PRIVACY POLICY
1. DATA CONTROLLER
The Data Controller is:
Dr. Riccardo Tomesani
VAT No.: 13801210967
Tax Code: TMSRCR64E11F205Z
Registered Office: Via Roma 13, 20054 Segrate (MI), Italy
Email: info@tomesanipr.com | Website: www.tomesanipr.com
As the Data Controller, the Professional Studio ensures the protection of personal data provided during navigation and use of this website, safeguarding its confidentiality and guaranteeing compliance with current legislation and the required level of protection against any event that could pose a risk of data breach.
As required by Article 13 of the European Union General Data Protection Regulation (GDPR), the Data Controller informs you that the personal data collected through this website are processed using electronic and/or telematic tools for the purposes described below.
2. PURPOSE, LEGAL BASIS, DATA RETENTION, AND TYPES OF DATA PROCESSED
A) Processing Related to Website Use
Scope and Purpose of Processing:
Pursuant to Article 6 of EU Regulation 679/2016 (as amended by Legislative Decree 101/2018), personal data are processed for the following purposes:
a) Website interaction and navigation:
- To enable browsing and use of this website, including the necessary technical maintenance and assistance;
- To allow the Data Controller to respond to requests submitted via the website.
Legal Basis and Nature of Data Provision:
The legal basis for processing, as per Art. 6 para. 1 letter f) GDPR, is the Data Controller’s legitimate interest in ensuring website functionality and responding to user interactions.
The processing is legally based on the contractual relationship established when you interact with the site.
Types of Data Processed:
The website processes the following categories of personal data:
Navigation Data:
This includes IP addresses or domain names of users’ devices, URI/URL addresses, the time of request, the method used to submit the request to the server, the size of the response file, the numeric response code (success, error, etc.), and technical parameters of the user’s operating system and IT environment. These data, required for web services, are also used to:
- Gather statistical information on website usage (e.g., most visited pages, user geography, etc.);
- Ensure proper functioning of services.
User-Provided Data:
This includes any data you submit via the “Contact” form or when creating an account in the “Join Club Nove25” section.
Derived Data:
Automatically collected information such as IP address, browser type, operating system, access times, and previously visited pages.
Third-Party Data:
This website does not transfer personal data to third parties.
Data Retention:
Data are retained in accordance with each cookie’s lifespan.
B) Data Processing for Professional Activities
a) Contractual Purposes
Purpose:
To enable the purchase of products/services and respond to customer inquiries, requiring the collection of personal data through subscription or purchase forms.
Legal Basis:
Performance of pre-contractual and contractual obligations under Article 6, para. 1, letter b) GDPR.
Failure to provide data will prevent service provision.
Data Types:
Identification and contact data: name, surname, email, phone number, tax code, city, country, and any additional data provided by the customer.
Retention Period:
Throughout the contractual relationship and for 10 years thereafter.
b) Operational and Communication Activities
Purpose:
- Building and maintaining PR relationships (media, influencers, clients, partners);
- Producing and disseminating press releases and content across digital/traditional channels;
- Monitoring campaign effectiveness using analytics and SEO tools;
- Managing brand reputation with the public and stakeholders both online and offline.
Legal Basis:
Performance of pre-contractual or contractual obligations (Art. 6, para. 1, letter b) GDPR).
Data Types:
Name, surname, email, phone number, tax code, city, country.
Retention Period:
For the duration necessary to complete campaigns, and no longer than 24 months.
c) Legal Compliance
Purpose:
To issue invoices, receive payments, and comply with contractual, tax, and legal obligations.
Legal Basis:
Compliance with a legal obligation (Art. 6, para. 1, letter c) GDPR).
Failure to provide data will prevent service provision.
Data Types:
Name, surname, email, phone number, tax code, city, country.
Retention Period:
For the duration of the contractual relationship and 10 years thereafter.
d) Legal Defense
Purpose:
To assert or defend the rights of the Data Controller in legal proceedings.
