Information on personal data processing for users of the payment service

Version 1Last update on 04/2024

Pursuant to Articles 13 and 14 of EU Regulation 2016/679 (hereinafter referred to as the "Regulation"), also known as GDPR, Fabrick S.p.A. (hereinafter referred to as the "Controller") provides the following information regarding the characteristics of the processing it carries out.

1) Who is the Data Controller?

The Data Controller of personal data is Fabrick S.p.A. headquartered in Biella (BI) - 13900, at Piazza Gaudenzio Sella, No. 1.

2) How to contact the Data Protection Officer?

The Data Protection Officer (hereinafter "DPO" or "DPO - Data Protection Officer") can be contacted at the following addresses:

  • postal address: Piazza Gaudenzio Sella, No. 1, 13900 Biella - DPO
  • email address:

3) Which data are or can be subject to processing and what are the sources of the data?

The processing concerns the personal data of the user of payment services (hereinafter, the "Data Subject") and is carried out within the framework of the service enabling authorization, processing, and settlement of payments, through any payment instrument, between the merchant where an online purchase is made (hereinafter, the "Merchant") and the Data Subject making the purchase, allowing the Merchant to accept and collect electronic payments (hereinafter, the "Service").

 In particular, the Controller processes personal data belonging to the following categories:

  • identification, contact, and contractual data (such as: name, surname, email address);
  • data concerning payment transactions (such as: data of the card used for payment, beneficiary, object, and amount).

The aforementioned data are personally provided by the Data Subject through the completion of specific forms, for the purpose of entering payment transaction data, by the Controller or the Merchant, and subsequently communicated to the Controller by the latter.

4) On what legal bases and for what purposes are the data processed?

The processing of personal data is carried out, by the Controller and/or by third parties on behalf of the same, exclusively in the presence of one of the following legal bases and is limited to pursuing the related purposes:

  • performance of a contract to which the data subject is a party or performance of pre-contractual measures taken at the request of the same, pursuant to Article 6(1)(b) of the Regulation, in order to execute the Service;
  • compliance with a legal obligation to which the data controller is subject, pursuant to Article 6(1)(c) of the Regulation and, in particular, in order to comply with the obligations related to the Service (for example, where applicable: management of complaints, anti-money laundering, and counter-terrorism, etc.);
  • if the Merchant where the purchase is made has joined the fraud prevention service, legitimate interest of the data controller or third parties in preventing fraud in payments, pursuant to Article 6(1)(f) of the Regulation, in order to analyze the level of fraud risk of transactions.

With reference to the purposes indicated above, the provision of data is mandatory and the consent to processing by Data Subjects is not required; failure to provide one or more data will make it impossible to execute the Service.

5) To whom can personal data be disclosed?

Personal data may be known by the staff of the Controller authorized to process them in the course of their work duties or by subjects acting as data processors - specifically appointed pursuant to Article 28 of the Regulation - or independent data controllers. The various categories of recipients involved are as follows:

  • public bodies within the scope of legally required communications (e.g., supervisory authorities);
  • independent subjects (so-called acquirers) who manage payments with credit or debit cards belonging to national and international credit and debit circuits;
  • companies of the Sella Group, controlled or affiliated pursuant to Article 2359 of the Italian Civil Code, in the event of detection of transactions considered suspicious, as well as companies of the Sella Group providing the technological infrastructure for the provision of the Service and technical support activities;
  • if the Merchant has joined the fraud prevention service offered by the Controller, Riskified Ltd. whose privacy policy can be consulted at the following link

6) Can data be transferred to countries outside the European Economic Area?

For technical support activities aimed at investigating and resolving abnormal situations, and testing applications, the Controller may allow access to the data, in a tracked manner, to the Sella Group company based in India. Personal data are not stored at the foreign company but are remotely accessed while remaining within the Company's information system. The transfer takes place on the basis of standard contractual clauses approved by the European Commission.

