Privacy policy pursuant to Regulation (EU) 2016/679 (GDPR) art 13.

1.   General information

Pettenon Cosmetics S.p.A. SB (hereinafter also referred to as the “Company” or “Pettenon” for short) informs you that for the purposes indicated below, it will process your personal data (or that of the company it represents if acting on its behalf) provided by you. Only the data necessary for the pursuit of the purposes indicated in this statement will be requested and processed. Please note that you will only have to provide your data and/or the data of the company you represent. If you are acting on behalf of a Company/Company, the activities envisaged in this information notice will be carried out on behalf of the Company using the data you have provided and you therefore consent to the processing (where consent is required) on behalf of the Company you represent.

2.  Purposes and legal basis

We may process data for the following purposes:

A. In order for the Company TO BE ABLE TO ANALYSE the request and respond to you. The processing is based on the following legal basis: consent;

B. to BE COMPLIANT WITH THE REQUIREMENTS PURSUANT TO THE LEGISLATION IN FORCE, REGULATIONS OR EU REGULATIONS. The processing is based on the following legal bases: the fulfillment of legal obligations;

C. for legitimate interests such as to ASSERT OR DEFEND THE RIGHTS OF THE COMPANY. The processing is based on the following legal bases: the pursuit of legitimate interests; in considering these legitimate interests, it was analysed that they do not compromise or interfere with the interests or fundamental rights and freedoms of the data subject (the legitimate interest was assessed on the basis of a Triple Test available by contacting the Company).

3.  Mandatory nature of the provision

You will be free or not to disclose your personal data for the purposes set out in point 2(A) of the information notice as well as you will be free to give or not to give your consent, but without the provision and consent, the Company will not be able to respond to your request.

The provision of the data requested for the purposes of points 2(B) and 2(C) is necessary and, consequently, a possible refusal to provide them, in whole or in part, will result in the impossibility, for you, to being subject to the activities indicated in the point 2(A).

4. Data addressee categories

For the purposes set out in point 2(A), the data will not be communicated to third parties unless such communication is necessary on the basis of the request (e.g. to post office/courier services in the case of a request for the dispatch of paper material.
For the purposes of point 2(B) of this privacy policy, we may communicate the data to public authorities, the judiciary, the police.

For the purposes of point 2(C) of this privacy policy, we may communicate the data to lawyers, solicitors, public authorities, the judiciary, the police, the post office (as the address is visible when sending any written material).
We will only communicate data that is indispensable for the purposes indicated in this policy privacy.

The data may also be disclosed on our behalf, each for his or her role, to all subjects delegated by us to process the personal data data, (public relations staff also external to the Company, information systems staff also external to the Company and who may sometimes perform the duties of system administrators and are in that case appointed as such, consultants also external to the Company – such as computer technicians who may sometimes perform the duties of system administrators and are in that case appointed as such, legal consultants – trainees, website management staff also external to the Company, employees of the department dealing with the matters covered by your request, legal staff, employees of the data processors) in addition to the data processors also delegated by us, such as, for example, IT outsourcing companies and, more generally, consultancy companies/firms that perform activities instrumental to those of illycaffè, such as, for example, legal and communications consultancy companies/firms. You can always ask us for the list of data processors by contacting us at the addresses given in point 6.

5. Data retention

We will be conserved the personal data for the entire period necessary for the pursuit of the purposes indicated in this policy privacy. The data retention period is as follows:

– for legal obligations, regulations and community regulations, for the periods imposed by these regulatory sources;

– or the purposes indicated in point 2(A), for 6 months from the final answer to the request without prejudice to conservation for the purposes indicated in points 2(B) and 2(C);

In any case, all data may be retained for a period necessary to assert or defend a right of the company under Italian civil and criminal law, and therefore for a maximum of 10 years from the termination of the relationship, except in the event of litigation or disputes that require a further retention period an with the reservation of further storage if required by the local regulations applicable to the persons concerned.

6. Data Controller and Data Protection Officer

The Data Controller is Pettenon Cosmetics S.p.A. SB., having its registered office in Via del Palù, 7d, 35018 San Martino di Lupari PD, Tel. +39 049 99888, FAX +39 049 9988809, privacy@pettenon.it. There is also a Data Protection Officer available at the email address dpo@pettenon.it  and at the addresses of the Company.

7.  Rights

Please note that the GDPR provides that you may request (by contacting the Company at the contact details set out in point 6) access to and rectification of your personal data, erasure of your data or limitation of the processing concerning you, data portability; you may also have the opportunity, again by contacting the Comapny, to oppose the processing of your data and to exercise the other rights contained in Chapter 3 Section 1 of the GDPR, including the right to withdraw consent, where applicable: the withdrawal of consent shall not affect the lawfulness of the processing based on the consent given before the withdrawal.

8. Complaints

If you believe that the processing of your data is in breach of the provisions of the GDPR, you have the right to lodge a complaint with the Italian Supervisory Authority (whose contact details can be found at www.garanteprivacy.it), as provided for in Article 77 of the GDPR, or to take appropriate legal action (Article 79 of the GDPR).
You may also contact the Supervisory Authority of the state in which you normally reside or work.
The list of supervisory authorities can be found at www.garanteprivacy.it/home/footer/link
The Supervisory Authority can be contacted at the contact indicated on the website www.ico.org.uk

9. Processing procedures

Data may be processed on paper, manually, with IT and electronic means (therefore, the Company may file data both on paper and IT support). We have implemented safety measures to prevent any data loss, illegal use of data, misuse or unauthorised access. We will conserve and process the personal data, in compliance with its confidentiality requirements and with the applicable local provisions (i.e. in compliance with the principles of fairness, lawfulness, transparency, and protection of the confidentiality and the rights of those concerned) strictly in line with the aims set forth in this privacy policy. We will process personal data exclusively to achieve the aims described in this privacy policy. Data will be filed at Company offices in Europe and at the appointed data processors (as well as third parties who receive data as independent data controllers as described in point 4 of this privacy policy). Data will be entered in databases, including IT databases.

Privacy policy updated to 1 april 2024.
This update is part of a policy of constant revision of the information. The versions of the previous disclosures can be obtained by contacting the Data Controller (e-mail infoprivacy@illy.com).