Legal Basis:
Legitimate interest of the Data Controller (Art. 6, para. 1, letter f) GDPR), balanced with the rights of the data subject.
Data Types:
Name, surname, email, phone number, tax code, city, country, and any other data required for litigation.
Retention Period:
For the duration of the contractual relationship and 10 years thereafter.
e) Marketing and Newsletters
Purpose:
To carry out promotional and/or marketing activities, including the sending of newsletters and commercial communications, subject to specific consent.
Legal Basis:
- Legitimate interest (Art. 6, letter f) GDPR): to promote products and services;
- Consent (Art. 6, letter a) GDPR): for voluntary, explicit, and unequivocal acceptance.
Data Types:
Name, surname, email, phone number, tax code, city, country.
Retention Period:
24 months from data collection.
f) PURPOSE: Contract Execution with Suppliers
Purpose:
- To ensure the proper execution of contracts and supply services, including:
- Managing contractual and pre-contractual relationships with the Controller;
- Managing financial and commercial relationships;
- Managing personal data of the legal representative of the supplier (legal entity);
- Carrying out preliminary evaluations of services proposed by potential suppliers;
- Entering supplier data into the Controller’s IT databases.
Legal Basis and Nature of Data Provision:
The legal basis is the performance of pre-contractual measures adopted at the request of the data subject and/or the execution of a contract in which the data subject is involved (Art. 6(1)(b) GDPR).
Refusal to provide personal data will make it impossible for the Controller to provide the service.
Data Types:
Identification and contact data: name, surname, email address, phone number, tax code, city.
Data Retention Period:
For the entire duration of the contractual relationship and 10 years following its conclusion.
g) PURPOSE: Legal Obligations
Purpose:
- Recording invoices and receiving payments;
- Fulfilling pre-contractual, contractual, and tax obligations related to customer relationships;
- Complying with obligations set forth by law, regulations, EU legislation, or orders from authorities.
Legal Basis and Nature of Data Provision:
Legal obligation incumbent upon the Controller (Art. 6(1)(c) GDPR).
Refusal to provide personal data will make it impossible for the Controller to provide the service.
Data Types:
Identification and contact data: name, surname, place and date of birth, email address, phone number.
Data Retention Period:
For the entire duration of the contractual relationship and 10 years following its conclusion.
h) PURPOSE: Legal Defense
Purpose:
To exercise the Controller’s rights, including defense in legal proceedings.
Legal Basis and Nature of Data Provision:
The Controller's legitimate interest (Art. 6(1)(f) GDPR), fairly balanced with the rights of the data subject.
Data Types:
Identification and contact data: name, surname, email address, phone number, tax code, city, country of residence, and any other data necessary for litigation.
Data Retention Period:
For the entire duration of the contractual relationship and 10 years following its conclusion.
i) PURPOSE: Legal Compliance – Potential Recruitment
Purpose:
To fulfill legal obligations in relation to a possible future employment relationship.
Legal Basis and Nature of Data Provision:
Compliance with a legal obligation (Art. 6(1)(c) GDPR).
Data Types:
Contact information (e.g., address, email, phone number); data relating to education, professional experience, and previous roles.
Data Retention Period:
12 months from data collection, unless an employment relationship is established.
l) PURPOSE: Legal Defense (Job Candidates)
Purpose:
To protect the rights of the Controller and exercise the right of defense in case of disputes.
Legal Basis and Nature of Data Provision:
Legitimate interest of the Controller (Art. 6(1)(f) GDPR), balanced with the rights and freedoms of the data subjects.
Data Types:
Contact information (e.g., address, email, phone number); data relating to education, professional experience, and any other data necessary for legal defense.
Data Retention Period:
12 months from data collection, unless an employment relationship is established.
3. DATA PROCESSING METHODS AND COLLECTION
The processing of personal data is carried out through operations including: collection, recording, organization, storage, consultation, processing, modification, selection, retrieval, comparison, use, interconnection, blocking, communication, deletion, and destruction.
