Privacy policy pursuant to Regulation (EU) 2016/679 (GDPR) and national legislation in force in Italy (D.Lgs.196/03)
1. General information
We hereby inform you that, for the purposes indicated below, we, as 'illycaffè S.p.A. (data controller, hereinafter also referred to as the "Company" or "illycaffè" for the sake of brevity), will process the personal data that you have provided to us in the form or following the provision of the form. Only the data necessary for the purposes stated in this information note will be requested and processed.
2. Purposes and legal basis
We may process data for the following purposes:
A. in order to allow you to create an illycaffè account (My account) that allows you to access, with the same identification data, specific services, reserved areas and/or specific functions (dedicated to My account holders) of our websites and applications and those of our subsidiaries, as well as to access a restricted area to view and manage your relationship with us and our subsidiaries and thus, for example, to view purchases, manage shipping addresses, manage data processing authorisations, view initiatives or sections in which the My Account holder is registered, update data, upload a profile photo that will not be visible to other users, etc. Our subsidiaries that provide products or services that are also accessible through My Account may access your My account data if you enter into contractual relations with them (e.g. make purchases or subscribe to or activate services provided by a subsidiary). The list of the subsidiaries that access My Account (independent data controllers for the activities they carry out) is available by contacting us at the addresses indicated in point 6 of the policy. The legal basis for processing is consent. You may at any time request the deletion of your account;
B. to carry out advertising communications/information on our and our partners’ products-services-initiatives and to make market research and/or interviews for the evaluation of our product-services, all from us to the addresses that you provided in the form or other contact details provided later (please note that the sending of SMS/MMS and e-mail will also be in electronically with the help of automated tools). Communications may also take place via push notifications if explicitly accepted. The consent can will be possibly requested at further stage also on the registration pages of affiliates companies . The activities in this point will not be carried out without your consent. The processing is based on the following legal basis: consent;
C. in order to create, on the basis of the information in our possession about you, a your profile (profiling) including the study of your consumption habits and choices derived also from the analysis of your product choices, aimed at carrying out specific marketing, promotion, direct sales and commercial communications activities by us, in accordance with the your specific needs that emerge from the profiling and also aimed at analysing the choices and consumption habits of illycaffè product customers to improve business development. Processing for this purpose will also take place in databases in automated form. We will be able to create both a profile of the individual user and of homogeneous classes of users. We may also combine and compare data from different databases of our partners (associated, subsidiary and parent companies of illycaffè S.p.A. resident in the European Union and associated, subsidiary and parent companies of the illy S.p.A. Group resident in the European Union). See also point 9 of the privacy policy. We will carry out marketing, promotion, commercial communication and direct sales activities only if you have consented to such processing.The processing is based on the following legal basis: consent. If you do not consent to the processing of your data for this purpose but authorise the use of profiling cookies in the appropriate section of the site, you may still be subject to the activities carried out by means of such cookies;
D. to be compliant with the requirements pursuant to the legislation in force, regulations or EU regulations. The processing is based on the following legal bases: the fulfillment of legal obligations;
E. for legitimate interests such as to assert or defend the rights of the Company. The processing is based on the following legal bases: the pursuit of legitimate interests.
3. Mandatory nature of the provision
The provision of the data required for the purposes set out in point 2(A) is optional, however, without providing this data, you will not be able to create a My Account and access its benefits. Consent (which you can always withdraw by contacting us at the addresses indicated in point 6) for the purposes indicated in point 2(A) is optional. However, without consent, you will not be able to create or maintain a My Account and access its benefits. We inform you that by clicking the flag in the box concerning the request to create an account, you consent to processing for this purpose.
Provision of data for the purposes described point 2(B) of this privacy policy and the relative consent (which you can always withdraw, thus opposing the processing of your data for these purposes, by contacting us at the addresses indicated in point 6) are not mandatory; failure to provide such data and the consent will have not consequences, except that you will not be subject to the activities indicated in the point on our part or you will not be subject to the addresses you have not provided. We inform you that, by clicking the flag in the box concerning the request to carry out what is indicated in point 2 (B), you consent to the processing for the purposes indicated in that point.
