General Data Protection Regulation

Qboxmail and personal data protection

The protection of personal data is a core value for Qboxmail.

In order to guarantee its customers compliance with the GDPR and other applicable regulations, as well as maximum data security, Qboxmail has adopted a data protection management model to bring its business processes and information systems in line with these provisions.

This page provides information on how Qboxmail processes personal data, both as a data controller and as a data processor on behalf of its customers, in accordance with the principles of clarity and transparency required by the GDPR.

What is the GDPR?

The General Data Protection Regulation (GDPR) is the European Regulation that standardises the data protection laws in Europe. It became effective on 25 May 2018 and requires all legal entities, as part of their business activities, to ensure an adequate level of data protection and to comply with its provisions.

Some definitions and roles of the GDPR

To fully understand the following information, we provide definitions of the key terms used by the GDPR and clarify their meaning.
The GDPR also distinguishes certain roles assumed by legal entities in the processing of personal data. In fact, a legal entity may process data as a data controller, data processor, joint controller or an authorised processor.

Personal data are considered to be any information concerning an identified or identifiable natural person. For example, personal data are first name and surname, address, telephone number, tax code, email address, photographs, profession, salary, bank details, health condition, etc.
Personal data do not include data relating to companies and other legal persons, such as the company name, registered office, VAT number, balance sheet data, company email addresses such as info@nomesocietà.it etc. However, personal data include data relating to natural persons working at that company, such as legal representatives, employees, external professionals, etc.
Data is only personal when it can be traced back to a natural person, even by making a reasonable effort. Completely anonymous data is not subject to the regulation.

Personal data can be defined as common and special (so-called “sensitive data”). Both types of data are subject to the GDPR. However, sensitive data require extra security and special processing.
Sensitive data includes data relating to the health, sexual life and orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (art. 9 of the GDPR).
Data of a special nature are also considered data relating to criminal convictions and offences or connected to security measures.
All other personal data are considered to be common data.

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by electronic or automated means, such as the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making the data available, alignment or combination, restriction, erasure or destruction.

A Data Controller is the natural or legal person who determines the purposes and means of the processing of personal data.
Each company is therefore the controller of personal data relating to its customers, employees and suppliers.
In the case of a company, the data controller is not its legal representative, but the company itself.

Joint data controllers are two or more data controllers who jointly determine the purposes and means of processing.

The data processor is a natural or legal person who processes personal data on behalf of the data controller.
When a company outsources activities involving the processing of personal data to an external provider (e.g. labour consultants, accountants, IT service providers, hosting providers, etc.), the latter assumes the role of data controller.
Pursuant to article 28 of the GDPR, a data controller may only use data processors that provide sufficient guarantees to implement appropriate technical and organisational measures. The relationship between data controller and data processor must also be governed by a contract (Data Processing Agreement) or other legal act under Union or Member State law.
The obligation to provide information to data subjects and to ensure that they can exercise their rights is not incumbent on the data processor but only on the data controller.

Authorised processors are natural persons who act under the direction and authority of the data controller or data processor (e.g. employees) and who are required to process personal data in order to carry out the tasks and duties assigned to them.

Qboxmail as data controller

Qboxmail acts as data controller when it processes personal data on its own behalf and for its own purposes.
For example, as data controller, Qboxmail processes the personal data of its customers and suppliers for accounting purposes and for the performance of the respective contracts. Similarly, as data controller, Qboxmail processes the personal data of its employees for the proper performance of employment contracts, compliance with security regulations, training, etc.

Qboxmail data controller

Click on the following link to access information on how Qboxmail processes personal data in its capacity as data controller.

Customer policy (articles 13 and 14 GDPR)


Supplier policy (articles 13 and 14 GDPR)


In addition to the data of its customers, suppliers and employees, as data controller, Qboxmail processes certain personal data of users of its services, even if they are not directly contracted to it. The processing of this data is necessary to ensure the proper functioning and security of its web platforms.
To find out how Qboxmail processes the personal data of users of its services, please consult the following policy.

Policy for services users (articles 13 and 14 GDPR)


Qboxmail as Data Processor

Qboxmail acts as a Data Processor when it processes personal data on behalf of and as instructed by its customers. In particular, Qboxmail acts as a data processor when it processes data on behalf of its customers in providing email management and hosting services and other related services. When Qboxmail’s customers are themselves data processors, Qboxmail acts as a sub-processor.

