Information to Data Subjects - Privacy Policy of the Website

Dear User, when you access and navigate on this website (hereinafter 'Website') some of your personal data is acquired, stored, and managed (in technical terms 'processed') through the device you are using, also by analyzing and saving your IP address, browsing data, 'cookies' and other online identifiers such as 'pixels'. In light of these processing activities, in compliance with the applicable legislation that requires the protection, confidentiality and security obligations on your data, KARTELL S.p.A. clarifies below the purposes and means defined in its capacity as Data Controller.

Data processing operations will be performed as Data Controller by KARTELL S.p.A., with legal seat in Noviglio (MI), via delle Industrie n.1, VAT IT 11349160157.

KARTELL S.p.A. can be contacted at the following addresses:

• by writing an e-mail to privacy@kartell.it;
• by hard mail, at the address of the legal seat as provided above

The categories of data processed through the Website are:

• information related to the User's browsing activities, including the so-called online identifiers and data related to the device in use;
• personal identification and contact data provided freely by the User on the Website, including those necessary for the conclusion of the purchase of goods and services, even without registration (‘purchase as guest’), such as: name, surname, e-mail address, telephone number;
• personal data necessary for the management of shipping methods and systems, such as: address of residence or domicile, destination address of purchased goods;
• personal data necessary for the management of payment methods and systems, such as: bank card number and data, bank account data, account data of the chosen payment system (i.e. PayPal);
• personal data obtained from third parties or sources, in connection with specific initiatives or purposes promoted by the Data Controller;
• other categories of data, specifically identified, in case of further implementation of purposes on the Website.

Purposes	Legal basis	Data retention period
User access to the pages of the Website, to its functionality and content such as, for example, products catalogs	6 (1) (b) performance of pre-contractual activities	for the duration the User remains on the Website, and in any case for a maximum of 24 months after it.
Feedback to requests of contact or information sent by the User, including through the digital assistant service (‘KAssistant’)	6 (1) (f) exercise of legitimate interest, aimed at maintaining relations with Users of the Website	for a maximum of 10 years from the last interaction between the user and the Data Controller.
User registration aimed at booking an appointment at one of the Data Controller’s store	6 (1) (b) performance of pre-contractual activities	for a maximum of 6 months from the interaction between the user and the Data Controller.
Registration, access and use by the User of the eCommerce shop, even in case of ‘purchase as a guest’, including the activities of purchasing, payment, product management and delivery, management of returns and refunds	6 (1) (b) performance of pre-contractual and contractual activities, also for the purpose of enabling, facilitating or simplify the purchase	for as long as necessary to achive the purpose, up to a maximum of 10 years after the User has been deleted from the eCommerce.
Management of the User's shopping cart with regard to the so-called abandoned checkout functionality as a result of interrupted purchase flow or eCommerce shop anomalies	6 (1) (f) exercise of legitimate interest, aimed at promoting the recovery of purchase interactions interrupted for technical reasons	for as long as necessary to achive the purpose, up to a maximum of 7 days after the interruption due to technical reasons
Management of tax documentation related to purchases through eCommerce shop	6 (1) (c) to fulfill a legal obligation to which the Data Controller is subject (in particular, accounting and tax obligations)	for a maximum of 10 years after the last purchase made.
Managing unsolicited contacts from Users by sending Curriculum Vitae and/or other communications	6 (1) (b) performance of pre-contractual activities	for a maximum of 12 months from the ending of the selection process, safe for further retention needs or User’s consent.
Analysis of the usage statistics and improvement of the functionality of the Website by technologies involving data processing activities in accordance with 2002/58/EC Directive	6 (1) (a) User consent	until the expiry of the longest retained online ID (cookie or other technology as stored), save for User’s requests of cancellation and/or anonymization activities.
Analysis of the usage statistics and improvement of the functionality of the Website by technologies involving data processing activities in accordance with 2002/58/EC Directive	6 (1) (f) exercise of legitimate interest, aimed at improving its products and services	only for the period necessary for complete anonymization of the collected data.
Recontacting the User by e-mail following the purchase of goods or services offered by the Data Controller, aimed at the proposed sale of additional similar goods or services	6 (1) (f) exercise of legitimate interest, aimed at promoting its sales of goods and services in compliance with the limits set by Art. 130, par. 4, Legislative Decree 196/2003 (so-called "soft spam")	for a maximum of 24 months from the last purchase made by the User, subject to the right of objection expressed by the user expressed in any manner.
User contact as a result of events or meetings within which the Data Controller or third parties have collected personal contact data	6 (1) (a) User consent or, alternatively, 6 (1) (f) exercise of legitimate interest, aimed at maintaining contact with the User who has expressed interest in the goods and services offered	until consent is withdrawn or for up to 3 months after reception of the data in the case of the exercise of legitimate interest, subject to the right of opposition expressed by the user expressed in any manner.
User subscription to the newsletter and subsequent management of related commercial communications of special offers, promotions and news, by means of both automated and non-automated systems (so-called marketing purposes)	6 (1) (a) User consent	until the user withdraws consent, and then no later than 2 months afterwards for technical and procedural purposes of the Data Controller.
Locating the store closest to the User using geolocation tools	6 (1) (a) User consent	until the end of the duration of the online ID related to the requested functionality.

