Privacy Policy


Stone Italiana S.p.A, in its status as Controller of the processing of your personal data in compliance with articles 13 and 14 of the European Regulation 2016/679, hereby informs you that the aforementioned legislation makes provisions for the protection of the respective parties with regard to the processing of personal data, and that such processing will be performed in accordance with principles of fairness, legality and transparency, protecting your confidentiality and your rights. The information and personal data provided by you or otherwise acquired during your use of the website will be processed in accordance with the legislative provisions contained in the aforementioned regulations and with the confidentiality obligations provided therein.


A) Users of the website and of the app for iOS and Android

Specific summary information is progressively reported or displayed on the pages of the site prepared for specific services on request that require forms for data collection. We also inform you that, to provide a complete service, our website may contain links to other websites which are not managed by Stone Italiana S.p.A. Stone Italiana S.p.A. is not responsible for errors, content, cookies, the publication of morally unlawful content, advertising, banners or files that do not comply with current legislation, nor for the privacy-policy compliance of other websites that are not operated by the Data Controller.

Type of data processed

  • Navigation data: the IP addresses or domain names of the computers and other devices utilized by users visiting the website; the addresses in URI (Uniform Resource Identifier) notation of the resources requested and any time indications of said resources; parameters regarding the operating system and the user’s computer system; the pages of origin and arrival; the Navigation index and identification behaviour collected while viewing website pages.
  • Personal data provided voluntarily by the user: the optional, explicit and voluntary despatch of e-mail messages to the addresses shown on this website, and the compilation of forms present on said website, entail the subsequent collection of the sender’s personal data (solely by way of example, name, surname, e-mail address). Specific summary information is shown on pages where web forms are present.

Purposes of processing: your data collected during browsing will be processed for the following purposes.

  1. carrying out operations closely connected to and essential for handling relations with the website’s users or visitors;
  2. collecting, storing and processing your data for statistical analysis, also in anonymous and/or aggregate form; statistical analyses performed to assess the quality of services offered by the website;
  3. sharing the interactions made, and the usage data for the pages on which cookies are installed for the integration of software products or functions, with social network managers;
  4. improving the browsing experience in order to present services and advertising messages that correspond to the preferences expressed during navigation.

The processing of data for the fulfilment of the purpose specified in point 1 is necessary to perform your request, and in the case of your refusal, this could limit and/or prevent comprehensive use of the functions and services present on the site. The legal basis for the processing of your data for the purposes specified in point 1 is the fulfilment of your request, in accordance with Article 6.1.b.) of the GDPR; if you refuse to provide said data, it would make it impossible for you to visit the website. Providing the data indicated in purposes 2, 3 and 4 is optional in terms of the legal basis of consent, and your refusal to the processing of your data would not compromise the functionality and services present on the website. The legal basis for the processing of your data for the purposes specified in points 2, 3 and 4 is optional, in accordance with Article 6.1.a). Consent is provided by means of the short policy notification by clicking on the words “ACCEPT COOKIES” included in the short policy notification. With regard to the optional consent, further information about the cookies present on the website is provided in the cookie policy document, which can also be accessed from the short policy notification.

Browsing data is stored for the duration specified in the cookie policy that can be consulted on the website.


Your data is also collected by means of tools and services provided by third parties, and it is stored by said parties. For further information and to view the list, please refer to the “cookie policy” document.  Please note that Stone Italiana S.p.a. acts purely as an intermediary for the links included in the cookie policy and it cannot accept any responsibility in the event of changes that may be made.

B) “Contact us” section – users

By filling in the forms accessible in the “Contact us” section, your data (name, surname, e-mail address, city) will be used to reply to your request for information. The provision of data for these purposes is the fulfilment of your request. The legal basis for the processing is Art. 6.1.b) of the GDPR. Your data, subject to your consent given by ticking the appropriate marketing box, shall be used for the sending of commercial and advertising information and promotional communications relating to Stone Italiana S.p.A.’s activities and products by traditional means (e.g. telephone contact, individual e-mails etc.) or automated contact methods (e.g. automated e-mail campaigns, social networks, etc.), software systems managed by third parties, also through their inclusion in the Controller’s corporate CRM in full compliance with the principles of lawfulness and fairness and with the provisions of law. The provision of your data for this purpose is optional and does not compromise the response to your request for information. The legal basis for the processing is Art. 6.1.a.) of the GDPR. You may object to the processing at any time by using the link at the bottom of the email or by sending a request to the Data Controller at the contact details indicated in this notice. Your data will be retained for the time necessary to provide the service you have requested and for marketing purposes until you decide to unsubscribe or object to the processing.

