NOTICE PURSUANT TO ARTICLE 13 OF EU REGULATION 679/2016
Website and contact section
Ver. April 2026
Introduction
For Kedrion S.p.A., the security of your personal data is particularly important; for this reason, such data are collected and processed with the utmost care and attention, while specific organizational and technical measures are adopted to ensure full security of the processing.
We therefore inform you, pursuant to Article 13 of European Regulation 2016/679 (in English, “General Data Protection Regulation” and hereinafter also “GDPR”) and Legislative Decree 196/2003 (the so-called “Privacy Code”), as amended by Legislative Decree 101/2018 (hereinafter also the “Applicable Law”), that the processing of personal data described in this Notice takes place in a manner suitable to guarantee its security and confidentiality.
Accordingly, this information does not concern other websites, pages, online services or social networks that may be reached through links contained within the website but referring to external resources.
We inform you at the outset that, should you transmit personal data relating to third parties, you undertake to inform such persons of the processing of personal data referred to in this Notice and, where necessary, to obtain their consent to such processing.
1. Data Controller
The Data Controller is Kedrion S.p.A., with registered office at Loc. Ai Conti snc, Castelvecchio Pascoli, 55051 – Barga (LU), Italy.
Contact details: e-mail: [email protected]
2. Contact details of the Data Protection Officer
The Data Protection Officer (the “DPO”) may be contacted by data subjects for all matters relating to the processing of their personal data and the exercise of rights arising from the GDPR at the following contact details: a) e-mail: [email protected], b) telephone number: […]
3. Purposes and legal bases of processing, nature of the provision of data
| | Purpose of processing | Legal basis of processing | Nature of the provision of data |
|---|---|---|---|
| a) | Browsing the website, obtaining anonymous statistical information on its use, as well as monitoring its proper functioning and identifying any malfunctions and/or misuse. | Legitimate interest of the Data Controller pursuant to Article 6(1)(f) of EU Regulation 679/2016. | Necessary in order to browse the website; failure to provide the data makes it impossible to browse the website. |
| b) | Handling your contact request submitted by e-mail to Kedrion S.p.A. or through the relevant contact form. | Performance of pre-contractual measures pursuant to Article 6(1)(b) of EU Regulation 679/2016. | Necessary in order to contact the Data Controller; failure to provide the data makes it impossible to send the contact request. |
| c) | To establish, exercise or defend a right of the Data Controller. | Legitimate interest of the Data Controller pursuant to Article 6(1)(f) of EU Regulation 679/2016. | Where personal data are provided for the purposes set out above, they may also be processed for these purposes. |
Cookies
With regard to cookies, please refer to the cookie policy available on this website.
4. Personal data processed
The personal data processed in connection with browsing the website include parameters relating to the operating system and IT environment you are using, including the IP address, location (Country), the computer’s domain names, the URI (Uniform Resource Identifier) addresses of the resources requested on the website, the time of the requests, the method used to submit requests to the server, the size of the file obtained in response to a request, the numerical code indicating the status of the response given by the server (successful, error, etc.), and so on. This information is collected by the website and allows it to function.
The personal data processed in relation to the “contacts” section are: first name, last name, e-mail address, and any other information voluntarily sent by you to the Data Controller.
The same categories of personal data may also be processed, where necessary, to establish, exercise or defend a right in judicial or extrajudicial proceedings.
5. Retention period of personal data
Personal data relating to browsing purposes are deleted immediately after processing, unless it is necessary to identify those responsible in the event of hypothetical cyber offences to the detriment of the website or third parties.
Personal data relating to contacts are processed for the time necessary to handle your request and in any event for no longer than one year from receipt thereof.
Where necessary for the protection of a right of the Data Controller, personal data will be retained for the entire duration of the out-of-court procedure and/or judicial proceedings and for the time necessary to enforce any resulting measure.
6. Recipients of personal data
The following categories of persons may have access to personal data:
a. Within the organizational structure of the Data Controller, within the limits and in accordance with their respective duties, and only where necessary for the pursuit of the purposes indicated above, the persons designated as processors pursuant to Article 2-quaterdecies of Legislative Decree 196/2003 or the persons authorized to process data pursuant to Article 29 of EU Regulation 679/2016. Such persons act on the basis of specific instructions provided by the Controller in order to process your personal data securely;
b. Entities appointed as data processors pursuant to Article 28 of EU Regulation 679/2016 which process personal data on behalf of the Controller for specific purposes (e.g., website support and hosting service providers). Such entities act on the basis of a specific contract aimed at processing your personal data securely.
You may request the complete list of such persons by sending a request to the Data Controller at the contact details indicated in this notice.
If necessary to protect a right or interest of the Data Controller, or where required by law, your personal data may be disclosed to administrative and judicial authorities, acting as independent data controllers.
7. Transfer of personal data to countries outside the EEA
The Data Controller may transfer personal data to countries outside the EEA to companies belonging to the Kedrion Group, in compliance with the safeguards provided for by applicable law.
Should any of the third parties described in the preceding paragraph be established in, or use cloud services located in, countries outside the European Union, please note that such countries offer an adequate level of data protection, as established by specific decisions of the European Commission.
Transfers of personal data to third parties resident or located in countries that are not members of the European Union and that do not ensure adequate levels of protection will be carried out only with the data subject’s consent or following the execution between the Company and such parties of specific agreements containing safeguard clauses and appropriate guarantees for the protection of personal data, the so-called “standard contractual clauses”, also approved by the European Commission, or where the transfer is necessary for the conclusion and performance of the contract between the Company and the data subject or for handling the data subject’s requests.
8. Rights of the data subject
Please note that you are entitled to exercise the following rights in relation to the personal data covered by this notice, as provided for and guaranteed by the Regulation:
a. Right of access and rectification (Articles 15 and 16 of the Regulation): you have the right to access your personal data and request that they be corrected, amended or supplemented. If you wish, we will provide you with a copy of the data we hold about you.
b. Right to erasure (Article 17 of the Regulation): in the cases provided for by applicable law, you may request the erasure of your personal data. Once we have received and assessed your request, we will cease the processing and erase your personal data where the request is found to be legitimate.
c. Right to restriction of processing (Article 18 of the Regulation): you have the right to request restriction of the processing of your personal data in the event of unlawful processing or if the accuracy of the personal data is contested by the data subject.
d. Right to data portability (Article 20 of the Regulation): you have the right to request and obtain your personal data from the Data Controller in order to transmit them to another controller, in the cases provided for by the above article.
e. Right to object (Article 21 of the Regulation): you have the right to object at any time to the processing of your personal data carried out on the basis of our legitimate interest, by explaining the reasons justifying your request; before accepting it, the Company must assess the reasons for your request.
f. Right to lodge a complaint (Article 77 of the Regulation): you have the right to lodge a complaint with the competent Data Protection Authority if you believe that a violation of your rights relating to the processing of your personal data has occurred or is ongoing.
You may exercise your rights at any time by writing to the Data Controller at the contact details indicated in this notice.
9. Organizational and technical security measures pursuant to Article 32 of EU Regulation 679/2016
The Company adopts adequate and preventive security measures aimed at safeguarding the confidentiality, integrity, completeness and availability of the data subject’s personal data. Technical, logistical and organizational measures are put in place with the objective of preventing damage, including accidental loss, alteration, improper use and unauthorized access to the processed data.
10. Changes to this notice
This privacy notice may be amended and supplemented over time as may be necessary due to new legislative measures on personal data protection or changes/evolution in the Controller’s operations.