Privacy Policy

Overview

This privacy notice explains how we collect, use, store, share, and protect personal data when you visit or interact with our website and services. We are committed to processing personal data in full compliance with Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”), the ePrivacy Directive 2002/58/EC as amended and implemented in EU Member States, applicable national privacy laws, and relevant guidance issued by the European Data Protection Board (EDPB) and national supervisory authorities. This notice reflects the state of EU/EEA privacy guidance updated as of October 2025 and incorporates recent case law of the Court of Justice of the European Union (CJEU). We are transparent about our data processing activities and provide you with meaningful control over your personal information.

Definitions

For the purposes of this notice: “Personal data” means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Controller” means the natural or legal person which determines the purposes and means of the processing of personal data. “Processor” means the natural or legal person which processes personal data on behalf of the controller. “Services” refers to our website, applications, features, content, and related services that we offer or make available to you.

Data Controller

Viterbo Antica — VAT/Tax Code: 07045911000
Via San Tommaso, 73
Contact: info@bbviterboantica.com

Applicable Laws

All processing activities are carried out in strict compliance with the GDPR (Regulation (EU) 2016/679), the ePrivacy Directive (Directive 2002/58/EC) as implemented in the national laws of EU Member States, consumer protection rules under Regulation (EU) 2016/679, Directive 2005/29/EC on unfair commercial practices, and any sector-specific obligations applicable to our services. We also comply with national data protection laws implementing these European frameworks, including provisions on the confidentiality of electronic communications, direct marketing, cookies and similar tracking technologies. Our processing activities respect the fundamental rights and freedoms of data subjects as guaranteed by the Charter of Fundamental Rights of the European Union, in particular Article 7 (respect for private and family life) and Article 8 (protection of personal data). We follow recommendations and guidance issued by the European Data Protection Board, the former Article 29 Working Party, and competent national supervisory authorities.

Categories of Data We Process

Depending on how you interact with our website and services, we may process different categories of personal data, including: identification and contact data (such as full name, email address, phone number, postal address, username); account and authentication data (such as passwords, security questions, authentication tokens); technical data (such as IP address, browser type and version, operating system, device identifiers, unique device tokens, advertising identifiers, connection information, access logs, referrer URLs); usage and behavioural data (such as pages visited, features used, actions taken, click patterns, mouse movements, scroll depth, time spent on pages, search queries, interaction timestamps); geolocation data (such as precise GPS location when permission is granted, or approximate location derived from IP address); preference and settings data (such as cookie consent choices, marketing preferences, language preferences, accessibility settings, notification preferences); transactional and commercial data (such as purchase history, payment details, billing information, order records); communications data (such as customer support correspondence, feedback, survey responses, chat transcripts); and profile and derived data (such as inferred interests, preferences, demographic characteristics based on your interactions). Additional categories of information collected by specific third-party services integrated into our website are described in detail in the services and cookies table below, along with the respective purposes and legal bases.

Sources of Data

We collect personal data from various sources: (1) Data you provide directly: when you register for an account, fill out forms, subscribe to newsletters, make purchases, request information, participate in surveys, communicate with customer support, post content, take part in community features, or otherwise voluntarily submit information through our services. (2) Data we collect automatically: when you visit or use our services, we automatically collect certain technical and usage data via cookies, web beacons, pixels, local storage, server logs, and similar tracking technologies. This includes information about your device, browser, IP address, pages viewed, features used, timestamps, referrers, and browsing patterns. See our Cookie Notice for detailed information on cookies and similar technologies. (3) Data from third parties: we may receive personal data from trusted business partners, service providers, analytics providers, advertising networks, social media platforms (when you connect your account or interact with social features), payment processors, fraud prevention services, data enrichment providers, and publicly available sources (such as public registers, directories, publicly set social media profiles) where legally permitted and necessary for legitimate business purposes. (4) Combined sources: we may combine data collected from different sources to build a fuller picture of our users, improve our services, personalise experiences, and strengthen security, always in line with applicable data protection requirements.

