Navigate to...
Immediate Maximum: Il tuo partner ideale per investimenti sicuri e redditizi

Privacy

WELCOME

Welcome to the website www.farfisa.com (hereinafter also referred to as "the Website").

This privacy notice aims to specifically and comprehensively illustrate how your personal data are processed during your visit to and use of the website www.farfisa.com.

This notice, together with other information provided by Aci s.r.l. on the Website and its official channels, constitutes an integral part of the overall Privacy Policy of Aci s.r.l..

DATA CONTROLLER

The Data Controller of the Website and of the data processing is Aci s.r.l. (hereinafter also “the Controller”), with registered office in Osimo (AN) in Via Ezio Vanoni, 3 · 60027 Osimo (An) · ITALY, C.F.: 00759300676, P. I.V.A.: 001309100426, T +39 071.7202038, email: privacy@farfisa.com, acifarfisa@pec.farfisa.com.

SOURCE OF DATA

With regard to the processing described in this privacy notice, the data subject provides the data to the Controller.

DATA PROCESSORS AND THIRD-PARTY RECIPIENTS OF DATA

The Controller has also appointed external Processors to whom certain processing activities have been partly delegated, providing them, on a case-by-case basis, with specific instructions regarding the processing of data subjects’ personal data, each within the limits of their respective competences.

As required by the Transparency Guidelines WP 260/2017, where the Controller chooses to specify categories of processors and, more generally, recipients of data, it must justify why it considers this approach appropriate and, in any case, the reference to categories must not be generic but specific, referring to the activities performed, sector, industry, and territorial location of the identified recipients by category

In this perspective, the Controller deems the approach by categories of communication recipients correct in this case, as providing a nominative list of suppliers and subcontractors would be excessive and would make the privacy notice prone to obsolescence in case of any changes.

The appointed Processors are entities providing instrumental services to the Controller’s business and belong to the following categories:

  • legal and tax consultancy firms (accountants),
  • companies providing management or hosting services,
  • technology and web services companies (mailing list services, marketing automation),
  • shipping services (e.g., couriers and freight forwarders).

The list of external processors pursuant to Art. 28 GDPR, subject to continuous updating, is available at the Controller’s registered office.

In the aforementioned cases, Aci s.r.l. may communicate your personal data to these categories for the data processing activities it carries out.

Besides the Processors, the Controller may communicate data to autonomous third-party Controllers when such communication is mandatory by law or necessary for the Controller to properly fulfill contractual services (e.g., credit institutions for payment processing), pre-contractual or post-contractual obligations (e.g., technical assistance, customer support requests, or complaint handling).

As required by the WP 260/2017 Guidelines, the following indications are provided regarding the recipients of the data communication based on the relevant obligations (mandatory indication – where possible – of entities and subjects receiving data communication, including external processors, joint controllers, and internal managers):

  • Public Authorities for the performance of institutional functions within the limits established by law or regulations;
  • Third-party service providers when communication is necessary for the provision of website functions or the fulfillment of contractual obligations with the Controller, for compliance with legal obligations or for the protection of our rights;
  • Authorized personnel.

Where necessary, recipients have been appointed as data processors. Personal data will not be sub-ject to dissemination.

PROCESSING – PURPOSES – LEGAL BASES – RETENTION

A) SECTION “REQUEST INFORMATION”

Data processed: first name, last name, email address, postal address, telephone number.

Purpose: Visitors to the Website can contact Aci s.r.l. not only through traditional channels (tele-phone, email) but also via the “Request Information” section accessible from this link, where users can fill out a contact form to request information or assistance from Aci s.r.l. In this case, the data are voluntarily entered and provided by the user who chooses to contact the Data Controller. The fields allow the insertion of identifying and contact data as well as the subject of the request.

