Privacy policy pursuant to national legislation in force in UK (Data Protection Act 2018 and Uk GDPR)
1. General information
We hereby inform you that, as illycaffè Uk Limited (hereinafter also referred to as "the Company" or "illycaffè", Data Controller) will process your data (provided by you and/or obtained by elaboration by the Company) as specified below. The data can also be found in the "My Account" section of illycaffè S.p.A. (as indicated in the specific information note on "My Account"). If you purchase as the legal representative of a company/company/entity, we will indicate the company/company/entity that you represent (which will in fact be the entity that will purchase) and your data will be processed by us only to identify you as the legal representative and for the purposes referred to in point 2 letter A, B, C. If you wish to save your data in your "My Account" by clicking on the "add to address book" button, you will be able to use them in the future without having to re-enter them. Please note that you only have to enter your own data (except as specified in point 3(e) below) and/or the data of the company/body/company you represent.
2. Purposes and legal basis
illycaffè UK may process data for the following purposes:
A. to fulfill obligations arising from the purchase contract, and therefore also for administrative-accounting purposes and for the order management. About the credit card information is you also refer to the contents of the payment section of the site; the processing is based on the following legal basis: need for the performance of a contract;
B. to be compliant with the requirements pursuant to the legislation in force, regulations or EU regulations. The processing is based on the following legal bases: the fulfillment of legal obligations;
C. for legitimate interests such as to assert or defend the rights of the Company. The processing is based on the following legal bases: the pursuit of legitimate interests.
D. in order to ensure, through the monitoring of transactions by the outsourcer Signifyd inc (www.signifyd.com/privacy/), maximum anti-fraud security and thus for our legitimate interests of prevent fraud and unlawful orders. The processing is based on the following legal basis: pursuit of legitimate interests;
3. Mandatory provision of data
a) The provision of the data indicated in the form as obligatory (those marked with an asterisk) and the indication of the product to be purchased and the method of payment, are necessary for the purposes of point 2(A) and therefore the refusal to provide this information, in whole or in part, may make it impossible for us to execute the contract and therefore to allow you to purchase illycaffè uk products. With regard to shipping data, if different from billing data, see point 3(E). As regards other data contained in the optional fields, see also what is reported below. Unless otherwise specified, the data in the optional fields may be provided on a voluntary basis and failure to provide such data will have no consequence other than not being able to use such data (which may still be useful for the purposes in question).
b) The provision of the data requested for the purposes indicated in point 2(B) ((for which the provision of data is required as an obligation if provided for as such by law) and 2(C) is necessary and failure to provide such data will make it impossible to execute the purchase contract.
c) As far as credit card information, your provision is optional and failure to make it impossible to pay by credit card.
d) The provision of requested data in case of invoice request (such as that of the VAT and the company name) is optional, but failure to make it impossible to invoice with the data given, if required.
e) The provision of data relating to alternative addresses to which to send the products and/or to the person to be given a gift, is optional, but failure to provide the data marked with an asterisk, will make it impossible to send the material to the address indicated and/or indicate the person indicated as the gift recipient. Please note that for these particular activities, you are obliged, under your own responsibility, to obtain the consent of the person whose data you indicate, to send the products to his/her address and/or to indicate him/her as the recipient of the gift. In addition, for these activities you are obliged to inform the person whose details you provide that he or she will provide us with the details so that we can process them (through the persons in charge and data processors indicated who must have process of them in order to carry out the tasks assigned to them) in order to send the product to the address indicated and/or indicate him/her as the gift recipient, and also to inform him or her that we will provide him or her with specific information on data processing. You must also inform the person indicated that we may communicate the data to carriers and forwarding agents and that the provision of the data is optional and failure to provide it will make it impossible to send the products to the address indicated and/or to indicate the person as the recipient of the gift. You are obliged to obtain the consent of the person whose data you are communicating to illycaffè, to the communication of the data to illycaffè and to their processing (and therefore registration in illycaffè databases) by illycaffè itself for the purposes indicated in this point. Your data will then also be known by those who receive the goods
f) the provision of data for the purposes set out in point 2 (D) is necessary and failure to provide such data will result in the impossibility of executing the contract and therefore of allowing you to purchase illycaffè products.
4. Data addressee categories
The data may be communicated by us for the purposes indicated in point 2(A) (communicating only the data that is necessary for the pursuit of such purposes) to: banks for the payments due, carriers and forwarding agents, post offices, distributors, companies to which the contracts may be transferred in accordance with the provisions of the purchase contract (in this case, in fact, with the transfer of the contract, there will also be the transfer of the data relating to the contract and its execution and management), lawyers and legal consultants, auditing companies where they have not been appointed as data processors, public bodies.