Mandatory and Optional Data

Whenever personal data is requested via forms or other interfaces, we clearly distinguish and indicate which data fields are mandatory (required) to provide the requested service and which are optional (voluntary). Mandatory fields are typically marked with an asterisk (*) or another clear visual indicator, and we explain why the information is necessary. Refusing to share optional data will not adversely affect your ability to use our services, receive support, or exercise your rights. However, failure to provide mandatory data may prevent us from fulfilling your request, completing a transaction, creating an account, responding to your inquiry, or providing certain features or services. In such cases, we will explain the consequences of not providing the requested information. The distinction between mandatory and optional data is based on the principles of necessity and proportionality under Article 5(1)(c) GDPR, ensuring that we collect only data that is adequate, relevant, and limited to what is necessary for the specified purposes.

Purposes of Processing

We process personal data for the following specific purposes: (1) Service delivery and provision: to provide, operate, maintain, and deliver our services, features, and functionalities; to create and manage user accounts; to process transactions and fulfil orders; to provide customer support and respond to requests and inquiries; to send service-related communications, notices, and updates. (2) Security and fraud prevention: to detect, prevent, and respond to security incidents, fraud, abuse, unlawful activity, and violations of our terms of service; to verify identity and authenticate users; to protect the rights, property, and safety of our organisation, users, and the public. (3) Analytics and performance measurement: to analyse usage patterns, measure effectiveness, understand user behaviour, monitor service performance, identify technical issues, and generate statistical insights; to conduct research and development. (4) Service improvement and innovation: to enhance existing features, develop new features and services, improve user experience, test new functionalities, and optimise our content, design, and offerings. (5) Personalisation and tailored experiences: to provide personalised content, recommendations, advertising, and experiences aligned with your interests and preferences, only where you have given the relevant consent or where permitted by applicable law. (6) Marketing and communications: to send promotional communications, newsletters, marketing materials, and information about products and services that may interest you, only with prior consent where required by law. (7) Compliance and legal obligations: to comply with legal obligations, regulatory requirements, court orders, governmental requests, and to enforce our legal rights and agreements. (8) Business operations: to manage our business operations, maintain records, conduct internal administration, and perform accounting and auditing functions. 
Each processing purpose is associated with a specific legal basis as detailed in the Legal Bases section below.

Legal Bases

Each processing activity relies on one or more of the following legal bases under Article 6(1) GDPR: (a) Consent (Article 6(1)(a) GDPR): for optional processing activities such as non-essential analytics, marketing cookies, marketing profiling, third-party advertising, optional service features, and marketing communications. Consent must be freely given, specific, informed, and unambiguous, provided by a clear affirmative action. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. (b) Contractual necessity (Article 6(1)(b) GDPR): where processing is necessary for the performance of a contract to which you are party (such as our Terms of Service) or in order to take steps at your request prior to entering into a contract. This includes processing necessary to provide requested services, create and manage accounts, process payments, and deliver purchased products or services. (c) Compliance with legal obligations (Article 6(1)(c) GDPR): where processing is necessary to comply with a legal obligation to which we are subject, such as tax and accounting requirements, regulatory compliance, responses to legitimate governmental requests, cooperation with law enforcement, and record-keeping obligations. (d) Legitimate interests (Article 6(1)(f) GDPR): where processing is necessary for the purposes of our legitimate interests or those of a third party, provided such interests are not overridden by your interests or fundamental rights and freedoms. We rely on legitimate interests for: security and fraud prevention; essential analytics to understand service performance and technical issues; network and information security; direct marketing to existing customers for similar products; business continuity and disaster recovery; the establishment, exercise, or defence of legal claims. Before relying on legitimate interests, we conduct and document a balancing test (Legitimate Interests Assessment) that weighs our interests against your rights, considers the nature and sensitivity of the data, implements appropriate safeguards, and follows the latest guidance from the EDPB and national supervisory authorities. (e) Vital interests (Article 6(1)(d) GDPR): in rare cases, where processing is necessary to protect the vital interests of data subjects or another natural person. (f) Public interest or official authority (Article 6(1)(e) GDPR): where applicable for processing carried out in the public interest or in the exercise of official authority. The specific legal basis for each processing purpose and service is indicated in the services and cookies table below.

