Privacy notice – Abuse – MONDADORI DIGITAL S.p.A.

A. Introduction

This Privacy notice is provided with reference to the personal data processing activities carried out by the Data Controller (as defined below), a company belonging to the Mondadori Group - a corporate group consisting of the parent company Arnoldo Mondadori Editore S.p.A. and its subsidiaries in accordance with article 2359 of the Italian Civil Code (hereinafter referred to as the "Mondadori Group") for the management of your abuse report request pursuant to EU Regulation 2022/2065 Digital Services Act (hereinafter, "DSA").

B. Data controller

The company which will process your Personal data for the purposes set out in section C of this Privacy notice and which, therefore, will act as data controller (hereinafter, the "Data Controller") is Mondadori Digital S.p.A. with registered office in Via Gian Battista Vico 42, 20123 – Milan, registered at the Companies' Register of Milan, Tax code and VAT number no. 14371170961.

Contact details:

The Data controller can be contacted via following channels:

• by writing to the Privacy Office of the Mondadori Group (ufficio Privacy del Gruppo Mondadori, Arnoldo Mondadori Editore SpA, Via Mondadori 1, 20054 – Segrate (Milan), Italy);
• by e-mailing privacy@mondadori.it with "alla cortese attenzione dell'ufficio Privacy del Gruppo Mondadori".

Moreover, in order to facilitate relations between you and the Data controller, EU Regulation 2016/679 (hereinafter "GDPR") has provided, in certain specific cases, for the appointment of a supervisory and support figure who, among the various tasks entrusted to them, also acts as a point of contact with the Data Subject.

The Mondadori Group has adopted the position of "Data Protection Officer" ("DPO").

Pursuant to and for the purposes set out in Article 39 of the GDPR, the DPO is called upon to carry out, inter alia, the following activities:

• inform and advise the Data controller, the Data processor and the employees performing the Processing on the obligations arising from the GDPR and from other provisions of the EU or Member State relating to the protection of Personal data;
• monitor and supervise compliance with the GDPR, applicable regulations on the protection of Personal data and the policies and procedures adopted by the Data controller;
• provide support in feedback to the data subject;
• cooperate with the competent Authority for the Protection of Personal Data.

As provided for in Article 38 of the GDPR, you can freely contact the DPO for all matters relating to the processing of Personal data and/or if you wish to exercise your rights as provided in the section F of this Privacy notice, by sending a written communication to the e-mail address dpo@mondadori.it.

C. Purposes for which the Data controller will process your Personal data

C1) Personal data collected through reports is processed for the following purposes:

1. Evaluate and manage reports of illegal or abusive content in accordance with the DSA;
2. carry out the necessary checks;
3. comply with the obligations of the DSA, with particular regard to "notice-and-take-down" mechanisms, transparency, and reporting;
4. notify you of the decision, if necessary.

The processing of your Personal data for this purpose will be carried out pursuant to and in accordance with Article 6(1)(c) of the GDPR.

C2) The Data controller may process your Personal data in order to comply with legal obligations and to respond to requests from competent authorities. In this case, the processing of your Personal data will be based on the fulfilment of legal obligations to which the Data controller is subject. The processing of your Personal data for this purpose will be carried out pursuant to and in accordance with Article 6(1)(c) of the GDPR.

The Personal data that will be processed for the purposes described above will be those indicated in the form, including, but not limited to: e-mail address.

D. Data recipients

Your Personal data may be disclosed to specific parties in order to correctly perform all processing activities necessary to pursue the purposes set out in this Privacy notice. In particular, the following parties may process your Personal data:

• natural persons to whom the Data controller entrusts specific processing operations on your Personal data (e.g. administrative, tax and legal management of the contract), who act under the direct authority of the Data controller and comply with its instructions. Such natural persons are appointed as persons authorised to process by the Data controller;
• third parties who carry out part of the processing activities and/or activities connected and instrumental thereto on behalf of the Data controller by virtue of a contract with the latter (e.g. software houses, companies offering IT maintenance and development services). These subjects are appointed as Data processors;
• third parties who may process your Personal data within the scope of the purposes set out in this Privacy notice in their capacity as independent data controllers (e.g. public and private entities, including but not limited to, third party companies, associations, public organisations, insurance companies, consulting firms, freelance professionals, credit institutions, etc.).

E. Data retention period of your personal data

One of the principles applicable to the processing of your Personal data concerns the limitation of the storage period, regulated in Article 5(1)(e) of the GDPR.

In light of this principle, your Personal data will be processed only to the extent necessary for the purposes set out in section C of this Privacy notice. In particular, your Personal data will be processed and then stored for the minimum period of time necessary, namely: the Data controller will process your Personal data for the entire duration of the report management process. Without prejudice to any further retention periods that may be imposed by law, as also provided for in Whereas 65 of the GDPR.

F. Your rights

As provided for in the GDPR, you may exercise the following rights against the Data controller at any time:

• Right of access: you have the right to obtain from the Data controller confirmation as to whether or not Personal data relating to you are being processed (or the existence of an automated decision-making process) and if so, to obtain access to and/or a copy of such Personal data (Art. 15 of GDPR).
• Right to rectification: you can obtain the rectification or supplementation of your Personal data that is inaccurate, partial and/or incomplete (Art. 16 of GDPR).
• Right to erasure ("right to be forgotten"): under certain circumstances, you have the right to have your Personal data deleted without undue delay (Art. 17 of GDPR).
• Right to restriction: under certain circumstances, you may obtain the restriction of processing (e.g. if you object to the processing, if you exercise your right to rectification, and/or if the processing is unlawful). In the event of a restriction on processing, your Personal data will only be processed, except for storage, with your consent or for the establishment, exercise or defence of legal claims or to protect the rights of another natural or legal person or for reasons of substantial public interest. We will, in any event, inform you before such restriction is lifted (Art. 18 of GDPR).
• Right to data portability: you may, at any time, request and receive all your Personal data processed by the Data controller in a structured, commonly used and machine readable format or request its transmission to another data controller without hindrance (Art. 20 of GDPR).
• Right to object: you have the right to object at any time, on grounds relating to your particular situation, to the processing of Personal data concerning you. In the event of an objection, the Data controller will refrain from the processing to which you object, unless it can be shown that there are compelling legitimate grounds for processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of a legal claim (Art. 21 of GDPR).

To exercise all your rights, simply contact the Data controller at the contact details given in section B of this Privacy notice.

You also have the right to lodge a complaint with the supervisory authority: without prejudice to your right to appeal in any other administrative or judicial forum, if you consider that the processing of your Personal data is in breach of the applicable legislation and/or that your rights have not been fulfilled, you may lodge a complaint with the Italian Data Protection Authority or other competent supervisory authority.

G. Where your Personal data will be processed

Your Personal data will be processed by the Data controller within the territory of the European Union. If, for technical and/or operational reasons, it becomes necessary to use parties located outside the European Economic Area, the Data controller undertakes to ensure that the level of protection of your Personal data is substantially equivalent to that provided by the GDPR and European data protection legislation. Any possible transfer of data will be regulated in accordance with Chapter V of the GDPR, basing such transfers on: (a) European Commission adequacy decisions; (b) standard contractual clauses drafted by the European Commission; (c) the adoption of corporate binding rules (BCRs). In any case, you can request more details from the Data controller if your Personal data have been processed outside the European Economic Area.

Glossary

In application of the principle of transparency, we provide below a short glossary containing some key words used by the GDPR and their definition.

• Personal data: "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".
• Data subject: the natural person to whom the personal data relate.
• Processing: "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction".
• Data controller: "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law".
• Data processor: "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller".