PRIVACY NOTICE FOR VISITORS TO THE WEBSITE THDSHOWROOM.THDLAB.COM ON THE PROCESSING OF DATA PURSUANT TO ART. 13 OF REG. EU NO. 679/2016



With specific reference to personal data as defined by art. 4 paragraph 1 no. 1) of the EU Regulation no. 679/2016 (hereinafter “Regulation”) concerning you as a “Data Subject” collected through the website   thdshowroom.thdlab.com (hereafter "website"), the company THD S.p.A., (C. f. and VAT no. 02111430357), represented by its legal representative pro tempore, located in Correggio (RE), via per Carpi 15/B, as “Controller” according to art. 4 paragraph 1 no. 7) of the Regulation, provides you with this notice pursuant to Article 13 GDPR (in short, “Notice”) which will allow you to understand our privacy policy and comprehend how your personal information is processed.


1. Who is the Data Controller.

1.1. The “Controller” of your personal data processing as outlined in art. 4 paragraph 1 no. 7) of the Regulation is THD S.p.A., (C. f. and VAT no. 02111430357), represented by its legal representative pro tempore, located in Correggio (RE), via per Carpi 15/B, which can be contacted through the following: via email : privacy@thdlab.com

1.2. The Data Protection Officer (DPO) pursuant to art. 37 of the GDPR, appointed by the Controller, can be contacted at the following address: dpo@thdlab.com

1.3. Please be informed that any changes or updates to the data concerning the aforementioned individuals will be suitably published within the website of the Controller.


2. Nature and type of your data collected and processed.

Your Personal Data may be collected in relation to the possible execution of the processing purposes specified in the following point 3.

The Personal Data processed are as follows:


2.1. Browsing data

The computer systems and software procedures used to operate the Site acquire, during their normal operation, certain Personal Data whose transmission is implicit in the use of Internet communication protocols. These are information that is not collected to be associated with identified data subjects but which, by their nature, could, through processing and associations with data held by third parties, allow users to be identified. This category of data includes IP addresses or domain names of computers used by users who connect to the Site, addresses in URI notation (Uniform Resource Identifier) of requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response from the server (successful, error, etc.), and other parameters concerning the user's operating system and IT environment. These data are used only to obtain anonymous statistical information on the use of the Site and to check its correct functioning, to identify anomalies and/or abuses, and are deleted immediately after processing. The data may be used to ascertain responsibility in case of hypothetical cyber crimes against the site or third parties: except for this eventuality, currently the web contact data do not persist for more than 60 days.

3. Purpose of processing.

In accordance with art. 5 paragraph 1 letter b) of the Regulation, we inform you that your personal data will be processed by the Controller for the following purposes:

3.A. To provide Services or to allow navigation through this website (“Service Provision“);

4. Legal basis and mandatory or optional nature of processing

The legal bases used by the Controller to process your Data, according to the purposes indicated in the previous Paragraph 3, are as follows:

Service Provision: processing for this purpose is necessary in order to provide you with the requested Services. In accordance with article 13 paragraph 2) letter e) of the GDPR, the CONTROLLER informs you that any failure to communicate (even partial) your personal data, clearly requested as obligatory within one or more appropriate forms present on the Site, may result in the impossibility, on the part of the CONTROLLER, to properly and fully execute the processing purpose referred to in art.3.A of this notice.

5. Recipients of Your personal data

To pursue the purposes described in the previous point 3, the personal data processed will be known by the employees of the Controller who will operate as subjects authorised for the processing of personal data.

Furthermore, to pursue the purposes described in the previous point 3, your personal data will be processed by third parties belonging, by way of example, to the following categories:

a) Subsidiaries, parent companies or related parties to the Controller, such as: Spal Automotive s.r.l., via per Carpi 26/b – 42015 Correggio (RE) VAT no. 01755790357

b) entities that provide services for the management of the IT system, including server hosting and backup services;

c) entities that provide the Controller with consultancy in fiscal, legal, judicial and compliance matters;

The entities belonging to the categories listed above operate, in some cases, in full autonomy as distinct data controllers, in other cases, as data processors specifically appointed by the Controller in compliance with article 28 GDPR.

