Version dated 8th October 2021
Cap Design S.p.A., in its capacity of data controller, hereby wishes to inform its B2B clients, dealers, retailers and other contractual counterparties of the Controller, as part of a different commercial relationship, of the processing methods of their personal data, in conformity with Italian Legislative Decree No. 196/2003 as amended and supplemented, and the European General Data Protection Regulation No. 679/2016 (hereinafter, "European Regulation").
1. 1. Controller and data protection officer
Cap Design S.p.A. with sole shareholder ("Cappellini" or "Controller"), a company subject to management and coordination activity by Haworth Italy Holding S.r.l. VAT no. 04311900965 with registered office in Via Busnelli, no. 5, 20821 Meda (MB), which can be contacted at the email address [email protected]
a) B2B clients, dealers, retailers and other contractual counterparties of the Controller, in the case of natural persons or sole proprietorships; and
b) legal representatives, shareholders (natural persons), directors, attorneys, members of the board of statutory auditors, members of the supervisory body, technical managers, other natural persons vested with powers of representation and/or management and/or control, as well as the employees and contract staff of B2B clients, dealers, retailers and other contractual counterparties;
(hereinafter jointly referred to as the "Data Subjects").
1. 3. Which Data are processed?
The Controller collects the personal data relating to the Data Subject directly from the latter - if the Controller's contractual counterparty is a natural person or sole proprietorship - or from the company/entity to which the data subject belongs for registration to the event in which the Data Subject intends to participate, for registration to the Cappellini interactive digital platform or during events, shows, work meetings and in the phase of negotiation and/or conclusion and/or execution and/or termination of the contract entered into with the Controller. Furthermore, the Controller may collect the personal data relating to the Data Subject from lists, registers and other publicly accessible sources - such as, for example, data contained in the chamber of commerce company report of the company to which the Data Subject belongs - as well as databases of organisations that provide information on the commercial reliability of entrepreneurs and managers.
Depending on the purposes and the time of collection, the Controller processes the following types of personal data relating to the Data Subject:
a) personal details, contact data, identity document and role covered at the company/entity to which the Data Subject belongs;
b) company name, address of the main office and any secondary offices, VAT number and/or tax code, details bank account or accounts of the Data Subject, if the latter is a natural person or sole proprietorship;
d) other personal data relating to the Data Subject that may be collected by the Controller during the phase of negotiation and/or conclusion and/or execution and/or termination of the contract entered into with the Controller;
(hereinafter, jointly, the "Data").
1. 4. For what purposes are the Data processed?
The Controller processes the Data of Data Subjects to:
a) carry out negotiations and perform the contract of which the Data Subject is a party during an online purchase or at the showroom, for registration to one of the events organised by the Controller or for registration to the interactive digital platform of the Controller (hereafter "Contractual Purposes");
b) comply with obligations deriving from applicable legislation, therein including tax legislation (hereafter "Legal Purposes"); and
c) if the Controller's contractual counterparty is a company, pursue the legitimate interest of the Controller in holding negotiations and performing the contract of which the company/entity to which the Data Subject belongs is a party;
d) pursue the legitimate interest of the Controller in verifying the commercial and financial security and reliability of its B2B clients, dealers, retailers and other contractual counterparties, to prevent fraud, to guarantee management solidity and the correct execution of commercial relationships between the Controller and its B2B clients, dealers, retailers and other contractual counterparties;
e) exercise and defend its rights, also as part of credit recovery procedures, in relation to the Data Subject or third parties in any dispute;
f) carry out activities functional to sales of businesses and business branches, acquisitions, mergers, demergers or other transformations and for performing those operations;
g) send to potential professional purchasers of the Controller's products and services communications of commercial nature on collections, exhibitions and events relating to the Controller. We will send these communications periodically, indicatively no more than twice a month or on the occasion of particular initiatives (e.g., Salone del Mobile Furniture Fair) by email to the addresses of the Data Subject indicated each time within the contractual relationship between the Controller and the company/entity to which the Data Subject belongs;