Furthermore, if the Merchant has joined the fraud prevention service, some data will be transferred outside the European Economic Area and, specifically, to Israel, to the company Riskified Ltd., for the purpose of analyzing the level of fraud risk. The transfer is permitted because the European Commission has recognized Israel as a third country that ensures an adequate level of protection for personal data.

7) How long are the data stored?

Personal data are processed and stored for the period necessary to achieve the purpose of providing the Service, without prejudice to the retention periods provided by law and for the Controller's or third parties' own defensive purposes, until the expiry of the applicable statutory limitation period. In particular, in compliance with the provisions of the Bank of Italy for the retention and availability of documents, data, and information for the fight against money laundering and terrorism financing, where applicable, data relating to the execution of the Service (identification and contact data and data relating to payment transactions) are retained for ten years from the closure of the relationship with the Merchant. At the end of the retention period, personal data relating to Data Subjects will be stored in a form that does not allow their identification (for example: irreversible anonymization), unless their processing is necessary for one or more of the following purposes:

  • resolution of pre-litigation and/or litigation initiated before the expiration of the retention period;
  • follow-up to investigations/inspections by internal control functions and/or external authorities initiated before the expiration of the retention period;
  • follow-up to requests from Italian and/or foreign public authorities received/notified to the Controller before the expiration of the retention period.

8) What are the rights granted to Data Subjects?

Data Subjects have the right to exercise specific rights regarding data protection, as listed below:

  • right of access: right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed and, if so, to access them (without prejudice to the rights of others);
  • right to rectification: right to obtain from the Controller the rectification of inaccurate personal data without undue delay, as well as the completion of incomplete personal data, also by providing a supplementary statement;
  • right to erasure ("right to be forgotten"): right to obtain from the Controller the erasure of personal data without undue delay. The Controller has the obligation to proceed with the aforementioned erasure if, for example:
    1. the personal data are no longer necessary for the purposes of the processing;
    2. the personal data have been unlawfully processed;
    3. the personal data must be erased to comply with a legal obligation; legale;
  • Right to restriction of processing: The right to obtain from the Controller the restriction of processing. The Controller is obligated to proceed with the aforementioned restriction in the following cases:
    1. The accuracy of personal data is contested (for the period necessary for the Controller to verify the accuracy of such personal data);
    2. The processing is unlawful, and the Data Subject has objected to the erasure of personal data and has requested the restriction thereof;
    3. The personal data (although no longer necessary for the purposes of processing) are required for the establishment, exercise, or defense of legal claims;
    4. Investigations are ongoing regarding the possible overriding interests of the Controller if the Data Subject has exercised the right to object as described below;
  • Right to data portability: The right to receive personal data in a structured, commonly used, and machine-readable format and to transmit such data to another controller, only in cases where the processing is based on consent or on a contract and only for data processed through electronic means;
  • Right to object to processing: The right to object at any time to the processing of personal data based on the legitimate interest of the Controller, unless the Company demonstrates compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the Data Subject, or for the establishment, exercise, or defense of a legal claim. Additionally, to object at any time to the processing of personal data for direct marketing purposes, including profiling to the extent that it is related to such direct marketing;
  • Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, if the Data Subject believes that the processing concerning them violates the Regulation, they have the right to lodge a complaint with the supervisory authority of the Member State where they habitually reside or work, or of the State where the alleged violation occurred.

To exercise these rights and for any information regarding the processing of personal data, a request can be sent to the following addresses:

  • postal address: Piazza Gaudenzio Sella No. 1, 13900 Biella;
  • email addresses:

The Controller provides information regarding the action taken regarding the request without undue delay and no later than one month after receiving it.

If the exercise of the aforementioned rights could result in actual and concrete prejudice to the interests protected under anti-money laundering and counter-terrorism provisions, pursuant to Article 2-undecies of the Privacy Code, the scope of these rights and certain related obligations of the Controller may be limited. In such circumstances, the exercise of the same rights may be delayed, restricted, or excluded, to the extent and within the limits necessary and proportionate. If the conditions are met, you will receive a reasoned communication without delay.