Privacy Policy
1. About us
This communication has been provided – pursuant to art. 13 of European Regulation 2016/679 on the protection of personal data (the “Regulation” or the “GDPR”) and Italian Legislative Decree no. 196 of 30/06/2003 (the “Privacy Code”), as modified and supplemented by Italian Legislative Decree no. 101/2018, as amended and supplemented – by Chiorino S.p.A. (hereinafter also the “Company”) with registered office at via S. Agata 9, Biella (BI), Italy, as the Controller with regard to your personal data.
The purpose of this policy is to inform Data Subjects of the methods used to process their personal data.
The Data Protection Officer (DPO) is Howden Consulting s.r.l. and may be contacted by emailing privacy@chiorino.com.
2. The methods by which Personal Data is processed
The Personal Data provided or acquired shall be subject to processing based on the principles of correctness, lawfulness, transparency and the protection of confidentiality, pursuant to applicable laws and regulations. The Controller processes the Personal Data of users by adopting appropriate security measures designed to prevent unauthorised access to the Personal Data as well as its disclosure, modification, and destruction. Processing shall be carried out with IT and/or electronic means, with organisational methods and logic strictly related to the purposes indicated.
3. Tools used to process Personal Data
CONTACT FORM
The user, by completing the form with their Personal Data, consents to the use of such data in order to be able to respond to requests for information or for any other purpose that might be indicated at the top of the form. The Personal Data collected via the Contact Form: Email address, telephone number, first name, last name.
EMAIL ADDRESS MANAGEMENT
These services allow a database to be managed which contains email contacts, telephone contacts or any other types of contacts used to communicate with the user. These services may also permit Personal Data to be collected relating to the date and time the user viewed messages.
4. Types of personal data processed
The website provides informational content and, sometimes, interactive content.
This website uses cookies, that is, small text files, which can be used by websites to make the user experience more efficient and to personalise content and advertisements. Cookies can also be used to deliver social media network functions and analyse traffic (see the Cookie Policy)
When browsing this site, the Company may, then, acquire information about the visitor in the following ways:
Browsing data
During normal operation, the computer systems and software procedures used to operate this website acquire some Personal Data, the transmission of which is implicit in the use of internet communication protocols. This category of data includes: IP addresses, the type of browser used, the operating system, the domain name and the website addresses from which an access was made, information on the pages visited by the user within the site, the time of access, the length of time spent on individual pages, an analysis of the internal path taken as well as an analysis of other parameters relating to the user’s operating system and computing environment.
Other categories of personal data
This includes all the Personal Data provided by the visitor through the site when, for example:
- compiling a form to request a quote and/or information on the services offered and/or to request being contacted;
- writing to one of the email addresses indicated on our site to request information;
- accessing a reserved area and/or a service;
- compiling a form to submit a CV.
CONTENT ON EXTERNAL PLATFORMS
These services allow visitors to view content stored on external platforms directly from the pages of this website and to interact with such content. If one of these services is installed, it is possible that, even if a visitor does not use the service, it still might collect traffic data relating to the pages on which the service is installed.
This website uses:
YouTube (Google Ireland Limited)
Managed by Google, YouTube is a service which displays video content. It allows this website to integrate such content within its pages. Personal Data collected: Cookies and usage data. Place where processing is carried out: Ireland – Privacy Policy (https://policies.google.com/privacy?hl=en)
5. The purposes for which Personal Data is processed and the legal basis for doing so
Personal Data may be collected independently by the Controller or through third parties. In this case, the computer systems and software procedures used to operate this website acquire certain - specifically technical - pieces of Personal Data (such as, for example, the IP address, the type of browser used, the operating system, the domain name and the website addresses from which an access was made or to which an exit was made, etc.), the transmission of which is inherent to the normal operation of the internet. This Personal Data may only be processed in order to obtain anonymous statistics on how the site is used and/or to check its proper operation. Once processed, this data is deleted immediately.
The Personal Data, which the Data Subject chooses to provide voluntarily, shall be processed in compliance with the conditions of lawfulness pursuant to art. 6 of the GDPR and shall be processed to allow the website to provide its services, as well as for the purposes indicated below. In addition, the Personal Data shall be stored for the time necessary to fulfil the aforementioned purposes.
The Personal Data provided shall be processed for the following purposes:
- to provide the goods and/or service requested by the user, to manage the contracts agreed with the user, to fulfil the relative administrative, accounting, tax and legal obligations as well as to process any requests submitted by the user. The processing carried out for these purposes is necessary in order to fulfil contractual obligations or to satisfy a request made by the Data Subject and, as such, does not require any specific consent;
- to record the experience using our platforms, products and services which we offer and to ensure the proper operation of the web pages and their content. The processing carried out for these purposes is based on the Controller’s legitimate interest;
- to perform a softspam activity which allows the Controller to email users promotional messages regarding the products and/or services acquired without the need for the user’s express and prior consent, as provided for by art. 130, paragraph 4 of the Privacy Code and provided that the user has not exercised their right to object to this sort of processing. This processing is based on the Controller’s legitimate interest, as provided for by art. 130, paragraph 4 of the Privacy Code as amended by Italian Legislative Decree no. 101 of 2018;
- to perform statistical analysis on aggregate and anonymised data in order to analyse user behaviour with the aim of improving the products and services provided by the Controller as well as to meet the expectations of the users themselves. The processing carried out for these purposes is based on the Controller’s legitimate interest.
