Privacy Notice
This privacy notice, provided pursuant to Regulation (EU) 2016/679 (hereinafter, also "Regulation" or "GDPR"), describes the processing of personal data of users (hereinafter, "Data Subject(s)" or generically "User(s)") who browse the website dx.pagopa.it (hereinafter, also the "Site"), managed by PagoPA S.p.A. (hereinafter, also the "Company" or the "Controller" or the "Site Manager").
The validity of the information contained in this page is limited to the Site and does not extend to other websites that may be accessible through hyperlinks, even if managed by the Company.
Data Controller
The data controller is PagoPA S.p.A., with registered office in Rome, Piazza Colonna n. 370, ZIP - 00187, registration number in the Rome Business Register, Tax Code and VAT number 15376371009. PEC pagopaspa@pec.pagopa.it.
Data Protection Officer
PagoPA S.p.A. has appointed its own Data Protection Officer (DPO), pursuant to art. 37 of the Regulation, who can be contacted through the dedicated form or by regular mail at the address: Via Sardegna n. 38 - 00187, ROME (operational headquarters of the company).
Data Categories and Purposes
a. Navigation Data
The computer systems responsible for operating the Website acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols.
This category of data includes IP addresses or domain names of devices used by Users, URI/URL (Uniform Resource Identifier/Locator) addresses of requested resources, the time of the request, the type of request made (requested resource and operation name), the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (success, error, etc.) and other parameters relating to the User's operating system and computing environment.
Such data, necessary for the use of the Website's functionalities, are also processed in order to control the correct functioning of the systems and services offered by the Website (diagnostics), as well as for security reasons and to protect the Company's rights.
The Controller stores anonymous data relating to the ways and times of Users' interaction with the Website and the devices used (browser, operating system, screen resolution, source URL, pages viewed, actions performed on user interface elements, time intervals between one action and the next, etc.) for the purpose of improving the Website itself through statistical analysis of aggregated data using Azure Application Insights.
b. Data Communicated by the User
The voluntary, explicit and optional sending of messages to the Company's contact addresses, or the completion and forwarding of forms present on the Company's websites, involves the acquisition of the sender's contact data, necessary to respond, as well as all personal data provided in the communications.
Such data are processed exclusively to respond to Users' requests.
All the personal data listed above may also be processed by the Controller for the assessment, exercise or defense of a right in court.
In case you are entering personal data of third parties, we invite you to obtain specific authorization to proceed from such person.
Legal Basis for Processing
The Company processes personal data as Data Controller based on the performance of a task of public interest pursuant to art. 6, paragraph 1, lett. e), of the GDPR concerning, in particular, the management of the technical documentation website for developers. For analytics processing, it is also based on the free and specific consent of the User, given through the cookie banner.
Categories of Recipients
The Company may communicate some personal data to subjects it uses, as processors pursuant to art. 28 of the Regulation, for carrying out certain processing activities or to other recipients, to whom the communication is necessary for the execution of a task of public interest or to comply with a legal obligation. The personal data collected are also processed by personnel in charge of processing, who act based on specific instructions given by the Controller.
For the provision of analytics services, the Company uses Microsoft Azure Application Insights, appointed as Data Processor pursuant to art. 28 GDPR.
Transfers to Third Countries
To ensure the operability of its products and services, the Company uses third-party suppliers, appointed pursuant to art. 28 GDPR, who present sufficient guarantees to implement adequate technical and organizational measures, such as to ensure the protection of the data subject's rights.
Some of these suppliers may transfer data outside the European Economic Area. In such circumstances, the Company, in compliance with personal data protection regulations and in particular articles 44 to 49 of the GDPR, periodically carries out appropriate impact assessments on personal data transfers and implements or updates, where necessary, the mechanisms and measures that ensure an adequate level of protection of data subjects' rights and the lawfulness of the transfer. In case no suitable transfer mechanism or measure is available, PagoPA will not transfer personal data.
Retention Period
Personal data relating to Users are processed for the time strictly necessary to pursue the purposes for which they were collected. In compliance with the principles of proportionality and necessity, data are not retained for periods longer than those essential for achieving the above-mentioned purposes and therefore for the diligent performance of activities, in particular:
- navigation data are processed to serve the website, but are not stored in log form;
- analytics data are stored in aggregated and anonymous form for a maximum period of 24 months;
- data communicated by the User are retained for the time necessary to manage the request and, in any case, up to 10 years, the ordinary prescription term pursuant to article 2946 of the Civil Code.