The communication of your data to the entities belonging to the categories listed above, operating as independent controllers, does not require your consent, being based on the prevailing legitimate interest of the Controller, given that such communications are necessary for the pursuit of the purposes mentioned in the previous point 3.

The complete and updated list of subjects to whom your personal data may be communicated can be requested from the Controller.

In addition, pursuant to the measure of the Data Protection Authority of 27 November 2008 concerning “Measures and precautions prescribed for data controllers carrying out processing with electronic tools in relation to the attribution of system administrator functions”, as a data subject you may also request from the Controller the identity of the system administrators operating on the operating systems where your personal data are held.

The personal data processed by the Controller are not disclosed.

Transfer of personal data outside the European Union

THD S.p.A. does not intend to transfer your data to a country not belonging to the European Union. However, if THD S.p.A. proceeds with the transfer of your data outside the European Union in execution of the purposes listed above, the Controller will carry out such transfer only after verifying the existence of one of the guarantees provided by articles 44 and following GDPR, to ensure an adequate level of protection of your data.

6. Period of retention of collected and processed personal data.

Personal Data processed for the purpose of Service Provision will be retained by the Controller for the time strictly necessary for the aforementioned purpose. In any case, since these Personal Data are processed to provide you with Services, the Controller may retain them for a longer period, particularly as may be necessary to protect the interests of the Controllers from potential claims related to the Services.

7. Ways in which personal data will be processed

The processing of your personal data will take place by paper, computer and telematic tools, with logic strictly related to the indicated purposes and, in any case, with methods appropriate to guarantee their security and confidentiality in accordance with the provisions of article 32 GDPR.

8. Rights of the Data Subject.

8.1. In relation to your personal data subject to processing by THD S.p.A. Controller, we inform you that you have the right to exercise the following rights, enshrined in articles 15 to 22 GDPR and, in particular:

• right of access – article 15 GDPR: right to obtain confirmation of whether or not personal data concerning you are being processed and, if so, obtain access to your personal data – including a copy of them – and receive the communication, among others, of the following information:

• purpose of processing

• categories of personal data processed

• recipients to whom they have been or will be disclosed

• period of retention of data or the criteria used

• rights of the data subject (rectification, deletion of personal data, restriction of processing and right to object to processing

• right to lodge a complaint

• right to receive information on the origin of my personal data if they have not been collected from the data subject and the existence of automated decision-making, including profiling;

• right to rectification – article 16 GDPR: right to obtain, without undue delay, the rectification of inaccurate personal data concerning you and/or the integration of incomplete personal data;

• right to erasure (right to be forgotten) – article 17 GDPR: right to obtain, without undue delay, the erasure of personal data concerning you, when:

• the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

• you have withdrawn your consent and there is no other legal basis for processing;

• you have successfully objected to the processing of personal data;

• the data has been processed unlawfully;

• the data must be erased to comply with a legal obligation;

• the personal data have been collected concerning the offer of information society services referred to in Article 8, paragraph 1, GDPR.
The right to erasure does not apply to the extent the processing is necessary for compliance with a legal obligation or for the execution of a task carried out in the public interest or for the establishment, exercise or defence of legal claims.

• right to restriction of processing – article 18 GDPR: right to obtain the restriction of processing, when:

• the data subject contests the accuracy of personal data;

• the processing is unlawful and the data subject opposes the erasure of personal data and requests instead the restriction of their use

• the personal data are required by the data subject for the establishment, exercise or defence of legal claims;

• right to object: right to object to the processing of personal data concerning you, unless compelling legitimate grounds of the Controller continue the processing.

• right to data portability – article 20 GDPR: right to receive, in a structured, commonly used and machine-readable format, the personal data concerning you provided to the Controller and the right to transmit them to another controller without hindrance, where the processing is based on consent and is carried out by automated means. In addition, the right to have your personal data transmitted directly from one controller to another where technically feasible;

• right to lodge a complaint with the Authority for personal data protection, Piazza Venezia n.11, 00187, Rome (RM).

8.2. In accordance with art. 12 paragraph 1 of the Regulation THD S.p.A. undertakes to provide you with the communications referred to in articles 15 to 22 of the Regulation in a concise, transparent, intelligible, easily accessible format and with clear and simple language: such information will be provided in writing or by other means where appropriate electronically or, upon your request, it will be provided orally, provided the identity of the data subject is verified by other means.

