Skip to content
Home » Privacy Policy

Privacy Policy

Rottapharm Biotech S.r.l.  (“RB”) wishes to inform you that, this privacy statement pursuant to Art. 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, so-called “GDPR“) provides information about the processing and protection of your personal data collected automatically or provided by you during your visit to the website (hereinafter “Site”).


  1. Data Controller and contact details of the Data Protection Officer (DPO)

The Data Controller is Rottapharm Biotech Srl (hereinafter “RB” or “Data Controller“), in the person of the legal representative, in Via Valosa di Sopra 9, 20900 Monza (MB), Italy, VAT n. 12961590150, Tel. 039 9066001, e‑mail rpd‑


Due to the processing activities carried out by RB, the Data Controller deemed it necessary to designate, pursuant to Art. 37 of the GDPR, a DPO who can be contacted at the following address:


  1. Purposes, legal basis and retention periods

To allow you to use the Site, the Data Controller needs to know and process some of your personal data. By “personal data” we mean any information related to an identified or identifiable natural person (“Data Subject”), such as, for example, name and contact details.

The personal data processed by the Data Controller are exclusively those provided by you during navigation. Your personal data may be processed using suitable paper, and IT tools.

The types of data processed for the simple navigation of the Site, are specified below: for further details, please refer to the specific information for “cookies”.


Navigation Data

The information systems and software procedures used to run this Site acquire some personal data as part of their standard functioning. The transmission of such data is an inherent feature of Internet communication protocols.

Please note that such information is not collected for the purpose of being associated with data subjects, however it might allow user identification per se after being processed and matched with data held by third parties.

This data category includes IP addresses and/or the domain names of the computers used by any user connecting with this Site, the URI (Uniform Resource Identifier) addresses of the requested resources, the time of such requests, the method used for submitting a given request to the server, the returned file size, the numerical code relating to server response status (successfully performed, error, etc.), and other parameters related to the user’s operating system and the computer environment.

These data are used by the Data Controller only to obtain anonymous statistical information on the use of the Site and to check its correct working.

These data could also be used to establish liability if computer crimes against RB are committed.


Data Provided Voluntarily

The optional, explicit and voluntary sending of e-mails to the addresses indicated on this Site entails the subsequent acquisition of the sender’s address, necessary to respond to requests, as well as to any other personal data included in the communication. Certain pages of the Site will ask you to provide personal information in application forms. In this case, in accordance with Art. 13 of the GDPR, you will be provided with the information notice regarding the processing of personal data in relation to the specific purposes pursued.



Information regarding the cookies used on this Site is available at the.


  1. Personal Data provision

The provision of personal data is optional, and the interested party has always the right to refuse such use of their personal data by the Data Controller.


  1. Categories of recipients of personal data

The data processed will not be disclosed to third parties. However, your personal data may be processed by external parties appointed by RB as data processors after having received adequate operating instructions, such as:

  • companies in charge of the maintenance/management of the Site and the electronic and/or telematic tools used by the Data Controller.

Your personal data may also be communicated to third parties, independent data controllers, such as for example:

  • supervisory and control authorities and bodies and, in general, public or private entities entitled to request the data;
  • persons, companies, associations, or professional firms (lawyers, accountants, auditors).


The list of the recipients of the data is constantly updated and can be found easily and free of charge by sending a written communication to the Data Controller at the address indicated above or an e-mail to the address

Any communication of personal data will take place in full compliance with the legal provisions of the GDPR and the technical and organizational measures prepared by the Data Controller to ensure an adequate level of security.


  1. Transfer of personal data outside the European Union

The Data Controller may transfer your personal data to third countries if required by law.

In case of transfer of your personal data outside the European Union, we undertake to:

  • include the standard contractual data protection clauses approved by the European Commission for the transfer of personal information outside the EEA in our contracts with such third parties (these are the clauses approved under 46.2 of the GDPR; or
  • make sure that the third country where the personal information will be transferred has been assessed by the European Commission as having an adequate level of protection pursuant to 45 of the GDPR.


  1. Automated decision-making processes

The Data Controller does not use any automated decision-making process, including the profiling referred to in Art. 22, paragraphs 1 and 4, of the GDPR, without your consent.

Furthermore, as required by Art. 22, paragraph 3, of the GDPR, the Data Controller implements the most appropriate measures to protect your rights, your freedom, and your legitimate interests (see also paragraph 8 “Rights of the Data Subject”).


  1. Retention period of personal data

The Data Controller intends to keep your personal data for no longer than necessary and only for the purposes for which your personal data are collected and processed.

The Data Controller undertakes to process your personal data in compliance with the principles of adequacy, relevance, and data minimization, as required by the GDPR, periodically verifying the need for their retention. Once the purpose for collecting and processing your data has been achieved, RB will delete data from its systems and registers and/or will take appropriate measures to make your data anonymous and not identifiable.

The above does not apply only in case RB needs to keep the data to fulfill regulatory obligations, or to establish, exercise or defend legal claims.


  1. Rights of the Data Subject

In relation to the processing of personal data carried out through the Site, as a Data Subject, you may at any time exercise the rights provided for by the GDPR, in particular request to:

  • access your personal data, obtaining evidence of the purposes pursued by the Data Controller, the categories of data involved, the recipients to whom it may be communicated, the applicable retention period, the existence of automated decision-making processes, including profiling, and, at least in such cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject if not already indicated in the text of this Policy;
  • obtain, without undue delay, rectification of any inaccurate personal data concerning you; in the cases provided for by law, obtain the erasure of your data;
  • obtain restriction of processing or object to the same, when admitted on the basis of the legal provisions applicable to the specific case. Be aware that it is always possible to object to any direct marketing actions;
  • in the cases provided for by law, obtain portability of the data you have provided to the Data Controller, i.e. receive it in a structured, commonly used and machine-readable format and also request to transmit such data to another data controller, if technically feasible.

In addition, if you deem it appropriate, you may lodge a complaint with the Supervisory Authority (Personal Data Protection Authority).

Please note that for the processing of personal data where consent is the legal basis, you may withdraw it at any time by addressing your request via email to the DPO, or by using, where present on the Site, appropriate means to withdraw/provide consent in relation to specific processing.

Regarding the use of cookies, to change the status of consents, please refer to that indicated in the Cookie Policy.

For further information concerning your rights and the privacy provisions in general, please visit the Site of the Personal Data Protection Authority at


  1. Changes to this Privacy Policy

The Data Controller reserves the right to make changes to this Privacy Policy at any time, publishing them on this page. So please look at this page and check the bottom for the date of the most recent change made.