Privacy Policy

Privacy Policy

Pursuant to Article 13 of EU Regulation No. 2016/679 (hereinafter the "GDPR") Swarm Markets S.r.l., as data controller, hereby informs you that the data provided by users (the "Data Subject" or the "User") through the website https://docs-it.swarm.com (the "Website") will be processed in the following manner and for the following purposes, regardless of the manner and instrument used.

1. Data Controller

The Data Controller is Swarm Markets S.r.l. (hereinafter referred to as "Company" or also the "Data Controller"), having its registered office in 20121 Milano, Via del Lauro n. 9.

The Data Controller provides the following e-mail address for any communication: privacy-it@swarm.com.

The Data Controller has appointed a Data Protection Officer (DPO) (Andre Stahl, Landstr. 37, 9490 FL-Vaduz) who can be contacted at: privacy-it@swarm.com.

The Data Controller may designate one or more data processors pursuant to Article 28 of the GDPR, who, on behalf of the Data Controller, provide specific processing services or related, instrumental or support activities by adopting all those technical and organisational measures that are appropriate to protect the rights, freedoms and legitimate interests recognised by law to the Data Subjects.

1. Description of the processing

The processing shall relate to individual operations, or to a set of processing operations (such as, but not limited to: collection, recording, organisation, storage, processing, communication, modification, selection, use) of the following data (the “Personal Data” or also the “Data”) relating to you.

1. Processing methods

The processing of Personal Data:

1. shall be carried out by means of the operations indicated in Article 4 no. 2) of the GDPR, namely: collection, recording, organisation, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, deletion and destruction of Data.

2. will be carried out in compliance with the principles of correctness, lawfulness and transparency, with manual, paper, computer, telematic, automated tools, also suitable for storing, managing or transmitting the data, in any case suitable to guarantee the security and confidentiality of the Data.

1. Security measures

The Data Controller has adopted a variety of security measures consistent with the measures expressed in Article 32 GDPR to protect Data against the risk of loss, misuse or alteration. The processing is carried out using IT and/or telematic tools, with organisational methods and logic strictly related to the purposes indicated.

1. Access to Data and communication

The Data may be made accessible for the purposes set out in Article 2 above:

1. to employees, collaborators, associates and partners of the Data Controller, in their capacity as persons in charge and/or internal data processors and/or system administrators, in any country (in accordance with the provisions of Article 8 below);

2. to third party companies or other entities performing outsourcing activities on behalf of the Data Controller, in their capacity as data processors.

Without the express consent of the Data Subject, the Data may not be transferred to third parties for their use for their own purposes, and therefore outside the access referred to in this Article 7.

In any case, the Data shall not be disclosed, unless this is necessary to fulfil obligations provided for by law or regulations.

1. Transfer of Data

The management and storage of the Data will take place primarily in Europe, on servers of third-party companies appointed and duly appointed as data processors.

The Data Controller may also provide access to the Website and to the services therein indicated in other countries, in which case the transfer of Data to such countries is strictly limited to the actual need to be aware of it. The Data Controller will take the necessary measures to protect Users' Personal Data and prevent unauthorised access.

Personal Data may be transferred to systems used by the Data Controller and/or third-party companies duly appointed as data processors also outside the European Union.

In the event that such transfer takes place towards countries that do not provide the same level of protection as provided by the GDPR or applicable legislation, or in any event an adequate level of protection for personal data, the Data Controller will ensure that each recipient undertakes specific contractual obligations in accordance with applicable data protection legislation (including the signing of the Standard Contractual Clauses "SCC" approved by the European Commission Pursuant to Art. 49 GDPR, in the absence of an adequacy decision pursuant to Article 45(3) GDPR, or adequate safeguards pursuant to Article 46 GDPR, including Binding Corporate Rules, the Data Controller will proceed to the transfer of personal data to a Third Country after obtaining specific consent from the Data Subject.

In any case, the User may request further information regarding the transfer of Personal Data by writing to the e-mail address privacy-it@swarm.com.

1. Data retention and deletion

The retention period of Personal Data is indicated in the table in Section 2 above.

At the end of the retention period, the Personal Data will be deleted. Therefore, at the end of this period, the User will no longer be able to exercise his or her right of access, cancellation, rectification and the right to Personal Data portability.

Personal Data will be stored by means of computerised archives, including portable devices, adopting appropriate measures to guarantee their security and to allow access to them exclusively to personnel authorised by the Data Controller and strictly for the purposes indicated above.

