Data Protection & Privacy

Privacy Policy – CERTIFICATO IWZ

This Privacy Policy explains how we collect, use, protect and share personal data when you visit our websites, contact us or use our certification and training services. It applies to activities carried out by CERTIFICATO IWZ – FZCO and by the Italian branch IWZ CERT SRL in connection with our accredited certification and related services.

Transparency, security and compliance with GDPR and other applicable regulations are at the heart of our approach to data protection.

Last updated: November 2025

GDPR compliant information · International certification body · Confidentiality & impartiality

1. Data controllers & contact details

For the purposes described in this Privacy Policy, personal data are processed by the following entities, acting as data controllers or joint controllers depending on the specific service and geographical area.

1.1 CERTIFICATO IWZ – FZCO (main certification body)

Data Controller for international certification activities and the main website

Name: CERTIFICATO IWZ – FZCO
Address: DSO–IFZA Properties, Dubai Silicon Oasis, Dubai, UAE
Email: info@certificatoiwz.ae
Phone: +971 50 247 5030

1.2 IWZ CERT SRL – Italian branch

Data Controller / Joint Controller for activities targeting EU users and Italian clients

Name: IWZ CERT SRL – Italian branch
Address: Corso Del Popolo 133, 30172 Venezia (VE), Italy
Email (EU enquiries): info@certificatoiwz.org

For privacy-related questions you may contact either address. Requests from EU data subjects are normally handled by IWZ CERT SRL, in coordination with CERTIFICATO IWZ – FZCO where necessary.

2. What personal data we collect

We collect only the data that are necessary to provide our services, maintain website security and comply with accreditation and legal requirements. Depending on how you interact with us, we may process:

2.1 Data you provide directly

  • Identification and contact details (e.g. name, surname, email address, phone number, organisation, role) when you submit contact, offer or training request forms, register for a course, or write to us by email.
  • Professional information (e.g. company name, VAT/Tax ID, sector, certification scheme of interest, experience as auditor/consultant) for certification, hiring and professional development activities.
  • Content of communications (messages, attachments, CVs, company profiles) sent through forms or directly via email.
  • Portal data (login credentials and activity logs) when you use reserved areas, where available.

2.2 Data collected automatically or from third parties

  • Technical data (IP address, browser type, device, pages visited, access times) collected via security tools and analytics services to protect the site and understand its use.
  • Cookie-related information (preferences, analytics, marketing cookies) in line with our Cookie Policy (EU).
  • Data from certification activities (e.g. contact details of client representatives, audit team, witnesses) gathered during audits, assessments and related communications.
  • Information from public or third-party sources (e.g. regulators, accreditation bodies, complainants) strictly limited to what is needed to manage certifications, complaints and appeals.

4. Cookies & similar technologies

Our websites use cookies and similar technologies to ensure basic functionality, save your preferences, analyse aggregated traffic and, where applicable, support marketing campaigns. Non-essential cookies are used only with your consent, which can be managed at any time via the cookie banner or the link provided in the footer.

Detailed information (types of cookies, purposes, duration and how to manage consent) is available in our dedicated Cookie Policy (EU).

5. Who we share your data with

We do not sell your personal data. We may share them only with carefully selected recipients where necessary and proportionate to the purposes described above.

5.1 Service providers & partners

  • Technical and hosting providers that manage our websites, email services, document management and security tools.
  • Professional consultants (e.g. legal, IT, compliance) supporting us in operating as an accredited certification body.
  • Partner companies that work with us on certification or training projects, bound by confidentiality and data protection agreements.

5.2 Authorities & accreditation bodies

  • Public authorities when required by law or by a legitimate request.
  • Accreditation bodies and impartiality committees that oversee our activities and may access documentation as part of their supervisory role.
  • Complaint and appeal management, where sharing information is needed to properly assess and respond to the case.

Whenever possible, we inform clients in advance about disclosures required by accreditation rules or law, unless we are legally prevented from doing so.

