PRIVACY INFORMATION AND CONSENT TO PROCESSING OF PERSONAL DATA (pursuant to Articles 13 and 14 of EU Regulation 679 of 2016)

Pursuant to the provisions of EU Regulation 679 of 2016 on the protection of natural persons with regard to the processing of personal data, we inform you that ROBERTO COIN S.p.A. will access, collect and process the personal data you provide. Specifically, in compliance with the legislative procedures laid down in the General Data Protection Regulation (GDPR) and respecting the fundamental rights and freedoms of natural persons, we inform you that in this document we set out the modalities of the management of our website as regards the processing of the personal data of the users that consult it. You are requested to read the following privacy information, given as prescribed in Articles 12, 13 and 14 (if the personal data have not been obtained from the data subject but from other sources) of the GDPR as subsequently amended and added to, so that you can fully understand on what basis the personal data are collected, how they are used and stored and to whom they are disclosed, with particular regard to:

• website browsing data;
• website cookies;
• contacts and data provided voluntarily by the data subject who uses the website (e.g. to ask to receive newsletters, request information, obtain an online guarantee or register with/access the e-shop).

Definitions

1. “Personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
2. “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
3. “controller” means the natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by European Union or Member State law, the controller or the specific criteria for the nomination of the controller may be provided for by European Union or Member State law;
4. “processor” means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller;
5. “data subject” means the natural person to whom the personal data processed refer. EU Regulation 679 of 2016 devotes particular attention to the rights that the data subject may exercise with respect to the data controller;
6. “recipient” means a natural or legal person, public authority, agency or other body, to whom or to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law are not regarded as recipients; the processing of these data by these public authorities complies with the applicable data protection rules according to the purposes of the processing;
7. “third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons that, under the direct authority of the controller or processor, are authorised to process personal data;
8. “consent of the data subject” means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by an explicit affirmative action, signifies agreement to the processing of personal data relating to him or her;
9. “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed;
10. “supervisory authority” means an independent public authority which is established by a Member State pursuant to Article 51;
11. “supervisory authority concerned” means a supervisory authority which is concerned with the processing of personal data because: (a) the controller or processor is established on the territory of the Member State of that supervisory authority; (b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or (c) a complaint has been lodged with that supervisory authority.

Data controller

This information is provided, in its capacity as controller of the processing of the personal data, by ROBERTO COIN S.p.A. (hereinafter also referred to as the Company), with its registered office at Viale Trieste 13, 3600 Vicenza, Italy, VAT No. and Tax Code 02193150246. In order to contact the controller, you may write to the address given above or to email address privacy@robertocoin.com.

Types of data processed, purpose of processing and legal basis

We inform you that ROBERTO COIN S.p.A. will process your personal data (hereinafter only the “Personal Data” – see Article 4.1 of the Regulation) after you have browsed the website.

What are the Personal Data?

Information that, directly or indirectly, enables the data subject to be identified as a natural person: “directly” means through his or her forename, surname and address; “indirectly” means when the Personal Data are processed together with other information.

Specifically, the Personal Data processed through the website are the following:

1. Browsing data

   The information systems and software procedures for the functioning of this website, during their normal operation, acquire some personal data whose transmission is implicit in the use of internet communication protocols. The information is not collected to be associated with identified interested parties, but could, by its nature, allow users to be identified through processing and association with data held by third parties. This category of data includes IP addresses or domain names of computers employed by users connecting to the site, the addresses of the requested resources in Uniform Resource Identifier (URI) notation, the time of the request, the method used in submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (success, error, etc.), the times of the beginning and end of the session and other parameters related to the operating system and the user’s IT environment.

   Purposes of and legal basis for the processing. The Personal Data are used for the sole purposes of gaining anonymous statistical information on the use of the site and checking that it functions correctly. The Personal Data could also be used in order to establish liability in the event of digital crimes against the site (controller’s legitimate interest).

   Storage period. The Personal Data are normally erased immediately after having been processed and are therefore stored for short periods of time, except for any extensions of the storage period required for investigations. In this event the Personal Data could be used by the competent authorities to establish liability should digital crimes have been committed against the site.

   Provision of Personal Data. The Personal Data are not provided by the data subject but acquired automatically by the site’s technological systems.

2. Cookies

   Cookies are small text files that websites visited by users send to their devices, in which they are memorised in order to be re-transmitted to the same websites on the next visit. Third-party cookies, on the other hand, are set by a website other than the site the user is visiting. This is because elements can be present on any website (images, maps, sounds, links to web pages of other domains, etc.) that reside on servers other than those of the websites visited.

   According to their duration, cookies may be either session cookies (i.e. temporary files that are automatically erased from a user’s device at the end of the browsing session) or persistent cookies (i.e. files that are stored on the device until they expire or are deleted by the user).

