PRIVACY POLICY

This policy (hereinafter "Policy") is provided pursuant to EU Regulation 679/2016 and subsequent national adjustment legislation (hereinafter collectively "GDPR"), and describes how the company identified in the following paragraph collects and processes users' or customers' Personal Data (the term "Personal Data" means all the categories of data listed in point 3 below, considered jointly). This Policy applies to all activities for collecting and subsequently processing Personal Data – both online and offline – through various channels, such as the websites owned or operated by Eataly S.p.a., in particular www.eataly.net ("Website"), apps, social networks, physical stores and, more generally, all the activities described in this Policy.

The Policy may be modified, supplemented or updated periodically, also in the light of any changes in the applicable legislation or provisions of the Data Protection Authority. Substantial changes and updates to the Policy will be brought to data subjects' attention as soon as they are adopted, by updating the link to the Privacy Policy in the Website's footer. Data subjects are invited to consult this Policy regularly to be aware of the latest updated version, so as to always be informed about how their Personal Data is collected and used. In the event of changes that significantly affect registered users' rights, the latter will be informed by email with reasonable notice.

Eataly S.p.A. (hereinafter "Eataly") is the data controller of Personal Data (hereinafter the "Data Controller"). Eataly pays the utmost attention to the security and confidentiality of the Personal Data processed while performing its activities, which include, among others, the following: 

- operating e-commerce activities carried out through the Website (managing purchases of products and services from the virtual store and related activities);
- operating the Website (e.g. managing and developing the Website and services for users, including the management and functioning of cookies);
- operating physical Eataly-brand stores;
- offering specific services related to them (e.g. in-store courses and events).

WHAT PERSONAL DATA MAY BE COLLECTED

As part of its activities described above, the Data Controller will be able to collect the following categories of Personal Data: 

- Contact data – first name, surname, address, phone number, email address and any other data you voluntarily provide within the Website to proceed with online orders and to register;
- Demographic data and data concerning interests - data that describes your demographic characteristics or habits, for example date of birth, age or age group, gender, geographical origin (postcode), favourite products, hobbies and interests, and information about your family or lifestyle;
- Payment data – information relating to the purchase you made and the related payment (e.g. credit/debit card number, IBAN). This data will be processed to the extent necessary for periodic payments and, if you have not objected to the processing by changing your settings in the "My Account" section on the Website, saved in the "Payment Methods" section for subsequent purchases;
- Use of the website – information on how you use the Website, open or forward communications from the Data Controller, including information collected via cookies; 
- Data provided by third parties (e.g. postal service company, couriers, data entry company) – all Personal Data that the Data Controller receives from other sources to perform its services;
- Social Log-In – information relating to your Social account as well as other data you have provided to the Social Network used to log in to the Website, which can be communicated based on the privacy preferences you have set on that Social Network. 

Eataly will not normally process Personal Data concerning personal beliefs, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or information related to health, sex life or sexual orientation (hereinafter "Special Categories of Data"). If it is necessary to process Special Categories of Data, Eataly undertakes to process such data in accordance with the applicable legislation. The legal basis for this processing is, as a rule, the fulfilment of a legal obligation, it being understood that Eataly will request your explicit consent if there is no concrete legal obligation for processing such Data.

HOW WE COLLECT YOUR PERSONAL DATA

The Data Controller can collect and process your Personal Data in the following ways:

- if you register on the Website or through apps, social networks or other websites owned by or available to the Data Controller;
- if you make online purchases or register for loyalty programmes or prize events, or for the issue of Eataly Cards;
- if you subscribe to the newsletter for the virtual store or individual stores;
- if you contact Customer Service;
- if you provide your Personal Data in physical stores (e.g. in the context of promotional activities, prize events, during participation in courses and events, requests for information and registration for loyalty programmes, issue of Eataly Cards, etc.).

If you provide Personal Data on behalf of someone else, you must always first ensure that these data subjects have read this Privacy Policy and have given their consent where necessary. Eataly asks you to keep your Personal Data up to date by informing it of any changes.

THE COMPULSORY OR OPTIONAL NATURE OF PROVIDING DATA AND THE CONSEQUENCES OF ANY REFUSAL TO PROVIDE IT

The Personal Data required to register on the Website or identified with an asterisk in the forms for various activities is necessary to enable registration itself; similarly, the data is necessary when required to allow use of the purchase and/or booking and/or online ordering functionality, or to provide the specific service requested. Unnecessary Personal Data is not identified with an asterisk in the various forms and does not entail any consequences if not provided.

WHAT PURPOSES YOUR PERSONAL DATA MAY BE USED FOR

The Data Controller may process your Personal Data for one or more of the purposes set out below and on the basis of the legal prerequisite indicated from time to time. All the purposes indicated below concern both Data Controllers, except when one of the two companies is specifically indicated.

A) Fulfilling purchase orders formulated through the Website and activities related to managing the orders (e.g. providing e-commerce services, customer sales and after-sales assistance, communicating with the customer about the order status, receiving their requests for information on the products purchased, payment management, reports, home delivery and/or in-person collection at the agreed sales point, etc.); and to ensure correct fulfilment of the obligations established by law, including the legislation on prize events if you take part in them. Your Contact Data and Payment Data can be processed by the Data Controller to process the purchase order you have formulated by filling in the appropriate form on the Website.