Provision of data for the purposes described point 2(C) of this privacy policy and the relative consent (which you can always withdraw, thus opposing the processing of your data for these purposes, by contacting us at the addresses indicated in point 6) are not mandatory; failure to provide such data and the consent will have not consequences, except that you will not be subject to the activities indicated in the point on our part or will not be subject to the addresses not provided. We inform you that, by clicking the flag in the box concerning the request to carry out what is indicated in point 2 (C), you consent to the processing for the purposes indicated in that point.
The provision of the data requested for the purposes of points 2(D) and 2(E) is necessary and, consequently, a possible refusal to provide them, in whole or in part, may result in the impossibility of creating or maintaining a My account and/or being subject to the activities indicated in this information notice.
4. Data addressee categories
We will not communicate the data to third parties, for the purposes indicated in point 2(A), above except for specific services, for which you will be subject to specific conditions and for which you will be asked for explicit consent where necessary, and except for access to the data by the subsidiaries as indicated in point 2(A).
For the purposes indicated in point 2(B), we may communicate the data to the postal service/ express couriers (as the address is visible when sending any written material), in case of sending paper communications.
For the purposes indicated in point 2(C), we will not communicate the data to third parties.
For the purposes of point 2(D) of this privacy policy, we may communicate the data to public authorities, the judiciary, the police.
For the purposes of point 2(E) of this privacy policy, we may communicate the data to lawyers, solicitors, public authorities, the judiciary, the police, the post office (as the address is visible when sending any written material).
We will only communicate data that is indispensable for the purposes indicated in this policy privacy
The data may also be disclosed on our behalf, each for his or her role, to all subjects delegated by us to process the personal data data, (legal affairs officers, including those external to the Company, marketing officers, including those external to the Company, site management officers, including those external to the Company, consultants, including those external to the Company -e.g. legal consultants, IT technicians who may sometimes also perform the duties of system administrator and are in this case appointed system administrators, quality and website management officers-, information systems officers, who may sometimes also perform the duties of system administrators and are in this case appointed system administrators, public relations employees, including those from outside the Company, shipping and envelope employees, including those from outside the Company, internal auditors, interns, employees of data processors) in addition to the data processors also delegated by us, such as, for example, enveloping and shipping companies, IT outsourcing companies, marketing consulting companies and, more generally, consultancy companies/firms that perform activities instrumental to those of illycaffè, such as, for example, legal and communications consultancy companies/firms. You can always ask us for the list of data processors by contacting us at the addresses given in point 6.
5. Data retention
We will be conserved the personal data for the entire period necessary for the pursuit of the purposes indicated in this policy privacy. The data retention period is as follows:
- for legal obligations, regulations and community regulations, for the periods imposed by these regulatory sources;
- for the purposes described in point 2(A), until the withdrawal of consent or request for cancellation of dta or My account without prejudice to retention for evidential purposes for the period provided for by law;
- for the purposes indicated in point 2(B) until consent is revoked or the request for cancellation is made, without prejudice to retention for evidential purposes for the period provided for by law;
- for the purposes referred to in point 2(C) until revocation of the consent/request for deletion or for a maximum of 12 months from their registration, without prejudice to their actual transformation into an anonymous form which does not allow, even indirectly or by linking other databases, the identification of the data subjects;
in any case, all data may be conserved for a period necessary to assert or defend a company right according to Italian and European regulations.
6. Data Controller and Data Protection Officer
The Data Controller is illycaffè S.p.A., having its registered office in via Flavia 110, Trieste, phone number +39.040.3890.111, fax number +39.040.3890.490, e-mail: infoprivacy@illy.com. There is also a Data Protection Officer available at the email address dpo@illy.com and at the addresses of the Company.
