Privacy policy pursuant to national legislation in force in UK (Data Protection Act 2018 and Uk GDPR)

1.    General information
We hereby inform you that, as illycaffè Uk Limited (hereinafter also referred to as "the Company" or "illycaffè", Data Controller) will process your data (provided by you and/or obtained by elaboration by the Company) as specified below. The data can also be found in the "My Account" section of illycaffè S.p.A. (as indicated in the specific information note on "My Account"). If you purchase as the legal representative of a company/company/entity, we will indicate the company/company/entity that you represent (which will in fact be the entity that will purchase) and your data will be processed by us only to identify you as the legal representative and for the purposes referred to in point 2 letter A, B, C. If you wish to save your data in your "My Account" by clicking on the "add to address book" button, you will be able to use them in the future without having to re-enter them. Please note that you only have to enter your own data (except as specified in point 3(e) below) and/or the data of the company/body/company you represent.

2.    Purposes and legal basis
illycaffè UK may process data for the following purposes:
A.    in order for you to subscribe to the Subscription in accordance with the General Terms and Conditions, enabling you to purchase the products you have chosen for the Subscription and thus for all administrative, accounting and contractual fulfilments. The processing is based on the following legal basis: necessity for the performance of contractual obligations;
B.    to be compliant with the requirements pursuant to the legislation in force, regulations or EU regulations. The processing is based on the following legal bases: the fulfillment of legal obligations;
C.    for legitimate interests such as to assert or defend the rights of the Company. The processing is based on the following legal bases: the pursuit of legitimate interests. when considering these legitimate interests, it was analysed that they do not compromise or interfere with the interests or fundamental rights and freedoms of the data subject (the legitimate interest was assessed on the basis of a Triple Test available by contacting the Company);
D.    in order to ensure, through the monitoring of transactions by the outsourcer Signifyd inc (www.signifyd.com/privacy/), maximum anti-fraud security and thus for our legitimate interests of prevent fraud and unlawful orders. The processing is based on the following legal basis: pursuit of legitimate interests; when considering these legitimate interests, it was analysed that they do not compromise or interfere with the interests or fundamental rights and freedoms of the data subject (the legitimate interest was assessed on the basis of a Triple Test available by contacting the Company).

3.    Mandatory provision of data
a)    The provision of the data indicated in the form as obligatory (those marked with an asterisk) and the indication of the product to be purchased and the method of payment, are necessary for the purposes of point 2(A) and therefore the refusal to provide this information, in whole or in part, may make it impossible for us to execute the contract and therefore to allow you to purchase illycaffè uk products. With regard to shipping data, if different from billing data, see point 3(E). As regards other data contained in the optional fields, see also what is reported below. Unless otherwise specified, the data in the optional fields may be provided on a voluntary basis and failure to provide such data will have no consequence other than not being able to use such data (which may still be useful for the purposes in question).
b)    The provision of the data requested for the purposes indicated in point 2(B) ((for which the provision of data is required as an obligation if provided for as such by law) and 2(C) is necessary and failure to provide such data will make it impossible to execute the purchase contract.
c)    As far as credit card information, your provision is optional and failure to make it impossible to pay by credit card.
d)    The provision of requested data in case of invoice request (such as that of the VAT and the company name) is optional, but failure to make it impossible to invoice with the data given, if required.
e)    The provision of data relating to alternative addresses to which to send the products, is optional, but failure to provide the data marked with an asterisk, will make it impossible to send the material to the address indicated. Please note that for these particular activities, you are obliged, under your own responsibility, to obtain the consent of the person whose data you indicate, to send the products to his/her address. In addition, for these activities you are obliged to inform the person whose details you provide that he or she will provide us with the details so that we can process them (through the persons in charge and data processors indicated who must have process of them in order to carry out the tasks assigned to them) in order to send the product to the address indicated, and also to inform him or her that we will provide him or her with specific information on data processing. You must also inform the person indicated that we may communicate the data to carriers and forwarding agents and that the provision of the data is optional and failure to provide it will make it impossible to send the products to the address indicated. You are obliged to obtain the consent  of the person whose data you are communicating to illycaffè, to the communication of the data to illycaffè and to their processing (and therefore registration in illycaffè databases) by illycaffè itself for the purposes indicated in this point. Your data will then also be known by those who receive the goods
f)    the provision of data for the purposes set out in point 2 (D) is necessary and failure to provide such data will result in the impossibility of executing the contract and therefore of allowing you to purchase illycaffè products.