Qboxmail as data processor

Whenever Qboxmail acts as a data processor or sub-processor for one of its customers, this relationship must be governed by a Data Processing Agreement (or a contract appointing a data processor) pursuant to article 28 of the GDPR.

Qboxmail has its own Data Processing Agreement template, which allows its customers to comply with the provisions of article 28 of the GDPR.

Data Processing Agreement


Data Protection Officer

In order to guarantee itself and its customers maximum security in the processing of personal data and compliance with the GDPR, Qboxmail has appointed a Data Protection Officer (or DPO), who can be contacted at the following email address:

The Data Protection Officer is the main point of contact between data subjects and Qboxmail with regard to the processing of personal data. Therefore, customers, suppliers, employees and all interested parties may contact the DPO directly for matters relating to the processing of their personal data.

Qboxmail and the GDPR

Qboxmail follows and puts into practice a path of analysis, adaptation and continuous improvement of its IT systems and its privacy management model. It organises staff awareness-raising and training programs to guarantee its customers and users maximum protection of the personal data entrusted to it and compliance with the regulations.

Privacy by default and by design

Our software has always been designed and developed by following the principles of “Data protection by default and by design”.

Data encryption and security

We use encryption of data in transit to guarantee a high level of protection in order to minimise the risk of loss of confidentiality.

Log storage in accordance with the law

We ensure that system logs are kept and stored in accordance with the provisions of the Italian Data Protection Authority regarding system administrators. A procedure has also been implemented to digitally sign the log files and give them a certain date.

Data export

POP and IMAP features allow administrators to export customer data at any time during the contractual period. Logs of the accesses and audits can be exported in CSV format.

Data deletion

Customers can delete their data at any time. When a definitive deletion request is sent (such as the cancellation of an email account), the data will be removed from every system within 60 days unless otherwise required by law.

Encryption of data in transit

We always make encryption available to protect data in transit. Webmail, POP, IMAP, and SMTP services are accessible by default via TLS.

Vulnerability management

We use internally developed tools to detect software vulnerabilities early on and carry out periodic tests for possible violations.

Processing register

We have set up a register of the processing operations carried out, both as data controller and as data processor, which we can make available in case of a request from the supervisory authority.

Personnel training

All Qboxmail employees have undergone in-house training on the requirements of the GDPR and are constantly updated and made aware of the security and confidentiality of the data we process.

Rights of the data subject

The data subject has the right to obtain confirmation from the data controller as to whether personal data concerning him or her are being processed and that said data are processed by the latter pursuant to article 15 of EU Reg. 2016/679.

The data subject also has the right to obtain the rectification of inaccurate personal data concerning him or her and the integration of incomplete data pursuant to article 16 of EU Reg. 2016/679.

The data subject has the right to obtain the erasure of data that are no longer necessary in relation to the purposes for which they were collected or otherwise processed, of data processed based on his or her consent when the latter is withdrawn, of data that has been unlawfully processed, etc. In order to know the other cases in which the data may be erased, the data subject may refer to article 17 of EU Reg. 2016/679.

The data subject has the right to obtain the restriction of the processing of his or her data in the cases set forth in article 18 of EU Reg. 2016/679, the portability of his or her data in the cases set forth in article 20 of EU Reg. 2016/679, as well as the right to object to the processing of his or her data in the legitimate interest of the data controller or based on public interest, as allowed by article 21 of EU Reg. 2016/679.

If the data subject believes there has been a breach in the processing of his or her data, he or she may lodge a complaint whit the Data Protection Authority.
The request for cancellation or opposition to the processing of data necessary for the performance of the contract may make it impossible for Qboxmail to fulfil the contractual obligations. The data subject may not object to the processing or request the erasure of data that Qboxmail must process in order to fulfil accounting and tax obligations or other legal obligations.

The data subject may at any time withdraw consent he or she may have given for the processing of his or her personal data for marketing purposes without this entailing any prejudicial consequences or preventing performance of the contract.

As data controller, Qboxmail may not respond to requests made by data subjects for exercising their rights. In that case, data subjects must contact the data controller.

To exercise your privacy rights, send an email to with your request.

We use cookies to provide you a better browsing experience, by continuing you accept their use. For more information visit the Privacy policy page.