The user should carefully read this Privacy Policy, which is written to comply with Art. 12, 13 and 14 of the European GDPR (General Data Protection Regulation), in order to be fully aware of the collection, use and retention of personal data related to the activities listed below:

  • Web data;
  • Web site cookies;
  • Contacts and data voluntarily transmitted by the user through our web site;
  • Software download area;
  • Customers’ and suppliers’ data;
  • Marketing, promotional and advertising activities.


Sierra Spa, part of Giordano Riello International Group (hereinafter the "Group"), as the party responsible for the above-mentioned data, makes this communication available.


Every company inside the Group can have a legitimate need to share personal data of customers and suppliers with other companies of the Group, including through a centralized database.
The company can transfer personal data to suppliers or third parties that cooperate in supplying services, always in compliance with the privacy agreement and, where required, with the user’s approval. Data will be made available exclusively for the purposes of this agreement. Third parties qualified for information sharing are:
  • Banks and financial institutes;
  • External consultants and companies that monitor technical activities (collection of technical and financial activities, management of IT systems, insurances, credit management and protection);
  • External consultants and companies that support compliance with laws and regulations (business consultants, notaries, lawyers, labour consultants);
  • Public Authorities and local authorized fiscal assistants;
  • Public and private social security funds.


The regulation grants a number of rights related to personal data. The company undertakes the responsibility to manage and protect personal data according to the privacy regulation and all its future modifications. For more information, please refer to the National Authority for the Protection of Personal Data. A description of the granted rights follows:
1. Right to be informed: the user has the right to receive clear information about how personal data are treated and about personal rights regarding the collection. This is one of the purposes of this communication.
2. Right to access personal data: the user has the right to access his personal data (if they are for any reason being treated) and other information (similar to that given in this communication). The purpose is to make the user aware of the data and give him the possibility to check that they are used in conformity with the Privacy Regulation.
3. Right to modification: the user has the right to correct the information if it is incorrect or incomplete.
4. Right of cancellation: also known as “the right to be forgotten”, it allows the user to ask for personal data to be cancelled when there is no longer a need to keep or use them. It is not a general right of cancellation; some exceptions are possible.
5. Right of data treatment limitation: the user has the right to stop further use of the information. When the data treatment is limited, the company can keep the information without further use. The company keeps a list of the persons who have requested the limitation, to ensure that each request is respected in the future as well.
6. Right of data portability: the user has the right to obtain and re-use his personal data for other personal purposes. For example, when changing a supplier, this right allows the data to be moved, transferred or copied easily, quickly and safely from one IT system to another.
7. Right of objection to the data treatment: the user has the right to object to data treatment for direct marketing purposes (carried out only if authorized) and to all related legitimate interests of the Company.
8. Right to send claims: the user has the right to send a claim to the National Privacy Authority about how data is treated and used.
9. Right to cancel the authorization: if the user has given the authorization to use his rights for any activity, he has the right to withdraw the approval (this will not make the previous activities carried out by the Company illegal). This includes the right to withdraw the approval for marketing purposes.
For additional information, please contact Sierra Spa, Via Cà Magre 45, Isola della Scala, Verona, Italy; mail:


Personal data is the sum of information that allows the user to be identified as a person (directly, as with name and surname, or indirectly, together with other information).

4.1 Navigation Data

During their regular use, the IT systems and software procedures of web sites collect some personal data that are implicitly transferred through internet communication protocols. These data are not specifically collected to identify a user, but with further processing it could be possible to do so. This category includes the IP addresses or domain roots of the PCs used by the users, as well as the URI, the time of the request, the server status message, and parameters of the OS.

Purpose and legal context of the data treatment: Data are collected to obtain anonymous statistics on the use of the web site and to check that it works properly. They could also be used to identify illegal cyber-attacks (legitimate rights of the Owner).
Timing for keeping: Data are kept for a short period, except for necessary investigation activities.
Giving of the data: Data are not given by the user but automatically acquired from IT systems.

4.2 Cookies

Cookies are small text files sent by web sites and stored on the user’s device, which are re-transmitted to those web sites during a future visit. Third-party cookies are set by a web site different from the one being visited by the user. This is because every site can contain elements (pictures, maps, sounds, specific links etc.) that are located on a different server.

Based on their duration, there can be “session cookies” (temporary and automatically cancelled by the device at the end of the session) or “persistent cookies” (they remain on the device until they expire or are cancelled by the user).

Cookies are used for different purposes. First, they are used to optimize navigation, to prevent abuses and to monitor different reserved sessions without having to insert username and password multiple times.

Cookies can be read exclusively by the web site that has generated them. They cannot be used to obtain any data from the user’s device or to transfer viruses. Some functions of cookies can be performed by other technologies; for this reason, in this communication we refer to all cookies and related technologies.

Use of cookies in this Web Site

This web site can use “session cookies” or “persistent cookies”. The cookies used are “technical” and meant for:
a) The customization of the user interface (e.g. to register the user’s preferences like language and products’ guide);
b) The authentication and the management of a session (e.g. to identify and validate the user to access the Support Area).

