INFORMATION ON THE PROCESSING OF PERSONAL DATA
pursuant to articles 13 and 14 of Regulation 679/2016/EU (“GDPR”)
version 1.0 of 10 January 2022
In its capacity as owner of the www.caffemauro.com website (the “Website”) and of the data processed for it, Caffè Mauro S.p.A. informs every user of the Website (also the “Data Subject”) that the personal data supplied when accessing and interacting with the Website will be processed in compliance with the following instructions.
1. Data controller and other subjects
The data controller is Caffè Mauro S.p.A., with registered office in Zona Industriale snc, 89018 – Villa San Giovanni (RC), Tax Code, VAT no. and registration number in the register of companies held by the Chamber of Commerce of Reggio Calabria (RC) 00090620808, registered in the Economic and Administrative Repertory under no. RC-44427, in the person of its legal representative pro-tempore, tel. +39 0965 3333, fax +39 0965 757000, e-mail firstname.lastname@example.org, certified e-mail email@example.com (hereinafter also the “Data Controller”).
2. Purposes and methods of processing – Legal basis of processing
The Data Controller processes the personal data of the Data Subject as indicated below in order to pursue the following purposes:
(i) for access to and browsing of the Website or for the fulfilment of any other requirement of the General Terms and Conditions of Use of the Website;
(ii) to sign up to the Website or to purchase goods or services through the Website and, consequently, to carry out any activity related, particularly, to the selection of products, the sending and/or acceptance of orders, shipping, delivery and/or the possible exercise of the right of withdrawal and the consequent withdrawal of the goods, as well as the fulfilment of any other requirement of the General Terms and Conditions of Sale of the Website;
(iii) to comply with the obligations envisaged by regulations and by the applicable national and supranational legislation;
(iv) to send commercial communications about the products and services of the Website and/or of Caffè Mauro S.p.A. and/or third parties, as well as special offers, promotions, news and coupons, to carry out market research, by means of automated systems, e-mail, sms, mms, fax, or similar, and/or via postal service (so-called marketing purposes), only with the specific consent of the data subject;
(v) to analyse preferences and consumption habits, to process the personal preferences and interests of the Data Subject by means of automated systems and to transmit personalised offers through the Website (so-called “profiling” purposes), only after the specific consent of the data subject has been given;
(vi) for the transfer and/or disclosure of data to third parties operating in the following sectors: food, publishing, cinema, music, entertainment, including sports, home and furniture, stationery, health and wellness, baby care, so that such third parties can use the data for their own marketing purposes or those of third parties falling within the above categories (so-called “disclosure to third parties”), only with the specific consent of the data subject;
(vii) to send communications aimed at the promotion or direct sale of products or services similar to those already purchased/used by the user (so-called “soft spamming”), without affecting the user’s right to object at any time;
(viii) for the collection, storage and processing of data for the purposes of statistical analysis in anonymous or aggregate form.
The processing of the personal data of the Data Subject for the purposes indicated above under sections (i), (ii) and (iii) finds its legal basis in article 6, paragraph 1, letters b) (fulfilment of pre-contractual and contractual obligations) and c) (fulfilment of pre-contractual and contractual obligations) of the GDPR.
The processing of the Data Subject’s personal data for the purposes referred to under sections (iv), (v) and (vi) above finds its legal basis in article 6, par. 1, letter a) of the GDPR (consent of the Data Subject). In this case, consent is optional and may always be withdrawn.
The processing of the Data Subject’s personal data for the purpose indicated under section (vii) above finds its legal basis in article 6, par. 1, letter f) of the GDPR (legitimate interest of the Data Controller). The legitimate interest of the Data Controller, as governed by article 130, paragraph 4, of Legislative Decree 196/2003 and subsequent amendments and additions, consists in the Data Controller’s intention to use the Website both to inform the Data Subject about its products and activities and to offer information to provide a pleasant and complete browsing experience.
