Corporate Governance

PRIVACY NOTICE

PRIVACY NOTICE PURSUANT TO ARTICLES 13 AND 14 OF REGULATION (EU) 2016/679 AND LEGISLATIVE DECREE NO. 196/2003, AS AMENDED BY LEGISLATIVE DECREE NO. 101/2018

The Data Controllers (the “Controllers”) and, for processing carried out for Marketing and Communication purposes, the Joint Controllers (the “Joint Controllers”), as defined below, pursuant to Article 13 of Regulation (EU) 2016/679 (the “Regulation”), hereby inform you of the purposes for which your personal data are collected and processed, in accordance with the principles of lawfulness, fairness and transparency, ensuring confidentiality and compliance with the applicable legislation.

1. Data Controllers / Joint Controllers

ALKEMY S.p.A. (“Data Controller”)
Registered office: Via San Gregorio, 34 - 20124 Milano (MI)
e-mail: privacy@alkemy.com

ALKEMY PLAY S.r.l. (“Data Controller”)
Registered office: Via San Gregorio, 34 - 20124 Milano (MI)
e-mail: privacy@alkemy.com

COSMIC S.r.l. (“Data Controller”)
Registered office: Via Monte Rosa, 91 - 20149 Milano (MI)
e-mail: gdpr@retex.com

D.COM S.r.l. (“Data Controller”)
Registered office: Via San Gregorio, 34 - 20124 Milano (MI)
e-mail: gdpr@retex.com

DIGITAL RETEX S.r.l. (“Data Controller”)
Registered office: Via San Gregorio, 34 - 20124 Milano (MI)
e-mail: gdpr@retex.com

RETEX S.p.A. (“Data Controller”)
Registered office: Via San Gregorio, 34 - 20124 Milano (MI)
e-mail: gdpr@retex.com

WTL S.r.l. (“Data Controller”)
Registered office: Via San Gregorio, 34 - 20124 Milano (MI)
e-mail: gdpr@retex.com

XCC S.r.l. (“Data Controller”)
Registered office: Via del Commercio, 36 - 00154 Roma (RM)
e-mail: privacy@alkemy.com

hereinafter collectively referred to as the “Companies”, the “Controllers” or, for Marketing and Communication purposes, the “Joint Controllers”.

For purposes related to the performance of contractual obligations, compliance with legal obligations and the establishment, exercise or defence of legal claims, as further detailed in Section 4 below, each Company acts as an independent Data Controller pursuant to the Regulation, independently determining the purposes and means of processing. With regard to Marketing and Communication activities, as further detailed in Section 4, the Companies act as Joint Controllers, jointly determining, each within the scope of its responsibilities, the purposes and means of processing. In their capacity as Joint Controllers, the Companies have entered into a joint controllership agreement pursuant to Article 26 of the Regulation, an extract of which is available upon request by data subjects.

2. Data Protection Officer (DPO)

The Controllers/Joint Controllers have appointed a Group Data Protection Officer (DPO), who may be contacted for any matter relating to the processing of personal data, including requests regarding the extract of the joint controllership agreement pursuant to Article 26 of the Regulation, and for the exercise of data subjects’ rights. Contact details of the DPO: privacy@alkemy.com.

3. Categories of personal data processed

Processing may concern common personal data, identification and contact data, collected directly or through third parties, including – by way of example and not limitation – identification details (name, surname, address, telephone number, business email address, company/studio details, industry, job title, role and function, and similar information), also relating to representatives, employees, collaborators or persons otherwise connected to your professional activity, as well as fiscal and administrative data necessary for contract management (tax code, VAT number, IBAN and bank/postal details). No special categories of personal data are processed.

4. Purposes and legal basis of processing

4.1 Contractual relationship management. Each Data Controller processes personal data of its clients/users to provide the requested services and for purposes strictly connected with and instrumental to the management and performance of pre-contractual and/or contractual relationships, as well as for compliance with legal and regulatory obligations and instructions issued by competent authorities. Processing is necessary to carry out activities related to the purchase of services and/or products, such as order management, service provision and/or production and/or shipment of purchased products, invoicing and payment management, handling of complaints and support requests, provision of customer support, sending of informational communications related to the service and/or contract, and compliance with contractual obligations.
Legal basis: Article 6(1)(b) and (c) of the Regulation.

4.2 Establishment, exercise or defence of legal claims. Personal data are processed in order to establish, exercise or defend the rights of the Data Controller and/or to defend against claims, in judicial or out-of-court proceedings.
Legal basis: Article 6(1)(f) of the Regulation.

