Privacy policy pursuant to Regulation (EU) 2016/679 (GDPR) and national legislation in force in Italy (D.Lgs.196/03)
1. General information
We hereby inform you that, for the purposes indicated below, we, as 'illycaffè S.p.A. (data controller, hereinafter also referred to as the "Company" or "illycaffè" for the sake of brevity), will process the personal data that you have provided to us in the form or following the provision of the form. Only the data necessary for the purposes stated in this information note will be requested and processed.
2. Purposes and legal basis
We may process data for the following purposes:
A. in order to allow you to create an illycaffè account (My account) that allows you to access, with the same identification data, specific services, reserved areas and/or specific functions (dedicated to My account holders) of our websites and applications and those of our subsidiaries, as well as to access a restricted area to view and manage your relationship with us and our subsidiaries and thus, for example, to view purchases, manage shipping addresses, manage data processing authorisations, view initiatives or sections in which the My Account holder is registered, update data, upload a profile photo that will not be visible to other users, etc. Our subsidiaries that provide products or services that are also accessible through My Account may access your My account data if you enter into contractual relations with them (e.g. make purchases or subscribe to or activate services provided by a subsidiary). The list of the subsidiaries that access My Account (independent data controllers for the activities they carry out) is available by contacting us at the addresses indicated in point 6 of the policy. The legal basis for processing is consent. You may at any time request the deletion of your account;
B. to carry out advertising communications/information on our and our partners’ products-services-initiatives and to make market research and/or interviews for the evaluation of our product-services, all from us to the addresses that you provided in the form or other contact details provided later (please note that the sending of SMS/MMS and e-mail will also be in electronically with the help of automated tools). Communications may also take place via push notifications if explicitly accepted. The consent can will be possibly requested at further stage also on the registration pages of affiliates companies . The activities in this point will not be carried out without your consent. The processing is based on the following legal basis: consent;
C. in order to create, on the basis of the information in our possession about you, a your profile (profiling) including the study of your consumption habits and choices derived also from the analysis of your product choices, aimed at carrying out specific marketing, promotion, direct sales and commercial communications activities by us, in accordance with the your specific needs that emerge from the profiling and also aimed at analysing the choices and consumption habits of illycaffè product customers to improve business development. Processing for this purpose will also take place in databases in automated form. We will be able to create both a profile of the individual user and of homogeneous classes of users. We may also combine and compare data from different databases of our partners (associated, subsidiary and parent companies of illycaffè S.p.A. resident in the European Union and associated, subsidiary and parent companies of the illy S.p.A. Group resident in the European Union). See also point 9 of the privacy policy. We will carry out marketing, promotion, commercial communication and direct sales activities only if you have consented to such processing.The processing is based on the following legal basis: consent. If you do not consent to the processing of your data for this purpose but authorise the use of profiling cookies in the appropriate section of the site, you may still be subject to the activities carried out by means of such cookies;
D. to be compliant with the requirements pursuant to the legislation in force, regulations or EU regulations. The processing is based on the following legal bases: the fulfillment of legal obligations;
E. for legitimate interests such as to assert or defend the rights of the Company. The processing is based on the following legal bases: the pursuit of legitimate interests.
3. Mandatory nature of the provision
The provision of the data required for the purposes set out in point 2(A) is optional, however, without providing this data, you will not be able to create a My Account and access its benefits. Consent (which you can always withdraw by contacting us at the addresses indicated in point 6) for the purposes indicated in point 2(A) is optional. However, without consent, you will not be able to create or maintain a My Account and access its benefits. We inform you that by clicking the flag in the box concerning the request to create an account, you consent to processing for this purpose.
Provision of data for the purposes described point 2(B) of this privacy policy and the relative consent (which you can always withdraw, thus opposing the processing of your data for these purposes, by contacting us at the addresses indicated in point 6) are not mandatory; failure to provide such data and the consent will have not consequences, except that you will not be subject to the activities indicated in the point on our part or you will not be subject to the addresses you have not provided. We inform you that, by clicking the flag in the box concerning the request to carry out what is indicated in point 2 (B), you consent to the processing for the purposes indicated in that point.
