1. Foreword

The protection of your personal data and the security of your personal data are of great importance to Cromology Italia S.p.A.. For this reason, we collect and process your personal data with the utmost care and attention, adopting at the same time specific and adequate technical and organizational measures to guarantee the full security of the processing.

With this notice, Cromology Italia S.p.A., in its capacity as Data Controller, in compliance with the provisions of Regulation (EU) 2016/679 (hereinafter, “GDPR” or “Regulation”) and Legislative Decree n. 196/2003, as last amended by Legislative Decree n. 101/2018 (hereinafter, “Privacy Code”), wishes to inform you about the purposes and methods of the processing of personal data that will be acquired during your interaction with the websites listed below (hereinafter, also “Websites”) through the simple consultation of them and/or through the use of specific services made available to the user/visitor through the websites themselves.

This policy is provided for the following websites:

Please also read, if you have not already done so, the websites’ Cookie Policy.

2. Definitions

«personal Data»: any information relating to an identified or identifiable natural person («data subject»); an identifiable person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity;

 «processing»: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

«profiling»: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

«controller»: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

«processor»: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

«consent of the data subject»: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

3. Controller

The processing of your personal data is carried out, using manual and automated systems, by Cromology Italia S.p.A. (hereinafter also referred to as “Cromology” or “Controller“), with registered office in Porcari (LU), Via 4 Novembre, 4, 55016, as Controller pursuant to and for the purposes of the GDPR.

For any question or request related to the processing of your personal data you may contact the Company at any time by sending a request to the following references:


Business Name: Cromology Italia S.p.a.

Registered office adress: Porcari (LU), Via IV Novembre n. 4, 55016

Telephone: 800825161


Data protection officer:

4. Type of Data Processed, Purposes and Legal Basis of Processing

The personal data subject to processing will be:

  • Identification data
  • Navigation data
  • (with reference to the site where the possibility of transmitting applications for job positions is provided for) personal data included in the CV transmitted.

The data highlighted above (hereinafter also only “Data“) are collected:

  • during your navigation on the Websites listed above;
  • if you voluntarily decide to provide it in order to contact Cromology Italia S.p.A. through the information request form or for the further purposes specified below, or if you submit your application.

As a general rule, special categories of data under article 9 GDPR or data relating to criminal convictions and offences under article 10 GDPR will not be processed; should it be necessary to process your special data under article 9 GDPR they will only be processed on the basis of your specific consent.

In the table below you will find indications of (i) the purposes and (ii) the legal basis of the processing activities carried out by the Controller, associated with (iii) the specific website by mean of which the personal data is collected.

 PurposeLegal BasisWebsite
AMeasure your experience in using our web services, the services we offer, and to ensure the correct functioning of our web pages and their contents.The processing activity performed for these purposes is based on a legitimate interest of the Controller, and does not require specific consent from the data
BCarrying out direct marketing activities, such as the promotion of products or events carried out through letters, telephone, automated communication systems, e-mail, etc. market and user satisfaction surveys.The processing activity performed for these purposes are carried out with the specific and free consent provided by the user. Except for commercial communications relating to products and/or services similar to those already purchased and/or subscribed to by the user for which the processing is based on a legitimate interest of the Controller (so-called “Soft Spam”)  
CProfiling activities, also by means of automated activities aimed at the analysis of user preferences and choices.The processing activity performed for these purposes are carried out with the specific and free consent provided by the
DManagement of the pre-contractual and contractual relationship, including therefore the registration on the Site through the “contact us” form for requests or questions presented by the data subject. Profile creation for access to dedicated contents.The processing performed for these purposes are based on the contractual and pre-contractual relationships established with the user and does not require specific consent from the person
ESelection of candidates who send their CVs by filling in the appropriate form on the “work with us” page of the Site.Legitimate

Without prejudice to the freedom of the data subject to provide his/her personal data, please note that:

  • The provision of data for the purposes A), D) and E) referred to in paragraph 4 is necessary, and failure to provide the data will make it impossible to use the services offered by Cromology.
  • The provision of data for the purposes of points B) and C) referred to in paragraph 4 is optional. Failure to provide data does not make it impossible to use the services offered by Cromology.

5. Processors and recipients of data

Your personal data are processed exclusively by personnel of the Company specifically authorized and designated pursuant to art. 4, paragraph 10 of the Regulation and art. 2-quaterdecies of the Privacy Code, who have been adequately trained in relation to the regulatory requirements regarding privacy and process data following precise indications from the Controller.

Your personal data will also be transmitted to third parties that we use for the proper provision of our services and products. These subjects have been adequately selected by us and offer adequate guarantee of compliance with the rules on the processing of personal data.

In the event that these subjects process personal data with reference to which Cromology is to be qualified as the Controller pursuant to the Regulation, they have been appointed as Processors pursuant to art. 28 of the Regulation, and are required to carry out their activities according to the specific instructions given by the Company and under its control.

Such third parties may belong to the following categories:

– Cromology Group companies including subsidiaries and affiliates;

– collaborators, suppliers of the Data Controller: the Controller’s suppliers include, by way of example, banking and credit institutions, insurance companies, consultants, shipping managers, software suppliers and related assistance;

– financial administration and other national and/or international bodies for which mandatory communications are envisaged.