Legal basis:

  1. Pre-contractual/contractual measures (Art. 6(1)(b) GDPR): for example, purposes such as requests for quotes, assistance regarding products already purchased or payments, complaints, offers, or correspondence from suppliers and generally any communication addressed to the company. Where the data subject has an ongoing contractual relationship, data will be processed for the duration of the contract and, thereafter, for a maximum of 10 years; otherwise, they will be deleted after 6 months.
  2. Legitimate interest (Art. 6(1)(f) GDPR): for example, the necessity for the Data Controller to: defend its own rights; respond to a request.

Retention period: Unless other legal bases justify further retention, data collected for pre-contractual purposes or to respond to requests will be retained, in the absence of contract conclusion, for six months, while in case of an existing contract with the Data Controller, for ten years following its termination.

Given the Data Controller’s strong commitment to the principles of minimization, proportionality, and other GDPR-imposed principles, processing carried out for legitimate interests is considered proportionate to the rights of the data subject. In particular, those intending to send requests for information, curricula vitae, or other documents containing personal data are invited to carefully consider the information provided in this document concerning the processing of their data contained in the transmitted documents. Only in this way will data processing be performed knowingly and consciously. The Data Controller specifically informs that the GDPR and the Privacy Code (Legislative Decree 196/03 and subsequent amendments) provide that sensitive and socalled “special catego-ries” of data (i.e., personal data revealing racial or ethnic origin, political opinions, religious or philo-sophical beliefs, or trade union membership, as well as genetic data, biometric data uniquely identifying a natural person, data concerning health, sexual life, or sexual orientation) may normally be lawfully processed only with the consent of the data subject or other specific legal bases. However, in the case of unsolicited submission of curricula vitae, prior consent cannot be obtained from individual users who first contact the Data Controller. For this reason, and because the Data Controller is committed to lawful and transparent processing of information, all those intending to transmit their data are advised not to include any sensitive and/or special category data in their submissions or, alternatively, to provide their explicit consent by means of a signed declaration attached to the email along with an identity document.

With regard to processing deriving from the use of forms contained in the “Request Information” section, the user is naturally free to provide personal data, and failure to use this platform will in no way affect Aci s.r.l.’s compliance with obligations arising from existing contractual sources, other legitimate interests, or legal requirements. The failure to provide the above personal data may only result, in these cases, in Aci s.r.l.’s inability to respond to the users’ requests.

B) “CUSTOMER SATISFACTION” SECTION

Data processed: type of customer, email, first and last name, company name, email, address.

Purpose: Through the Website, at the page “Customer satisfaction”, it is possible to communicate to the Data Controller your degree of satisfaction regarding the products purchased, so that the Data Controller may take it into account to offer the Customer new solutions or provide additional services beyond those already purchased.

Legal basis: The legal basis for this processing is the following: Consent (Art. 6(1)(a) GDPR) – which will always be expressly given (by means of an “opt-in” option), freely, voluntarily, revocable at any time, informed, and granular by the user.

Retention period: Unless other legal grounds apply, data collected for this purpose will be deleted 24 months after provision.

C) “SUBSCRIBE TO THE NEWSLETTER” SECTION

Data processed - email, identifying and contact data.

Purpose - On the Website, the User may also, based on an additional express, free, informed, and always revocable consent, subscribe to Aci s.r.l.’s newsletter to receive commercial information, offers, and promotions.

The purpose, in this case, is direct marketing, which is the basis of the Data Controller’s promotional activities.

With your optional consent, given by selecting the specific consent box available in the dedicated sections of the Website (opt-in) or by ticking the appropriate box in paper-based privacy notices, we will process your data for marketing purposes (sending advertising materials, conducting market research, commercial communication, customer satisfaction surveys) and send advertising information, offers, and promotions related to our products and services via mail, email, and/or SMS/MMS.

You may freely and without charge revoke your consent to the processing of personal data for marketing purposes at any time, also selectively (for example, by communicating that you no longer wish to receive communications by email but want to receive communications by other contact methods).