   Cookies are used for various purposes. Primarily, they are used to transmit the communication or provide the service required by the user; more precisely, they enable the website and optimise its functions, carry out digital authentication and prevent abuse, monitor sessions and enhance browsing experience, for example by keeping the connection to restricted areas active while the user browses the pages of the site without it being necessary for the user ID and password to be re-entered; and by storing specific information regarding users (including preferences and the type of browser and computer employed).

   Cookies may only be read or modified by the website that generated them; they cannot be used to retrieve any data from the user’s terminal and cannot transmit computer viruses. Some of the functions of a cookie can also be performed by other technologies; accordingly, in the context of our website privacy policy, in using the term “cookie” we intend to refer to cookies themselves and to all similar technologies.

   Use of cookies on this website: please refer to the full information regarding cookies under the heading “COOKIE POLICY” published on this website.

3. Data voluntarily provided by the data subject

   Except as stated for browsing data, the data subject is free to provide the Personal Data requested when carrying out the following operations:

   • compiling contact forms to request information or send messages of other kinds;
   • registering to receive marketing newsletters;
   • applying for an online warranty instead of a paper warranty;
   • registering with the e-shop or providing authentication data to obtain access to the e-shop.

   If the Personal Data referred to above are not provided, it may not be possible to render the service requested.

   The Personal Data, in any case, will be stored for as long as is compatible with the purpose for which they have been collected.

In detail:
Contacts form for the processing of client and supplier data
The Personal Data are processed in order to:

• give information;
• enter into contractual and professional relationships;
• fulfil pre-contractual, contractual and tax obligations arising from existing relationships and handle the necessary communications related thereto;
• fulfil obligations laid down by law, by a regulation, by European Union law or in an order from a public authority;
• exercise a legitimate interest or a right of the controller (e.g. the right of defence in a law court, in order to safeguard claims or to satisfy routine internal operational, management and accounting requirements).

Purposes of and legal basis for the processing: the purposes are administrative and accounting and the legal basis is consent (as regards a request for information), the performance of a contract or the controller’s legitimate interest.

Storage period: a time compatible with the purposes of collection.

Provision of the Personal Data: mandatory for entering into contact with the Company.

Marketing, promotional and advertising activities (newsletter) registration form

Purposes of and legal basis for the processing: marketing, promotional and advertising activities related to the controller’s products and services through automated systems (fax, hard copy mail, email), supplying news and the latest information on the activities of the controller and the submission of sale offers for the products marketed by the controller. The legal basis is consent.

Storage period: the Personal Data will be stored until consent is withdrawn. Once consent has been withdrawn, the controller will cease to use the data for these purposes, but may store them in order to protect itself against possible liabilities based on the processing.

Provision of the Personal Data: explicit and mandatory for receiving the service.

If consent is not given, this impairs the processing of the data for the specific marketing, promotional and advertising purposes concerned, for sending newsletters and for contacting the user by telephone or by other means.

The data will be processed fully respecting the data subject’s fundamental rights, without harming his privacy or dignity, always fairly, lawfully and in a transparent manner and will not be further processed in a manner that is incompatible with these purposes. All the security measures necessary to ensure the confidentiality and integrity of the data will be taken.

Online warranty application

Purpose of and legal basis for the processing: applying for a digital/online warranty instead of a paper warranty. The legal basis is consent.

Storage period: the Personal Data will be stored until consent is withdrawn. Once consent has been withdrawn, the controller will cease to use the Personal Data for this purpose, but may store them in order to protect itself against possible liabilities based on the processing.

Provision of the Personal Data: explicit and mandatory for fulfilling the purpose of the processing. If consent for this purpose is not given, it will not be possible for the controller to render the service.

E-shop registration/authentication

Purposes of and legal basis of the processing:

• access to the e-shop;
• the fulfilment of all administrative, accounting and financial obligations under any contract entered into or to be entered into with ROBERTO COIN S.p.A. and any other additional activities related thereto;
• the delivery of any customer service including those regarding warranties and post-sales and any additional activities related thereto;
• determining payment terms and any additional activities;
• compliance with international and/or European Union obligations, regulations and/or rules;
• the evaluation of customer satisfaction levels;
• the use of the data to continue with online sales transactions exclusively through the e-shop on company website www.robertocoin.com in conformity to the sales conditions set out in the e-shop area.

The legal basis is the execution of the contract or the controller’s legitimate interest.

Storage period: the Personal Data will be stored for the period of time necessary for the pursuit of the purposes for which they have been collected and processed. After this time the controller will cease to use the Personal Data for these purposes, but may store them in order to protect itself against possible liabilities based on the processing.

Provision of the Personal Data: explicit and mandatory for entering into contact with the Company.

