Information on data processing and protection

Information on data processing and protection
(information to customers – Articles 13 and 14 GDPR)

Pursuant to and for the effects of the combined provisions of the European Regulation 2016/679 (General Data Protection Regulation, hereinafter “GDPR”) and of the Legislative Decree 196/2003 and subsequent amendments (Legislative Decree. 101/2018), the company PANIFICIO NOMELLI SNC NOMELLI GRAZIANO & C in the person of the legal representative Mr. Nomelli Graziano, as Data Controller (hereinafter “Owner”), informs of the following.

Art. 1. Data Controller (the person or company who decides how and why to process the data).
Via Panoramica, 53 – 25040 – Corteno Golgi (BS); Tax code 02944670179 and VAT no. 00708960984
E-mail address:, PEC address:

Art. 2. Purpose and legal basis of the processing: why the data are processed and what is the reason for the processing
As part of one’s work, the acquisition and processing of personal data of customers, including banks, are necessary to correctly execute the provision of the service and / or product requested (by signing the quote, order and / or contract ) and to fulfill the related obligations provided for by the civil and fiscal regulations, therefore consent is not required.
The purposes for which the specific and explicit consent of the interested parties is not required are:
– provide the requested product / service;
– issue estimates, formulate contract proposals, issue invoices, respond to requests from interested parties (for example requests received by e-mail, telephone);
– fulfill the pre-contractual, contractual and tax obligations consequent to this activity of the Data Controller;
– fulfill the obligations established by law, by a regulation, by community legislation or by an order of the Authority;
– exercise the rights of the owner, for example any right of defense in court.
The refusal to provide all or some of the data requested for the purpose a) and / or the indication of incomplete and / or untrue data by the interested parties prevents the Data Controller from fulfilling its obligations.

The legal basis that legitimizes the processing of data is:
• execution of a contract of which the interested party is a party and / or the fulfillment of legal obligations.

Art. 3. Processing methods: how the data is processed
The Data Controller to achieve the purposes of Art. 2 processes common data (e.g. name, surname, company name, e-mail address, telephone number, PEC address, SDI code, bank and payment references, tax code, VAT number).

Unless voluntary communications from the interested parties, the Data Controller does not process particular data pursuant to Art. 9 of the GDPR (e.g. data relating to health, political affiliation, trade union membership, etc.) and / or judicial data pursuant to Art. 10 of the GDPR (e.g. data referring to criminal convictions and / or offenses).

The data are processed within the limits strictly necessary to achieve the purposes referred to in the previous Art. 2, also with the aid of electronic or, in any case, automated means (IT tools) and the processing can also be carried out through the website of the Data Controller. .
In any case, the data processing is carried out with the adoption of all suitable measures to guarantee the security and confidentiality of the personal data of the interested parties, in particular in compliance with the security measures referred to in art. 32 of the GDPR and according to the principles of lawfulness, necessity and proportionality.

Art. 4. Data retention: where and for how long the data is kept
The data are processed and stored at the offices of the Data Controller and on the company tools used (eg computers). All data (paper and digital) are protected by adequate security systems in order to guarantee their confidentiality and protection. All data are physically stored in Italy. Some digital files are stored in cloud systems. The suppliers have been selected in order to guarantee data protection and confidentiality. These devices are physically located within the European Union.
The Data Controller will keep personal data for the time necessary to fulfill the purposes referred to in the previous Art. 2, in particular for the entire duration of the contractual relationship with customers, to fulfill the obligations imposed by current tax and anti-money laundering legislation. Personal data may be kept for a longer period in the event of any disputes, for the entire duration of the same, to allow the exercise of the Data Controller’s right of defense in judicial and extrajudicial proceedings.
The data collected and processed with reference to Art. 2 will be kept for 10 (ten) years from the end of the contractual relationship to process any requests from interested parties.

Art. 5. Data communication and transmission: to whom the data is communicated
The data are not subject to communication and disclosure to third parties, except for the obligations deriving from the law. In fulfillment of these obligations, the personal data, including banking, of customers may be transmitted to third parties who carry out the processing on behalf of the Data Controller in their capacity as external managers appointed pursuant to art. 28 GDPR (by way of example, the accountant for billing data, IT consultants for the technical assistance relationship, etc.).
Personal data may also be disclosed to credit institutions, insurance companies, law firms for the management of any disputes and the exercise of the Data Controller’s right of defense, to the competent public security authorities for investigation and inspection activities. , to employees and / or collaborators of the Data Controller in carrying out their normal work and / or collaboration activities, as persons authorized to process.
The updated list of these subjects is however available at the offices of the Data Controller.
No data is resold to third parties.

Art. 6. Rights of interested parties (Articles 15 and following of the GDPR).
Art. 15 Right of access, including the right to obtain an indication of the retention period of personal data envisaged, or if it is not possible, the criteria used to determine this period. Right to obtain information on the origin of the data collected, as well as the purposes and methods of treatment. Right to lodge a complaint with the Supervisory Authority at any time (Privacy Guarantor: Piazza Venezia nr. 11, 00187 ROME, Tel. +39 06 696771 – PEC:; Art. 16 Right of the interested party to obtain the updating, correction or integration of personal data; Art. 17 Right to cancellation and right to be forgotten; Art. 18 Right to limitation of treatment, when foreseen; Art. 19 Obligation of the holder to notify the rectification, cancellation and / or limitation; Art. 20 Right to data portability, if the technology in place allows it; Art. 21 Right to object, at any time for reasons connected to your particular situation, in the event that the processing is carried out in the exercise of public authority or in the performance of a task of public interest or if the legitimate interest is based of the owner; Art. 22 Right to obtain information on the existence of an automated decision-making process, including profiling.

Art. 7. Instances of the interested parties: how the rights can be exercised
The requests relating to the exercise of the rights referred to in the previous Art. 6 may be presented by the interested parties to the Data Controller by registered letter or PEC (certified electronic mail) to the addresses indicated in the previous Art. 1.
In all cases, interested parties must attach their own valid identity document to the request.