Privacy Policy

Information notice pursuant to Legislative Decree 196/2003, as subsequently amended and supplemented, and Art. 13 of Regulation (EU) no. 679/2016 (“GDPR”)

SAMI SRL safeguards the confidentiality of personal data and guarantees that they are protected against any event that might put them at risk of violation.

Pursuant to and for the purposes of the provisions of Legislative Decree 196/2003 and subsequent amendments and additions as well as the European Union Regulation no. 679/2016 (“GDPR”), and in particular Article 13 thereof, the following information is provided to the user (“Data Subject”) regarding the processing of his/her personal data.

This information notice (“Information Notice”), drawn up on the basis of the principle of transparency and all the elements required by the GDPR, is divided into individual sections, each of which deals with a specific topic in order to make it quicker and easier to read.


Who we are and what data we process [Art. 13(1)(a); Art. 15(b) GDPR].

The processing of the personal data of the interested party is carried out by SAMI SRL (fiscal code IT00143190510) with registered office in Via Industriale n. 18 – 52011 Bibbiena (AR) – which, as Data Controller, can be contacted at the email address, collects and/or receives the information concerning the interested party, such as:

  • Personal data: name, surname, physical address, nationality, province and municipality of residence, fixed and/or mobile telephone, fax, tax code/VAT, e-mail address(es), copy of identity document
  • Bank data: IBAN and bank/postal data (except credit card number)
  • Telematics traffic data: log, source IP address

The Data Subject is not required to provide so-called “special” data, i.e., in accordance with the provisions of Article 9 of the GDPR, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data intended to uniquely identify a natural person, data relating to the person’s health or sex life or sexual orientation. In the event that the service requested from the Controller requires the processing of such data, the interested party will first receive specific information and will be asked to give his/her consent.


For what purposes do we need the data of the Data Subject [Art. 13, para. 1, letter c) GDPR].

The personal data provided are necessary to allow the Data Controller to fully carry out its activities and fulfil the contractual relationships established or to be established. The personal data, freely provided by the interested party, will be processed lawfully and correctly for the provision of services and the supply of products offered by the Owner.

The legal bases for the processing of the data subject’s personal data are:

  • contractual obligations and fulfilments;
  • legal obligations;
  • legitimate interest of the Data Controller to carry out processing for the purpose of protecting the company’s assets and system security;
  • commercial consent and use of the service by the Data Subject.

The data subject’s data will be processed for the purpose of managing the service and fulfilling legal obligations, such as:

  1. Performance of activities preliminary and consequent to the conclusion of a contract, to the management of the order, to the provision of the requested service
  2. Invoicing of the amounts due, management of payment, fulfilment of any other obligation/service deriving from the contract
  3. Fulfilment of regulatory obligations including accounting
  3. Fulfilment of legal obligations, including accounting, administrative and tax obligations
  4. Management of any complaints and disputes
  5. Fraud prevention and management of late or non-payment
  6. Protection and possible recovery of credit, directly or through third parties to whom the data necessary for these purposes will be communicated
  7. Transfer of credit to authorised companies
  8. Reporting and quality control
  9. Communication and/or sending (by e-mail, text message, notification, post, telephone contact, etc.), also by automated means, of the data necessary to fulfil the contractual obligations.
  9. Communication and/or sending (by e-mail, sms, notification, post, telephone contact, etc.), also by automated means, of information and material related to the management of the contract and the services envisaged by the same.

The Data Controller does not disseminate the data or use them for purposes other than those mentioned above.

Except as specified above, the personal data of the interested party, with the latter’s optional consent, may also be processed for purposes of commercial promotion, surveys and market research with regard to services offered by the Controller that are the same and/or different from those requested and/or purchased by the interested party. Such processing may be carried out automatically in the following ways:

  • e-mail;
  • text message;
  • telephone contact;

and may be carried out provided that the data subject has not withdrawn his/her consent for the use of the data.