C) Dispatch communications to the Company

The Company shall process the user’s personal data in relation to the optional, explicit and voluntary sending of e-mail, certified and/or ordinary e-mail sent to the Company’s contact data, which may also be indicated on the website. In particular, personal and contact data will be processed, as well as content sent by the user, by means of voicemail, multimedia tools, social networks, WhatsApp and other similar applications. The purpose is to enable interested parties to communicate with the Company. The legal basis for processing is the fulfilment of a contract. Depending on the subject matter and type of messages, the time taken to respond to the user’s requests may vary. In any case, the storage time may not exceed 10 years. Provision is mandatory in order to initiate a relationship.

D) Employment opportunities

The Company collects data from individuals interested in applying for positions within the Company. The Company processes the CV, identification and contact information necessary to assess the application and re-contact the candidate if the profile is of interest. Data may be collected either as a result of sending unsolicited applications by letter or e-mail, or through online application functions.

The purpose of the processing is to manage the application and perform staff search and selection activities, based on the possible establishment of a collaborative relationship. The legal basis for processing is the fulfilment of a contract. Data is retained for up to 24 months after it has been provided. Provision is mandatory for the assessment of the application.

E) Customer and supplier data processing

The Company processes personal data of customers and suppliers in order to:

  • execute contractual/professional relationships;
  • fulfil pre-contractual, contractual and tax obligations arising from existing relationships, as well as handle the necessary communications related to them;
  • fulfil obligations under the law, a regulation, EU legislation or an order from the Authorities.

The purpose is the execution of the contract with the customer/supplier and the management of administrative and accounting obligations.

The legal basis of the processing is the contract concluded between the Company and the customer/supplier.

Data is retained for the duration of the contract and for up to 10 years after the conclusion of said contract, for obligations linked to ascertainment purposes. Provision is mandatory for the execution of the contract.

F) Newsletter Service

The newsletter periodically offers a selection of information about our products, news about our company or other themes. The newsletter may present advertisements from the Group’s business partners.

The purposes are to provide the editorial newsletter service and to inform the user about the services, products, promotions and events offered by the Owner and its business partners; tools for anonymous and aggregate analysis of the performance of each marketing campaign may be used. The legal basis for processing may be, depending on the case, the agreement between the data controller and the subscriber to the service, or the user’s consent, provided for example when registering on the site, or when signing up for events or activities.

Storage period: data is stored for the duration of the service, until terminated.

Provision: mandatory, but only in order to receive the newsletter.

G) Whistleblowing

G.1) Categories of personal data processed and purposes of processing

According to the approach of the above-mentioned Policy, personal data may be acquired by the Company insofar as they are contained in whistleblowing reports, or in the acts and documents annexed thereto, received by it through the channels envisaged by the above-mentioned Policy. The receipt and handling of such reports may give rise, depending on their content, to the processing of the following categories of personal data: a) common personal data referred to in Article 4, point 1, of the GDPR, including, for example, personal details (name, surname, date and place of birth), contact details (landline and/or mobile telephone number, postal/email address), job role/occupation; b) ‘particular’ personal data under Article 9 of the GDPR, including, for example, information relating to health conditions, political opinions, religious or philosophical beliefs, sexual orientation or trade union membership; c) ‘judicial’ personal data referred to in Article 10 of the GDPR, relating to criminal convictions and offences, or related security measures. With regard to the aforementioned categories of personal data, we emphasise the importance that the reports forwarded should be free of information that is manifestly irrelevant for the purposes of the reference discipline, inviting the reporting parties in particular to refrain from using personal data of a ‘particular’ and ‘judicial’ nature unless deemed necessary and unavoidable for the purposes thereof, in compliance with Article 5 of the GDPR.

The aforesaid information will be processed by the Company – the Data Controller – in accordance with the provisions prescribed by Legislative Decree no. 24/2023 and, therefore, in general, in order to carry out the necessary preliminary activities aimed at verifying the grounds of the reported facts and the adoption of the consequent measures.

In addition, the data may be used by the Data Controller for purposes connected with the need to defend or ascertain its rights in the context of judicial, administrative or extrajudicial proceedings and in the context of civil, administrative or criminal litigation arising in connection with the report made.

G.2) Legal basis of the processing of personal data

The legal basis for the processing of personal data is mainly constituted by the fulfilment of a legal obligation to which the Data Controller is subject – Art. 6, par. 1, lett. c) of the GDPR – which, in particular, by virtue of the aforementioned legislation, is required to implement and manage information channels dedicated to receiving reports of unlawful conduct detrimental to the integrity of the Company and/or the public interest. In the cases contemplated by the same regulation, a specific and free consent may be requested from the reporting person – pursuant to Article 6(1)(a) of the GDPR – where it is deemed necessary to disclose his/her identity. The processing of ‘special’ personal data, which may be included in the reports, is based on the fulfilment of obligations and the exercise of specific rights of the Data Controller and the Data Subject in matters of labour law, pursuant to Art. 9, par. 2, lett. b) of the GDPR. With regard to the purpose of establishing, exercising or defending a right in court, the relevant legal basis for the processing of personal data is the legitimate interest of the Data Controller in this regard, referred to in Art. 6, par. 1, lett. f) of the GDPR; for the same purpose, processing of personal data of a “particular” nature, if any, is based on Art. 9, par. 2, lett. f) of the GDPR.

