Privacy Policy

25th May 2018

INFORMATION ON THE PROCESSING OF PERSONAL DATA As per art. 13 of the EU Regulation 679/2016

Monnalisa S.p.A., a company with registered offices in Arezzo (AR), at via Madame Curie, 7, 52100 T.C. and VAT N. 01163300518, as the Controller of the data processing (hereinafter called “Controller”), as per art. 13 of the EU Regulation n. 679/2016 (hereinafter, "GDPR" or "Regulation" ) ”) informs that the data will be processed with and for the following means and aims.

1. Principles applicable to the processing

The Controller processes personal data (hereinafter, “personal data” or also “data”) to execute a contract or for pre-contractual measures.

The Controller, for the aims and the effects of the Regulation, notifies that the previously mentioned regulation foresees the protection of natural persons with respect to the personal data processing, and that this processing must be based on principles of propriety, legality, transparency and the protection of privacy and the fundamental rights.


2. Aim of the processing

The Controller processes the interested person’s data for the aims connected to the execution of the contract with Monnalisa S.p.A..


3. Purpose of the processing

Personal data is processed:

A) Without the express consent of the Interested person (art. 6, par. 1, let. b) of the GDPR), for the following Purposes:

- Execution of a contract of which the Interested person is a party or for the execution of pre-contractual measures chosen by request of the same person;

- communicate the data to parties, entities or authorities to whom the communication is obligatory on the basis of dispositions of the law or orders of the authorities;

- Implement the Controller’s rights, e.g. the right to defence in Court cases.

B) Only with prior, explicit and separate consent of the interested person (art. 6, par. 1, let. a) and art. 7 GDPR), for the following Purposes:

- To send via e-mail, mail and/or s.m.s. and/or phone contacts and/or Instant Messaging instruments (e.g. WhatsApp, Instagram and Facebook Messenger), newsletters, commercial communications and/or advertising materials of products or services offered by the Controller and of surveys on the degree of satisfaction concerning the quality of the services;

- send via e-mail, mail and/or s.m.s. and/or phone contacts and/or Instant Messaging instruments (e.g. WhatsApp, Instagram and Facebook Messenger), newsletters, commercial communications and/or third party promotional materials.

- send via e-mail, mail and/or s.m.s. and/or phone contacts and/or Instant Messaging instruments (e.g. WhatsApp, Instagram and Facebook Messenger), communications concerning in-store or company events.

The non-communication of your consent implies the impossibility of carrying out the above specified activities.

For the aims indicated in this point B), you may revoke your consent at any moment.


4. Processing methods

The processing of personal data is carried out by means of the operations indicated in art. 4 n. 2) of the EU regulation 2016/679 and more precisely: collection, recording, organization, storage, consultation, elaboration, modification, selection, retrieval, comparison, use, interconnection, blockage, communication, cancellation and destruction of the data. The personal data is processed on paper and using electronic and/or automated systems.

The Controller will process the personal data for the time strictly required for the execution of the above specified aims.

The conservation period varies according to the aim of the processing: e.g. the data collected when products are purchased on monnalisa.com and at the Monnalisa sales points, is processed to complete the administrative and accounting formalities and is therefore stored in conformity with the local tax regulations (ten years). We store the data used to send you our newsletter, until you request us to stop sending it.


5. Access to and communication of the data

The data may be rendered accessible for the aims mentioned in art. 3:

- To employees and collaborators of the Controller, in their duties as person in charge and/or responsible, internally and externally, for the processing of data and/or system administrators.

- to persons, entities or authorities to whom the communication is mandatory according to laws and orders of the authorities.

The Controller may communicate the data for the aims indicated in art. 3 to persons, entities or authorities to whom the communication is mandatory according to laws and orders of the authorities. Said persons will process the data by acting as independent processing controllers.


6. Data transfer

Personal data is stored on a server/s inside the European Union. It is understood, that the Controller, should it become necessary, will also have the right to move the servers outside the EU. In this case, the Controller assures, as of now, that the transfer of the data outside the EU will be carried out according to the applicable law dispositions, subject to the standard contractual clauses contemplated by the European Commission.


7. Rights of the interested person

The Interested person, in accordance with art. 15 of the GDPR, has the right to obtain from the Controller, the confirmation that the processing of personal data regarding her/him is being carried out or not, and, in this case, may obtain access to the personal data and the following information:

a) the purpose of the processing;

b) the categories of data in question;

c) the recipients or categories of recipients to whom the personal data has been or will be communicated;

d) the expected period of storage of the personal data or the criteria used to define said period;

e) request the Controller, to access the data, correct or cancel the personal data regarding yourself, or limit the processing or oppose its processing;

f) with reference to the eventual consent that you may have given for the aims mentioned in art. 2 point B), the right to revoke, at any time, the consent given;

g) the right to send a complaint to the Guaranteeing Authority.


8. How to exercise your rights

At any time you may exercise your rights by sending:

- a registered letter with return receipt to MONNALISA SPA, Via Madame Curie, 7, AR 52100;

- an e-mail to the address:dpo@monnalisa.eu


9. Controller, person in charge and appointees

The Controller of the processing is MONNALISA SPA with registered offices at Arezzo, Via Madame Curie 7. The updated list of the people in charge of and persons responsible for processing is stored at the registered offices of the Controller of the processing.

The D.P.O. is the lawyer Flavio Corsinovi who can be contacted at the following address dpo@monnalisa.eu