Data are processed using both manual and electronic/telematic tools with organizational methods closely related to the stated purposes, ensuring the security, integrity, and confidentiality of the data in accordance with the organizational, physical, and logical measures outlined in Articles 24, 25, and 32 of the GDPR.
Personal data may be collected directly by the Controller or by third parties expressly authorized by the Controller, or communicated by the Controller to such third parties for the purposes outlined in this privacy notice.
The Controller periodically verifies that no unnecessary data are processed, collected, stored, or retained for purposes not specified in this policy.
4. ACCESS TO DATA BY AUTHORIZED PERSONNEL
Personal data may be made accessible, solely for the purposes outlined in this privacy policy:
- To employees and collaborators of the Controller, auxiliaries, third parties working for the Controller, and companies engaged in outsourcing relationships, in their capacity as authorized persons, internal data processors, or system administrators;
- To third-party companies or individuals performing outsourced services on behalf of the Controller, in their capacity as external data processors.
5. DISCLOSURE OF PERSONAL DATA
Personal data may be disclosed to specific individuals or entities considered recipients, defined as any person, authority, agency, or other body that receives personal data, regardless of whether it is a third party.
To properly perform all data processing activities needed to achieve the purposes of this policy, the following recipients may process your personal data:
- Third parties who perform some of the processing activities or related/supporting functions on behalf of the Controller. These have been designated as data processors;
- Individuals, employees, or collaborators of the Controller who have been assigned specific roles in handling personal data and instructed in appropriate security measures.
If required by law or to prevent/repress criminal acts, personal data may be disclosed to public authorities or the judiciary, although they are not formally classified as "recipients" under the GDPR.
Without requiring specific consent, the Controller may disclose your data for the purposes described to supervisory bodies, judicial authorities, insurance companies (for service provision), or other parties for whom such communication is legally required.
Data recipients may include:
- IT and technical support providers;
- Professional firms providing accounting, legal, tax, administrative, financial, or debt collection services;
- Providers of IT infrastructure and web services;
- Banks and payment service providers acting as data processors for payment handling;
- Consultants, within the limits of their professional responsibilities.
An up-to-date list of all data processors and authorized personnel is available at the Controller’s registered office and can be obtained via email request (see Section 1).
Some of these entities may process your data as independent data controllers.
Your data will not be publicly disclosed.
Data may also be shared in the following cases:
Legal Obligations or Rights Protection:
If deemed necessary to respond to legal proceedings, investigate or address violations of policies, or protect the rights, property, and safety of others, information may be disclosed as required or permitted by applicable law. This may include sharing data with fraud prevention agencies and credit risk entities.
Third-Party Service Providers:
We may share information with third parties performing services on our behalf, such as data analysis, email delivery, hosting, customer support, and marketing assistance.
Cookies and Tracking Technologies:
We may use cookies, web beacons, tracking pixels, and other technologies to personalize and enhance your website experience. Personal data is not collected through tracking technologies by default. Most browsers accept cookies automatically, but users can delete or refuse cookies, understanding that doing so may impact site functionality. Web beacons cannot be declined, but their effectiveness may be reduced by blocking cookies or adjusting browser settings to prompt for individual cookie consent.
6. THIRD-PARTY WEBSITES
The site contains links to third-party websites and applications of interest, including external services, that are not affiliated with us.
7. PERSONAL DATA RETENTION PERIOD
Personal data is primarily stored using both paper and digital procedures in Italy, within the European Union, and also outside the Data Controller’s headquarters, in full compliance with the provisions and requirements necessary for the security and proper location of data storage units. Digital storage methods are limited to document transmission and are carried out in full compliance with the relevant legal and security requirements (secure PCs and backup tools), as well as for the security of paper archives.
The Data Controller will process personal data for as long as necessary to fulfill the purposes outlined above and, in any case, no longer than the termination of the relationship conducted for Service Purposes. It is considered that the Data Controller will process the personal data for the time indicated in paragraph no. 2 of this privacy notice.
