Privacy and Cookie Policy



  • Company name: SIFARMA SPA con Socio Unico
  • Address: Via Filippo Brunelleschi 12 – 20146 Milano
  • Telephone number: +39 02 422015 1
  • E-mail address:
  • Common name of data controller: SIFARMA


Data collection and use will be performed on the following types of data:

  • personal information: name, surname, tax code, etc.
  • contact details: telephone number, e-mail address, etc.
  • bank details: IBAN, credit card number, etc.
  • data relating to criminal convictions and offences: personal data relating to the criminal record, data relating to any administrative sanctions due to a criminal offence and any related pending charges, data on the status of defendant or suspect in accordance with Articles 60 and 61 of the code of criminal procedure; that is, personal data relating to criminal convictions and crimes or to related security measures

Data is collected for the following purposes:

a. Establishment and execution of the contractual relationship
- Post-sales assistance
- Customer Management
- Quality Management
- Planning of activities
- Customer satisfaction degree survey
- Customer invoicing records
b. To comply with regulations in force
c. If necessary, to ascertain, exercise or defend the rights of the Data Controller in and outside a judicial court
d. Marketing: e.g. to send text messages and e-mails, make telephone calls and send traditional mail for promotional and commercial offers related to services / products offered by the Company or to inform of company events, as well as to carry out market studies and statistical analysis
e. Company events, as well as carrying out market studies and statistical analysis
f. Profiling: analysis of preferences, habits, behaviours or interests of the customer for the purpose of sending personalised advertising information.


The applicable legal bases for data collection and use identified in the GDPR are:

  • The execution of a contract that involves you
  • The need to fulfil legal obligations
  • Optional consent, which can be withdrawn at any time without prejudice to you, also as regards the use of data that occurred before the withdrawal of consent


The data retention period can be as follows:

  • 10 years after the termination of the contract
  • In the event of litigation, for the duration of the dispute and for the time allowed to appeal any related judicial sentence
  • For marketing purposes: 60 months from data collection and, in any case, for a period of time not exceeding the time needed to meet the objectives for which data were collected and used and in compliance with terms established by law
  • For profiling purposes: 60 months from data collection and, in any case, for a period of time not exceeding the time needed to meet the objectives for which data were collected and used and in compliance with terms established by law.

Once the aforesaid retention period is over, the data will be destroyed, deleted or made anonymous, according to the technological means available for these purposes.


The provision of data for the purposes described in sections a), b) and c) above is mandatory. Failure to provide data will make it impossible to proceed with the contractual relationship.


Data may be transmitted to subjects other than the Data Controller. The data may also be transmitted to subjects who process them on behalf of the Data Controller acting as Data Processors according to a legally binding agreement that ensures data protection.

Third parties that may be provided with the data, e.g.:
a. IT companies (e.g. providers of data back-up, e-mail, WEB/cloud computing, hosting, network monitoring, e-mail sending, website maintenance services, etc.)
b. consultants (e.g. for payroll services, medical services, workplace safety consultancy services, professional services, etc.)
c. police and local authorities, security patrol services, public or private entities that have the right to demand data
d. other Entities of the Company

The list of data processors is constantly updated and available at the Data Controller's headquarters.


Data may be processed by employees based on their work duties, after being authorised and adequately instructed on data processing.



Data subjects have the following rights:
a. Right to access:
- The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; where the personal data are not collected from the data subject, any available information as to their source; the existence of automated decision-making, including profiling (and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject); where personal data are transferred to a third country, which are the appropriate safeguards.
- The data subject shall have the right to obtain from the data controller a copy of the personal data undergoing processing. The right to obtain a copy shall not adversely affect the rights and freedoms of others.
b. Right to erasure in the following cases: a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; b) the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing; c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing; d) the personal data have been unlawfully processed; e) the personal data have to be erased to comply with a legal obligation to which the data controller is subject; f) the personal data have been collected in relation to the offer of internet-based services.
d. Right to restriction of processing when the accuracy of the personal data is contested by the data subject; when the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; when the data controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; when the data subject has objected to processing (pending the verification whether the legitimate grounds of the data controller override those of the data subject).
e. Right to object, on grounds relating to his or her particular situation, at any time to processing of personal data (when processing is necessary for the performance of a task carried out in the public interest or for a legitimate interest of the controller, including profiling), except for the prevalence of other public interest rights or law obligations.
f. Where personal data are processed for direct marketing purposes carried out through automated methods (e-mail, etc.), the data subject shall have the right to object to processing of personal data for such marketing, which includes profiling related to such direct marketing.
g. Right to data portability, that is the data subject shall have the right to receive his or her personal data in a structured, commonly used and machine-readable format, in case the processing is carried out by automated means. The right to data portability includes the right to have the personal data transmitted directly from one data controller to another, where technically feasible.
h. As regards the cases described in sections b), c) and d), the data controller shall inform each of the recipients to whom the personal data have been transmitted of any rectifications, deletions or restriction of data processing performed unless this proves impossible or involves a disproportionate effort.
i. For further information, please refer to the company policy regarding the processing of personal data in the workplace, available from the Data Controller.

