INFORMATION NOTICE PURSUANT TO ART. 13 AND 14 OF REG. (EU) 2016/679 (“GDPR”)

Please find below the information required by the GDPR concerning the processing of personal data provided as part of the registration to the e-commerce portal (“Portal”) and the use of the related services by users (“User/s”) – in particular, the purchase of Benetton gift cards (also in favor of a third party beneficiary, “Beneficiary”) - as better regulated by the general terms and conditions available on the Portal.

1.     Categories and source of the data processed

As indicated in the terms of use, to purchase gift cards on the Portal, the User must register by completing the appropriate form, entering their first and last name, email address, and phone number, and creating a password. During the purchase process, they will also need to provide the necessary payment information (first and last name, address, phone number, credit card details, and, if an invoice is requested, the tax code).

If the User decides to gift the gift card to a Beneficiary, he/she will provide the data to Amilon for delivery purposes (name, surname, email address) together with an “inscription” for him/her.

Information on the processing of navigation data and those relating to the use of cookies can be consulted in the “privacy e cookie policy” made available in the cookie banner that appears at the first access and in the footer of the Portal .

2.     Identity and contact details of the controller

The controller is Amilon Srl, Tax ID and VAT number 05921090964, with registered office in via Natale Battaglia 12, Milan, e-mail address privacy@amilon.it (“Amilon” or “Data Controller”).

3.     Contact details of the data protection officer (DPO)

The DPO can be contacted at the e-mail address dpo-ext@amilon.it .

4.      Purpose of processing, legal basis and retention times

why is personal data processed?

what is the condition that makes the processing lawful?

how long do we keep personal data?

a.      To allow the registration on the Portal and the use of the related services.

a.         The execution of a contract of which the User is a party (or for which the contract is concluded, in the case of the Beneficiary), pursuant to art. 6.1, lett. b) of the GDPR.

For the entire duration of the contractual relationship with Amilon (registration on the Portal) and, as an ordinary limitation period, for the following 10 years.

In the event of litigation, the data are kept until the deadlines for the appeal are exhausted.

b.      To establish, exercise or defend the rights of Amilon .

In order to mitigate the risk of payment fraud on the Portal, the following are provided for:

-           the identification of Users (via e-mail confirmation);

-           the verification of credit or debit card data entered during the purchase process by the User.

The pursuit of the legitimate interest of the Data Controller, pursuant to art. 6.1, lett. f) of the GDPR.

c.       To fulfill administrative-accounting, tax and other legal obligations, in accordance with the requirements of current legislation.

The fulfillment of a legal obligation to which the Data Controller is subject , pursuant to art. 6.1, lett. c) of the GDPR.

The data will be kept for 10 years, as a general ten-year retention period prescribed by law.

d.      To send – to the e-mail address provided by the User – promotional communications regarding products supplied by Amilon similar to those purchased on the Portal (e.g., regarding the addition of a new gift card in the catalogs of Amilon e-commerce sites or relating to a particular discount applied to a certain brand of gift cards sold therein).

The cd. "soft spam" pursuant to art. 130, c. 4 of d. lgs. 196/2003 ("Privacy Code").

Until the possible opposition of the data subjects (by clicking on the "unsubscribe" link present in each communication).

Once the storage terms indicated above have elapsed, the data will be destroyed, deleted or made anonymous, compatibly with the technical timing of cancellation and backup.

5.      Provision of data

The provision of data marked with and asterisk in the aforementioned form is necessary for registration on the Portal or with the purchase of gift cards.

Therefore, failure to provide such data will make it impossible for the User to use the services offered by Amilon on the Portal.

6.      Categories of data recipients

The data may be communicated to other third parties operating as independent data controllers, such as, for example, public authorities and professional firms, entitled to receive them. Furthermore, the data will be disclosed to the so-called acquirer, i.e. the payment service provider handling the payment.

The data may also be processed, on behalf of the Data Controller, by third parties, designated as data processors pursuant to art. 28 of the GDPR, which carry out activities functional to the pursuit of the aforementioned purposes (e.g., IT service providers, customer care and marketing).

Furthermore, the data are processed by Amilon employees - belonging to the company departments responsible for pursuing the aforementioned purposes - who have been expressly authorized to process and who have received adequate operating instructions.

7.      Rights of data subjects

The data subjects (i.e., the subjects to whom the data refer; that is, User and Beneficiary) can exercise the rights referred to in articles 15-22 of the GDPR, by sending a communication to the contact points indicated in par. 2.

In particular, the data subjects can:

-         obtain from the Data Controller confirmation that personal data concerning them are being processed and, in this case, access to them and to the information referred to in art. 15 of the GDPR (purpose of processing, categories of personal data, etc.);

-         obtain the rectification of inaccurate data or the integration of incomplete data pursuant to art. 16 of the GDPR;

-         obtain the erasure of data in the cases provided for by art. 17 of the GDPR;

-         obtain the limitation of processing (i.e. the temporary subjecting of data to storage only), in the cases provided for by art. 18 of the GDPR;

-         object, for reasons related to their particular situation, the processing carried out for the legitimate interest of the owner, pursuant to art. 21 of the GDPR;

-         if the processing is based on consent or contract and is carried out with automated tools, the data subject may request to receive the data in a structured format, commonly used and readable by automatic device, as well as, if technically feasible, to transmit them to another holder without hindrance ("right to portability") pursuant to art. 20 of the GDPR.

As indicated above, data subjects may, at any time, object the processing for direct marketing purposes (also by clicking on the "unsubscribe" link in each e-mail communication).

In any case, the data subjects have the right to lodge a complaint with the competent supervisory authority in the Member State where they habitually reside or work or in the State where the alleged infringement occurred.