Recipients and Data Transfers

Personal data may be disclosed or shared with the following categories of recipients, strictly limited to what is necessary for the stated purposes: (1) Service providers and processors: third-party vendors, contractors, and service providers that process data on our behalf under written data processing agreements (hosting providers, cloud storage, CDN services, email delivery, payment processors, analytics providers, customer support platforms, security services). (2) Business partners: trusted partners with whom we collaborate to provide services, fulfil orders, or offer integrated features, subject to contractual confidentiality and data protection obligations. (3) Advertising and marketing partners: where you have provided consent, we may share data with advertising networks, marketing platforms, and social media services for targeted advertising and marketing purposes. (4) Professional advisors: lawyers, accountants, auditors, insurers, and other professional advisors when necessary for business operations or legal compliance. (5) Competent authorities: law enforcement, regulators, courts, government agencies, and other public authorities when required by law, in response to legal proceedings, to protect rights and safety, or to comply with regulatory obligations. (6) Corporate transactions: in connection with any merger, sale, acquisition, restructuring, or asset transfer, potential buyers or investors may receive personal data subject to confidentiality obligations. (7) With your consent: other third parties where you have provided specific consent or at your direction. 
Where recipients are located outside the European Economic Area (EEA), international data transfers occur only when: (i) the European Commission has issued an adequacy decision recognising that the destination country provides an adequate level of protection (Article 45 GDPR); or (ii) appropriate safeguards are in place, such as the European Commission’s Standard Contractual Clauses (Article 46 GDPR), Binding Corporate Rules, approved codes of conduct, or certification mechanisms; and (iii) additional technical, organisational, and contractual measures are implemented in line with the latest EDPB recommendations (notably following the CJEU’s Schrems II decision) to ensure a level of protection essentially equivalent to that in the EU. We assess the legal regime of destination countries and implement supplementary measures where necessary. Details of specific international transfers and safeguards are available upon request.

Processors and Authorized Personnel

Access to personal data is strictly controlled and limited on a need-to-know basis. Only authorised personnel who have been properly trained on data protection principles, confidentiality obligations, security procedures, and relevant policies have access to personal data. All employees, contractors, and other personnel with access to personal data are bound by contractual confidentiality obligations and are subject to disciplinary action in case of violations. We implement role-based access controls, authentication mechanisms, activity logging, and periodic access reviews. External service providers, vendors, and other third parties that process personal data on our behalf (“processors”) operate under written data processing agreements (DPAs) that fully reflect the requirements of Article 28 GDPR. These contracts require processors to: process data only on documented instructions; implement appropriate technical and organisational security measures; maintain confidentiality; assist with data subject rights requests; assist with security incidents and data breach notifications; delete or return personal data upon termination of the engagement; demonstrate compliance through audits and inspections; and engage sub-processors only with prior authorisation and under equivalent contractual obligations. We conduct due diligence assessments of processors prior to engagement, regularly monitor and evaluate their compliance with contractual obligations, review audit reports and security certifications, and maintain an up-to-date record of processors and processing activities as required by Article 30 GDPR.

Security Measures

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks to the rights and freedoms of natural persons. Our security measures include: (1) Technical measures: encryption of personal data in transit using TLS/SSL and at rest using industry-standard algorithms; secure authentication mechanisms including strong password policies, multi-factor authentication, and session management; access controls with role-based permissions, least-privilege principles, and periodic access reviews; network security including firewalls, intrusion detection and prevention systems, network segmentation, and security monitoring; logging and monitoring of accesses, activities, security events, and anomalies; periodic vulnerability assessments, penetration testing, and security audits; secure software development practices, code reviews, and security testing; data backup and recovery procedures to ensure availability and resilience; pseudonymisation and anonymisation where appropriate to reduce risks. (2) Organisational measures: data protection policies, procedures, and guidelines; data minimisation and storage limitation principles applied throughout the data lifecycle; staff training and awareness on data protection, security, and confidentiality; incident response procedures and data breach management; periodic compliance assessments and internal audits; vendor management and third-party security assessments; business continuity and disaster recovery planning; privacy by design and by default embedded into systems and processes; documented Data Protection Impact Assessments (DPIAs) for high-risk processing activities. (3) Physical measures: physical access controls to facilities and server rooms; environmental controls and monitoring; secure disposal of media and equipment. We regularly test, assess, and evaluate the effectiveness of these technical and organisational measures, update them to address evolving threats, and maintain alignment with industry best practices and regulatory guidance.

