Information regarding the processing of personal data pursuant to Articles 13 and 14 of the Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR)

  1. Data Controller

Pastificio Lucio Garofalo S.p.A. - Via dei Pastai 42, 80054 Gragnano (NA)

Data Controller's email address:

  2. Collected Data

The Personal Data collected through this Application, independently or via third parties (Xister Reply S.r.l.), are: Cookies, usage data, User's first name, last name, and email (collectively, "Data").

Personal Data may be freely provided by the User or, in the case of Usage Data, collected automatically during the use of this Application. Consent to Data collection from this Application is optional. However, if the User refuses to provide the aforementioned Data, then it may be impossible for this Application to provide the Service.

This Application uses Cookies. For more information and details, the User may consult the Cookie Policy. This Application and the related third-party service providers may use Cookies or other tracking tools. Unless otherwise specified, this is intended to provide the Service requested by the User, in addition to other purposes as described in this document and in the Cookie Policy.

  3. Purposes of Data Processing

The Data are collected for the following purposes:

3.1 Interaction with social networks and external platforms, also through Facebook's "Like" button and social widgets (Facebook, Inc.)

These services allow for interacting with social networks or other external platforms directly from the pages of this Application. The interaction and information obtained from this Application are in any case subject to the User's privacy settings relative to each social network. If an interaction service with social networks is installed, then the service may still collect traffic data for the pages in which it is installed, even if the Users do not utilize the service.

Facebook's "Like" button and social widgets are services provided by Facebook, Inc. for interacting with the Facebook social network.

Personal Data collected: Cookies and User data.

Processing location: USA – Privacy Policy.

3.2 Statistics, also through Google Analytics (Google, Inc.)

The services contained in this section allow the Data Controller to monitor and analyze traffic data in order to keep track of User behavior.

Google Analytics is a web analysis service provided by Google, Inc. (“Google”). Google uses the Personal Data collected to track and analyse the use of this Application, creating reports and sharing them with other services developed by Google.

Google may use Personal Data to contextualise and customise the ads on its own advertising network.

Collected Personal Data: Cookies and User Data.

Processing location: USA – Privacy Policy – Opt Out.

3.3 Contact with the User via Mailing List or Newsletter

By subscribing to a mailing list or newsletter, the User's email address is automatically added to a contact list. Such a list may receive emails containing information related to this Application, including commercial and promotional information. The User's email address may also be added to this list after registering to this Application or after making a purchase.

Collected Personal Data: First Name, Last Name, and Email.

3.4 Displaying content from external platforms, including YouTube Video Widget (Google, Inc.)

These services allow you to view and interact with content hosted on external platforms directly from the pages of this Application.

If this type of service is installed, then it is possible that the service itself will still collect data traffic for the pages in which it is installed, even if the Users do not utilize this service.

YouTube is a service run by Google, Inc. for viewing video content. It allows this Application to integrate such content within its own pages.

Collected Personal Data: Cookies and User Data.

Processing location: USA – Privacy Policy.

  4. Legal Base of Processing

Your free and informed consent gives a legal base to the processing. Therefore, the processing of your Data will take place only after such a consent. The consent will be obtained prior to the data collection through an appropriate form.

  5. Procedures for Processing Collected Data

Processing procedures

The Data Controller uses appropriate security measures for protecting against unauthorized access, modification, dissemination, or destruction of Data. 

The processing is carried out using IT and/or telecommunication tools within organizational procedures and on the basis of principles strictly related and limited to the stated purposes. In addition to the Data Controller, in some cases, other parties involved in the organization of this Application (administrative, commercial, marketing, legal, system administrators) or external parties (such as suppliers of third party technical services, postal couriers, hosting providers, IT agencies/companies) may have access to the Data. Such parties are appointed as Data Protection Officers by the Data Controller for this purpose pursuant to Article 28 of the GDPR. The updated list of Data Protection Officers can be requested from the Data Controller.

Storage period

Personal Data will be held by the Data Controller in full compliance with the principles of necessity, minimization, and storage limitation through the adoption of technical and organizational measures adequate to the level of processing risk. This will not exceed the amount of time it takes to fulfill the objectives for which the data are processed.


  • Data collected for purposes related to the execution of a contract between the Data Controller and the User will be retained until the execution of such a contract is completed;

  • Data collected for purposes related to the Controller's legitimate interest will be retained until this interest is fulfilled.

When processing is based on the User's consent, the Controller may retain Personal Data as long as such consent is not waived. In addition, the Data Controller may be required by law or by order of an authority to retain Personal Data for a longer period of time.

At the end of the storage period your Personal Data will be deleted. Therefore, upon expiry of this period, the access, cancellation, correction, and Data transferability rights may no longer be exercised.

  6. Data Transfer Abroad

User Data will be transferred to Google and Facebook in the USA. This transfer is based on the European Union's decision from July 12, 2016 regarding what is known as the Privacy Shield, which is the agreement regulating the transfer of data between the European Union and the United States.

  7. User Rights

Users may exercise all rights towards the Data Controller, as referred to in Articles 15 et seq. of the GDPR that are relevant to them, including the right to ask the Data Controller at any time to access, correct, delete, or limit the processing of Data, as well as to object to their processing. Furthermore, Users can always file a complaint with the Data Protection Authority or any other qualified supervisory authority for the protection of Personal Data.

How to exercise rights

To exercise User rights, Users can direct a request to the Data Controller through contact details specified in this document. The request should indicate the source. Requests will be filed free of charge and processed by the Data Controller as soon as possible, within one month.


  8. Additional information on processing

Legal defense

The User's Personal Data may be utilized by the Data Controller in legal proceedings or their preparatory stages for defending against the User's misuse of this Application or related Services.
The User acknowledges that the Controller may be obliged to disclose Data by order of the public authorities.

Specific information

Upon request of the User, in addition to the information contained in this privacy policy, this Application may provide Users with additional and contextual information about specific services, or the collection and processing of Personal Data.

System and maintenance log

This Application and any third-party services used by it may collect system Logs, which are files that record interactions and may also contain Personal Data, such as the User IP address, for operational and maintenance purposes.

Information not contained in this policy

Further information in relation to the processing of Personal Data may be requested at any time from the Data Controller through the contact details.

Response to "Do Not Track" requests

This Application does not support "Do Not Track" requests.

Some involved third-party services may support such a request. Please consult their respective privacy policies for further information.

Modifications to this disclosure

The Data Controller reserves the right to modify this disclosure at any time. The Data Controller will inform Users on this page and, if possible, on this Application. Further, if technically and legally feasible, the Data Controller will send a notification to Users through one of the available contact details. Please consult this page regularly, referring to the date of the last modification as indicated at the bottom.

Some changes may affect processing where consent is the legal base. In such a case, and if necessary, the Data Controller shall obtain the User's consent again.

Pastificio Lucio Garofalo S.p.A.
Via dei Pastai, 42 80054 Gragnano (NA) Italia
  + 39 081 8011002    + 39 081 8012937