Provision of data for the purposes described point 2(C) of this privacy policy and the relative consent (which you can always withdraw, thus opposing the processing of your data for these purposes, by contacting us at the addresses indicated in point 6) are not mandatory; failure to provide such data and the consent will have not consequences, except that you will not be subject to the activities indicated in the point on our part or will not be subject to the addresses not provided. We inform you that, by clicking the flag in the box concerning the request to carry out what is indicated in point 2 (C), you consent to the processing for the purposes indicated in that point.
The provision of the data requested for the purposes of points 2(D) and 2(E) is necessary and, consequently, a possible refusal to provide them, in whole or in part, may result in the impossibility of creating or maintaining a My account and/or being subject to the activities indicated in this information notice.
4. Data addressee categories
We will not communicate the data to third parties, for the purposes indicated in point 2(A), above except for specific services, for which you will be subject to specific conditions and for which you will be asked for explicit consent where necessary, and except for access to the data by the subsidiaries as indicated in point 2(A).
For the purposes indicated in point 2(B), we may communicate the data to the postal service/ express couriers (as the address is visible when sending any written material), in case of sending paper communications.
For the purposes indicated in point 2(C), we will not communicate the data to third parties.
For the purposes of point 2(D) of this privacy policy, we may communicate the data to public authorities, the judiciary, the police.
For the purposes of point 2(E) of this privacy policy, we may communicate the data to lawyers, solicitors, public authorities, the judiciary, the police, the post office (as the address is visible when sending any written material).
We will only communicate data that is indispensable for the purposes indicated in this policy privacy
The data may also be disclosed on our behalf, each for his or her role, to all subjects delegated by us to process the personal data data, (legal affairs officers, including those external to the Company, marketing officers, including those external to the Company, site management officers, including those external to the Company, consultants, including those external to the Company -e.g. legal consultants, IT technicians who may sometimes also perform the duties of system administrator and are in this case appointed system administrators, quality and website management officers-, information systems officers, who may sometimes also perform the duties of system administrators and are in this case appointed system administrators, public relations employees, including those from outside the Company, shipping and envelope employees, including those from outside the Company, internal auditors, interns, employees of data processors) in addition to the data processors also delegated by us, such as, for example, enveloping and shipping companies, IT outsourcing companies, marketing consulting companies and, more generally, consultancy companies/firms that perform activities instrumental to those of illycaffè, such as, for example, legal and communications consultancy companies/firms. You can always ask us for the list of data processors by contacting us at the addresses given in point 6.
5. Data retention
We will be conserved the personal data for the entire period necessary for the pursuit of the purposes indicated in this policy privacy. The data retention period is as follows:
- for legal obligations, regulations and community regulations, for the periods imposed by these regulatory sources;
- for the purposes described in point 2(A), until the withdrawal of consent or request for cancellation of dta or My account without prejudice to retention for evidential purposes for the period provided for by law;
- for the purposes indicated in point 2(B) until consent is revoked or the request for cancellation is made, without prejudice to retention for evidential purposes for the period provided for by law;
- for the purposes referred to in point 2(C) until revocation of the consent/request for deletion or for a maximum of 12 months from their registration, without prejudice to their actual transformation into an anonymous form which does not allow, even indirectly or by linking other databases, the identification of the data subjects;
in any case, all data may be conserved for a period necessary to assert or defend a company right according to Italian and European regulations.
6. Data Controller and Data Protection Officer
The Data Controller is illycaffè S.p.A., having its registered office in via Flavia 110, Trieste, phone number +39.040.3890.111, fax number +39.040.3890.490, e-mail: infoprivacy@illy.com. There is also a Data Protection Officer available at the email address dpo@illy.com and at the addresses of the Company.
7. Rights
Please note that the GDPR provides that you may request (by contacting us at the contact details set out in point 6) access to and rectification of your personal data, erasure of your data or limitation of the processing concerning you, data portability; you may also have the opportunity, again by contacting us, to oppose the processing of your data and to exercise the other rights contained in Chapter 3 Section 1 of the GDPR, including the right to withdraw consent, where applicable: the withdrawal of consent shall not affect the lawfulness of the processing based on the consent given before the withdrawal.
