Privacy Policy

pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (GDPR)
Website www.zuccatobiotech.it

ZUCCATO HC S.r.l., with registered office at Via della Consortia no. 2 – 37127 Verona (VR), Tax Code and VAT no. 01725500233 (hereinafter, for brevity, “ZUCCATO HC” or the “Controller”), recognises the importance of personal data protection and considers its safeguarding one of the main objectives of its business activity.

This Privacy Policy is provided with reference to the website www.zuccatobiotech.it (hereinafter, the “Website”), relating to Zuccato Biotech, the regenerative medicine division of ZUCCATO HC S.r.l. It is hereby specified that Zuccato Biotech is not an independent legal entity but represents an internal organisational division of ZUCCATO HC, dedicated to the field of regenerative medicine and related medical devices. Any reference to “Zuccato Biotech” contained in this Privacy Policy or on the Website shall therefore be understood as referring to ZUCCATO HC S.r.l., the sole legal entity acting as data controller.

Before disclosing any personal data, ZUCCATO HC invites users to carefully read this Privacy Policy (hereinafter also the “Privacy Policy”), as it contains relevant information on the protection of personal data and on the security measures adopted to ensure its confidentiality, in full compliance with Regulation (EU) 2016/679 (hereinafter, “GDPR” or “Applicable Legislation”), Legislative Decree no. 196 of 30 June 2003, as amended by Legislative Decree no. 101 of 10 August 2018 (“Privacy Code”), and the measures issued by the Italian Data Protection Authority.

This Privacy Policy applies exclusively to the Website and not to any other websites that may be visited by the user through external links, to which their respective privacy policies apply. It shall be deemed to be provided, pursuant to Article 13 GDPR, to all subjects who access and interact with the Website.

ZUCCATO HC has also deemed it appropriate to comply with Recommendation no. 2/2001 on the minimum requirements for collecting personal data online in the European Union, adopted on 17 May 2001 by the Article 29 Working Party, as well as with the Guidelines of the European Data Protection Board (EDPB) on consent, transparency and cookies.

ZUCCATO HC informs users that the processing of personal data shall be based on the principles of lawfulness, fairness, transparency, purpose limitation, storage limitation, minimisation, accuracy, integrity and confidentiality, in accordance with the provisions of the Applicable Legislation.


1. Data Controller and Data Protection Officer (DPO)

The Data Controller of the personal data collected through the Website is:

ZUCCATO HC S.r.l., with registered office at Via della Consortia no. 2 – 37127 Verona (VR), Italy – Tax Code and VAT no. 01725500233 – e-mail: privacy@zuccatohc.it – certified e-mail (PEC): pec@pec.zuccatohc.it.

The Controller may be contacted at any time to receive information regarding the processing of personal data, to exercise the rights recognised by the Applicable Legislation or to report any issues.

The Controller has appointed a Data Protection Officer (DPO), namely Avv. Enrico Sinigaglia, who may be contacted at the dedicated e-mail address: dpo@zuccatohc.it. Any request or report relating to the processing of personal data may be addressed to the DPO, including the exercise of the rights set out in Articles 15-22 GDPR.


2. Categories of personal data subject to processing

“Personal Data” means any information relating to an identified or identifiable natural person, with particular reference to identifiers such as a name, an identification number, location data, an online identifier or one or more elements characteristic of their physical, physiological, genetic, mental, economic, cultural or social identity.

Through the Website, ZUCCATO HC may collect the following categories of personal data:


2.1. Browsing data

The IT systems and software procedures used to operate the Website acquire, during their normal operation, certain data whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified data subjects, but by its very nature could, through processing and association with data held by third parties, allow users to be identified.

This category includes the IP addresses or domain names of the devices used to connect to the Website, the URI/URL addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user’s operating system and IT environment.

These data are used solely to obtain anonymous statistical information on the use of the Website, to check its proper functioning, to ensure system security and to ascertain any liability in the event of cybercrimes against the Website or third parties. Browsing data are retained for the time strictly necessary to pursue the aforementioned purposes and, as a rule, for no longer than 7 days, without prejudice to any need to investigate offences by the Judicial Authority.


2.2. Data voluntarily provided by the user

Through the Website, the user may voluntarily provide personal data such as, by way of example, name, surname, professional qualification, organisation of affiliation, e-mail address, telephone number and any other information contained in communications sent via the “Contact Us” form or via direct e-mail to the addresses published on the Website, in particular info@zuccatobiotech.it.

