1 – „Contact us” section privacy policy

When consulting the „Contact us” section of the website https://www.tomatopiu.com (hereafter also simply referred to as the  „section”), personal data may be processed in such a way as to identify parties to, or render them identifiable by, the company tomatopiu s.r.l. in its role as Data Controller. The information relating to the methods used for processing the personal data obtained from users who interact with the web services provided by this section is also provided, pursuant to art. 13 of the European Regulation n. 679/2016 (hereafter also referred to simply as „GDPR”), Data Controller.

The Data Controller is identified as the company tomatopiu s.r.l., VAT number: IT 03790430981, whose head offices are located in Borgosatollo (BS) at Via Ferri, 61/63/65, Post Code 25010.

2 – Data Protection Officer („DPO”).

The Data Protection Officer is responsible for playing an active role in ensuring the Data Controller, and all other subjects involved in processing personal data, comply with the provisions of the legislation pursuant to the general data protection regulations („GDPR”) at all times. Furthermore, he/she may act as a point of contact between the data subject and the Data Controller, if the former wishes to exercise the rights set out in paragraph 11 below. The DPO is identified as Mr. Daniele Rossi, who can be contacted at the addresses and as set out in paragraph 12.

3 – Type of data and processing purposes.

By filling in the appropriate fields, the user, or „data subject”, will be provided with the opportunity to obtain more information about tomatopiu s.r.l. products. In particular, data such as name, surname, e-mail address, company and title are collected; the user will also be asked whether he/she is visiting the Website in a private or professional capacity The Data Controller will use all the information and personal data provided by the data subject for the following purposes:

  • A) fulfilling the requests submitted by the data subject;
  • B) carrying out marketing and newsletter activities in order to provide the data subject with information regarding the initiatives and news proposed by the Data Controller.
4 – Profiling purposes

The Data Controller may use the data supplied by the data subject for profiling purposes. In fact, the Data Controller may use such data to evaluate the data subject on the basis of the information provided, thus allowing a more precise and exhaustive response to the requests submitted and – where necessary – improved targeting of marketing activities.

5 – Legal basis for processing

Please note that the information provided by the data subject will be processed pursuant to the provisions of Article No. 6 lett. a) of the GDPR, i.e. on the basis of the consent specifically and legitimately granted by the data subject – also pursuant to Article No. 7 GDPR – to exercise the activities referred to in lett. A) and B) set out in paragraph 3 above.

6 – Optional nature of the provision of data

Users are free decide whether or not to provide their personal data by compiling the fields in this section. It should be noted, however, that failure to provide such data may render it impossible for the company to provide the requested service.

7 – Method and place of processing

Personal data are processed – according to the provisions set out in the GDPR – on, among others, the following principles: lawfulness, correctness, transparency, suitability, relevance, minimization and security. Therefore, personal data are processed, either manually or by means of electronic or automated systems, only for the time strictly necessary to achieve the purposes for which they were collected. Specific security measures are used to prevent data loss, illicit or incorrect use and unauthorised access. Data transfer: Personal data will not be transferred to third countries or international organisations. However, the Data Controller reserves the right to use cloud services located within the European Union; in this case, the providers of the cloud computing service will be selected from those who provide adequate guarantees, as stipulated by Article No. 46 of the GDPR. In any event, if necessary, the Data Controller will also be permitted to transfer the servers outside the European Union, guaranteeing, a priori, that any transfer of such data will take place in accordance with the applicable legal provisions, subject to stipulation of the standard contractual clauses established by the European Commission.

8 – Duration of processing

The personal data indicated by the data subject will be kept for the time necessary to provide the services requested. If any data are found to be superfluous for the purposes for which they were collected, they will be deleted by the Data Controller without delay – in compliance with the so-called „principle of minimisation”. In any event, the collected data will not be kept for a time exceeding that established by the rules regulating administrative conservation. When expressly requested for marketing purposes, the data in question will be deleted immediately when the data subject requests that the respective service be discontinued by compiling the form at the foot of each newsletter.

9 – Security of processing

The data are collected by the Data Controller, pursuant to the provisions of the applicable legislation, with particular regard to the security measures set out in art. 32 GDPR regarding their processing by means of computerised, manual and automated systems and in accordance with logical procedures related to the purposes indicated in paragraph 3 and, above all, with the purpose of guaranteeing the security and confidentiality of the data.

10 – Categories of recipients

In the ambit of the purposes for which the data were collected, the Data Controller may also permit third parties to access the collected data in the role of data processors, subject to specific agreements, conventions or protocols. More specifically, the information relating to the data provided may be supplied, for example, to providers of IT services, such as direct marketing, internet service and cloud computing. Such data may also be divulged – within the ambit of the purposes for which they were collected – to parties assigned by the Data Controller to carry out logistics and warehouse activities on their behalf, as well as marketing, promoting, selling and delivering their products or services and conducting market analyses and surveys, in addition to any other parties that provide assistance and consultancy services, for example, legal, accounting, economic-financial, technical-organisational, data processing, banking, financial, insurance and debt collection services, as well as public authorities and supervisory and control bodies. Personal data may also be divulged to persons authorised by the Data Controller, or by the data processors, to process such data, including personnel responsible for processing orders, administration, IT systems and site management staff, as well as personnel responsible for providing site services and technical and commercial staff. The data subject may obtain an updated list of Data Processors and assigned personnel by submitting a specific request to the Data Controller, as indicated in Paragraph 12 below. In any event, the personal data collected on this Website will not be disclosed in any way other than those set out above.

11 – Rights of the Data Subject.

The Data Subject is entitled to exercise the rights set out in Article No. 15 of the GDPR; more specifically, the right to obtain confirmation from the Data Controller on whether the processing of personal data is ongoing and, if so, to obtain access to such personal data and the following information: the purpose of the processing, categories of personal data in question, recipients or categories of recipients to whom the personal data have been or will be divulged, in particular in the case of recipients in third countries or international organisations; when possible, the retention period of the personal data he/she has provided or, if this not possible, the criteria used to determine this period, the existence of the right of the data subject to request the Data Controller to correct or delete their personal data or limit the processing of personal data concerning him/her or to oppose their processing, and the right to lodge a complaint with a supervisory authority. If the data are not collected from the data subject, the latter will have the right to access all the information available regarding their origin, confirmation of the existence of an automated decision-making process, including the profiling processes referred to in Article No. 22 of the GDPR, and, at least in such cases, significant information on the logical procedures adopted, as well as the importance and expected consequences of such processing for the data subject. The data subject will have the right to withdraw their consent at any time, without prejudice to the lawfulness of the processing resulting from their prior consent. Where applicable, the data subject is also entitled to exercise the rights set out in Articles No. 16-21 of the GDPR (right of rectification, right to be forgotten, right to restriction of processing, right to data portability, right to object), as well as the right to lodge a complaint with the Supervisory Authority.

12 – How to exercise your rights

Data subjects may exercise their rights at any time by sending: a registered letter, with return receipt, to the registered offices of the tomatopiu s.r.l. company or an email to gdpr@tomatopiu.com

13 – Data Controller and Data Protection Officer („DPO”) contact information.

The Data Controller is identified as the company tomatopiu s.r.l., VAT number: IT 03790430981, whose head offices are located in Borgosatollo (BS) at Via Ferri, 61/63/65, Post Code 25010.

The Data Protection Officer is identified as Mr Daniele Rossi. Both subjects (Data Controller and DPO) can be contacted by sending a registered letter, with return receipt, to the address of the registered office of the Data Controller, or by e-mail at gdpr@tomatopiu.com. The updated list of data managers and data processors is held at the Data Controller’s registered office.