(pursuant to art. 13 of Italian Legislative Decree 30/06/2003 no. 196 and subsequent amendments and additions and of art. 13 of European Regulation no. 2016/679)
B&B Italia S.p.A., with registered office in Via Durini 14 - 20122 Milan, Tax code and VAT number 07122350965, (hereinafter "B&B"), as Data Controller, pursuant to and in accordance with art. 13 of Italian Legislative Decree no. 196 of 30.6.2003 (hereinafter "Privacy Code") and art. 13 EU Regulation no. 2016/679 (hereinafter "GDPR"), informs you, in your capacity as a Data Subject (as defined in art. 4 of the Privacy Code and art. 4 of the GDPR), that your personal data will be processed in full compliance with current legislation on the protection of personal data and with the implementation of all security, technical and organisational measures deemed appropriate for the protection of the aforementioned data.
1. Data processed:
The data processed are the following data related to you: name, surname, email address, domicile/residence address, telephone number, profession, behaviour data, purchase choices/preferences, company to which you belong.
To better understand the above, please note that personal data are defined by current European legislation as "any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".
The processing of your data is carried out by means of the operations specified in art. 4 of the Privacy Code and art. 4 no. 2) of the GDPR and specifically, by way of example: collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
3. Purposes and Legal Basis of the Processing:
Your data will be processed for the following purposes:
a. Without your express consent (art. 24 of the Privacy Code and art. 6 of the GDPR) - because the processing in question is necessary to be able to respond to your express request - for the following Purposes:
(i) Fulfil the requests for information you have made.
(ii) Allow and manage your Registration on the Website, as well as the performance of the activities provided to you by virtue of your Registering on the Website.
b. Only with your informed, specific and separate consent (art. 23 and 130 of the Privacy Code and art. 6 and 7 of the GDPR) - because the processing in question requires Your Consent - for the following Purposes:
(i) to profile activities, like the analysis of habits and consumption choices mainly dealing with: the data entered during the registration phase, purchase data, the data you supplied during surveys and market research.
(ii) To send informative and promotional communications, also of a commercial nature, newsletters, advertising material and/or offers for products and services, even personalised, and perform statistical and/or market studies and research both with traditional methods of contact (mail, telephone call with operator) and automated methods (email, fax, text message, multimedia message, call without operator) from Italy or from abroad (even from countries not belonging to the European Community) by B&B.
(iii) To send informative and promotional communications, also of a commercial nature, newsletters, advertising material and/or offers for products and services, even personalised, and perform statistical and/or market studies and research both with traditional methods of contact (mail, telephone call with operator) and automated methods (email, fax, text message, multimedia message, call without operator) from Italy or from abroad (even from countries not belonging to the European Union) by parent companies, subsidiaries and/or affiliates companies, as well by entities contractually linked to B&B that manage the distribution and sale of B&B products and services (including any B&B distributors).
4. Data provided and consequences of refusal:
The provision of data for the purposes referred to in letter a., point (i) of article 3) above, while optional is necessary to be able to correctly fulfil your requests, and therefore the lack of consent will preclude the possibility of providing you with an adequate response.
The provision of data for the purposes referred to in letter a., point (ii) of article 3) above, while optional is necessary to be able to correctly fulfil your request for registration on the Website, and therefore the lack of consent will preclude the possibility for you to properly complete the procedure of Registering on the Website.
Providing your data and consent to their processing for the purposes referred to in letter b), points (i), (ii) and (iii) of art. 3 above, is optional. However, your refusal and/or providing incorrect and/or incomplete information could prevent the development of profiles, the analysis of your preferences and also prevent the development of so-called marketing activities including market and statistical studies and research.
If you give your consent you have the right to withdraw it at any time. We remind you that the withdrawal of consent, pursuant to and by effect of art. 7 of the GDPR, does not prejudice the lawfulness of the processing based on the consent you gave before withdrawal.
5. Method of Processing
6. Data storage:
The data will be stored at the Data Centre located in Italy.
Your personal data and contact details will be used and stored for the purposes referred to in art. 3) above for a period not exceeding 5 (five) years. Your purchasing data will be used and stored for the purposes referred to in art. 3) above for a period not exceeding 2 (two) years.
In order to guarantee the updating and correctness of the data as well as any consent you may have expressed, B&B will send you a communication every 12 months in order to remind you the methods and contacts – as specified in articles 11), 12) and 13) below - with which you can manage your registration.
