Privacy notice provided in accordance with Article 13 of the GDPR Arnoldo Mondadori Editore S.p.A.

A. Introduction

This Privacy Notice relates to the processing of your personal data carried out by the Data Controller (as defined below) on the website (hereinafter the “Website”) that you are currently browsing.

B. Data Controller

The company that will process your personal data for the purposes set out in Section D of this Policy, in its capacity as data controller (the “ Data Controller”), is Arnoldo Mondadori Editore S.p.A., with its registered office at Via Gian Battista Vico 42, 20123 Milan, and administrative headquarters at Via Mondadori 1, 20054 Segrate (MI), registered with the Milan Companies Register, Tax Code No. 07012130584 and VAT No. 08386600152. Arnoldo Mondadori Editore S.p.A. is the parent company of the Mondadori Group (the “Mondadori Group”), namely the group of companies comprising Arnoldo Mondadori Editore S.p.A. itself and its subsidiaries within the meaning of Article 2359 of the Italian Civil Code.

C. Contact channels

The Data Controller can be contacted via the following channels:

- by writing to the Mondadori Group’s Data Protection Office at the parent company Arnoldo Mondadori Editore S.p.A., Via Mondadori 1, 20054 – Segrate (Milan);

- by sending an email to the address privacy@mondadori.it for the attention of the Mondadori Group’s Data Protection Office.

The Data Controller has appointed a “Data Protection Officer” (“DPO”) in accordance with Article 37 of the GDPR. The DPO can be contacted regarding any matters relating to the protection of personal data via the following channels:

- by email to dpo@mondadori.it, and/or - by post, addressed to the attention of the Mondadori Group’s Data Protection Officer at Arnoldo Mondadori Editore S.p.A., Via

Mondadori 1, 20054 Segrate (MI).

  1. D. The purposes for which the Data Controller will process your personal data
  2. D1) The Data Controller will collect and process your personal data to enable you to browse the website www.gruppomondadori.it. Your personal data will be processed for this purpose in accordance with Article 6(1)(b) of the GDPR.
  3. D2) The Data Controller may process your personal data in order to comply with legal obligations and respond to requests from the relevant authorities. In that case, the processing of your personal data will be based on the fulfilment of legal obligations to which the Data Controller is subject. Your personal data will be processed for this purpose in accordance with Article 6(1)(c) of the GDPR.
  4. D3) The Data Controller may also disclose or otherwise process your personal data in connection with extraordinary transactions, transfers of contracts, businesses or business units, and corporate reorganisation and restructuring, in order to complete and manage such transactions or to fulfil its contractual obligations arising from such transactions. Your personal data will be processed for this purpose in accordance with Article 6(1)(f) of the GDPR.
  5. D4) The Data Controller may process your personal data to establish, exercise and defend its rights in court (e.g.in the event of cybercrimes committed against the Website). Your personal data will be processed for this purpose in accordance with Article 6(1)(f) of the GDPR. The personal data that will be processed for the purposes set out above includes, but is not limited to: IP address, the domain name of the computer used to connect to the Website, the time of day the request was made to the server, the method used to submit the request to the server, and other parameters relating to the operating system and the IT environment.

E. Parties to whom your personal data may be disclosed

Your personal data may be disclosed to specific parties in order to carry out all the processing activities necessary to achieve the purposes set out in this Privacy Notice. In particular, the following parties may process your personal data:

F. Retention periods for your personal data

One of the principles applicable to the processing of your personal data concerns the limitation of the retention period, as set out in Article 5(1)(e) of the GDPR. In accordance with this principle, your personal data will be processed only to the extent necessary to achieve the purposes set out in section D of this Policy. In particular, your personal data will be processed and then stored for the purposes set out in section D1) of this policy for a period of time no longer than is strictly necessary, i.e. for a maximum of thirty days. This is without prejudice to any further retention periods that may be required by law, as also provided for in Recital 65 of the GDPR.

G. Your rights

As provided for in the GDPR, you may exercise the following rights vis-à-vis the Data Controller at any time:

To exercise all your rights, simply contact the Data Controller using the contact details provided in Section C of this Policy. You also have the right to lodge a complaint with the supervisory authority: without prejudice to your right to seek redress through any other administrative or judicial channel, should you consider that the processing of your personal data is in breach of applicable legislation and/or that your rights have not been upheld, you may lodge a complaint with the Italian Data Protection Authority or another competent supervisory authority.

H. Where your personal data will be processed

Your personal data will be processed by the Data Controller within the European Union. Should it become necessary, for technical and/or operational reasons, to engage service providers located outside the European Economic Area, the Data Controller undertakes to ensure that the level of protection afforded to your personal data is substantially equivalent to that provided for by the GDPR and European data protection legislation. Any transfer of data will be governed in accordance with the provisions of Chapter V of the GDPR, and such transfers will be based on: (a) adequacy decisions concerning third countries issued by the European Commission; (b) standard contractual clauses drawn up by the European Commission; (c) the adoption of binding corporate rules, known as corporate binding rules. In any case, you may request further details from the Data Controller if your personal data has been processed outside the European Economic Area.

Glossary

In accordance with the principle of transparency, we have provided below a brief glossary containing some key terms used in the GDPR and their definitions.