G.3) Nature of personal data provision

The provision of personal data is compulsory since, in accordance with the Company’s Whistleblowing Policy, anonymous reports, i.e. reports from which it is not possible to determine the identity of the reporter, are not taken into account. The personal data provided will be processed to manage the report within the limits and with the confidentiality guarantees imposed by the reference legislation.

G.4) Personal data retention period

The reports received by the Company, together with the acts and documents enclosed, will be kept for the time necessary for their management and, in any case, as provided for by the legislation, for a period not exceeding five years from the date of communication of the final outcome. After this period, the reports will be immediately removed from the system. Consistent with the indications provided in paragraph 1, personal data included in reports that are manifestly irrelevant to the purposes of the alerts will be immediately deleted.

H) Video surveillance

Video surveillance equipment is installed at the Zimella premises. Purpose: protection of persons and safety and protection of Company and third party assets.

The legal basis of the processing is the legitimate interest:

  • Protection of persons and property against possible aggression, theft, robbery, damage, vandalism.
  • Aiding the possible exercise, in civil or criminal proceedings, of the right of defence on the basis of useful images in the event of unlawful acts.

Retention period: data are retained for 24 hours and then destroyed.

The provision of data is compulsory if you are travelling through areas subject to video surveillance, duly indicated by appropriate signs.


Your personal data will be processed using manual, electronic and/or telematic means, through the use of cookies (as described in the cookie policy available on the website) with electronic calculation equipment comprising third party software, and automated means of contact (e.g. automated campaigns for despatching e-mail messages, SMS, automated telephone contacts, instant messaging, social networks, etc.), in compliance with the procedures specified in articles 6, 32 of the GDPR and with the adoption of the appropriate security measures. In order to assess and if necessary to improve the results attained by communications, the Controller utilizes systems for sending newsletters and promotional communications with reports. The Report gives the Controller information such as: the number of readers, the number of communications opened, the unique “clickers” and clicks; the devices (iPhone, Blackberry, Nokia…) and operating systems (Windows, Apple, Linux, Android…) used to read the communication; details of the activities of individual users; detail of e-mails sent per date/hour/minute; details of e-mails that are delivered and those undelivered; the list of recipients who have unsubscribed from the newsletter; those who have opened an e-mail or clicked on a single link; users encountering problems in viewing the message; link tracking (i.e. the number of clicks made on the links in the message); click tracking (which links were clicked and by whom). All this data is used for assessing, and possibly improving, the results attained by the communications.


The processing of personal data included in the reports forwarded in accordance with the “Whistleblowing Policy” shall be carried out by the Company’s “appointees” and shall be based on the principles of fairness, lawfulness and transparency, pursuant to Article 5 of the GDPR.

Personal data may be processed by analogue and/or computerised/telematic means, functional to storing, managing and transmitting them, in any case in application of appropriate physical, technical and organisational measures to guarantee their security and confidentiality at every stage of the procedure, including the filing of the report and related documents – without prejudice to the provisions of Article 12 of Legislative Decree no. 24/2023 – with particular reference to the identity of the whistleblower, the persons involved and/or in any case mentioned in the reports, the content of the reports and related documentation.


Stone Italiana S.p.A. may also provide links to other social media platforms leading to servers installed by individuals or organizations over which it has no control. Stone Italiana S.p.A does not provide any indication of, nor can it accept any responsibility for, the accuracy, or any other aspects, of the information available on these websites. The link to a third-party website can in no way be considered as a validation, neither by Stone Italiana S.p.A. nor by any such third party, of the products and services provided by other websites or third parties. Stone Italiana S.p.A. does not issue declarations or guarantees regarding the use or storage of user data on third-party websites. Users are advised to perform a detailed examination of the privacy policy that governs third party websites linked to our website in order to have a complete view of the ways in which your personal data may be used.


Your data will be processed by appropriately-appointed personnel and will be communicated externally, to Companies acting as independent Data Controllers or Data Processors:

  • external service providers;
  • technical support service providers;

The complete list can be requested by writing to the Data Controller’s contact details.