1. To whom we may disclose Personal Data

For the purposes set out above, Personal Data may be made accessible or communicated to:

1. employees and contractors of the Data Controller, in their capacity as authorised processors, within the scope of their respective duties and in accordance with their instructions. These individuals are in any case subject to the obligations of confidentiality and privacy;

2. to third parties carrying out outsourcing activities on behalf of the Data Controller whose activities are connected, instrumental or in support of those of the Data Controller (e.g. management software);

3. to all those public and/or private entities, natural and/or legal persons (such as, by way of example, legal, administrative and tax consultancy firms, funds or funds, including private welfare and assistance funds, Judicial Offices, Chambers of Commerce), if the communication is necessary or functional to the proper fulfilment of the contractual obligations undertaken, as well as the obligations arising from the law;

4. to all those entities (including Public Authorities) that have access to Personal Data by virtue of regulatory or administrative measures;

In any case, the Personal Data collected will not be disclosed except for the purposes listed above.

1. Rights of the data subject

The Data Subject may exercise the rights provided for by the GDPR within the limits and under the conditions laid down therein:

1. access to the Data: the Data Subject has the right to obtain from the Data Controller confirmation as to whether or not Personal Data concerning him/her is being processed and, if so, to obtain access to the Personal Data in a commonly used electronic format and certain information on the processing (e.g. purposes, categories of Data processed, recipients, transfers outside the EU, implementation of profiling activities, etc.);

2. rectification of Data: the Data Subject has the right to obtain the rectification of inaccurate Personal Data concerning him/her without undue delay and/or the integration of incomplete Personal Data, also by providing a supplementary declaration;

3. deletion of Data or "right to be forgotten": the Data Subject has the right to obtain from the Data Controller the deletion of Personal Data concerning him/her without undue delay and the Data Controller has the obligation to delete Personal Data without undue delay;

4. limitation of processing: the Data Subject has the right to obtain from the Data Controller the limitation of the processing;

5. portability of the Data: the Data Subject has the right to receive in a structured, commonly used and machine-readable format the Personal Data concerning him/her provided to the Data Controller and has the right to transmit such Data to another data controller without hindrance from the data controller to whom he/she provided them;

6. objection to processing: the Data Subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of Personal Data concerning him or her pursuant to Article 6(1)(e) or (f) of the GDPR, including profiling on the basis of those provisions.

By virtue of the type of service offered, the Company cannot guarantee the full exercise of certain Data Subject Rights - such as the right to erasure - with respect to Personal Data processed through the blockchain. In fact, the Data entered within a blockchain is an integral part of the logical ledger and cannot be modified and/or deleted in any way.

1. Right to complain

Data Subjects who believe that the processing of their Personal Data is in breach of the provisions of the GDPR have the right to lodge a complaint with the Italian Data Protection Authority (Garante Privacy) by email, at garante@gpdp.it or urp@gpdp.it, by fax 06.696773785, or by post to the Garante Privacy per la protezione dei Dati Personali, based in Rome (Italy), Piazza Venezia n. 11 - Cap 00187, or alternatively by bringing a claim before the Judicial Authority.

1. How to exercise rights

The Data Subject may exercise its rights at any time by sending:

1. an e-mail to privacy-it@swarm.com;

2. a registered letter with return receipt to Swarm Markets S.r.l., with registered office in 20121 Milano, Via del Lauro n. 9.

The Data Controller undertakes to provide the Data Subject with information regarding the action taken in respect of a request to exercise rights without undue delay and, in any case, at the latest within a period of 30 (thirty) days from receipt of the request itself, extendable up to 3 months only in particularly complex cases.

Any rectification or cancellation or limitation of processing carried out at the express request of the Data Subject (unless this proves impossible or involves a disproportionate effort) shall be communicated by the Data Controller to each of the recipients to whom the Personal Data have been transmitted. The Data Controller may inform the Data Subject of the contact details of the recipients, if so requested.

1. Amendments to this policy

This privacy policy may be subject to changes and additions over time, as necessary due to new legislation on the protection of Personal Data, or due to the evolution/modification of the Data Controller's services. The User may at any time request the Data Controller to receive the updated privacy policy. Whenever possible, the Data Controller will endeavour to inform the Data Subject of the changes made to the privacy policy and their consequences, acquiring, if necessary, the User’s consent to carry out new processing activities.

Date of update: July 2024.