8.3. In accordance with art. 12 paragraph 3 of the Regulation, the Controller informs you that it undertakes to provide you with information on the action taken on a request under articles 15 to 22 GDPR without undue delay and, in any event, no later than one month from receipt of the request; this period may be extended by two months, if necessary, in view of the complexity and number of requests.

8.4. In order to exercise the rights better illustrated in this article, the Data Subject may use the contact details specified in art. 1 of this “Notice”.

8.5. The exercise of your rights as a data subject is free of charge pursuant to article 12 GDPR. However, in case of manifestly unfounded or excessive requests, also due to their repetitiveness, the Controller may charge you a reasonable fee, taking into account the administrative costs incurred to manage your request, or deny the satisfaction of your request.

Please be informed, finally, that the Controller may request further information necessary to confirm the identity of the data subject.


Correggio (RE), 10 January 2026

THD S.p.A.
(As the Data Controller)

PRIVACY NOTICE FOR VISITORS OF THE THDSHOWROOM.THDLAB.COM SITE ON THE PROCESSING OF DATA PURSUANT TO ART. 13 OF REG. EU NO. 679/2016



With specific reference to personal data as defined in art. 4 paragraph 1 n. 1) of EU Regulation no. 679/2016 (hereinafter “Regulation”) concerning you as the “Data Subject” collected through the website   thdshowroom.thdlab.com (hereinafter "site"), the company THD S.p.A. (Tax Code and VAT No. 02111430357), through its legal representative pro tempore, with registered office in Correggio (RE), via per Carpi 15/B, as the “Data Controller” under art. 4 paragraph 1 n. 7) of the Regulation, provides you with this notice pursuant to Article 13 GDPR (hereinafter, “Notice”) to inform you about our privacy policy and help you understand how your personal information is handled.


1. Who is the Data Controller.

1.1. The “Data Controller” of your personal data under art. 4 paragraph 1 n. 7) of the Regulation is the company THD S.p.A., (Tax Code and VAT No. 02111430357), represented by its legal representative pro tempore, with registered office in Correggio (RE), via per Carpi 15/B, who can be contacted through the following email address: privacy@thdlab.com

1.2. The Data Protection Officer (DPO) under art. 37 of the GDPR, appointed by the Controller, can be contacted at the following address: dpo@thdlab.com

1.3. Please note that any changes or updates regarding the data of the aforementioned subjects will be appropriately published on the website of the Controller.


2. Nature and type of your collected and processed data.

Your Personal Data may be collected due to the potential execution of the processing purposes specified in the following point 3.

The Personal Data processed are as follows:


2.1. Browsing data

The IT systems and software procedures underlying the operation of the Site acquire, during their normal operation, some Personal Data whose transmission is implicit in the use of Internet communication protocols. These are information that is not collected to be associated with identified data subjects, but that, by their very nature, could, through processes and associations with data held by third parties, allow users to be identified. This category of data includes IP addresses or domain names of the computers used by users who connect to the Site, the addresses in URI notation (Uniform Resource Identifier) of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numeric code indicating the status of the server's response (successful, error, etc.), and other parameters relating to the user's operating system and IT environment. These data are only used to obtain anonymous statistical information about the use of the Site and to check its correct operation, to identify anomalies and/or abuses, and are deleted immediately after processing. The data could be used to ascertain responsibility in case of hypothetical cybercrimes to the detriment of the site or third parties: except for this eventuality, at present, the web contact data does not persist for more than 60 days.

3. Purpose of the processing.

In compliance with art. 5 paragraph 1 letter b) of the Regulation, we inform you that your personal data will be processed by the Controller for the following purposes:

3.A. To provide Services or allow navigation on the present Website (“Provision of the Service“);

4. Legal Basis and optional or compulsory nature of the processing

The legal bases used by the Controller to process your Data, according to the purposes indicated in Paragraph 3 above, are as follows:

Provision of the Service: the processing for this purpose is necessary to be able to provide you with the requested Services. Pursuant to art. 13 paragraph 2) letter e) of the GDPR, the Controller informs you that the failure to communicate (even partially) your personal data, which are unequivocally requested as mandatory within one or more specific forms present on the Site, may result in the Controller's inability to perform correctly and completely the processing purpose as per art.3.A of this notice.

