A. Who are we and why are we giving you this document?
The Mondadori Group, a group of companies subject to direction and coordination pursuant to Article 2359 of the Civil Code by its holding company Arnoldo Mondadori Editore S.p.A. (hereinafter “Mondadori Group”), has considered for many years the protection of its customers and users’ personal data of utmost importance, by ensuring that such personal data are processed, whether automatically or manually, in full compliance with the rights and safeguards provided by the General Data Protection Regulation EU 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the “Regulation”) and any other laws and regulations concerning the protection of personal data.
For the purposes of this Notice “personal data” is defined in Article 4 (1) of the Regulation as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (hereinafter “Personal Data”).
The Regulation requires that before carrying out a “processing” of Personal Data - meaning, as defined in Article 4 (2) of the Regulation, “any operation or set of operations performed on personal data or sets of personal data whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” (hereinafter the “Processing”) – the person to whom those Personal Data belong must be informed on the purposes for which those data are requested and how they are going to be used.
The purpose of this Notice is accordingly to provide you, straightforwardly and intuitively, with all the information you may need before providing your Personal Data so that you can understand and be informed on how your Personal Data will be processed as well as request and obtain clarifications and/or rectifications at any time. This Notice (hereinafter the “Notice”) has accordingly been drawn up on the basis of the Principle of Transparency and all the requirements set forth by Article 13 of the Regulation; it is arranged into different sections (“Sections” or individually “Section”) each of which deals with one specific topic, in order to make it simple, intuitive and easy to understand.
B. Who will process your Personal Data? The company which will be processing your Personal Data for the purposes provided by Section D of this Notice (and which will accordingly be the Data Controller as defined in Article 4(7) of the Regulation, “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and the means of the processing of personal data”) is:
- Arnoldo Mondadori Editore S.p.A., with its registered office Via Gian Battista Vico 42, 20123 – Milan administrative office at Via Mondadori 1, 20054 – Segrate (MI), registered at the Companies’ Register of Milan, Tax Code no. 07012130584 and VAT Code no. 08386600152
(hereinafter the “Data Controller”)
The Data Controller, for certain activities and purposes as per Section E, will act jointly with other companies that will be considered as Joint Controllers defined as “two or more companies that jointly defined porpoises and means of processing” according to Article 26 of the Regulation:
- Mondadori Libri S.p.A. with its registered office Via Gian Battista Vico 42, 20123 - Milano and administrative office at Via Mondadori 1, 20054 – Segrate (MI), registered at the Companies’ Register of Milan, Tax Code and VAT Code no. 08856650968
- Mondadori Education S.p.A. with registered office at Via Gian Battista Vico 42, 20123 – Milan, administrative office at Via
Mondadori 1, 20054 – Segrate (MI), registered at the Companies’ Register of Milan, Tax Code and VAT no. 03261490969
- Rizzoli Education S.p.A. with registered office at Via Gian Battista Vico 42, 20123 – Milan, administrative office at Via Mondadori 1, 20054 – Segrate (MI), registered at the Companies’ Register of Milan, Tax Code and VAT no. 05877160159
- Giulio Einaudi Editore S.p.A. with its registered office and administrative office at in Via U. Biancamano 2, 10121 - Turin (TO), registered at the Companies’ Register of Turin, Tax Code no. 08367150151 and VAT Code no. 07022140011
- Mondadori Media S.p.A. with its registered office at Via Gian Battista Vico 42, 20123 - Milan and administrative office at Via Mondadori 1, 20054 – Segrate (MI), registered at the Companies’ Register of Milan, Tax Code and VAT Code no.08009080964
- Mondadori Retail S.p.A. with its registered office at Via Gian Battista Vico 42, 20123 - Milan and administrative office at Via Mondadori 1, 20054 – Segrate (MI), registered at the Companies’ Register of Milan, Tax Code no. 00212560239 and VAT Code no. 11022370156
- Mondadori Scienza S.p.A. with registered office at Via Gian Battista Vico 42, 20123 – Milan and administrative office at Via Mondadori 1, 20054 – Segrate (MI), registered at the Companies’ Register of Milan, Tax Code and VAT no. 09440000157