If the User wish to receive more information about the balance between the legitimate interests pursued by the Data Controller and the fundamental rights and freedoms of the natural person, he/she can contact the Data Controller at the addresses indicated, and in particular at the e-mail address provided, having the right to receive adequate feedback as soon as possible and in any case within the time required by law.

In the event of litigation with the User or with third parties, or control of the competent Authorities, the conservation may be extended until the expiry of the last applicable prescription period.

The User's personal data will not be disseminated in any way, except for the acquisition of express and prior consent or within the limits of what is provided for or imposed by law.

The provision of personal data from time to time indicated as mandatory is necessary to pursue the related purposes: not providing such data makes it impossible to proceed with the related processing.

The provision of other personal data is optional: failure to provide such additional data may make it impossible to access all or part of the Website's functions or characteristics. With respect to so-called marketing and profiling purposes, as well as in relation to so-called "online identifiers" that are not merely technical, consent to the processing of personal data is optional: there is no legal or contractual obligation on the user to provide such data for such a purpose and/or to give consent to the processing of his or her personal data for such a purpose.

The Website does not process any personal data through automated decision-making processes, in accordance with current legislation, and in particular in accordance with Article 22(1) and (4) of the GDPR.

In any case, any automated processing will not have a legal effect on the person concerned or significantly affect him/her, unless specific informed consent is acquired and in any case within the limits of the law.

Within the limits of the obligations, tasks or purposes indicated above, personal data may be made available and / or communicated to:

• employees and / or collaborators of the Data Controller;
• other third parties who provide management, maintenance or intervention services on the Site and / or on other tools used by the Data Controller;
• Judicial, administrative and / or public security authorities.

The complete list of Data Processors and other third parties to whom the data are made available and / or communicated can be requested from the Data Controller at any time, at the indicated references.

Personal data will be transferred to countries outside the European Economic Area for technical purposes, in any case to entities based in countries recognized as ‘adequate’ by the European Commission, including members of the ‘EU-US Data Privacy Framework’, or to entities that have entered into specific Standard Contractual Clauses based on the current text approved by the European Commission.

The User, as a "Data Subject" according to the GDPR, can at any time exercise the rights attributed to him by the European Regulation n.2016/679. In particular, the User has the right to:

• access his/her personal data;
• obtain the correction or cancellation of the same or the limitation of the processing that concerns him/her;
• oppose the processing;
• obtain his/her data portability, where provided by the law;
• withdraw consent, where provided: the withdrawal of consent does not affect the lawfulness of the processing based on the consent given before the revocation;
• lodge a complaint with the supervisory authority. For Italy - as the Data Controller’s home state - the supervisory authority is the ‘Autorità Garante per la protezione dei dati personali’ based in Rome (www.gpdp.it).

The exercise of the aforementioned rights can take place by sending a request to the Data Controller's references, as indicated above, and in particular to the e-mail address privacy@kartell.it