Privacy policy



With specific reference to your personal data as defined under Article 4(1)(1) of Regulation (EU) 2016/679 (“General Data Protection Regulation - GDPR”) in your capacity as “Data Subject”, the enterprise, THD S.p.A., (VAT and Tax Identification Number 02111430357), acting through its pro tempore legal representative, based in Correggio (RE), via dell’Industria 1 in its capacity as “Controller” under Article 4(1)(7) of the GDPR, hereby provides you with this notice to inform you of its privacy policy and so you can understand how it manages your personal data when you use its services on (“Website”)

1. Nature and type of data that we collect and process.
1.1. Your data being processed are exclusively browsing data. Browsing data are those personal data whose transmission is implicit in the use of Internet communication protocols. This data is used for the sole purpose of obtaining anonymous statistical information on the use of the site and to check its correct operation

2. Who is the Data Controller?
2.1. The “Controller” of the processing of your personal data, as specified in Article 4(1)(7) of the GDPR is the enterprise, THD S.p.A.., (VAT and Tax Identification Number 02111430357), acting through its pro tempore legal representative, based in Correggio (RE), via dell’Industria 1; you can contact the Controller by email at
2.2. Il soggetto “Responsabile della protezione” dei Vostri dati personali ex art. 37 del Regolamento è lo studio BALDI & PARTNERS - via Giovanni Gutenberg ,3- 42124 Reggio Emilia, nella persona dell’avvocato Sara Mandelli che può essere da Voi contattato ai seguenti recapiti: tramite l’indirizzo email
2.3. Si comunica che eventuali variazioni ovvero aggiornamenti circa i dati relativi al soggetto poc’anzi specificato verranno idoneamente pubblicati all’interno del sito web dello scrivente Titolare.

3. Purposes of data processing
3.1. In accordance with Article 5(1)(b) of the GDPR, we hereby inform you that the Controller will process your personal data collected via the Website to:
a) improve the use of this Website;
b) enable browsing on this Website.

4. Legal basis and mandatory and/or optional nature of processing
According to the purposes specified in paragraph 3 above, the Controller processes your Personal Data according to the following legal basis:
Provision of Service: processing for this purpose is necessary to be able to provide you the Services of the website. You are not required to give your Personal Data to the Controller for this purpose, but failure to do so means we will not be able to provide you with the Service.

5. Recipients of your Personal Data
In order to pursue any of the purposes described in paragraph 3 above, the Controller will disclose your Personal Data to its collaborators, who will act as persons authorized to process personal data. Furthermore, for the purposes described in paragraph 3 above, your Personal Data will be processed by third parties belonging, by way of example, to the following categories:
a) any subsidiary, parent or associated company of the Controller, including: SPAL AUTOMOTIVE S.R.L., (VAT and Tax Identification Number 01755790357), based in Correggio (RE) ITALY, via Per Carpi, 26/B
b) entities providing IT system management services, including server hosting and backup services;
c) entities that provide the Controller with tax, legal, judicial and compliance advice;
The entities listed above operate, in some cases, independently as separate data controllers, and in other cases, as data processors specifically appointed by the Data Controller in accordance with Article 28 of the GDPR.
Disclosure of your data to the above categories does not require your consent, as it is based on the legitimate overriding interest of the Data Controller, given that such disclosure is necessary for the purposes mentioned in paragraph 3 above.

You can ask the Controller for the complete, updated list of the entities to which your Personal Data may be disclosed. Moreover, with regard to the Provision of the Italian Data Protection Authority (Garante) made on 27 November 2008 “Misure e accorgimenti prescritti ai titolari dei trattamenti effettuati con strumenti elettronici relativamente alle attribuzioni delle funzioni di Amministratori di sistema” (Measures and mechanisms required by data processing controllers using electronic media with regard to attributing the functions of system administrator), as Data Subject you may also ask the Controller the names of the System Administrators of the operating systems containing your personal data collected. The personal data processed by the Controller are not disclosed.

Transferring personal data outside the European Union

THD S.p.A. does not intend to transfer your personal data to any non-EU countries. However, if, in execution of the purposes listed above, THD S.p.A. should transfer your data outside the European Union, the Controller will proceed to carry out such transfer only after establishing that one of the conditions laid down in Articles 44 et seq. of the GDPR is met, in order to ensure an adequate level of protection of your personal data.