The Personal Data collected by the Controller shall only be shared for the purposes listed above. We will not share or transfer Personal Data to any third party other than those indicated in this Privacy Policy.
In the course of our activities, and exclusively for the same purposes as those listed in this Privacy Policy, the Personal Data collected may be transferred to the following categories of recipients:
- specially trained personnel who are involved in the organisation of the website (administrative, sales, marketing, and legal personnel and system administrators);
- companies in the Group;
- service providers (such as, for example, suppliers of IT systems, cloud services providers, database providers, and consultants);
- Public Administration bodies for legal purposes;
- any public and/or private party to which disclosing Personal Data is necessary in relation to achieve the purposes listed above.
- An updated list of Processors is available at the Controller’s registered office and will be provided upon written request.
7. Protection of personal data
The Controller has implemented a number of suitable technical and organisational measures designed to provide an adequate level of security and confidentiality to Personal Data.
These measures take the following into account:
- the state-of-the-art of the technology;
- the costs of its implementation;
- the nature of the data;
- the risk involved in the processing.
8. Data retention periods
Without prejudice to a user’s right to object to the processing of their Personal Data and/or to request that such data be erased, the Company shall only store the Personal Data collected for the time needed to achieve the purpose(s) for which the same data was collected and received, or to meet any legal or regulatory requirements, as provided for by art. 5, paragraph 1, letter e) of the GDPR.
Specifically:
the Personal Data collected for contractual obligations shall be stored for the time necessary to fulfil the aforementioned purposes and as required by law;
the Personal Data collected for purposes attributable to the Controller’s legitimate interest shall be processed until the same legitimate interest has been satisfied. Users may obtain further information regarding the legitimate interest pursued by the Controller by contacting the Controller.
Personal Data may be stored by the Controller for a longer period in order to comply with a legal obligation or an order issued by a competent authority.
At the end of the retention period, the Personal Data shall be deleted and, therefore, the rights relating to the same may no longer be exercised.
9. Exercising a Data Subject’s rights
Data Subjects may exercise those rights to which they are entitled under articles 15-22 of European Regulation 679/2016. Specifically, Data Subjects have the following rights:
- THE RIGHT TO RECTIFICATION. The Data Subject has the right to obtain the rectification of the Personal Data that concerns them or that has been communicated to the Company. The Company shall make all reasonable efforts to ensure that the Personal Data in its possession is accurate, complete, updated and relevant, on the basis of the most recent information available;
- THE RIGHT TO RESTRICT PROCESSING. The Data Subject has the right to obtain a restriction on the processing of their Personal Data when:
- they contest the accuracy of their Personal Data and for the period in which the Controller verifies the accuracy of it;
- the processing is unlawful and the Data Subject requests processing to be restricted or their Personal Data to be deleted;
- the Company no longer needs to store the Personal Data collected;
- the Data Subject objects to the processing whilst the Controller checks whether its legitimate grounds prevail over those of the user.
- THE RIGHT OF ACCESS. The Data Subject may ask the Controller for information regarding their Personal Data and which has been stored by the Controller, including information on the categories of Personal Data that the Company holds or controls, the purpose(s) such data is used, where the data was collected (if not directly from the Data Subject), and the parties to which this data may have been communicated;
- THE RIGHT TO PORTABILITY. The Data Subject may ask the Company to transfer their Personal Data to another controller, where technically possible, provided that processing is based on the user’s consent or is necessary in order to fulfil a contract.
- THE RIGHT TO ERASURE. The Data Subject may obtain from the Controller the erasure of their Personal Data when:
- the Personal Data is no longer necessary for the purpose(s) for which the data was collected or otherwise processed;
- the Data Subject has exercised their right to object to further processing of their Personal Data;
- the Personal Data has been processed unlawfully.
- THE RIGHT TO OBJECT. The Data Subject may object, at any moment, to the processing of their Personal Data, provided that processing is not based on the Data Subject’s consent but, rather, on the Controller’s legitimate interest or that of a third party. In this case, the Company shall no longer process the Data Subject’s Personal Data unless it is possible to demonstrate compelling and legitimate reasons, or a prevailing interest, to continue processing, or in order to establish, or exercise or defend a legal right. In the event that a Data Subject objects to processing, they need to specify whether they wish their Personal Data to be erased or whether to restrict the processing of it.
- THE RIGHT TO LODGE A COMPLAINT. In the event of an alleged breach of current, applicable law regarding privacy, a Data Subject may submit a complaint to a supervisory authority either in their own country or in the place where the alleged breach took place.
Any future changes or supplements to the processing of Personal Data, as described in this Privacy Policy, shall be announced through the usual communication channels used by the Controller (for example, via this site).
Note that the Controller is not responsible for updating all the links given in this Privacy Policy. Hence, should any link fail to work and/or not be updated, users acknowledge and accept that they shall always have to refer to the document and/or the section of that website to which the link refers.
Privacy Policy updated 01.10.2025