Privacy policy

Documento informativo ai sensi e per gli effetti di cui all’art. 13 del Regolamento (UE) 2016/679 (GDPR)

WHY THIS INFORMATION?

Pursuant to Regulation (EU) 2016/679 (hereinafter "GDPR"), this page describes the methods of processing personal data. This notice is provided in accordance with Article 13 GDPR. This information notice shall not be considered valid for other third-party websites that may be consulted via links on this website, for which no responsibility is assumed.

Personal data that may be processed

Personal data: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity (Recitals 26, 27, 30 GDPR).
Data of contractors/users.
Browsing data: the IT systems and software procedures used to operate this website acquire, in the course of their normal operation, certain personal data whose transmission is implicit in the use of Internet communication protocols. This category includes IP addresses or domain names of the computers and terminals used by users, the URI/URL (Uniform Resource Identifier/Locator) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numeric code indicating the status of the server’s response (successful, error, etc.), and other parameters relating to the user’s operating system and IT environment.
Data voluntarily provided: the optional, explicit and voluntary sending of messages to the contact addresses indicated on this website and/or the completion of data collection forms entails the subsequent acquisition of the sender’s address, necessary to respond to requests, as well as any other personal data included.

Information on the processing of personal data through Social Media platforms

With regard to the processing of personal data carried out by the operators of the Social Media platforms used by the Data Controller, please refer to the information provided by them through their respective privacy policies. The Data Controller processes personal data provided by users through dedicated Social Media platform pages in order to manage interactions with users (comments, public posts, etc.), in compliance with applicable regulations.

Specific notices

Specific information notices may be provided on the pages of the Website in relation to particular services or processing of data provided.

COOKIES AND OTHER TRACKING SYSTEMS. WHAT ARE THEY? WHAT ARE THEY FOR?

For information on Cookies and other tracking systems, please refer to the cookie policy available in the footer of the website and at the following link

1. WHO IS THE DATA CONTROLLER? HOW CAN YOU CONTACT THEM?

The Data Controller is ERBA IDEA S.R.L., with registered office in Milan (MI), via Bartolomeo Eustachi 23, postcode 20129, in the person of its pro tempore legal representative.

The Data Controller’s contact details are: info@erbaidea.com

2. PURPOSE OF PROCESSING, LEGAL BASIS, DATA RETENTION PERIOD, NATURE OF PROVISION OF DATA

PURPOSE OF PROCESSING	LEGAL BASIS	DATA RETENTION PERIOD	NATURE OF PROVISION OF DATA
Browsing of this website. The data necessary for the use of web services are also processed for the purpose of: obtaining statistical information on the use of services (most visited pages, number of visitors by time slot or day, geographical areas of origin, etc.); verifying the proper functioning of the services offered. The data may be used to ascertain liability in the event of hypothetical cybercrimes against the website.	The processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by third parties, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, taking into consideration the reasonable expectations of the data subject and activities strictly necessary for the functioning of the website and for browsing itself. (Art. 6(1)(f) and Recital 47 GDPR) Data subjects are guaranteed the possibility to obtain, upon request, information regarding the balancing test carried out.	Data are retained for the duration of the browsing session. In any event, such data do not persist for more than seven days (except where necessary for the investigation of crimes by the judicial authorities).	The provision of data is necessary for browsing the website.
Use of cookies and similar technologies. Please refer to the cookie policy available in the footer of the website.	For non-technical cookies and similar technologies, processing is based on consent to the processing of personal data (Art. 6(1)(a) and Recitals 42, 43 GDPR). Consent is given through the website banner and cookie policy.	Please refer to the cookie policy available in the footer of the website.	Please refer to the cookie policy available in the footer of the website.

PURPOSE OF PROCESSING

LEGAL BASIS

DATA RETENTION PERIOD

NATURE OF PROVISION OF DATA

Browsing of this website.

The data necessary for the use of web services are also processed for the purpose of:

obtaining statistical information on the use of services (most visited pages, number of visitors by time slot or day, geographical areas of origin, etc.);
verifying the proper functioning of the services offered.

The data may be used to ascertain liability in the event of hypothetical cybercrimes against the website.

The processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by third parties, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, taking into consideration the reasonable expectations of the data subject and activities strictly necessary for the functioning of the website and for browsing itself.

(Art. 6(1)(f) and Recital 47 GDPR)

Data subjects are guaranteed the possibility to obtain, upon request, information regarding the balancing test carried out.

Data are retained for the duration of the browsing session. In any event, such data do not persist for more than seven days (except where necessary for the investigation of crimes by the judicial authorities).

The provision of data is necessary for browsing the website.

Use of cookies and similar technologies.

Please refer to the cookie policy available in the footer of the website.

For non-technical cookies and similar technologies, processing is based on consent to the processing of personal data (Art. 6(1)(a) and Recitals 42, 43 GDPR).

Consent is given through the website banner and cookie policy.

Please refer to the cookie policy available in the footer of the website.