At the expiration of the storage period the data will be erased and eliminated from any paper and/or digital support in a secure manner and in full compliance with the Data Protection regulations in force from time to time, or will be made anonymous by B&B for the sole purpose of carrying out statistical and/or historical analysis, therefore without any possibility for B&B and/or third parties to identify the data subjects.
7. Security Measures:
We care about protecting your information. We therefore commit to taking all reasonable measures to protect any personal information that we have stored against misuse, loss or unauthorised access. To this purpose, we have implemented a series of specific technical and organisational measures. Measures are included to deal with any suspected data breaches.
8. Parties authorised to process data:
For the proper execution of the Processing referred to in this Privacy Information Notice, your data will be accessible to:
a. Employees of B&B Italia S.p.A., expressly appointed and authorised by the Data Controller to perform the processing in question.
b. Suppliers of B&B Italia S.p.A. that provide services connected to and necessary for the aforementioned purposes, like, in particular, the following companies: Develon Digital S.r.l., which on behalf of B&B Italia S.p.A. provides: Services for the management, maintenance and hosting of the Website; MailUp S.p.a., which sends information and commercial communications on behalf of B&B Italia S.p.A.; AXIS communications S.r.l., which provides hosting services for a section of the Website reserved for Dealers and the management of invitations and participation in B&B Events on behalf of B&B Italia S.p.A. These Suppliers operate under specific agreements for the processing of data, stipulated with B&B Italia Spa pursuant to and for the purposes of art. 29 of the Privacy Code and art. 28 of the GDPR. A list of such third parties is always available at the registered office of the Data Controller.
c. The Consultants of B&B Italia Spa who provide assistance regarding legal, tax, accounting and organisational aspects. These Consultants operate under specific agreements for the processing of data, stipulated with B&B Italia Spa pursuant to and for the purposes of art. 29 of the Privacy Code and art. 28 of the GDPR. A list of such third parties is always available at the registered office of the Data Controller.
d. Parent companies, subsidiaries, investee and/or affiliated companies as well as entities contractually linked to B&B that manage the distribution and sale of B&B products and services (including any B&B distributors) for the purposes described in letter b), point (iii) of art. 3 above.
9. Disclosure and Dissemination of the data:
The Data Controller can disclose your data to Supervisory Bodies and/or to Judicial Authorities as well as to all other parties to whom the disclosure is mandatory by law for the accomplishment of said purposes. Your data will not be disseminated and/or disclosed in any other way.
10. Data transfer:
The management and storage of personal data will be carried out on servers located within the European Union belonging to the Data Controller and/or appointed third-party companies and duly designated as External Data Processors. In any case, it is understood that a subsequent and possible transfer of data outside the European Union will take place in accordance with the applicable legal provisions - including articles 44, 45 and 46 of the GDPR - as well as with the adequacy decisions adopted by the European Commission and also, if necessary and in the absence of adequacy decisions, stipulating agreements that guarantee an adequate level of protection and/or implementing the standard contractual clauses provided by the European Commission.
In detail, in case of any subsequent transfer of data in the United States, it will take place towards to those companies that have joined the so-called "Privacy Shield", in compliance with the decision of the European Commission that recognised the Agreement entitled "EU-US Privacy Shield" as having an appropriate level of protection of personal data transferred from the European Union to organisations resident in the United States that self-certify in the system and the subsequent Authorisation to transfer data abroad through the agreement called "EU-US Privacy Shield" adopted by the Italian Data Protection Authority on 27 October 2016.
11. Rights of the data subject:
In your quality as a data subject, you are entitled to the rights set forth in art. 7 of the Privacy Code and articles 13 et seq. of the GDPR.
Precisely, your rights include:
a. Pursuant to and for the purposes of art. 7 of the Privacy Code, the right to obtain confirmation of the existence or otherwise of personal data concerning you and their communication in intelligible form (e.g. in electronic format or on paper).
b. Pursuant to and for the purposes of art. 7 of the Privacy Code, the right to know: i) the categories of personal data; ii) the origin of the personal data, the purposes and methods of processing them and their storage period, or, if not possible, of the criteria used to determine the period; iii) the logic applied in case of processing carried out with the aid of electronic instruments; iv) the identification details of the Data Controller, the Processors and the designated Representative pursuant to art. 5, paragraph 2 of the Privacy Code and art. 3, paragraph 1 of the GDPR; v) the parties or categories of parties to whom the personal data may be disclosed or who can know them as designated Representative in the territory of the State, Data Processors or authorised persons to process personal data.