ZUCCATO HC will process such data in compliance with the Applicable Legislation, assuming that the data refer to the user or to third parties who have expressly authorised the user to provide them on the basis of an appropriate legal basis. In such cases, the user acts as an independent data controller for third-party data, assuming all legal obligations and responsibilities, and hereby grants ZUCCATO HC the broadest indemnity against any dispute, claim or request for compensation for damages made by third parties whose personal data have been processed through the Website in violation of the Applicable Legislation.

The user is expressly invited not to communicate, through the Website or contact channels, data belonging to the special categories referred to in Article 9 GDPR, in particular health-related data, or identifying data of patients, except where strictly necessary for the medical device vigilance purposes referred to in paragraph 2.4 below. In the event that such data are transmitted, responsibility for the lawfulness of the disclosure, including any legal bases and information obligations towards the data subject, shall remain with the sending user.


2.3. Data collected through cookies and similar technologies

The Website uses cookies and similar technologies. Detailed information on the types of cookies used, their purposes, retention periods and the methods for giving, changing or withdrawing consent is provided in the specific Cookie Policy, to which full reference is made and which forms an integral part of this Privacy Policy.


2.4. Data relating to medical device vigilance

Due to the activity carried out by ZUCCATO HC in the medical device sector and, in particular, in regenerative medicine, by way of example: PBMNC High Q Cell®, ADSC Lipo-Stem®, RGTA Cacipliq20®, GLASS AktiBone®, the Controller may receive — including through the Website or the contact addresses published on it — reports of incidents, serious incidents, complaints or field safety corrective actions pursuant to Regulation (EU) 2017/745 (MDR), from healthcare professionals, healthcare facilities or other economic operators.

Such reports may involve the processing of the reporter’s personal data, e.g. name, qualification, contact details, organisation of affiliation, and, in some cases, health-related data concerning patients involved in the incident. Such processing is carried out in compliance with legal obligations provided for by the MDR and by the relevant national legislation, Legislative Decree no. 137 of 5 August 2022 and Legislative Decree no. 46 of 24 February 1997, where applicable, and is based on Articles 6(1)(c) and — with regard to health-related data — 9(2)(i) GDPR, namely reasons of public interest in the area of public health, including ensuring high standards of quality and safety of medical devices.

Data collected as part of vigilance activities may be disclosed, in compliance with legal obligations, to the competent authorities, including the Ministry of Health, national health authorities and EUDAMED, and to the manufacturer of the device involved, within the limits strictly necessary.


3. Purposes, legal bases and retention period

Personal data collected through the Website shall be processed by ZUCCATO HC for the purposes set out below, on the basis of the corresponding legal bases and for the retention periods indicated below:

a) to perform a contract to which the user is a party or to take pre-contractual measures at the user’s request, by way of example: management of contact, information or quotation requests submitted via the “Contact Us” form or via direct e-mail;

b) to allow possible access to reserved areas of the Website, in performance of contractual or pre-contractual obligations;

for the purposes under a) and b), the legal basis is identified in Article 6(1)(b) GDPR and the data shall be retained until the request has been answered; in the event of continuation of the contractual relationship, for a period not exceeding 10 years from the conclusion of the contract, without prejudice to any longer limitation periods provided for by law;

c) to carry out research and statistical analyses on aggregated or anonymous data, without the possibility of identifying the user, aimed at measuring the functioning of the Website, traffic, usability and user interest;

this activity does not involve the processing of personal data;

d) to ensure the security of the Website, prevent abuse, fraud and cyber incidents, and protect the integrity of systems and networks;

e) to establish, exercise or defend a right in judicial, administrative or out-of-court proceedings, or whenever judicial authorities exercise their functions;

for the purposes under d) and e), the legal basis is identified in the legitimate interest of the Controller pursuant to Article 6(1)(f) GDPR, respectively: protection of the security of the Website and IT systems; protection of its rights in court. The data shall be retained for a period not exceeding 10 years from the last interaction, or for the longer period necessary to settle any disputes and for the expiry of limitation periods;

f) to comply with legal obligations to which ZUCCATO HC is subject, including tax, accounting, administrative, medical device vigilance and anti-money laundering obligations;

for this purpose, the legal basis is identified in Article 6(1)(c) GDPR and the data shall be retained for the periods provided for by the individual regulations, generally 10 years, extended to at least 15 years for vigilance documentation relating to medical devices, pursuant to Article 10(8) MDR;

g) to manage reports of incidents, complaints and field safety corrective actions relating to medical devices, as described in paragraph 2.4 above;

for this purpose, the legal basis is identified in Article 6(1)(c) GDPR and, for any health-related data, in Article 9(2)(i) GDPR;

h) to install cookies and similar technologies other than technical cookies, such as non-anonymised analytics cookies, profiling cookies and third-party cookies, where the user has given consent through the dedicated banner;

for this purpose, the legal basis is identified in the consent of the data subject pursuant to Article 6(1)(a) GDPR and Article 122 of Legislative Decree 196/2003, as supplemented by the Cookie Guidelines of the Italian Data Protection Authority of 10 June 2021. Consent may be withdrawn at any time in accordance with the methods indicated in the Cookie Policy.

