1. General information
We hereby inform you that, for the purposes indicated below, we, as 'illycaffè S.p.A. (data controller, hereinafter also referred to as the "Company" or "illycaffè" for the sake of brevity), will process the personal data that you have provided to us in the form or following the provision of the form. Only the data necessary for the purposes stated in this information note will be requested and processed.
2. Purposes and legal basis
We may process data for the following purposes:
A. in order to allow you to create an illycaffè account (My account) that allows you to access, with the same identification data, specific services, reserved areas and/or specific functions (dedicated to My account holders) of our websites and applications and those of our subsidiaries, as well as to access a restricted area to view and manage your relationship with us and our subsidiaries and thus, for example, to view purchases, manage shipping addresses, manage data processing authorisations, view initiatives or sections in which the My Account holder is registered, update data, upload a profile photo that will not be visible to other users, etc. Our subsidiaries that provide products or services that are also accessible through My Account may access your My account data if you enter into contractual relations with them (e.g. make purchases or subscribe to or activate services provided by a subsidiary). The list of the subsidiaries that access My Account (independent data controllers for the activities they carry out) is available by contacting us at the addresses indicated in point 6 of the policy. The legal basis for processing is consent. You may at any time request the deletion of your account;
B. to carry out advertising communications/information on our and our partners’ products-services-initiatives and to make market research and/or interviews for the evaluation of our product-services, all from us to the addresses that you provided in the form or other contact details provided later (please note that the sending of SMS/MMS and e-mail will also be in electronically with the help of automated tools); the consent can will be possibly requested at further stage also on the registration pages of affiliates companies . The activities in this point will not be carried out without your consent. The processing is based on the following legal basis: consent;
D. to be compliant with the requirements pursuant to the legislation in force, regulations or EU regulations. The processing is based on the following legal bases: the fulfillment of legal obligations;
E. for legitimate interests such as to assert or defend the rights of the Company. The processing is based on the following legal bases: the pursuit of legitimate interests.
3. Mandatory nature of the provision
The provision of the data required for the purposes set out in point 2(A) is optional, however, without providing this data, you will not be able to create a My Account and access its benefits. Consent (which you can always withdraw by contacting us at the addresses indicated in point 6) for the purposes indicated in point 2(A) is optional. However, without consent, you will not be able to create or maintain a My Account and access its benefits.
The provision of the data requested for the purposes of points 2(D) and 2(E) is necessary and, consequently, a possible refusal to provide them, in whole or in part, may result in the impossibility of creating or maintaining a My account and/or being subject to the activities indicated in this information notice.
4. Data addressee categories
We will not communicate the data to third parties, for the purposes indicated in point 2(A), above except for specific services, for which you will be subject to specific conditions and for which you will be asked for explicit consent where necessary, and except for access to the data by the subsidiaries as indicated in point 2(A).
For the purposes indicated in point 2(B), we may communicate the data to the postal service/ express couriers (as the address is visible when sending any written material), in case of sending paper communications.
For the purposes indicated in point 2(C), we will not communicate the data to third parties.
We will only communicate data that is indispensable for the purposes indicated in this policy privacy
The data may also be disclosed on our behalf, each for his or her role, to all subjects delegated by us to process the personal data, (legal affairs officers, including those external to the Company, marketing officers, including those external to the Company, site management officers, including those external to the Company, consultants, including those external to the Company -e.g. legal consultants, IT technicians who may sometimes also perform the duties of system administrator and are in this case appointed system administrators, quality and website management officers-, information systems officers, who may sometimes also perform the duties of system administrators and are in this case appointed system administrators, public relations employees, including those from outside the Company, shipping and envelope employees, including those from outside the Company, internal auditors, interns, employees of data processors) in addition to the data processors also delegated by us, such as, for example, enveloping and shipping companies, IT outsourcing companies, marketing consulting companies and, more generally, consultancy companies/firms that perform activities instrumental to those of illycaffè, such as, for example, legal and communications consultancy companies/firms. You can always ask us for the list of data processors by contacting us at the addresses given in point 6.