Data Subject Rights
Users, pursuant to articles 15 and following of the Regulation, have the right:
- to obtain from the Controller confirmation as to whether or not personal data concerning them are being processed and, in such case, to obtain access to personal data and receive a copy thereof;
- to obtain from the Controller the rectification of inaccurate personal data concerning them without undue delay, as well as to obtain the completion of incomplete personal data;
- to obtain from the Controller the erasure of personal data concerning them without undue delay, where the conditions are met;
- to obtain from the Controller restriction of processing, where the conditions are met;
- to receive in a structured, commonly used and machine-readable format the personal data concerning them provided to a data controller and has the right to transmit those data to another data controller without hindrance from the data controller to which the personal data have been provided, where the conditions are met.
Users also have the right to object at any time, on grounds relating to their particular situation, to processing of personal data concerning them for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller, or for the purposes of the legitimate interests pursued by the Controller.
In case the processing is based on consent, Users have the right to withdraw it at any time without affecting the lawfulness of processing based on consent before its withdrawal.
For any request regarding the processing of personal data, please write using the dedicated form for managing data subject requests.
Should a User believe that processing of personal data violates the provisions of the Regulation, they have the right to lodge a complaint with the supervisory authority (in Italy, the Garante per la Protezione dei Dati Personali), or to resort to appropriate judicial venues.
Changes
The Controller reserves the right to make to this privacy notice, at its sole discretion, and at any time, all changes deemed appropriate or made mandatory by applicable laws from time to time. Therefore, Users are requested to consult this page, taking as reference the date of last modification indicated.
Cookies, Trackers and Other Stored Information
The Company does not store, without user consent, any information on the device, nor does it access it, except in cases where this is strictly necessary for the proper functioning of the Website.
Cookies and other tools (such as session storage and local storage, which, for simplicity, will hereinafter be referred to as cookies) that allow the storage, even temporary, of information, in the form of short text strings in the user's browser during navigation, can be:
- "first-party", if they are written and read directly by the website being visited, or "third-party" if they relate to services included in the website being visited managed by external suppliers;
- "session", if they are deleted at the end of the visit or at the latest when the browser is closed, or "persistent", if they have a predefined duration, allowing the website to access the information contained during subsequent visits;
- "strictly necessary", if they are essential for the proper functioning of the website (i.e. technical cookies), or "optional", if their absence does not compromise the browsing experience (e.g. "performance" or "functionality" cookies).
Based on the Cookie Guidelines and other tracking tools issued by the Italian Data Protection Authority on June 10, 2021, analytics cookies may be included in the category of technical cookies, and as such be used without prior acquisition of the data subject's consent, under certain conditions.
At any time it is possible to view the cookies stored on the device and delete them from the settings of the browser used for navigation. Deletion of strictly necessary cookies may cause Website malfunctions (e.g. interruption of an authentication session).
Below are listed the cookies used by this Website, divided by category, with specification of origin and duration.
Strictly Necessary Cookies
These cookies are necessary for our website to function and cannot be switched off. They are usually set in response to actions made by you, such as setting your cookie preferences. You can set your browser to block these cookies, but consequently some parts of the site will not work.
| Cookie | Host | Duration | Origin | Description |
|---|---|---|---|---|
| cookieConsent | dx.pagopa.it | 365 days | First party | Cookie necessary to store the consent given or denied by the user for individual categories of cookies used by the site. |
Performance Cookies (Analytics)
These cookies allow us to track some events during visits and traffic sources, so that we can measure and improve the performance of our site. They help us know which pages are most and least popular and see how visitors move around the site. All information collected through these cookies is aggregated and anonymous. If you do not allow their use, we will not be able to track your visit.
| Cookie | Host | Duration | Origin | Description |
|---|---|---|---|---|
| ai_session | dx.pagopa.it | 30 minutes | Third party (Azure) | Session cookie used by Azure Application Insights to track user sessions for analytics purposes. |
| ai_user | dx.pagopa.it | 365 days | Third party (Azure) | Cookie used by Azure Application Insights to identify unique users anonymously for analytics purposes. |
Last updated: September 11, 2025
PagoPA S.p.A. - Joint stock company with sole shareholder - Share capital of 1,000,000 euros fully paid up - Registered office in Rome, Piazza Colonna 370, ZIP 00187 - Registration number in Rome Business Register, Tax Code and VAT no. 15376371009