h) communicate to other companies of the group to which the Controller belongs the contact information of potential professional purchasers of the products and services of the companies of the Controller's group so that the same can send commercial information on collections, exhibitions and events, even by way of newsletters, in relation to their products and services (the group companies are: Poltrona Frau, Cappellini, Cassina, Ceccotti, DZine, Karakter, Janus et Cie, Luminaire, Luxury Living Group. The updated list of group companies can be requested to the Controller by sending an email to the address indicated in paragraph 11) below. The group companies will send these communications periodically, indicatively no more than once a month or on the occasion of particular initiatives (e.g., Salone del Mobile Furniture Fair) by email to the addresses of the Data Subject indicated each time within the contractual relationship between the Controller and the company/entity to which the Data Subject belongs. Furthermore, in order to limit those communications to what is strictly necessary, the Data Subject will receive emails only subject to evaluating the commercial opportunity by the group company that has registered the contact. This evaluation will be based upon two criteria:
(i) the type of clientele to which the Data Subject belongs (therefore, for example, promotional communications will not be sent to suppliers of Cappellini, which, by virtue of the commercial relationship in place or for which negotiations are in progress with the latter, are considered unlikely to be interested in purchasing products or participating in events of the Controller, while they will always be sent to potential professional purchasers of the products or services of the companies of the group to which the Controller belongs, so that they are made aware of all commercial opportunities with the Group companies); and
(ii) the sector of activity of the Data Subject (for example, if the Data Subject's activity does not involve outdoor furniture, communications relating to Janus et Cie will not be sent).
In this way, communications are not sent indiscriminately and in a potentially inappropriate manner, but rather considering the immediate benefit for both the Data Subjects (which receive all and only the communications they are potentially interested in) and for the Controller. Each Data Subject will in any case be free to request directly from each group company the transmission of promotional material; in that case the evaluation of the company with which he/she originally had contact will not be necessary;
(the purposes indicated in letters c) to h) are known jointly as the "Legitimate Interest Purposes").
1. 5. On what basis are the Data processed?
The processing of Data is necessary with reference to the Contractual Purposes and the Legal Purposes referred to in paragraph 4, letter a) and b), in order to allow you to participate in the event, to register to the platform, to negotiate, enter into, perform and/or terminate the contract between the Controller and the Data Subject, as well as to adhere to the provisions of applicable legislation. Any failure to provide the Data for those purposes will make it impossible for the Controller to allow you to participate in the event, to register to the platform or to perform the aforementioned contract.
1. 6. How are the Data processed?
In relation to the purposes indicated above, the Data will be processed both using IT or automated tools and on paper, and they will be protected by way of appropriate measures to guarantee the confidentiality and security of the personal data. In particular, the Controller adopts appropriate organisational and technical measures to protect the Data in its possession against loss, theft, as well as unauthorised use, disclosure or modification of the Data.
1. 7. To whom are the Data communicated?
For the purposes stated in paragraph 4, the Controller may communicate - in whole or in part - the Data of the Data Subjects to the following categories of entities:
a) employees of the Controller or of the entities indicated below, as persons in charge of the processing, as part of their respective duties and within the limits established by law;
b) providers of services instrumental to or in support of those performed by the Controller and therefore, by way of example but without limitation, legal, administrative and tax consultants, banking institutions for the management of receipts and payments deriving from the execution of the contract between the Controller and the Data Subject or the company/entity to which he/she belongs, auditing companies, events management companies, companies instructed to send marketing newsletters, providers of technological services, in the capacity of autonomous data controllers or processors;
c) sub-suppliers and/or subcontractors engaged in activities connected to the performance of the contract between the Controller and the Data Subject or the company/entity to which he/she belongs, in the capacity of external processors;
d) other companies belonging to the group of which the Controller is part, situated in Italy and abroad, as data controllers for their own marketing purposes;
e) retailers or commercial partners of the Controller or companies of the group to which the Controller belongs which perform services on behalf of the Controller, including the collection of data to be entered in the client relationship management system "CRM". Those entities will act in the capacity of processors;
f) public entities and/or judicial and/or control authorities whose right of access to the data of the Data Subject is envisaged by applicable legislation, in the capacity of autonomous data controllers; and
g) transferees of businesses or business branches, companies resulting from mergers, demergers or other transformations of the Controller, as autonomous controllers.
Some of the entities listed above may be situated in countries outside the European Union or the European Economic Area. More specifically, the Data entered in the CRM database, whose servers are located in the territory of the European Union, will be shared with entities that may, however, be located both inside and outside the EEA, as the Controller offers its products and services to customers and commercial partners in all countries in which it is present.
