applies if legal or official requirements change.