Each of the aforementioned companies holds the role of data controller according to the relative definition contained in Article 4, point 7) of the Regulation, “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data” for the processing of personal data instrumental to navigation within the individual Internet Website while they act, for purposes further specified below, as joint controllers pursuant to and for the purposes of Article 26 of the Regulation with regard to all data processing carried out for purposes of direct and indirect marketing and profiling that require the express consent of the user and, in the case of direct marketing, may be performed following an assessment carried out by them on the balance of interests and the primacy of the legitimate interest of the joint controllers. To this end, the joint controllers have concluded a joint controller agreement with which they have undertaken to:
- jointly determine the methods of processing the personal data of the data subjects for marketing and profiling purposes,
- jointly determine, in a clear and transparent manner, the procedures to provide you with timely feedback should you wish to exercise your rights, as provided for in Articles 15, 16, 17, 18 and 21 of the Regulations as well as in cases of portability of Personal Data as provided for in Article 20 of the Regulations as better described in Section I of this Policy,
- jointly define the policies in the parts of common interest, indicating all the information provided for by the Regulation.
As regards the management of the common database on the Mondadori Group’s CRM (Customer Relationship Management) platform, each company has appointed the parent company, Arnoldo Mondadori Editore S.p.A., as the data processor. For the common purposes of direct and indirect marketing and profiling, Arnoldo Editore S.p.A. is responsible for managing the registration, organisation, storage, processing, selection and extraction of the personal data of customers/prospects.
In addition, personal data may be processed by persons appointed data processors, as well as persons appointed as authorized to process, responsible for managing the requested service.
In order to facilitate relations between the data subject and each data controller, the Regulation has provided, in some specific cases, for the appointment of a control and support figure who, among the various tasks assigned, also acts as the contact point with the data subject.
The Mondadori Group has adopted the position of “Data Protection Officer” (“DPO”), identifying and appointing, in accordance with article 37 of the Regulation, Mr. Ugo Ettore Di Stefano.
Pursuant to and for the purposes set out in Article 39 of the Regulation, the DPO is called upon to carry out, inter alia, the following activities:
- inform and advise the Data Controller, the Joint Data Controllers, the data processor and the employees performing the Processing on the obligations arising from the Regulation and from other provisions of the EU or Member State relating to the protection of Personal Data;
- monitor and supervise compliance with the Regulation, applicable regulations on the protection of Personal Data and the policies and procedures adopted by the Data Controller and the Joint Data Controllers;
- provide support in feedback to the data subject
- cooperate with the competent Authority for the Protection of Personal Data
You can freely contact the DPO for all matters relating to the processing of personal data and/or if you wish to exercise your rights, by sending a written communication to the e-mail address email@example.com and/or writing to the Data Protection Officer of the Mondadori Group at Arnoldo Mondadori Editore S.p.A., via Mondadori 1, 20090 – Segrate (MI) and/or calling the number +39 02 75421 by telephone.
At any time it will be possible to consult the “Privacy” section of the Internet Websites, which will contain all the information concerning the use and processing of personal data, the detailed references of each company in the Mondadori Group, updated information on contacts and communication channels made available to all interested parties by the Data Controller.
3_Type of data processed and purposes of processing relating to navigation on Internet Websites
Each Website offers informative and, at times, interactive content. While browsing the Website, information about you can be acquired in the following ways:
- Browsing data
The computer systems and software procedures used to operate each Website acquire, during their normal operation, some personal data whose transmission is inherent in the communication protocols of the Internet.
This category of data includes: IP addresses, type of browser used, operating system, domain name and addresses of websites from which access or exit has been made, information on the pages visited by users within the website, access time, stay on the individual page, analysis of the internal path and other parameters regarding the operating system and computer environment.
This technical/computer data is collected and used solely in an aggregate and non-identifying manner and could be used to ascertain liability in the event of hypothetical computer crimes against the website.
- Data provided voluntarily by visitors
This is all personal data that you freely give us on the Website, for example, to register and/or access a restricted area, to request information about a particular product or service using a form, to write to an e-mail address or to call (in VoIP mode) a toll-free number to have direct contact with customer service. The processing of these personal data will be carried out based on all the information contained in the specific policies provided pursuant to Articles 13 and 14 of the Regulation by each data controller of the Mondadori Group at the time of providing personal data as requested in the appropriate forms.
