Access your Reserved Area to send your request
PRIVACY NOTICE FOR THE PROCESSING OF PERSONAL DATA OF CUSTOMERS AND PROFESSIONAL COUNTERPARTIES (B2B)
pursuant to Article 13 of the General Data Protection Regulation (EU) 679/2016 ("GDPR")
This Policy is valid from the date of publication (last updated: June 22, 2026). The Data Controller may make changes and/or additions to this Policy, including as a result of any subsequent regulatory changes and/or additions.
1. Data controller and data protection officer
Cap Design S.p.A. ("Cappellini" or the "Data Controller"), a company subject to management and coordination by Haworth Italy Holding S.r.l., VAT no. 04311900965 with registered office in Via Busnelli, no. 5, 20821 Meda (MB), which can be contacted at the following email address [email protected] , is the data controller in relation to the processing of personal data described in this policy.
2. Data Protection Officer
The Data Controller has appointed a Data Protection Officer ("DPO") who is responsible for ensuring the Controller's compliance with the requirements of data protection legislation. The Data Subject may contact the DPO securely and confidentially at any time with general questions regarding the processing of their personal data, or for any data protection-related issues. The Data Protection Officer's email address is: [email protected].
3. To whom does the Policy apply?
This privacy policy applies to the processing, by the Data Controller, of the personal data of:
a) B2B customers, dealers, resellers and other contractual counterparties of the Data Controller, in the case of natural persons or sole proprietorships; and
b) legal representatives, partners (natural persons), directors, attorneys, members of the board of auditors, members of the supervisory body, technical directors, other individuals with powers of representation and/or management and/or control, as well as employees and collaborators of B2B customers, dealers, resellers, and other contractual counterparties;
(hereinafter jointly referred to as the "Interested Parties").
4. Source of the data processed?
The Data Controller collects personal data relating to the Data Subject directly from the Data Subject—where the Data Controller's contractual partner is a natural person or sole proprietorship—or from the company/organization to which the Data Subject belongs, when registering for the event in which the Data Subject intends to participate, when registering for Cappellini's interactive digital platform, or during events, trade fairs, business meetings, and during the negotiation and/or conclusion and/or execution and/or termination of the contract established with the Data Controller. Furthermore, the Data Controller may collect personal data relating to the Data Subject from lists, registers, and other publicly accessible sources—such as, for example, the data reported in the Chamber of Commerce registration of the company to which the Data Subject belongs—as well as from databases of entities that provide information on the commercial reliability of entrepreneurs and managers.
The collected data will be entered into Cappellini's central database, which will process it as an independent data controller for the purposes of selling its Products, as well as for marketing purposes (as described below). The data may also be collected by Cappellini's affiliates and/or subsidiaries and by retailers or commercial partners operating in Italy and abroad, and in this case, they will be designated by the Data Controller as data processors.
With reference to the sole management of sales and after-sales activities at some of our showrooms, the companies listed below will collect and process the Data as independent data controllers, as indicated in this policy, where applicable.
5. What data is processed?
Depending on the purposes and the time of collection, the Data Controller processes the following types of personal data relating to the Data Subject:
a) personal data, contact details, identity document and role held at the company/organization to which the interested party belongs;
b) the company name, the address of the main office and any secondary offices, the VAT number and/or tax code, and the details of the interested party's bank account(s), if the interested party is a natural person or a sole proprietorship;
c) data relating to the economic and financial reliability of the interested party—in the case of a sole proprietorship or a single-member company—collected through the use of databases of entities that provide information on the commercial reliability of entrepreneurs and managers and that have adhered to the Code of Conduct for the Processing of Personal Data in the Field of Commercial Information approved by the Italian Data Protection Authority. For further information, including on the categories of data collected through these databases, the interested party may consult the privacy policies of the entities providing the information in question, available on the website www.informativaprivacyancic.it;
d) any further personal data relating to the Data Subject that may be collected by the Data Controller during the negotiation and/or conclusion and/or execution and/or termination of the contract established with the Data Controller.
(hereinafter, jointly, the "Data").
Interested parties are advised not to provide the Data Controller with data that is not necessary for the purposes set out in this privacy policy.