Personal Data collected for purposes related to the execution of a contract between the Data Controller and the User will be retained until the full execution of such contract.
The Data Controller may be authorized to retain Personal Data for a longer period if the User has given consent to such processing, provided that such consent is not withdrawn. Furthermore, the Data Controller may be obliged to retain Personal Data for a longer period if required to comply with a legal obligation or by order of an authority.
Once the retention period expires, the Personal Data will be deleted. Therefore, after the expiration of the retention period, the right to access, erasure, rectification, and data portability can no longer be exercised.
8. COOKIE BANNER TEXT
We use cookies to offer you the best possible experience on our website. By accepting, you agree to the use of such cookies (with personalized ads) as specified in the cookie policy.
Use the "Accept" button to consent. Close this notice to continue without accepting.
9. TRANSFER OUTSIDE THE EU/EEA
In managing customer relationships, no data transfers to third countries or international organizations are foreseen.
Should it become necessary to transfer personal data outside the European Union to countries not deemed adequate by the European Commission, the Data Controller will ensure that appropriate safeguards are in place to protect the personal data and that such transfers comply with applicable data protection laws.
Any transfer of data outside the EU will, in any case, be in compliance with the appropriate safeguards for the transfer, pursuant to the applicable legislation, particularly Articles 45 and 46 of the Regulation.
Consequently, where required by applicable data protection laws, the Data Controller will ensure that service providers sign the Standard Contractual Clauses approved by the European Commission.
10. DATA SUBJECT RIGHTS
As users, data subjects have the following rights:
- Right of access: to their data, to obtain confirmation whether or not personal data concerning them exists, even if not yet recorded, and communication of such data in an intelligible form; to obtain information on:
a) the source of the personal data;
b) the purposes and methods of processing;
c) the logic applied in case of processing using electronic tools;
d) the identity of the data controller, processors, representatives and persons authorized to process the data;
e) the entities or categories to whom the data may be communicated or who may become aware of it (Art. 15 GDPR).
- Right to rectification: of inaccurate data, or integration of incomplete data (Art. 16 GDPR).
- Right to erasure: of unlawfully processed data, including data that need not be kept for the purposes they were collected for (Art. 17 GDPR).
- Right to restriction: of processing under certain circumstances (e.g., when accuracy is contested, processing is unlawful, or the user opposes processing) (Art. 18 GDPR).
- Right to data portability: to receive personal data in a structured, commonly used format, readable by automatic devices, and to transmit it to another controller without hindrance, subject to the principles of transparency, lawfulness, and proportionality (Art. 20 GDPR).
- Right to object: in whole or in part, for legitimate reasons to the processing of personal data concerning them, even if relevant to the purpose of collection, or for processing for purposes other than those intended (Art. 21 GDPR).
11. OBJECTION TO PROCESSING AND WITHDRAWAL OF CONSENT
As provided by the Regulation, if the user has given consent for one or more processing purposes, they may withdraw it at any time, in whole or in part, without affecting the lawfulness of processing based on consent before its withdrawal.
Consent may be revoked simply by contacting the Data Controller using the contact methods provided in this Privacy Notice.
Additionally, if a user no longer wishes to receive marketing emails, they may click “IF YOU NO LONGER WISH TO RECEIVE OUR NEWSLETTERS YOU CAN UNSUBSCRIBE BY CLICKING HERE,” which is included in such messages, or use the other contact methods provided.
- Right to withdraw consent at any time, without affecting prior lawful processing.
- Right to lodge a complaint with the relevant supervisory authority.
12. EXERCISING DATA SUBJECT RIGHTS
The user can exercise their rights at any time by sending a request via email to the address listed in point 1 of this privacy notice, by writing to the Data Controller’s Privacy Office, or by contacting the Privacy Office or the Data Controller directly.