The legal basis for such processing is the consent given by the data subject prior to the processing itself, which may be revoked by the data subject freely and at any time (see Section III).

IT security

The Data Controller, in line with the provisions of Recital 49 of the GDPR, processes, including through its suppliers (third parties and/or recipients), the personal traffic data of the Data Subject to the extent strictly necessary and proportionate to ensure network and information security, i.e. the ability of a network or an information system to resist, at a given level of security, unforeseen events or unlawful or malicious acts that compromise the availability, authenticity, integrity and confidentiality of the personal data stored or transmitted.

The Data Controller shall promptly inform the Data Subjects if there is a particular risk of a breach of their data without prejudice to the obligations arising from the provisions of Article 33 of the GDPR concerning personal data breach notifications.

The legal basis for such processing is compliance with legal obligations and the legitimate interest of the Data Controller in processing traffic for the purposes of protecting the company’s assets and system security.

Child protection

The Services offered by the Controller are reserved for persons legally capable of entering into contractual obligations, in accordance with the relevant national legislation.

The personal data of minors will not be processed by the Data Controller without the prior authorisation of the holder of parental responsibility.

Communication to third-party recipients and categories of recipients [Art. 13(1)(e) GDPR].

The personal data of the Data Subject will be processed exclusively by persons authorised to process them and by any persons designated as Data Processors in compliance with the GDPR in order to correctly carry out all the processing activities necessary to pursue the purposes set out in this Information Notice. Such persons will be sensitised to the respect and protection of the dignity and confidentiality of the data subjects, as well as adequately trained and periodically updated on privacy rules.

Personal data may be communicated to third parties whose activity is necessary for the execution of the contractual relationship established and to fulfil certain legal obligations; specifically:

  • Third-party suppliers *: Administrative, accounting and contractual performance related tasks. Provision of the requested services and performances, assistance, maintenance, provision of additional services, related to the requested performance
  • Credit and digital payment institutions, banking/postal institutions: Management of receipts, payments, reimbursements related to the service requested
  • External professionals/consultants and consulting companies: Provision of services and services requested, fulfilment of legal obligations, exercise of rights, protection of contractual rights, debt collection
  • Financial administration, public bodies, judicial authorities, other authorities: Fulfilment of legal obligations, defence of rights
  • Persons formally delegated or having recognised legal status: Legal representatives, curators, guardians, etc. to whom the right to access personal data is acknowledged by the legislation in force

* The Data Controller imposes on all the aforesaid subjects and on the Data Processors the observance of security measures equal to those adopted by it for the processing of the data of the Data Subject; the perimeter of action of the Data Processor is however limited to the processing operations connected with the service requested.

The Data Controller does not transfer the personal data of the Data Subject to countries where the GDPR is not applied (non-EU countries) unless specifically indicated otherwise, for which the Data Subject will be informed in advance and, if necessary, his/her consent will be requested.

The legal basis for such processing is the fulfilment of the services inherent to the relationship established, compliance with legal obligations and the legitimate interest of the Controller in carrying out processing necessary for such purposes.


What happens if the Data Subject does not provide his/her data indicated as necessary for the performance of the service requested? [Art. 13, para. 2, letter e) GDPR].

The collection and processing of personal data is necessary in order to carry out the services requested and/or the provision of the service also requested. In the event of failure to provide such data, the Owner will not be able to proceed with the contract or provide the service requested.

What happens if the data subject does not consent to the processing of personal data for sales promotion activities, including for services other than those purchased or provided?

If consent to the processing of personal data for further purposes is requested, failure to provide such consent will prevent such processing, but will not affect the provision of the services requested, nor for those for which the data subject has already provided consent, if requested.

In the event that the data subject has given consent and subsequently withdraws it or objects to the processing for commercial promotion activities, his or her data will no longer be processed for such purposes, but will continue to be processed for the provision of the services requested.

