Privacy Policy

MailUp S.p.A., with its registered office in Via Pola 9, 20124 Milan (Italy), (hereinafter, “MailUp”), undertakes to protect the privacy of the people it does business with and processes the Personal Data used in its activities with the utmost care.
As confirmation of our commitment to compliance with all regulations on the Processing of Personal Data, in compliance with articles 13 and 14 of EU Regulation 2016/679 (hereinafter, the “Regulation”), we hereinafter provide you with information on your rights as established under the Regulation, and how to exercise such rights without difficulty.


The terms “Processing”, “Data Controller”, “Data Processor”, “Personal Data” (including “Special Categories of Data”), “Data Subjects”, “Third Parties”, “Recipients”, “Third Countries”, “Personal Data Breach”, “Supervisory Authority”, are understood as having the meaning attributed by current legislation on the Protection of Personal Data, to which we refer you.
According to art. 4 of EU Regulation 2016/679, “Processing” specifically refers to any operation or series of operations performed on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of availability, alignment or combination, restriction, erasure or destruction.
“Personal Data” means any information concerning an identified or identifiable natural person (“Data Subject”).

Data Controller and Data Protection Officer

MailUp, as identified in the opening to this Privacy Policy, is the Data Controller for all Personal Data processed.
You can contact MailUp’ Data Protection Officer (“DPO”) at the following address:

Type of Personal Data (what data we process).

As Data Controller, we process Personal Data concerning your Legal Representatives, attorneys and/or personnel responsible for management/execution of the contract (hereinafter, “Data Subjects”), including their names, telephone numbers, e-mail addresses, if applicable, any data for the purpose of hirer or chain liability, and any data from legal representatives for economic/financial assessments, in compliance with the Regulation and current domestic legislation, including any provisions issued by the Supervisory Authority as applicable.
In specific terms, the Data Controller mainly processes the following types of Personal Data:

  • identification and contact data (e.g. name, surname, telephone contacts);
  • data concerning registration in professional registers and boards;
  • images (e.g. photos on identity documents; images recorded by CCTV cameras);
  • any other data provided by your Company or the Data Subjects themselves.

The Data Controller may likewise process data concerning any criminal offences and convictions where the processing is indispensable for fulfilling or requiring the fulfilment of specific obligations or performing specific tasks provided for by law (e.g. Codice degli Appalti).

Data Source (where the processed data are collected).

The data are collected directly from the Data Subject or from third parties to fulfil legal or contractual obligations, as well as from databases.

Purpose (what the Processing is for).

The Data Controller processes data from Data Subjects in the performance of its economic and commercial activities for purposes associated with the selection, establishment, management and execution of contractual relations (including management of pre-contractual relations and/or inclusion on the list of suppliers). The data are processed to fulfil legal and regulatory obligations (e.g. fiscal and accounting obligations, occupational health and safety, obligations assumed under tender contracts); administrative management of contracts, including invoicing and payments; receipt of goods and/or services at our premises; management of disputes and the protection of corporate assets.
Data from the Data Subjects may also be processed for periodic assessments of the ethical and legal requirements established by the Data Controller in its Code of Ethics, or for verifying the effective application of the Organizational Framework pursuant to Legislative Decree 231/2001.

Lawful Basis for Processing (conditions for lawful Processing).

Data Processing for the purposes described above is lawful because:

  • necessary for the execution of a contract to which the Data Subject is party;
  • necessary for compliance with legal obligations to which the Data Controller is subject;
  • necessary to pursue the Data Controller’s legitimate interest in the correct management and execution of pre-contractual and contractual relations, in all phases of such relations, or the protection of corporate assets (e.g. hirer or chain liability).

The Controller may also process data relating to criminal convictions and offences (so-called judicial data) where the processing is necessary to fulfil or require the fulfilment of specific obligations or perform specific tasks provided for by law (e.g. Codice degli Appalti).

Need to provide (what happens if you refuse to provide data).

You are only required to provide the data necessary for compliance with a legal obligation.
However, if you do not provide your data, we will not be able to manage our pre-contractual and contractual obligations in the correct manner.

Processing methods (how the data are processed).

The Data Controller and authorised persons will process the Data using mainly electronic and manual means, according to the principles of fairness, transparency and good faith established by current Personal Data Protection legislation, protecting the privacy of the Data Subjects to whom the data refers through technical and organizational measures able to guarantee adequate security (for example, preventing unauthorized access except as required by law, or restoring access to the data in case of physical or technical incident).

Categories of Recipients (to whom we communicate the data to).

The Personal Data is not distributed indiscriminately to third parties, but for the fulfilment of the purposes indicated above it may be disclosed to specific categories of Recipients, including duly authorized and instructed employees, companies belonging to the Group, consultants and third party providers of services to the Data Controller (e.g. consulting companies) who process data on behalf of the Data Controller as Data Processors, other subjects, both public and private, to whom the data must be disclosed by law, as well as to any subjects who qualify as Independent Data Controllers.
Considering the international presence of MailUp, certain Personal Data may be shared with Recipients outside the European Economic Area.
MailUp ensures that the processing of your Personal Data by such recipients is conducted in compliance with the applicable legislation. Indeed, all transfers are made applying adequate guarantees, such as adequacy decisions, Standard Contractual Clauses approved by the European Commission, or other guarantees. More information on these matters are available from MailUp by writing to:

Data Subject Rights (what rights you can exercise).

With regard to the Personal Data Processing described herein, Data Subjects may exercise the rights established by the Regulation (articles 15-21) and current national legislation, including:

  • the right to confirmation of the existence of your Personal Data and to access the content (right of access);
  • the right to update, amend and/or correct your Personal Data (right to rectification);
  • the right to demand erasure or limitation to the Processing of Personal Data processed in breach of the law, including data no longer required for the purposes for which it was collected or otherwise processed (right to be forgotten and right to restriction);
  • the right to object to Processing (right to object);
  • the right to withdraw your previously given consent, if the Processing is based on consent, without prejudice to the lawfulness of the Processing based on the consent given prior to withdrawal;
  • in the cases contemplated, to right to receive copy of the data provided for the purposes of the contract in electronic format, and to request transfer of said data to another Data Controller (right to data portability);
  • the right to lodge complaint with the Supervisory Authority or Judicial Authorities in case of breach of Personal Data Protection legislation.

To exercise said rights and for more information on the Processing of your Personal Data, as Data Subject you can write to

Data retention (how long your data are stored for).

In compliance with the applicable Personal Data Protection legislation, we will keep your Personal Data for the time necessary to fulfil the purposes outlined above, which is 10 years for data collected during the supplier selection process with negative outcome, or 10 years after the successful conclusion of the selection process, if no other tasks are assigned within said lapse of time. For managing contractual relations, only the Personal Data instrumental in the fulfilment of civil and fiscal obligations will be kept for the entire duration of the contract, in compliance with said obligations (for example, the civil obligation to keep invoices and company documentation for at least 10 years).
In any case, we will store your Personal Data only for the time strictly necessary for the purposes for which it was processed, in compliance with the principle of storage limitation.