4_How data is processed
The processing of personal data is carried out mainly using procedures and electronic media for the time strictly necessary, in accordance with Article 5 of the Regulation.
Personal data will be processed by the data controller to the extent strictly needed for the pursuit of the main purpose. In particular, personal data will be processed for a period of time equal to the minimum necessary, as indicated in Recital 39 of the Regulation, i.e., until the termination of the contractual relationship between the data subject and the data controller except for a further period of retention that may be required by law as also provided for in Recital 65 of the Regulation.
5_Redirect to external websites
The Internet Websites may use so-called social plug-ins. Social plug-ins are special tools that allow incorporating social network features directly into the Internet Website (e.g., Facebook’s “Like” feature).
All social plug-ins on the Internet Websites are marked with their respective logo, which is the property of the social network platform.
When you visit a page on the Internet Websites and interact with the plug-in (e.g., by clicking on the “Like” button) or decide to leave a comment, the corresponding information is transmitted from the browser directly to the social network platform (in this case Facebook) and stored there.
6_Connection to and from third-party sites
You can connect to other third-party websites from the Internet Websites.
In this regard, none of the companies of the Mondadori Group can be held liable for the possible management of personal data by third-party websites and for the management of login credentials provided by third parties.
7_Rights of data subjects
As provided for in Article 15 of the Regulation, the data subject may access his/her personal data, request that it be corrected and updated, if incomplete or incorrect, request its cancellation if it was collected in violation of a law or regulation, as well as oppose processing for legitimate and specific reasons.
In particular, below is a list of all the rights that can be exercised, at any time, vis-à-vis the data controller and/or the joint data controllers:
Right of access: the right, pursuant to article 15(1) of the Regulation, to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: a) the purposes of the processing; b) the categories of personal data concerned; c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; e) the existence of the right to request from the data controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; f) the right to lodge a complaint with a supervisory authority; g) where the personal data are not collected from the data subject, any available information as to their source; h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. All this information can be found in the policy that will always be available in the Privacy section of each of the websites.
Right to rectification: right to obtain, pursuant to Article 16 of the Regulation, the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, it is possible to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure: right to obtain, pursuant to Article 17(1) of the Regulation, the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; b) the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing; c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2); d) the personal data have been unlawfully processed; e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject. In some cases, as provided for in Article 17(3) of the Regulation, the controller is entitled not to delete your personal data if their processing is necessary, for example, to exercise the right to freedom of expression and information, to fulfil a legal obligation, for reasons of public interest, for purposes of filing in the public interest, scientific or historical research or for statistical purposes, for ascertaining, exercising or defending a right in court.
Right to restriction of processing: the data subject has the right to obtain the restriction of processing, pursuant to Article 18 of the Regulation, where one of the following applies: a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; c) the data subject has objected to processing pursuant to Article 21(1) of the Regulation pending the verification whether the legitimate grounds of the controller override those of the data subject. In case of restriction of processing, personal data will be processed, except for storage, only with the consent of or for the establishment, exercise or defence of legal claims or to protect the rights of another natural or legal person or for reasons of important public interest.
Right to data portability: Pursuant to Article 20 (1) of the Regulation the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. In this case, it will be the responsibility of the data subject to provide us with all the exact details of the new data controller to whom he or she intends to transfer his or her personal data by providing written authorization.
Right to object: Pursuant to Article 21(2) of the Regulation and as also reiterated in Recital 70, the data subject may object at any time to the processing of his or her personal data if they are processed for purposes of direct marketing, including profiling to the extent that it is related to such direct marketing.
Right to lodge a complaint with a supervisory authority: without prejudice to the right to appeal to any other administrative or judicial body, if the processing of personal data carried out by the data controller and/or joint controllers is deemed to be in violation of the Regulation and/or applicable law, a complaint may be lodged with the relevant Data Protection Authority.
To exercise all rights as identified above, simply contact the data controller and/or joint controllers in the following ways:
- writing to the Mondadori Group Privacy Office at the parent company Arnoldo Mondadori Editore S.p.A., Via Mondadori 1, 20090 – Segrate (Milan);
- by sending an e-mail to firstname.lastname@example.org to the attention of the Mondadori Group Privacy Office
- by calling the telephone number +39 02 75421 and asking the Privacy Office of the Mondadori Group
Please note that at any time, you may also contact the Mondadori Group DPO in the manner provided.