In addition to browsing, personal data will be processed for:

PURPOSE OF PROCESSING	LEGAL BASIS	DATA RETENTION PERIOD	NATURE OF PROVISION OF DATA
A) CONTACTS, sending contact requests and information inquiries.	The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Recital 44). Art. 6(1)(b) GDPR.	Up to 12months.	Provision of data is necessary. Failure to provide the required data will result in the impossibility of being contacted and receiving information.
B) DIRECT MARKETING, NEWSLETTER for the sending of advertising material or direct sales, or for carrying out market research, commercial and promotional communications, through automated means (e-mail). The Data Controller, in order to compare and possibly improve the results of automated communications, uses reporting systems. Through such reports, the Data Controller may, for example, be aware of: the number of readers, openings, unique clickers and clicks; the devices and operating systems used to read the communication; details on the activity of individual users; details of emails sent, delivered and not delivered, and those forwarded. All such data are used for the purpose of comparing and, where appropriate, improving the results of communications.	The processing is based on the consent to the processing of personal data (Recitals 42, 43). Art. 6(1)(a) GDPR.	Until consent is withdrawn (or opt-out).	Provision of data is optional. Failure to provide the necessary data will result in the impossibility of receiving direct marketing communications.
C) RESTRICTED AREA, to access the restricted area.	The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Recital 44). Art. 6(1)(b) GDPR.	Until termination of the contract and for the technical time necessary to disable credentials.	Provision of data is necessary. Failure to provide the required data will result in the impossibility of accessing the restricted area.
D) MANAGEMENT OF YOUR REQUESTS and requests from other data subjects, pursuant to Articles 15 et seq. of the GDPR (data subject rights).	The processing is necessary for compliance with a legal obligation to which the Data Controller is subject (Recital 45). Art. 6(1)(c) GDPR.	5 years from the closure of the request, unless litigation arises.	Provision of personal data is mandatory, as it is indispensable for compliance with legal obligations.

3. TO WHOM WILL PERSONAL DATA BE DISCLOSED? DATA RECIPIENTS

Personal data will be disclosed to entities that will process the data as independent Data Controllers or as Data Processors (Art. 28 GDPR), and will be processed by natural persons (Art. 29 GDPR) acting under the authority of the Data Controller and the Data Processors on the basis of specific instructions provided regarding the purposes and methods of processing.

The data will be disclosed to recipients belonging to the following categories:

Entities based in Italy that provide services for the website and communication networks, including email services, hosting and website management;
For direct marketing purposes, subject to prior consent, entities responsible for managing direct marketing activities;
For third-party marketing purposes, subject to prior consent, the categories of third parties listed above under the specific purpose (list available upon request);
Agents and/or Distributors, including those in non-EEA countries;
Competent authorities for compliance with legal obligations and/or provisions of public bodies, upon request.

The list of Data Processors pursuant to Art. 28 is available by writing to info@erbaidea.com or to the other contact details indicated above.

4. WILL DATA BE TRANSFERRED TO NON-EEA COUNTRIES?

Personal data will be transferred in accordance with Articles 44 et seq. of the GDPR, in particular:

pursuant to Art. 45 GDPR, to third countries or international organizations for which the European Commission has issued an adequacy decision;
to entities that have provided appropriate safeguards, through Standard Contractual Clauses (SCC) adopted by the European Commission (Art. 46(2)(c) and (d) GDPR) or entities adhering to the Data Privacy Framework (DPF) Program.

To obtain information regarding safeguards relating to data transfers outside the EEA, data subjects may write to info@erbaidea.com.

5. IS THERE AN AUTOMATED PROCESS?

Personal data will be subject to traditional manual, electronic and automated processing. It is specified that no fully automated decision-making processes are carried out.

With reference to profiling activities, where carried out on the basis of the explicit consent of the data subject as indicated in the purposes, such processing will be performed with human intervention. An operator will create the profile of the data subject and analyze their habits and consumption choices in order to improve the Data Controller’s commercial offering and services (non-automated profiling).

6. WHAT ARE YOUR RIGHTS? HOW CAN YOU EXERCISE THEM?

Data subjects may exercise their rights as set out in Articles 15 et seq. GDPR by contacting the Data Controller at the email address info@erbaidea.com or by writing to the contact details indicated above.

The Data Controller guarantees data subjects the right to request, at any time: access to their personal data (Art. 15), rectification (Art. 16), erasure (Art. 17), and restriction of processing (Art. 18).

The Data Controller communicates (Art. 19) to each recipient to whom the personal data have been disclosed any rectification or erasure or restriction of processing carried out. The Data Controller shall notify such recipients to data subjects upon request.

The Data Controller guarantees the right to data portability (Art. 20) and, in case of requests under Art. 20, will provide the data in a structured, commonly used and machine-readable format.

Data subjects have the right to object (Art. 21), at any time, to the processing of their data based on legitimate interest by writing to the contact details above with the subject line “objection”. In the event of exercising the right to object to processing based on legitimate interest, the Data Controller grants data subjects the right to obtain, upon request, information on the balancing test carried out.

Data subjects also have the right to withdraw their consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

To stop receiving direct marketing communications and automated newsletters (email), data subjects may send an email to info@erbaidea.com with the subject line “unsubscribe from automated communications” or use the automatic unsubscribe systems provided in emails (opt-out).

If data subjects believe that the processing of personal data carried out by the Data Controller is in breach of Regulation (EU) 2016/679, they have the right to lodge a complaint with a supervisory authority, in particular in the Member State where they habitually reside or work, or where the alleged infringement occurred (Italian Data Protection Authority: https://www.garanteprivacy.it/), or to bring the matter before the competent courts.

7. CHANGES TO THIS PRIVACY NOTICE

The Data Controller may change, modify, add or remove any part of this Privacy Notice. In order to facilitate verification of any changes, the notice will contain the date of its last update.

Date of update: April 14, 2026