c. Pursuant to and for the purposes of art. 7 of the Privacy Code, the right to obtain: i) updating, rectification or, when interested, completion of data; ii) erasure, transformation into anonymous form or blocking of data processed unlawfully, including data whose retention is unnecessary for the purposes for which the data were collected or subsequently processed; ii) the attestation that the operations referred to in points i) and ii) have been brought to the attention - also with regard to their content - of those to whom the data have been disclosed or disseminated, except in the case where such activity proves impossible or involves a use of means manifestly disproportionate to the protected right.
d. pursuant to and for the purposes of art. 7 of the Privacy Code, the right to object in whole or in part: i) for legitimate reasons to the processing of personal data concerning you, even if relevant to the purpose of collection; ii) to the processing of personal data concerning you for the purpose of sending advertising or direct sales material or for carrying out market research or commercial communication, through the use of automated call systems without the intervention of an operator by email and/or through traditional marketing methods by telephone and/or paper mail. It should be noted that the data subject's right of opposition set out in point ii) for the purposes of direct marketing through automated methods extends also to traditional methods, and that in any case the possibility remains open to the data subject to exercise his/her right of opposition even only partially. Therefore, the interested party may decide to receive only communications using traditional methods or only automated communications or neither of the two types of communication.
e. Pursuant to and for the purposes of art. 13 of the GDPR, the right to lodge a complaint with a competent authority.
f. Pursuant to and for the purposes of art. 15 of the GDPR, the right of access to information related to the processing of the data, including: the purposes for the processing; the categories of personal data processed; the envisaged period for wich the personal data will be stored or if not possible the criteria used to determine that period ; the recipients or categories to whom the data were or will be disclosed; any transfer of data to third countries; if the data were not collected from the data subject, the information available about the origin of the data; the existence of an automated decision-making process, the logic applied to the segmentation of users for profiling activities and the significance and envisaged consequences of such processing for the data subject.
g. Pursuant to and for the purposes of art. 16 of the GDPR, the right to obtain the rectification of inaccurate data and the completion of incomplete data.
h. Pursuant to and for the purposes of art. 17 of the GDPR, the right to request erasure and to obtain it in certain circumstances, including: the data are no longer necessary in relation to the purposes for which they were collected; personal data have been unlawfully processed; personal data must be erased as a consequence of a legal obligation established by the law of the European Union or theMember States to the Data Controller is subject ; the data subject has withdrawn consent. This right will not be possible if the data are necessary for the management of complaints.
i. Pursuant to and for the purposes of art. 18 of the GDPR, the right to obtain the restriction of processing in certaincircumstances , including: the personal data available to B&B are inaccurate; the data subject does not agree with the use of his/her data but opposes their erasure and therefore requires a restriction of their use; B&B no longer needs to keep the data but the data subject needs them for future complaints. In the event of a request for restriction, the data will be processed only for certain reasons other than storage, including: complaints by the interested party; consent expressed by the interested party; protection of the rights of other natural or legal persons or for reasons of public interest at the level of the European Union or of a certain Member State.
j. Pursuant to and for the purposes of art. 20 of the GDPR, the right to receive their data in a structured format that is commonly used and legible and to transmit them to another data controller in the cases provided for by the aforementioned law.
k. Pursuant to and for the purposes of art. 21 of the GDPR, the right to object - at any time and for reasons related to his/her particular situation - to the processing of personal data, including the processing of data for profiling and direct marketing purposes. In this case B&B shall no longer process the personal data unless for specific exceptions provided by the aforementioned law.
12. Data Controller:
The data controller is B&B Italia S.p.A. with registered office in Via Durini 14 - 20122 Milan, Tax code and VAT number 07122350965.
13. How to exercise your rights:
To exercise the rights referred to in art. 11) above, you can write to the Data Controller at the following addresses: B&B Italia S.p.A. - Strada Provinciale Novedratese 32, 15, 22062 – Novedrate (CO); email: firstname.lastname@example.org; Fax: 031 791 531.
14. Changes to this Policy:
This Information Privacy Notice may be subject to change. We therefore suggest you regularly check this Privacy Information Notice and refer to the latest version.
In the event that you do not accept the changes that have been made, at any time you can cancel your registration on the Website or modify and/or withdraw your previously given consents by writing to the contacts as mentioned above.
Last update: 25 May 2018