4.3 Marketing and Communication. The Joint Controllers jointly process data collected in the course of their activities for Strategic Marketing, Brand and Corporate Communication purposes, including:

• i) sending of advertising material, direct sales, market research and commercial communications relating to offers, discounts and promotions of services/products of the Joint Controllers through traditional means (e.g. postal mail, telephone calls with operator) and/or automated means (e.g. email, SMS, instant messaging applications, web and mobile push notifications), as well as newsletters;
• ii) profiling activities based on interests, preferences and habits, including analysis of transmitted data and purchased services/products, in order to send promotional messages and/or commercial proposals consistent with expressed preferences.

Legal basis: Article 6(1)(a) of the Regulation (consent of the data subject).

iii) The Joint Controllers may send emails relating to promotions and offers of services/products similar or related to those already purchased by the data subject, unless the data subject has objected to such processing at the outset or subsequently.
Legal basis: Article 130(4) of Legislative Decree No. 196/2003. The data subject has the right to object at any time to processing for this purpose.

5. Mandatory or optional nature of data provision

5.1 Provision of personal data is mandatory for the purposes referred to in Sections 4.1 and 4.2.

5.2 Provision of data for the purposes referred to in Section 4.3 is optional and subject to the data subject’s consent. Any refusal will not affect the performance of the requested services.

5.3 With reference to the purposes under Section 4.3, the Joint Controllers have jointly defined the processing methods and procedures for responding to data subjects’ requests pursuant to Articles 15–22 of the Regulation. The single point of contact for the exercise of rights is the Group DPO, whose contact details are provided in Section 2. An extract of the joint controllership agreement is available upon request.

6. Processing methods and data retention

6.1 Personal data are processed by authorised and trained personnel, lawfully and fairly, with or without electronic or automated means, and include all operations necessary for the processing, including recording and storage, with appropriate security measures to ensure confidentiality and protection against unauthorised access, disclosure, misuse or loss. No automated decision-making processes pursuant to Article 22 of the Regulation are carried out.

6.2 For the purposes under Sections 4.1 and 4.2, personal data are retained for the time strictly necessary to achieve the purposes for which they were collected, to comply with legal obligations related to administrative, accounting, tax and social security matters (10 years), and for the duration of any disputes, without prejudice to further legal obligations.

6.3 For Marketing and Communication purposes: a) purposes under Section 4.3(i): up to 24 months from the last interaction; b) purposes under Section 4.3(ii): up to 12 months from the last interaction; c) purposes under Section 4.3(iii): up to 24 months from termination of the relationship.

7. Data disclosure

7.1 Personal data may be shared among the Joint Controllers and with authorised employees, staff and collaborators for the purposes set out in Section 4.

7.2 Personal data may also be disclosed to third parties to comply with legal obligations or to entities such as, by way of example, external consultants, banks and financial institutions, professionals, IT maintenance providers, service providers for information systems, websites, web applications and telecommunications networks, as well as any other third parties involved in the performance of contractual obligations. Such parties shall act as independent Data Controllers or Data Processors, in accordance with applicable instructions.

7.3 The updated list of Data Processors is maintained by each Company and is available upon request.

8. Data transfers

8.1 Personal data are not processed or transferred outside the European Union. Where transfers to third countries become necessary, including for data storage purposes, such transfers shall take place in compliance with the Regulation, applicable law and appropriate safeguards, including Standard Contractual Clauses approved by the European Commission or equivalent measures.

9. Rights of the data subject

Pursuant to Articles 15–22 of the Regulation, you have the right to:

• i) access your personal data;
• ii) obtain confirmation as to whether or not personal data concerning you are being processed and to know their content and origin;
• iii) request rectification, updating or erasure of personal data;
• iv) object to processing or request restriction of processing;
• v) data portability;
• vi) withdraw consent at any time, where applicable, without affecting the lawfulness of processing based on consent before its withdrawal, and to object to processing for marketing and/or profiling purposes pursuant to Article 21 of the Regulation;
• vii) lodge a complaint with the competent Data Protection Authority.

These rights may be exercised by contacting the Group DPO at the details provided in Section 2.

10. Amendments

The Controllers/Joint Controllers reserve the right to amend or update this Privacy Notice, in whole or in part, also as a result of changes in applicable legislation. Any amendments will be communicated in a timely manner.