Doc. 07/05/05 Customer policy

Customer information pursuant to EU Reg. 2016/679

1. Data Controller

Data controller is CQOP SOA SpA, contactable by email:

2. Data Protection Officer (DPO)

CQOP SOA SpA is not among the entities required to appoint the Data Protection Officer.

3. The purposes of the processing for which the personal data are intended as well as the legal basis for the processing  

The processing is aimed at fulfilling the following purposes by CQOP SOA SpA:

  1. institutional qualification activity for performers of public works performers required in order to fulfil legal obligations necessary for the execution of this contract (Legislative Decree 50/2016; DPR 207/2010; ANAC Manual, guidelines and provisions);
  2. processing of data for promotional purposes (keeping the Company updated on the evolution of the legislation and on CQOP activity).


CQOP SOA SpA processes personal data collected from interested parties or third parties by adopting the appropriate security measures to prevent unauthorized access, disclosure, modification or destruction of personal data.

Processing is carried out by means of paper, digital and/or telematic tools, with organisational methods and logics strictly related to the purposes indicated.

5. Categories of data processed

CQOP SOA SpA, for the purposes indicated in point 3, processes the following categories of data:

  • Personal data relating to the organizational and legal structure of the Company, as identified by current legislation (e.g.: Owners, Legal Representatives, Technical Directors, company contacts, Supervisory Bodies, etc.)
  • Particular data referred to in art. 9 of the EU Reg. 2016/679 (Libro unico del lavoro – Company Employment Register)
  • Personal data relating to criminal convictions and offenses and related security measures pursuant to art. 10 of EU Reg. 2016/679 (verification of general requirements of Legislative Decree 50/2016)

In any case, CQOP SOA SpA ensures that the minimum data will be processed in order to guarantee the qualification activity, in compliance with the specific legislation.

6. Recipients or categories of recipients of personal data

Personal data may be processed by internal personnel or by third parties, for the performance of the following activities:

  1. Information and communication to the National Anti-Corruption Authority and other inspection and supervisory entities for whom the communication/information of data is mandatory (personal data, including those mentioned in art.9 and/or 10 of EU Reg. 2016/679);
  2. Litigation and acquisition of technical consultation relating to qualification activities such as law firms and freelancers, (personal data, including those mentioned in art.9 and/or 10 of EU Reg. 2016/679);
  3. Fulfilment of accounting and tax obligations and any related legal and administrative needs (eg: credit institutions for banking operations, law firms and freelancers, sector-specific inspection and regulatory bodies) relating only to common personal data;
  4. IT system management (personal data, including those mentioned in art.9 and/or 10 of EU Reg. EU) 2016/679)
  5. Paper archive management (personal data, including those mentioned in art.9 and/or 10 of EU Reg. 2016/679)

7. Length of data retention

Personal data processed are kept for the time necessary to carry out the certification process and, after the certification has been issued, for a minimum of 10 years in accordance with current legislation. The maximum data retention period is 20 years, save any explicit request by the interested party and impediments related to the structure of the management systems used and the logistical organization of the paper archives.

8. Transfer of personal data to a third country or to an international organization

Personal data is not transferred to third countries or to international organizations.

9. Fundamental rights of the interested party and the possibility of exercising them

Those interested in the handling of personal data, pursuant to what is defined in articles 15 to 21 of EU Reg. 2016/679, have the right to:

  1. obtain access to any personal data and information relating to them managed directly by CQOP SOA SpA or by the third parties mentioned above;
  2. obtain correction of inaccurate personal data, without undue delay and upon explicit request;
  3. obtain deletion of processed personal data;
  4. request restrictions on its processing;
  5. request the portability of personal data, processed by automated means, in a structured format, commonly used and readable by an automatic device.
  6. Clarification: not applicable to paper archives and registers; in the current state of the Qualification legislation, transfers of data/documents to another SOA are possible only in the event of suspension and forfeiture of the authorization, bankruptcy or termination of the activity of CQOP SOA SpA;
  7. exercise the right of opposition, within the limits of the legitimate interest of the Data Controller and the obligations imposed by current legislation;
  8. right not to be the subject of decisions based solely on automated data processing (including profiling), which may have legal effects on the person. Not applicable as CQOP SOA SpA does not carry out automated decision-making processes, including profiling.

In cases where the interested parties exercise their rights, CQOP SOA SpA will process the request within one month of receiving it.

If the requests are repetitive or unfounded, CQOP SOA SpA reserves the right to request a contribution towards costs from the interested party or refuse the request. In the event of rectification, cancellation or limitations of data processing, CQOP SOA SpA will inform the aforementioned third-party companies and the recipients of the processing, if requested.

10. Right to withdraw consent 

The withdrawal of consent can be exercised only for data processed for promotional purposes.

11. Right to lodge a complaint with a supervisory authority

Interested parties have the right to lodge a complaint/report with the Italian Data Protection Authority [Garante per la protezione dei dati personali].

12. Existence of legal or contractual obligations or requirements necessary for the conclusion of a contract 

Failure to provide the personal data referred to in point 3 a) makes it impossible for CQOP SOA SpA to execute the contract.

Last updated: 1/1/2021