
Information for Customers and Suppliers

STI CORPORATE S.P.A. wishes to inform you that Regulation (EU) 2016/679 ("GDPR") provides new regulations for the protection of individuals and other subjects regarding the Processing of personal data.

According to the mentioned regulations, such Processing will adhere to the principles of lawfulness, fairness, and transparency, ensuring the protection of privacy and rights, as outlined in Article 5 of the GDPR.

Please be informed that the undersigned is an active part of the corporate group made up by the companies STI CORPORATE S.P.A., STI ENGINEERING S.R.L., STI DIGITAL S.R.L., and STI ENGINEERING D.O.O., which jointly act as Data Controllers, having collectively determined the purposes and means of the processing as regulated by existing intra-group agreements. 

In accordance with Article 13 of the GDPR, the following information is provided: 


The Data Controller is STI CORPORATE S.P.A. with registered office at Viale Giovanni Paolo II, 3 – 33100 Udine, to which inquiries can be directed via email at or by calling 0432.941303.


"Data" refers to those related to natural persons processed by the Company for the conclusion and execution of the contractual relationship with its customers/suppliers. This includes data of the legal representative of the company signing the contract on behalf of the customers, as well as employees/consultants of the customer/supplier involved in contract-related activities. Data related to special categories, as per occupational health and safety regulations, may also be processed. The data may include any judicial data found in public databases.


·    Purposes related to the establishment and execution of the contractual relationship between our Company and its customer/supplier.

·    Administrative and accounting fulfillments.

·    Compliance with legal obligations, regulations, or orders from authorities.

·    Assertion, exercise, and/or defense of the Company's rights in legal proceedings.

·    Sending emails, mail and/or SMS and/or phone contacts, newsletters, commercial communications, and/or advertising material about products or services offered by the Data Controller and assessing the satisfaction level regarding service quality.


The contractual period, and after the termination of the contractual relationship, for a period of 10 years or as otherwise determined by the current applicable regulations. Longer or specific retention periods may apply according to sector-specific regulations or regulations useful for the potential defense of the Company in legal proceedings. In case of judicial litigation, throughout its duration, until the expiration of the terms for challenging actions.

For commercial communications, data will be kept for two years after the termination of the contractual relationship or until your dissent is expressed.

After the specified retention periods, the data will be destroyed, deleted, or anonymized, in line with the technical procedures for deletion and backup.


Processing activities are necessary for the execution of a contract or to fulfill a legal obligation to which the data controller is subject. It is always possible to request clarification from the Data Controller regarding the specific legal basis for each processing. Any commercial communications, in an existing B2B relationship, fall under the legitimate interest of the Data Controller, as per the guidelines of the supervisory authority and the GDPR considerations, as soft spam.


The provision of data is mandatory as it is strictly necessary to carry out the specified purposes. Failure to provide data will make it impossible to achieve the aforementioned purposes.


Data may be communicated to external parties acting as independent Data Controllers or Data Processors appointed by the Data Controller under Article 28 of the GDPR. These may include, for example, public entities, public authorities, consultants, and service providers of various kinds. The complete list of Data Recipients and Data Processors appointed by the Data Controller is always available at the Data Controller's registered office.


Data may be processed by employees of the company functions dedicated to pursuing the aforementioned purposes, who have been expressly authorized to process data and have received adequate operational instructions.


Pursuant to Articles 44 and onwards of the GDPR 2016/679, some of your personal data may be communicated to recipients and data processors (the latter duly appointed by the Data Controller) located in non-European Third Countries, always in accordance with principles of lawfulness, fairness, transparency, and the protection of your confidentiality.


Concerning personal data, the data subject can exercise the rights provided for in Articles 15 and onwards of the GDPR, specifically:

·    Right of Access (art. 15) – It consists of obtaining confirmation from the Data Controller as to whether or not personal data concerning him or her are being processed and, in this case, obtaining access to the same data and to certain information (explicit in the cited article) regarding the data in question.

·    Right of Modification (art. 16) – It consists in giving the interested party the possibility to modify their data if they are inaccurate.

·    Right of Cancellation (art. 17) – Possibility for the interested party to delete their data held by the owner when, for example, consent to processing is revoked or the pursued purpose has been achieved or when it is unlawful. Obviously, it will not always be possible to comply with the cancellation request. This happens, for example, when the data is used to fulfill a legal obligation or is necessary for the defense of a right in court.

·    Right to object (art. 21) – The possibility of objecting to processing must be guaranteed when the legal basis is legitimate interest or the execution of a task of public interest. This right also has its limits as there may be cases in which the legitimate interest of the owner prevails over that of the interested party, it will be essential to carry out the right balance, or the processing is necessary for a task of public interest or the assessment, defense or exercise of a right before a judge.

·    Right to portability (art. 20) – provides that, if processing is based on contract or consent, in the event of a request, the interested party is provided with his/her personal data in a structured format readable by an automatic device (json, xml, csv), this right applies only to data provided spontaneously and not to inferred or derived data.

·    Right of revocation (art. 7) – In case of signing any form of consent to the processing requested by the Data Controller, please note that the interested party can revoke it at any time, without prejudice to the mandatory obligations established by the legislation in force at the time of the revocation request.

The interested party has the right to lodge a complaint with the competent Supervisory Authority in the Member State in which he habitually resides or works or in the State in which the alleged violation occurred.

All the aforementioned rights can be exercised by sending a specific request to the Data Controller via the contact channels indicated in this information.

Udine, 02/01/2024
