Pursuant to the European Regulation no. 679/2016

Tobanelli S.p.a., as Data Controller, pursuant to Legislative Decree 30 June 2003, n. 196 – Privacy Code (hereinafter the “Code”), amended and updated by Legislative Decree 101/2018, and to articles 4, n. 7), 13, 14 and 24 of the EU Regulation no. 679 of 27 April 2016 relating to the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data (hereinafter, “GDPR”), informs you that, for the establishment and execution of ongoing relationships, it is in possession of personal data relating to you.

The GDPR was born with the intention of standardizing European Union legislation, ensuring greater control over how personal data is processed. Following the entry into force, which took place on 25 May 2018, the Company has embarked on a process of adapting internal processes and policies to protect all information that our Company will come into possession of.

To comply with the obligations deriving from the new privacy legislation in relation to your data, we invite you to take note of the following information and to express your consent to the processing of personal data.

This statement describes what types of information we collect, how it is used, what we share with other organizations, how the rights regarding the information in our possession can be exercised and how to contact us.

  1. Type of data

Personal information may be collected through the website, applications, social networks, direct contact or through third parties.

Data categories:

Identity data: name, surname, username or similar identifier and title.
Contact information: billing address, delivery address, email address and telephone numbers.
Financial data: the details of the bank account and payment card collected exclusively for the purpose of managing the commercial part.
Marketing and communication data: preferences in receiving marketing communications and from third parties and communication preferences.
Particular categories of personal data: sensitive (e.g. health data, political or religious beliefs) and judicial (criminal and administrative convictions).

  1. Processing methods

Only information that is necessary for the purpose for which it was collected is processed. The processing is carried out by means of the operations or set of operations indicated in art. 4 paragraph 2, GDPR: collection, registration, organization, storage, consultation, processing, modification, selection, extraction, communication, cancellation and destruction of data. The data will be processed in written form and / or on magnetic, electronic or telematic support, even when the data are communicated to the subjects indicated in this information, who in turn are committed to processing them using only methods and procedures strictly necessary for the specific purpose of data processing and legal basis. The processing is carried out by persons in charge and collaborators within their respective functions and in accordance with the instructions received, always and only for the achievement of the specific purposes, scrupulously respecting the principles of confidentiality and security required by the aforementioned law.

Personal data is used exclusively for the purposes and legal basis indicated below:


Use and process personal information.
Provide technical product support.
Manage the relationship, including order fulfillment.
Provide information about our company, its products and services.
Provide newsletters or email updates to the user.
Inform about special offers, products or services.
Measuring the interest of customers and suppliers.
Improve our products, services and the website.
Provide requested information, products or services.
Fulfill obligations deriving from any contracts entered into.
Respond to a binding request from a public authority or court.
Contact the person concerned in case of an urgent Field Safety Notice.


Processing is necessary for the execution of a contract or to enter into a contract.

Consent – which can be withdrawn at any time.

Legitimate interest in the business – you have the right to object to the processing, which can be exercised at any time.

Processing is necessary to comply with legal and regulatory obligations.

In rare cases of vital interest.

  1. Communication of data

We do not share information with third parties; however, we may from time to time disclose information to the following categories of companies or organizations to which we pass the responsibility of managing services on our behalf: support service providers, customer contact centers, direct marketing agencies and consultants, market research and market analysis service providers, legal advisors and other professionals.

We work to ensure that all third-party partners handling information comply with data protection legislation and protect information just as we do. We disclose to them only the personal information STRICTLY necessary to provide the service they are undertaking on our behalf.

We will anonymize the information or use specific aggregate data sets where possible.

  1. Retention terms

We do not store personal information in an identifying format for longer than necessary. For customers or suppliers, we keep personal information for a longer period than for potential customers / suppliers. In the case of an ongoing relationship (for example a customer), we keep personal information for 10 years from the date in order to establish, bring or defend any legal claims. Promotional and marketing information will be kept for a maximum period of 24 months.

  1. Rights of the interested party

The interested party can assert their rights, as provided for by articles 15-23 GDPR, in particular:

- Request a copy of the information we have in our possession;

- Correct and update their information;

- Withdraw consent;

- Right to object and to request the deletion of data or the limitation of use, where there are no legitimate reasons to continue to use and process your information and / or in the absence of consent to direct marketing activities;

- Right to data portability;

- Right to lodge a complaint with the competent Supervisory Authority (Privacy Guarantor).

You can exercise the above rights and / or manage the information by contacting us at the following references:

Post office: Via Fusina n. 142 – 25081 Bedizzole (BS)


In the event of a request for access or information, we inform you that, if the request is unfounded or excessive, we can charge a fee or refuse to act.

  1. Data transfer

The personal data we collect may be transferred to, and stored in, a destination outside the European Economic Area (EEA), for the purposes described above. We will take all steps reasonably necessary to ensure that personal data is treated securely and in accordance with this Privacy Policy and data protection legislation.

To the extent that it is necessary to transfer personal data outside the European Union, we will ensure that adequate protection measures are in place to protect the privacy and integrity of such data, including the European Union model clauses under Article 46 “Subject transfer and adequate guarantees”.

  1. Consent to treatment

Pursuant to Articles 13 and 14 of the GDPR and pursuant to Article 6 of the GDPR, personal data, including “sensitive” and “judicial”, will be processed for the purposes provided for by the processing and / or delivered to third parties, who carry out activities necessary for the execution of the service.

The interested party also confirms the commitment to promptly communicate any corrections, variations and / or additions to the data in our possession.