Privacy policy pursuant to Regulation (EU) 2016/679 (GDPR), national legislation in force in UK (Data Protection Act 2018), and national legislation in force in Italy (D.Lgs. 196/03)

1.    General information

illycaffè UK Limited ((hereinafter, also “illycaffè UK”) and illycaffè S.p.A. (hereinafter, also “illycaffè”) inform you (hereinafter, also referring to you as the “user”) that it will process the personal data you have provided for the purposes illustrated below. Only the data necessary for the purposes referred to in this policy will be requested and processed.

2.   Purposes and legal basis

The data will be processed by illycaffè UK:

A.    to enroll you in the ILLY LOVERS program as per the General Membership Conditions and to let you enjoy the dedicated benefits. The processing is based on the following legal basis: need for the performance of a contract;

The data will be processed by illycaffè UK and illycaffè:

B.    to fulfill an obligation established by law, by a regulation or by EU legislation (for this purposes the legal basis is the fulfillment of legal obligations) and for legitimate interests such as to assert or defend an illycaffè UK and illycaffè rights (for this purposes the legal basis is the fulfillment of legal obligations).

The data will be processed by illycaffè S.p.A:

C.    to deliver advertising communications and information on products, services, programs of illycaffè and its partners and to carry out market research and/or surveys regarding illycaffè products and services. For these purposes, illycaffè will use the e-mail address you provided in the registration form or other contact details provided also afterwards (please note that e-mails and SMS/MMS can also be sent through automated systems). The processing is based on the following legal basis: consent;

D.    to create a user target (targeting), based on the information collected by illycaffè about the user,  including the analysis of purchasing habits aimed at carrying out specific marketing and promotional activities, proposing direct sales and sending commercial communications, in accordance with the specific needs of the user which emerged from the targeting. For this purpose, the data will be processed also using databases and automated systems. Can be created a target both individual user and of homogeneous classes of users. In addition, it may also be possible to associate and compare data coming from different databases of illycaffè partners (subsidiaries or affiliates companies of illycaffè S.p.A. resident in the European Union and subsidiaries or affiliates companies of Gruppo illy S.p.A. resident in the Union European). Marketing and promotional activities, commercial communications and direct sales will be proposed to the user only if specific consent for such kind of processing has been given. The consent and provision of data for such purpose are optional; the processing is based on the following legal basis: consent.

3.   Mandatory provision of data

The provision of data is necessary for the purposes referred to in the previous point 2(A) and 2(B) of this policy. Any refusal to provide it in whole or in part may give rise to the impossibility for the Company to enroll you in the ILLY LOVERS program and let you enjoy the dedicated benefits. The provision of data for the purposes referred to in point 2 (C) of this policy and the consent to its processing are optional. In case consent and  provision is not given, there will be no consequences for the user besides the fact that they will not be subject to the activities referred to in point 2 (C) or will not be subject to the activities at the addresses not provided. Please note that even if the user consents to the processing for the purposes referred to in point 2(C) of this policy, they may revoke the consent given for any reason and object to the activities in question by contacting the data controller.

The provision of data for the purposes referred to in point 2(D) of this policy and the consent to its processing are optional. In case consent and provision is not given, there will be no consequences for the user besides the fact that they will not be subject to the activities referred to in point 2(C). Please note that even if the user consents to the processing for the purposes referred to in point 2(D) of this policy, they may revoke the consent given for any reason and object to the activities in question by contacting the data controller.

4.   Data addressee categories

The data collected and processed may be disclosed to public bodies and post offices (which can see the address for sending any written communications) for the purposes referred to in point 2(A) of this policy.

The data may be disclosed to lawyers or legal consultants, public bodies, judicial bodies, police forces and post offices (which can see the address for sending any written communications) for the purposes referred to in point 2(B) of this policy. For the purposes referred to in point 2(C) of this policy, the data may be disclosed to forwarding agents and post offices, for the dispatch of advertising material.

For the purposes referred to in point 2(D) of this policy, the data will not be disclosed to third parties. illycaffè UK and illycaffè will disclose only the data necessary for the pursuit of the purposes referred to in this policy. The data may be disclosed on behalf of illycaffè UK, each for own role, to all subjects delegated by illycaffè UK [employees in charge of the Program (also external to the Company), employees in charge of public relations (also external to the Company), administrative employees, the IT staff (also external to the Company, who can also carry out system administration duties being appointed as such in this case), consultants (also external to the Company) such as IT technicians who can also carry out system administration duties being appointed as such in this case or legal consultants, interns, website management staff (also external to the Company), marketers (also external to the Company), call center employees (also external to the Company), enveloping and shipping staff (also external to the Company), legal procedures employees (also external to the Company), staff of internal and external data controllers, internal auditor], internal and external data controllers (such as marketing companies, IT outsourcers, enveloping and shipping companies, call center companies, companies that support illycaffè UK in various activities). The data may be disclosed on behalf of illycaffè, each for own role, to all subjects delegated by illycaffè UK [employees in charge of public relations (also external to the Company), administrative employees, the IT staff (also external to the Company, who can also carry out system administration duties being appointed as such in this case), consultants (also external to the Company) such as IT technicians who can also carry out system administration duties being appointed as such in this case or legal consultants, interns, website management staff (also external to the Company), marketers (also external to the Company), call center employees (also external to the Company), enveloping and shipping staff (also external to the Company), legal procedures employees (also external to the Company), staff of internal and external data controllers, internal auditor], internal and external data controllers (such as marketing companies, IT outsourcers, enveloping and shipping companies, call center companies). The full list of data processors is available upon request to the illycaffè UK and illycaffè (by contacting them at the addresses indicated in point 6).