How we process the data of the Data Subject [Art. 32 GDPR].

The data will be processed by manual, electronic, computerised and telematic means with logic strictly related to the purposes of processing and will be stored both on computer and on paper or other suitable media.

The Data Controller provides for the use of appropriate security measures in order to preserve the confidentiality, integrity and availability of the personal data of the Data Subject and imposes similar security measures on third party suppliers and any Managers.

Where we process the data of the data subject.

The Data Subject’s personal data are stored in paper, computer and electronic files located in countries where the GDPR applies (EU countries).

How long are the Data Subject’s data retained? [Art. 13, para. 2, letter a) GDPR]

The data subject’s personal data shall be processed for the entire duration of the contractual relationship and in any case for a period of time equal to the minimum necessary, i.e. until the termination of the contractual relationship of the data subject with the Controller. Such data will also be kept for the period necessary to pursue the above purposes.

If the data subject decides to give his or her optional consent to the marketing and/or profiling purposes, the personal data of the data subject will be kept, unless the consent is revoked, for a period of time not exceeding that necessary to achieve the purposes.

If the interested party sends the Controller personal data that is not requested or necessary for the performance of the service and/or the contract or for the provision of the service requested, the Controller cannot be considered the owner of this data and will delete it as soon as possible.

Irrespective of the data subject’s decisions, personal data shall in any case be stored in accordance with the terms provided for by current legislation and/or national regulations, for the exclusive purpose of guaranteeing the specific fulfilment of certain contracts and/or services.

In addition, personal data will in any case be kept for the fulfilment of obligations (e.g. fiscal and accounting) that remain even after the termination of the contract (art. 2220 c.c.); for these purposes the Data Controller will keep only the data necessary for the relative pursuit.

This is without prejudice to cases in which the rights arising from the contract need to be asserted in court, in which case the data subject’s personal data, only those necessary for such purposes, will be processed for the time necessary for their pursuit.

What are the rights of the Data Subject? [Art. 15 – 20 GDPR].

The Data Subject has the right to obtain the following from the data controller:

  1. confirmation as to whether or not personal data relating to him are being processed and, if so, to obtain access to the personal data and the following information:
  2. the purposes of the processing;
  3. the categories of personal data concerned;
  4. the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular if they are recipients in third countries or international organisations;
  5. where possible, the proposed period of retention of personal data or, if this is not possible, the criteria used to determine that period;
  6. the existence of the data subject’s right to request from the data controller the rectification or erasure of personal data or the restriction of the processing of personal data concerning him or her or to object to the processing of such data;
  7. the right to lodge a complaint with a supervisory authority;
  8. where the data are not collected from the data subject, all available information on their origin;
  9. the existence of automated decision-making, including profiling, and, at least in such cases, meaningful information about the logic used, as well as the importance and expected consequences of such processing for the data subject;
  10. the adequate safeguards provided by the third country (non-EU) or international organisation to protect any data transferred.
  11. the right to obtain a copy of the personal data undergoing processing, provided that this right does not violate the rights and freedoms of others; in case of further copies requested by the data subject, the Controller may charge a reasonable fee based on administrative costs;
  12. the right to obtain from the data controller the rectification of inaccurate personal data concerning him without undue delay;
  13. the right to obtain from the Data Controller the deletion of personal data concerning him/her without undue delay, if the reasons provided for in Article 17 of the GDPR exist, including, for example, if they are no longer necessary for the purposes of the processing or if the processing is assumed to be unlawful, and provided that the conditions provided for by law are met, and in any case if the processing is not justified by another equally legitimate reason;
  14. the right to obtain from the Data Controller the restriction of the processing, in the cases provided for by Article 18 of the GDPR (e.g. where the Data Subject has contested the accuracy of the personal data, for the period necessary for the Data Controller to verify the accuracy thereof). The Data Subject must also be informed, in an appropriate timeframe, of when the period of suspension has expired or the cause of the processing restriction has ceased to exist, and therefore the restriction itself lifted;
  15. the right to obtain communication from the Controller of the recipients to whom requests for possible rectification or erasure or restriction of processing have been transmitted, unless this proves impossible or involves a disproportionate effort;
  16. the right to receive, in a structured, commonly used and machine-readable format, personal data concerning him or her and the right to have such data transmitted to another data controller without hindrance by the data controller to whom he or she has provided them, in the cases provided for in Article 20 of the GDPR, and the right to obtain the direct transmission of personal data from one data controller to another, if technically feasible.