8. Complaints
If you consider that the processing of your personal data is in violation of the GDPR and Nationals privacy regulations, you can always address a complaint to the Italian Data Protection Authority whose contacts are available on the website www.garanteprivacy.it.
9. Logic used for profiling
The profiling referred to in point 2(C) takes place on our part through the analysis, also in an automated manner, of your data and your characteristics (for example, age, geographical area, sex, adhesion to an event, adhesion to particular initiatives, purchase of certain products, completion of questionnaires, actions carried out during navigation on our websites if you have accepted the profiling cookies on our websites). We then create a consumer profile that is also included in specific groups (clusters). Profiling has the purposes indicated in point 2(C); such processing, however, does not represent a particular risk for you, given the type of basic profiling that does not require data of a particularly sensitive nature or that would allow the detailed reconstruction of particularly confidential aspects of your private life. You will always have the right to obtain human intervention, to express your opinion, to obtain an explanation of the decision made and to contest the decision.
10. Processing procedures
Data may be processed on paper, manually, with IT and electronic means (therefore, illycaffè may file data both on paper and IT support). We have implemented safety measures to prevent any data loss, illegal use of data, misuse or unauthorised access. We will conserve and process the personal data, in compliance with its confidentiality requirements and with the applicable local provisions (i.e. in compliance with the principles of fairness, lawfulness, transparency, and protection of the confidentiality and the rights of those concerned) strictly in line with the aims set forth in this privacy policy. We will process personal data exclusively to achieve the aims described in this privacy policy. Data will be filed at illycaffè S.p.A. offices in Europe and at the appointed data processors (as well as third parties who receive data as independent data controllers as described in point 4 of this privacy policy). Data will be entered in databases, including IT databases.
11. Transfer of data outside the European Union
11.1 In case of access to the services offered by illy caffè North America INC, illycaffè UK Ltd and illycaffè Sud America Comercio, Exportação e Importação Ltda, the data in My account may be viewed remotely also by these companies (for the purposes indicated in point 2(A) and therefore by non-EU countries (USA, Brazil and United Kingdom). All this will take place either because it is necessary for the conclusion or performance of a contract entered into between the data controller and another natural or legal person in favour of the data subject, or on the basis of standard contractual clauses indicated by the European Commission and/or the competent supervisory authority and provided for by the GDPR (art. 46, par. 2, lett. c) to guarantee the transfer (a copy of which is available by contacting us at the addresses indicated in point 6) where in the countries indicated there is no specific adequacy decision for which the non-EU state is deemed to provide the same guarantees provided by European law.
11.2 Moreover, only for technical assistance needs, the data may be sent to companies operating outside the European Union that are specifically appointed as data processors, undertaking to comply with all the requirements of European legislation, including by signing the appropriate Contractual Clauses indicated by the European Commission and/or the competent supervisory authority and provided for by the GDPR (art. 46, par. 2, lett. c), (a copy of which is available by contacting us at the addresses indicated in point 6) where in the countries indicated there is no specific adequacy decision for which the non-EU state is deemed to provide the same guarantees provided by European law.; the data are only a copy of those contained in the European servers and a copy of the same can therefore always be found at illycaffè S.p.A.
Privacy policy updated to 1st of August 2022. This update is part of a policy of constant revision of the information. The versions of the previous disclosures can be obtained by contacting the Data Controller (e-mail infoprivacy@illy.com).
Your California Privacy Rights for California Consumer in US
We have adopted the following disclosures to comply with the California Consumer Privacy Act of 2018, as amended, its implementing regulations (“CCPA”) and other California privacy laws. Any terms defined in the CCPA, other California privacy laws, or in our Privacy Policy have the same meaning when used in this Notice.
This California Privacy Notice (“Notice”) applies to “Consumers” as defined by the California Consumer Privacy Act (“CCPA”) as a supplement to the other privacy policies that we issue in the web site for the data process in Italy.
