Privacy and data protection

WEBSITE PRIVACY POLICY

www.toscotec.com – Last updated: June 2026

This Website Privacy Policy is provided by Toscotec S.p.A. pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (“GDPR”) and applicable Italian data protection laws. It describes how personal data are processed in connection with the browsing and use of the website www.toscotec.com (the “Website”).

This policy does not replace the specific privacy notices that apply to dedicated services or sections of the Website, including the “Job Offers/Career” section and any whistleblowing platform managed through separate channels. External websites, social media pages and third-party platforms linked from the Website are governed by their own privacy notices.

1. Data Controller

The Data Controller is Toscotec S.p.A., with registered office at Viale Europa 317/F, 55014 Marlia (LU), Italy, Tax Code/VAT no. 02094670466 (“Toscotec” or the “Controller”).

Privacy contact: privacy@toscotec.com – Certified Email (PEC): info@pec.toscotec.biz.

Toscotec has established an internal Privacy Committee that supports the monitoring of compliance with data protection legislation and internal privacy policies.

2. Categories of personal data processed

Depending on the way in which the Website is used, Toscotec may process the following categories of personal data:

Browsing and technical data: IP address, domain names of the devices used by users, URI/URL addresses of requested resources, time of request, method used to submit the request to the server, response status code, size of the file received, browser type, operating system, log data and other parameters relating to the user’s device and IT environment.
Data provided through contact or request forms: email address, full name, message content and any other information voluntarily included by the user in the form or in subsequent communications.
Newsletter data: email address, consent records, preferences and interaction data with communications, where such tracking is enabled and lawful.
Career data: personal data submitted through the “Job Offers/Career” section are governed by the dedicated candidate privacy notice.
Cookie and similar technology data: data collected through cookies, pixels, tags or similar technologies, as further described in the Cookie Policy.
Data relating to interactions with third-party links or platforms: when users access LinkedIn, YouTube, Voith Group websites, whistleblowing platforms or other third-party services through links available on the Website, those third parties may process personal data as independent controllers according to their own policies.

3. Purposes and legal bases

Personal data are processed for the purposes and on the legal bases indicated below.

Website operation, technical maintenance and security: to ensure Website functionality, monitor correct operation, prevent abuse, protect the Website and IT systems, and manage security incidents. Legal basis: legitimate interest of the Controller (Article 6(1)(f) GDPR) and, where applicable, compliance with legal obligations (Article 6(1)(c) GDPR).
Handling contact requests and project or commercial enquiries: to reply to messages, requests for information and business contacts submitted by users. Legal basis: performance of pre-contractual measures requested by the data subject (Article 6(1)(b) GDPR) and/or legitimate interest in managing business communications (Article 6(1)(f) GDPR).
Newsletter and marketing communications: to send corporate news, event updates, product or service information and other promotional communications. Legal basis: user’s consent (Article 6(1)(a) GDPR), unless another lawful basis is specifically applicable under applicable law.
Recruitment: to manage applications submitted through the Career section. Legal basis: as specified in the dedicated candidate privacy notice.
Analytics and Website improvement: to measure Website performance and improve content and navigation. Legal basis: consent where analytics tools are not configured as technical or anonymised analytics; otherwise, legitimate interest or technical necessity, in accordance with applicable law and the Cookie Policy.
Compliance and defence of rights: to comply with legal obligations, respond to lawful requests from authorities, and establish, exercise or defend legal claims. Legal basis: legal obligation (Article 6(1)(c) GDPR) and legitimate interest (Article 6(1)(f) GDPR).

4. Nature of provision

Browsing data are automatically collected to enable the Website to function. Data submitted through forms are provided voluntarily; failure to provide data marked as mandatory may prevent Toscotec from responding to the request or providing the requested service. Newsletter subscription and consent to non-technical cookies are optional and may be withdrawn at any time.

5. Processing methods and security

Personal data are processed by electronic and, where necessary, paper-based means, using organisational and technical measures appropriate to the nature, scope, context and purposes of processing. Toscotec applies access controls, authentication procedures, confidentiality obligations, data minimisation and other safeguards designed to protect personal data against unauthorised access, loss, destruction, disclosure or alteration.

6. Recipients of personal data

Personal data may be processed by authorised personnel of Toscotec and may be disclosed, only where necessary, to the following categories of recipients:

IT, hosting, cybersecurity, web development and maintenance providers;
email, CRM, marketing automation and newsletter platform providers, acting as data processors where applicable;
companies of the Voith Group, where their involvement is necessary to handle the request or manage corporate processes;
consultants, professional advisers and service providers assisting Toscotec in legal, administrative, technical or organisational matters;
public authorities, supervisory bodies, courts or law enforcement agencies where disclosure is required by law or by a lawful order.

External service providers processing personal data on behalf of Toscotec are appointed as Data Processors pursuant to Article 28 GDPR and receive appropriate processing instructions. Personal data are not sold or disseminated.

7. International transfers

Personal data are processed mainly within the European Economic Area. Where the use of suppliers, platforms or Group systems involves a transfer of personal data outside the EEA, Toscotec ensures that the transfer takes place only in compliance with Chapter V GDPR, including on the basis of adequacy decisions, Standard Contractual Clauses approved by the European Commission, the EU-U.S. Data Privacy Framework where applicable, or other lawful safeguards.

8. Retention periods

Personal data are retained for no longer than necessary to achieve the purposes for which they were collected, subject to any longer period required to comply with legal obligations or to protect Toscotec’s rights. Indicatively:

Browsing and technical logs are retained for the time necessary to ensure Website operation and security and normally for no longer than 12 months, unless further retention is required for security investigations or legal claims.
Contact and information requests are retained for the time necessary to reply and manage the relationship and, normally, for up to 24 months from the last relevant interaction, unless a longer retention period is required for contractual, accounting or legal purposes.
Newsletter data are retained until consent is withdrawn or the user unsubscribes, without prejudice to the retention of evidence of consent and related records for accountability and legal defence purposes.
Candidate data are retained in accordance with the dedicated Career privacy notice.
Cookie consent preferences are retained in accordance with the Cookie Policy and the configuration of the consent management platform.

9. Rights of data subjects

Data subjects may exercise, where applicable, the rights provided for by Articles 15 to 22 GDPR: access, rectification, erasure, restriction of processing, data portability and objection. Where processing is based on consent, the data subject may withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.

Requests may be sent to privacy@toscotec.com. Data subjects also have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) if they believe that the processing of their personal data infringes applicable data protection law.

10. Cookies and similar technologies

The Website uses cookies and similar technologies for technical, functionality, analytics and, where applicable, marketing purposes. Detailed information is provided in the Cookie Policy. Non-technical cookies and similar tracking technologies are activated only where a valid consent has been collected, unless otherwise permitted by applicable law.

11. Updates

Toscotec may update this Website Privacy Policy to reflect changes in the Website, services, technologies or applicable law. The updated version will be published on the Website with indication of the latest update date.

The Tissue Valley embraces the future with Tissue Planet – NextGen

Tissue Planet – Future Insights™: Toscotec gathers global Tissue industry leaders in Lucca

Project IMPACT – Low-CO₂ Emission Paper Production Plant