Client and supplier policy

The Company Crippa s.r.l. con socio unico, as Data Controller of personal data pursuant to Article 4 of EU Regulation 2016/679 notifies you, pursuant to Article 13 of the Regulation, that it will process your personal data manually and/or electronically for the following purposes.


Data Controller of the user's personal data.

Crippa s.r.l. con socio unico is the Data Controller of the personal data transmitted, and is therefore responsible for the processing of data provided in accordance with applicable data protection law.  

Crippa s.r.l. con socio unico

VAT No. 02989810136

Headquarters: Arosio (CO), Via Buonarroti n. 3

Companies' Registry: COMO

Registration No.: 289716


Purposes of the data processing

The personal data provided will be processed for purposes of implementing contracts in force, including the pre-contractual phase (if any), and for the following purposes particular:

  • to transmit communications of various kinds and using various communications means (telephone, mobile phone, sms, e-mail, fax, postal services);
  • to make requests or process requests received;
  • to exchange information for purposes of implementing the contract, including pre- and post-contractual activities;
  • to carry out all management and administrative verification activities;
  • to carry out all activities in compliance with tax or accounting obligations.

Non-provision of one's personal data will make it impossible for us to implement contracts and associated compliance obligations, or to properly manage reciprocal business dealings.


Legal basis

The provision of data for the aforementioned purposes is voluntary. Non-provision of one's personal data could, however, make it impossible for us to give effect to existing contracts and associated compliance obligations.


Recipients of personal data

The personal data may be notified to third parties, for technical and operational reasons that are necessary and strictly related to the aforementioned purposes and, in particular, to the following categories of person/entity:

  1. bodies, professional persons, companies or others whom we appoint to handle data processing operations related to the fulfilment of contractual, administrative, accounting and management obligations associated with the contractual relationship in place;
  2. to public authorities and administrations for purposes related to the fulfilment of legal obligations, or to persons/entities who are entitled to access such data under EU legal or regulatory provisions;
  3. to banks, financial institutions or other entities to whom the aforementioned data must be communicated so as to enable us to comply with our contractual obligations to you;
  4. to legal consultants, accountants and labour law experts, in order to examine and resolve any legal problems associated with the contractual position in place.


Data retention period

Personal data are retained only for as long as necessary for the purposes for which they are processed, including post-contract, to facilitate compliance with all obligations associated with or arising from the relationship, or for specific periods provided for by EU and domestic legal and regulatory provisions (e.g. accounting and tax rules, etc.).

The data processed will be checked on an annual basis, and a decision made as to whether they may be erased if they are no longer necessary for the purposes envisaged.


Transfer of data

The Data Controller does not transfer personal data to third countries or to international organisations.


Rights of the data subject

Pursuant to Article 13.2 and Articles 15 to 21 of the Regulation, please note that the data subject is entitled to exercise the following rights pertaining to the processing of personal data: 

a) to obtain access to personal data and to the following information:

- confirmation as to whether or not one's personal data is being processed; 

- the purposes of the data processing operations;

- the categories of personal data;

- the recipients or categories of recipients to whom the personal data have been or will be communicated;

- if the data are not collected from the data subject, all available information as to their origin; 

- the existence of an automated decision-making process, including profiling;

- a copy of the personal data that are subject to data processing operations. 

b) Right to have one's personal data rectified and supplemented;

c) Right to have one's data erased ("right to be forgotten") for any one of the following reasons:

1. the personal data are no longer necessary in view of the purposes for which they were originally collected or otherwise processed; 

2. the data subject revokes his/her consent to the processing of personal data, and no other legal basis exists for the data processing;

3. the data subject objects to the data processing and no legitimate overriding reason exists to carry out the data processing;

4. the personal data have been processed unlawfully; 

5. the personal data must be erased in order to ensure compliance with a legal obligation under the law of the European Union or of the Member State to which the Data Controller is subject.

If the Data Controller has disclosed personal data and is obliged to erase them, then the Data Controller shall inform other Data Controllers involved in processing the personal data, of the data subject’s request to erase any link, copy or reproduction of his/her personal data.

d) Right to limit the data processing, in the event that:

1. The data subject disputes the accuracy of the personal data, for the period of time which the Data Controller requires in order to verify the accuracy of such personal data; 

2. The data processing is unlawful and the data subject opposes the erasure of the personal data, requesting instead that their use should be limited; 

3. Although the Data Controller has no further need of the personal data for data processing purposes, nevertheless the data subject requires them in order to ascertain, exercise or defend a right or entitlement in legal proceedings;

4. The data subject has opposed the data processing, pending an assessment of whether the Data Controller's legitimate reasons can take precedence over those of the data subject.

e) Right to submit a complaint to the Italian Data Protection Authority, following the procedures and guidelines published on its official website,

f) Right to portability of the data i.e. the right to receive - in a format that is structured and in common use and readable on an automatic device - personal data pertaining to him/her that have been supplied to a Data Controller and, as relevant, to transmit this data to another Data Controller if the processing is based on consent or on a contract and the data processing is carried out by automated means. The data subject is entitled to have his/her personal data transmitted directly from one Data Controller to another, if it is technically possible to do so.

g) Right to oppose personal data processing operations at any time, particularly where the data processing is not justified by the Data Controller's legitimate interests, clarifying the reasons for the objection.

h) Right to withdraw one's consent at any time; obviously, in a context where it becomes impossible to comply with legislative or contractual provisions in circumstances where the data processing is regulated by those provisions.

The exercise of the data subject's rights is not subject to any limitation of form, and is free.


How data subjects can exercise their rights

The Data Subject can exercise his/her rights at any time by sending an e-mail to


Data Controller

The Data Controller is Crippa s.r.l. con socio unico

Contact details. certified electronic mail: – Telephone: 031.760200