Pursuant to Article 13 of the European Union Regulation no. 2016/679 on the Protection of Personal Data (hereinafter also referred to as “General Data Protection Regulation” or “GDPR”), prior to processing personal data (hereinafter also “Personal Data” or “Data”), the Company as data controller is required to provide the Data Subject (user of the website) with a set of specific information on how the Company will use, hold and retain the data collected through the website and process it by means of IT and/or telematic tools for the purposes herein stated.

To this end, Colorobbia Consulting S.r.l. (hereinafter also referred to as “Colorobbia Consulting” or “the Owner” or “the Data Controller” or “the Company”) sets out this information below in this Privacy Policy.


  1. Data controller and Data Protection Officer

The Data Controller is Colorobbia Consulting S.r.l., the registered office of which is at Via Pietramarina n. 53, 50059 Sovigliana, Vinci (Florence) Italy, VAT-Id 03795100480.
The Company has designated a Data Protection Officer pursuant to Art. 37 ff. of the GDPR.
With regard to all issues related to the processing of personal information, the Data Subject may contact the Data Protection Officer by email at:
For detailed information on the rights of the Data Subject, please refer to the Section “Rights of the Data Subject” of this privacy statement.

  1. Legal bases on which we process your personal data and purpose of Processing

Data provided or collected when browsing the website will be processed by the Data Controller in accordance with the regulations in force.

Our processing is based on the lawful bases that are necessary for us to process your personal data, namely: provision of services offered by the Company, management and facilitation of the website, management of protected areas on the site, and the Data Subject's explicit consent, where requested and given, to the processing of the Personal Data.

The processing of your data by the Data Controller is aimed at pursuing the following purposes:

1) Access to the area “Contacts”: section of the hyperlink – domain owned by the Company, here Data Controller, to allow you to request information about the services offered;

2) “Processing of requests for information”: if you choose to contact us using the appropriate e-mail addresses or telephone contacts mentioned on the website, the Data you provide may be processed by the Data Controller to fulfil your request and provide you with the necessary information; 

  1. Nature of the processing

With the exception of those data that are necessary and essential to execute electronic and IT protocols, users may provide personal data for the purposes referred to in points 1) and 2) freely and optionally. However, if the Data Subject does not provide the information requested, the Company will not be able to handle any requests submitted or to be submitted by the user.

In this context, be aware that personal data may also be processed for the fulfilment of obligations established by law, legislation and, in general, by regulations in force and applicable from time to time.


  1. What type of information is collected from you

The Data Controller will process those data provided by the user when browsing the website and/or by acceptance of the services offered by BiomediCOL. 

  1. How we process your Personal Data and how long we retain your information

Your personal information will be processed by the Controller in compliance with the provisions as set forth by applicable law on data protection. Data processing will take place through electronic and/or IT means and organizational and logical procedures strictly correlated with the purposes for which Information is collected. In addition, the Controller has implemented appropriate security measures intended to protect against unauthorised access, disclosure, alteration or destruction, loss or unlawful use and misuse of your personal information.

Despite this, the Company cannot guarantee that the measures implemented for the security of the site and the transmission of data and information are able to limit or exclude any risk of unauthorized access or disclosure of Data by users’ devices. Therefore, we recommend that users of the site install adequate software protecting data during transmission across the network (i.e. updated antivirus) and that their Internet Provider have appropriate data transmission security measures in place.

Furthermore, the Company undertakes to process the Personal data according to the principles of lawfulness, fairness and transparency, to collect it to the extent necessary and adequate for the processing and to limit access to authorised personnel only. Data that you provide to us will be managed and held in archives or on servers which are located within the European Union, owned by the Data Controller and/or by third party companies appointed as External Data Processors, and, in any case, currently seated in Italy.

Your Personal Information will be retained for as long as needed or permitted in light of the purposes for which it was obtained and, in any case, in accordance with the regulations in force.

