WHY THIS NOTICE?
Redo S.r.l. (hereinafter, the Company), P. IVA: 11601770966, with registered office in Corso Garibaldi, 49, Milano, acknowledges the central role of personal data in the socio-economic ecosystem in which it operates, as well as the critical issues related to their use in the provision of services that involve the non-incidental use of artificial intelligence systems. Accordingly, the Company is fully aware of the importance of clear and transparent communication in order to mitigate risks to the rights and freedoms of all natural persons whose personal data are processed. Furthermore, privacy legislation (in particular Regulation (EU) 2016/679, the “General Data Protection Regulation” – GDPR) requires us to provide you with the following information regarding the processing of your personal data, pursuant to Articles 13 and 14. For these reasons, Redo S.r.l., Corso Garibaldi, 49 – 20121, Milano (MI), as the “Data Controller,” hereby provides this privacy notice to describe the modalities for processing your personal data in connection with its website.
The Role of the Company
It is important to emphasize from the outset that the Company, in the course of its activities, operates both as a Data Controller and as a Data Processor. Since, pursuant to Articles 13 and 14 of the GDPR, the obligation to provide information on processing lies exclusively with the Data Controllers, this document will concern solely the processing activities for which the Company acts as Data Controller. These include activities related to service registration and the operation of the website, concerning the personal data of natural persons who access the site either as visitors or as operators with login credentials, for the purpose of accessing the services provided. However, in the interest of transparency and in the spirit of fair cooperation with the Data Controllers, the Company considers it useful to provide clients with information regarding processing activities carried out in its capacity as Data Processor. These include activities arising from the provision of its typical services (quality checks, enhancement, augmentation of training data, initial model training or re-training, processing and returning of inferences for the purposes chosen by the clients from those available, and retention of original database files for training). To this end, upon request by the client-Controllers, the Data Protection Impact Assessment (DPIA) prepared following the impact assessment pursuant to Article 35 GDPR is available. Extracts of the document may also be made available to third parties, upon request, in the interest of maximum transparency. It should be noted, however, that with regard to processing carried out as a Data Processor, the Company does not determine the specific purposes and categories of personal data used from time to time (which partly depend on the discretionary choices of the clients), the final retention periods of the data, the entities with whom the Controllers choose to share them, or numerous other relevant aspects of processing, except for those specifically related to the technical characteristics of the services provided. Furthermore, the Company cannot directly or autonomously respond to data subject requests, as it does not know the identity of the individuals involved, operating solely on information that is not attributable to specific natural persons (data pseudonymized at source and therefore anonymous from the Company’s perspective, which does not possess, nor can it possess, legal or technical means to re-identify the data subjects). Nonetheless, the aforementioned DPIA contains information regarding technical “by design” measures adopted to facilitate the exercise of data subject rights by client-Controllers, in particular with respect to the explainability of AI model inferences and the human oversight of processes (“human-in-the-loop” supervision), in compliance with Article 22 GDPR as well as related regulations on Artificial Intelligence (Reg. (EU) 2025/1689 and sector-specific regulations, e.g., EBA). Finally, it should be noted that operations carried out by the Company for the purpose of developing additional AI models for its own interest are normally performed using synthetic data or data subjected to processes (embedding) that render them fully anonymous and not attributable to identified or identifiable natural persons, and therefore do not constitute processing of personal data within the meaning of Article 4(2) GDPR. Should personal data be used in the future for the purposes described in this paragraph, it will be the responsibility of the Data Controller (whether the Company, the client, or, in the case of joint controllership, the party designated under the agreements to assume the obligation) to inform the data subjects and to ensure the existence of the necessary legal bases.