Users may also contact the Italian Data Protection Authority at Piazza Venezia 11, 00187 Rome, Tel: (+39) 06.696771, Fax: (+39) 06.69677.3785. General inquiries can be sent to:
13. CHANGES TO THIS PRIVACY POLICY
The Data Controller reserves the right to make changes to this Privacy Policy at any time by notifying users on this site. Please consult this page often, referring to the date of last modification indicated at the end. If the changes are not accepted, the user may request deletion of their personal data.
14. MATERIALS
All content on the websites (not uploaded by users) is part of the Data Controller’s own archive (including co-controllers), including images. Some photos are taken from online archives. Users uploading content for publication on the websites declare they hold the rights (including for commercial use) to the images uploaded and assume full responsibility for the legality and origin of such images.
15. PROCEDURE FOR WITHDRAWING CONSENT FOR DATA PROCESSING
Dear user, you may request the withdrawal of one or more privacy consents listed below by emailing the address in point 1 of this Privacy Policy and specifying which option(s) to revoke:
- Withdrawal of email communications
- Withdrawal of third-party marketing communications via email
Requests are usually processed within 48 hours.
HOW TO DISABLE COOKIES IN BROWSERS
Detailed browser-specific instructions are provided for:
16. DEFINITIONS AND LEGAL REFERENCES
- Personal Data: Any information that identifies or makes a person identifiable, directly or indirectly.
- Usage Data: Information collected automatically through this Application (or third-party services), e.g., IP addresses, browser type, pages visited, etc.
- User: The individual using this Application.
- Data Subject: The individual to whom the Personal Data refers.
- Data Processor: The individual or entity processing personal data on behalf of the Controller.
- Data Controller: The individual or entity determining the purposes and means of processing personal data.
- This Application: The means (hardware or software) by which personal data is collected and processed.
- Service: The service provided by this Application.
- EU (European Union): Includes all EU and EEA member states.
- Cookies: Tracking tools stored in the user’s browser.
- Tracking Tool: Any technology used to track users, e.g., cookies, beacons, scripts, etc.
Legal references: This Privacy Policy is drafted in accordance with multiple legal systems, including Articles 13 and 14 of Regulation (EU) 2016/679 (GDPR).
Unless otherwise stated, this Privacy Policy applies only to this Application.
17. ACCEPTABLE USE POLICY (AUP) FOR WEBSITE USERS
Prohibited Use
Users may not use the services to publish content or engage in activities that are illegal under applicable laws, harmful to others, or that may expose us to liability. This includes (but is not limited to):
- Phishing or identity theft;
- Distribution of viruses, worms, trojans, or other malware;
- Sharing pornography or adult content, or offering escort services;
- Promoting or facilitating violence or terrorism;
- Violating others' intellectual property or proprietary rights.
Enforcement
User services may be suspended or terminated, with or without notice, in the event of a violation of this policy. Any violation may result in the immediate suspension or closure of your account.
Reporting Violations
To report a violation of this policy, please contact us as outlined in Section 12 of this notice.
We reserve the right to amend this policy at any time, and you will be promptly informed of any updates. To ensure you are aware of the latest changes, we recommend visiting this page regularly.
18. DATA DELETION PROCEDURE
Request for Deletion of Personal Data
Users have the right to request the deletion of their personal data in accordance with Article 17 of the European Regulation 2016/679 (GDPR). To exercise this right, users may send a written request to the email address provided in Section 1 of this notice or use the form available on the website.
The request must include the following information:
- Full name
- Email address used for registration
- A clear description of the deletion request
We are committed to responding to all deletion requests without undue delay and, in any case, within one month of receiving the request. If additional information is required to verify the user's identity, we reserve the right to extend the response time by up to two months, informing the user of the reason for the delay.
Please note that there may be circumstances in which we are unable to proceed with the deletion of data, such as when the data is necessary to fulfill legal obligations or for archiving purposes. In such cases, we will inform the user of the reasons we cannot fulfill the request.