In that case, the Data will be communicated in accordance with the following paragraph.
1. 8. Are the Data transferred abroad?
In compliance with applicable norms, the Data may be transferred abroad, even to countries not belonging to the European Economic Area and, in particular, to countries in which the companies of the group to which the Controller belongs are based, as well as showrooms and authorised retailers of products and services of the Controller which will have access to them via the CRM system; a full list of those entities is available on the website of the Controller, while the full list of group companies can be requested from the Controller by sending an email to the address stated in paragraph 11) below. Any transfer of Data to countries located outside the European Economic Area will occur, in any case, in respect of the appropriate and adequate guarantees for the purposes of that transfer, in accordance with Articles 44 et seq. of the European Regulation.
1. 9. For how long are the Data stored?
The Data will be stored by the Controller:
a) For registration to the event, for registration to the interactive digital platform or in the case of a positive outcome of the contractual negotiations, for a period equal to the duration of the contract entered into between the Controller and the Data Subject, or the company/entity to which he/she belongs, and for 10 years after its termination;
b) in the case of a negative outcome of the contractual negotiations, the Data will be erased at the end of the negotiation phase;
except, in any case, where the further storage of Data is necessary in order to exercise or defend a claim of the Controller in relation to the Data Subject or third parties in any dispute.
With reference to data processed for the purposes of sending commercial communications, the Controller will process the data of the Data Subject until the right to object is exercised and, in any case, for no more than 2 years from the end of the contractual relationship between the Controller and the company/entity to which the Data Subject belongs.
At the end of the storage period, the data will be erased, anonymised or aggregated.
1. 10. What are the rights of the Data Subjects?
Without prejudice to the possibility for the Data Subject not to provide his/her Data, the Data Subject may, at any time and free of charge:
a) obtain confirmation of the existence or otherwise of Data concerning him/her;
b) ask to be informed about the origin of the Data, the purposes of processing and its methods, as well as the logic applied to processing carried out using electronic tools;
c) request the update, rectification or - if appropriate - supplementation of Data relating to him/her;
d) obtain the erasure, transformation into anonymous form or blocking of Data potentially processed in violation of the law, as well as object, for legitimate reasons, to the processing;
e) withdraw consent, where previously provided;
f) ask the Controller to restrict the processing of the Data relating to him/her if (i) the Data Subject disputes the accuracy of the Data, for the period necessary for the Controller to verify the accuracy of those Data; (ii) the processing is unlawful and the Data Subject objects to the erasure of the Data and instead requests that their use be limited; (iii) although the Controller no longer needs them for the purposes of processing, the Data are required by the Data Subject for establishing, exercising or defending a claim judicially or extra-judicially; (iv) the Data Subject has objected to the processing in accordance with Article 21, paragraph 1 of the European Regulation pending verification with regard to any prevalence of the legitimate reasons of the Controller over those of the Data Subject;
g) object at any time to the processing of his/her Data for Legitimate Interest Purposes;
h) request the erasure of the Data concerning him/her without undue delay; and
i) obtain the portability of the Data concerning him/her.
The Data Subject will also have the right to lodge a complaint with the Italian Data Protection Authority at the contact details indicated on the website www.garanteprivacy.it, where the conditions apply.
Requests to exercise the rights may be sent in writing to the Controller, which can be contacted at the following email address [email protected]
1. 11. DPO
The Controller has appointed a DPO who is responsible for compliance by the Controller with the fulfilments required by personal data protection legislation.
The Data Subject may contact the DPO securely and confidentially, at any time, if he/she has general questions on the processing of his/her personal data, or for any issue relating to data protection. The Data Protection Officer's email address is: [email protected]
1. 12. Amendments and updates
AUTONOMOUS CONTROLLERS FOR
MANAGEMENT OF SALES AT THE SHOWROOMS
Company Name: Poltrona Frau UK Ltd.
VAT no.: GB
With registered office at: 150 St. John Street - London EC1V 4UD
E-mail: [email protected]
Company Name: Poltrona Frau Group North America, Inc.
VAT no.: non
With registered office at: 151 Wooster Street, 2nd floor - New York NY 10012
E-mail: [email protected]