According to Regulation (EU) 2016/679 on the protection of personal data (for the sake of brevity “GDPR”), the information disclosed concerns the conferment and processing of personal data of those who, for whatever reason, have relations or contacts with Cepra S.r.l. and/or in relation to which the latter processes personal data.



According to Articles 4, paragraph 7 and 24 of the GDPR, the Data Controller is Cepra S.r.l., in the person of the legal representative, Tax Code/VAT number 04701000152, with registered offices in Assago (MI), Via 1 Strada F 3, (hereinafter, for the sake of brevity, “CEPRA”). The company may be contacted in writing at the email-address: This email address is being protected from spambots. You need JavaScript enabled to view it. or by mail at the address mentioned above.



Depending on the case, CEPRA may process personal data:

  1. for purposes connected to the obligations established by laws, regulations, EU regulations, as well as by instructions given by the competent authorities/supervisory and control bodies, as well as to exercise the Data Controller rights (including, by way of example, the right of defence in court);
  2. for purposes strictly related and/or needed to comply with contractual and pre-contractual obligations deriving from relations with CEPRA and/or concerning the services offered by the same;
  3. for promotional and/or marketing purposes, such as sending, by e-mail, mail and/or telephone, newsletters, trade magazines (such as, among others, Xylon), commercial communications and/or advertising material (including any catalogues, brochures and propaganda), market studies or surveys, including those for foreign markets, technical and advertising films, as well as to communicate information on events (including Xylexpo and other trade fairs, including non-sector events, meetings, debates, conferences, congresses and the like) organised by CEPRA and the services offered by the latter.

The legal bases of processing for the purposes a) and b) above are Articles 6.1.b) and 6.1.c) of the Regulation. The legal basis of processing for the purposes c) is Article 6.1.a) of the Regulation.



The data that CEPRA processes may include: a) personal data; b) contact data; c) as well as any other data strictly connected to providing you with the services offered by CEPRA. It should be noted that CEPRA does not require and does not process special customer data (that is, personal data suitable for detecting racial and ethnic origin, religious, philosophical or other convictions, political opinions, accession to parties, unions, associations or organisations of a religious, philosophical, political or trade union nature, as well as personal data suitable for detecting health status and sexual orientation); however, if CEPRA needs to process this data in order to offer you the CEPRA services, the latter will expressly ask you for your written consent.



The provision of data for the purposes referred to in point 2, letters a) and b) is mandatory. Any refusal to communicate the data for such purposes, or in any case partial or incorrect provision of the same, will make it impossible for CEPRA to fulfil its obligations. However, the provision of data for the purposes referred to in paragraph 2, letter. c) is optional. Therefore, you may decide not to provide any data or to subsequently deny the possibility of processing data already provided. I this case, CEPRA will not be able to send you communications and/or commercial/advertising material, including the catalogues illustrating the CEPRA products. According to Article 7, paragraph 3 of the GDPR, you have the possibility to withdraw your consent at any time.



Personal data will be made accessible under the liability of the Data Controller:

  1. to subjects (CEPRA employees) that are authorised by the same according to Article 29 of the GDPR;
  2. in the case of inspections and/or checks (if requested), to all inspection bodies responsible for checking and inspecting the regularity of legal obligations;
  3. to companies/professional firms that provide assistance, advice and collaboration to the Data Controller, in accounting, administrative, tax, legal, tax and financial matters, who are appointed for this purpose as External Data Processors;
  4. to third party service providers who are appointed, if necessary, as External Data Processors. The dissemination of data to these parties is required for the provision of services/goods by CEPRA;
  5. to public administrations for the performance of institutional functions within the limits established by law or regulations.

The updated list of External Data Processors can be requested from the Data Controller, and is available at CEPRA's registered office.



The processing of personal data will be based on principles of correctness, lawfulness, transparency and will be carried out through the operations indicated in Article 4, No. 2, of the GDPR. This, among other things, includes the collection, registration, organisation, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of data. Personal data will be subject to paper, electronic and/or automated processing. The data is kept and checked by adopting appropriate preventive security measures aimed at minimising the risks of loss and destruction, unauthorised access, unauthorised processing and processing that does not comply with the purposes for which the consent to the collection is given.



The collected data is stored on servers located in Italy and the European Union. For strictly organisational/business needs, CEPRA could transfer some data to countries located outside the European Union. In this case, the Data Controller hereby ensures that all guarantees will be taken to make the transfer secure and to ensure that the processing of personal data complies with the requirements of the Regulation (such as for example the consent of the data subjects, the adoption of Standard Clauses approved by the European Commission, selection of subjects adhering to international programs for free circulation of data (e.g. EU-USA Privacy Shield) or operating in countries considered safe by the European Commission. On this point, the Data Controller will, at the request of the data subject, issue the necessary information (including, if needed, a copy of all the relevant documentation). Furthermore, the Data Controller reserves the possibility to use in cloud services. In this case, the suppliers of these services will be selected from among those that offer suitable guarantees.



In compliance with the provisions of the GDPR, the data subject has the right, where applicable, to ask the Data Controller to access the data (Article 15), correct the data (Article 16), delete the same or the right to be forgotten (Article 17), the limitation of the processing of personal data (Article 18), the right to data portability (Article 20) or to object to processing (Article 21), in addition to the right to not be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or significantly affects his or her person (Article 22). Requests may be submitted in writing to the Data Controller to the address of the registered office and the e-mail address indicated in point 1.

Moreover, the data subject has the right to lodge a complaint with the supervisory body responsible for data protection (Article 77 of the Regulation) if the same feels that the processing carried out by the Data Controller did not comply with the regulation. For more information, consult the Privacy Guarantor’s website at



The Data Controller will keep the personal data for the time strictly necessary to fulfil the purposes for which it was collected and conferred (as provided for in paragraphs 2 and 4 above). Personal data may be kept for a longer period in compliance with a legal obligation (also of a fiscal nature) or by an order issued by an authority. Subsequently, the data will be deleted, rendered inactive, or made anonymous