With regard to promotional communications sent by email, you may revoke your consent to the processing of your email address for marketing purposes also by clicking on the unsubscribe link (opt-out) included in each promotional email.

For transparency purposes, and as required by the WP259 Guidelines on consent pursuant to the Regulation issued by the European Data Protection Board, as an exception to the rule of granularity of consent (i.e., requesting as many consents as there are purposes and distinct processing operations), it is noted that these Guidelines authorize a single consent “covering multiple processing operations, where such processing operations pursue a set of unified purposes.” Furthermore, according to Recital 32 of the Regulation, a single consent may apply “to all processing activities carried out for the same purpose or purposes.” The purposes specifically indicated above objectively refer to the pursuit of a unified purpose, even if the processing operations differ, which is commercial promotion and marketing in a broad sense. Consequently, by providing a single consent to Marketing Purposes processing, the data subject specifically acknowledges the homogeneous and diverse promotional, commercial, and marketing purposes detailed above (including related administrative and management activities) and expressly authorizes such processing and purposes, whether the means used for Marketing Purposes processing are telephone operators or other non-electronic, non-online, or not supported by automatic, electronic, or telematic mechanisms and/or procedures, or whether the means used are email, fax, SMS, MMS, automated systems without operator intervention, and similar, including electronic platforms and other telematic means.

Marketing Purposes processing includes both the processing and purposes pursued by the Controller during the contract term and those following contract termination, for any reason, aimed at sending unsolicited communications inviting the data subject to renew the contract using any of the above means (telephone operator, non-electronic or non-telematic means, or not supported by automat-ic/electronic/telematic mechanisms or procedures, email, fax, SMS, MMS, automated systems with-out operator intervention, and similar, including electronic platforms and other telematic means).

Naturally, the data subject’s right to object to the processing of their personal data for “direct mar-keting” purposes through the above-mentioned automated contact methods shall in any case extend to traditional methods as well, and even in that case, it remains possible to partially exercise this right, either with respect to certain means or specific processing operations.

In order to comply with privacy obligations simplification principles pursuant to the General Provision of the Data Protection Authority dated 15.5.13 cited above, the Controller informs the Customer that the specific consent formula available according to the consent collection procedure adopted from time to time will be unified and comprehensive and will refer to all possible marketing processing means listed above, without prejudice to the data subject’s right to express a different choice regarding the use of certain means and not others for receiving marketing communications, by simply sending an email to the Controller.

To proceed with Marketing Purposes processing, it is mandatory for each Data Controller to obtain from the data subject an informed, free, unequivocal, specific, separate, explicit, documented, prior, and fully optional consent.

In a spirit of absolute transparency, the Controller summarizes in greater detail the purposes of the processing:

  • to send advertising and informational materials (e.g., newsletters), promotional or otherwise commercial solicitations;
  • to carry out direct sales or placement activities of the Controller’s products or services;
  • to send commercial information or conduct interactive commercial communications also pursuant to Legislative Decree 206/05 by means of email;
  • to perform studies, research, and market statistics, even in identifiable form.

By giving optional consent, the data subject specifically acknowledges and authorizes such pro-cessing and/or processing aimed at the homogeneous but distinct purposes set forth here. In any case, even where the data subject has given consent to authorize the Controller to pursue all Marketing Purposes, they will remain free at any time to revoke it via our website by accessing their personal area with their credentials. Following any revocation of consent by the data subject, the Controller will promptly remove and delete the data from databases used for Marketing Purposes processing and will notify any third parties to whom the data were communicated for such deletion purposes.

Legal basis - The legal basis is consent (Art. 6(1)(a) GDPR) – which will always be expressly given (by means of an “opt-in” option), freely, voluntarily, revocable at any time, informed, and granular by the user.

Retention period - Aci s.r.l., in full compliance with the data minimization principle, will process data for this purpose until consent is revoked or, in any case, for no longer than 24 months, at which point the User will be automatically unsubscribed from the newsletter and may request a new subscription with renewed and autonomous consent.