- Press-Di Distribuzione Stampa e Multimedia S.r.l. with its registered office at Via Gian Battista Vico 42, 20123 - Milan and administrative office at Via Mondadori 1, 20054 – Segrate (MI), registered at the Companies’ Register of Milan, Tax Code and VAT Code no. 03864370964
- Electa S.p.A. with registered office at Via Gian Battista Vico 42, 20123 – Milan, administrative and operative office at Via Mondadori 1, 20054 – Segrate (MI), registered at the Companies’ Register of Milan, Tax Code no. 01829090123 and VAT no. 09671010156
- Direct Channel S.p.A. with its registered office at Via Gian Battista Vico 42, 20123 - Milan and administrative office at Via Mondadori 1, 20054 – Segrate (MI), registered at the Companies’ Register of Milan, Tax Code and VAT Code no. 08696660151
- Adkaora S.r.l. with its registered office at Via Gian Battista Vico 42, 20123 - Milan and administrative office at Via Mondadori 1, 20054 – Segrate (MI), registered at the Companies’ Register of Milan, Tax Code and VAT Code no. 08105480969
(hereinafter jointly with Data Controller, the “Joint Controllers”)
The Joint Controllers entered into a joint controllership agreement, as provided by Article 26 of the Regulation, under which they agreed to:
- jointly determine certain purposes and means of the Personal Data Processing,
- jointly determine, in a clear and transparent way, the procedures to give you a prompt response if you wish to exercise your rights, as provided by Articles 15, 16, 17, 18 and 21 of the Regulation and in case of portability pursuant to Article 20 of the Regulation as better explained in Section I of this Notice;
- jointly define the parts of this Notice that are of common interest providing for all the information required by the Regulation.
VERSIONE 10/2021
C. Whom can you contact?
To facilitate dealings between the Data Controller and the data subjects, individually defined in Article 4 (1) of the Regulation as “ the identified or identifiable natural person” to whom the Personal Data refer (hereinafter the “Data Subject”), the Regulation requires, in some specific cases, the designation of a person responsible for control and support; one of that person’s tasks is to act as the point of contact for the Data Subject.
The Mondadori Group has instituted the position of Data Protection Officer (the “DPO”). The DPO’s duties, under Article 39 of the Regulation, include the following:
- to provide information and advice to the Data Controller or the Data Processor and the employees who carry out processing in relation to their obligations pursuant to the Regulation and other European Union or Member State data protection provisions;
- to monitor compliance with the Regulation, with other European Union or Member State data protection provisions and with the policies of the Data Controller or the Data Processor in relation to the protection of personal data;
- to provide support for the management of the Data Subject’s requests;
- to cooperate with the Garante per la Protezione dei Dati Personali or other competent supervisory authority.
As provided for in Article 38 of the Regulation, you may contact the DPO if you have any questions about the processing of your Personal Data and/or want to exercise your rights as described in Section I of this Notice. You can do this by e-mailing dpo@mondadori.it or by writing to the Data Protection Officer of the Mondadori Group at the address of Arnoldo Mondadori Editore S.p.A., 1 via Mondadori, 20054 Segrate (MI), Italy.
You can find all the information about how your Personal Data are processed, together with the contact details made available to all Data Subjects by the Mondadori Group, in the “Privacy” section of the Websites at any time.
D. For which main purpose will be processed your Personal Data?
The Data Controller needs to process your Personal Data in order to allow you to register to one or more of its websites, ask information by using the contact form and/or subscribe to the newsletter service. The websites for which the Data Controller will collect your Personal Data are listed in the Electa section of the Mondadori Group Privacy Policy at the following link http://www.gruppomondadori.it/privacy-policy (hereinafter “Websites”). The Personal Data will be processed by the Data Controller for the following purposes: to allow you to register to the Websites, join in the events organized by the Data Controller, receive newsletters and use the services provided by each of Websites to which you are registered. Such Processing will be legally based on the contractual relationship between you and Data Controller further to your acceptance of Websites General Terms and Conditions.
Moreover, the Data Controller may process your Personal Data to comply with legal obligations and respond to requests from the competent authorities. In such cases, the Processing will be legally performed on the basis of the compliance with legal obligations to which the Data Controller is subject.