5. Recipients of your personal data

For the purposes described in point 3 above, the personal data processed will be known by the employees of the Controller who will operate as subjects authorised to process personal data.

Moreover, for the purposes described in point 3 above, your personal data will be processed by third parties belonging, for example, to the following categories:

a) Affiliates, parent companies, or subsidiaries of the Controller, such as: Spal Automotive s.r.l., via per Carpi 26/b – 42015 Correggio (RE) VAT No. 01755790357

b) subjects providing services for the management of the IT system, including server hosting and backup services;

c) subjects providing the Controller with consultancy in fiscal, legal, judicial, and compliance matters;

The subjects belonging to the above categories operate, in some cases, in total autonomy as separate data controllers, in other cases, as data processors specifically appointed by the Controller in compliance with article 28 GDPR.

The communication of your data to the subjects belonging to the above categories, operating as independent data controllers, does not require your consent, as it is based on the predominant legitimate interest of the data controller, given that such communications are necessary for the pursued purposes mentioned in point 3.

The complete and updated list of subjects to whom your personal data may be communicated can be requested from the Controller.

Additionally, pursuant to the Decision of the Data Protection Authority dated November 27, 2008, regarding “Measures and arrangements prescribed to controllers carrying out processing with electronic instruments concerning the allotment of tasks of System Administrators”, as a data subject, you can also request from the Controller the identity of the System Administrators who operate on the operating systems where your personal data are present.

The personal data processed by the Controller are not subject to dissemination.

Transfer of personal data outside the European Union

THD S.p.A. does not intend to transfer your data to a non-EU country. However, should THD S.p.A., in execution of the above-listed purposes, proceed with the transfer of your data outside the European Union, the Controller will carry out such transfer only after verifying the existence of one of the guarantees provided for by articles 44 et seq. GDPR, so as to ensure an adequate level of protection of your data.

6. Retention period of collected and processed personal data.

The Personal Data processed for the purpose of Providing Services will be retained by the Controller for the time strictly necessary for this purpose. In any case, as such Personal Data is processed to provide you with the Services, the Controller may retain them for a longer period, particularly as necessary to protect the Controllers' interests against potential claims related to the Services.

7. How personal data will be processed

The processing of your personal data will take place through paper, IT, and telematic tools, with logic strictly related to the indicated purposes and, in any case, suitable to guarantee their security and confidentiality in compliance with the provisions of article 32 GDPR.

8. Rights of the Data Subject.

8.1. Regarding your personal data processed by THD S.p.A., you are hereby informed that you have the right to exercise the following rights, as set out in articles 15 to 22 of the GDPR, in particular:

• right of access – article 15 GDPR: the right to obtain confirmation as to whether or not personal data concerning you are being processed and, where that is the case, access to your personal data – including a copy thereof – and communication, among others, of the following information:

• purposes of the processing

• categories of personal data processed

• recipients to whom they have been or will be disclosed

• data retention period or the criteria used

• data subject’s rights (rectification, deletion of personal data, restriction of processing, and objection to processing)

• right to lodge a complaint

• right to receive information on the origin of their personal data if they were not collected from the data subject or the existence of automated decision-making, including profiling;

• right to rectification – article 16 GDPR: right to obtain, without undue delay, the rectification of inaccurate personal data concerning you and/or the completion of incomplete personal data;

• right to erasure (right to be forgotten) – article 17 GDPR: right to obtain, without undue delay, the erasure of personal data concerning you, when:

• the data are no longer necessary for the purposes for which they were collected or otherwise processed;

• you have withdrawn your consent and there is no other legal ground for the processing;

• you have successfully objected to the processing of personal data;

• the data have been unlawfully processed;

• the data must be erased to comply with a legal obligation;

• the personal data have been collected in relation to the offer of information society services referred to in article 8, paragraph 1, GDPR.
The right to erasure does not apply to the extent that the processing is necessary for the fulfillment of a legal obligation or for the performance of a task carried out in the public interest or for the establishment, exercise, or defence of legal claims.

