SDR PACK S.p.A.


POLICY RELATING TO THE PROCESSING OF PERSONAL DATA PURSUANT TO ART. 13 – 14 OF REGULATION (EU) 2016/679 AND CONSENT

Pursuant to Regulation (EU) 2016/679 (hereinafter Regulation or "GDPR") and the national legislation in force regarding the protection of personal data, this policy is provided: to natural persons operating in the name and on behalf of the Customers, to the Customer - if a natural person (e.g. sole proprietorship or professional), potential customers, users of the website (www.sdrpack.com), hereinafter also Data Subjects.

1.Data Controller:

SDR PACK S.p.A, with registered office in via Segafredo no. 6 in Rosà (VI), Tax Code 01447990282 – VAT no. 02485550244 Tel 0424 581990, e-mail: info@sdrpack.com

2.Type of data processed

Data provided voluntarily by the user

The personal data processed are collected directly from the Data Subjects or from the company for which they work, on the occasion of pre-contractual activities, the stipulation and performance of the contract. These common data are personal data (name and surname, etc.), contact details (telephone number, e-mail address, etc.). The Data Controller does not process any “sensitive” or “special” data (see art. 9 of the GDPR). The personal data are processed in compliance with the provisions of the GDPR and those of the current Privacy Regulations, using manual, paper, IT and data transmission tools, also automated and in accordance with the principles of fairness, lawfulness and transparency in order to guarantee the security and confidentiality of the data. In particular, the processing can take place through automated systems (such as e-mail or other types of electronic communication) and traditional systems.

Browsing data

During normal use, the computer systems and software procedures used to run this website acquire certain personal data (so-called “log files”), which are implicitly transmitted through the use of Internet communication protocols. This information is not collected in order to identify interested parties but,due to its nature, it might help to identify users through the processing and aggregation of data held by third parties.

This data category includes IP addresses or domain names of the computers employed by users who access the website, the URI (Uniform Resource Identifier) addresses of requested resources, the time of request, the method used to submit the request to a server, the size of the file obtained in reply, the numerical code indicating the response status given by the server (success, error, etc.) and other parameters concerning the operating system and the user’s computer environment.

Such data are used for the sole purpose of obtaining anonymous statistical information on website use and to check that the website is functioning properly. The data may be used to ascertain responsibility in the event of any cybercrimes committed against the website and may be disclosed to Judicial Authorities, if explicitly requested thereby.

This website uses Lead Champion, a service provided by ADChange Srl. Lead Champion collects and analyses data relating to legal entities in order to offer a Business Lead Generation and Marketing Business Intelligence service that automatically recognises the company name and profile of those visiting a website. 

3. Purpose, legal basis of the processing and mandatory provision of the data – The Data Controller processes the personal data:

  1. for purposes strictly related to the management and performance of contracts with Customers (e.g. acquisition of information prior to the stipulation of a contract, provision of services, management of subsequent requests, support, etc.) and for the management of offers (estimates). The provision of personal data for this purpose and the related processing are necessary to the extent that the Data Subjects deem it necessary to disclose them, to ensure the effectiveness of the pre-contractual, performance and support activities carried out by the Data Controller. Such processing operations do not require the consent of the Data Subjects. The legal basis of the processing is the need to stipulate or execute a contract;
  2. in the case of a sole proprietorship or professional, for the purpose of protecting the Data Controller’s assets and rights, such as the acquisition of information relating to the solvency thereof or debt collection. The data are necessary for stipulating the contract. The legal basis of the processing is the legitimate interest of the Data Controller and consent is not required;
  3. for direct/indirect marketing purposes (non-exhaustive example list): sending commercial information and newsletters, communication of promotional initiatives and events organised by the Data Controller or industry partners.

The provision of personal data for these purposes is not mandatory and the related processing requires the consent of the data subjects. Failure to give consent will not affect the service provided but will make it impossible for the Data Controller to send you commercial communications. The legal basis of the processing is the consent expressed.

4. Categories of recipients of the personal data
The personal data, within the limits and for the purposes indicated, may be disclosed or become known to and therefore be processed by:

  1. employees and consultants of the Data Controller,
  2. agents,
  3. companies that provide IT services (website management, internet services),
  4. companies specialising in marketing-related data, etc.),;
  5. forwarders or carriers for the goods to be delivered;
  6. companies specialised in systems to provide information on the solvency of Customers, debt collection companies and/or professionals;
  7. manufacturers of the goods supplied by the Data Controller;
  8. professional and consultants (e.g. lawyers, Board of Statutory Auditors, auditing firm or independent auditor,
  9. subjects who may access the data under the provisions of the law, or of EU regulations, within the limits established by law;

The complete list of recipients is available at the Data Controller’s registered office or may be requested therefrom by e-mail.

