INFORMATION ON THE PROCESSING OF PERSONAL DATA
pursuant to Article 13 of Regulation (EU) 2016/679
(General Data Protection Regulation – GDPR)

GENERAL INFORMATION
In compliance with Articles 12 and 13 of Regulation (EU) 2016/679 (General Data Protection Regulation – “GDPR”), this page describes the processing of personal data carried out by Fratelli Tanzi S.p.A., based in Felino (PR), via G. Galilei 4/C, tax code and VAT no. 00744410341 (hereinafter referred to as the “Company” or “Data Controller”) regarding the data subjects involved in the treatments listed below (“data subjects”).

This website privacy policy does not refer to other data processing performed by browsing websites accessed via links possibly present on this website.

The Data Controller guarantees that all personal data processing activities will be carried out in accordance with the principles of lawfulness, transparency and fairness, purpose and storage limitation, data minimization, accuracy, integrity, and confidentiality.

TYPES OF PROCESSING

CONTACT REQUEST DATA
The management of contact requests sent to the references indicated on this website (https://www.fratellitanzi.it/it/pages/83-contatti) may result in the acquisition of personal data of the data subject/user.

Purpose of the processing
(Art.13, para. 1, letter c), GDPR)
The personal data collected is used solely to respond to the requests sent and to communicate with the data subject during any subsequent phases.
Some data may be mandatory and will be marked with an asterisk.

Categories of personal data

• personal data (first name, last name);
• contact data (phone number; email address);
• any other data/information included in the request.

Lawfulness of the processing
(Art.13, para. 1, letter c), GDPR)
Processing is carried out in order to perform a service requested by the data subject (Art. 6, para. 1, letter b), GDPR).

Scope of communication
(Art.13, para. 1, letters e) and f), GDPR)
Data is processed exclusively by authorized and trained staff. It may also be processed by other parties engaged by the Data Controller for purposes connected to the processing itself (e.g. website management support; consulting firms): these parties act as data processors and have signed specific agreements with the Data Controller pursuant to Art. 28, para. 3, GDPR.
In any case, the collected personal data will not be communicated to third parties, disseminated or transferred outside the European Union/European Economic Area.

Processing methods
(Recital 39, GDPR)
Personal data is processed lawfully, fairly and transparently, in accordance with the principles laid down by applicable legislation. The processing is carried out using both digital and paper tools.
Taking into account the nature and characteristics of the processing, the Data Controller has adopted technical and organizational security measures to limit or eliminate the risk of data loss, misuse, or unauthorized access.

Data retention period
(Art.13, para. 2, letter a), GDPR)
Data is retained for the time strictly necessary to manage the relationship with the requester.

Nature of provision
(Art.13, para. 2, letter e), GDPR)
Data is provided voluntarily by the data subject. However, failure to provide it may impair the ability to handle the request and send a response.

CLIENTS AND SUPPLIERS AND RELATED CONTACTS
In the context of activities related to contractual relationships with clients and suppliers, personal data of these individuals (and/or their representatives/contacts) may be processed.

Purpose of the processing
(Art.13, para. 1, letter c), GDPR)
Data is processed in order to:

• establish contractual/professional relationships,
• fulfill pre-contractual, contractual and legal obligations related to current or future relationships and manage related communications,
• exchange communications related to the contractual relationship between the parties,
• fulfill obligations required by laws, regulations, EU legislation or Authority orders,
• exercise the legitimate interests or rights of the Data Controller (e.g. legal defense; debt recovery; operational, administrative and accounting needs).

Categories of personal data

• personal data (first name, last name, tax code/VAT number);
• contact data (phone number; email/PEC address; residence/legal address);
• professional data (data relating to the company the data subject works for);
• banking and payment data.

Lawfulness of the processing
(Art.13, para. 1, letter c), GDPR)
Processing for these purposes is carried out under several legal bases:

• performance of contracts or pre-contractual measures (Art. 6, para. 1, letter b), GDPR);
• fulfillment of legal obligations (Art. 6, para. 1, letter c), GDPR);
• legitimate interests of the Data Controller (e.g. exercising or defending rights in court) (Art. 6, para. 1, letter f), GDPR).

Scope of communication
(Art.13, para. 1, letters e) and f), GDPR)
Data is processed exclusively by authorized and trained staff. It may also be processed by other parties engaged by the Data Controller for related purposes (e.g. tax/legal consultants; public bodies and authorities, etc.). In some cases, these parties act as data processors and have signed specific agreements with the Data Controller pursuant to Art. 28, para. 3, GDPR. In specific cases (e.g. investigations), personal data may be made available to competent authorities.
In any case, personal data will not be communicated to third parties, disseminated or transferred outside the European Union/European Economic Area.

Processing methods
(Recital 39, GDPR)
Personal data is processed lawfully, fairly and transparently, in accordance with the principles laid down by applicable legislation. The processing is carried out using both digital and paper tools.
Taking into account the nature and characteristics of the processing, the Data Controller has adopted technical and organizational security measures to limit or eliminate the risk of data loss, misuse or unauthorized access.

Data retention period
(Art.13, para. 2, letter a), GDPR)
Data is retained for the time strictly necessary to comply with contractual or legal obligations.