Automated Decision-Making and Profiling

We may use profiling, meaning any form of automated processing of personal data to evaluate certain personal aspects, in particular to analyse or predict aspects concerning your preferences, interests, behaviour, location, or movements. Profiling activities may include: analysing your usage patterns to recommend content or products; segmenting users for marketing purposes; personalising website content and user interfaces; predicting interests based on browsing history and interactions. Profiling is carried out only when based on a valid legal basis (typically your consent or our legitimate interests after a balancing test) and with appropriate safeguards. Automated decision-making refers to decisions taken solely by automated means without any human involvement. We do not carry out automated decision-making that produces legal effects concerning you or similarly significantly affects you (as defined in Article 22 GDPR) unless: (i) it is necessary for entering into or performing a contract between you and us; (ii) it is authorised by Union or Member State law to which we are subject and which also lays down suitable measures to safeguard your rights, freedoms, and legitimate interests; or (iii) it is based on your explicit consent. Where automated decision-making is used, we implement appropriate safeguards including: providing meaningful information about the logic involved; ensuring the availability of human intervention; allowing you to express your point of view and contest the decision; performing periodic accuracy and bias assessments. You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you, and you can exercise this right by contacting us as indicated in the “How to Exercise Your Rights” section.

Retention

Personal data are retained only for as long as necessary to achieve the purposes for which they were collected, in accordance with the storage limitation principle under Article 5(1)(e) GDPR. Our retention periods are based on: (1) Purpose-based retention: data are kept for as long as needed to provide services, maintain accounts, fulfil contractual obligations, and achieve the purposes described in this notice. (2) Legal and regulatory retention requirements: some data must be kept for specific periods to comply with legal obligations such as tax laws (typically 7–10 years for financial records), accounting requirements, regulatory obligations, labour laws, and other statutory retention duties. (3) Legal claims and litigation: data may be retained longer where necessary for the establishment, exercise, or defence of legal claims, typically until the expiration of applicable limitation periods. (4) Consent-based retention: where processing is based on consent, data are retained until consent is withdrawn, unless another legal basis applies or statutory retention obligations require continued storage. (5) Legitimate-interest retention: where based on legitimate interests, data are retained for as long as the legitimate interest persists and is not overridden by your rights. 
Specific retention periods include: account data retained while your account is active and for a limited period after closure; transactional records retained in accordance with applicable financial and tax regulations; marketing consent records retained for the period required by law to demonstrate compliance (typically 3–5 years after withdrawal); consent management records (cookie consents) retained as required by law and applicable guidance (typically 6–24 months); access logs and security data typically retained for 6–12 months unless a longer retention is required for security investigations; cookies and similar technologies follow the duration indicated in the cookies tables and our Cookie Notice. At the end of the applicable retention periods, personal data are securely deleted, destroyed, or anonymised (rendered non-identifiable) so that they can no longer be attributed to an identifiable individual. We conduct periodic reviews of retained data to ensure compliance with retention policies and the deletion of data no longer needed. Detailed retention schedules for specific data categories and processing activities are available upon request.