6. For what purposes are the Data processed?
The Data Controller processes the Data of the Interested Parties for:
a) carry out negotiations and execute the contract to which the Data Subject is a party during an in-store purchase, for registration for one of the events organized by the Data Controller or for registration on the Data Controller's interactive digital platform (hereinafter "Contractual Purposes");
b) fulfill the obligations arising from applicable legislation, including tax legislation (hereinafter "Legal Purposes"); and
c) if the contractual counterparty of the Data Controller is a company, pursue the legitimate interest of the Data Controller in carrying out negotiations and executing the contract to which the company/entity to which the Data Subject belongs is a party;
d) pursue the legitimate interest of the Data Controller in verifying the security and commercial and financial reliability of its B2B customers, dealers, resellers, and other contractual counterparties, preventing fraud, ensuring the soundness of the management and correct execution of commercial relationships between the Data Controller and its B2B customers, dealers, resellers, and other contractual counterparties,
e) assert and defend its rights, including in the context of debt collection procedures, against the interested party or third parties in any dispute;
f) carry out activities related to business or branch transfers, acquisitions, mergers, demergers or other transformations and for the execution of such operations;
g) send potential professional buyers of the Data Controller's products and services commercial communications about collections, exhibitions, and events related to the Data Controller. We will send these communications periodically, approximately no more than twice a month, or during special events (e.g., the Salone del Mobile) via email to the addresses of the interested parties indicated from time to time as part of the contractual relationship between the Data Controller and the company/organization to which the interested party belongs;
h) communicate to other companies in the group to which the Data Controller belongs the contact information of potential professional buyers of the products and services of the same companies in the Data Controller's group so that they can send commercial information on collections, exhibitions and events, including via newsletters, in relation to their products and services (the group companies are: Poltrona Frau, Cappellini, Cassina, Ceccotti, DZine, Karakter, Janus et Cie, Luminaire, Club House, Luxury Living. The updated list of group companies can be requested from the Data Controller by sending an email to [email protected]. The group companies will send these communications periodically, approximately no more than once a month or during particular initiatives (e.g., the Salone del Mobile) via email to the addresses of the Data Subjects indicated from time to time in the contractual relationship between the Data Controller and the company/entity to which the Data Subject belongs. Furthermore, in order to limit such communications to what is strictly necessary, the interested party will receive emails only after the group company that registered the contact has evaluated the business opportunity. This evaluation will be based on two criteria:
(i) the type of customer to which the Data Subject belongs (therefore, for example, promotional communications will not be sent to Cappellini suppliers, who, by virtue of the existing commercial relationship or for which negotiations are underway with the latter, are deemed not to be interested in purchasing the products or participating in the Data Controller's events, while they will always be directed to professionals who are potential buyers of the products or services of the companies in the group to which the Data Controller belongs, so that they are made aware of all commercial opportunities with the Group companies); and
(ii) the Data Subject's business sector (for example, if outdoor furniture is not of interest to the Data Subject's business, no communications relating to Janus et Cie will be sent to the Data Subject).
In this way, communications are not sent indiscriminately and potentially inappropriately, but rather to the immediate benefit of both the Data Subjects (who receive all and only communications of potential interest to them) and the Data Controller. Each Data Subject will always be free to directly request promotional materials from any group company, in which case it will no longer be necessary to evaluate the company with which they originally contacted them.
(the purposes referred to letters c) to h) are jointly referred as the "Purposes of Legitimate Interest").
7. On what basis are the Data processed?
Data processing is necessary for the Contractual Purposes and Legal Purposes referred to in paragraph 6, letters a) and b), in order to allow you to participate in the event, register on the platform, negotiate, enter into, execute, and/or terminate the contract between the Data Controller and the Data Subject, as well as to comply with applicable law. Failure to provide the Data for these purposes will make it impossible for the Data Controller to allow you to participate in the event, register on the platform, or execute the aforementioned contract.
Data processing for Legitimate Interest Purposes is carried out pursuant to Article 6, letter f) of the European Regulation to pursue the legitimate interest of the Data Controller, which is fairly balanced with the legitimate interest of the Data Subjects, as the Personal Data processing is (i) limited to what is strictly necessary for the execution of the economic transactions and other activities indicated in letters c) to f) above and (ii) functional to maintaining commercial relationships with professional clients for the activities referred to in points g) and h). Processing for Legitimate Interest Purposes is not mandatory, and the Data Subject may immediately or subsequently object to any processing using the methods indicated in paragraph 12) of this Policy. However, if the Data Subject objects to such processing, his or her data cannot be used for Legitimate Interest Purposes. For example, in the case of the activities referred to in points g) and h), the Data Subject may object both to the communication of his or her contact details to other companies in the Group and also, in general, to receiving any promotional communications from the Data Controller, without this in any way prejudicing the contractual relationship with the Data Controller.
8. How is the Data processed?
In relation to the above-mentioned purposes, the Data will be processed both using computerized or automated tools and on paper, and will be protected through appropriate measures to ensure the confidentiality and security of personal data. Specifically, the Data Controller adopts appropriate organizational and technical measures to protect the Data in its possession against loss, theft, and unauthorized use, disclosure, or modification of the Data.