For any further information and in any case to send the request, the interested party should contact the Data Controller at the email address In order to guarantee that the aforementioned rights are exercised by the Data Subject and not by unauthorised third parties, the Data Controller may ask to provide any further information necessary for this purpose.

How and when can the Data Subject object to the processing of his/her personal data? [Art. 21 GDPR]

For reasons relating to the particular situation of the Data Subject, he or she may object at any time to the processing of his or her personal data if it is based on legitimate interest or if it is for commercial promotion activities, by sending a request to the Data Controller at

The Data Subject shall have the right to the erasure of his/her personal data if there is no legitimate reason for the Data Controller to do so other than that which gave rise to the request, and in any event if the Data Subject has objected to the processing for commercial promotion purposes.

Who can the Data Subject complain to? [Art. 77 GDPR].

Without prejudice to any other administrative or judicial action, the Data Subject may lodge a complaint with the competent supervisory authority on Italian territory (the Italian Data Protection Authority) or with the authority that performs its duties and exercises its powers in the Member State where the breach of the GDPR occurred.

For details on how to submit a report and/or complaint to the Garante for the protection of personal data on Italian territory, the data subject may consult the website.

Data Controller.

The data controller is SAMI SRL (tax code IT00143190510) with registered office in Via Industriale n. 18 – 52011 Bibbiena (AR) – tel. +39 0575 536366 – email: – in the person of its legal representative pro tempore.

The names of the designated data processors can be verified by contacting the company at the above-mentioned addresses.

Any update of this Policy will be communicated promptly and by appropriate means. The Data Subject will also be informed if the Controller intends to process the Data Subject’s data for purposes other than those set out in this Policy; this will be done before the processing begins and following the expression of the relevant consent of the Data Subject, where necessary.



General information, deactivation and management of cookies.

Cookies are data that are sent from the website and stored by your internet browser on your computer or other device (e.g. tablet or mobile phone). Technical cookies and third party cookies may be installed by our website or its subdomains.

However, you can manage or request the general deactivation or deletion of cookies by modifying the settings of your Internet browser. This deactivation, however, may slow down or prevent access to certain parts of the site.

The settings for managing or deactivating cookies may vary depending on the internet browser you are using, so please consult your device manual or the “Help” function of your internet browser for more information on how to do this.

Below are links explaining how to manage or disable cookies for the most popular internet browsers:

– Internet Explorer:

– Google Chrome:

– Mozilla Firefox:

– Opera:

– Safari:

Technical cookies

The use of technical cookies, i.e. cookies that are necessary for the transmission of communications over electronic communication networks or cookies that are strictly necessary for the provider to provide the service requested by the customer, allows our website to be used safely and efficiently.

Technical cookies are essential for the proper functioning of our website and are used to allow users normal navigation and the possibility of using the advanced services available on our website. The technical cookies we use can be divided into session cookies, which are only stored for the duration of browsing until the browser is closed, and persistent cookies, which are stored in the memory of the user’s device until they expire or are deleted by the user. Our website uses the following technical cookies:

– cookies to save the session and to carry out other activities strictly necessary for its operation (e.g. in relation to traffic distribution);

– cookies to save browsing preferences and optimise the browsing experience (e.g. those for setting the language and currency);

Third-party cookies

Third party cookies may be installed: these are analytical and profiling cookies sent from the websites of these third parties outside our site. Third-party analytical cookies are used to collect information about user behaviour on the site. This information is collected anonymously in order to monitor the performance and improve the usability of the site. Third-party profiling cookies are used to create profiles of users in order to provide advertisements in line with the choices made by users.

