Privacy policy


Pursuant to article 13 EU Regulation 2016/679

Waterhouse S.p.a. welcomes You to the website (the “Website”) and, with the present document (the “Policy”), wishes to inform You about the purposes and modalities of the processing of Your personal data and Your rights as an interested party.

This Policy includes the description of all the processing carried out by the Controller, hereby defined as such, through the Website. The purpose of the processing will depend on the service You require.

  1. Who is the Controller of the Processing

The Controller is Waterhouse S.p.a., legal headquarters in Rome, via Nazionale, 172, in person of the pro tempore legal representative. 

Waterhouse S.p.a. is a company of the Magister Group S.p.A. which has its legal headquarter in Rome, Via Nazionale, 172.

You will be able to contact the Controller for the application of Your rights listed in next point 7; furthermore, You will be able to receive every type of information writing to the address:

  1. What personal data do we collect

2.1 Browsing data

The computer systems and software procedures responsible for the operation of this website acquire, in the course of their normal exercise, certain personal data whose transmission is implicit in the use of Internet communication protocols.

These information are not gathered to be associated to identified subjects, but they may, for their own nature, allow to identify the users.

This category of data includes IP addresses or domain names of computers used by users who connect to the website, the URI strings (Uniform Resource Identifier) of the requested resources, the hour of the request, the method used to request the service to the server, the dimension of the file received, the numerical code that indicates the state of the answer given by the server (positive end, error, etc…) and other parameters regarding the computer system and the user’s computer environment.

These data are used for the sole purpose of obtaining anonymous statistical information on the use of the site and to control its proper functioning and are deleted after processing. The data could be used to ascertain liability in the event of hypothetical computer crimes against the site.

2.2 Data voluntarily given by the user

The optional, explicit and voluntary sending of emails to the addresses indicated on this site and the compilation of the “format” (windows) involves the subsequent acquisition of the email address, necessary to respond to requests, and any other personal data communicated spontaneously to the Controller.

Unless You communicate additional personal data for the management of Your request, for the purposes indicated in this Policy, the Controller will process the following personal data:

  • personal data: first name, last name, address, telephone number, email and other addresses;
  • data of the CV given by You to the Controller;
  • data given by You through Your communication to the Controller.

To process Your request, including the handling of Your application, the Controller could process some particular categories of personal data, likely to reveal membership to trade unions (hiring, request for deduction for union shares), adhesion to political party, religious belief (should You request to support some religious festivities) as well as health condition.

Specific summary information will progressively be reported or displayed on the pages of the website prepared for particular services on request.

 2.3 Cookie

Through the Website, the Controller will also process Your personal data through the use of cookies.

For such processing, the Controller invites You to view the Cookie Policy in this link.

  1. Purpose of processing and legal ground

This point 3 presents a description of the possible purposes of the processing pursued by the Controller, according to the service You request.

3.1 Requests through the Website

 Your personal data may be processed by the Controller to satisfy the requests written to the addresses available on the website or filled out on the  windows on the Website.

Failure to provide the requested data will make it impossible for the Controller to accomplish Your request.

The legal ground of the processing is the necessity to accomplish Your request, as per article 6, paragraph 1, letter b), GDPR. Therefore, the acquisition of Your prior consent to the processing is not necessary.

For the purposes of processing Your request, the Controller may also process particular categories of personal data communicated by You to the Controller. For the processing of such particular categories of personal data, the Controller requires Your explicit consent.

The data collected for this purpose will be processed for the time strictly necessary to satisfy Your request and subsequently kept for 10 years after the processing of the request.

 3.2 Regulatory compliance

To process Your requests, the Controller may also process the personal data provided by You for the fulfillment of related legal obligations established by national or community laws and/or regulations.

In such case, the legal ground for the processing is the need to fulfill  a legal obligation, in accordance with article 6, paragraph 1, letter c), GDPR. Therefore, the acquisition of Your prior consent to the processing is not necessary.

Your personal data are processed for the time necessary for the fulfillment of legal obligations and, subsequently, exclusively kept for 10 years in compliance with the limitation period provided by the Italian Civil Code.

3.3 Website management

Your personal data described in points 2.1 and 2.3 above will also be processed by the Controller to manage the Website, carry out anonymous statistical analysis regarding the use of the website to check its proper functioning and/or to ascertain liability in case of hypothetical computer crimes against the Website.

In any case, these data are processed anonymously and are immediately deleted after the elaboration.

The legal ground of the processing is the legitimate interest of the Controller to ensure the proper use of the Website and to prevent any possible cyber crime, in compliance with article 6, paragraph 1, letter f), GDPR. Therefore, it will not be necessary to obtain Your consent.

Your personal data will be immediately made anonymous and deleted at the end of Your browsing session. However, should a violation be detected, Your personal data will be kept for as long as necessary for the management of the dispute.

3.4 Commercial communication and newsletter

If You wish to be updated on the latest news of the products and services offered by the Magister Group, You can join our marketing initiatives by allowing the Controller to send You the newsletter and further commercial communications concerning the products and services of the Magister Group.

The legal ground for sending commercial communications and newsletters is Your express consent, which the Controller requires from You on all pages of the website where it is possible to join such service, in compliance with article 6, paragraph 1, letter a), GDPR.