Effects of failure to provide consent - Failure to give consent for newsletter subscription will not in any way have detrimental effects on the User, nor will it prevent the Controller from processing data on other legal bases.

E) COOKIES (REFERENCE)

The Controller has prepared a specific privacy notice relating solely to the use of cookies and specif-ic technologies, available here.

PLACE OF PROCESSING AND TRANSFER OF DATA OUTSIDE THE EEA

The Farfisa website uses the hosting service of Vianova s.p.a., acting as Data Processor, whose do-main and server information can be consulted at this link: https://whois.domaintools.com/farfisa.com.

Data processing may also take place, for each area of responsibility, at other entities (e.g., Facebook, TeamViewer, Paypal), specifically appointed as Data Processors (where required by the GDPR) or operating as independent Data Controllers.

In some cases, data may be transferred outside the European Economic Area: for example, this may happen if some providers (e.g., Google) use servers located outside that area. The Controller ensures, in any case, to select Providers who guarantee that the transfer occurs under at least one of the conditions provided for by Chapter V of the GDPR.

For greater transparency, below is a link to the European Commission adequacy decision related to EU-USA data transfers, the socalled "Data Privacy Framework," a self-certification system ensuring that US companies adhering to it comply with data protection standards recognized as adequate by the European Union and to which most of the Controller’s partners adhere (e.g., Google, Face-book): Adequacy Decision.

Also provided here is a link to the standard contractual clauses applied at European level in the case of cross-border data transfers, which some of our partners have adopted: Standard contractual clauses.

SECURITY MEASURES

The Controller processes personal data based on security obligations relating to data processing pursuant to Article 32 GDPR.
To ensure an adequate level of data protection aimed at limiting the risk of improper or unlawful use, technical and organizational measures have been implemented respecting internationally recognized standards, including, by way of example:

  • HTTPS protocols for browsing;
  • encryption where possible;
  • protection of IT systems through updated professional antivirus and firewalls;
  • backup procedures;
  • periodic changes of access credentials;
  • ongoing training;
  • physical security measures for storing paper documents;
  • proper supplier selection.

The list of security measures is available at the Controller's registered office.

DATA SUBJECT RIGHTS

The Data Subject has the following rights:

Right of Access

  • The Data Subject may request at any time information about the data processed by the Controller.
  • Such information includes, among other things, the categories of data processed, the purposes of processing, the origin of the data if collected from third-party sources, as well as the recipients to whom the Controller may transfer the data, if applicable.
  • The Data Subject may receive a free copy of the data. For additional copies, the Controller reserves the right to charge a fee.

Right of Rectification

  • The Data Subject may request correction of their data.
  • The Controller adopts adequate measures to ensure that data is kept accurate, complete, up-to-date, and relevant, based on the most recent information.
  • To rectify their data, including changes to consents previously granted for secondary processing purposes, the Data Subject may also access their personal area using their credentials.

Right of Integration

The Data Subject has the right to obtain the completion of incomplete personal data, also by providing a supplementary statement.

Right of Deletion

The Data Subject may request the deletion of their data. This may occur:

  • if the data are no longer necessary for the purposes for which they were collected or other-wise processed;
  • if the Data Subject withdraws consent on which the data processing is based, and no other legal basis exists;
  • if the Data Subject objects to the processing and there are no overriding legitimate grounds for the processing, or if they object to processing for direct marketing purposes;
  • if the data have been unlawfully processed;
  • if the data must be deleted to comply with a legal obligation.

Exceptions remain if processing is necessary:

  • to comply with a legal obligation requiring data processing, particularly regarding document retention periods prescribed by law;
  • for the establishment, exercise, or defense of legal claims.