5.   Data retention

The data will be retained for the whole period necessary for the purposes stated in this policy. The data retention period is as follows:

-       for legal obligations, regulations and EU legislation, the data may be kept for the terms provided for by each regulatory source;

-       for the purposes referred to in point 2(A) of this policy, the data may be kept for the terms established by law or up to the withdrawal of the Member from the ILLY LOVERS program without prejudice to the retention in accordance with the law;

-       for the purposes referred to in point 2(C) of this policy, the data may be kept until the withdrawal of consent or the request for cancellation without prejudice to retention to demonstrate the consent previously given as provided for by law;

-       for the purposes referred to in point 2(D) of this policy, the data may be kept until the withdrawal of the consent or the request for cancellation or for a maximum of 12 months from the registration, except for real anonymization which does not allow, even indirectly or crossing the information with other databases, to identify the data subjects;

in any case, all data can be kept for a period necessary to assert or defend a company right based English, Italian and European regulations.

6.   Data Controller and Data Protection Officer

The data controller for the purposes indicated to the point 2(A), 2(B)  is illycaffè UK Limited a company duly incorporated and validly existing under the laws of England & Wales, whose registered office is at Unit 7 – 8 Osyth Close Brackmills Northampton NN4 7DY, Ph: +44(0)1604 821234, e-mail sales.uk@illy.com.. The data controller for the purposes indicated to the point 2 (B), 2 (C), 2(D)  is illycaffè S.p.A. with headquarters in via Flavia 110, Trieste, phone +39  0403890111, fax +39 0403890490, e-mail infoprivacy@illy.com. There is also a Data Protection Officer available at the e-mail dpo@illy.com and at the Company’s addresses.

7.   Rights

We inform you that the GDPR allows the data subject to request to the Data Controller (at the contacts mentioned above) full access to personal data and its correction, cancellation or limitation of the processing and to object to the processing, in addition to exercising the right to data portability, as well as other rights provided for by Chapter 3 of the GDPR, including that of revoking consent, where envisaged: the revocation of consent does not affect the lawfulness of the processing based on the consent given before the revocation.

8.   Complaints

The data subject can always lodge a complaint with the British Supervisory Authority whose references can be found on the website https://ico.org.uk/ and with the Italian Data protection Authority whose references can be found on the website www.garanteprivacy.it.

9.   Profiling

The processing of data for the purposes referred to in point 2(D) of this policy can be considered as targeting. The profiling is based on consumers data in order to better understand their consumption habits and direct their purchases with targeted communications and to create a customer experience. The data are extracted and processed through software that creates a consumption target consisting in the indication of the actions carried out (e.g. participation in an event or program, purchase of certain products, filling out questionnaires) and on the analysis of certain characteristics that help define the customer category (e.g. age). However, this kind of processing does not constitute a particular risk to users’ privacy considering the type of basic targeting, that does not require data of a particularly delicate nature or that allows the detailed reconstruction of particularly reserved aspects of private life. Also, no legal effects are produced as a consequence of targeting that may affect the data subject and no decision is made on the basis of automated processing which is used only to create promotional messages in line with the tastes and habits of the user. Furthermore, the employees in charge of communication always filter out personal data when sending promotional content to the defined groups. The data subject always has the right to ask for human intervention, to express his opinion, to receive an explanation of the decision made and to contest the decision.

10.          Processing procedures

We inform you that such data will be processed and stored by illycaffè UK and illycaffè manually, on paper, computerized or telematic systems. Protection systems are in force to ensure confidentiality. All data will be stored and processed confidentially in compliance with all applicable regulations (in particular, the principles of correctness, lawfulness, transparency, and protection of confidentiality and rights) and strictly for the purposes referred to in this policy. The data will undergo only the operations necessary for the purposes referred to in this policy. The data will be stored by the data processors appointed by illycaffè UK and illycaffè as well as the third parties to whom the data is transmitted in compliance with this policy. The data may also be organized in databases (also electronic ones).

Policy updated on 09/30/2020.