5. Data retention
We will be conserved the personal data for the entire period necessary for the pursuit of the purposes indicated in this policy privacy. The data retention period is as follows:
- for legal obligations, regulations and community regulations, for the periods imposed by these regulatory sources;
- for the purposes described in point 2(A), until the withdrawal of consent or request for cancellation of data or My account without prejudice to retention for evidential purposes for the period provided for by law;
- for the purposes indicated in point 2(B) until consent is revoked or the request for cancellation is made, without prejudice to retention for evidential purposes for the period provided for by law;
- for the purposes referred to in point 2(C) until revocation of the consent/request for deletion or for a maximum of 12 months from their registration, without prejudice to their actual transformation into an anonymous form which does not allow, even indirectly or by linking other databases, the identification of the data subjects;
in any case, all data may be conserved for a period necessary to assert or defend a company right according to Italian and European regulations.
6. Data Controller and Data Protection Officer
The Data Controller is illycaffè S.p.A., having its registered office in via Flavia 110, Trieste, phone number +39.040.3890.111, fax number +39.040.3890.490, e-mail: firstname.lastname@example.org. There is also a Data Protection Officer available at the email address email@example.com and at the addresses of the Company.
Please note that the GDPR provides that you may request (by contacting us at the contact details set out in point 6) access to and rectification of your personal data, erasure of your data or limitation of the processing concerning you, data portability; you may also have the opportunity, again by contacting us, to oppose the processing of your data and to exercise the other rights contained in Chapter 3 Section 1 of the GDPR, including the right to withdraw consent, where applicable: the withdrawal of consent shall not affect the lawfulness of the processing based on the consent given before the withdrawal.
If you consider that the processing of your personal data is in violation of the GDPR and Nationals privacy regulations, you can always address a complaint to the Italian Data Protection Authority whose contacts are available on the website www.garanteprivacy.it.
9. Logic used for profiling
The profiling referred to in point 2(C) takes place on our part through the analysis, also in an automated manner, of your data and your characteristics (for example, age, geographical area, sex, adhesion to an event, adhesion to particular initiatives, purchase of certain products, completion of questionnaires, actions carried out during navigation on our websites if you have accepted the profiling cookies on our websites). We then create a consumer profile that is also included in specific groups (clusters). Profiling has the purposes indicated in point 2(C); such processing, however, does not represent a particular risk for you, given the type of basic profiling that does not require data of a particularly sensitive nature or that would allow the detailed reconstruction of particularly confidential aspects of your private life. You will always have the right to obtain human intervention, to express your opinion, to obtain an explanation of the decision made and to contest the decision.
10. Processing procedures
11. Transfer of data outside the European Union
11.1 In case of access to the services offered by illy caffè North America INC, illycaffè UK Ltd and llycaffè Sud America Comercio, Exportação e Importação Ltda, the data in My account may be viewed remotely also by these companies (for the purposes indicated in point 2(A) and therefore by non-EU countries (USA, Brazil and United Kingdom). All this will take place either because it is necessary for the conclusion or performance of a contract entered into between the data controller and another natural or legal person in favour of the data subject, or on the basis of standard contractual clauses indicated by the European Commission and/or the competent supervisory authority and provided for by the GDPR (art. 46, par. 2, lett. c) to guarantee the transfer (a copy of which is available by contacting us at the addresses indicated in point 6) where in the countries indicated there is no specific adequacy decision for which the non-EU state is deemed to provide the same guarantees provided by European law.
11.2 Moreover, only for technical assistance needs, the data may be sent to companies operating outside the European Community that are specifically appointed as data processors, undertaking to comply with all the requirements of European legislation, including by signing the appropriate Contractual Clauses indicated by the European Commission and/or the competent supervisory authority and provided for by the GDPR (art. 46, par. 2, lett. c), (a copy of which is available by contacting us at the addresses indicated in point 6) where in the countries indicated there is no specific adequacy decision for which the non-EU state is deemed to provide the same guarantees provided by European law.; the data are only a copy of those contained in the European servers and a copy of the same can therefore always be found at illycaffè S.p.A.