Privacy Policy pursuant to EU Regulation No. 2016/679 (“GDPR”)

This policy concerns the processing of browsing data (e.g., IP address) and data provided by the user through the voluntary submission of messages to the contact addresses published on the website https://brancainternational.com/ (“Website”); It also concerns the processing of personal data of certain data subjects (customers and suppliers) held by Branca International S.p.A. pursuant to the contract entered into with such data subjects or with the company of which such subjects are legal representatives or employees.

For cookies, please refer to the cookie policy published on the Website.

1. Data Controller 

The data controller for the processing of personal data is Branca International S.p.A. (“Brint”), Tax ID 80076740150; VAT No. 1061980154, with registered office in Milan, Via Broletto 35.

2. Nature of the Data 

The data processed by Brint consists of common data, personal and contact information (such as first name, last name, phone/mobile number, and e-mail address) and, where applicable, general data such as tax ID/VAT number, IBAN, financial and commercial information, etc. In addition, further data and information relating to contracts entered into with Brint and/or necessary for the purposes indicated in Article 3 below are processed.

3. Purposes of Processing

3.1.    The data referred to in Article 2 are processed by Brint, as applicable, for the following purposes:

1. a) performance of the contract; or
2. b) retention to protect the company’s interests in the event of a dispute; or
3. c) compliance with legal obligations.

3.2.    Furthermore, the processing is intended to ensure the proper and complete handling of any communication or request sent by the data subject to Brint using the contact details provided on the Website (e.g., requests for information, assistance, or an appointment).

4. Legal Bases for Processing

The legal bases for processing for the purposes set forth in Art. 3.1a) and 3.2 are, as applicable, the performance of the contract with respect to the contracting parties; the data controller’s legitimate interest in using the data of any data subjects who are part of the corporate structure of customers and suppliers to perform the contract in question.

The legal basis for processing for the purposes set forth in Article 3.1.b) is the data controller’s legitimate interest in retaining the data to protect the company’s interests in the event of a dispute.

The legal basis for processing for the purposes set forth in Article 3.1.c) is compliance with legal obligations arising from the existing contract.

5. Recipients of the Data

Personal data may be accessed and processed by expressly authorized Brint’s employees (so-called “data appointees”) and by external data processors appointed by Brint (such as other companies of the Branca Group), a list of whose names and contact details is available upon request. The data may also be disclosed to independent third-party data controllers (e.g., consultants) if this is necessary to pursue Brint’s legitimate interests.

6. Data retention

With regard to relationships with customers and suppliers, the data will be retained for as long as the contract signed by Brint with such parties is valid and enforceable. Subsequently, the data will be retained for a period of 10 years (a term consistent with the statute of limitations for legal claims) exclusively for the purpose of protecting the company’s interests and in compliance with legal obligations (e.g., retention of accounting records pursuant to Article 2220 of the Italian Civil Code) or, if necessary, for a longer period determined based on legitimate interests (e.g., pending litigation).

For the management of any messages sent to the contact addresses on the Website, the maximum retention period is 6 months.

7. Transfer of Data to non-EU Countries

Personal data may be transferred to non-EU Countries based on the conditions of lawfulness and appropriate safeguards set forth in Articles 45 et seq. of the GDPR, such as the standard contractual clauses approved by the European Commission. A list of the countries and appropriate safeguards may be provided to the data subject upon request.

8. Rights under the GDPR and how to exercise them 

In the cases provided for in Articles 15 et seq. of the GDPR, the data subject has the right to request to the data controller access to personal data, as well as the rectification or erasure of such data or the restriction of processing of data concerning him or her, in addition to the right to data portability. The data subject may, again in the cases provided for by the GDPR, object to the processing of data based on the data controller’s legitimate interest.

To exercise the rights provided for by the GDPR, the data subject may submit requests to the data controller by sending an email to the following address: diritti@branca.it.

The data subject also has the right to lodge a complaint with the Garante privacy or another competent supervisory authority, in accordance with the procedures provided for by law.