Disclosure regarding the processing of personal data pursuant to art. 13 of EU Reg. 2016/679
Dear user,
Protecting your personal data is very important to us, and we want you to feel comfortable with how we protect your privacy on an ongoing basis. That is why we wish to share information with you that will help you to understand how we process your personal data, above all those we collect from you for the purposes indicated hereunder.
We want you to know that your personal data will be processed in compliance with the provisions of the European Regulation on the protection of personal data (Reg. EU 2016/679, hereinafter “GDPR”) as well as current and applicable privacy laws (Italian Legislative Decree 196/2003 as amended, hereinafter “Privacy Code”), and in any case in compliance with the principles of lawfulness, fairness and transparency. This disclosure is provided pursuant to article 13 of the GDPR. Please read it before you provide your personal data or use our services.
Data Controller and contact details
Your personal data will be processed by F.lli De Cecco di Filippo Fara San Martino S.p.A. (hereinafter “De Cecco”) with registered office in Via F. De Cecco, Zona Industriale, 66015, Fara San Martino (CH), Italy, tel. 08729861, as Data Controller.
The Data Protection Officer (DPO) and contact details
De Cecco has a Data Protection Officer. Our Data Protection Officer is Mr Giulio Maria Garofalo, lawyer, email [email protected].
Purposes for which personal data are processed, the data processed and the legal basis for such processing
The personal data necessarily requested (i.e. first name, last name, city, country, email address, contact reasons) or any further data you optionally provide to Customer Service (i.e. purchase order number or data related to the same, telephone contact or any allergies to substances potentially contained in De Cecco products) may be processed for the following purposes:
- Request for information/customer support. These data will be processed to the extent strictly necessary in order to process your request and follow up on all relevant operational and/or verification activities. Providing your data for this purpose is mandatory. Should you fail to provide these data, you will be unable to submit the request for information and/or support or receive the relevant feedback. The processing of such data will take place to follow up on your pre-contractual requests or to execute the contract (art. 6, par. 1, lett. B GDPR).
- Compliance with legal obligations. Your personal data may also be processed in order to comply with legal obligations or specific sector regulations (art. 6, par. 1, lett. C GDPR). Apart from the data voluntarily provided by a Data Subject, De Cecco does not process any so-called special data concerning the Data Subject (art. 9, par. I GDPR) and invites Data Subjects, where possible, not to communicate this type of data, which will, in any case, only be processed in the presence of a lawful legal basis pursuant to the aforementioned article of EU Reg. 2016/679.
- Exercise of rights in court. Your personal data may be processed by the Data Controller in order to initiate or manage a dispute (in or out of court) or a complaint arising due to or in connection with the request for information and/or support or with the product purchase agreement (art. 6, par. 1, lett. F GDPR).
Personal data processing method
Your personal data will be processed with the aid of computerised and telematic tools. In any case, data will be processed using technical and organisational security measures appropriate to the processing risk in question, in accordance with the provisions of article 32 of the GDPR.
Personal data retention period
Your personal data will be retained for the time strictly necessary to attain the above purposes and, specifically:
- for the purpose of requesting information, your personal data will be retained for a maximum of 6 months after their collection;
- for customer support purposes, your personal data will be retained for a maximum of 3 years after their collection;
- to fulfil legal obligations, data will be retained in accordance with the terms of the applicable legislation;
- to defend rights in a court of law, data will be kept for a period of 10 years after the final ruling has been issued.
Disclosure and dissemination of personal data
Your personal data will not be disclosed to unspecified recipients, but may be made accessible to the following categories of parties:
- Employees of and/or contractors engaged by De Cecco or De Cecco Group companies;
- External companies which offer services related to the purposes (e.g. hosting services, etc.) acting as Data Processors, pursuant to article 28 of the GDPR. The updated list of Data Processors is available from the Data Controller.
- Public authorities (e.g. judicial authorities in the case of a legal dispute);
- Charities or charitable associations (in the case of Mutual Aid applications).
Transfer of data to non-EU countries
Personal data will not be transferred outside the EU.
Rights of the Data Subject
As Data Subject, you may exercise, where the conditions are met, your rights pursuant to articles 15 et seq. of the GDPR. In particular:
- the right of access: the Data Subject shall have the right to obtain confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, to access the personal data and the following information (i.e. purposes of processing, categories of personal data, the recipients to whom the personal data are or will be disclosed, the retention period, any available information as to the source of the data if they are not collected from the Data Subject, the appropriate safeguards relating to the transfer if personal data are transferred to a non-EU country), and to obtain a copy of the personal data processed;
- the right to rectification: the Data Subject shall have the right to have, without undue delay, inaccurate personal data concerning him or her rectified, and to have incomplete personal data completed.
- the right to erasure: the Data Subject shall have the right to have personal data concerning him or her erased without undue delay, where one of the following grounds applies:
• the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• the Data Subject may withdraw consent forming the basis of the processing, and where there is no other legal ground for the processing;
• the Data Subject may object to the processing if there are no overriding legitimate grounds for processing;
• the personal data have been unlawfully processed;
• the personal data have to be erased for compliance with a legal obligation in EU law;
• the personal data have been collected in relation to the provision of information society services referred to in article 8.
- the right to restrict processing: the Data Subject shall have the right to have processing restricted where the following applies:
• if the Data Subject challenges the accuracy of the personal data, for the period necessary for the Data Controller to verify the accuracy of such personal data;
• if processing is unlawful and the Data Subject objects to the erasure of the personal data and instead requests the restriction of their use;
• although the Data Controller no longer needs them for processing purposes, the personal data are necessary for the establishment, exercise or defence of legal claims in a court of law;
• if the Data Subject has objected to processing pending verification of whether the legitimate grounds of the Data Controller override those of the Data Subject.
- the right to data portability: the Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format, and have the right to transmit these data to another Controller;
- the right to object to processing: the Data Subject may object to the processing of his or her personal data: a) on grounds relating to his or her particular situation, to be specified in his or her request; b) (without having to provide reasons for the objection) when the data are processed for direct marketing purposes.
These rights may be exercised by sending us a specific request by email to [email protected].
If you believe that the processing of your personal data is in breach of the provisions of the current privacy law, you may lodge a complaint with the Data Protection Supervisory Authority, as set forth by article 77 of the GDPR, or commence proceedings before the competent courts.