A specific and updated list of these subjects is available at the headquarters of the Controller, and can be consulted at the request of the interested party.

It is understood that your personal data will not be disclosed to third parties so that they can use them for their own promotional purposes and will not be disseminated in any way, except for all those subjects whose right to access such data is recognized by virtue of regulatory measures.

6. Extra-EU Data transfer

Personal data will be processed mainly within the European Union, but it may happen that they are transferred, for the pursuit of the purposes referred to in paragraph 4 above, to subjects located in third countries (non-EU) also for intra-group activities.

The transfer of your personal data to third parties resident or located in countries that do not belong to the European Union and that do not ensure adequate levels of protection will be performed only with your consent or after the conclusion of specific agreements between the Company and these subjects, containing appropriate safeguards and guarantees for the protection of your personal data so-called “standard contractual clauses”, also approved by the European Commission, or if the transfer is necessary for the conclusion and execution of a contract between you and the Company or for the management of your requests.

7. Data Retention

We inform you that your data will be stored for a limited period of time, which varies according to the type of processing activity and the specific purposes thereof, as indicated below:

  • Navigation data are deleted – except in the case of detection of illegal activity – no later than 24 hours after their collection;
  • Data collected for marketing purposes will be processed for a period not exceeding 48 months from the date of consent or its renewal, or from the last expression of interest in Cromology’s products and/or initiatives.
  • The data related to the contractual relationship will be kept for the entire duration of the same and at the end – limited to the data necessary at that point – for the fulfillment of any legal obligations and for the needs of protection, including contractual, connected with or arising from it; ordinarily, therefore, the data will not be kept beyond 10 years from the termination of the contractual relationship;
  • Data related to the receipt of CVs from candidates will be kept in the Company’s files for a maximum period of 24 months.

At the end of these periods, your data will be permanently deleted or, in any case, irreversibly anonymized by the Company.

8. Your rights

We inform you that you are entitled to exercise the following rights in relation to the personal data covered by this policy, as provided for and guaranteed by the Regulation:

  • Right of access and rectification (Articles 15 and 16 of the Regulation): you have the right to access your personal data and to request that it is corrected, amended or supplemented. If you wish, we will provide you with a copy of the data concerning you.
  • Right to erasure (Art. 17 of the Regulation): In the cases provided for by the Regulation in force you can ask for the cancellation of your personal data. Received and analyzed your request, it will be our care to cease the treatment and delete your personal data, if found legitimate.
  • Right to restriction of processing (Art. 18 of the Regulation): you have the right to request the restriction of the processing of your personal data in the event of unlawful processing or challenge of the accuracy of your personal data by the data subject.
  • Right to data portability (Art. 20 of the Regulation): You have the right to request and obtain, from the Controller, your personal data in order to transmit it to another Controller, in the cases provided for by the above-mentioned article.
  • Right to object (Art. 21 of the Regulation): You have the right to object at any time to the processing of your personal data carried out on the basis of our legitimate interest, explaining the reasons justifying your request; before accepting it, the Company will evaluate the reasons for it.
  • Right to lodge a complaint (Art. 77 of the Regulation): you have the right to lodge a complaint with the competent Authority for the protection of personal data if you believe that a violation of your rights has occurred or is underway with regard to the processing of your personal data.

With reference to any processing carried out on the basis of your consent, you may revoke this consent at any time, without affecting the lawfulness of the processing carried out before the revocation. Similarly, at any time (and therefore both at the time of providing data and subsequently) you may express your wish not to receive communications of a commercial nature sent to you pursuant to art. 130 of the Privacy Code (“Soft Spam”).

You may exercise your rights at any time with reference to the specific processing of your personal data by the Company.

Without prejudice to what has been expressed so far, we remind you that the above rights may also be exercised by anyone who has an interest of their own, or acts on your behalf, as your representative, or for family reasons deserving of protection, pursuant to art. 2-terdecies of Legislative Decree 101/2018.

These rights may be exercised by e-mail to the mailbox or by regular mail to the address of the Controller, as highlighted in paragraph 3.

Further information on the rights of the interested party may be obtained by asking the Controller for a full extract of the above-mentioned articles.

9. Security measures

The Company adopts adequate and preventive security measures to safeguard the confidentiality, integrity, completeness and availability of the personal data of the data subject. Technical, logistical and organizational measures are put in place to prevent damage, loss, even accidental, alteration, misuse and unauthorized use of data processed.

Moreover, the controllers cannot be held responsible for untrue information sent directly by the user (for example: correctness of the e-mail address or postal address), as well as information concerning the user that has been provided by a third party, even fraudulently.

10. Amendments to this policy

Our ever-evolving services may lead to changes in the characteristics of the processing of your personal data processing described so far. This privacy policy may be subject to changes and additions over time, as necessary, due to new legislation on the protection of personal data, or the evolution / modification of our services.

We therefore invite you to periodically check the contents of our privacy policy: where possible, we will try to promptly inform you of any changes made and their consequences.

The updated version of the privacy policy, in any case, will be published on the Company’s web page, indicating the date of its last update.

11. Date of last update