Privacy policy pursuant to Regulation (EU) 2016/679 (GDPR) and national legislation in force

1.   General information

illycaffè S.p.A. (hereinafter also referred to as the "Company" or "illycaffè") hereby informs you that it will process the data you have provided in the form or after filling your form for the purposes listed in the following paragraphs. illycaffè may only require and process data which are instrumental to achieve the aims of this privacy policy.

2.   Purposes

illycaffè may process data for the following purposes:

A.   to access and make you enjoy the services of illycaffe websites, including interactive, provided in the Terms of Use and in any Terms of purchase contained in the various sections of the site by logging with the same credentials. In some cases, it may be required to give any further information that will be processed with your consent where required; among the services there is also the Facebook “Custom Audiences” feature (for further information please refer to: https://www.facebook.com/help/381385302004628;

B.   to carry out advertising communications/information on products-services-initiatives of illycaffè and its partners and market research and/or interviews for the evaluation of product-services of illycaffè, all by illycaffè to the addresses that you provided in the form or other contact details provided later (please note that the sending of SMS/MMS and e-mail will also be in electronically with the help of automated tools);

C.   in order to create, based on the information about the user in possession of illycaffè, a user profile (profiling) including the study of habits and consumer choices also deriving from analysis of the choices of products aimed at specific activities of marketing, promotion, direct marketing and business communications by illycaffè S.p.A., in accordance with the user's specific needs emerged from the profiling and also designed to analyze the choices and consumer habits of customers of illycaffè products. The processing for this purpose will also take place in databases in an automated modality. Can be created a profile both individual user and of homogeneous classes of users. In addition, it may also be possible to associate and compare data coming from different databases of illycaffè partners (subsidiaries or affiliates companies of illycaffè S.p.A. resident in the European Union and subsidiaries or affiliates companies of Gruppo illy S.p.A. resident in the Union European). Marketing activities, promotion, commercial communications and direct sales will be conducted only if the user has agreed to the processing for this purpose. Consent and provision of data for this purpose are optional and the user is free to purchase, register without agreeing to the data processing for this purpose. The only consequence of this lack will be that the user will not be subject to the activities indicated in this point;

D.   to be compliant with the requirements pursuant to the legislation in force, regulations or EU regulations and for legitimate interests such as to assert or defend the rights of the Company.

3.   Mandatory nature of the provision

Provision of data for the purposes described in point 2, letter A, of this privacy policy is optional and failure to provide them makes impossible to access and enjoy the services of illycaffè websites (including the impossibility of buying in the shop) with the same credentials. The consent for the purposes described in point 2, letter A, of this privacy policy is always not mandatory, but the lack of it makes impossible to access and possibly enjoy the services of the illycaffè websites (including the impossibility of buying in the shop) with the same credentials.  Provision of data for the purposes described point 2, letter B, of this privacy policy and the relative consent are not mandatory; failure to provide such data and the consent will have not consequences, except that you won’t receive any information (without any consequence on other purposes). Additionally, if you agreed to the data processing for the purposes described in point 2, letter B, of this privacy policy, you may cancel you consent at any time and without having to justify your decision (to unsubscribe) by sending a notice to the Data Controller.

As regards the purposes set out in point 2, letter C of this information, please refer to the same.

Data provision for the purposes described in point 2, letter D, of this privacy policy is necessary; should data not be provided, your request may not be fulfilled and relations may be truncated.

4.   Data recipient categories

Data, collected and processed for the purposes described in point 2, letter A, of this privacy policy will not be disclosed unless provision is made for special services, submitted to specific conditions and for which your explicit consent will be required where necessary. For the purposes indicated in point 2, letter B and C of this information, the data will not be disclosed. For the purposes of point 2, letter D, of this privacy policy, illycaffè may disclose data to lawyers, solicitors, public authorities, the judiciary, the police, the post office (as the address is visible when sending any written material). illycaffè will only disclose data which are essential for the achievement of each of the aims of the privacy policy. The data may be disclosed on behalf of illycaffè, each for own role, to all subjects delegated by illycaffè (legal staff also external to the Company, marketing staff also external to the Company, staff in charge of the website also external to the Company - such as legal advisors, IT experts that may also perform the role of system administrators, and appointed as such, quality service staff and staff in charge of the administration of the website – IT system staff which may also be system administrators, and which are appointed as such, external relations staff also external to the Company, staff in charge of mailing and enveloping also external to the Company, internal auditors, trainees, staff of internal and external data processors) and to internal and external data processors (such as enveloping and shipping companies, IT outsourcers, marketing companies and more in general consultants performing instrumental activities such as legal and communication advisors). The list of Data Processors is always available by contacting the Data Controller.

