1. General information
We hereby inform you that, for the purposes indicated below, we, as 'illycaffè S.p.A. (data controller, hereinafter also referred to as the "Company" or "illycaffè" for the sake of brevity), will process the personal data that you have provided to us in the form or following the provision of the form. Only the data necessary for the purposes stated in this information note will be requested and processed.
2. Purposes and legal basis
We may process data for the following purposes:
A. in ORDER TO CARRY OUT MARKETING COMMUNICATIONS informing you about products, services, promotions and initiatives (including discounts dedicated to our users) regarding the illy brand and the brands whose products are sold on illycaffè websites and apps, to the e-mail address you have indicated in the form (please note that e-mails may also be sent electronically with the help of automated tools). Communications may also take place through push notifications of the illy app, if activated by you. The processing has consent as its legal basis;
B. to BE COMPLIANT WITH THE REQUIREMENTS PURSUANT TO THE LEGISLATION IN FORCE, REGULATIONS OR EU REGULATIONS. The processing is based on the following legal bases: the fulfillment of legal obligations;
C. for legitimate interests such as to ASSERT OR DEFEND THE RIGHTS OF THE COMPANY. The processing is based on the following legal bases: the pursuit of legitimate interests; in considering these legitimate interests, it was analysed that they do not compromise or interfere with the interests or fundamental rights and freedoms of the data subject (the legitimate interest was assessed on the basis of a Triple Test available by contacting the Company).
3. Mandatory nature of the provision
Provision of data for the purposes described point 2(A) and the relative consent (which you can always withdraw, thus opposing the processing of your data for these purposes, by contacting us at the addresses indicated in point 6) are not mandatory; failure to provide such data and the consent will have not consequences, except that you will not be subject to the activities indicated in the point.
The provision of the data requested for the purposes of points 2(D) and 2(E) is necessary and, consequently, a possible refusal to provide them, in whole or in part, will result in the impossibility, for you, to being subject to the activities indicated in the point 2(A).
4. Data addressee categories
For the purposes indicated in point 2(A), we will not communicate the data to third parties.
We will only communicate data that is indispensable for the purposes indicated in this policy privacy.
The data may also be disclosed on our behalf, each for his or her role, to all subjects delegated by us to process the personal data data, (legal and privacy affairs officers, including those external to the Company, marketing officers, including those external to the Company, site management officers, including those external to the Company, consultants, including those external to the Company -e.g. legal consultants, IT technicians who may sometimes also perform the duties of system administrator and are in this case appointed system administrators, quality and website management officers-, information systems officers, who may sometimes also perform the duties of system administrators and are in this case appointed system administrators, public relations employees, including those from outside the Company, shipping and envelope employees, including those from outside the Company, internal auditors, interns, employees of data processors) in addition to the data processors also delegated by us, such as, for example, enveloping and shipping companies, IT outsourcing companies, marketing consulting companies and, more generally, consultancy companies/firms that perform activities instrumental to those of illycaffè, such as, for example, legal and communications consultancy companies/firms. You can always ask us for the list of data processors by contacting us at the addresses given in point 6.
5. Data retention
We will be conserved the personal data for the entire period necessary for the pursuit of the purposes indicated in this policy privacy. The data retention period is as follows:
- for legal obligations, regulations and community regulations, for the periods imposed by these regulatory sources;
- for the purposes indicated in point 2(A), until you revoke your consent and/or request the deletion of your data (which you may do at any time, including by e-mail to email@example.com) without prejudice to retention for evidential purposes for the purposes indicated in point 2(B) and 2(C); by 31 December of the second year following the year of registration, you will in any case be sent a communication to understand whether you are still interested in being subject to the activities referred to in paragraph 2(A) and therefore to the retention of data by us for the purposes indicated in that paragraph and if such interest ceases, the data will be deleted without prejudice to the retention for the purposes indicated in point 2(B) and 2(C). If, on the other hand, there is still your interest in being subject to the activities referred to in point 2(A) and therefore to the retention of the data by us for the purposes indicated in that point, by 31 December of the second year from the communication, you will be sent a further communication of the same nature and so on until your interest remains;
In any case, all data may be retained for a period necessary to assert or defend a right of the company under Italian civil and criminal law, and therefore for a maximum of 10 years from the termination of the relationship, except in the event of litigation or disputes that require a further retention period an with the reservation of further storage if required by the local regulations applicable to the persons concerned.
6. Data Controller and Data Protection Officer
The Data Controller is illycaffè S.p.A., having its registered office in via Flavia 110, Trieste, phone number +39.040.3890.111, fax number +39.040.3890.490, e-mail: firstname.lastname@example.org. There is also a Data Protection Officer available at the email address email@example.com and at the addresses of the Company.
Please note that the GDPR provides that you may request (by contacting us at the contact details set out in point 6) access to and rectification of your personal data, erasure of your data or limitation of the processing concerning you, data portability; you may also have the opportunity, again by contacting us, to oppose the processing of your data and to exercise the other rights contained in Chapter 3 Section 1 of the GDPR, including the right to withdraw consent, where applicable: the withdrawal of consent shall not affect the lawfulness of the processing based on the consent given before the withdrawal.
If you believe that the processing of your data is in breach of the provisions of the GDPR, you have the right to lodge a complaint with the Italian Supervisory Authority (whose contact details can be found at www.garanteprivacy.it), as provided for in Article 77 of the GDPR, or to take appropriate legal action (Article 79 of the GDPR).
You may also contact the Supervisory Authority of the state in which you normally reside or work.
The list of supervisory authorities can be found at www.garanteprivacy.it/home/footer/link. The Supervisory Authority can be contacted at the contact indicated on the website www.ico.org.uk
9. Processing procedures
10. Transfer of data outside the European Union
The data may be disclosed and therefore transferred outside the European Union to IT companies that provide IT services on behalf of the Company, which are specifically appointed as data processors These parties undertake to comply with all the requirements of European legislation, including by signing the appropriate Contractual Clauses indicated by the European Commission and/or the competent supervisory authority and provided for by the GDPR (art. 46, par. 2, lett. c) (a copy of which is available by contacting us at the contact details indicated in point 6), where in the countries indicated there is no specific adequacy decision for which the non-EU state is deemed to provide the same guarantees provided for by European law; in any case, all the guarantees provided for by law are adopted. The list of subjects, and therefore of the states to which the data could be transferred, can be found by contacting the Company at the addresses given in point 6.