THE PROCESSING OF PERSONAL DATA BY EATALY
PURPOSES OF PROCESSING AND LEGAL BASIS
The data are processed for the following purposes.
- a) Based on the contractual need such as: follow specific user requests (e.g. consider a candidate applying for a job position or responses to their information requests, when the user communicates with our Customer Services, loyalty program etc.), manage the relations with a suppliers (i.e. manage orders and perform related activities such as management of payments, shipments, waybills etc.);
- b) Based on the consent expressed by the user, where the consent has been freely given, is unambiguous and clear (i.e. you when the user has actively opted into a service Eataly provides by ticking a box). The consent may be asked for example in order to contact the user and send commercial communications and promotional offers (also tailored on user’s preferences and interests), when the user sign-up to the Newsletter, with regard to products and activities of Eataly, through SMS, telephone, paper mail or other means, or in connection with the Wifi Services or on a Social Media Platform. The user can withdraw the consent at any time, and Eataly will stop all processing activities that were based on consent as a legal basis for processing. Please note that Eataly may still process the personal data of the users if there is another lawful basis for processing.
- c) Based on the legitimate interest of Eataly as a business specifically: – for the analysis and improvement of its services; – for statistical and/or research and development activities; – in order to defend its rights in the course of court, administrative or extrajudicial proceedings, and in disputes arising in connection with the services offered; – in the case of extraordinary transactions, merger, sale of a business unit, acquisitions, etc. or if any such transaction is proposed.
Furthermore Eataly processes the personal data of the users (including the use of the Site, choices, habits and purchase preferences, geographical area of reference, level of expenditure incurred, active services and frequency of use) based on the legitimate interest as a business in order to give the users the best service, purchasing trend and to protect, promote and grow its business. In particular, Eataly, will process such personal data of the users in order to send tailored marketing communications if the user has given the consent as provided by previous point b). Eataly may also use data which has been collected from third parties to enrich the data Eataly holds relating the user in order to build a fuller picture of what may be of interest to the user. This profiling activity informs how Eataly decides which products, services and offers may be relevant to users, and to send tailored communications accordingly.
Please note that Eataly always considers and balances any potential impact on users (both positive and negative) and user’s rights before any process of user’s personal data for Eataly’ legitimate interests. Eataly will not use users’ personal data for such activities unless there is a compelling interest which is not overridden by the impact on users (unless Eataly has your consent or are otherwise required or permitted to by law).
- d) Based on the need to fulfil the legal obligations to which Eataly is subject.
The provision of data for the purposes referred to in paragraph (a) above is mandatory, refusal to provide personal data for processing makes it impossible to perform the services or to provide the information required. As explained in the “Cookies section” and “Rights of the Data Subject below, you have the right to withdraw consent to certain other processing of your personal data, including withdrawing consent to online tracking and advertising, or receiving our marketing emails.
CATEGORIES OF DATA PROCESSED BY EATALY
Below is a description of the categories of data we deal with:
– Data supplied directly by the interested party: all personal data provided to Eataly in any manner (e.g. in the context of subscription to the Newsletter, or in the application for a job position.). Examples of data provided directly by the interested parties are: name; address and telephone number; credit card data (processed only for the time necessary for the execution of the relevant activity). If the user submits an application for a job position, the information concerning the CV and the relevant position will be collected.
– The data provided by third parties constitute all the personal data Eataly collects from other sources (postal service companies, couriers, data entry companies, etc.) to perform its services. Examples of data provided by third parties are the data on web pages visited that we may receive from other commercial operators with whom Eataly collaborates for certain initiatives, social log-in (information relating to your Social account as well as other data you have provided to the Social Network used to log in to the Site, which can be communicated based on the privacy preferences you have set on that Social Network), personal data concerning the use of the Wi-fi in Eataly premises etc.
– Data collected automatically: these are browsing data and/or collected using the so-called “cookies”. During their normal operation, the computer systems and software procedures used to operate this Site acquire certain personal data whose transmission is implicit in the use of internet communication protocols. This information is not collected with the aim of linking it to identified users, although, by its nature, it might enable user identification through processing and linking with data held by third parties. This category of data includes IP addresses or domain names of computers used by persons who connect to the site, the URI (Uniform Resource Identifier) of requested resources, the time of request, the method used to submit the request to the server, the size of the file received in reply, the numerical code indicating the status of the reply provided by the server (successful, error, etc.) and other parameters regarding the user’s operating system and computer environment.
