PRIVACY NOTICE FOR THE USE OF THE CORPORATE WI-FI NETWORK “GUESTG”

Ghella S.p.A., with registered office at Via Pietro Borsieri, 2/a - 00195 Rome, VAT no. 00898971007 and Tax Code 00462220583 (Tel: +39 06.456031), in its capacity as data controller (hereinafter the “Company” or the “Controller”), provides this privacy notice pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (the “GDPR”) regarding the processing of personal data of guests and consultants who intend to access the corporate Wi-Fi network “GuestG”.

1. Purpose and Legal Basis of Processing
Personal data will be processed for the following purposes:

  • Provision of Internet access service via the “GuestG” Wi-Fi network;
  • Management of access requests through a registration system with approval from a corporate sponsor (employee);
  • Security and traceability of access, in compliance with corporate policies and legal obligations.

The legal basis for processing is:

  • The performance of a contract (Art. 6(1)(b) GDPR) for the provision of the service;
  • The legitimate interest of the Controller in network and information security (Art. 6(1)(f) GDPR).

2. Nature of the Provision
Providing the personal data requested for accessing the “GuestG” network is optional, but necessary to use the service. Failure to provide such data will make it impossible to access the “GuestG” network.

3. Types of Data Processed
The processed data may include:

a. Data collected directly from the user (via splash page/login):

  • Guest’s first and last name (if requested in the registration form)
  • Email address
  • Corporate sponsor (authorizing employee)

b. Technical data relating to the device and network usage:

  • MAC address
  • IP address
  • Timestamp and access logs
  • Authentication attempts to the splash page
  • Basic device information (e.g., client type, operating system)

c. Traffic analysis (in aggregated form):

  • Traffic volume per user/client
  • Connection duration
  • SSID used

4. Operating Procedures
Access to the “GuestG” network requires:

  • Completion of a registration form by the guest (entering personal data and email address);
  • Automatic sending of an authorization request to a corporate sponsor (employee);
  • Only upon approval, the guest will receive an email with access instructions.

5. Data Retention Period
Personal data collected through access and use of the “GuestG” network will be retained only as long as necessary to fulfill the purposes for which they were collected.

In particular:

  • Splash page access logs: stored for a maximum of 2 months;
  • Login/authentication attempts: logs retained for a maximum of 3 months;
  • Network management data (e.g., generated traffic information, connected devices, usage statistics): retained for a maximum of 14 months – unless extended for security reasons or in case of IT incidents, in compliance with applicable law.

At the end of the above periods, data will be automatically deleted or anonymized so as to prevent the identification of data subjects.

6. Data Recipients
Data may be processed by:

  • Staff specifically authorized by the Controller (e.g., IT department, cybersecurity personnel);
  • IT service providers acting as data processors (e.g., cloud service providers, Wi-Fi authentication system operators).

Data will not be disclosed or transferred outside the European Economic Area, unless appropriate safeguards in compliance with the GDPR are in place.

7. Data Subject Rights
The data subject may exercise the following rights at any time, free of charge and without formalities, under Articles 15 to 22 of the GDPR, including:
(i) Right of access (i.e., to obtain confirmation as to whether or not personal data are being processed and, if so, to access them and receive a copy);
(ii) Right to rectification or erasure, if conditions under Article 17 of the GDPR are met;
(iii) Right to restriction of processing, in the cases provided under Article 18;
(iv) Right to data portability, in the cases provided under Article 20, to receive data in a structured, commonly used, machine-readable format and transmit them to another controller.

The data subject also has the right to object at any time, for reasons related to their particular situation, to the processing of personal data under Article 6(1)(e) or (f) GDPR, including profiling based on those provisions.
If personal data are processed for direct marketing purposes, the data subject has the right to object at any time to such processing, including profiling related to direct marketing.
They may also withdraw consent at any time where processing is based on consent. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

8. Contact Details of the Controller and Exercising of Rights
Requests to exercise the rights indicated above may be sent by mail to:
“Ghella S.p.A., Via Pietro Borsieri, 2/a – 00195 Rome – Attn: Privacy Coordinator”
or by email to: privacy@ghella.com

Ghella has appointed a Data Protection Officer (DPO), who can be contacted by mail at the above address (Attn: DPO) or by email at dpo@ghella.com.

The data subject also has the right to lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it) or with a different Supervisory Authority of the EU Member State where they reside or work, or where the alleged infringement occurred.

Last update: May 2025