A. Introduction
This Privacy Notice relates to the processing of your personal data carried out by the Data Controller (as defined below) on the website (hereinafter the “Website”) that you are currently browsing.
B. Data Controller
The company that will process your personal data for the purposes set out in Section D of this Policy, in its capacity as data controller (the “ Data Controller”), is Arnoldo Mondadori Editore S.p.A., with its registered office at Via Gian Battista Vico 42, 20123 Milan, and administrative headquarters at Via Mondadori 1, 20054 Segrate (MI), registered with the Milan Companies Register, Tax Code No. 07012130584 and VAT No. 08386600152. Arnoldo Mondadori Editore S.p.A. is the parent company of the Mondadori Group (the “Mondadori Group”), namely the group of companies comprising Arnoldo Mondadori Editore S.p.A. itself and its subsidiaries within the meaning of Article 2359 of the Italian Civil Code.
C. Contact channels
The Data Controller can be contacted via the following channels:
- by writing to the Mondadori Group’s Data Protection Office at the parent company Arnoldo Mondadori Editore S.p.A., Via Mondadori 1, 20054 – Segrate (Milan);
- by sending an email to the address privacy@mondadori.it for the attention of the Mondadori Group’s Data Protection Office.
The Data Controller has appointed a “Data Protection Officer” (“DPO”) in accordance with Article 37 of the GDPR. The DPO can be contacted regarding any matters relating to the protection of personal data via the following channels:
- by email to dpo@mondadori.it, and/or - by post, addressed to the attention of the Mondadori Group’s Data Protection Officer at Arnoldo Mondadori Editore S.p.A., Via
Mondadori 1, 20054 Segrate (MI).
- D. The purposes for which the Data Controller will process your personal data
- D1) The Data Controller will collect and process your personal data to enable you to browse the website www.gruppomondadori.it. Your personal data will be processed for this purpose in accordance with Article 6(1)(b) of the GDPR.
- D2) The Data Controller may process your personal data in order to comply with legal obligations and respond to requests from the relevant authorities. In that case, the processing of your personal data will be based on the fulfilment of legal obligations to which the Data Controller is subject. Your personal data will be processed for this purpose in accordance with Article 6(1)(c) of the GDPR.
- D3) The Data Controller may also disclose or otherwise process your personal data in connection with extraordinary transactions, transfers of contracts, businesses or business units, and corporate reorganisation and restructuring, in order to complete and manage such transactions or to fulfil its contractual obligations arising from such transactions. Your personal data will be processed for this purpose in accordance with Article 6(1)(f) of the GDPR.
- D4) The Data Controller may process your personal data to establish, exercise and defend its rights in court (e.g.in the event of cybercrimes committed against the Website). Your personal data will be processed for this purpose in accordance with Article 6(1)(f) of the GDPR. The personal data that will be processed for the purposes set out above includes, but is not limited to: IP address, the domain name of the computer used to connect to the Website, the time of day the request was made to the server, the method used to submit the request to the server, and other parameters relating to the operating system and the IT environment.
E. Parties to whom your personal data may be disclosed
Your personal data may be disclosed to specific parties in order to carry out all the processing activities necessary to achieve the purposes set out in this Privacy Notice. In particular, the following parties may process your personal data:
- natural persons to whom the Data Controller entrusts specific processing operations relating to your personal data ( e.g. administrative, tax and legal management of the contract), who act under the direct authority of the Data Controller and in accordance with the instructions given by the Data Controller. These individuals are appointed by the Data Controller as authorised data processors;
- third parties who carry out part of the processing activities and/or activities related to and instrumental to such processing on behalf of the Data Controller pursuant to a contract with the latter (e.g. software houses, companies offering IT maintenance and development services). These parties are appointed as data processors; third parties who may process your personal data for the purposes set out in this Notice in their capacity as independent data controllers (e.g. public and private bodies, including, but not limited to, third-party companies, associations, public organisations, insurance companies, consultancy firms, self-employed professionals, credit institutions, etc.).
F. Retention periods for your personal data
One of the principles applicable to the processing of your personal data concerns the limitation of the retention period, as set out in Article 5(1)(e) of the GDPR. In accordance with this principle, your personal data will be processed only to the extent necessary to achieve the purposes set out in section D of this Policy. In particular, your personal data will be processed and then stored for the purposes set out in section D1) of this policy for a period of time no longer than is strictly necessary, i.e. for a maximum of thirty days. This is without prejudice to any further retention periods that may be required by law, as also provided for in Recital 65 of the GDPR.
G. Your rights
As provided for in the GDPR, you may exercise the following rights vis-à-vis the Data Controller at any time:
- Right of access : You have the right to obtain from the Data Controller confirmation as to whether or not your personal data are being processed (or whether automated decision-making is taking place) and, if so, to obtain access to and/or a copy of such personal data (Article 15 of the GDPR).
- Right to rectification : You have the right to have your personal data rectified or supplemented if it is inaccurate or incomplete (Article 16 of the GDPR).
- Right to erasure (known as the ‘right to be forgotten’): in certain circumstances, you have the right to have your personal data erased without undue delay (Article 17 of the GDPR).
- Right to restriction of processing : in certain circumstances, you may request that processing be restricted (e.g., if you have objected to the processing, if you have exercised your right to rectification, and/or if the processing is unlawful). Where processing is restricted, your personal data will be processed – except for storage – only with your consent, or for the establishment, exercise or defence of legal claims, or to protect the rights of another natural or legal person, or for reasons of substantial public interest. In any case, we will inform you before this restriction is lifted. (Art. 18 of the GDPR).
- Right to data portability : You may, at any time, request and receive all your personal data processed by the Data Controller in a structured, commonly used and machine-readable format, or request that it be transmitted to another data controller without hindrance (Article 20 of the GDPR).
- Right to object : You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data. If you object, the data controller will cease the processing to which you have objected, unless it can demonstrate that there are compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims (Article 21 of the GDPR).
To exercise all your rights, simply contact the Data Controller using the contact details provided in Section C of this Policy. You also have the right to lodge a complaint with the supervisory authority: without prejudice to your right to seek redress through any other administrative or judicial channel, should you consider that the processing of your personal data is in breach of applicable legislation and/or that your rights have not been upheld, you may lodge a complaint with the Italian Data Protection Authority or another competent supervisory authority.
H. Where your personal data will be processed
Your personal data will be processed by the Data Controller within the European Union. Should it become necessary, for technical and/or operational reasons, to engage service providers located outside the European Economic Area, the Data Controller undertakes to ensure that the level of protection afforded to your personal data is substantially equivalent to that provided for by the GDPR and European data protection legislation. Any transfer of data will be governed in accordance with the provisions of Chapter V of the GDPR, and such transfers will be based on: (a) adequacy decisions concerning third countries issued by the European Commission; (b) standard contractual clauses drawn up by the European Commission; (c) the adoption of binding corporate rules, known as corporate binding rules. In any case, you may request further details from the Data Controller if your personal data has been processed outside the European Economic Area.
Glossary
In accordance with the principle of transparency, we have provided below a brief glossary containing some key terms used in the GDPR and their definitions.
- Personal details: “any information relating to an identified or identifiable natural person (‘data subject’); a natural person is considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity”.
- Data subject: the natural person to whom the personal data relate.
- Treatment: “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.
- Data controller: “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be laid down by Union or Member State law”.
- Data processor: “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.