The Data Controller may also disclose o otherwise process your Personal Data in the context of transactions, contract assignments, transfers of business, transfers of business units and/or restructuring to carry out such transactions and comply with the contractual obligations arising therefrom. In such cases, the Processing will be legally performed on the basis of the legitimate interest of the Data Controller to carry out such transactions.
Furthermore, the Data Controller may process your Personal Data to establish, exercise or defend legal claims. Such Processing will be legally performed on the basis of the legitimate interest of the Data Controller to protect its rights.
The provision of the Personal Data marked with * is necessary to carry out the Processing for the purposes above. In case of failure to provide such Personal Data, the Data Controller will not be able to process your Personal Data and, as a consequence, to allow you to register to the
Websites and use any other services provided by the Websites which require the provision of your Personal Data. The Personal Data that will be collected for the purposes above include but are not limited to: first name, last name, home address, date and place of birth, e-mail address and telephone numbers.
Where you decide to access to the Websites by using a social login (e.g. Facebook, Google, Twitter profile), where allowed, the collection of your Personal Data will be done by the provider of the relevant social network that you use to access to our Websites.
You can read this Privacy Notice in the Privacy Section of every Websites.
E. Other purposes
The Data Controller, jointly with the Joint Controllers, may ask you further Personal Data, in addition to those referred to above, including but not limited to data related to your preferences, habits, needs and market choices.
Upon your explicit, free and unambiguous consent, as provided by Article 6 (1) point a) of the Regulation or, as specified below, on the basis of the legitimate interest, the Joint Controllers may process your Personal Data for the following purposes: i. Direct marketing: this definition refers to the intention of the Joint Controllers to carry out promotional and/or marketing activities addressed to you. This includes all the activities aimed at promoting products and/or services, sold and/or provided by the Joint Controllers on the basis of their legitimate interest to reach out their own business scope.
ii. Indirect marketing: this definition refers to the intention of the Joint Controllers to make promotional and/or marketing activities addressed to you on behalf of third parties. This includes all the activities aimed at promoting products and/or services, sold and/or provided by third parties that have a commercial relationship with the Joint Controllers, without any communication of your Personal Data to these latters. iii. Profiling: this definition refers to the intention of the Joint Controllers to profile you, analyse your preferences, habits and market choices even in connection with market researches and statistical analyses. This includes any form of automatic Personal Data Processing aimed at evaluating certain personal aspects including those regarding your professional level, economic status, personal preferences, interests, reliability, movements.
Your Personal Data will be processed for the purposes as per point (ii) and (iii) upon your explicit consent in accordance with all the requirements provided for by Article 7 of the Regulation, so that the Processing of your Personal Data for these purposes will be lawful.
With reference to direct marketing as per point (i), according to Article 6 (1) point f) of the Regulation, the Joint Controllers shall carry out such activities on the basis of their legitimate interest, without the need to obtain your consent and subject to the exercise of your right to object to such Processing as provided for in Recital 47 of the Regulation according to which “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. It will be possible to carry out such activities further to the assessment carried out by the Joint Controllers on the prevalence of their own legitimate interests with respect to your interests, rights and fundamental freedoms in accordance with the applicable legislation.
You may be contacted in different ways for the purposes of direct, indirect marketing and profiling, as per points (i), (ii) and (iii) through automatic means (e-mails) or traditional means (where allowed, calls with operator or mailing). In any case, as better explained in the following Sections H and I, you can object to the Processing and/or withdraw your consent to the Processing or part thereof.
With respect to calls, we inform you that the Joint Controllers will only process your Personal Data upon a prior check at the Opposition Register as regulated by the Presidential Decree September 7 th, 2010, no. 178 and further amendments.