In any case, the Company undertakes to avoid processing of personal data for an indefinite period and to verify, periodically, the actual interest of the Data Subject


  1. Data recipients and Data Processors

Your Personal Data will not be in any way disclosed by transmission, dissemination or otherwise made available to third parties, except for those cases provided for by law and, in any event, in compliance with the procedures set forth in the applicable regulation. Your Personal Data will be processed by the Company’s employees to the extent and according to the purposes for which it is processed. Some Data may also be processed by third parties, acting as External Data Processors, that are appointed or may be appointed by the Controller for the management of the contractual relationship, provision of the services and for organizational requirements as to corporate business. In particular, Personal Data may be shared with, including but not limited to:

a) private or public third parties, authorised to process Personal Data by virtue of laws, regulations or community legislation, to the extent provided for by said regulations;

b) third parties that need to process Personal Information for purposes related to the contractual relationship between the parties, to the extent strictly necessary for the performance of the tasks assigned (such as, for example, banks and credit institutions, technical service providers, hosting providers, IT companies, communication agencies, mail carriers and shipping companies);

c) consultants, to the extent strictly necessary for the performance of the professional task assigned.

An updated list of the appointed External Data Processors is made available to the Data Subject at the headquarters of the Data Controller upon prior request to be emailed at:


  1. Transfers of personal data to third countries

Your Personal Data will not be transferred outside the European Union. It is understood, however, that the Controller, if necessary, shall be entitled to move the servers’ location to non-EU third countries. In this case, the Data Controller ensures from now on that the transfer of personal data outside the European Union will take place in accordance with the provisions set forth in article 44 et seq. of the GDPR and other applicable regulations, by stipulating, if required, related agreements that ensure an adequate level of protection.


  1. Rights of the Data Subject


The GDPR gives the Data Subject specific rights that help him/her be in control of his/her personal data, namely:

a) pursuant to art. 15, the data subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, to obtain access to the personal data and the following information: i) the purposes of the processing; ii) the categories of personal data concerned; iii) the recipients or categories of recipients to whom the Personal Data have been or will be disclosed, in particular recipients in third countries or international organizations; iv) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; v) the existence of the right of the Data Subject to request from the Data Controller rectification or erasure of Personal Data or restriction of processing of personal data concerning the data subject or to object to such processing; vi) the right to lodge a complaint with a supervisory authority, pursuant to articles 77 ff. of the GDPR; vii) if the Data is not collected from the Data Subject, all information available on their origin; viii) the existence of an automated decision-making process, including profiling referred to in Article 22, paragraphs 1 and 4 of the GDPR, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject; ix) where personal data are transferred to a third country or to an international organisation, the right to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR relating to the transfer of Personal Data to a third country or an international organisation;

b) the Data Subject shall also have (where applicable) the possibility of exercising the rights pursuant to articles 16-21 of the GDPR (right to rectification, right to erasure, right to restriction of processing, right to Data portability, right to object).

The Data Subject may at any time exercise the above-mentioned rights and request a copy of an updated list of the Data processors by emailing at:

Colorobbia Consulting undertakes to provide information on action taken on a request to the Data Subject within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. In any case the Data Controller shall inform the Data Subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Information on the action taken on a request shall be provided in writing or by electronic means. In the event of a request for rectification, erasure and restriction of processing, the Data Controller shall inform each recipient to whom the personal data have been disclosed of said requests received from the Data Subject, unless this proves impossible or involves a disproportionate effort.

Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Company may charge a reasonable fee.


Pursuant to Art. 37 of the GDPR, the Company has designated La Badessa Pietro as its DPO – Data Protection Officer. With regard to all issues related to the processing of personal information, the Data Subject may contact the Data Protection Officer via email at:


  1. Changes to this privacy policy

The Data Controller reserves the right to make changes to this Privacy Policy from time to time. Any new version of this Policy will be published on the site so please check this page on a regular basis. The “Last Updated” legend at the bottom of this Privacy Policy indicates when this statement was last revised. In case of non-acceptance of the changes made to this Privacy Policy, the Data Subject shall have the right to obtain from the controller the deletion of his/her personal data. Unless otherwise specified, our processing of your information collected up to the time of the last update will be governed by the practices set out in the previous Privacy Policy version.


This Privacy Policy was last updated on 23/12/2022