For the purposes indicated in point 2(B), the data may be communicated (communicating only the data that are necessary for the pursuit of such purposes) to judicial authorities, tax police and public security authorities and to public bodies if there is an obligation to do so.
For the purposes referred to in point 2(C), the data may be communicated (communicating only such data as may be necessary for the pursuit of such purposes) to judicial authorities, tax police and public security authorities and to public bodies where there is an obligation to do so, as well as to law firms and legal advisers and to the postal service (which may see the address for sending any written communications).
For the purposes set out in point 2(D), transaction data (name, surname, contact details, date and time of purchase, type of product, price, payment method) may be communicated to Signifyd inc, the company managing the anti-fraud system.
Only the data necessary for the pursuit of the individual purposes indicated will be communicated.
The data may also be disclosed on our behalf, each for his or her role, to all persons delegated by us (administrative staff, shipping and enveloping staff, including those external to the Company, marketing and site management staff, including those external to the Company, computer technicians responsible for managing information systems, public relations staff, legal staff, members of the Board of Directors and of the Board of Auditors, internal auditors, stagiaires, freelancers and consultants-contractors also external to the Company who act under the direct responsibility of the Company, such as, for example, IT technicians , quality consultants, legal consultants and auditors, collaborators of the data processors) and the data processors (e.g. companies-professionals-studies that carry out activities that are instrumental to those of illycaffè S.p.A., such as, for example, marketing activities, mailing and enveloping activities or call centres, auditing activities and management of relations with the public, IT outsourcing companies, including those resident in other countries, companies that collaborate in the management of the illycaffè Uk organisation) appointed by us. The list of those data processors is always available by contacting us at the addresses indicated in point 6.
5. Data retention
We will be conserved the personal data for the entire period necessary for the pursuit of the purposes indicated in this policy privacy. The data retention period is as follows:
- for legal obligations, regulations and community regulations, data may be retained for the periods imposed by these regulatory sources;
- for contractual purposes until the end of the relationship and even after the end of it for the period determined by British laws, including in tax matters;
- for the purposes indicated under 2(D) until the conclusion of the order and, if necessary, for a period necessary to assert or defend a right of the company under applicable law
in any case, all data may be retained for a period necessary to assert or defend a company right according to British and European regulations.
6. Data Controller
The Data Controller is llycaffè UK Limited a company duly incorporated and validly existing under the laws of England & Wales, whose registered office is at Unit 7 – 8 Osyth Close Brackmills Northampton NN4 7DY, Ph: +44(0)1604 821234, e-mail sales.uk@illy.com.
7. Rights
Please note that the GDPR Uk provides that you may request (by contacting us at the contact details set out in point 6) access to and rectification of your personal data, erasure of your data or limitation of the processing concerning you, data portability; you may also have the opportunity, again by contacting us, to oppose the processing of your data and to exercise the other rights contained in Chapter 3 Section 1 of the GDPR UK, including the right to withdraw consent, where applicable: the withdrawal of consent shall not affect the lawfulness of the processing based on the consent given before the withdrawal
8. Complaints
If you consider that the processing of your personal data is in violation of the GDPR UK and Nationals privacy regulations, you can always address a complaint to the British Supervisory Authority (for illycaffè UK) whose references can be found on the website https://ico.org.uk/.
9. Processing procedures
Data may be processed on paper, manually, with IT and electronic means (therefore, illycaffè UK may file data both on paper and IT support). illycaffè UK has implemented safety measures to prevent any data loss, illegal use of data, misuse or unauthorised access. Data will be retained and processed by illycaffè UK in compliance with its confidentiality requirements and with the applicable local provisions (i.e. in compliance with the principles of fairness, lawfulness, transparency, and protection of the confidentiality and the rights of those concerned) strictly in line with the aims set forth in this privacy policy. Data will be processed by illycaffè UK exclusively to achieve the aims described in this privacy policy. Data will be filed at illycaffè UK offices and at the appointed data processors (as well as third parties who receive data as independent data controllers as described in point 4 of this privacy policy). Data will be entered in databases, including IT databases.
10. Transfer of data outside the UK
Only for technical assistance needs, the data may be sent to companies operating outside the UK that are specifically appointed as data processors or are autonomous data controllers (Signifyd inc), undertaking to comply with all the requirements of European legislation, including by signing the appropriate Contractual Clauses indicated by the European Commission and/or the competent supervisory authority and provided for by the UK GDPR (art. 46), (a copy of which is available by contacting us at the addresses indicated in point 6) where in the countries indicated there is no specific adequacy decision for which the non-UK state is deemed to provide the same guarantees provided by UK law.
Privacy policy updated to 03/11/2022. This update is part of a policy of constant revision of the information. The versions of the previous disclosures can be obtained by contacting the Data Controller (e-mail sales.uk@illy.com)