Policy for data protection  

in accordance with art. 24 of “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”).



We have built our success by ensuring our customers and all our stakeholders maximum protection of their assets, including their personal data.

Protecting the personal data of all our data subjects is mandatory for us. We therefore ask the same commitment to all our stakeholders (suppliers, collaborators, business partners, consortium members, investee and associated companies).


Our business context

Our mission is to provide professional services to companies (advisory, professional training, audit and business assurance). The main processing purposes consist in the management of contractual relationships aimed at the procurement of goods and services from suppliers or the provision of services to customers.

We typically process personal data from the following categories of data subjects:


1.     Suppliers and Collaborators;

2.     Attendees in events;

3.     Navigators of the company website;

4.     Our Consortium companies and our Business Partners.

The data are processed in paper and electronic form.

The legal basis of the processing is mainly of a pre-contractual, contractual or mandatory nature.

The personal data processed are mainly personal data, contact data, professional data, organizational data and administrative data. In some cases, data relating to photo and video shooting may be processed, especially during events.

We do not process particular data in accordance with articles 9 and 10 of the GDPR. We do not process data of minors data subjects.

The data are processed within the European Union.

The data retention criteria mainly refer to contractual or mandatory requirements. The data may also be kept for historical or technical reasons (in the event that the deletion of the data could compromise the integrity and usability of the archives). In this case, the archived data are not subject to further processing.


The information and the consent

For each category of data subjects, we prepare information in accordance with article 13 of the GDPR. Where necessary, we request the consent to the processing in accordance with article 7 of the GDPR. All information are available on our website www.alpemi.it  


The principles for processing personal data

We process the personal data of the data subjects in accordance with the principles referred to in Article 5 of the GDPR and listed below:

1.     lawfulness, fair and transparency of the processing;

2.     specific, explicit, legitimate purposes;

3.     adequate, relevant and limited data to what is necessary with respect to the purposes for which they are processed ("data minimization");

4.     accurate and, if necessary, kept up to date; every reasonable step will be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

5.     data stored in a form that allows the identification of data subjects for a period of time not exceeding the achievement of the purposes for which they are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes subject to implementation of the appropriate technical and organisational measures required in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

6.     data processed in such a way as to ensure adequate security of personal data, including the protection, through appropriate technical and organizational measures, from unauthorized or illegal processing and from accidental loss, destruction or damage ("integrity and confidentiality").


Our accountability to the principles of the GDPR and risk assessment

We adopt a management model to ensure compliance with the requirements of the GDPR. This model is based on the ISO 27701 Personal Information Management System (PIMS) standard.

The management model for the protection of personal data includes the risk management framework for the protection of personal data based on the guidelines of the ISO 31000 standard.


Our objectives and our operational policies for the protection of personal data

We pursue the following personal data protection objectives:

1. integrity of personal data, which includes accuracy and completeness;

2. availability of personal data, which includes resilience and disaster recovery;

3. confidentiality of personal data.

To pursue these first-level objectives, we plan second-level objectives related to the correct adoption of operational controls ("technical organizational measures") applicable for the treatment of risks. This policy may therefore refer to more operational policies that address specific aspects of personal data protection.


Our Privacy Management System (PIMS)

In order to pursue our privacy compliance  objectives, we have adopted a privacy management  system compliant with the ISO 27701 standard.

Our Privacy Management System has been integrated into the more general corporate management system and has been planned in order to consider aspects of Governance and Internal Control System, Risk Management aspects (with reference to the guidelines of the ISO 31000 standard) and Compliance aspects (with reference to the guidelines of the ISO 19600 standard).

We are committed to adapting and continuously improving our Business Continuity Management System and to make aware and train our stakeholders on its correct application.

All those who process data on our behalf are trained and made aware by us in accordance with article 29 of the GDPR on the correct application of this policy and the operational policies referred to by it.  All suppliers of ours  processing  personal data on our behalf are appointed data processors in accordance with article 28 of the GDPR.


The penalties

Violations of this policy and of the Privacy Management System imply the application of disciplinary measures, including the termination of existing contractual relationships.


Data Controller

Data controller is Alpemi Consulting  with registered and operational headquarters in Corso Buenos Aires 47 - 20124 Milan (Italy).


Contact us

This information is available on the website of Alpemi Consulting   www.alpemi.it  

For any request for information regarding the processing of  your personal data,  for exercising your rights, for reporting vulnerabilities, violations of the principles for data processing, incidents,  you can contact our privacy manager to the following email address:  privacy@alpemi.it


Alpemi Consulting