Third-party cookies

This Web Site does not allow the transmission of third-party cookies to the user’s device.


For the type of cookies used in the Web Site, approval from the users is not required. Access to and navigation of the contents gives implicit authorization to receive cookies. In any case, the user can decide not to receive them by following the appropriate procedure in the browser.

4.3 Contacts and data voluntarily transmitted by the user through the web site

The voluntary and explicit transmission of data by the user through:
  • Filling in a form to request information;
  • Sending e-mail or ordinary post to the contact details;
  • Job applications;

may generate the future acquisition and use of personal data for the purposes of the necessary activities. In any case, personal data will be kept for a time that is compatible with the purpose of their use.

4.4 Software Download Area

The Company collects personal data to register the user to the web site and to access specific services like: Technical documentation, Software, Technical Drawings, Publications.

Purpose and jurisdiction: Access the Software Download Area of the web site (contract and legitimate interest).
Time of conservation: Timing in compliance with the purpose of the collection.
Transmission: Compulsory to obtain access.

4.5 Customers’ and suppliers’ data use

Data are used to:

  • End contractual and professional relationships;
  • Properly manage contract and fiscal obligations relevant to the active relationship and make the necessary communications;
  • Comply with laws, regulations and authorities;
  • Put into practice a legitimate interest or a right as the Responsible of the Data (e.g. right to defend in court, debt collection, internal operations).

4.6 Marketing, promotional and advertising activities

Data are used to:

Purpose and jurisdiction: Marketing, promotional and advertising activities for products and services of the company via automatic systems (fax, post, email). Jurisdiction is given by the approval.
Time of conservation: Kept until the approval is removed. The Company can keep the data to protect from future responsibilities but will not be allowed to use them for the same purpose.
Transmission: Explicit or facultative approval.


In some cases, some data can be managed, after receiving the approval of the user, in order to prepare and send marketing communications. In the majority of cases, it is within the legitimate interest of the Company to collect and use personal data, as described in point 4, in order to give the best possible experience to the user and to better understand the customers to improve marketing activities.

The collection and the storage of the data will be carried out manually or digitally, always strictly in respect of the purpose of the collection/storage and in a way that always guarantees security and privacy.


The Company is required by law to give information or reply free of charge, except when requests and questions are baseless or excessive (mainly for being repetitive). In this case, the Company can decide to charge a reasonable cost (based on the real administrative costs) or refuse to give any reply.

Please evaluate properly the request before sending it. The Company will reply as soon as possible, generally within one month from the request. In case of a longer time, the company will contact the user.


This policy is valid from August 1st 2018. The Company reserves the right to modify or update it, partially or totally, also to comply with future modifications of the regulation. The Company suggests that the user regularly visit this section to be aware of the most recent version of this Policy and to be always up to date with the collection and the use of data made by the Company.


1) «Personal data»: any information regarding an identified or identifiable person (“Interested”); a person is considered identifiable if he can be identified, directly or indirectly, with specific regard to a name, an ID number, location, online ID or one or more elements related to his physical, physiological, genetic, psychic, economic, cultural or social identity.

2) «Treatment»: any operation or set of operations, carried out with or without automatic systems and applied to personal data, such as collection, organization, conservation, modification, extraction, use, communication, diffusion, comparison, interconnection, limitation, cancellation or destruction.

3) «Data controller»: the physical or juridical person, Public Authority, service or any other organization that individually or collectively determines the purpose and the way personal data are treated. When the purpose or the way personal data are treated are defined by the law of the Union or of the Member States, the controller of the data and all applicable criteria are defined by the Union or by the individual Member States.

4) «Responsible of data treatment»: the physical or juridical person, Public Authority, service or any other organization that manages personal data on behalf of the data controller.

5) «Recipient»: the physical or juridical person, Public Authority, service or any other organization that receives communication of personal data, whether a third party or not. Authorities that receive information following specific surveys and in compliance with the law of the Union or its Member States are not considered recipients. The treatment of the data in this case is subject to the applicable data protection laws based on the purpose of the treatment.

6) «Third party»: the physical or juridical person, Public Authority, service or any other organization that is not the interested person, the data controller, the responsible of the treatment or the persons under the direct authority of the data controller.

7) «Approval of the interested person»: any explicit, free, specific, fully aware and unequivocal approval given by the interested person, with a declaration or a positive action, to the fact that his own personal data will be treated.

8) «Violation of personal data»: a security violation that accidentally or illegally causes the destruction, loss, modification or unauthorized disclosure of, or access to, personal data.

9) «Control authority»: the independent public authority established by a Member State pursuant to Art. 51.

10) «Interested authority of control»: a Control Authority concerned by the personal data treatment because:
a. the data controller or the Responsible of data treatment is established in the territory of the Member State of that Control Authority;
b. the interested persons residing in the Member State of the Control Authority are or are likely to be substantially influenced by the treatment;
c. a claim has been filed with this Control Authority.