Data Subject Rights

Under the GDPR and applicable data protection laws, you have the following rights regarding your personal data: (1) Right of access (Article 15 GDPR): You have the right to obtain confirmation as to whether or not personal data concerning you are being processed and, where that is the case, access to the personal data and information about the processing including purposes, categories of data, recipients, retention periods, and sources of the data. (2) Right to rectification (Article 16 GDPR): You have the right to obtain without undue delay the rectification of inaccurate personal data and the completion of incomplete personal data. (3) Right to erasure / right to be forgotten (Article 17 GDPR): You have the right to obtain the erasure of personal data concerning you without undue delay where: the data are no longer necessary in relation to the purposes; you withdraw consent and there is no other legal ground; you object to processing based on legitimate interests and there are no overriding legitimate grounds; the data have been unlawfully processed; erasure is necessary to comply with a legal obligation; or the data were collected in relation to the offer of information society services to a child. This right does not apply where processing is necessary for compliance with a legal obligation, for the establishment, exercise, or defence of legal claims, or other exceptions under Article 17(3). (4) Right to restriction of processing (Article 18 GDPR): You have the right to obtain restriction where: you contest the accuracy of the data (for the period necessary for verification); processing is unlawful and you oppose erasure and request restriction instead; we no longer need the data but you require them for legal claims; or you have objected to processing pending verification of whether our legitimate grounds override yours. (5) Right to data portability (Article 20 GDPR): You have the right to receive the personal data concerning you which you have provided to us in a structured, commonly used, machine-readable format and to transmit those data to another controller, where processing is based on consent or contract and is carried out by automated means. (6) Right to object (Article 21 GDPR): You have the right to object at any time to processing of your personal data based on legitimate interests or the performance of a task carried out in the public interest, on grounds relating to your particular situation. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims. You have an absolute right to object to processing for direct marketing purposes, including profiling related to direct marketing. (7) Right to withdraw consent (Article 7(3) GDPR): Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent prior to withdrawal. (8) Right not to be subject to automated decisions (Article 22 GDPR): You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects concerning you or similarly significantly affect you, subject to certain exceptions. (9) Right to lodge a complaint (Article 77 GDPR): You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.

How to Exercise Your Rights

To exercise any of your data protection rights, submit your request by: (1) emailing the contact address indicated in the Data Controller section above; (2) using the dedicated contact form available on our website; (3) sending a written communication to the postal address indicated in the Data Controller section; or (4) contacting our Data Protection Officer if appointed. Your request should clearly identify which right(s) you wish to exercise and provide sufficient information to allow us to identify you and locate your personal data. We will respond to your request without undue delay and in any event within one month of receipt, in accordance with Articles 12 and 15–22 GDPR. This period may be extended by two months where necessary, taking into account the complexity and number of requests. If we extend the response period, we will inform you of the extension and reasons for the delay within one month of receiving the request. To ensure security and protect against fraudulent requests, we may ask for additional information to verify your identity before responding to your request, particularly for access, erasure, or portability requests. This is a security measure to ensure that personal data are not disclosed to unauthorised persons. Where we have reasonable doubts concerning your identity, we may request further information necessary to confirm your identity. We provide information and respond to requests free of charge. However, where requests are manifestly unfounded or excessive, in particular because of their repetitive character, we may: (i) charge a reasonable fee taking into account the administrative costs of providing the information or taking the requested action; or (ii) refuse to act on the request. In such cases, we will demonstrate why the request is manifestly unfounded or excessive. 
If we decide not to take action on your request, we will inform you without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Withdrawal of Consent and Cookie Management

You have the right to withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. You can change and manage your consent choices and preferences at any time through the following methods: (1) Cookie preferences interface: access the cookie consent management tool displayed in the footer of our website or available via a dedicated preferences button. This tool allows you to review, enable, or disable different categories of cookies and modify your consent choices. (2) Browser settings: you can configure your web browser to refuse all or some cookies, to alert you when cookies are set, or to delete cookies that have already been set. Note that disabling cookies may affect the functionality of our website and limit your ability to use certain features. Instructions for managing cookies in popular browsers are available in their respective help sections. (3) Opt-out mechanisms: for specific services, analytics or advertising partners, you may use their opt-out mechanisms; links are provided in the services and cookies table below and in our Cookie Notice. (4) Email preferences: you can unsubscribe from marketing emails by clicking the unsubscribe link included in each marketing communication or by changing your email preferences in your account settings. (5) Account settings: if you have an account, you can manage communication preferences, privacy settings, and data sharing options in your account settings. Note that withdrawing consent or opting out of certain processing does not affect: processing necessary to perform a contract with you (such as providing core services you requested); processing based on legal obligations; processing based on legitimate interests (although you may have the right to object); and the lawfulness of processing carried out before consent withdrawal. 
Even if you opt out of marketing communications, we may still send you service-related, transactional, and administrative messages necessary for your use of the services. Withdrawing consent for essential cookies required for the operation of the service may result in limited functionality or unavailability of certain features.