• right to restriction of processing – article 18 GDPR: the right to obtain restriction of processing when:

• the data subject contests the accuracy of the personal data;

• the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead

• the personal data are required by the data subject for the establishment, exercise, or defence of legal claims;

• right to object: right to object to the processing of personal data concerning you, unless there are legitimate grounds for the Controller to continue the processing.

• right to data portability – article 20 GDPR: the right to receive, in a structured, commonly used, and machine-readable format, the personal data concerning you that you have provided to the Controller and the right to transmit it to another controller without hindrance, where the processing is based on consent and is carried out by automated means. Furthermore, the right to have your personal data transmitted directly from one controller to another where technically feasible;

• the right to lodge a complaint with the Data Protection Authority, Piazza Venezia n.11, 00187, Rome (RM).

8.2. Pursuant to art. 12 paragraph 1 of the Regulation, THD S.p.A. undertakes to provide you with the communications referred to in articles 15 to 22 of the Regulation in a concise, transparent, intelligible, and easily accessible way, using clear and plain language; such information shall be provided in writing or by other means, including, where appropriate, electronically or, upon request of the data subject, orally, provided that the data subject's identity is proven by other means.

8.3. Pursuant to art. 12 paragraph 3 of the Regulation, the Controller informs you that it undertakes to provide you with the information relating to action taken on a request pursuant to articles 15 to 22 of the GDPR without undue delay and, in any event, within one month of receipt of the request; this period may be extended by two months where necessary, taking into account the complexity and number of requests.

8.4. In order to exercise the rights better explained in this article, the Data Subject may refer to the contact details specified in art. 1 of this “Notice”.

8.5. The exercise of your rights as a data subject is free of charge pursuant to article 12 GDPR. However, in the case of manifestly unfounded or excessive requests, including due to their repetitiveness, the Controller may charge you a reasonable fee in light of the administrative costs incurred to handle your request, or refuse to satisfy your request.

Please be aware that the Controller may require additional information necessary to verify the identity of the data subject.


Correggio (RE), 10 January 2026

THD S.p.A.
(As the Data Controller)

PRIVACY NOTICE FOR VISITORS TO THE SITE THDSHOWROOM. THDLAB.COM ON THE PROCESSING OF DATA IN ACCORDANCE WITH ART. 13 OF REG. EU NO. 679/2016



With specific reference to personal data as defined by art. 4 paragraph 1 no. 1) of Regulation EU no. 679/2016 (hereinafter “Regulation”) concerning you as a “Data Subject” collected through the website   thdshowroom.thdlab.com (hereafter "website"), the company THD S.p.A., (C. f. and VAT No. 02111430357), by its legal representative pro tempore, with its registered office in Correggio (RE), via per Carpi 15/B, as the “Data Controller” under art. 4 paragraph 1 no. 7) of the Regulation, provides you with this notice pursuant to Article 13 GDPR (in short, “Notice”), which will allow you to learn about our privacy policy and understand how your personal information is handled.


1. Who is the Data Controller.

1.1. The “Data Controller” of your personal data under art. 4 paragraph 1 no. 7) of the Regulation is the company THD S.p.A., (C. f. and VAT No. 02111430357), by its legal representative pro tempore, with its registered office in Correggio (RE), via per Carpi 15/B, which can be contacted at the following details: via email : privacy@thdlab.com

1.2. The Data Protection Officer (DPO) ex art. 37 of the GDPR, appointed by the Controller, can be contacted at the following address: dpo@thdlab.com

1.3. Please note that any changes or updates regarding the data of the specified parties will be suitably published on the Data Controller’s website.


2. Nature and type of your data collected and processed.

Your Personal Data may be collected for the purposes specified in the following point 3.

The Personal Data processed are as follows:


2.1. Browsing data

The computer systems and software procedures used to operate the Site acquire, in the course of their normal operation, certain Personal Data whose transmission is implicit in the use of Internet communication protocols. This involves information that is not collected to be associated with identified data subjects but which, by its very nature, could, through processing and associations with data held by third parties, allow users to be identified. This category of data includes the IP addresses or domain names of the computers used by users who connect to the Site, the addresses in URI (Uniform Resource Identifier) notation of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.), and other parameters relating to the user’s operating system and IT environment. This data is used solely to obtain anonymous statistical information on the use of the Site and to monitor its correct operation, to identify anomalies and/or abuse, and is deleted immediately after processing. The data could be used to ascertain responsibility in case of hypothetical computer crimes against the site or third parties: apart from this possibility, the data on web contacts do not persist for more than 60 days.