The use of these cookies is governed by the rules laid down by the third parties themselves; we therefore invite you to read the privacy notices and the instructions for managing or disabling cookies published on the web pages of these third parties.

If a service for interacting with social networks is installed, it is possible that, even if users do not use the service, it will collect traffic data relating to the pages on which it is installed.

+1 button and Google+ social widgets (Google Inc.)

The +1 button and Google+ social widgets are services for interaction with the Google+ social network, provided by Google Inc.

Personal data collected: Cookies and Usage data.

Place of processing: USA – Privacy Policy

Linkedin social button and widgets (LinkedIn Corporation)

The Linkedin social button and widgets are services for interaction with the Linkedin social network, provided by LinkedIn Corporation.

Personal data collected: Cookies and Usage data.

Place of processing: USA – Privacy Policy

Facebook Like button and social widgets (Facebook, Inc.)

The Facebook ‘Like’ button and social widgets are services for interacting with the Facebook social network, provided by Facebook, Inc.

Personal data collected: Cookies and Usage data.

Place of processing: USA – Privacy Policy

Tweet button and Twitter social widgets (Twitter, Inc.)

The Tweet button and Twitter social widgets are services for interaction with the social network Twitter, provided by Twitter, Inc.

Personal data collected: Cookies and Usage data.

Place of processing: USA – Privacy Policy

Profiling cookies

Profiling cookies may be installed by the Data Controller(s), by means of so-called web analytics software, which are used to prepare detailed analysis reports in real time relating to information on: visitors to a website, search engines of origin, keywords used, language of use, most visited pages.

They may collect information and data such as IP address, nationality, city, date/time, device, browser, operating system, screen resolution, navigation source, pages visited and number of pages, duration of visit, number of visits. The user’s consent may not be required for this type of cookie.

Google Analytics (Google Inc.)

Google Analytics is a web analytics service provided by Google Inc. (“Google”). Google uses the Personal Data collected to track and examine the use of this Application, compile reports and share them with other services developed by Google.

Google may use Personal Data to contextualise and personalise ads in its advertising network.

Personal data collected: Cookies and Usage data.

Place of processing: USA – Privacy Policy – Opt Out

How to control the receipt of cookies.

The user can block or limit the reception of cookies through the options of their browser.

In Internet Explorer, click on “Tools” in the menu bar and then on the sub-heading “Internet Options”. Then go to the settings on the ‘Privacy’ tab to change your cookie preferences.

In Firefox, click on “Tools” in the menu bar and then on the sub-heading “Options”. Then go to the “Privacy” settings to change your cookie preferences.

On Chrome, type “chrome://settings/content” in the address bar (without quotes) and change the cookie settings as desired.

In Safari, select the “Preferences” item and then choose “Privacy”. In the Block Cookies section, specify how Safari should accept cookies from websites.

If you use Safari on mobile devices, such as the iPhone and iPad, you need to do the following: go to the “Settings” tab on your device and then find “Safari” in the menu on the left. From here, under ‘Privacy and Security’, you can manage your Cookie options.

To disable cookies from external services, you need to adjust their settings.

Since the installation of Cookies and other tracking systems by third parties through the services used in this Application cannot be technically controlled by the Owner, any specific reference to Cookies and tracking systems installed by third parties is to be considered indicative. For complete information, please consult the privacy policy of any third party services listed in this document.

Given the objective complexity associated with the identification of technologies based on cookies and their close integration with the operation of the web, the User is invited to contact the Data Controller if he/she wishes to receive any further information on the use of cookies and any use of the same – for example by third parties – carried out through this website.