6. Data retention

Personal data are kept only for the time necessary to fulfil the purposes for which they were collected, and in line with applicable legal and accreditation requirements. Indicatively:

  • Certification-related data (contracts, audit reports, communications) are retained for the period required by accreditation rules and applicable law.
  • Contact and request forms (e.g. information requests, training enquiries) are typically retained up to 24 months from the last interaction, unless they lead to a contractual relationship.
  • Portal and account data are stored for as long as the account is active and for a reasonable period thereafter, or until deletion is requested where possible.
  • Cookie-related data are retained according to the durations shown in the Cookie Policy or until consent is withdrawn.

When the retention period expires, data are securely deleted, anonymised or archived with restricted access where required by law.

7. Your rights under data protection law

If you are in the European Union or if EU data protection law applies, you have a number of rights regarding your personal data under Articles 15–22 of the GDPR.

Right of access (Art. 15 GDPR)

You can ask us to confirm whether we process your personal data and, if so, receive a copy of such data and information on how they are processed.

Right to rectification (Art. 16 GDPR)

You may request the correction of inaccurate or incomplete personal data concerning you, so that our records are accurate and up to date.

Right to erasure & restriction (Art. 17–18 GDPR)

In certain cases, you can ask us to delete your personal data or to restrict processing (for example when you contest accuracy or object to processing). These rights may be limited where data must be kept to comply with legal or accreditation obligations.

Right to object (Art. 21 GDPR)

When processing is based on our legitimate interests, you can object on grounds relating to your particular situation. We will stop processing unless we can demonstrate compelling legitimate grounds or the data are needed for legal claims.

Data portability & consent withdrawal (Art. 20 & 7 GDPR)

Where processing is based on consent or on a contract and carried out by automated means, you may request your data in a structured, commonly used and machine-readable format, or ask us to transmit them to another controller where technically feasible. You may also withdraw your consent at any time for processing based on consent.

You also have the right to lodge a complaint with your local Data Protection Authority: in Italy, the Garante per la protezione dei dati personali (www.garanteprivacy.it), or the authority of the country where you live or work.

8. Data security & international transfers

8.1 How we protect your data

  • Access controls and authentication for staff and collaborators.
  • Technical measures such as encryption and secure connections.
  • Regular backups and monitoring of systems for security purposes.
  • Confidentiality agreements and training for people who handle data.

While no system can guarantee absolute security, we continuously work to maintain a level of protection appropriate to the risks associated with our activities.

8.2 International data transfers

As an organisation active in multiple countries, some data may be processed or accessed from outside the European Economic Area (EEA), for example in the United Arab Emirates. In such cases, we adopt appropriate safeguards, such as contractual clauses and organisational measures, to ensure a level of protection consistent with applicable data protection laws.

9. Automated decision-making & profiling

We do not carry out automated decision-making processes or profiling that produce legal effects concerning you or similarly significantly affect you in the sense of Article 22 GDPR.

10. How to contact us & exercise your rights

10.1 Contact for privacy requests

To exercise your rights or ask any question about this Privacy Policy, you can write to:

For EU and Italian data subjects:
IWZ CERT SRL – Italian branch
Corso Del Popolo 133, 30172 Venezia (VE), Italy
Email: info@certificatoiwz.org

For international enquiries:
CERTIFICATO IWZ – FZCO
DSO–IFZA Properties, Dubai Silicon Oasis, Dubai, UAE
Email: info@certificatoiwz.ae
Phone: +971 50 247 5030

One click to exercise your rights

You can send us a request directly from your email client, specifying which right you wish to exercise. Attach any document that helps us identify you (if needed) and describe your request clearly. We will respond as soon as reasonably possible and in any case within the time limits established by law.

10.2 Updates to this Privacy Policy

We may update this Privacy Policy to reflect changes in our services, in applicable law or in how we process personal data. The updated version will replace previous versions and will be published on this page with the indication of the latest revision date. Where appropriate, we may also provide a specific notice (for example via banner or email).

Certificato IWZ is an independent third-party management systems certification body, forming part of the international Certificato IWZ network and operating in Europe through IWZ Cert Srl, in accordance with the requirements of ISO/IEC 17021-1.