VERSIONE 10/2021
F. To whom may your Personal Data be disclosed?
Your Personal Data may be disclosed to specific persons regarded as “Recipients” of such Personal Data; Article 4 (9) of the Regulation defines a “recipient” as “a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. In order to correctly carry out all the Processing activities for the purposes mentioned in this Notice, your Personal Data may be processed by the following Recipients:
- third parties which perform part of the Processing and/or activities connected with or instrumental to the Processing on behalf of the Data Controller. Each of such persons has been designated as a “Data Processor”, meaning “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller” (Article 4 (8) of the Regulation);
- individuals employed or contracted by the Data Controller and engaged for carrying out one or more specific Processing activities. These individuals have been given specific instructions concerning the safety, security and proper use of Personal Data, and are defined, pursuant to Article 4 (10) of the Regulation, as “persons who, under the direct authority of the controller or the processor, are authorised to process the personal data” (“Authorized Persons”);
- third parties which carry out Processing activities and/or activities connected with or instrumental to the Processing, as autonomous data controllers, including, but not limited to, consulting companies, consultants, banks and financial institutions, insurance companies, other external entities and/or companies belonging to the Mondadori Group;
- where required by the law or necessary for the prevention, investigation, detection or prosecution of criminal offences, your Personal Data may be disclosed to public authorities or to courts without such public authorities or courts being regarded as Recipients: under Article 4 (9) of the Regulation, “public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients”.
G. For how long will your Personal Data be processed?
One of the principles that applies to the Processing of your Personal Data is the storage limitation. Such principle is provided for by Article 5 (1)(e) of the Regulation, which reads “personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject.” In the light of this principle, your Personal Data will be processed by the Data Controller for no longer than is needed for the purposes set out in Section D of this Notice. Specifically, your Personal Data will be stored for the shortest time necessary, as indicated in Recital 39 of the Regulation; that is, up to ten years after the termination of the contractual relationship between you and the Data Controller, without prejudice to a further period of time that may be required or allowed in accordance with statutory or regulatory provisions, as provided for in Recital 65 of the Regulation. As regards the processing carried out for the purposes under Section E of this Notice, the Joint Controllers may lawfully process your Personal Data until you communicate, using one of the channels provided for in this Notice, that your wish to object to the Processing and/or withdraw your consent to one or all the purposes for which it was requested. Should you exercise you right to object or withdraw your consent, the Joint Controllers will be required to immediately stop processing your Personal Data for such purposes.
H. Is it possible to withdraw the consent given?
In accordance with the Regulation, if you have given your consent to the Processing of your Personal Data for one or more of the purposes for which it was sought, you may, at any time, withdraw it, in whole or in part, without affecting the lawfulness of the Processing based on consent given before its withdrawal.
The procedure to withdraw consent is very simple and straightforward: you only have to contact the Data Controller and/or the Joint Controllers and/or the DPO by means of the contact channels provided in Section C of this Notice.
In addition to the above, if you happen to receive advertising emails from the Joint Controllers that are no longer of interest to you, you may simply click on the unsubscribe button at the bottom of such emails to receive no further communications or, if there is no button, using the additional contact channels made available by the Data Controller or the Joint Controllers.
I. Which are your rights?
In accordance with the Regulation, you can exercise at any time towards the Data Controller and/or the Joint Controllers the following rights:
- Right of access: you will be entitled, under Article 15 (1) of the Regulation, to obtain from the Data Controller and/or the Joint Controllers confirmation as to whether or not your Personal Data are being processed, and, where that is the case, access to the Personal Data and the following information: (a) the purposes of the Processing; (b) the categories of Personal Data concerned; (c) the Recipients or categories of Recipient to whom the Personal Data have been or will be disclosed, in particular Recipients in third countries or international organizations; (d) where possible, the envisaged period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from the Data Controller rectification or erasure of Personal Data or restriction of the Processing of your Personal Data, or to object to such Processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the Personal Data are not collected from the Data Subject, any available information as to their source; (h) the existence of automated decision-making, including profiling, referred to in Article 22 and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Processing for the Data Subject.
- All this information can be found in the Privacy section of the website www.mondadori.it .
- Right of rectification: under Article 16 of the Regulation you have the right to obtain from the Data Controller and/or the Joint Controllers without undue delay the rectification of inaccurate Personal Data concerning you. Taking into account the purposes of the Processing, you have the right to have incomplete Personal Data completed, including by means of providing a supplementary statement.