3. Purpose of processing.

In accordance with art. 5 paragraph 1 letter b) of the Regulation, we inform you that your personal data will be processed by the Data Controller for the following purposes:

3.A. To provide the Services or allow navigation on this website (“Provision of Service“);

4. Legal Basis and mandatory and optional nature of processing

The legal bases used by the Data Controller to process your Data, according to the purposes indicated in the previous Paragraph 3, are as follows:

Provision of Service: the processing for this purpose is necessary in order to provide you with the services requested. In accordance with art. 13 paragraph 2) letter e) of the GDPR, the CONTROLLER informs you that any failure to communicate (even in part) your personal data, unequivocally requested as mandatory within one or more specific forms present on the Site, may result in the impossibility, on the part of the CONTROLLER, to execute, correctly and comprehensively, the purpose of processing referred to in art.3.A of this notice.

5. Recipients of your personal data

For the pursuit of the purposes described in the previous point 3, the personal data processed will be known by employees of the Data Controller who will operate as persons authorized to process personal data.

Furthermore, for the pursuit of the purposes described in the previous point 3, your personal data will be processed by third parties belonging to, for example, the following categories:

a) Companies controlled, controlling or connected to the Data Controller, such as: Spal Automotive s.r.l., via per Carpi 26/b – 42015 Correggio (RE) VAT No. 01755790357

b) Subjects providing services for the management of the IT system, including hosting and backup services;

c) Subjects providing the Data Controller with consultancy in tax, legal, judicial matters, and compliance;

The subjects belonging to the above categories operate, in some cases, in full autonomy as separate controllers of the processing, in other cases, as processors appointed by the Controller in compliance with article 28 GDPR.

The communication of your data to the subjects belonging to the above categories, operating as independent controllers, does not require your consent, being based on the prevailing legitimate interest of the Data Controller, given that such communications are necessary for the pursuit of the purposes mentioned in the previous point 3.

The complete and updated list of subjects to whom your personal data may be communicated can be requested from the Data Controller.

Furthermore, pursuant to the Personal Data Protection Authority’s measure of 27 November 2008 concerning “Measures and precautions prescribed for data controllers conducting processing with electronic instruments relating to the allocation of System Administrator functions,” as a data subject you may also request from the Data Controller the identity of the Systems Administrators operating on the operating systems where your personal data is located.

Personal data processed by the Data Controller is not subject to dissemination.

Transfer of personal data outside the European Union

THD S.p.A. does not intend to transfer your data to a country not belonging to the European Union. However, where, in carrying out the above-mentioned purposes, THD S.p.A. were to proceed with the transfer of your data outside the European Union, the Controller will carry out such transfer only after verifying the existence of one of the guarantees provided by articles 44 et seq. GDPR, to ensure an adequate level of protection for your data.

6. Duration for which the collected and processed personal data is stored.

The Personal Data processed for the purpose of Service Provision will be retained by the Controller for the time strictly necessary for the said purpose. In any case, since such Personal Data is processed to provide you with the Services, the Controller may retain them for a longer period, particularly to the extent necessary to protect the interests of the Controllers from potential claims concerning the Services.

7. How personal data will be processed

Your personal data will be processed using paper, electronic, and telematic tools, with logic strictly related to the indicated purposes and, in any case, with methods suitable to ensure their security and confidentiality in accordance with the provisions of article 32 GDPR.

8. Rights of the Data Subject.

8.1. Regarding your personal data processed by THD S.p.A., we inform you that you have the right to exercise the following rights, as enshrined in articles 15 to 22 of the GDPR, and in particular:

• right of access – article 15 GDPR: the right to obtain confirmation as to whether or not personal data concerning you are being processed, and, where it is, access to your personal data – including a copy of the same – and communication, among others, of the following information:

• purposes of the processing

• categories of personal data processed

• recipients to whom these have been or will be disclosed

• retention period of the data or criteria used

• data subject's rights (rectification, deletion of personal data, limitation of processing, and right to object to processing

• right to lodge a complaint

• right to receive information on the origin of my personal data if they were not collected from the data subject the existence of automated decision-making, including profiling;