6. Period of storage of collected and processed personal data
6.1 In accordance with art. 13 (2)(a) of the GDPR, the Controller will store Personal Data collected for the purposes of Provision of Services for as long as strictly necessary to provide the services requested. In any case, since those Personal Data are processed to provide the Services, the Controller may store them for longer, particularly if this is necessary in order to protect the interests of the Controller from any complaints that may be made about the Services.

7. How will your Personal Data be processed?
7.1 Your data will be processed in both paper form and/or using electronic and/or computerized and/or telecommunications media and instruments; the logic involved and the procedures used are strictly connected to the purposes specified and, in any case, adopting methods that ensure the security and confidentiality of the data in compliance with the provisions of Article 32 of the GDPR.

8. Rights of the Data Subject
8.1. With regard to your Personal Data that are processed by the Controller THD S.p.A. We hereby inform you that you are entitled to exercise the following rights under Articles 15 to 21 of the GDPR and, in particular:

• Right of access – Article 15 of the GDPR: the right to obtain from the Controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to your personal data – including a copy of them – and the following information:
a) the purposes of the processing
b) the categories of personal data processed
c) the recipients to whom the personal data have been or will be disclosed
d) the envisaged period for which the personal data will be stored or the criteria applied
e) the existence of the Data Subject's right to request from the controller rectification or erasure of personal data or restriction of processing
f) the right to lodge a complaint
g) where your personal data are not collected from you, any available information as to their source
h) the existence of automated decision-making, including profiling;

• right to rectification – Article 16 of the GDPR: the right to obtain without undue delay the rectification of inaccurate personal data concerning you and the right to have incomplete personal data completed;

• right to erasure (‘right to be forgotten’) – Article 17 of the GDPR: the right to obtain the erasure of personal data concerning you without undue delay, where one of the following grounds applies:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) you withdrew your consent and there is no other legal ground for the processing;
c) you successfully objected to the processing of your personal data;
d) your personal data have been unlawfully processed;
e) your personal data have to be erased for compliance with a legal obligation;
f) your personal data were collected in relation to the offer of services referred to in Article 8(1) of the GDPR. The right to erasure shall not apply to the extent that processing is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or for the establishment, exercise or defence of legal claims.
g) right to restriction of processing – Article 18 of the GDPR: the right to obtain restriction of processing where one of the following applies:
d) the accuracy of the personal data is contested by the data subject;
e) the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;
f) the personal data are required by the data subject for the establishment, exercise or defence of legal claims;
g) right to object – Article 21 of the GDPR: the right to object to the processing of your personal data unless the controller demonstrates compelling legitimate grounds for the processing;
h) right to data portability – Article 20 of the GDPR: the right to receive the personal data concerning you, which you have provided to the Controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance, where the processing is based on consent and the processing is carried out by automated means. In exercising your right to data portability, you also have the right to have the personal data transmitted directly from the Controller to another, where technically feasible;
i) right to lodge a complaint with the Italian Data Protection Authority (Garante), Piazza Venezia 11 , 00187 Rome (RM) - ITALY.

8.2. In accordance with Article 12(1) of the GDPR, THD S.p.A. undertakes to provide the communication under Articles 15 to 22 of the GDPR in a concise, transparent, intelligible and easily accessible form. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

8.3. In accordance with Article 12(3) of the GDPR, the Controller informs you that it undertakes to provide information on action taken on a request under Articles 15 to 22 of the GDPR to you without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

8.4. If you, the Data Subject want to exercise your rights as specified in more detail in this Article, you can use the contact information specified in Article 1 of this “Notice”.

8.5. Any action you take as Data Subject is provided free of charge, pursuant to Article 12 of the GDPR. However, if your requests are manifestly unfounded or excessive, in particular because of their repetitive character, the Controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request.

Lastly, please note that the Controller may request the provision of additional information necessary to confirm the identity of the Data Subject.

Correggio (RE), 24 November 2023

THD S.p.A.
(In its capacity as Data Controller)