Pursuant to Art. 13 EU Regulation 2016/679 (GDPR)


This information describes the methods of processing of personal data collected through the following websites:,, (hereinafter, the “Websites”) and is provided by Confezioni Mario De Cecco S.p.a. as the Data Controller (hereinafter, the “Data Controller”), with registered office in San Giovanni Teatino (CH), via Pietro Nenni 61 – 66020, contactable at the following e-mail address:


  1. Categories of data processed

The personal data processed by the Data Controller are:

– data for creating the account (not mandatory) such as first name, last name, email address;

– data to complete the purchase order such as first name, last name, company, country/region, city, zip code, address, email, tax code, VAT number, phone number;

– data related to the credit cards used such as card number, first and last name, validity date, etc.;

– browsing data such as personal information about visits to the Websites, including – but not limited to – traffic data, location data, etc. Cookies may also be saved, as described in more detail in the Cookie Policy;

– data provided voluntarily by users such as information provided by users in sending the contact forms in the “Contact” section (first name, last name, company, email and telephone).


  1. Legal basis for processing

Personal data will be collected and processed on the following legal grounds and for the following purposes:

(a) Compliance with a legal obligation (Art. 6, para. 1 (c) of the GDPR):

– Fulfillment of obligations provided for by Laws, Regulations and Community legislation, or by provisions issued by Authorities or supervisory and control bodies in relation to or in any case connected with the existing and/or future legal relationship.

(b) Performance of a contract or pre-contractual measures (Art. 6(1)(b) GDPR):

– Performance of activities prior to the conclusion of a contract;

– fulfillment of contractual obligations and legal negotiations and in particular of the concluded contract (e.g. execution of the order, including sending functional communications, after-sales support, etc.);

– management of administrative, accounting, tax and financial processes related to the provision of the supplied product;

– protection of contractual rights or otherwise arising from the relationship between the parties.

(c) Legitimate interest of the Data Controller (Art. 6(1)(f) of the GDPR):

– Performance of audits aimed at preventing fraudulent activities through the use of credit cards;

– internal audits.

(d) Exercise of a legal right:

– the Data Controller, within the terms permitted by Article 130, paragraph 4 of Legislative Decree No. 196/2003, as amended by Legislative Decree No. 101/2018, uses the email addresses provided at the time of purchase to send commercial communications for the purpose of direct sales of products or services similar to those already purchased.

(e) Additional purposes subject to the consent of the Data Subject (Article 6(1)(a) of the GDPR):

– (i) promotion and sale of products and services, sending of advertising, informational and promotional material, periodic communication related to products and/or services of the Data Controller via telephone (calls, SMS, instant messaging), use of social networks and e-mail;

– (ii) offer of personalized products and services carried out through profiling and communicated through telephone, social networks and electronic mail. The profiling activity is carried out through analysis of consumption choices and data related to browsing the Websites and is aimed at subsequent personalized commercial activities.

  1. Nature of the provision of data

The provision of personal data for the purposes referred to in points a), b) and c) of the preceding paragraph is obligatory because the opposition of the Data Subject makes it impossible to pursue the respective purposes and provide any related services.

The provision of personal data for the purposes referred to in points d) and e) of the previous paragraph is optional. The Data Subject may at any time request to withdraw the consent for the purpose referred to in point d) and object in relation to the purpose referred to in point e).


  1. Period of data retention

Data are processed and kept for the time required by the purposes for which they were collected.


– personal data collected for purposes related to the performance of a contract between the Data Controller and the Data Subject will be retained until the performance of that contract is completed;

– personal data collected for purposes related to the legitimate interest of the Data Controller will be retained until such interest is satisfied. The Data Subject may obtain further information regarding the legitimate interest pursued by the Controller in the relevant sections of this document or by contacting the Controller;

– when processing is based on the consent of the Data Subject, the Controller may retain personal data until each specific consent is revoked.

In addition, the Controller may be obliged to retain personal data for a longer period in compliance with a legal obligation, by order of an authority, or to protect the rights of the data subjects and the Controller.

