Privacy policy
INFORMATION NOTICE ON THE PROCESSING OF PERSONAL DATA pursuant to Article 13 of EU Regulation 2016/679
Monnalisa S.p.A., with registered office in Arezzo (AR), via Madame Curie 7, 52100, Tax Code and VAT no. 01163300518, in its capacity as Data Controller (hereinafter also the "Controller"), pursuant to Article 13 of EU Regulation No. 2016/679 (hereinafter the "GDPR" or the "Regulation"), informs you that data will be processed in the following ways and for the following purposes.
- Principles applicable to data processing
The Controller processes the personal data of the data subject (hereinafter, "personal data" or "data") in order to perform a contract or pre-contractual measures as described in the “Terms and Conditions of the Service”.
The Controller hereby informs, in accordance with the Regulation, that the said legislation provides for the protection of individuals with regard to the processing of personal data, and that such processing will be based on principles of fairness, lawfulness, transparency, and protection of confidentiality and fundamental rights.
- Subject of the processing
The Controller processes the personal data of the data subject for purposes connected to the execution of the contract with Monnalisa S.p.A., as described in the “Terms and Conditions of the Service”.
- Purpose of the processing
Personal data are processed:
- A) Without the express consent of the data subject (Article 6, paragraph 1, letter b) of the GDPR), for the following purposes:
  - to perform a contract to which the data subject is a party or to take pre-contractual measures at their request;
  - to disclose data to individuals, bodies or authorities to whom such communication is mandatory by law or order of the authorities;
  - to exercise the Controller's rights, for example the right of legal defence.
- B) Only with the specific and separate consent of the data subject (Article 6, paragraph 1, letter a) of the GDPR), for the following purposes:
  - to send via email, post and/or SMS and/or phone calls and/or instant messaging tools (such as WhatsApp, Instagram, and Facebook Messenger) newsletters, commercial communications and/or advertising material on products or services offered by the Controller, and to assess satisfaction with the quality of services;
  - to send via email, post and/or SMS and/or phone calls and/or instant messaging tools (such as WhatsApp, Instagram, and Facebook Messenger) newsletters, commercial and/or promotional communications from third parties;
  - to send via email, post and/or SMS and/or phone calls and/or instant messaging tools (such as WhatsApp, Instagram, and Facebook Messenger) communications relating to in-store or corporate events.
Failure to provide consent will result in the inability to carry out the activities referred to in point B).
You may withdraw your consent for the purposes referred to in point B) at any time.
- Processing methods
The processing of personal data is carried out by means of the operations indicated in Article 4(2) of EU Regulation 2016/679, namely: collection, recording, organisation, storage, consultation, processing, alteration, selection, retrieval, comparison, use, interconnection, restriction, disclosure, erasure and destruction of data. Personal data are processed both on paper and electronically and/or automatically.
The Controller will process personal data for the time necessary to fulfil the above-mentioned purposes.
The retention period varies depending on the purpose of processing: for example, data collected during the purchase of goods on monnalisa.com or in Monnalisa stores are processed until the completion of all administrative and accounting formalities and then archived in accordance with local tax regulations (ten years); data used to send you our newsletters will be retained until you request that we stop.
- Data retention period
Pursuant to art. 13, par. 2, lett. b) in accordance with the principle of "limitation of conservation" in art. 5, the data will be stored until withdrawal of consent by the interested party and in any case for a period not exceeding that provided by the guidelines of the competent authorities.
- Data access and communication
Data may be made accessible for the purposes referred to in Article 3:
- to employees and collaborators of the Controller, in their capacity as data processors and/or system administrators;
- to individuals, entities or authorities to whom communication is mandatory by law or order of the authorities.
The Controller may disclose data for the purposes referred to in Article 3 to individuals, entities or authorities to whom communication is mandatory by law or order of the authorities. These subjects will process the data in their capacity as autonomous data controllers.
- Data transfer
Personal data are stored on servers located within the European Union. In any case, it is understood that the Controller, should it become necessary, will have the right to move the servers outside the EU. In such case, the Controller hereby ensures that any transfer of data outside the EU will take place in accordance with applicable legal provisions, subject to the adoption of the standard contractual clauses provided by the European Commission.
- Data subject’s rights
The data subject may exercise the rights referred to in Articles 15–22 of the GDPR by contacting the addresses provided in the following point. In particular, pursuant to Article 15 of the GDPR, the data subject has the right to obtain confirmation from the Controller as to whether or not personal data concerning them are being processed, and, if so, access to such personal data and the following information:
- A) the purposes of the processing;
- B) the categories of data concerned;
- C) the recipients or categories of recipients to whom the personal data have been or will be disclosed;
- D) the envisaged retention period of the personal data or, if not possible, the criteria used to determine that period;
- E) the right to request from the Controller rectification or erasure of personal data or restriction of processing concerning the data subject or to object to such processing;
- F) with reference to the consent given for the purposes referred to in point 2B), the right to withdraw consent at any time;
- G) the right to lodge a complaint with a supervisory authority.
- Exercise of rights
You may exercise your rights at any time by sending:
- a registered letter with return receipt to MONNALISA SPA, Via Madame Curie 7, AR 52100;
- an email to: dpo@monnalisa.eu
- Controller, processor and authorised personnel
The Data Controller is MONNALISA SPA, with registered office in Arezzo, Via Madame Curie 7. The updated list of data processors and authorised personnel is available at the Controller's registered office.
The DPO is lawyer Flavio Corsinovi, who can be contacted at: dpo@monnalisa.eu