Your personal data will be processed until You decide to revoke Your consent or oppose the processing.

Right to object to direct marketing activities

We inform You that, at any time, You have the right to object to direct marketing activities by getting in touch with the Controller using one of the addresses listed in point 1 of this Policy or clicking on the link displayed on every communication of the Controller. 

  1. Consequences to the refusal of giving personal data

The conferment of Your personal data is optional and does not affect Your ability to browse the Website. However, the conferment of data is a necessary requirement for the management of requests made by You. Therefore, the failure to provide the requested data will make it impossible for the Controller to offer the specific service requested.

  1. How do we process Your personal data

The processing of Your personal data will take place, in compliance with the arrangement of the GDPR, through paper, computer and telematic instruments, with logics strictly related to the stated purposes and, however, in such a way as to ensure their security and confidentiality in accordance with Article 32 GDPR.

  1. To whom Your personal data may be communicated and who may hear about them

In order to pursue the purposes described in point 3 above, Your personal data will be known to the employees, the assimilated personnel and the collaborators of the Controller, who will act as authorised persons for the processing of personal data.

Furthermore, Your personal data will be processed by third parties who belong to these categories:

  1. subjects who provide IT system management services and storage of processed personal data;
  2. subjects who provide legal and/or tax advice;
  3. security and control authorities.

The above-mentioned subjects operate, in some cases, in total autonomy as separate Controller of the processing; in other cases, as responsible of the processing appointed by the Controller in accordance with article 28 GDPR.

The complete and up-to-date list of these subjects can be asked to the email address

The personal data processed by the Controller will also be transferred outside the European Union for archiving purposes. Anyway, the Controller assures that Your personal data will be transferred to third countries  according to an adequacy decision of the European Commission, in accordance with Article 45 GDPR, subject to standard contractual clauses in accordance with Article 46 GDPR, or in the case of any of the derogations specifically provided for in Article 49 GDPR.

Your personal data will not be diffused.

  1. Your rights as interested party

In relation to the processing described in this Policy, as an interested party, You may, under the conditions provided by the GDPR, execute the rights set out in Articles 15 to 21 of the GDPR and, in particular, the following rights:              

  • right of access – article 15 GDPR: The data subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
  1. the purposes of the processing
  2. the categories of personal data concerned
  3. the recipients or categories of recipient to whom the personal data have been or will be disclosed
  4. the envisaged period for which the personal data will be stored
  5. the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data or to object to such processing
  6. the right to lodge a complaint
  7. the right to request information on my personal data if they were not collected from the data subject
  8. the existence of automated decision-making process, including profiling;
  • right to rectification – article 16 GDPR: the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her;
  • right to erasure (right to be forgotten) – article 17 GDPR: right to obtain from the Controller the erasure of personal data concerning You, when:
  1. the data are no longer necessary in relation to the purpose for which they were collected or processed;
  2. You withdraw Your consent and there is no legal ground for the processing;
  3. You object to the processing;
  4. the data have been unlawfully processed,
  5. the data have to be erased for compliance with a legal obligation;
  6. the personal data have been collected in relation to the offer of information society services referred to in article 8, paragraph 1, GDPR.

            The right to erasure does not apply to the extent that processing is necessary for compliance with a legal obligation, for the performance of a task carried out in the public interest, for the establishment, exercise or defence of legal claims;

  • Right to restriction of processing – article 18 GDPR: right to obtain restriction of processing when:
  1. the accuracy of the data is contested by the subject;
  2. the processing is unlawful, the subject opposes the erasure of the personal data, and requests the restriction of their use;
  3. the personal data are required by the subject for the establishment, exercise or defence of legal claims;
  4. the subject has objected to processing pending the verification whether the legitimate grounds of the Controller override those of the data subject;
  • right to data portability – article 20 GDPR: right to receive, in a structured and machine-readable format, the personal data concerning You and have the right to transmit those data to another controller without hindrance, if the processing of your data is based upon consent and is carried out by automated means. Furthermore, the right to obtain the personal data transmitted directly from one controller to another, where technically feasible;
  • right to object – article 21 GDPR: right to oppose, at any time, to the processing of personal data concerning You, which is based on the condition of legitimacy of the subject, including profiling, except in the case of legitimate reason – that prevail on interests, on rights and freedom of the interested party or the verification, the exercise or defense of a right in judicial branch – for the Controller to continue the processing;
  • right to withdraw Your previously given consent;
  • submit a complaint to the data protection Authority whose headquarters is currently Piazza Venezia, 11, 00187, Rome (RM).

The rights listed above may be exercised towards the Controller by writing to the addresses of point 1.

The Controller will take charge of your request and he will give you, without unjustified delay, and within a month, the information regarding Your request. 

The exercise of Your rights as an interested party is free, according to article 12 GDPR. However, in the case of manifestly unfounded or excessive requests, including their repetitiveness, the Controller could charge You a reasonable fee, in light of the administrative costs incurred to manage Your request, or deny the satisfaction of Your request.

In addition, we inform You that the Controller may ask You further information necessary to confirm Your identity.