Modalities for processing the Personal Data

The Personal Data are processed with automated tools. They will be processed fully respecting data subjects’ fundamental rights, without harming their privacy or dignity, always fairly, lawfully and in a transparent manner and will not be further processed in a manner that is incompatible with these purposes. All the security measures necessary to ensure the confidentiality and integrity of data subjects’ Personal Data will be taken.

Entities, or categories of entities, to whom the Personal Data could be disclosed

The data subject’s Personal Data could be disclosed to suppliers and third parties that perform certain services on the controller’s behalf, always respecting the arrangements for their processing and, should this be required, with the data subject’s consent. The Personal Data will be shared with and made available to such external services providers only to the extent necessary to satisfy the purposes specified in this informative document. The categories of outside entities of whose services the

Company could avail itself in order to carry out a part of its activities are:

• companies performing banking and financial services;
• companies and/or external advisors performing activities pertinent to the Company’s business activities (management software, gathering economic and financial information, IT systems management, insurance, credit management and protection);
• companies and/or external advisors appointed to fulfil legal obligations (accountancy firms, notaries, lawyers, labour consultants);
• marketing firms, agents and shippers;
• public bodies (tax offices, etc.) and authorised tax assistance centres;
• entities and persons working on contracts with the controller (e.g. technical assistance centres, internet and telecommunications operators, employees and freelancers working for outside firms).

In no circumstances will the Personal Data processed be disclosed to entities unauthorised by the controller except for the disclosure or dissemination of data requested by law by police forces, judicial authorities, information and security bodies or other public bodies for the purposes of the defence or security of the state or the prevention, investigation or repression of criminal offences.

Disclosure of the Personal Data

No Personal Data will be disclosed in any circumstances.

Place of processing

The Personal Data will be processed within the area of the European Union and in non-EU countries.

Amendments

The data controller reserves the right to amend or merely update the contents of this informative document, either in part or totally, also as a result of changes in applicable laws. The data controller suggests that data subjects visit this section regularly in order to acquaint themselves with the most recent and up-to-date version of this document so that they are always aware of the latest information regarding their Personal Data and of the use to which the data controller puts them.

Data subject’s legal rights

Data subjects are legally guaranteed a series of rights regarding their Personal Data. The data controller undertakes to protect Personal Data and comply with the laws on data protection that come into force at any given time. Fuller information and suggestions regarding data subjects’ rights may be obtained by consulting the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) website.

• Right to be informed: data subjects have the right to receive clear, transparent and easily intelligible information on the use of their Personal Data and on their rights. It is for this reason that the information contained in this document is provided.
• Right of access: data subjects have the right to obtain access to their Personal Data (if they are being processed) and other information (similar to that provided in this privacy information). The purpose of this is to enable data subjects to learn whether or verify that their Personal Data are used in compliance with data protection law.
• Right to rectification: data subjects have the right to obtain the rectification of their Personal Data in the event that they are inaccurate or incomplete.
• Right to erasure: also referred to as the “right to be forgotten”, this right enables data subjects to obtain the erasure or removal of their Personal Data if there is no valid reason for continuing to use them. This is not a general right to erasure; there are exceptions.
• Right to restriction of processing: Data subjects have the right to have their Personal Data blocked or to prohibit them from being used further. When processing has been restricted, however, the data controller stores a list of the persons who have requested a restriction on the further use of their Personal Data in order to ensure that the restriction is observed in future.
• Right to data portability: Data subjects have the right to obtain and reuse their Personal Data for their own purposes in various other services. For example, if a data subject decides to change to another supplier, this right consists in being able to move, copy or transfer the information in a secure and protected manner from the Company’s information systems to the data subjects’ own systems without their usability being impaired.
• Right to object to processing: data subjects have the right to object to the processing of their Personal Data for direct marketing purposes (which can only be carried out with their consent) and also to object to processing conducted for the purposes of the protection of the controller’s legitimate interests.
• Right to lodge complaints: data subjects have the right to lodge a complaint with the Italian Data Protection Authority against the modalities with which the controller processes their Personal Data.
• Right to withdraw consent: if they have given their consent to the performance of any activity with regard to their Personal Data, data subjects have the right to withdraw such consent at any time (although withdrawal of consent does not affect the lawfulness of the processing of the Personal Data that has been carried out on the basis of their consent until that time). This includes the right to withdraw consent to the use of their Personal Data for marketing purposes.

Data subjects may exercise the above rights by sending a written communication by email to privacy@robertocoin.com or by recorded delivery with acknowledgement of receipt to ROBERTO COIN S.p.A., Viale Trieste 13, 36100 Vicenza, Italy.

Pursuant to Article 8 of EU Regulation 679 of 2016, consent to the processing of Personal Data may only be given by a person who is at least 16 years old. The Personal Data of a minor who has not yet reached the age of 16 may only be processed on the basis of consent given by the holder of parental responsibility over the minor.

Last edition: May 2020