Children’s Data

Our services are not intended for, directed to, or designed to attract minors below the age required by applicable law to provide valid consent to the processing of personal data. In the European Union, that age is generally 16, although Member States may set a lower age by law (not below 13). We do not knowingly collect, use, or disclose personal data of children under the applicable age of consent without verifiable parental or guardian consent. Where processing children’s personal data is necessary for the provision of information society services, it is lawful only when consent is given or authorised by the holder of parental responsibility over the child, and we have made reasonable efforts to verify that consent is given or authorised by the holder of parental responsibility, taking into account available technology. If we become aware that we have inadvertently collected personal data from a child below the applicable age without proper authorisation, valid parental consent, or another lawful basis, we will promptly: (i) delete the information as soon as possible; (ii) not use or disclose the information for any purpose; (iii) cease any profiling or tracking activities; (iv) investigate how the data were collected and take steps to prevent recurrence; and (v) take any further measures necessary to comply with applicable laws and supervisory guidance. We encourage parents and guardians to monitor their children’s online activities and to help enforce this notice by instructing children never to provide personal information through our services without permission. If you have reason to believe that a child below the applicable age has provided personal data to us, please contact us immediately using the details provided in this notice and we will take appropriate action.

Data Breach Management

We maintain comprehensive procedures and response plans to detect, assess, report, investigate, respond to, and mitigate personal data breaches in accordance with Articles 33 and 34 GDPR. A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. Our data breach management procedures include:

(1) Detection and assessment: monitoring systems and security controls to detect potential breaches; procedures for employees, contractors, and processors to report suspected breaches; prompt assessment of the nature, scope, and potential consequences of the breach; determination of whether the breach is likely to result in a risk or high risk to the rights and freedoms of natural persons.

(2) Notification to the supervisory authority (Article 33 GDPR): where a personal data breach is likely to result in a risk to the rights and freedoms of natural persons, we notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it. If notification is not made within 72 hours, we provide reasons for the delay. The notification includes: the nature of the breach, including the categories and approximate number of data subjects and data records concerned; the name and contact details of our Data Protection Officer or other contact point; the likely consequences of the breach; and the measures taken or proposed to address the breach and mitigate its possible adverse effects.

(3) Communication to data subjects (Article 34 GDPR): where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, we communicate the breach to data subjects without undue delay, in clear and plain language. The communication describes the nature of the breach, provides contact details of our Data Protection Officer or relevant contact point, describes the likely consequences, and sets out the measures taken or proposed to address the breach and mitigate its adverse effects. Communication to data subjects is not required if: we have implemented appropriate technical and organisational protection measures (such as encryption) rendering the data unintelligible to anyone not authorised to access it; we have subsequently taken measures which ensure that the high risk is no longer likely to materialise; or it would involve disproportionate effort, in which case we will issue a public communication or similar measure.

(4) Internal documentation: we document all personal data breaches, including the facts relating to the breach, its effects, and the remedial actions taken, to enable the supervisory authority to verify compliance with Article 33, even where notification is not required.

(5) Investigation and resolution: conducting thorough investigations to determine root causes; implementing corrective and preventive actions to address vulnerabilities; reviewing and updating security measures and procedures; training and awareness to prevent future incidents.

(6) Processor obligations: our data processing agreements require processors to notify us without undue delay after becoming aware of a personal data breach involving our data, enabling us to meet our notification obligations.