The personal data is processed using manual and electronic tools and is stored in the electronic database provided for this purpose and, if necessary, in any paper archives kept at the headquarters of the Data Controller and/or recipients (including any suppliers of the latter) which the Data Controller uses to pursue its purposes.
The personal data contained in the aforementioned automated information systems, as well as that stored in the Data Controller’s archives, is processed in compliance with the provisions of national legislation on the protection of individuals with regard to the processing of personal data and the GDPR on security measures, so as to minimise the risks of destruction or loss, unauthorised access or processing that does not comply with the purposes of collection.
3. Type of personal data processed – Data retention periods
The Data Controller uses the Website to process personal data of a technical nature, generated independently by the IT devices in use (particularly IP addresses, log files relating to browsing on the Website). This information is not collected to be associated with identified Data Subjects, but by its very nature could, through processing or association with data held by third parties, allow the identification of the Data Subject. This data is used to allow the normal use of the Website and to check its correct operation and is usually deleted immediately after processing.
The Data Controller also processes personal data freely uploaded onto the Website by the Data Subject, including that required to purchase products sold through the Website (such as personal data (name, surname, tax code), contact data (residence and/or domicile, email, telephone numbers) and billing data).
Confidential credit card data, freely supplied by the Data Subject to make purchases on the Website (card number, holder name, expiry date, security codes), will be acquired directly from the payment service provider who will act as an independent data controller and will not be collected and/or processed in any way by the Data Controller. The data will be acquired in encrypted format and in compliance with the security requirements envisaged by the most well-known reference frameworks (NIST, ENISA, ISO 27001).
The Data Controller also processes the e-mail addresses entered voluntarily by the Data Subject for the purpose of requesting the newsletter service. This personal data will be stored for the time that the newsletter service is provided or until the Data Subject exercises their right to object to it in compliance with the procedures indicated below, and never for longer than 24 months from the date it was entered.
Personal data will be kept for the time necessary to achieve the above-mentioned purposes, as well as to fulfil the legal obligations imposed for said purposes, and never for longer than 24 months from the last purchase made by the user on the Website.
Data of minors
The Data Controller does not collect personal data relating to minors under the age of fourteen. Where necessary, and as long as the Data Controller has been informed about the minor’s age, the Data Controller will give specific instructions to the minor and/or the persons exercising parental authority to ensure that the minor does not provide information on the Website and/or will do everything reasonably possible to obtain the consent of the minor’s parents to the processing of such data, if required by law. The Data Controller encourages parents to teach their children safe and responsible use of their personal data on the Internet, and to supervise the activities carried out on the Website and on the Internet in general, by the minors over whom they have parental authority.
4. Provision of data and consent to data processing – Consequences in the event of failure to provide data
With reference to the purposes referred to under section (i) of art. 2 above, the processing of the personal data of the Data Subject is carried out by means of computer systems and software procedures used to operate the Website which, as described above, in the course of their normal operation acquire certain personal data the transmission of which is implicit in the use of Internet communication protocols (in particular, IP addresses, log files relating to browsing the Website, etc.). If the Data Subject does not intend to provide such data, they are invited to immediately close the browser and/or leave the Website.
With reference to the purposes referred to under sections (iv), (v) and (vi) of art. 2 above, the provision of data is optional, as it is related to the request freely expressed by the user, it being understood, however, that failure to provide the personal data in question for said purposes will not make it impossible for the Data Subject to browse the Website and purchase the products sold on the Website.
With reference to the purpose referred to under section 2(vii) above, consent to the processing is not required under current legislation, notwithstanding the Data Subject’s right to object, at any time, to the sending of communications in the manner set out below.
5. Scope of knowledge of the data
The personal data provided by the Data Subject for the purposes described in art. 2 above may be brought to the attention of or disclosed to the following:
(i) employees or collaborators of the Data Controller, for the performance of administrative, IT or logistical support, communication and marketing activities;
(ii) public and private subjects, natural persons and legal entities (e.g.: companies offering IT services, communication and marketing consulting firms, etc.) which the Data Controller uses to pursue the purposes indicated in art. 2;
(iii) all those subjects (including the Public Authorities) who have access to the data by virtue of regulatory or administrative measures.