4.    Data addressee categories
The data may be communicated by us for the purposes indicated in point 2(A) (communicating only the data that is necessary for the pursuit of such purposes) to: banks for the payments due, carriers and forwarding agents, post offices, distributors, companies to which the contracts may be transferred in accordance with the provisions of the purchase contract (in this case, in fact, with the transfer of the contract, there will also be the transfer of the data relating to the contract and its execution and management), lawyers and legal consultants, auditing companies where they have not been appointed as data processors, public bodies.
For the purposes indicated in point 2(B), the data may be communicated (communicating only the data that are necessary for the pursuit of such purposes) to judicial authorities, tax police and public security authorities and to public bodies if there is an obligation to do so.
For the purposes referred to in point 2(C), the data may be communicated (communicating only such data as may be necessary for the pursuit of such purposes) to judicial authorities, tax police and public security authorities and to public bodies where there is an obligation to do so, as well as to law firms and legal advisers and to the postal service (which may see the address for sending any written communications).
For the purposes set out in point 2(D), transaction data (name, surname, contact details, date and time of purchase, type of product, price, payment method) may be communicated to Signifyd inc, the company managing the anti-fraud system.
Only the data necessary for the pursuit of the individual purposes indicated will be communicated.
The data may also be disclosed on our behalf, each for his or her role, to all persons delegated by us (administrative staff, shipping and enveloping staff, including those external to the Company, marketing and site management staff, including those external to the Company, computer technicians responsible for managing information systems, public relations staff, legal staff, members of the Board of Directors and of the Board of Auditors, internal auditors, stagiaires, freelancers and consultants-contractors also external to the Company who act under the direct responsibility of the Company, such as, for example, IT technicians , quality consultants, legal consultants and auditors, collaborators of the data processors) and the data processors (e.g.  companies-professionals-studies that carry out activities that are instrumental to those of illycaffè S.p.A., such as, for example, marketing activities, mailing and enveloping activities or call centres, auditing activities and management of relations with the public, IT outsourcing companies, including those resident in other countries, companies that collaborate in the management of the illycaffè Uk organisation) appointed by us. The list of those data processors is always available by contacting us at the addresses indicated in point 6.

5.    Data retention
We will be conserved the personal data for the entire period necessary for the pursuit of the purposes indicated in this policy privacy. The data retention period is as follows:
-    for legal obligations, regulations and community regulations, data may be retained for the periods imposed by these regulatory sources;
-    for contractual purposes until the end of the relationship and even after the end of it for the period determined by British laws, including in tax matters;
-    for the purposes indicated under 2(D) until the conclusion of the order and, if necessary, for a period necessary to assert or defend a right of the company under applicable law
in any case, all data may be retained for a period necessary to assert or defend a company right according to British and European regulations.

6.    Data Controller
The Data Controller is llycaffè UK Limited a company duly incorporated and validly existing under the laws of England & Wales, whose registered office is at Unit 7 – 8 Osyth Close Brackmills Northampton NN4 7DY, Ph: +44(0)1604 821234, e-mail sales.uk@illy.com.
The offer is not specifically addressed to persons in the European Union.
However, as a precautionary measure, the company has appointed illycaffè S.p.A. with registered office in via Flavia 110 Trieste, as the Data Controller's Representative in the European territory for subjects located in the European Union.

7.    Rights
Please note that the GDPR Uk provides that you may request (by contacting us at the contact details set out in point 6) access to and rectification of your personal data, erasure of your data or limitation of the processing concerning you, data portability; you may also have the opportunity, again by contacting us, to oppose the processing of your data and to exercise the other rights contained in Chapter 3 Section 1 of the GDPR UK, including the right to withdraw consent, where applicable: the withdrawal of consent shall not affect the lawfulness of the processing based on the consent given before the withdrawal.

8.    Complaints
If you believe that the processing of your data is in violation of the provisions of the GDPR, you have the right to lodge a complaint with the Uk Data Protection Authority (whose contact details can be found at https://ico.org.uk/), as provided for in Article 77 of the Uk GDPR, or to take appropriate legal action (Article 79 of the Uk GDPR).  
In addition, he/she may also appeal to the Supervisory Authority of the state in which he/she normally resides or works or, for persons in the European Union, also to the italian authority  (whose contact details can be found at www.garanteprivacy.it).

9.    Processing procedures
Data may be processed on paper, manually, with IT and electronic means (therefore, illycaffè UK may file data both on paper and IT support). illycaffè UK has implemented safety measures to prevent any data loss, illegal use of data, misuse or unauthorised access. Data will be retained and processed by illycaffè UK in compliance with its confidentiality requirements and with the applicable local provisions (i.e. in compliance with the principles of fairness, lawfulness, transparency, and protection of the confidentiality and the rights of those concerned) strictly in line with the aims set forth in this privacy policy. Data will be processed by illycaffè UK exclusively to achieve the aims described in this privacy policy. Data will be filed at illycaffè UK offices and at the appointed data processors (as well as third parties who receive data as independent data controllers as described in point 4 of this privacy policy). Data will be entered in databases, including IT databases.

10.    Transfer of data outside the UK
The data may be known and therefore transferred outside the European Union to IT companies providing IT services on behalf of the Company that are specifically appointed as data processors or autonomous data controllers (e.g. Signifyd inc). These parties undertake to comply with all the requirements of Uk legislation, also by signing the appropriate Contractual Clauses and provided for by the Uk GDPR (Art. 46, par. 2, lett. c), a copy of which is available by contacting us at the contact details indicated in point 6, where in the countries indicated there is not a specific adequacy decision for which the non-EU state is deemed to provide the same guarantees provided by Uk law;
The data are also transferred to the European Community, which offers the same guarantees provided by the GDPR UK GDPR.
All the guarantees provided by law are adopted. The list of the subjects and therefore of the countries to which the data could be transferred can be found by contacting the Company at the addresses given in point 6.

Privacy policy updated to 25/01/2023. This update is part of a policy of constant revision of the information. The versions of the previous disclosures can be obtained by contacting the Data Controller (e-mail sales.uk@illy.com)