Consistent with the CCPA, job applicants, current and former employees and contractors, and subjects of certain business-to-business communications acting solely in their capacity as representatives of another business, are not considered Consumers for purposes of this Notice or the rights described herein.
Do We “Sell” Your Personal Data?
We do not sell your name, address, phone number, or email address. However, on certain occasions, we also sell information to third parties. An external party may be considered a third party either because the purpose of sharing the personal data is not an enumerated business purpose under California law, or because our contract does not restrict them from using personal data for other purposes. To “sell” personal data means to disclose it to an external party for monetary or some other type of benefit doesn’t always mean that money is exchanged to be considered a “sale.” We may “sell” the following information:
• Personal Identifiers: We provide your IP address and device ID to our online advertising partners.
• Internet or Other Electronic Network Activity Information: We provide information about your Internet or other electronic network activity information to our online advertising partners.
• Inferences about You: Inferences drawn to create a profile about you and your consumer preferences or characteristics. We provide these observations to our advertising partners.
How to Exercise Your Rights Under the CCPA
Under the CCPA you have the right to find out about the personal data that we have collected and how that information has been used or disclosed. You also have the right to request that we delete your personal data. If you wish to exercise any of the rights listed below, or if you would like additional information, please contact us at infoprivacy@illy.com.
The Right to Access and Know About Personal Data Collected, Disclosed, or Sold
You have the right to request that we disclose to your certain information about our collection and use of your personal data over the past 12 months. Once we receive and confirm your verifiable consumer request, we will disclose to you:
• The categories of personal data we collected about you.
• The categories of sources for the personal data we collected about you.
• Our business or commercial purpose for collecting or selling that personal data.
• The categories of third parties with whom we share that personal data.
• The specific pieces of personal data we collected about you (also called a data portability request).
• If we disclosed your personal data for a business purpose, identifying the personal data categories that each category of recipient obtained.
For data portability requests, we will select a format to provide your personal data that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
The Right to Request Deletion of Your Personal Data
Subject to certain exceptions, you have the right to request that we delete any or all of the personal data that we collected from you and retained over the past 12 months. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal data from our records, unless an exception applies. You may request that only a portion of your personal data be deleted.
We may deny all or part of your deletion request if retaining your personal data is necessary for us or our Service Providers to:
• Complete the transaction for which we collected the personal data, provide a service that you requested, take actions reasonably anticipated based on our ongoing business relationship with you, or otherwise perform our agreement with you;
• Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities;
• Debug products to identify and repair errors that impair existing intended functionality;
• Exercise free speech or ensure the right of another consumer to exercise their right of free speech or other right provided for by law;
• Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us;
• Comply with law or a legal obligation; or
• Otherwise use your personal data internally, in a lawful manner that is compatible with the context in which you provide the information.
The Right to Opt-Out of the Sale of Your Personal Data
The CCPA provides you with the right to opt out and stop businesses from selling your personal data. This right applies to all California consumers ages 16 or older and may be exercised at any time.
If you are 16 years of age or older, you have the right to direct us to not sell your personal data at any time (the "right to opt-out"). Our Sites and products are not intended for minors. We do not sell the personal data of consumers we actually know are less than 16 years of age, unless we receive affirmative authorization (the "right to opt-in") from either the consumer who is at least 13 but not yet 16 years of age, or the parent or guardian of a consumer less than 13 years of age. Consumers who opt-in to the sale of their personal data may opt-out of future sales at any time.
How to exercise this right:
• By sending an email to infoprivacy@illy.com, providing details of your request.
The Right to Non-Discrimination
We will not discriminate against you for exercising any of your CCPA rights, and will not engage in the following behaviors:
• Denying you goods or services
• Charging you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties
• Providing you a different level or quality of goods or services
• Suggesting that you may receive a different price or rate for goods or services or a different level or quality of goods or services
Exercising Your Rights
When you exercise these rights and submit a request to us, we will verify your identity by asking for information about your relationship with us, such as your name, email address on file, billing or shipping address, phone number, or order number.