The list of “persons in charge of the processing of personal data” pursuant to art. 28 of the GDPR that may be appointed will be available at the Data Controller’s registered office or may be requested in writing at the contacts indicated above.
The personal data of the Data Subject is not subject to dissemination.
6. Transferral of data to non-EU countries
Users’ personal data acquired through the Website is processed at data centres located within the European Union.
With regard to the possible transferral of data to Third Countries, the Data Controller hereby informs you that data processing will take place in compliance with one of the methods permitted by the law in force, such as, for example, the adoption of Standard Contractual Clauses approved by the European Commission, the selection of subjects adhering to international programmes for the free circulation of data or operating in countries considered safe by the European Commission, and always in compliance with the provisions of articles 44-49 of the GDPR.
Further information can be obtained by submitting a written request to the Data Controller at the contact details given above.
7. Rights of the Data Subject
Pursuant to article 15 et seq. of the GDPR and current legislation, the Data Subject who is a natural person has the right to:
a) obtain confirmation of the existence or otherwise of personal data concerning them and their communication in intelligible form, receiving them in a structured, commonly used and readable format with the possibility of transmitting them to another data controller (“Right to portability”);
b) obtain indications: (i) on the origin of the personal data, purposes and methods of processing, the logic applied in the event of processing carried out with the aid of electronic instruments; (ii) on the identification details of the Data Controller, the Data Processor(s) and the Data Protection Officer (if any) appointed; (iii) on the subjects or categories of subjects to whom the data may be communicated or who may become aware of the data in their capacity as designated representative in the territory of the State, data processors or appointees;
c) obtain (i) the update, rectification or integration of the data concerning them or, in the event of a dispute regarding the correctness of the data, the restriction of the processing of such data for the time necessary for the appropriate checks to be carried out, (ii) transformation into anonymous form or the blocking of data processed in breach of the law, including data whose retention is necessary in relation to the purposes for which such data was collected or subsequently processed, (iii) certification of the fact that the operations referred to in the preceding points, along with their contents, have been brought to the attention of those to whom the data was communicated or disseminated, unless this requirement proves impossible or involves the use of means manifestly disproportionate to the right protected;
d) object, in whole or in part (i) to the processing of data concerning them, even if it is pertinent to the purpose of collection, (ii) to the processing of personal data concerning them, where it is carried out for the purpose of commercial information or sending advertising materials or direct selling or for carrying out market research or commercial communication;
e) obtain cancellation without undue delay (“Right to be forgotten”) if the data is no longer necessary in relation to the purposes for which it was collected or otherwise processed, if it has been unlawfully processed or if the Data Subject (i) requests it or (ii) objects in whole or in part to the processing;
f) obtain the restriction of the processing if (i) the data is unlawfully processed but the Data Subject objects to its cancellation, (ii) the data is necessary to the Data Subject for the establishment, exercise or defence of a right, (iii) an assessment of the legitimate reasons for processing by the Data Controller is pending;
g) withdraw consent at any time, for processing operations legally requiring consent, without affecting the lawfulness of the processing operations carried out before the withdrawal.
Without prejudice to any other administrative or jurisdictional recourse, the Data Subject shall also have the right to lodge a complaint (art. 77 GDPR) with the Privacy Guarantor (www.garanteprivacy.it), should they consider that the processing concerning them violates the regulations in force regarding the protection of personal data.
The aforementioned rights may be exercised by submitting a written request to the Data Controller at the address indicated in the epigraph or at firstname.lastname@example.org. With particular reference to the processing of personal data for the purposes referred to in article 2, section (iv), above, the Data Subject may also express their objection by clicking on the appropriate link at the bottom of any newsletter.
Caffè Mauro S.p.A.
The Data Controller