A summary table of the processing purposes is provided below:

| Purpose | Legal basis (GDPR) | Nature of provision | Retention period |
| --- | --- | --- | --- |
| (a) Response to contact, information, quotation or technical-commercial support requests (“Contact Us” form, e-mail, telephone) | Article 6(1)(b) – performance of pre-contractual measures and/or of a contract | Optional; failure to provide the data prevents a response | Until the response has been provided; in the event of continuation of the relationship, up to 10 years from the conclusion of the contract |
| (b) Compliance with legal obligations (tax, accounting, medical device vigilance, anti-money laundering, etc.) | Article 6(1)(c) – legal obligation | Mandatory where required by law | Terms provided for by the individual regulations, generally 10 years; for vigilance documentation, up to 15 years pursuant to Article 10(8) MDR |
| (c) Medical device vigilance: management of incident reports, complaints, field safety corrective actions (FSCA) | Article 6(1)(c) – legal obligation (Reg. EU 2017/745); Article 9(2)(i) for any health-related data | Mandatory for the purposes of reporting | At least 15 years from the cessation of distribution of the device |
| (d) Security of the Website, prevention of abuse, fraud and cyber incidents, integrity of systems | Article 6(1)(f) – legitimate interest in system security and protection of company assets | Necessary for use of the Website | Security logs: maximum 12 months; other data: up to 10 years from the last interaction |
| (e) Exercise or defence of a right in judicial, administrative or out-of-court proceedings | Article 6(1)(f) – legitimate interest in protecting its rights | Necessary in the event of litigation | For the duration of the litigation and until expiry of limitation periods |
| (f) Aggregated and anonymous statistical analyses on Website use | Processing not involving personal data, anonymous data | | |
| (g) Installation of cookies and similar technologies other than technical cookies | Article 6(1)(a) – consent, Article 122 of Legislative Decree 196/2003 and Italian Data Protection Authority Guidelines of 10.6.2021 | Optional, withdrawable at any time | Duration indicated in the Cookie Policy |

The provision of personal data for the purposes listed above is optional, but failure to provide such data may make it impossible to respond to the user’s requests or to comply with legal obligations to which ZUCCATO HC is subject. For purposes based on consent, refusal to provide consent does not entail any adverse consequence other than ZUCCATO HC’s inability to pursue the specific purpose.


4. Processing methods and security measures

Personal data are processed using manual, IT and telematic tools, with logic strictly related to the purposes indicated and, in any case, in such a way as to ensure the security and confidentiality of the data, in accordance with the principles set out in Articles 5 and 32 GDPR.

ZUCCATO HC adopts appropriate technical and organisational measures, taking into account the state of the art, implementation costs, the nature, scope, context and purposes of processing, as well as the risk to the rights and freedoms of data subjects, in order to ensure an adequate level of security, including, by way of example: encryption of data in transit, access control through individual credentials, backup and disaster recovery systems, segregation of environments, training of authorised personnel, access logging and security incident (data breach) management procedures pursuant to Articles 33 and 34 GDPR.

ZUCCATO HC, as an economic operator pursuant to Regulation (EU) 2017/745 and — where applicable — as a relevant entity pursuant to Directive (EU) 2022/2555 (NIS 2) and the related Legislative Decree no. 138 of 4 September 2024, also implements proportionate cyber risk management measures, under the supervision of the National Cybersecurity Agency (ACN) within the scope of its respective competence.

The data are processed exclusively by authorised personnel, duly instructed pursuant to Article 29 GDPR and Article 2-quaterdecies of the Privacy Code, and by external parties appointed as data processors pursuant to Article 28 GDPR.

ZUCCATO HC declares that it does not carry out, through the Website, automated decision-making processes — including profiling — that produce legal effects concerning the data subject or similarly significantly affect them pursuant to Article 22 GDPR.