Right to Restriction

The Data Subject may obtain restriction of the processing of their data. This right can be exercised, for example:

  • if the accuracy of the data is contested, for the period necessary for the Controller to verify the accuracy;
  • if the processing is unlawful and the Data Subject opposes deletion, requesting restriction instead;
  • if the Controller no longer needs the data but the data are required for the establishment, exercise, or defense of legal claims;
  • if the Data Subject has objected to processing pending verification whether the Controller’s legitimate interests override theirs.

Right to Object

The Data Subject may object at any time, for reasons related to their particular situation, to the processing of their data pursuant to Article 6(1)(e) or (f) GDPR, or if the data are processed for direct marketing purposes.

In such case, the Controller will no longer process the Data Subject’s data unless the Controller demonstrates compelling legitimate grounds that override the interests, rights, and freedoms of the Data Subject, or if necessary for legal claims.

Right to Data Portability

  • The Customer has the right to receive a structured, commonly used, and machine-readable copy of the data previously provided directly to the Controller.
  • Only personal data that (a) relates to the Data Subject, and (b) has been provided by the Data Subject to the Controller is portable. Data portability includes the right of the Data Subject to receive a subset of their personal data processed by the Controller and to store it for further personal use. Such storage may be on personal media or private cloud, without necessarily transmitting the data to another Controller.
  • Portability is an integration and strengthening of the right of access to personal data, also provided under Article 15 of the Regulation.
  • If the Customer requests portability along with the direct transmission of their data to another Controller, this right is subject to technical feasibility: Article 20(2) GDPR provides that data may be transmitted directly from one Controller to another upon request of the Data Subject, where technically feasible.
  • Technical feasibility of transmission from one Controller to another must be assessed case by case. Recital 68 clarifies that Controllers are not obligated to adopt or maintain technically compatible processing systems.
  • Therefore, direct transmission can occur if secure communication between the systems of the two Controllers (sending and receiving) is possible and if the receiving system can technically receive incoming data.
  • If technical impediments prevent direct transmission, the Controller will fully inform the Data Subject and provide a detailed explanation.
  • Regarding interoperability of formats for portability, the Controller will comply with paragraph 1021(b) of Law 205/2017 (“presence of adequate infrastructure for interoperability of formats with which data is made available to Data Subjects”) within limits clarified by the WP242 guidelines on data portability issued by the European Data Protection Board (“The expectation is that the Con-troller transmits personal data in an interoperable format, but this does not impose any obligation on other Controllers to support such format”).
  • Controllers complying with portability requests have no specific obligation to verify data quality before transmission.
  • Portability does not impose any further obligation on the Controller to retain data beyond what is necessary or specified.
  • In particular, it does not require retaining personal data solely to comply with a potential portability request.
  • Exercising the right to data portability (or any other GDPR right) does not affect any other rights.
  • The Data Subject may continue to use and benefit from the service offered by the Controller even after a portability operation.
  • Portability does not automatically delete data stored in the Controller’s systems and does not affect the original retention period for the data transmitted.

Right to Withdraw Consent at Any Time

If processing is based on consent. Withdrawal of consent does not affect the lawfulness of processing based on consent given before withdrawal.

Right to Lodge a Complaint with the Supervisory Authority

If the Data Subject considers the Controller’s response unsatisfactory to any request or complaint, they have the right to lodge a complaint with a competent data protection authority pursuant to Article 77 GDPR.

The Controller will normally process requests within 30 days. This period may be extended for reasons related to the specific right or complexity of the request.

In certain situations, due to legal obligations, the Controller may not be able to provide information about all data.

If the Controller must deny a request, it will explain the reasons for the refusal.

The Data Subject may exercise rights as long as processing by the Controller continues.

The address for exercising rights under Articles 15 to 22 of EU Regulation 2016/679 is: privacy@farfisa.com

Last update: August 5, 2025

Data Controller: ACI s.r.l.

ACI srl Via Ezio Vanoni, 3 · 60027 Osimo (An) · ITALY
T +39 071.7202038 | F +39 071.7202037 | P.I. 01309100426
info@farfisa.com