Privacy Policy

INFORMATION ON THE PROCESSING OF PERSONAL DATA pursuant to Art. 13 of EU Regulation 2016/679

The company Monnalisa S.p.A., with registered office in Arezzo (AR), via Madame Curie, 7, 52100, Tax Code and VAT No. 01163300518, as Data Controller (hereinafter, also "Data Controller"), pursuant to Art. 13 of EU Regulation No. 2016/679 (hereinafter, "GDPR" or "Regulation"), informs that the data will be processed in the following manner and for the following purposes.

The Data Controller processes the personal data of the Data Subject (hereinafter, "personal data" or also "data") to execute a contract or pre-contractual measures.

The Data Controller, pursuant to and in accordance with the Regulation, makes it known that the aforementioned legislation provides for the protection of individuals regarding the processing of personal data, and that such processing will be based on the principles of correctness, lawfulness, transparency, and the protection of confidentiality and fundamental rights.

The Data Controller processes the personal data of the Data Subject for the purposes related to the execution of the contract with Monnalisa S.p.A.

Personal data is processed:

A) without the express consent of the Data Subject (Art. 6, para. 1, let. b) of the GDPR), for the following Purposes:

- to execute a contract to which the Data Subject is a party or to execute pre-contractual measures adopted at their request;

- to communicate data to subjects, entities, or authorities to whom communication is mandatory by law or by order of the authorities;

- to exercise the rights of the Data Controller, such as the right of defense in court.

B) only with the specific and distinct consent of the Data Subject (Art. 6, para. 1, let. a) of the GDPR), for the following Purposes:

- management of the "Monnalisa Fun" loyalty program, including the allocation of points, management of membership levels, provision of related benefits, and the sending of communications strictly related to the operation of the program (e.g., points balance, level changes, expirations, and use of benefits). Within the loyalty program, the Data Controller may process, on an optional basis and upon the user's initiative, personal data referring to minors (such as name and date of birth), solely for the purpose of allowing the provision of dedicated benefits (e.g., birthday-related initiatives). Such data is provided by the user under their own responsibility as a parent or person exercising parental responsibility.

- to send via e-mail, mail and/or sms and/or telephone contacts and/or Instant Messaging tools (e.g., WhatsApp and Instagram and Facebook Messenger), newsletters, commercial communications and/or advertising material on products or services offered by the Data Controller and detection of the degree of satisfaction with the quality of services;

- to send via e-mail, mail and/or sms and/or telephone contacts and/or Instant Messaging tools (e.g., WhatsApp and Instagram and Facebook Messenger), newsletters, commercial and/or promotional communications from third parties;

- to send via e-mail, mail and/or sms and/or telephone contacts and/or Instant Messaging tools (e.g., WhatsApp and Instagram and Facebook Messenger), communications relating to in-store or corporate events;

- to carry out profiling activities, including through the analysis of preferences, purchasing habits, and the level of participation in the loyalty program, in order to personalize commercial offers and promotional communications.

Failure to provide consent makes it impossible to carry out the aforementioned activities.

For the purposes referred to in this point B), you may, at any time, revoke your consent in the manner indicated in the "Exercise of rights" section of this policy. In particular, for commercial communications sent via e-mail, you can also revoke your consent by clicking on the appropriate unsubscribe link at the bottom of each communication.

The processing of personal data is carried out using the operations indicated in Art. 4 No. 2) of EU Regulation 2016/679, and precisely: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data. Personal data is subjected to both paper and electronic and/or automated processing.

The Data Controller will process personal data for the time necessary to fulfill the above purposes.

The retention period differs depending on the purpose of the processing: for example, the data collected during the purchase of goods on monnalisa.com and at Monnalisa stores are processed until the conclusion of all administrative and accounting formalities and are then archived in compliance with local tax regulations (ten years); those used to send you our newsletters are kept until a request to cease sending is made.

The data may be made accessible for the purposes referred to in Art. 3:

- to employees and collaborators of the Data Controller, in their capacity as persons authorized to process personal data and/or internal data processors and/or system administrators;

- to subjects, entities, or authorities to whom communication is mandatory by law or by order of the authorities.

The Data Controller may communicate the data for the purposes referred to in Art. 3 to subjects, entities, or authorities to whom communication is mandatory by law or by order of the authorities. These subjects will process the data in their capacity as independent data controllers.

Personal data is stored on servers within the European Union. In any case, it is understood that the Data Controller, should it become necessary, will have the right to move the servers even outside the EU. In this case, the Data Controller hereby assures that the transfer of data outside the EU will take place in accordance with the applicable legal provisions, subject to the stipulation of the standard contractual clauses provided by the European Commission.

The Data Subject, pursuant to Art. 15 of the GDPR, has the right to obtain from the Data Controller confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, access to the personal data and the following information:

a) the purposes of the processing;

b) the categories of data in question;

c) the recipients or categories of recipients to whom the personal data have been or will be disclosed;

d) the envisaged period for which the personal data will be stored, or the criteria used to determine that period;

e) the right to request from the Data Controller access to data, rectification or erasure of personal data or restriction of processing of personal data concerning them or to object to such processing;

f) with reference to any consent given for the purposes referred to in Art. 2 point B), the right to withdraw the consent given at any time;

g) regarding the withdrawal of consent (Art. 7 GDPR), the data subject can exercise this right at any time, with the same ease with which it was given, without affecting the lawfulness of processing based on consent before its withdrawal;

h) the right to lodge a complaint with a Supervisory Authority.

Within the “Monnalisa Fun” Program, the Data Controller may process common personal data of the data subject, including:

- personal and identification data (name, surname, date of birth, gender);

- contact data (e-mail address, telephone number, residential or domicile address);

- data relating to purchases made at physical stores and/or online;

- data relating to purchasing preferences, interests, and consumer behavior;

- data relating to the use of the Program, benefits, and promotional initiatives.

The provision of such data is necessary to allow adherence to and management of the Program.

On an optional basis and upon the initiative of the member, the Data Controller may also process personal data referring to minors, such as name and date of birth, exclusively for the purpose of allowing the provision of dedicated advantages, initiatives, and benefits (e.g., birthday-related initiatives).

Such data will be provided by the member under their own responsibility, as a parent or subject exercising parental responsibility over the minor.

The provision of data referring to minors is optional and failure to provide it does not affect participation in the Loyalty Program.

It will be possible to withdraw from the program at any time online in your account, in stores, or by sending an email to customercare@monnalisa.com.

You can exercise your rights at any time by sending:

- a registered letter with return receipt to MONNALISA SPA, Via Madame Curie 7, AR 52100, Italy;

- an e-mail to the address dpo@monnalisa.eu.

The Data Controller is MONNALISA SPA with registered office in Arezzo, Via Madame Curie 7. The updated list of data processors and persons authorized to process data is kept at the registered office of the Data Controller.

The DPO is Atty. Flavio Corsinovi, who can be contacted at the following address: dpo@monnalisa.eu.

Updated: May 18, 2026