Privacy Policy


The company CEBORA S.p.A, with registered office in Via Andrea Costa, 24 City Cadriano di Granarolo 40057,  VAT IT 00521371203  (hereinafter, "Controller"), as data controller, according to D.Lgs. 2003/196 art. 13 (hereinafter, "Privacy Code") and Regulation (EU) 2016/679 art. 13 (hereinafter, "GDPR") informs you that your data will be processed in the manner and for the following purposes:

  1. Object of the Processing

The Controller processes personal identification data (such as for example name, surname, company name, address, telephone number, e-mail address, password, bank and payment details) - hereinafter, "personal data" or "data") from You supplied in occasion of the conclusion of contracts for the services of the Controller.

  1. Purpose of the processing

Your personal data are processed:

  1. A) without your express consent (Article 24 letter a), b), c) Privacy Code and art. 6 lett. b), e) GDPR), for the following Service Purposes:

         - finalize contracts for the Controller services;

        - fulfill the pre-contractual, contractual and tax obligations deriving from existing relations with you;

        - fulfill the obligations established by law, by a regulation, by community legislation or by an order of the Authority (such as concerning the anti-money laundering);

       - exercise the rights of the Controller, for example the right of defense in court;

Please note that your data will be communicated to third party suppliers of the products, exclusively for the purpose of providing the guarantee of the products purchased.

  1. B) Only subject to your specific and distinct consent (Privacy Code articles 23 and 130 and GDPR article 7, for the following Marketing Purposes:

- send via e-mail, mail and / or sms and / or telephone contacts, newsletters, commercial communications and / or advertising material concerning products or services offered by the Controller and recognition of the satisfaction level on the quality of services;

  1. Processing methods

The processing of your personal data is made though the operations indicated in Privacy Code art. 4 and 2) GDPR and more precisely: collection, registration, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of data. Your personal data are subjected to both paper and electronic and / or automated processing.

The Controller will process the personal data for the time necessary to fulfill the aforementioned purposes and anyway for no more than 10 years from the termination of the Service Finality relationship and no later than 2 years from the collection of data for the Marketing Purposes.


  1. Access to data

Your data may be made accessible for the purposes referred in art. 2.A) and 2.B):

- to employees and collaborators of the Controller, in their quality of authorized persons and / or Processor and / or system administrators;


  1. Data communication

Without the need for express consent (according to Privacy Code Article 24 letter a), b), d) and GDPR art. 6 let. b) and c), the Controller may communicate your data for the purposes as refers to art. 2.A) to Supervisory Bodies, Judicial Authorities, to insurance companies for the provision of insurance services, as well as to those subjects to whom the communication is compulsory by law for the fulfillment of said purposes. These subjects will process the data in their quality of independent data controllers. Your information will be communicated to Distributors exclusively in order to provide a warranty. Your information will not be disseminated.

  1. Data transfer

Personal data may be stored on servers located either within the European Union or outside, according to limits and conditions described by art. 42 and ss. of lgs. 196/03 and art.44  and ss. of 2016/679 EU Regulation, in order to comply to purposes related to the mentioned transfer. In particular, personal data will be transferred to: - in respect of third parties who collaborate with the Data Controller for the performance of contractual and pre-contractual obligations between the parties (art. 43 lett. b d. lgs. 196/03 e art. 49 comma 1 lett. b) e c) Reg. UE 2016/679; - third countries for which an adequacy assessment has taken place (Art. 44 b) d. lgs. 196/03 and art. 45 Reg. UE 2016/679); -  third parties who have contractually bound themselves to the respect of the principles in force in this matter (Data Transfer Agreement) (Art. 44 lett. a) d. lgs. 196/03 e art. 46 comma 2 lett. c) del Reg. UE 2016/679); - to third countries or international organisations which have provided adequate guarantees and with which the person concerned has enforceable rights and means of remembrance (Art. 46 Reg. EU 2016/679).

  1. Nature of the data provision and consequences of refusal to reply

The data provision for the purposes referred to in art. 2.A) is compulsory. In their absence, we cannot guarantee the services of the art. 2.A).

The data provision for the purposes referred to in art. 2.B) is optional. You can therefore decide not to give any data or to subsequently deny the possibility of processing data already supplied: in this case, you will not receive any newsletters, commercial communications and advertising material concerning the Services offered by the Controller. However, you will continue to be entitled to benefit the Services referred to in art. 2.A).


  1. Rights of the data subject

In your capacity of data subject, you have the rights expressed in the Privacy Code art. 7 and GDPR art. 15 and precisely the rights of:

  1. obtain confirmation of the existence or not of personal data concerning you, even if not yet registered, and their communication in an intelligible form;
  2. obtain the indication: a) of the personal data origin; b) of the processing purposes and methods; c) of the logic applied in case of processing carried out with electronic instruments; d) of the identification details of the owner, the managers and the designated representative according to Privacy Code art. 5, paragraph 2 and GDPR art. 3, paragraph 1; e) the subjects or subjects categories to whom the personal data may be communicated or who may become aware of it in their capacity as designated representative in the territory of the State, managers or persons authorized;

iii. obtain: a) updating, rectification or, when interested, integration of data; b) the cancellation, transformation into anonymous form or blocking of data processed unlawfully, including data whose retention is unnecessary for the purposes for which the data were collected or subsequently processed; c) the attestation that the operations referred to in letters a) and b) have been brought to the attention, also as regards their content, of those to whom the data have been communicated or disseminated, except in the case where such fulfillment is impossible or involves an use of means manifestly disproportionate to the protected right;

  1. to object, in whole or in part: a) for legitimate reasons, to the processing of personal data concerning you, even if pertinent to the collection purposes; b) to the processing of personal data concerning you for the purpose of sending advertising material or direct sales or for carrying out market research or commercial communication, with the use of automated call systems without the intervention of an operator by e-mail and / or through traditional marketing methods by telephone and / or paper mail. Please note that the right of opposition of the data subject, as aforesaid in point b), for direct marketing purposes with automated methods extends to traditional ones and that in any way the possibility remains for the data subject to exercise the right to object even only partially. Therefore, the data subject can decide to receive only communications using traditional methods or only automated communications or none of the two types of communication.


Where applicable, it also has the rights referred to in GDPR Articles 16-21 (Right to rectification, right to erasure/“right to be forgotten”, right to restriction of processing, right to data portability, right to object), as well as the right to complaint to the Data Protection Authority.


  1. How to exercise rights


You can exercise your rights at any time by:

- sending a registered mail with return receipt to Cebora S.p.A. Via Andrea Costa, 24, 40057 Granarolo dell'Emilia BO, Italia;

- sending an email to


  1. Controller, Processors and authorized persons


The Data Controller is Cebora S.p.A.

The updated list of data processors and authorized persons is kept at the registered office of the Data Controller.