Privacy Policy

This document, pursuant to Regulation (EU) 2016/679 – GDPR, contains the information required in relation to the processing activities carried out by ACN on the Personal Data collected through this website.

1. Data Controller

The Data Controller is the Agenzia per la Cybersicurezza Nazionale (National Cybersecurity Agency), hereinafter also referred to as “ACN” or “the Agency”, with registered office at Corso d’Italia No. 41, Rome.

2. Data Protection Officer

ACN has appointed a Data Protection Officer (DPO), who may be contacted for further information regarding the processing of personal data by ACN and for exercising the rights provided by the applicable legislation (see below), by writing to the physical address of the Agency or to the following email address: dpo@acn.gov.it.

3. Purposes and Legal Basis of Data Processing

In light of the tasks assigned to ACN by Law-Decree No. 82 of 14 June 2021, converted with amendments by Law No. 109 of 4 August 2021, for the protection of national security and national interests in the cyber domain, the Personal Data collected through the website shall be processed for the institutional purposes of the Agency.
The legal basis for processing is the performance of tasks carried out in the public interest or in the exercise of official authority (Article 6(1)(e) GDPR).

4. Categories of Data

Depending on the specific activities performed by ACN, Personal Data resulting from navigating this website may be processed.

5. Cookies

This website does not use profiling cookies and uses the following technical cookies:

  • Browsing or session cookies, which ensure normal navigation and use of the website by storing the user’s navigation preferences;
  • Functionality cookies, which allow the user to navigate according to a set of selected criteria (e.g., language, the appearance of pop-ups) in order to improve the service provided.

These cookies are installed directly by the Data Controller and are used to facilitate navigation. Once stored in the user’s browser, they are retained for 1 year, without prejudice to the user’s ability to delete them at any time, following the instructions provided in the section “How to disable and delete cookies”.

The website also uses first-party analytical cookies which collect, in anonymized form (by masking portions of the user’s IP address), statistical and aggregated information about users’ browsing behaviour (e.g., number of pages visited, number of accesses, time spent on the website). These cookies are treated as technical cookies and therefore do not require user consent. Once stored in the browser, such analytical cookies may be retained for up to 12 months, without prejudice to the user’s option to disable them at any time, following the instructions provided in the section “How to disable and delete cookies”.

How to disable and delete cookies
Some browsers allow you to set rules to manage cookies on a site-by-site basis, offering more granular control over privacy. Preferences can be managed at the following pages, depending on the browser used:

For browsers not listed above, please consult the relevant documentation to determine how to manage cookies.

6. Methods of Processing

The Personal Data processing activities described above are carried out by ACN using automated or manual means.

7. Categories of Recipients of the Processed Data

For the purposes outlined above, ACN may disclose the processed data to specific categories of recipients, who may act as independent Data Controllers (e.g., public authorities) or as Data Processors pursuant to Article 28 of the GDPR.
Disclosure to such recipients is carried out in order to perform a contract, comply with legal or regulatory obligations (national or EU), fulfil specific international agreements (protocols, agreements, treaties), or comply with any other binding normative act.

8. Transfer of Data to Third Countries

ACN does not envisage transferring the processed Personal Data to countries outside the European Economic Area (EEA), except for certain navigation data that are automatically blocked by the system because they are associated with access attempts deemed unlawful (e.g., botnets used for DDoS attacks), which may be transmitted to the United States for advanced security analysis.
Should such transfers occur, they will fully comply with applicable data protection legislation, as they are carried out within the scope of a security service provided by a supplier adhering to the “Data Privacy Framework” adequacy decision adopted by the European Commission on 10 July 2023.

9. Data Subject Rights

Data subjects may exercise the following rights under the GDPR:

  • Right of access: the right to obtain confirmation from the Data Controller as to whether personal data concerning them are being processed and, where that is the case, to access information such as the purposes of processing, the categories of data concerned, the recipients or categories of recipients to whom the data have been or will be disclosed, and the storage period (Art. 15 GDPR);
  • Right to rectification: the right to obtain the rectification of inaccurate Personal Data (Art. 16 GDPR);
  • Right to erasure: the right to obtain the deletion of Personal Data where the purposes for which they were processed no longer apply (Art. 17 GDPR);
  • Right to withdraw consent, where consent is the sole legal basis of the processing;
  • Right to restriction of processing: the right to obtain restriction of processing where one or more situations referred to in Article 18 GDPR apply;
  • Right to object: the right to object to processing on grounds relating to the data subject’s particular situation (Art. 21 GDPR);
  • Right to data portability: the right to receive personal data in a structured, commonly used and machine-readable format, and to transmit such data to another Data Controller without hindrance from ACN (Art. 20 GDPR).

If data subjects believe that processing infringes the GDPR, they may lodge a complaint with the competent supervisory authority (in Italy, the Garante per la protezione dei dati personali: protocollo@gpdp.it – Art. 13(2)(d), Art. 77 GDPR) and/or seek judicial redress.

10. Data Retention Period

Personal Data processed by ACN shall be retained for a period of 12 months.

 

Last revision: 9 January 2026
