Processing of personal data

“Processing of personal data” refers to any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, even if not recorded in a database, such as collection, recording, organisation, structuring, storage, processing, selection, blocking, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 

FARMAE’ S.p.A. pays the utmost attention to the protection of personal data, and has adopted adequate and necessary measures for the protection of data and their storage by applying reference domestic and European regulations and after reviewing all risks connected to the above-mentioned activities.

Access to certain sections of the website and/or any requests for information or services by website users may be subject to the entry of personal data, which will be processed by FARMAE’ S.p.A. in compliance with the General Data Protection Regulation (EU Regulation 2016/679) and domestic regulations in force, with which FARMAE’ S.p.A. has always complied.

This disclosure aims to inform users, even before accessing the various sections of the website and providing their data, about how FARMAE’ S.p.A. processes the personal data of users, and in any event users will be required to view it before providing their personal data by completing the forms made available in the various sections of the website, and provide their consent to data processing.

Processing will take place manually (e.g., collection of paper forms) and electronically, or in any event with the support of IT or automated instruments. 

According to the rules of the Code and the Regulation, the processing performed by the Data Controller will be inspired by the principles of fairness, lawfulness and transparency and the protection of confidentiality.


Subject of processing and collection methods

The Data Controller processes personal identifying data (such as name, surname, address, tax code, telephone number, email address) – hereinafter the “personal data” or “data” – provided by the Data Subject when entering into the contract for the services offered by the Data Controller.

The personal data processed will be collected directly from the Data Subject.

Aside from the personal data provided directly by the user, when connecting to the website, the IT systems and software procedures used for the functioning of the website indirectly acquire some personal data, the transmission of which is implicit in the use of internet communication protocols.


Primary purposes of the processing


The provision of data is optional but it is, in part, necessary (that is, for those data marked by an asterisk), so that FARMAE’ S.p.A. can meet the needs of users in terms of the functioning of the website.

As the personal data marked by an asterisk is necessary for the performance of the service requested, not providing them, or providing partial or inaccurate data, will make it impossible to provide that service; whereas not providing, or providing partial or inaccurate, optional personal data which is not necessary, will have no consequence.

The personal data will be processed primarily by the Data Controller exclusively 

  •  to meet the obligations set forth by statutory and/or fiscal legal standards;
  • to meet the obligations established by a domestic or international regulation, EU regulations or an order of the Authority f) to exercise the rights of the Data Controller, for example, the right to defence in of a legal claim.

Access, communication and distribution of personal data for the pursuit of the primary processing purposes. In all cases described above, for the pursuit of the primary purposes the data of the Data Subject may be made accessible and disclosed to: 

  • employees, workers and internal consultants responsible for administrative, secretarial, technical or other types of obligations and collaborators of the Data Controller who, operating under its direct authority, were appointed as data processors and have received adequate operating instructions in this regard;
  • third party companies or other parties (for example: professional firms, consultants responsible for performing legal and/or fiscal activities, parties that perform data processing and/or accounting activities and meet the resulting obligations on behalf of the Data Controller) that carry out activities on behalf of the Data Controller, in their capacity as external data processing managers and which, in turn, have provided adequate operating instructions in this regard to their own employees and data processing managers.

The Data Controller may also disclose the personal data externally to the following third parties, to which communication is necessary to perform the contract and meet the obligations it entails, pre-contractual and fiscal obligations and, more generally, for the fulfilment of obligations laid out by regulations in force.

From this perspective, the personal data may be disclosed by the Data Controller to the parties listed below:

  • the judicial authority and the police or other public administrations for the fulfilment of regulatory obligations;
  • companies that perform electronic communication device management and maintenance activities;
  • all natural persons and legal entities in cases in which this disclosure is necessary for the primary processing purposes.

Those parties will process the data in their capacity as autonomous data controllers. 

Exclusion of the need to obtain consent to the processing of personal data In all of the cases described above in Paragraphs 3.2 and 3.3 (for the case of communication to third parties), the Data Controller is not required to obtain specific consent to data processing as all of the processing described above pursues the primary purposes for which article 24 of the Privacy Code and article 6, paragraph 1, letters b), c), e) and f) of the Regulation exclude the need to obtain specific consent, either because the processing is necessary to meet an obligation set forth by law (and as a result federal and statutory rules), a regulation or EU law, or because the processing is necessary to meet obligations deriving from the contractual relationship to which the Data Subject is party or to fulfil specific requests of the Data Subject before the conclusion of the contract. 

