Privacy policy

Information on the subject of personal data protection

Art. 13 Reg. EU 679 of 27th April 2016

Pursuant to Article 13 of the "European Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data" (hereinafter "GDPR"), ABOCA S.p.A. Società Agricola (hereinafter ABOCA) with legal headquarters in Aboca 20, Sansepolcro 52037 (AR) – Arezzo Italy, in its capacity as Data Controller, is required to provide users who connect to the domains and (regardless of the purpose of the connection) with certain information regarding the processing of personal data carried out on these sites.

This document is the "Privacy Policy" (subject to any appropriate future updates) of this website and of the Aboca Museum App. For the purposes of this notice, and without prejudice to the definitions set out in Article 4 of the GDPR, the following definitions shall apply:

The domains; the domains, which can be accessed via the world wide web service of the internet, at the addresses and, comprising the data, the applications (Aboca Museum App), the technological resources, the human resources, the organisational rules and the procedures for the acquisition, storage, processing, exchange, retrieval and transmission of the information.

 Places where data is collected: areas within the domains and and the Aboca Museum App where personal data is collected.

  1. Warnings and Protection of Minors

Personal data will be processed in accordance with the principles of lawfulness, correctness and transparency. Personal data will be collected for specific, explicit, legitimate purposes (purpose limitation) and will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation). They will always be up-to-date and accurate and will not be stored for longer than is necessary for the purpose of fulfilling the Contract, without prejudice to the fulfilment of legal and tax obligations that set longer retention periods (storage limitation). The personal data will be processed in a manner that ensures that they are secure, confidential and unavailable to unauthorised third parties (integrity and confidentiality). If not expressly indicated, the provision of personal data through the collection points present on the sites and is restricted to persons over the age of 18.

  1. Reference standards and legal basis of the processing.

These processing operations, which shall be described in detail below, have their legal basis in the rules governing your right to protection of your personal data, your right to confidentiality, and finally in the rules allowing you to express or revoke, at any time, your informed consent to the processing operations, namely:

EU General Regulation 679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

Your informed consent, expressed in accordance with the current legal provisions concerning the protection of personal data (Art. 6 GDPR).

The fulfilment of contractual obligations undertaken by ABOCA on your behalf at the time of your subscription to the Service (Art. 6 GDPR);

Fulfilment of obligations or orders to which the Data Controller is bound by law or by order of the Authority (Art. 6 GDPR).

III. - Nature of the data being processed.

III.1. The optional, explicit and voluntary sending of electronic mail to the addresses indicated on this domain lead to the subsequent acquisition of the sender's address, which is necessary in order to respond to requests, as well as any other personal data included in the communication. Specific summary information will be progressively reported or displayed on the pages of the site designated for particular services upon request. Furthermore, where required by law, consent to the processing of your personal data will be requested from time to time.

III.2. - Provided that your consent is given, where necessary, the following categories of your personal data will or may be processed for the purposes indicated.

(a). - Common personal data, identification data.

Such as First name and Surname, Year of Birth, Sex, Address, City, Province, email address, telephone number, postcode, links to the profiles of the following social networks: Facebook, Instagram and Twitter.

(b). - Technical processing.

Data of a technical nature generated independently (in particular, IP addresses, log files relating to navigation on the Site and purchases made) are also processed.

ABOCA will retain, within the terms of the law, the log files and IP addresses used when making an online purchase, in order to prevent and detect possible fraud during online transactions.

Such personal data will be used exclusively for the control of network traffic to the domain

This information is not compiled in order to be associated with identified interested parties, but it could, by its very nature, allow users to be identified through processing and association with data held by third parties. This data is used solely for the purpose of obtaining anonymous statistical information on the use of the site and to check that it is functioning correctly, and is deleted immediately after processing. The data could be used to ascertain responsibility in the event of hypothetical cyber crimes against the site: currently, other than for this eventuality, the data on web contacts do not persist for more than seven days.

Credit card data.

To make a payment on the Site, the user must enter his or her credit or debit card reserved data (card number, holder, expiry date, security codes). Such data will not be processed by the Company that owns the Site but acquired by the provider of the payment service that will act as the autonomous Data Controller, without transiting through ABOCA’s server. The data will be acquired in encrypted format and in accordance with the security requirements of the Payment Card Industry (PCI) certification and the Data Security Standard (DSS), the purpose of which is to ensure that critical Cardholder Data is always secure. The payment service provider uses the TLS (Transport Layer Security) cryptographic protocol, providing authentication, data integrity, confidentiality and a higher level of security during transactions.

(c). - Cookies.