5. Recipients of personal data

Personal data may be disclosed, for the purposes referred to in paragraph 3 and in compliance with the principles of necessity and proportionality, to the following recipients or categories of recipients:

  • providers of services necessary for the delivery and functioning of the Website, by way of example: hosting providers, cloud services, e-mail services, IT maintenance, software development, technical analysis of the Website, appointed as data processors pursuant to Article 28 GDPR;
  • subjects carrying out professional activities on behalf of the Controller, by way of example: employment consultants, accountants, lawyers, auditing firms, privacy consultants, acting as independent data controllers or data processors;
  • manufacturers of the distributed medical devices, by way of example: OTR3, Noraker, Quantix, Biopsybell and other industrial partners, or other economic operators in the distribution chain, within the limits strictly necessary to comply with contractual or legal obligations, in particular in relation to medical device vigilance;
  • persons authorised to process personal data under the direct authority of the Controller, employees and collaborators, duly instructed and bound by confidentiality obligations;
  • public authorities and supervisory bodies, by way of example: Ministry of Health, Italian Medicines Agency, National Cybersecurity Agency, Italian Data Protection Authority, judicial authorities, notified bodies, where disclosure is required by the Applicable Legislation or ordered by the competent authority in the exercise of its functions.

Personal data shall not be disseminated, except in cases expressly provided for by law. The updated list of data processors is available from the Controller by writing to privacy@zuccatohc.it or dpo@zuccatohc.it.


6. Transfers of personal data outside the European Economic Area

Some of the personal data processed may be transferred to recipients located in countries outside the European Economic Area (EEA), particularly due to the use of cloud, e-mail or technical analysis services provided by international operators.

In such cases, ZUCCATO HC ensures that the transfer takes place in compliance with Articles 44 et seq. GDPR and, in particular, on the basis of one of the following conditions:

  • adequacy decision adopted by the European Commission pursuant to Article 45 GDPR;
  • Standard Contractual Clauses (SCC) adopted by the European Commission pursuant to Article 46(2)(c) GDPR, supplemented, where necessary following a Transfer Impact Assessment (TIA), by additional technical, contractual and organisational measures suitable to ensure a level of protection essentially equivalent to that guaranteed within the Union, in accordance with the Schrems II case law (CJEU, C-311/18) and EDPB Recommendations 01/2020;
  • Binding Corporate Rules (BCR) pursuant to Article 47 GDPR;
  • EU-U.S. Data Privacy Framework for transfers to certified US operators;
  • other appropriate safeguards or specific derogations provided for by Articles 46-49 GDPR.

The user may request a copy of the safeguards adopted for the transfer of their data outside the EEA by writing to privacy@zuccatohc.it or dpo@zuccatohc.it.


7. Rights of the data subject

Pursuant to Articles 15-22 GDPR, the data subject has the right to:

  • access their personal data and obtain a copy thereof, Article 15;
  • obtain rectification of inaccurate data or completion of incomplete data, Article 16;
  • obtain erasure, “right to be forgotten”, of their data in the cases provided for by law, Article 17;
  • obtain restriction of processing, Article 18;
  • receive their data in a structured, commonly used and machine-readable format, and transmit them to another controller, right to data portability, Article 20;
  • object to processing based on the legitimate interest of the Controller, on grounds relating to their particular situation, Article 21;
  • not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, Article 22;
  • withdraw consent given at any time, without affecting the lawfulness of processing based on consent before its withdrawal, Article 7(3).

Requests to exercise rights may be addressed, freely and free of charge, to the Controller at privacy@zuccatohc.it or to the Data Protection Officer at dpo@zuccatohc.it. The Controller shall respond without undue delay and, in any case, within one month of receipt of the request, which may be extended by a further two months in view of the complexity and number of requests, pursuant to Article 12(3) GDPR.

The data subject also has the right to lodge a complaint with the Italian Data Protection Authority, Piazza Venezia no. 11 – 00187 Rome – www.garanteprivacy.it, as well as to bring proceedings before the competent judicial authority, should they consider that the processing of their personal data has occurred in violation of the Applicable Legislation.


8. Changes to this Privacy Policy

ZUCCATO HC reserves the right to make changes to this Privacy Policy at any time, giving notice thereof through publication on the Website. Users are therefore invited to consult this page regularly, referring to the last update date indicated at the bottom. Any substantial changes that significantly affect ongoing processing operations shall be brought to the attention of data subjects through appropriate means.


9. Contacts

For any clarification, request for information or exercise of the rights referred to in Articles 15-22 GDPR, it is possible to contact:

Data Controller: ZUCCATO HC S.r.l. – Via della Consortia no. 2 – 37127 Verona (VR) – e-mail privacy@zuccatohc.it – certified e-mail (PEC) pec@pec.zuccatohc.it;

Data Protection Officer (DPO): Avv. Enrico Sinigaglia – e-mail dpo@zuccatohc.it.

Last updated: May 2026