To exercise your rights, you can contact the Data Controller in accordance with Article 28 of EU Regulation 2016/679: Sifarma Spa, Via Filippo Brunelleschi 12, 20146 Milan, Italy (in the person of the Legal Representative), or by writing to the following email address:

Data subjects have the right to lodge a complaint with the competent Supervisory Authority in the Member State in which they normally reside or work or the Member State where the alleged violation has occurred.


Personal data not collected from the data subject originates from:

  • Data derived from requests for commercial information
  • Data derived from requests for information and marketing profiling




Cookies are made up of portions of code installed within the browser that help the Data Controller deliver the service, based on the purposes described. Some of the purposes for installing Cookies could, moreover, require the consent of the user.
Where Cookie installation is based on user consent, such consent can be revoked freely at any time by following the instructions provided in this document.


Activities strictly necessary for the functioning of the service
This Website uses Cookies to save the User's session and to carry out other activities that are strictly necessary for the operation of this website, for example in relation to the distribution of traffic.

Activity regarding the saving of preferences, optimisation, and statistics
This website uses Cookies to save browsing preferences and to optimise the User's browsing experience. Such Cookies include, for example, those used for setting the language and currency preferences or for managing statistics by the Owner of the site.

Other types of Cookies or third parties that install Cookies
Some of the services listed below collect statistics in an anonymized and aggregated form and may not require the consent of the User or may be managed directly by the Owner - depending on how they are described - without the help of third parties.


These cookies are provided and processed by third parties to generate specific advertising messages based on the user’s navigation preferences and interests. Such cookies do not, however, use the user's sensitive data.
Should the services described below include services managed by third parties, such parties may - in addition to what is specified below and with no knowledge of such activity by the Data Processor - keep track of user activities. For further information on this matter, please read the privacy policy for the services described below.

The services contained in this section enable the Data Processor to monitor and analyze web traffic and can be used to keep track of User behaviour.

In addition to what is specified in this document, the User can manage preferences for Cookies directly from within their own browser and prevent – for example – third parties from installing Cookies.
Through browser preferences, it is also possible to delete Cookies installed in the past, including the Cookies that may have saved the initial consent for the installation of Cookies by this website.
Users can, for example, find information about how to manage Cookies in the most commonly used browsers at the following addresses: Google Chrome, Mozilla Firefox, Apple Safari and Microsoft Internet Explorer.

With regard to Cookies installed by third parties, Users can manage their preferences and withdrawal of their consent by clicking the related opt-out link (if provided), by using the means provided in the third party's privacy policy, or by contacting the third party.

Cookies can be disabled by following the instructions provided on the specific webpage made available by EDAA (European Interactive Digital Advertising Alliance).

These solutions may prevent the user from using or viewing sections of the Website.

Since the installation of third-party Cookies and other tracking systems through the services used within this Website cannot be technically controlled by the Owner, any specific references to Cookies and tracking systems installed by third parties are to be considered indicative. In order to obtain complete information, the User is kindly requested to consult the privacy policy for the respective third-party services listed in this document.

Given the objective complexity surrounding the identification of technologies based on Cookies, Users are encouraged to contact the Owner should they wish to receive any further information on the use of Cookies by this Website.

First-party cookies Technical  - PHPSESSID Session
Third-party cookies Google Analytics Analytics - _gid Please see:
Third-party cookies Google Analytics Analytics - _ga Please see:


Personal Data (or Data)
Personal data is any information that directly, indirectly, or in connection with other information — including a personal identification number — allows for the identification or identifiability of a person.

Usage Data
Information collected automatically through this Website (or third-party services employed in this Website), which can include: the IP addresses or domain names of the computers utilized by the Users who use this Website, the URI addresses (Uniform Resource Identifier), the time of the request, the method utilized to submit the request to the server, the size of the file received in response, the numerical code indicating the status of the server's answer (successful outcome, error, etc.), the country of origin, the features of the browser and the operating system utilized by the User, the various time details per visit (e.g., the time spent on each page within the Application) and the details about the path followed within the Application with special reference to the sequence of pages visited, and other parameters about the device operating system and/or the User's IT environment.

User
The individual using this Website who, unless otherwise specified, coincides with the Data Subject.

Data subject
The physical person to whom the Personal Data refer.

Data Processor
The physical or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller, as described in this privacy policy.

Data Controller (or Owner)
The physical person or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data, including the security measures concerning the operation and use of this Website. The Data Controller, unless otherwise specified, is the Owner of this Website.

Cookies
Small sets of data stored in the User's device.


This privacy statement has been prepared in conformity with a number of regulations, including articles 13 and 14 of Regulation (EU) 2016/679.