5.   Data retention

Data will be retained by illycaffè for the entire period necessary for the pursuit of the purposes contained in this information. The data retention period is as follows:

-       for legal obligations, regulations and community regulations, data may be retained for the periods imposed by these regulatory sources;

-       for the purposes described in point 2 letter A of this policy, the data can be retained until the withdrawal of consent or request for cancellation;

-       for the purposes described in point 2 letter B of this policy, the data can be retained until the withdrawal of consent or request for cancellation without prejudice to the conservation in accordance with the law to prove the consent previously given;

-       for the purposes described in point 2 letter C the data can be retained until the withdrawal of consent or request for cancellation not exceeding 12 months from their registration, save the effective transformation into anonymous form that does not allow, even indirectly or by linking other databases, to identify the data subjects;

in any case, all data may be retained for a period necessary to assert or defend a company right according to Italian and European regulations.

6.   Data Controller and Data Protection Officer

The Data Controller is illycaffè S.p.A., having its registered office in via Flavia 110, Trieste, phone number +39.040.3890.111, fax number +39.040.3890.490, e-mail: infoprivacy@illy.com. There is also a Data Protection Officer available at the email address dpo@illy.com and at the addresses of the Company.

7.   Rights

We inform you that the GDPR provides the possibility for the data subject to ask the Data Controller (at the above addresses) to access personal data and to correct or cancel them or limit their processing or to oppose their processing, in addition to exercising the right to data portability, as well as other rights contained in Chapter 3 of the GDPR including the revocation of consent, where provided: the withdrawal of consent does not affect the lawfulness of the processing based on consent given before revocation.

8.   Complaints

The data subject can always lodge a complaint with the Italian Data Protection Authority, whose references can be found on the website www.garanteprivacy.it

9.   Legal Basis

The legal basis is based on the fulfillment of legal obligations (Italian and European laws) as well as on the legitimate interests of the Data Controller in the relationship with the user. Furthermore, for the purposes for which consent is provided, the legal basis is the consent itself.

10.  Profiling

The processing of data for the purposes referred to in point 2 letter C of this privacy policy can be considered profiling. Profiling is based on consumer data in order to better understand his consumption habits and direct his purchases with targeted communications. The data are extracted and processed through software that create a consumption profile consisting in the indication of the actions carried out (adherence to an event, accessions to specific initiatives, purchase of certain products) and in the analysis of specific characteristics that can make better understand the customer category (e.g. age). This processing, however, does not constitute a particular risk for the data subject considering the type of basic profiling that does not require data of a particularly delicate nature or that allows the detailed reconstruction of particularly reserved aspects of private life. Moreover, they are not produced based on profiling, legal effects that affect the person concerned or that significantly affect his person, as no decision is made based on automated processing which is used only to send advertising material in line with the tastes and habits of the interested party. However, everything is always filtered by physical subjects who send it to the defined groups. The interested party always has the right to obtain human intervention, to express his opinion, to obtain an explanation of the decision obtained and to challenge the decision.

11.  Processing procedures

Data may be processed on paper, manually, with IT and electronic means (therefore, illycaffè may file data both on paper and IT support). illycaffè has implemented safety measures to prevent any data loss, illegal use of data, misuse or unauthorised access. Data will be retained and processed by illycaffè in compliance with its confidentiality requirements and with the applicable local provisions (i.e. in compliance with the principles of fairness, lawfulness, transparency, and protection of the confidentiality and the rights of those concerned) strictly in line with the aims set forth in this privacy policy. Data will be processed by illycaffè exclusively to achieve the aims described in this privacy policy. Data will be filed at illycaffè S.p.A. offices in Europe and at the appointed data processors (as well as third parties who receive data as independent data controllers as described in point 4 of this privacy policy). Data will be entered in databases, including IT databases.

We remind you that only for technical assistance needs data may be sent to companies outside the European community who are specifically designated as data processors by committing to comply with all the requirements of European legislation, also by signing the appropriate Contractual Clauses indicated by the Data Protection Authority; the data are only a copy of those contained in the European servers and the copy of the same is always available at illycaffè S.p.A..

N.B. The consent can only be given by persons over 14 years, if the subject is under 14, he cannot use what is provided for in the purposes for which consent is required (e.g. receiving commercial communication, profiling, ...).

This privacy policy is updated as at 25/09/2019. Such update is carried out inside of policy of constant review of the informative ones. The versions of the previous policy statements are available writing to Data Controller (e-mail dpo@illy.com).