We try to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time, we will inform you of the reason and extension period in writing.
Any disclosures we provide will only cover the 12-month period preceding your verifiable request's receipt. The response we provide will also explain the reasons we cannot comply with your request, if applicable.
Authorized Agents
You may authorize a natural person, or a business entity registered with the California Secretary of State, to act on your behalf to make a request to know about personal data collected or to delete your personal data.
To facilitate such an authorization, you must (i) verify your identity to us and provide that authorized agent written permission to make such a request or (ii) provide the authorized agent with power of attorney in your behalf pursuant to the California Probate Code sections 4000 to 4465.
The authorized agent must include those authorizations in your verifiable consumer request.
Notice of Financial Incentive
We will not discriminate against you in any manner prohibited by the CCPA because you exercise your CCPA rights. However, we may charge a different price or rate, or offer a different level or quality of goods or services, to the extent that doing so is reasonably related to the value of the applicable data. In addition, we may offer you financial incentives for the collection, sale, retention, and use of your personal data as permitted by the CCPA; such offers may result in reasonably different prices, rates, or quality levels. The material aspects of any financial incentive will be explained and described in our program terms. For details of our current financial incentive program and its terms, including how to opt-in or withdraw from your opt-in, and program benefits, refer to the program terms and conditions.
We do not assign a monetary value to the personal data that we collect from you and strive only to use that information to further our business in accordance with our Privacy Policy; to the extent that we are required to assign a monetary value to your personal data, it is equal to the value of the discount or financial incentive that we have provided to you.
Please note that participating in incentive programs is entirely optional; participants affirmatively opt into the program, and can opt out of the program (i.e., terminate participation and forgo the ongoing incentives) by following the instructions in the program’s description and terms. We may add or change incentive programs and / or their terms by posting a notice on the program descriptions and terms linked to above, so check them regularly.
Children Under the Age of 16
We do not knowingly collect, solicit, or share personal data from children under the age of 16. If we have knowledge that a child under 16 has submitted personal data in violation of this Policy, we will delete that information as soon as possible. If you believe we may have obtained information in violation of this Policy, please email us at infoprivacy@illy.com.
Questions about the CCPA
If you have questions or concerns regarding this statement, you should first contact us via email at infoprivacy@illy.com.
Changes to this Privacy Policy
We reserve the right to amend this Privacy Notice at our discretion and at any time. When we make changes to this Notice, we will post the updated Notice on the Site and update the Notice’s effective date. Your continued use of our Site following the posting of changes constitutes your acceptance of such changes. If we are required by applicable data protection laws to obtain your consent to any material changes before, they come into effect, then we will do so in accordance with law.
California Shine the Light Law
If you are a California resident and have an established business relationship with us and want to receive information about how to exercise your third-party disclosure choices, you must send a request to the following address with a preference on how our response to your request should be sent (email or postal mail). You may contact us in two ways:
You may send an email to infoprivacy@illy.com, or
You may contact us at:
ILLY CAFFÈ S.p.A via Flavia 110 Trieste (Italy)
Attn: Your California Privacy Rights
c/o Privacy Administrator
For requests sent via email, you must put the statement “Your California Privacy Rights” in the subject field of your email. All requests sent via postal mail must be labeled “Your California Privacy Rights” on the envelope or post card and clearly stated on the actual request. For all requests, please include your name, street address, city, state, and zip code. (Your street address is optional if you wish to receive a response to your request via email. Please include your zip code for our own recordkeeping.) We will not accept requests via the telephone or by facsimile. We are not responsible for responding to notices that are not labeled or not sent properly, or do not have complete information.
If you are a California resident under the age of 18, and a registered user of any Site where this Privacy Policy is posted, California Business and Professions Code Section 22581 permits you request and obtain removal of content or information you have publicly posted. To make such a request, please send an email with a detailed description of the specific content or personal data to infoprivacy@illy.com. Please be aware that such a request does not ensure complete or comprehensive removal of the content or information you have posted and that there may be circumstances in which the law does not require or allow removal even if requested.