Furthermore, ABOCA processes data in an anonymous form and analyzes the data concerning the pages you visit on the domain, detected by means of cookies. Through these technologies (which allow us to understand your browsing preferences by checking the areas of the domain that you have visited previously) ABOCA can tailor its services to your needs, without making unnecessary registrations. (A cookie is a set of data that a website sends to the browser. The above data can also be stored on the computer by means of an anonymous tag that identifies the computer but not the user. Some ABOCA pages use cookies, sent by ABOCA or third parties, and other technologies to improve navigation of the Web site. You can set your browser to warn you before you receive a cookie, giving you the option of accepting it or not. It is also possible to disable cookies completely. Disabling cookies may cause some websites to not work properly.). For more detailed information on the use of cookies on the site, please consult the Cookies Policy available here.

(d). - particular categories of personal data.

In the event that the ABOCA domain is used to collect special categories of personal data pursuant to Article 9 of EU Reg. 679/2016, you will be informed in advance and given the opportunity to express your consent - in accordance with the law.

  1. - Nature of the provision of data and sources of the data.

Provision of your personal data is not usually compulsory, but in some cases it is necessary, and therefore compulsory, if you are to benefit from the services and functions of the site.

IV.1. - Data which must be provided.

IV.1.1. - The provision of certain personal data is necessary, and therefore compulsory, in order to fulfil your specific requests; you are always free not to provide your personal data, but in this case it may be impossible for the Data Controller to fulfil your requests, meet your requirements or make use of all the functions available on the website in their entirety.

IV.1.2. - It is necessary to provide personal identification data in order to:

(a). - register on the site and receive the desired information on ABOCA products, services and initiatives, along with other benefits.

IV.1.3. - This identification data will be processed both on paper and electronically, and will be kept by ABOCA exclusively for as long as the interested parties maintain their registration on the Site, or for a maximum of three years from the last action taken on  the Site. After these retention times, personal identification data will be automatically deleted.

IV.2. - Data used for authentication.

During the registration process, you will be able to decide on your access credentials, including your password, which only you will know. You will then be able to access the ABOCA website from a mobile device or desktop, by entering your personal authentication credentials in the fields provided, which you must keep safe.

We recommend that you choose a password that has at least the following characteristics: No less than eight characters long, including at least one special character. In the event that you forget your password, the recovery procedure includes a link to reset it independently. The authentication data will be encrypted from the moment they are first used and ABOCA will not have any knowledge of them.

IV.3. - Sources of the data. 

We will collect your data from you directly, through your interactions with 

  1. Purpose of the processing.

Besides the processing necessary in relation to legal obligations, regulations, or arising from orders of the Authority, ABOCA will also carry out, exclusively with your consent and as necessary, the operations necessary to allow you to benefit from the services and functions of the site; in particular:

the management of your relationship with ABOCA;

purposes strictly connected and instrumental to the management of the aforementioned relationship (e.g. for the acquisition of pre-contractual information and to perform services and operations, as contractually agreed);

the purpose of analysing the information obtained in order to propose, through ABOCA's newsletter and/or promotional or advertising information, ABOCA’s services and/or products, or the products of third parties, which ABOCA considers to be of interest to you, as well opinion polls carried out by ABOCA;

the purpose of monitoring the development of customer relations and the control of credit and fraud risks related to ABOCA services;

to fulfill specific requests of the person concerned.

  1. Methods of processing your personal data.

In relation to all the purposes indicated in the preceding paragraphs, your personal data will be subject to electronic and paper processing and processed by specific computational procedures in order to personalise the services that ABOCA is able to offer you. The data will be processed in a way that guarantees their logical and physical security and confidentiality, and may be carried out using manual, computerised and telematic tools for storing, transmitting and sharing the data. The logic of the processing will be strictly limited to the purposes for which it is intended.

VI.1. - Data retention Policy.

With regard to the purposes referred to in letter (V.3), i.e. the provision of commercial or promotional information, the relevant processing which, in compliance with the provisions of Prov. Doc. web 1103045 of the Italian Data Protection Authority, shall not concern sensitive data, shall be carried out by the data controller, subject to the expression of his/her consent, for no longer than 24 months from the collection exclusively on aggregated data.

VI.2. - Data security and retention.

VI.2.1. - your personal data will be stored within the European Union, the relevant security policies are reviewed in accordance with the relevant best practices.

VI.2.2. - Traceability of access and operations. Audit Log.

Each access of the data will be stored in special log tables. The relevant information will contain the timestamp of the access to the data, the identifier of the user who accessed the data, the type of data accessed, the user who owns the data, the operation performed and the application from which the query was accessed.

(E.6.) - Profiling, automated decision-making process.