Nature of provision
(Art.13, para. 2, letter e), GDPR)
Providing the data is mandatory in order to fulfill the purposes described above.

WEBSITE BROWSING
The IT systems and software procedures used to operate this website acquire, during their normal operation, certain personal data whose transmission is implicit in the use of Internet communication protocols. This category of data includes IP addresses or domain names of the computers used by users connecting to the site, URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the server's response (successful, error, etc.), and other parameters related to the user’s operating system and IT environment.

Purpose of the processing
(Art.13, para. 1, letter c), GDPR)
These data are used solely to gather anonymous statistical information on the use of the site and to check its correct functioning. The data may also be used to ascertain responsibility in the event of hypothetical computer crimes to the detriment of the site (legitimate interest of the Data Controller).

Lawfulness of the processing
(Art.13, para. 1, letter c), GDPR)
The processing is necessary for the legitimate interest of the Data Controller in protecting its IT systems and evaluating the use and functioning of the website (Art. 6, para. 1, letter f), GDPR).

Scope of communication
(Art.13, para. 1, letters e) and f), GDPR)
The data are processed exclusively by authorized and trained personnel. They may also be processed by other parties engaged by the Data Controller for purposes connected to the processing itself (e.g. IT system or website management support). In some cases, these parties act as data processors and have signed specific agreements with the Data Controller pursuant to Art. 28, para. 3, GDPR.
The data may be communicated to the competent authorities in specific cases.
In any case, personal data will not be disclosed to third parties, disseminated or transferred outside the European Union/European Economic Area.

Processing methods
(Recital 39, GDPR)
Personal data is processed lawfully, fairly and transparently, using IT and automated tools and in compliance with the principles established by the applicable regulations.
Taking into account the nature and characteristics of the processing, the Data Controller has adopted technical and organizational security measures to limit or eliminate the risks of data loss, misuse, or unauthorized access.

Data retention period
(Art.13, para. 2, letter a), GDPR)
Data are generally retained for the time necessary to fulfill the aforementioned purposes, for short periods of time, except in the case of any extensions related to investigation activities.

Nature of provision
(Art.13, para. 2, letter e), GDPR)
The provision of data is implicit in accessing and browsing the website.

COOKIES
For more general information on cookies and how to enable or disable them, please visit the Cookie Policy.

VIDEO SURVEILLANCE
Video surveillance systems are installed at the premises of the Data Controller.

Purpose of the processing
(Art.13, para. 1, letter c), GDPR)
The video surveillance systems are installed in compliance with applicable regulations, based on an assessment of the lawfulness and proportionality of such processing, to protect the company’s assets and the safety of individuals present on the premises. The presence of the systems is clearly indicated in accordance with the applicable guidelines, including the use of specific signs.

Lawfulness of the processing
(Art.13, para. 1, letter c), GDPR)
The processing is necessary for the legitimate interest of the Data Controller in protecting the company’s assets and the individuals present on the premises (Art. 6, para. 1, letter f), GDPR).

Scope of communication
(Art.13, para. 1, letters e) and f), GDPR)
The data are processed exclusively by authorized and trained personnel. They may also be processed by other parties engaged by the Data Controller for related purposes (e.g. video surveillance maintenance): these parties act as data processors and have signed specific agreements with the Data Controller pursuant to Art. 28, para. 3, GDPR.
In specific cases (e.g. investigations), the recordings may be made available to competent authorities.
In any case, personal data collected through video surveillance systems will not be disclosed to third parties, disseminated, or transferred outside the European Union/European Economic Area.

Processing methods
(Recital 39, GDPR)
Personal data are processed lawfully, fairly and transparently in accordance with the applicable principles. Image processing is carried out using IT and automated systems.
Considering the nature and characteristics of the processing, the Data Controller has implemented technical and organizational security measures to limit or eliminate the risks of data loss, misuse, or unauthorized access.

Data retention period
(Art.13, para. 2, letter a), GDPR)
Recordings are retained for a maximum period of 72 hours.

RIGHTS OF THE DATA SUBJECT
Under the conditions set forth by current legislation, the data subject has the right to exercise the following rights by contacting amministrazione@fratellitanzi.it:

• Right of access (Art. 15 of the GDPR): to obtain confirmation as to whether or not personal data concerning them are being processed and, if so, access to such data;
• Right to rectification (Art. 16 of the GDPR): to obtain the correction and/or integration of inaccurate or incomplete personal data;
• Right to erasure (Art. 17 of the GDPR): to obtain, where applicable by law, the deletion of personal data;
• Right to restriction of processing (Art. 18 of the GDPR): to request limitation of data processing in specific cases;
• Right to data portability (Art. 20 of the GDPR): to receive, in certain cases and for data provided by the data subject only, the personal data in a structured, commonly used and machine-readable format;
• Right to object (Art. 21 of the GDPR): to object at any time, for reasons related to their particular situation, to the processing of their personal data carried out by the Data Controller for the pursuit of legitimate interest.

If the data subject believes that the processing of their personal data is in violation of the GDPR, they have the right to lodge a complaint with the Data Protection Authority in accordance with the procedures established by that authority or to seek judicial remedy.

This privacy notice was last updated on April 8, 2025.