Data Protection Officer

Gianluca Bono — info@bbviterboantica.com

Contacting the Supervisory Authority

Under Article 77 GDPR, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data infringes data protection laws or that your privacy rights have been violated. You may lodge a complaint with the supervisory authority of the EU Member State: (i) of your habitual residence; (ii) of your place of work; or (iii) of the place of the alleged infringement. This right is without prejudice to any other administrative or judicial remedy, meaning you may lodge a complaint with a supervisory authority in addition to or instead of seeking remedies through the courts. The competent supervisory authority in each EU and EEA Member State is responsible for overseeing application of the GDPR, handling complaints, conducting investigations, and imposing administrative fines for violations. The supervisory authority with which the complaint has been lodged will inform you of the status and outcome of the complaint, including the possibility of a judicial remedy. Contact details, complaint forms, and procedures for all EU/EEA supervisory authorities are available on the European Data Protection Board (EDPB) website at https://edpb.europa.eu/about-edpb/about-edpb/members_en. We are committed to cooperating with supervisory authorities and resolving any complaints or concerns related to our data processing practices. If you have concerns, we encourage you to contact us first so we can attempt to resolve the issue directly. However, you always have the right to lodge a complaint with a supervisory authority.

Governance and Notice Updates

We are committed to maintaining an accurate, transparent, and up-to-date privacy notice that reflects our current data processing practices and complies with applicable legal requirements. We review and update this privacy notice at least annually, or more frequently when: (i) our processing operations, purposes, legal bases, or data flows change significantly; (ii) new services, features, or technologies are introduced; (iii) new legal requirements, regulations, or guidance take effect; (iv) case law from the Court of Justice of the European Union or national courts affects our processing activities; (v) the European Data Protection Board or national supervisory authorities issue new guidance, recommendations, or binding decisions; or (vi) any other circumstance requires updates to ensure continued alignment with the GDPR, the ePrivacy framework, national implementations, and sectoral regulations in force as of October 2025. When we make material changes to this privacy notice that may affect your rights or how we process your personal data, we will communicate updates through one or more of the following methods, as appropriate: (1) a prominent notice on our website or within our services; (2) direct email notification to registered users; (3) in-app notices or alerts; (4) a request to renew consent where processing is based on consent and changes affect the scope or purposes of processing; or (5) other appropriate means to ensure you are informed. For minor and non-material updates (such as formatting, clarifications, contact detail changes, or updates reflecting organisational changes that do not affect processing), we may simply update the notice and change the “last updated” date without separate notice. We encourage you to review this privacy notice periodically to stay informed about how we collect, use, and protect your personal data. The current version of this notice is always available on our website. Previous versions may be available upon request.

Services and Cookies

Strictly necessary

Essential cookies that are required for the website to function; they cannot be disabled.

Service | Provider | Purpose | Cookies & retention | Legal basis
Gravatar (Privacy Policy) | Automattic Inc. | Avatar images | No cookies declared / N/A | Legitimate interest
Yoast SEO (Privacy Policy) | Yoast BV | SEO optimization | No cookies declared / N/A | Legitimate interest
WPML (Privacy Policy) | OnTheGoSystems Ltd. | Multilingual content | No cookies declared / Session | Legitimate interest
Cdn Trustindex (Privacy Policy) | Cdn Trustindex (third party) | Core website functionality and performance (auto-detected) | No cookies declared / Unknown | Legitimate interest

Marketing

Enable personalized advertising and tracking.

Service | Provider | Purpose | Cookies & retention | Legal basis
Twitter/X Embeds (Privacy Policy) | X Corp. | Embedded tweets | No cookies declared / 2 years | Consent

Preferences

Store user preferences such as language or location.

Service | Provider | Purpose | Cookies & retention | Legal basis
No services listed in this category.

Statistics

Collect anonymous statistics to improve our services.

Service | Provider | Purpose | Cookies & retention | Legal basis
No services listed in this category.

Last updated

This notice was generated on October 15, 2025 12:28 pm.