When the Data Subject does not intend to provide the personal data requested which are necessary on the basis of the foregoing, it will be impossible to guarantee the full and correct usability of the website.


Transfer of personal data to countries outside the European Union 

Please note that some personal data of the Data Subject may be transferred to third countries or third-party international organisations located outside the European Union solely to allow for the pursuit of the primary processing purposes.

From time to time, the prerequisite of the lawful transfer of personal data may be represented by: 

  1. the existence of adequacy decisions issued by the EU Commission for countries that can guarantee the same level of protection of the data transferred as that guaranteed in the European Union (with the result that it may be possible to transfer data without restrictions or consent, such as in the case of data transfers to Australia, Argentina, New Zealand, Uruguay, Israel, Hong Kong and Switzerland); 
  2. the need to fulfil obligations relating to the establishment of the contractual relationship, or to meet commitments assumed by the Data Controller in the interest and in favour of the Data Subject. 

The Data Controller therefore specifies that it is not necessary to obtain consent to proceed with processing represented by the transfer of personal data to third countries or to third-party international organisations located outside the European Union, based on the prerequisites of the lawfulness of the processing described above.


Methods, timing of storage of personal data and other information

The personal data will be processed primarily in automated form, with logics strictly correlated with the above-mentioned purposes by the Data Controller’s internal personnel and collaborators and by external parties expressly appointed as data processing managers.

Outside of these cases, the data will not be disclosed to third parties or disseminated except in the cases expressly required by domestic or European Union law.

The data will be processed for the entire duration of the contractual relationships established and also subsequently for the time in which the Data Controller will be subject to the storage obligations for fiscal and legal purposes or other purposes, established by law and/or regulations.


Data Controller, data processing manager and data processors

The Data Controller is FARMAE’ S.p.A., with registered office at Via Aurelia Nord 141 – 55049 Viareggio (LU), tax code and VAT no. 02072180504, email address:

The updated list of Data Processing Managers and Data Processors is available at the registered office of the Data Controller and may be consulted by sending an informal request, including via email to the following email address:


Rights of the Data Subject

Pursuant to article 7 of the Privacy Code and pursuant to articles 13, paragraph 2, letters (b) and (d), 15, 18, 19 and 21 of the Regulation, the Data Subject has the following rights: 

  1. the right to request from FARMAE’ S.p.A. in its capacity as Data Controller, access to the personal data, the rectification or deletion of the personal data or the limitation to the processing of personal data regarding him or her or to object to their processing, in the cases established;
  2. the right to submit in his or her capacity as Data Subject a complaint to the Personal Data Protection Authority by following the procedures and instructions published on the official website of the Authority at; 
  3. any rectifications or deletions or restrictions to processing performed at the request of the Data Subject – unless this is impossible or requires disproportionate effort – will be communicated by the Data Controller to each of the recipients to which the personal data were transmitted. The Data Controller may also notify the Data Subject of those recipients if the Data Subject so requests. 

In particular, the Data Subject may:

1) obtain confirmation of the existence or otherwise of his or her personal data, even if not yet registered, and the communication thereof in intelligible form; 

2) obtain an indication of: 

  1. the origin of personal data; 
  2. the purposes and means of processing; 
  3. the logic applied in the event of processing carried out with electronic instruments; 
  4. the identifying information of the Data Controller, data processors and the designated representative pursuant to article 5, paragraph 2 of the Privacy Code and article 3, paragraph 1 of the GDPR;
  5. the parties or categories of parties to which the personal data may be communicated or which could become aware of it as designated representatives within the territory of the State, as data processing managers or as data processors; 


3) obtain: a) the updating, rectification or, if he or she so desires, completion of the data; 

  1. the deletion, transformation into anonymous form or the blocking of data processed in breach of the law, including that which is not necessary to store in relation to the purposes for which the data were collected or subsequently processed; 
  2. the certification that the operations pursuant to letters a) and b) have been brought to the attention, also as regards their content, of those to whom the data were communicated or distributed, unless this is impossible or requires the use of means that are obviously disproportionate with respect to the protected right;


4) object, all or in part:

  1. for legitimate reasons, to the processing of his or her data, even if pertinent to the purpose for which they were collected. 

Method for exercising rights by the Data Subject

The exercise of rights is not subject to any type of restriction and is free of charge. 

The address for the exercise of rights is: 

Otherwise, the Data Subject may, at any moment, exercise the rights by sending a registered letter with advice of receipt to the following address: FARMAE’ S.p.A., Via Aurelia Nord 141 – 55049 Viareggio (LU).

Cookie Policy