At the end of the retention period, personal data will be deleted. Therefore, at the expiration of this period the right of access, deletion, rectification and the right to data portability can no longer be exercised.


  1. Methods of data processing

The Data Controller takes appropriate security measures to prevent unauthorized access, disclosure, modification or destruction of personal data. The processing is carried out by means of computer and/or telematic tools, with organizational methods and logics strictly related to the indicated purposes.

In addition to the Data Controller, in some cases, other subjects involved in the organization of the company or external subjects – also appointed, if necessary, as Data Processors by the Data Controller – may have access to the data. The updated list of Data Processors can always be requested from the Data Controller.


  1. Recipients or categories of recipients of processed data

Within the scope of the above-mentioned purposes, the Data Controller may communicate the data to: specially authorized company personnel (administrative, sales, marketing, legal, system administrators) or external parties (such as third party technical service providers, hosting providers, IT companies, communication agencies, legal service providers, etc.) also appointed, if necessary, as Data Processors/Authorized Persons by the Data Controller.

Recipients will have access to personal information only to the extent required by the performance of their duties and may not use it for any other purpose. Recipients will be held to contractual obligations of confidentiality. Personal information remains under the control of the Data Controller, which has systems in place to ensure that personal information is adequately protected.

In addition, the data may be disclosed for legislative purposes to the relevant authorities.

An up-to-date list of Data Processors/Authorized Persons may always be obtained from the Data Controller.

Personal data will be processed within the European Union. There are no plans to transfer or assign the data outside the EU; otherwise, a transfer can only take place if the Data Controller complies with the conditions set out in Chapter V of the GDPR.


  1. The Data Protection Officer (DPO) and his contact details

Confezioni Mario De Cecco S.p.a. has decided to employ a Data Protection Officer. The Personal Data Protection Officer (DPO) is Dr. Caterina del Federico, who can be reached at the email address


  1. Rights of the Data Subject

At any time, the Data Subject may exercise certain rights with respect to the data processed by the Data Controller. In particular, the Data Subject has the right to:

– withdraw consent at any time. The Data Subject may withdraw the consent to the processing of his/her Personal Data previously given;

– object to the processing of his or her data. The Data Subject may object to the processing of his/her data when it is done on a legal basis other than consent;

– access personal data. The Data Subject has the right to obtain information on the data processed by the Controller, on certain aspects of the processing and to receive a copy of the processed data;

– verify and request rectification. The Data Subject may verify the correctness of his or her data and request that it be updated or corrected;

– obtain the restriction of processing. When certain conditions are met, the Data Subject may request the restriction of the processing of his/her data. In this case, the Data Controller will not process the data for any purpose other than its storage;

– obtain the deletion or removal of their personal data. When certain conditions are met, the Data Subject may request the deletion of his or her data from the Data Controller;

– receive their data or have their data transferred to another Data Controller. The Data Subject has the right to receive his or her data in a structured, commonly used and machine-readable format and, where technically feasible, to have it transferred unimpeded to another Data Controller. This provision is applicable when the data are processed by automated means and the processing is based on the consent of the Data Subject, a contract to which the Data Subject is a party or contractual measures related thereto.

– lodge a complaint. The Data Subject may bring a complaint to the competent personal data protection supervisory authority or take legal action.

It is the right of the Data Subject to lodge a complaint with the Personal Data Protection Authority:

Garante per la Protezione dei Dati Personali

Piazza Venezia, 11 – 00187 Roma


Fax: +39 06 696773785

Telephone: +39 06696771

The Data Subject is invited to check the Garante’s website for any updates to the above-mentioned contact information.

To exercise their rights, the Data Subject may address a request to the following email address: Requests are filed free of charge and processed by the Data Controller as soon as possible, in any case within one month.

Withdrawal of consent does not affect the legitimacy of the processing carried out prior to it.


  1. Cookie policy

This site uses tracking tools. To learn more, the Data Subject may consult the Websites’ Cookie Policy.


  1. Changes to the Privacy Policy

The Data Controller may amend this policy periodically. If this happens, the Data Subject will be informed by means of a notice to the indicated e-mail address if the change significantly affects the protection of his/her personal data.