Privacy Policy
Pursuant to Articles 13 and 14 of EU Regulation 2016/679 (GDPR) and Legislative Decree 196/2003 as amended by Legislative Decree 101/2018.
Data Controller
| Company Name | Genius Construction & Service S.R.L. |
| Registered Office | Piazza A. Diaz, 1 – 20123 Milan (MI), Italy |
| Operational HQ | Via del Commercio, 2 – 27028 San Martino Siccomario (PV), Italy |
| VAT Number | IT12359040966 |
| Phone | 0382 1476455 / +39 344 432 6323 |
| info@gcs-srl.com | |
| Website | www.gcs-srl.com |
Scope and Data Collected
This policy applies to personal data collected by Genius Construction & Service S.R.L. (hereinafter GCS) through the website www.gcs-srl.com and in the context of commercial relationships with clients, suppliers, and partners operating in the construction, industrial, and commercial sectors.
The data GCS may collect includes:
- Contact data: first name, last name, company name, email, phone number, address
- Professional data: role, company, VAT or tax code (for contractual relationships)
- Communication content: messages and documents submitted via the contact form or by email
- Navigation data: IP address, browser type, pages visited, date and time of access — collected automatically by the website's systems
GCS does not collect special categories of data under Art. 9 GDPR (e.g. health, biometric, or political data) nor data relating to persons under 18 years of age.
Purposes and Legal Basis
| Purpose | Legal basis (Art. 6 GDPR) | Retention |
|---|---|---|
| Responding to contact requests and enquiries | Art. 6(1)(b) – Pre-contractual measures | 12 months from last contact |
| Performance of contracts (construction, supply, design) | Art. 6(1)(b) – Contractual necessity | 10 years from end of relationship |
| Tax, accounting, and statutory obligations | Art. 6(1)(c) – Legal obligation | 10 years (Civil Code, Arts. 2220 & 2946) |
| Workplace safety and site access management | Art. 6(1)(c) – Legal obligation (D.Lgs. 81/2008) | As required by law |
| Technical management and website security | Art. 6(1)(f) – Legitimate interest | 30 days (access logs) |
| Sending commercial communications (newsletter) | Art. 6(1)(a) – Consent | Until consent is withdrawn |
Recipients and Transfers
Personal data is not sold or transferred to third parties for marketing purposes. Data may be shared exclusively with:
- IT and hosting providers — management of website and email infrastructure
- Accounting, tax, and legal advisors — for statutory compliance purposes
- Subcontractors and technical firms — for operational site management, limited to the data strictly necessary
- Public bodies and supervisory authorities — INPS, INAIL, Cassa Edile, local municipalities, etc., when required by law
All third parties processing data on behalf of GCS are appointed as data processors pursuant to Art. 28 GDPR. Data is not transferred outside the European Economic Area.
Data Retention
Data is retained only for as long as strictly necessary to fulfil the purposes for which it was collected and in compliance with applicable legal obligations. Upon expiry of the applicable retention period, data is securely deleted or anonymised. For specific retention periods, please refer to the table in Section 3.
Cookies and Third-Party Services
The website uses technical cookies, necessary for the functioning of its pages, and anonymous analytics cookies to measure traffic (e.g. Google Analytics). Profiling or marketing cookies are only activated upon explicit consent via the banner displayed on first visit.
Cookie preferences can be managed or withdrawn at any time via the Cookie Settings panel in the website footer, or through your browser settings.
The website may embed content from third-party services — Google Maps for directions, Elementor as the page-building system — each subject to their own privacy policies. GCS is not responsible for processing carried out by such parties.
Security
GCS implements appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, or destruction, including: SSL/TLS encryption of communications, role-based access controls, regular system updates, periodic backups, and contractual confidentiality obligations for employees and collaborators.
In the event of a personal data breach that may pose a risk to the rights of data subjects, GCS will notify the supervisory authority within 72 hours and inform the affected individuals where required by Art. 34 GDPR.
Data Subject Rights
Access
Obtain confirmation of processing and receive a copy of your personal data.
Rectification
Request correction of inaccurate or incomplete data.
Erasure
Request deletion of data where no legal basis for processing remains.
Restriction
Request restriction of processing in certain cases provided for by the GDPR.
Portability
Receive your data in a structured, machine-readable format.
Objection
Object to processing based on legitimate interest or for direct marketing purposes.
To exercise your rights, send a request to info@gcs-srl.com with the subject "GDPR Data Subject Request". GCS will respond within 30 days, extendable to 90 days in cases of particular complexity. You may also lodge a complaint with the Italian Data Protection Authority (Garante) at www.garanteprivacy.it.
Governing Law and Updates
This policy is governed by Italian law and European data protection law. Any dispute shall be subject to the jurisdiction of the competent Italian courts, without prejudice to the right to lodge a complaint with the supervisory authority.
GCS reserves the right to update this policy to reflect regulatory or operational changes. The updated version will be published on this page with the revision date. The current version is dated May 2026.