5. Data retention period
The personal data in question are processed for the entire duration of the commercial relationship and even subsequently for a maximum of 10 years; for marketing purposes not based on the Controller’s legitimate interest, the data are processed and retained until the consent is revoked. Data used to obtain anonymous statistical information on the use of the website and to check that it is functioning properly are retained for 12 months. 

The data used to ascertain liability in case of any cybercrimes against the website and shared with the Judicial Authorities (purpose of protecting the Controller’s assets and rights, in the case of a sole proprietorship or professional) will be retained until the end of the related litigation, without prejudice to further retention, possibly until the deadline envisaged by mandatory legal rules. 


Data processed for pre-contractual purposes (e.g. for the management of offers and estimates, pre-contractual support) are processed until the possible objection of the data subject, if the Controller deems that its interest does not prevail over that of the counterparty.

6. Transfer of the data abroad
The processing is normally carried out in Italy; for specific business processes personal data may be transferred to non-EEA countries, in which case data protection is assured by specific contractual clauses. 

In the case of transfer to the USA, the transfer is guaranteed by the Adequacy Decision of the EU Commission with regard to the US legislation including the EU-USA Convention with the title Trans-Atlantic Data Protection Framework.

7. Automated decision-making processes
Any automated decision-making process that affects the rights of the data subjects, including profiling, with the exception of any profiling cases mentioned in our Cookie Policy, is excluded.

8. Rights of the data subject
The Data Controller hereby informs you that, with reference to the data provided, as a Data Subject you have the following rights:

  1. to access to data and obtain a copy: obtain confirmation from the Data Controller that the processing of your Personal Data is in progress and, if that is the case, obtain access to the Personal Data and the information required by art. 15 of the GDPR, including, but not limited to: the purposes of the processing, the categories of Personal Data processed, etc.;
  2. rectification: obtain from the Data Controller the rectification of your inaccurate Personal Data as well as, taking into account the purposes of the processing, the supplementation thereof, if they are incomplete, providing adequate documentation;
  3. erasure of personal data: ask the Data Controller to delete your Personal Data, if one of the reasons provided for by art. 17 of the GDPR exists, including, by way of example, if the Personal Data are no longer necessary with respect to the purposes for which they were collected or otherwise processed or if the consent on which the processing of your Personal Data is based has been revoked by you and there is no other legitimate reason for the processing. The Data Controller may not delete your Personal Data: if the processing is necessary, for example, for the fulfilment of a legal obligation, for the establishment, exercise or defence of a right in court;
  4. restriction of processing: obtain the restriction of processing of your Personal Data where one of the following cases provided for by art. 18 of the GDPR applies, including, for example: the dispute regarding the accuracy of your Personal Data, for the period necessary for the Data Controller to carry out the appropriate checks; the right to object to the processing, pending the appropriate checks by the Data Controller on the prevalence of the reasons that legitimise the processing;
  5. the portability of electronic data that are subject to automated processing: obtain from the Data Controller a copy of the Personal Data provided by you in a structured, commonly used and machine-readable format by an automatic device (example: computer and/or tablet); transmit your Personal Data to another subject, Data Controller, without hindrance from the Data Controller and on the basis of your precise authorisations and indications;
  6. object to the processing: stop the processing if this is carried out for the pursuit of a legitimate interest of the Data Controller (including profiling activities), unless there are legitimate reasons to proceed with the processing (reasons prevailing on the interests, rights and freedoms of the data subject), or the processing is necessary for the establishment, exercise or defence in court of a right;
  7. revocation of consent to processing, without prejudice to the lawfulness of the treatment based on the consent acquired before the revocation;
  8. to submit a complaint to the competent supervisory authority: (Italian) Data Protection Authority.

9. Contact information
For any clarification and to exercise their rights, the data subjects may contact the Data Controller by writing to:

SDR PACK SpA
Via Segafredo, 6 - 36027 Rosà (VI)
or by writing an e-mail to
sacchettificiodirosa@pec.it