Eataly will not normally process personal data concerning personal beliefs, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or information related to health, sex life or sexual orientation (hereinafter “Special Categories of Personal Data”). If it is necessary to process Special Categories of Personal Data, Eataly undertakes to process such data in accordance with the applicable legislation. The legal basis for this processing is, usually, the fulfilment of a legal obligation, it being understood that Eataly will request your explicit consent if there is no concrete legal obligation for processing such data.
DATA RECIPIENTS OR CATEGORIES OF RECIPIENTS
In any other case, except as required by applicable law, personal data are not transferred and/or disclosed to third parties.
TRANSFER OF DATA
We may transfer personal data that we collect from you to third-party in countries that are outside the UK or outside the European Economic Area (EEA).
If personal data are transferred to countries outside the UK or the EEA, the transfers will take place in compliance with the provisions established by the GDPR and other applicable legislation, in order to ensure an adequate level of protection. For example, the transfers will take place to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission and we will ensure your data receives the same protection as if it were being processed in the UK or EEA.
DATA RETENTION PERIOD
Whenever Eataly collects or processes your personal data, it will only keep them for as long as is necessary for the purpose for which they were collected. As soon as the personal data are no longer necessary for the purposes for which they were collected, Eataly will delete them, unless the law requires further storage, or the user has not consented to the processing for a longer time, or when they are archived. In particular, Eataly will retain the personal data that are necessary to: – fulfill the requests of the authorities within their competence; – defend or assert any existing or potential claim; – handle any complaint regarding contracts or orders concluded. The data retention period necessary to achieve the aforementioned purposes is linked to the limitation period of a claim that in many cases is equal to 10 years. Eataly will retain personal data after such time has elapsed only when required to comply with legal obligations or in the event of disputes and extraordinary claims that reasonably require the retention of personal data. Regarding the data entered when submitting a job application online or by other means, if the application is not successful, such data will be stored in the system for a maximum of 24 months, in order to allow us to evaluate the candidate for other positions. The user can oppose to this processing at any time by submitting a request to the contacts indicated in the section “Rights of the data subject”.
RIGHTS OF THE DATA SUBJECT
Under the GDPR, each user has the right to access their personal data and to obtain confirmation of the existence or otherwise of his personal data, even if not yet registered, and to their communication in intelligible form. In particular, each user has the right to obtain access to his data from Eataly, as well as any information regarding the methods and characteristics of the processing.
Whenever the user has given the consent to use his/her personal data (i.e. when the user ticks the box to receive marketing communications), the user has the right to withdraw that consent anytime, by using the contact details indicated below in the section “Data Controller”. Furthermore, the user has the right to unsubscribe from the Newsletter right away by using the appropriate link at the end of each email.
In addition to the above, the user, in the cases provided by law, has the right to receive his personal data in a structured, plain and readable format, as well as the right to transmit this data to another data controller without impediments. Furthermore, each user has the right to obtain updates, rectification or integration of their data from Eataly. The user also has the right to erase his personal data as well as to limit the processing in cases provided by law.
Finally, each user has the right to object, in whole or in part, to the processing of personal data concerning him/her if the processing is based on the legitimate interest of the controller, as well as for direct marketing purposes.
The requests referred to in the previous points should be addressed to the data controller’s contacts indicated in the “Data Controller” section below.
The controller of the data processing, is: Eataly Retail UK Limited with registered office in London, 135 Bishopsgate, EC2M 3YD, Company number: 08721896.
If you have doubts or if you want more information for any matters regarding the processing of your personal data and the exercise of your rights deriving from the applicable legislation, you can send an email to the following address: firstname.lastname@example.org
CONTACTING THE REGULATOR
If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your data, you have the right to fill a complaint with the Information Commissioner’s Office, tel: 0303 123 1113, website: ico.org.uk/concerns.
If you are based outside the UK, you have the right to lodge your complaint with the relevant data protection regulator in your country of residence.