The GDPR (General Data Protection Regulation) is a European Union regulation (EU Regulation 2016/679) that came into effect on May 25, 2018. Its purpose is to protect personal data and ensure its free circulation within the European Union.
It applies to any entity processing the personal data of individuals residing in the EU, regardless of where they are geographically located (whether inside or outside the EU). Therefore, businesses or organizations offering goods or services to individuals in the EU or monitoring their behavior must comply with the rules set out by the GDPR.

The DORA Regulation (Digital Operational Resilience Act) is an EU regulation (EU Regulation 2022/2554) designed to strengthen digital operational resilience in the financial sector. It becomes binding on January 17, 2025, and is part of the EU’s strategy to regulate technological risks and ensure the security and continuity of the financial ecosystem in an increasingly digital environment.
The regulation applies to various players in the financial system, such as banks, insurance companies, asset management firms, investment firms, trading platforms, central counterparties, central securities depositories, credit rating agencies, and payment service providers. ICT providers offering services to these entities will also need to comply with the regulation, as applicable.

The NIS 2 Directive (EU Directive 2022/2555) is an EU regulation aimed at improving the security of networks and information systems within the European single market. It is an evolution of the previous NIS Directive (Network and Information Security), adopted in 2016, to address growing cybersecurity threats and new technological challenges.
The directive, transposed into Italian law with Legislative Decree 138/2024, sets out stringent requirements to enhance the resilience of critical infrastructures and to prevent and mitigate incidents related to cybersecurity.
It applies to two main categories of entities:
• Essential entities (e.g., energy, transportation, healthcare, financial infrastructures, water supply, space, digital infrastructures, and public administration);
• Important entities (e.g., food industry, research, waste disposal, chemicals, postal and logistics services).

The main difference between the Data Controller and Data Processor under the GDPR lies in their roles and responsibilities in managing and protecting personal data.
The Data Controller is the individual, legal entity, public authority, agency, or any other body that determines the purposes and means of processing personal data. In other words, it is the entity that decides why and how personal data should be processed.
The Data Processor is an individual or legal entity that processes personal data on behalf of the Data Controller. In other words, the Processor executes the data processing based on the instructions provided by the Data Controller. The Processor does not independently decide the purposes and means of processing but follows the instructions set by the Data Controller.

Diennea acts as a Data Controller when processing personal data for its own purposes, such as when processing personal data of its employees and suppliers for administrative and accounting purposes or when processing customer data collected through its own digital channels for independent marketing and profiling activities. On the other hand, Diennea acts as a Data Processor when processing personal data on the magnews Platform (such as message content, email addresses, phone numbers, IP addresses, and data generated by the use of the Platform) for the purpose of sending messages on behalf of our clients.

To facilitate the contractual negotiation with our clients and ensure uniformity, as well as the highest compliance standards in information security and personal data protection, our Data Processor appointment model is available at the following link: click here. It is also included in the commercial offer for the provision of the magnews Platform usage license.

Given the high volume of clients and types of requests, we are unable to complete each individual assessment questionnaire requested by clients. However, detailed information about the infrastructure and procedures Diennea applies to help clients independently complete the assessment questionnaire can be found on the following pages: https://www.magnews.com/security/data-protection-cybersecurity/ .
At the Client’s request and subject to definition of the modalities and timing, Diennea is willing to allow the Client to carry out physical audits/maintenance inspections at its operational sites.

In case of communications received in your mailbox, you should check whether the sender of the communication can be traced back to the domains @diennea.com, @magnews.com or @tbd.it. If this is the case, Diennea is processing the personal data of the recipient of the communication as Data Controller. The recipient can exercise their rights under the GDPR by contacting us via email at privacy@diennea.com or dpo@diennea.com.
If the email originates from a different domain, Diennea may be acting as the Data Processor and the recipient should contact the client directly to exercise their privacy rights.
In case the recipient suspects they have received unwanted communication from Diennea on behalf of one of our clients, they can fill out the abuse report form. The information provided will help us verify the report and trace the origin of the message, and we will follow up with our client to ensure the report is handled.

As part of providing the magnews Platform service, Diennea acts as a Data Controller, for example, when processing personal data of its consultants and suppliers for administrative and accounting purposes, or when processing personal data collected through its digital channels for independent marketing and profiling purposes. As a general rule, Diennea does not transfer client data outside of the EEA for service provision.
However, transfers of data outside the EEA may occur in specific instances, such as through the use of web application firewall solutions for security and verification purposes or through other treatments that the Data Controller may perform.
When acting as a Data Processor, Diennea generally does not transfer client data outside the EEA. However, upon explicit client request, certain services or additional features requiring data transfers outside the EEA may be enabled on the magnews Platform (e.g., web application firewall solutions). Clients can consult the list of Sub-Processors that may be employed by Diennea within the Data Processing Agreement or through this link: https://www.diennea.com/en/legal-and-privacy-documents/.

The service provision for the magnews Platform is governed by the General Terms and Conditions, which can be found at this link: https://www.diennea.com/en/general-terms-of-service-gts/, as well as the Special Terms available at: https://www.magnews.com/special-service-conditions-magnews-platform/.

Diennea provides guarantees regarding the availability of the magnews Platform service in terms of platform operation, support, and maintenance. The Service Level Agreements for the platform can be consulted here: https://www.magnews.com/magnews-service-level-agreement-sla/.

The magnews Platform privacy policy is available at the following link: https://www.magnews.com/platform-privacy-policy/.