In addition to the aforementioned internal figures specifically authorised by the Data Controller, the personal data collected may also be processed, within the scope of the “Whistleblowing Policy” and in pursuance of the purposes indicated, by the following third parties, formally designated as Data Processors if the conditions provided for by Article 28 of the GDPR are met:

  • providers of consulting services and assistance in the implementation of the “Whistleblowing Policy”;
  • IT Companies and professionals with regard to the application of adequate technical-informatics and/or organisational security measures on the information processed by the corporate system;

If necessary, personal data may be transmitted to the Judicial Authorities and/or Police Bodies who request it in the context of judicial investigations.

Personal data will be processed within the European Economic Area (EEA) and stored on servers located there.

Under no circumstances will personal data be disseminated.

There are no transfers of data outside the European Economic Area.


The website is not intended for use by minors under 14 years of age, and no data regarding minors under 14 years of age is collected by the Data Controller. In the event that the Data Controller should become aware of the collection of said data (e.g. through the contact form), it will delete it immediately. The Company will reply to requests for information in compliance with the respective laws. Please note that in the case of a request for information, the person holding parental responsibility is required to provide us with consent for the collection of the minor’s personal data.


The Data Controller is Stone Italiana S.p.A., with registered office in Via Lavagno 213, 37040 Zimella – (Verona) – 0442 715715 in the person of its pro-tempore legal representative. You have the right to obtain, from the Controller, the erasure (right to be forgotten), restriction, updating, correction, portability, and opposition to the processing, of the personal data that regards you, and more in general you can exercise all the rights provided by articles 15 and following of the European Regulation 2016/679 by writing to The data subject has the right to lodge a complaint with the Supervisory Authority.


If you have any doubts about this Policy, please contact Stone Italiana S.p.A. by sending an e-mail to or by contacting the Data Controller at the Company contact details provided in this document.


Stone Italiana S.p.A. reserves the right to update this information in accordance with any changes in legislation that may arise, and in due consideration of suggestions made by employees, customers, collaborators and users. In case of changes made by Stone Italiana S.p.A., the Privacy Policy on the main privacy page and on the Homepage of the website will be promptly updated.


Each data subject has the right to exercise the rights referred to in Articles 15 et seq. of the GDPR, in order to obtain from the Data Controller, for example, access to their personal data, rectification or erasure of such data or restriction of the processing that concerns them, without prejudice to the possibility, in the absence of a satisfactory response, to lodge a complaint with the Data Protection Authority.

EU Regulation 2016/679: Articles 15, 16, 17, 18, 19, 20, 21, 22 – Rights of the data subject

  1. Data subjects have the right to obtain confirmation of the existence or not of personal data concerning them, even if not yet recorded, and their communication in an intelligible form, and the possibility of lodging a complaint with the Supervisory Authority.
  2. Data subjects have the right to be informed about:
      • the origin of the personal data;
      • the purposes and methods of processing;
      • the logic applied in the case of processing performed using electronic instruments;
      • the identification details of the Data Controller, the Data Processors and the designated representative in compliance with Article 5, Paragraph 2;
      • the subjects or categories of subjects to whom personal data may be communicated or who may acquire knowledge of it in their status as a designated representative in the territory of the State, as managers or as personnel authorized to process personal data.
  3. Data subjects have the right to obtain:
      • updating, rectification or, when they deem it necessary, the completion of data;
      • the erasure, transformation into anonymous format or the blocking of data processed in violation of the law, including data whose retention is not necessary with regard to the purposes for which the data was collected or subsequently processed;
      • notification that the operations specified in points a) and b) have been communicated, along with the respective content, to those to whom the data was notified or disclosed, unless this fulfillment proves impossible or involves a manifestly disproportionate use of resources when compared to the right upheld;
      • data portability.
  4. Data subjects have the right to object, in whole or in part:
      • to the processing of personal data concerning them, even if relevant to the purpose of collection, for legitimate reasons;
      • to the processing of personal data concerning them for the purpose of sending advertising or direct sales material or for performing market research or commercial communications.

In order to exercise these rights, it is necessary to submit a specific request in free form to the following address of the Data Controller:, or to send to the same address the form available on the website of the Data Protection Authority.

With regard to the Whistleblowing processing, please note that the aforementioned rights of data subjects may be restricted pursuant to and for the purposes of Article 2-undecies of Legislative Decree no. 196 of 30 June 2003 (“Privacy Code”, as amended by Legislative Decree no. 101/2018), for the time and within the limits in which this constitutes a necessary and proportionate measure, if their exercise may result in concrete and effective prejudice to the confidentiality of the identity of the reporting subjects.

In such cases, the persons concerned will in any case have the right to refer the matter to the Guarantor Authority so that the latter may assess whether the conditions for taking action under Article 160 of Legislative Decree no. 196/2003 are met.
