Privacy Policy

Information for Consortium Members pursuant to art. 13 and 14 of the General Data Protection Regulation (“GDPR”)

Dear Consortium Member, even if the European legislation on the protection of personal data (European Regulation 679/2016 or GDPR) does not apply to the processing of personal data relating to legal entities, in particular companies with legal status, including the name and form of the legal entity and related contact details, with a view to transparency, CONAI hereby provides the public of the current or consortium companies information required by art. 13 and 14 of the GDPR concerning the collection and processing of the information that CONAI directly acquires from Consortium Members or from public or private, national or foreign bodies, information and data also of a public nature, since it can be obtained from the Register of companies or of a private nature, related to the flow of packaging in and out of the national territory and to the economic operators involved.

Data Controller

The Data Controller, i.e. the entity responsible for making decisions regarding the purposes, methods and security of personal data, is CONAI, Via Pompeo Litta 5, 20122 – Milan. Tel +39.02.540441. Fax +39.02.54122648

Processing purposes and methods and related legal grounds

Personal data and other information (mainly qualifying as “data related to the performance of economic activities”) referable to Consortium Members or related to their customers/suppliers and representatives/declarants, collected (also through electronic communications) during adhesion/withdrawal, audits/inspections or due to the receipt/processing of periodic reports, option declarations and other forms of data collection, are processed on CONAI premises exclusively for the purpose of allowing the proper performance of the activities required by domestic and EU legislation in the field of packaging and packaging waste and by the provisions of the Articles of Association and Regulations, in particular for the purposes of liquidation, assessment and collection of contributions due. Omitted or incorrect communication of mandatory data may result in administrative sanctions.

The legal grounds for processing out by CONAI are specific legal and statutory provisions and legal obligations.

The data collected is processed using mainly computerised methods and with a logic fully compliant with the purposes to be pursued, also through:

  • verification of the data contained in the declarations with other data held by CONAI;
  • verification/exchanges of data contained in the declarations and/or other forms envisaged by the CONAI Guide with the data held by other entities, acquired pursuant to the law or specific agreements.

The data filed in the Register of Companies or in other public registers, lists, deeds or documents are in the public domain, without prejudice to the limits and the procedures that the laws, regulations or EU legislation establish for the disclosure and publicity of data.

Within CONAI, the persons who may become aware of the data are appointed “data processors” or “persons in charge” of processing and have access to the data according to a precise distribution of tasks and responsibilities.

It may happen that, for the achievement of its purposes, the consortium entrusts data processing to external parties which it trusts, which are assigned specific tasks of a technical or organisational nature (for example, data entry or documentation storage); these entities are formally bound to comply with current legislation on the protection of personal data, where applicable.

Recipients and categories of data processed

The information and personal data held by CONAI may be disclosed to third parties, which make a legitimate and justified request, in the presence of a law or regulation, or when, for the performance of institutional functions of CONAI or of such parties, the Consortium has established institutional interactions/collaborations with the same for monitoring, control, study or research activities on the management of packaging and packaging waste,

or, without prejudice to the communication or dissemination of data requested, in compliance with the law, by police forces, judicial authorities, information and security bodies or other public entities for State defence or security purposes or for the prevention, ascertainment or repression of crimes.

Transfer abroad

Personal data acquired by CONAI is not transferred outside the European Union. Period of retention of personal data and criteria used

The personal data subject to processing is collected in documents whose retention is in compliance with the obligations of the law and the Articles of Association.

Rights of data subjects

The Regulation recognises data subjects a series of rights that CONAI undertakes to guarantee.

  • Right of access: Art.15 of the European Regulation allows you to obtain from the Data Controller confirmation of whether or not data is being processed and, if so, obtain access to such data.
  • Right of correction: Art. 16 of the European Regulation allows you to obtain from the Data Controller the correction of inaccurate personal data concerning you without undue delay. Taking into account the processing purposes, data subjects have the right to obtain the integration of incomplete personal data, also by providing an additional declaration.
  • Right of deletion: Art. 17 of the European Regulation allows you to obtain from the Data Controller the deletion of personal data concerning you without undue delay in the presence of one of the reasons envisaged by the regulation.
  • Right of restriction: Art. 18 of the European Regulation allows you to obtain from the Data Controller the restriction of processing in the presence of one of the cases envisaged by the regulation.
  • Right of objection: Art. 21 of the European Regulation allows you to object at any time, for reasons connected with your particular situation, to the processing of your personal data pursuant to Article 6, paragraph 1, points e) or f), including profiling on the basis of these provisions.
  • Right to portability: Art. 20 of the European Regulation allows you to receive the personal data concerning you which you have provided to a Data Controller in a structured, commonly used and machine-readable format and have the right to transmit such data to another Data Controller without hindrance from the Data Controller to which the personal data was provided according to the conditions established by the regulation
  • Right of withdrawal of consent: Art. 7 of the European Regulations allows you to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of the processing based on consent before withdrawal.
  • Right to complain: Art. 77 of the European Regulation, if you believe that the processing that concerns you is in violation of the regulation, recognises you the right to lodge a complaint with a supervisory authority, in particular in the Member State in which you normally reside, work or of the place where the alleged violation occurred.

Further information

Further information, the privacy policy and this information sheet are available on our website at

A complete extract of the above mentioned legal articles is available from the Legal and Corporate Affairs Department. This department can provide you with any explanations regarding the exercise of your rights; requests can be sent in writing, accompanied by a valid identity document, to the General Data Processor, at the business offices in Via Litta 5, Milan.


The protection of the data concerning you and compliance with the principles established by the regulation, with particular reference to the principle of transparency, are values of primary importance for us. We would be grateful if would help us by reporting any points in this document which are unclear or suggesting improvements to the contact details of the Data Processor as indicated above.