9. To whom are the Data communicated?
For the purposes referred in paragraph 6, the Data Controller may communicate - in whole or in part - the Data Subjects' Data to the following categories of subjects:
a) employees of the Data Controller or of the persons indicated below, as data processors, within the scope of their respective duties and within the limits established by law;
b) suppliers of instrumental or support services to those performed by the Data Controller and therefore, by way of example but not limited to, legal, administrative and tax consultants, banking institutions for the management of collections and payments deriving from the execution of the contract between the Data Controller and the Interested Party or the company/entity to which the latter belongs, auditing companies, commercial information companies authorized pursuant to Article 134 of the TULPS (Consolidated Law on Public Security), companies responsible for event management, companies responsible for sending marketing newsletters, and technology service providers, acting as independent data controllers or processors;
c) end customers who request a name or contact address of the interested party in order to use the services offered by the interested party or by the company/organization to which the interested party belongs;
d) subcontractors and/or subcontractors engaged in activities related to the execution of the contract between the Data Controller and the Data Subject or the company/entity to which the Data Subject belongs, in their capacity as external data controllers;
e) other companies belonging to the group to which the Data Controller belongs, located in Italy and abroad, as data controllers for their own marketing purposes;
f) resellers or business partners of the Data Controller or companies in the Data Controller's group that perform services on the Data Controller's behalf, including collecting data for entry into the customer relationship management (CRM) system. These entities will act as data processors;
g) public bodies and/or judicial and/or supervisory authorities whose right to access the data subject's data is provided for by applicable legislation, in their capacity as independent data controllers; and
h) transferees of a business or branch of a business, companies resulting from possible mergers, demergers, or other transformations of the Data Controller, as independent data controllers.
Some of the entities listed above may be located in countries outside the European Union or the European Economic Area. Specifically, the Data entered into the CRM database, whose servers are located within the European Union, will be shared with entities that may be located both within and outside the EEA, as the Data Controller offers its products and services to customers and business partners in all countries where it operates.
In this case, the communication of the Data will take place in accordance with what is indicated in the following paragraph.
10. Is the Data transferred abroad?
The Data may, in compliance with applicable regulations, be transferred abroad, including to countries outside the European Economic Area, and in particular to the countries where the Data Controller's group companies are based, as well as showrooms and authorized dealers of the Data Controller's products and services, who will have access to the Data via the CRM system. A complete list of these entities is available on the Data Controller's website, while a complete list of group companies can be requested from the Data Controller by sending an email to [email protected]. Any transfer of Data to countries outside the European Economic Area will, in any case, take place in compliance with appropriate safeguards for the purposes of the transfer, pursuant to Articles 44 et seq. of the European Regulation.
In any case, the interested party will be informed of any transfer of data outside the European Economic Area by updating this information notice in the manner indicated in the following paragraphs.
11. How long is the Data stored?
The Data will be stored by the Data Controller
a) For event registration, for registration on the interactive digital platform, or in the event of a successful contractual negotiation, for a period equal to the duration of the contract stipulated between the Data Controller and the Interested Party, or the company/organization to which the latter belongs, and for the 10 years following its termination;
b) in the event of a negative outcome of the contractual negotiations, the Data will be deleted at the end of the negotiation phase;
and unless further retention of the Data is necessary to exercise or defend a right of the Data Controller against the Data Subject or third parties in any dispute.
With reference to data processed for the purpose of sending commercial communications, the Data Controller will process the Data Subject's data until the right to object is exercised and, in any case, no later than 2 years after the end of the contractual relationship between the Data Controller and the company/entity to which the Data Subject belongs.
At the end of the retention period, the data will be deleted, anonymized, or aggregated.
12. What are the rights of the interested parties?
Without prejudice to the Data Subject's right not to provide his/her Data, the Data Subject may, at any time and free of charge:
a) obtain confirmation of whether or not data concerning him or her exists;
b) know the origin of the Data, the purposes of the processing and its methods, as well as the logic applied to the processing carried out using electronic tools;
c) request the updating, rectification or - if interested - the integration of the Data concerning him/her;
d) obtain the cancellation, transformation into anonymous form or blocking of any Data processed in violation of the law, as well as to oppose, for legitimate reasons, the processing;
e) revoke your consent, if previously given;
f) ask the Data Controller to restrict the processing of his or her Personal Data in the event that (i) the Data Subject contests the accuracy of the Data, for a period enabling the Data Controller to verify the accuracy of the Data; (ii) the processing is unlawful and the Data Subject opposes the erasure of the Data and requests the restriction of its use instead; (iii) although the Data Controller no longer needs the Data for the purposes of the processing, the Data Subject requires it to establish, exercise, or defend legal claims; (iv) the Data Subject has objected to the processing pursuant to Article 21, paragraph 1, of the European Regulation pending the verification whether the legitimate grounds of the Data Controller override those of the Data Subject;
g) object at any time to the processing of your Data for Legitimate Interest Purposes;
h) request the deletion of the Data concerning him/her without undue delay and
i) obtain the portability of the Data concerning him.
The interested party will also have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) using the contact details available on the website www.garanteprivacy.it, where the conditions exist.
Requests to exercise these rights may be submitted in writing to the Data Controller, who can be contacted at the following email address: [email protected].
Access your Reserved Area to send your request