- Right to erasure: under Article 17 (1) of the Regulation you have the right to obtain from the Data Controller the erasure of your Personal Data without undue delay and the Data Controller and/or the Joint Controllers shall have the obligation to erase your Personal Data without undue delay where one of the following grounds applies: (a) the Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) you have withdrawn the consent on which the Processing of your Personal Data is based, and there is no other legal ground for their Processing; (c) you have objected to the Processing pursuant to Article 21(1 or 2) of the Regulation and, in cases under Article 21 (1), if there are no longer any overriding legitimate grounds for the Processing of your Personal Data; (d) your Personal Data have been unlawfully processed; (e) your Personal Data have to be erased for compliance with a legal obligation in European Union or Member State law to which the Data Controller and/or the Joint Controllers are subject.
- In certain cases, as provided for in Article 17 (3) of the Regulation, the Data Controller and/or the Joint Controllers are allowed not to erase your Personal Data if their Processing is necessary, for instance, for exercising the right of freedom of expression and information; for compliance with a legal obligation; for reasons of public interest; for archiving, scientific or historical research purposes in the public interest; or for the establishment, exercise or defence of legal claims.
VERSIONE 10/2021
- Right to restriction of processing: you will be entitled, under Article 18 of the Regulation, to restriction of Processing where one of the following applies: a) you have contested the accuracy of your Personal Data (the restriction will be for a period enabling the Data Controller and/or the Joint Controllers to verify the accuracy of the Personal Data); b) the Processing is unlawful but you oppose the erasure of your Personal Data and request that their use be restricted instead; c) although the Data Controller and/or the Joint Controllers no longer need them for the purposes of the Processing, your Personal Data are required for the establishment, exercise or defence of legal claims; d) you have objected to the Processing under Article 21 (1) of the Regulation pending verification whether the legitimate grounds of the Data Controller and/or the Joint Controllers override your own.
- If the Processing is restricted your Personal Data will, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for important reasons of public interest. We shall in any case notify you before the restriction is lifted.
- Right to data portability: under Article 20 (1) of the Regulation you will be entitled at any time to ask for and receive all your Personal Data processed by the Data Controller and/or the Joint Controllers in a structured, commonly used and machine-readable format or to ask for it to be transmitted to another data controller without hindrance. In such cases you will need to provide us with full and accurate details of the new data controller to which you would like your Personal Data to be transferred, and to give us your authorization in writing.
- Right to object: under Article 21of the Regulation, you will be entitled to object at any time to the Processing of your Personal Data a) if they are processed for purposes of direct marketing including profiling to the extent that it is related to such direct marketing, or b) on grounds relating to your particular situation, if the Processing is based on the legitimate interests of the Data Controller, the Joint Controllers or third parties, unless the Data Controller and/or the Joint Controllers demonstrate compelling legitimate grounds for the Processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims
To exercise any of the above rights you may contact the Data Controller and/or the Joint Controllers using the channels provided in Section C of this Notice.
You are reminded that you can also contact the Mondadori Group’s DPO at any time, as explained in Section C of this Notice.
You also have the right to lodge a complaint with a supervisory authority: without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the Garante per la Protezione dei Dati Personali or other competent supervisory authority if you believe that the Processing of your personal data by the Data Controller and/or Joint Controllers is in violation of the Regulation and/or other applicable laws.
J. Where will your Personal Data be processed?
Your Personal Data will be processed by the Data Controller and/or the Joint Controllers within the European Union.
In case for technical and/or operational issues, it is necessary to engage persons outside the European Union, those persons, where they process Personal Data on behalf on the Data Controller and/or the Joint Controllers, will be appointed as Data Processors in accordance with Article 28 of the Regulation; the transfer of your Personal Data to those persons, which will be limited to the performance of specific Processing activities, will be carried out in accordance with the provisions of Chapter V of the Regulation. All the necessary safeguards will accordingly be taken to guarantee the protection of your Personal Data; to such extent the transfer in question will be based on: (a) decisions of the European Commission as to the adequacy of the recipient non-EU country in question; (b) standard contractual clauses provided for by the European Commission; (c) binding corporate rules.
You may get further details from the Data Controller and/or the Joint Controllers whenever your Personal Data have been processed outside the European Union, by asking for the indication of the specific safeguards in place.
VERSIONE 10/2021