B) Registration on the Website, including through the Social Log-In system, to simplify the registration process using the information already made available to your Social Networks 

The Data Controller may process the Contact Data to allow you to complete the registration procedure on the Website and access your Personal Area in order to: (i) download documents relating to the services you have purchased from your Personal Area; (ii) process other requests made through the Website. Registration on the Website may also take place, where you voluntarily decide to use it, including by means of the Social Log-In mechanism. In this way you will not have to enter the data needed for registration (e.g. contact data), which will instead be provided by the Social Network used for Log-In. Please note that in this case, the Data Controller will be able to process the Social Log-In data, i.e. not only that relating to your Social account but also any other Personal Data that could be made visible according to the preferences you have set or based on that Social Network's privacy policy. We therefore invite you to read the Social Network's Privacy Policy, also for further information regarding these preferences.

Prerequisite for processing: fulfilment of contractual obligations, to allow you to register on the Website, it being understood that you are not obliged to use the Social Log-In to complete the registration.

C) Account management in the case of registration on the Website to use the related services

Use of the Website does not require the creation of a personal account; however, to access some pages reserved for registered users, you must create one and thereby become a registered user. The Personal Data you provide may be processed by the Data Controller to manage your personal account on the Website. 

Prerequisite for processing: execution of pre-contractual measures requested by the data subject and execution of a contract to which they are party. Provision is mandatory in order to create and manage the account; otherwise we will not be able to proceed. 

D) Adhering to and implementing the loyalty programmes announced by the Data Controller (e.g. cash-back) and/or the agreements entered into between the Data Controller and various entities (both public and private), and to issue and manage the related cards (e.g. Eataly Card, "La Piazza" or "Eataly Club" loyalty programmes) necessary to take advantage of the relative prizes and/or discounts connected to these programmes and/or agreements. Your Contact Data and Payment Data can be processed by the Data Controller for the purpose of managing the loyalty programmes and/or to adhere to the above agreements, as well as to issue the related card and allow you to take advantage of the related prizes and/or discounts connected to these programmes and/or agreements. Provision is mandatory in order to allow participation in these programmes and agreements.

Prerequisite for processing: execution of a contract to which the data subject is party and fulfilment of the legal obligations related to this contract. Provision is mandatory for implementing the aforementioned loyalty programmes; otherwise we will not be able to proceed.

E) Marketing activities 

With your express consent, your contact data may be processed by Eataly for marketing and advertising communication purposes, and also personalised after analysis of your choices, habits and purchasing preferences, by using email, text messages and other mass messaging tools, etc. or traditional contact methods (e.g. ordinary mail, phone call with operator), or for market research and statistical surveys. 

Prerequisite for processing: the data subject's consent. 

The absence of consent to marketing activities does not have consequences for contractual relationships. The consent can be revoked at any time via the contact details indicated below in the section "Your data protection rights". Users can also modify or remove their preferences at any time by visiting the "My Account" section on www.eataly.net, expressing their consent to be contacted about offers regarding specific stores or products of interest.

F) Statistical analysis, service improvements and protection of legitimate interest 

Eataly may, where possible also in aggregate and anonymous form, use your Personal Data, including that relating to your use of the Website, your choices, habits and purchase preferences, geographical area of reference, level of expenditure incurred, active services and frequency of use, for internal statistical research and improvements to the services offered, as well as for customer care and customer satisfaction activities, complaint management, administrative and accounting management, etc. 

Prerequisite for processing: Eataly's legitimate interest. 

Within the limits of the provisions of Article 21 of the GDPR, you have the right to object to the processing of personal data concerning you performed by Eataly in pursuit of its legitimate interest. The objection must be sent to the following address: dpo@eataly.it. 

Your Personal Data will not be used to profile you for commercial and marketing purposes, except with your prior consent collected pursuant to the provisions of point E) above. Only in this case can the profiling activity described also be performed to send personalised commercial communications as per point E) above. 

G) Defending rights during judicial, administrative or out-of-court proceedings, and in the context of disputes arising in relation to the services offered 

Your Personal Data may be processed by the Data Controller to defend its rights or act or even make claims against you or third parties.

Prerequisite for processing: the Data Controller's legitimate interest to protect its rights.

HOW WE KEEP YOUR PERSONAL DATA SECURE 

The Data Controller uses suitable security measures to improve the protection, security, integrity and accessibility of your Personal Data. All your Personal Data is stored on our protected servers (or suitably archived hard copies) or those of our suppliers, and is accessible and usable according to our standards and security policies (or equivalent standards for our suppliers).

HOW LONG WE KEEP YOUR DATA FOR 

The Data Controller keeps your Personal Data only for the time necessary to achieve the purposes for which it was collected or for any other legitimate related purpose. Your Personal Data that is no longer necessary, or for which there is no longer a legal basis to keep it, will be irreversibly anonymised or safely destroyed. 