With the exception of the requirements set out in our cookie policy, we do not carry out any profiling operations in relation to the data collected through this website, other than those necessary to enable us to provide the services offered on the site.

 (E.7.) - Data Protection Impact Assessment.

ABOCA is carrying out specific evaluations in relation to the processing of personal data related to the operation of its website, using a specific assessment tool, made available by the French Data Protection Authority (Commission Nationale de l'informatique et des libertés) and a specific Privacy Impact Assessment (DPIA), the results of which will be available at the request of the interested party.

VII. - Data recipients and transfers abroad.

VII.1. - Data controllers and data processors.

The personal data referred to in this informative note may be disclosed to Data Processors or Persons in Charge of Processing as part of their role:

within ABOCA, qualified personnel, each within the limits of his or her competence and duties and on the basis of the tasks assigned and instructions given.

outside ABOCA, third parties, also specifically designated as data processors or persons in charge of the processing - which ABOCA uses for various services and exclusively to carry out these services - each within the limits of their own competences and duties and on the basis of the tasks assigned and the instructions given.

VII.2. - Communication (to specific external subjects) of the data.

ABOCA, for ordinary management, accounting and administrative activities, may communicate your personal data, after obtaining your consent in accordance with the law, where applicable, in compliance with security measures, to third party service providers for the sole purpose of performing the service you have requested, such as:  - postal service companies, - legal and notary firms, - consultants, including associated consultants, - other service companies, as well as other parties in compliance with any legal obligations (such as insurance companies, police authorities, judicial authorities, etc.). The list of these subjects to whom the data may be communicated is available at the headquarters of the Data Controller.

VII.3. - Transfer of personal data abroad.

ABOCA does not transfer personal data abroad on its own initiative. However, some third parties, service providers, may have their own servers physically located abroad (such as e-mail providers). In such cases, the transfer of data abroad will take place exclusively within and in compliance with Reg. EU 679/2016 Art. 44 ss.

VII.4. - Dissemination of the data (to unspecified external parties).

In no case may personal data be disclosed.

VIII. - Rights of the data subject.

Articles 15 to 22 of the GDPR give data subjects specific rights. Art. 15 of the GDPR gives you the right to access your personal data and to obtain a copy of it. The right to obtain a copy of the data must not prejudice the rights and freedoms of others.

By requesting access, the data subject has the right to obtain confirmation from ABOCA as to whether or not personal data relating to him or her are being processed and to be informed of the purposes and categories of data processed, the third parties to whom the data are communicated and whether the data are transferred to a non-EU country with appropriate safeguards. You also have the right to know how long your personal data will be stored, and you have the right to ask for inaccurate data to be corrected, incomplete data to be completed, and data to be deleted (right to be forgotten) under the conditions set out in Art. 17 of the GDPR, the limitation of processing, the withdrawal of consent, the portability of data and the right to object, at any time and without having to provide justification, to the processing for direct marketing purposes.

Rights may be exercised by e-mail to the address of ABOCA's Data Protection Officer, or by ordinary mail to the address indicated below. The Data Protection Officer may need to identify you by requesting that you provide a copy of your ID.

If a data subject considers that the processing of his or her personal data infringes the provisions of the GDPR or internal data protection legislation, he or she has the right to lodge a complaint with the Authority

for the Protection of Personal Data based in Rome, pursuant to art. 77 of the GDPR and/or to refer the matter to the Judicial Authority.

In order to exercise these rights, or to obtain any other information about them and, more generally, about the processing of your personal data, requests may be made via email to the following address:; - by ordinary mail to Aboca S.p.A., a company with registered offices in Loc. Aboca n. 20, - 52037 - Sansepolcro (AR), Italy.

  1. Withdrawal of Consent, Questions on Privacy, Access and Redress

You may withdraw your consent to the processing of your personal data at any time by informing us of your intention. If you have any questions or would like to have more information about the processing of your personal data or exercise the rights set out in point n.VI, you can send an email to the ABOCA website administrator by writing to You can also contact us at the same address for information regarding ABOCA's handling of information. Before ABOCA can provide or modify any information, you may need to verify your identity and answer some questions. We will respond as soon as possible.

  1. Data Controller.

The data controller is ABOCA with headquarters in Loc. Aboca 20, 52037, SANSEPOLCRO (AR).

  1. - Personal Data Protection Officer.

The DPO is Giuseppe Serafini, lawyer, with office in 06012 Città Di Castello (PG), Via S. Antonio nr. 7. email:

XI.1. - Data Processors.

The complete list of data processors is available at the company headquarters.

This mandatory information is subject to revision, according to any changes in the applicable legal provisions.