• right to rectification – article 16 GDPR: the right to obtain, without undue delay, the correction of inaccurate personal data concerning you and/or the completion of incomplete personal data;

• right to erasure (right to be forgotten) – article 17 GDPR: the right to obtain, without undue delay, the deletion of personal data concerning you, when:

• the data is no longer necessary concerning the purposes for which they were collected or otherwise processed;

• you have withdrawn your consent and there is no other legal basis for the processing;

• you have successfully objected to the processing of personal data;

• the data has been unlawfully processed;

• the data must be deleted to comply with a legal obligation;

• personal data were collected about the offer of information society services referred to in article 8, paragraph 1, GDPR.
The right to erasure does not apply to the extent that the processing is necessary for the fulfilment of a legal obligation or for the performance of a task carried out in the public interest or for the establishment, exercise or defence of legal claims.

• right to restriction of processing – article 18 GDPR: the right to obtain the restriction of processing, when:

• the data subject disputes the accuracy of the personal data;

• the processing is unlawful, and the data subject opposes the erasure of the personal data and requests instead that its use be restricted;

• the personal data is necessary for the data subject for establishing, exercising or defending legal claims;

• right to object: the right to object to processing personal data concerning you, except where there are legitimate reasons for the Controller to continue the processing.

• right to data portability – article 20 GDPR: the right to receive, in a structured, commonly used and machine-readable format, the personal data concerning you provided to the Controller and the right to transmit it to another controller without impediments, provided that the processing is based on consent and is carried out by automated means. Additionally, the right to obtain that your personal data be transferred directly from the Controller to another controller where technically feasible;

• right to lodge a complaint with the Data Protection Authority, Piazza Venezia n.11, 00187, Rome (RM).

8.2. In accordance with art. 12 paragraph 1 of the Regulation, THD S.p.A. commits to providing you with the communications referred to in articles 15 to 22 of the Regulation in a concise, transparent, intelligible, easily accessible form, and with clear and plain language: such information will be provided in writing or by other means if applicable, including electronic means, or orally if requested by the data subject, provided that the identity of the data subject is confirmed by other means.

8.3. In accordance with art. 12 paragraph 3 of the Regulation, the Controller informs you that it commits to providing you with the information regarding the action taken concerning a request under articles 15 to 22 of the GDPR without undue delay and, in any case, no later than one month from receipt of the request; this period may be extended by two months, if necessary, taking into account the complexity and the number of requests.

8.4. To exercise the rights better illustrated in this article, the Data Subject may make use of the contact details specified in art. 1 of this “Notice”.

8.5. The exercise of your rights as a data subject is free of charge pursuant to article 12 GDPR. However, in the case of manifestly unfounded or excessive requests, also due to their repetitive nature, the Controller may charge you a reasonable fee, considering the administrative costs incurred to handle your request, or refuse satisfaction of your request.

Finally, we inform you that the Controller may request further information necessary to confirm the identity of the data subject.


Correggio (RE), 10 January 2026

THD S.p.A.
(As the Data Controller)

About THD

Back on top

The contents of this site are solely for informative purposes and should under no circumstances replace the advice, diagnosis, or treatment prescribed by your attending physician. Always consult with your doctor regarding any information related to diagnosis and treatments, and adhere diligently to their instructions.

Cookie policy

Terms of Use

Privacy Policy

THD S.p.A. - Via per Carpi, 15/B - 42015 Correggio (RE) - Italy - Tax Code, VAT and Company Register - 02111430357 - Business Register RE - 252392 - Share Capital € 4,000,000.00 fully paid up.

Copyright © THD SpA

About THD

Back on top

The contents of this site are solely for informative purposes and should under no circumstances replace the advice, diagnosis, or treatment prescribed by your attending physician. Always consult with your doctor regarding any information related to diagnosis and treatments, and adhere diligently to their instructions.

THD S.p.A. - Via per Carpi, 15/B - 42015 Correggio (RE) - Italy - Tax Code, VAT and Company Register - 02111430357 - Business Register RE - 252392 - Share Capital € 4,000,000.00 fully paid up.

Copyright © THD SpA

Cookie policy

Terms of Use

Privacy Policy

Cookie policy

Terms of Use

Privacy Policy