as per Article 13 of EU Regulation 2016/679, General Data Protection Regulation (“Regulation” or “GDPR”)

This information notice is provided according to Article 13 of EU Regulation 2016/679, General Data Protection Regulation (“GDPR”) in relation to the processing of personal data collected within or through the website and any subdomain (the “Website”), owned and managed by ILLVA Saronno S.p.A..

Third-party websites that are possibly linked to in this Website are regulated by a separate privacy policy and they are in no way linked to this information notice.

This information notice applies to all users interacting with the pages of the Website.

All users are invited to read this information carefully.



Via Archimede, 243
21047 Saronno (VA)
VAT no. 02649100126
(“Company” or “Data Controller”)



In addition to the provisions set forth in other pages (with particular reference to the “Cookie”), by the Website and the use of the respective features and/or subscription to services offered therein, the following data can be collected and processed:

  • browsing information: they are data that the server collects automatically at every access to the Website, such as IP addresses or domain names of computers used by the users to connect to the Website, URI addresses (Uniform Resource Identifiers) of requested resources, the time of the request, the method used to submit the request to the server, the dimension of the files obtained as an answer, the code number which indicates the answer status supplied by the server (i.e. good result, mistake, etc.) and other parameters related to the operating system and to the users’ IT environment;
  • personal data voluntarily provided by the users: such as name, surname, email address, additional contact data and further data and information provided in messages sent to the contact details of the Company or by filling in the electronic forms therein published.

The Website does not contain any information or feature or service directly offered to users of minor age.
Minors shall not provide information or personal data without the consent of those having parental responsibility.
Users of minor age are invited not to provide any personal data without prior authorization of their parents or by those exercising parental responsibility. In case the Company will be notified that personal data have been provided by a minor, the Company will immediately delete said data or request appropriate consent by the parents (or by the holder of parental responsibility), reserving the right to prevent any access to the services offered on the Website to any user who hided the minor age or who communicated personal data without consent of the parents (or of the holder of parental responsibility).



The processing of personal data is exclusively carried out for the following purposes:

(i) fulfilment of contractual or pre-contractual obligations (art. 6 lett. B) GDPR) – for the execution of services or for providing information requested through the Website and/or through electronic forms herein posted and for fulfilling all obligations arising out of pre-contractual or contractual relationships with the user and for managing interactions with the users. It is included the newsletter service “ILLVA NEWS” and, consequently, the processing of personal data of the user who spontaneously subscribes to this service, for managing the service and sending the related communications;

(ii) fulfilment of legal obligations (art. 6 lett. c) GDPR)- for the fulfilment of obligations set forth by national and/or European laws or regulations in force, included the Tax area, as well as the fulfilment of orders of the competent entities or authorities;

(iii) on the basis of a legitimate interest of the Company (art. 6 lett. d) GDPR) for the legal defence of a right or interest before any competent authority or entity (even with respect to cybercrime).



The provision of data for the purposes set out in paragraphs (i) (fulfilment of contractual obligations) above is purely optional. However, since the processing of data for such purposes is necessary in order to allow subscribing to the newsletter and for using the online services offered through the Website, the missing, partial or incorrect provision of data will prevent the user, as the case maybe, from registering to the newsletter or from using the services provided online and, in general, will prevent the handling of users’ specific requests.



Data can be communicated to the following categories of subjects (“recipients”):

  • to all those parties (including Public Authorities) having access to the personal data according to law or administrative provisions;
  • to all those public and/or private parties, individuals and/or legal entities to which data must be communicated in compliance with the contract or applicable law.

In addition to the above, in order to pursue the mentioned purposes, personal data may be disclosed to Company’s staff that has been expressly authorized (in particular belonging to the IT and administration offices) and/or to third parties operating on behalf of the Company, such as, by way of example and not limited to:

  • companies, consultants or professionals in charge of the set-up, maintenance, updating and, in general, the management of the Website;
  • companies or professionals in charge of the development and realization and/or of the transmission of informative documents and communications;
  • legal and tax professionals and consultants, statutory auditors and auditing companies or professionals, members of the supervisory body, that will process the personal data in their quality as data processors on behalf of the Company or as independent data controller, as the case maybe and on the basis of the specific relationships with the Company.

In case of transfer of personal data in countries outside the European Union, conditions and requirements set out in the GDPR will be duly complied with. The data will be transferred, therefore, on the basis of requirements provided by GDPR, such as – for example – the adoption of Standard Contractual Clauses approved by the European Commission or by using third parties having operating in countries for which the European Commission issued an adequacy decision.



Personal data will be retained for the entire duration of the contractual relationship and, subsequently, for the period of time allowed by applicable law on statutory or time limitation periods (also with respect to administrative and tax purposes) and, in general, for the time necessary for the exercise of Company’s rights in relation to claims raised by public authorities, public and private entities and subjects.



As a data subject, the user may ask to the Data Controller to exercise the following rights:

Right to access

The user may ask whether or not his/her personal data are processed and, if so, have access to that data and to specific information on the processing, such as information on the purposes, on the categories of personal data concerned, on the existence of other rights as set out below. The user may also request copy of his/her personal data.

Right to rectification

The user has the right to request and to have his/her data rectified in case of inaccuracy or incompleteness.

Right to erasure

The user has the right to have his/her data erased without undue delay if, inter alia, (i) such data are no longer necessary in relation to the initial purposes for which they were collected, (ii) he/she objects to the processing of his/her personal data (as indicated below) and there is no other legitimate and prevailing reason for processing, (iii) user’s data are unlawfully processed, (iv) data shall be deleted for the fulfilment of a legal obligation. This right does not apply if the processing is necessary for, among other purposes, the performance of a legal obligation or for the establishment, exercise or defence of legal claims before the court.

Right to restriction of processing

The user has the right to obtain the restriction of processing, meaning that the processing activity will be suspended for a period of time. The circumstances under which this right can be exercised include cases in which the accuracy of personal data was contested but a period of time is necessary to verify the accuracy of such data.

Right to object

Users have the right to object at any time, for reasons related to their particular situation, to the processing based on a legitimate interest of the Data Controller, unless the Data Controller can demonstrate legitimate and mandatory grounds for processing that prevail on the interests, rights and fundamental freedoms of the data subject or that the data are necessary for the establishment, exercise or defence of legal claims before the court.

Right to data portability

In relation to the cases of (amongst the others) processing carried out by automated means, processing based on consent or based on the fulfilment of contractual obligations, the user has the right to request and receive personal data in a structured, commonly used and machine-readable format and to transmit the data to another data controller. He/she has also the right to request the direct transmission from a data controller to another data controller, where technically feasible, without prejudice to the possibility to obtain the erasure of the data, as indicated above.

The user has the right to present a claim before the Supervisory Authority ( in the cases referred to by Article 77, GDPR, and then when the user believes that the data are processed infringing the law.

The above rights can be exercised by sending without any formality a request to the Data Controller. The request can be sent to the Data Controller via mail or e-mail to the following address


This Privacy Policy can be amended and updated, also depending on modifications of the applicable law provision. The Data Controller therefore invites users to periodically visit the present page for becoming aware of any change or update.


Last update: September 2022.