Below are the storage times for the different purposes listed above: 

a. Fulfilling purchase orders formulated through the Website and activities related to managing orders: for 10 years from the date of purchase in accordance with the ordinary contractual prescription. 

b. Managing accounts in the case of registration on the Website to use the related services: 3 years from the date of the last service provided to the user or, in the absence of activity, 3 years from your registration on the Website. 

c. Adhering to and implementing the loyalty programmes launched by Eataly (e.g. cash-back) and/or the agreements entered into with various bodies (both public and private): 10 years from the date when the user uses the programme or agreement. 

d. Marketing activities to provide promotional offers, including personalised ones: the Personal Data processed for this purpose may be kept for 3 years from the date on which Eataly obtained your last expression of willingness to receive commercial communications (unless you revoke it at an earlier date). Where Personal Data is processed for marketing purposes, including personalised ones, as part of a loyalty programme (e.g. "La Piazza"), the Personal Data will be kept for the entire duration of participation in the loyalty programme (including any renewals, unless you exercise your right to object). 

e. Defending their rights during the course of judicial, administrative or out-of-court proceedings, and in the context of disputes arising in relation to the services offered: for 10 years from the end of the proceedings with the final judgement of the relative ruling or from the transaction and/or agreement entered into. 

WHO WE CAN SHARE YOUR PERSONAL DATA WITH 

The other companies of the Eataly Group – meaning all the companies directly or indirectly controlled by Eataly S.p.A. – may have access to your Personal Data as autonomous Data Controllers and/or processors by virtue of intra-group agreements and in connection with needs and activities carried out within the group, along with consultants and external suppliers such as cloud service providers, IT providers or hosting providers, tax and legal consultants, etc., appointed – if they do not act as independent Data Controllers – as data processors.

Furthermore, where requested, your Personal Data and information about transactions and other activities carried out through the Website can be made available to the judicial authorities and police in compliance with procedural rules or other State administrations, where expressly requested. 

TRANSFER OF DATA TO NON-EU COUNTRIES 

The Data Controller may transfer your Data to countries that do not belong to the European Union (EU) or the European Economic Area (EEA) (hereinafter "Third Countries"), whose data protection laws may have lower standards than those of the EEA. In the latter case, the Data Controller will ensure that all your data accessible outside the EEA is processed with appropriate safeguards. The Data Controller will provide adequate guarantees and protections for such cross-border transfers, in accordance with the provisions of the legislation on personal data protection; these include the use of Standard Contractual Clauses approved by the European Commission, Codes of Conduct and/or Binding Corporate Rules. These clauses impose similar data protection obligations directly on the recipient, unless we are allowed by applicable data protection law to transfer data without such formalities. Some third countries, such as Canada and Switzerland, have been authorised by the European Commission as they provide protection similar to that of the EEA data protection legislation, and therefore additional legal protections are not necessary. 

CONTACTS 

The contact details of the Data Controller are as follows: 

- Eataly S.p.A., with registered office in Turin (TO), Via Nizza 224, postcode 10126, Tax Code/VAT Number: 09450580015, certified email address eatalydistribuzione@pec.it 

The Data Controller has appointed a Data Protection Officer (DPO) who can be contacted at the following email address: dpo@eataly.it

YOUR DATA PROTECTION RIGHTS AND YOUR RIGHT TO LODGE COMPLAINTS WITH THE SUPERVISORY AUTHORITY 

In accordance with Articles 15-21 of the GDPR, you have the right to request: 

- access to your personal data and the purposes and logic of the processing activity carried out by the Data Controller;
- a copy of the Personal Data you have provided to us (so-called portability);
- the correction of your Personal Data held by the Data Controller;
- the erasure of your Personal Data when: (i) the Personal Data is no longer necessary with respect to the purposes for which it was collected or otherwise processed; (ii) the Personal Data is unlawfully processed; (iii) you have legitimately opposed the processing and there is no prevailing legitimate reason for the data to be kept; (iv) the Personal Data must be erased to fulfil a legal obligation. However, the Data Controller has the right to disregard the request for erasure if the right to freedom of expression and information prevails, or to exercise a legal obligation or defend their rights in court;
- revocation of your consent, if the processing is based on consent; 
- limitation of the processing (i) for the period necessary for the Data Controller to verify the accuracy of your Personal Data in the event of a dispute; (ii) in the event of unlawful processing of your Personal Data when you object to its erasure, requesting a limitation of the processing; (iii) in the event that, although the data is no longer necessary and should be deleted, you need it to be processed to assess, exercise or defend a right in court; (iv) for the period necessary to verify any prevalence of the Data Controller's legitimate reasons with respect to your request to oppose the processing.

Furthermore, you have the right to object to the Data Controller processing your Personal Data for reasons related to your particular situation, except where the existence of the Data Controller's legitimate binding reasons prevails for continuing the processing, or there is a need to keep your Personal Data to assess or defend a right in court.

The Data Controller will take into consideration any complaints or reports about how your Personal Data is processed and will make every effort to respond to your requests. However, you can forward complaints or reports to the competent supervisory authority, which is also the so-called "lead authority" with respect to all European companies of the Eataly group: the Data Protection Authority - Email: garante@gpdp.it - Certified email: protocollo@pec.gpdp.it