7. Rights
Please note that the GDPR provides that you may request (by contacting us at the contact details set out in point 6) access to and rectification of your personal data, erasure of your data or limitation of the processing concerning you, data portability; you may also have the opportunity, again by contacting us, to oppose the processing of your data and to exercise the other rights contained in Chapter 3 Section 1 of the GDPR, including the right to withdraw consent, where applicable: the withdrawal of consent shall not affect the lawfulness of the processing based on the consent given before the withdrawal.
8. Complaints
If you consider that the processing of your personal data is in violation of the GDPR and Nationals privacy regulations, you can always address a complaint to the Italian Data Protection Authority whose contacts are available on the website www.garanteprivacy.it.
9. Logic used for profiling
The profiling referred to in point 2(C) takes place on our part through the analysis, also in an automated manner, of your data and your characteristics (for example, age, geographical area, sex, adhesion to an event, adhesion to particular initiatives, purchase of certain products, completion of questionnaires, actions carried out during navigation on our websites if you have accepted the profiling cookies on our websites). We then create a consumer profile that is also included in specific groups (clusters). Profiling has the purposes indicated in point 2(C); such processing, however, does not represent a particular risk for you, given the type of basic profiling that does not require data of a particularly sensitive nature or that would allow the detailed reconstruction of particularly confidential aspects of your private life. You will always have the right to obtain human intervention, to express your opinion, to obtain an explanation of the decision made and to contest the decision.
10. Processing procedures
Data may be processed on paper, manually, with IT and electronic means (therefore, illycaffè may file data both on paper and IT support). We have implemented safety measures to prevent any data loss, illegal use of data, misuse or unauthorised access. We will conserve and process the personal data, in compliance with its confidentiality requirements and with the applicable local provisions (i.e. in compliance with the principles of fairness, lawfulness, transparency, and protection of the confidentiality and the rights of those concerned) strictly in line with the aims set forth in this privacy policy. We will process personal data exclusively to achieve the aims described in this privacy policy. Data will be filed at illycaffè S.p.A. offices in Europe and at the appointed data processors (as well as third parties who receive data as independent data controllers as described in point 4 of this privacy policy). Data will be entered in databases, including IT databases.
11. Transfer of data outside the European Union
11.1 In case of access to the services offered by illy caffè North America INC, illycaffè UK Ltd and illycaffè Sud America Comercio, Exportação e Importação Ltda, the data in My account may be viewed remotely also by these companies (for the purposes indicated in point 2(A) and therefore by non-EU countries (USA, Brazil and United Kingdom). All this will take place either because it is necessary for the conclusion or performance of a contract entered into between the data controller and another natural or legal person in favour of the data subject, or on the basis of standard contractual clauses indicated by the European Commission and/or the competent supervisory authority and provided for by the GDPR (art. 46, par. 2, lett. c) to guarantee the transfer (a copy of which is available by contacting us at the addresses indicated in point 6) where in the countries indicated there is no specific adequacy decision for which the non-EU state is deemed to provide the same guarantees provided by European law.
11.2 Moreover, only for technical assistance needs, the data may be sent to companies operating outside the European Union that are specifically appointed as data processors, undertaking to comply with all the requirements of European legislation, including by signing the appropriate Contractual Clauses indicated by the European Commission and/or the competent supervisory authority and provided for by the GDPR (art. 46, par. 2, lett. c), (a copy of which is available by contacting us at the addresses indicated in point 6) where in the countries indicated there is no specific adequacy decision for which the non-EU state is deemed to provide the same guarantees provided by European law.; the data are only a copy of those contained in the European servers and a copy of the same can therefore always be found at illycaffè S.p.A.
Privacy policy updated to 1st of August 2022. This update is part of a policy of constant revision of the information. The versions of the previous disclosures can be obtained by contacting the Data Controller (e-mail infoprivacy@illy.com).