1. Identity of the data controller. Data protection officer. Contact data
In compliance with the obligations set forth in Articles 12, 13, and 14 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter “GDPR”) and set forth in current national legislation on the protection of natural persons with regard to the processing of personal data as well as the free circulation of data, please note that the Subject responsible for the processing of the personal data (hereinafter “Data Controller”) is the business group HOLDING MAGNI with registered office in Prato at via San Leonardo da Porto Maurizio 24-26-28 Zip Code 59100, formally established and consisting of the Group companies that are a part of it, and which can be contacted by email at firstname.lastname@example.org.
For the purposes of the above-mentioned legislation, the following definitions apply:
"personal data" refers to any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, with particular reference to an identifier such as a name, an identification number, location data, an online identifier or one or more elements characteristic of his or her physical, physiological, genetic, mental, economic, cultural, or social identity;
"processing" refers to any operation or set of operations performed upon personal data or sets of personal data, whether or not by automatic means, such as the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure or destruction;
"archive" refers to any structured set of personal data accessible according to specified criteria, regardless of whether the set is centralised, decentralised, or distributed in a functional or geographical manner;
"controller" refers to the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria applicable to its designation may be determined by Union or Member State law;
"data protection officer" refers to the natural or legal person, public authority, agency, or other body processing personal data on behalf of the controller;
"recipient" refers to the natural or legal person, public authority, agency, or other body receiving a communication of personal data, whether or not a third party. However, public authorities which may receive communications of personal data as part of a specific investigation in accordance with Union or Member State law are not considered recipients; the processing of such data by those public authorities complies with applicable data protection rules according to the purposes of the processing;
"data subject's consent" refers to any freely given, specific, informed, and unequivocal expression of the data subject's wishes by which he or she expresses his or her consent, by means of a statement or unequivocal affirmative action, that the personal data relating to him or her may be processed.
3. Categories of personal data processed. Obligatory/optional nature of the disclosure of data. Consequences in case of failure to provide data
The Data Controller processes personal data referring to the user as "data subject", as they are provided voluntarily or legitimately found.
Personal Data can be provided by filling in the appropriate fields in the various sections of the Website, by contacting Customer service or by sending requests via email where required.
The website contains almost no information intended directly for minors. Minors must not provide any information or personal data. Participation in competitions that may be present on the website is intended exclusively for adults.
In particular, the following personal data are processed:
3.1 Data relating to the operation of this site
The computer systems and software procedures used to operate this website acquire, during their normal operation, the following personal data of which transmission is implicit in the use of Internet communication protocols, by way of example:
- the IP addresses; the type of browser used; the addresses of websites from which access has been made, the time of access, other parameters relating to navigation, etc.
This information is not collected in order to be associated with identified data subjects, but could, by its very nature, allow users to be identified through processing and association with other data held by third parties.
3.2 Data relating to promotional and profiling activities
Optionally, subject to the express consent of the data subject (acquired through the voluntary selection of the appropriate flags), the contact data voluntarily provided may be used for the forwarding of communications of a promotional nature and/or the service may be personalised according to the preferences expressed by filling in the respective sections.
These are personal data that do not belong to particular categories (such as name, surname, telephone and e-mail address, date of birth, address of residence, etc.), provided by the data subject concerned to allow their identification, and/or the performance of the service requested (e.g. the sending of newsletters or the communication of promotional initiatives of the Owner) or additional data to allow a personalized service (profiling), in any case only with express consent.
The data that fall into this category is optional and consent to the processing of such data may consequently be denied or revoked by the data subject, at any time and with the same ease with which it is granted, without prejudice to the lawfulness of the processing carried out before the revocation. Consequently, failure to grant and/or revoke consent to the processing of such data will not prevent access to the service by the data subject (the "user") but the Data Controller will not be able to send his or her own commercial communications, allow access to any dedicated promotional advantages and/or personalise the forwarding thereof according to the preferences expressed.
If the user uses the Social authentication function, where present, for registration to the site, access to the data of his/her Social account, specified in the "pop-up" window that is displayed at the time of the request, will be requested and there will be no need for the user to fill in other forms. Through the social platform, the user can activate or deactivate the function that allows the personal data autonomously provided and/or his/her social experience to be transferred to or shared with other websites or applications of third parties. At any time, the user can deactivate the sharing of data of his/her social account by accessing the settings of the relevant service provider.
4. Purpose of the processing for which the personal data are intended. Legal basis of the processing
Below are the purposes of the processing of personal data referring to the user (data subject), i.e. both those acquired automatically through navigation and those voluntarily provided by the user him/herself, according to the needs expressed from time to time when accessing the contact services and/or the various sections of the website, by filling in the forms online or with direct access, through links, to the e-mail address of the Controller relating to the service requested.
4.1 Data relating to the functioning of this website
Browsing data are processed exclusively by persons expressly authorised by the Controller to achieve the purpose of access to the sections of the website, as well as for any participation in promotions and/or games and/or competitions present on the site, including the activities of evaluation, assignment, and/or communication of the offer of digital discount coupons (also through the sending of transactional e-mails), as well as the prizes related to such participation, reply to requests received by e-mail, (by way of example but not limited to: requests of a technical nature on access issues and/or how competition works), in which case the legal basis is the execution of pre-contractual measures or a contract (art. 6(1b) GDPR), or to allow the maintenance of the site, in which case the legal basis of the processing is the legitimate interest of the Controller to guarantee the security of the site, to check that it is functioning correctly, and to obtain statistics in relation to its use (art. 6 (1f) GDPR).
4.2 Data relating to promotional activities (referred to as marketing) and/or market research
Subject to the user's consent and until revocation thereof, the Controller may carry out marketing activities such as, by way of mere example but not limited to: subscription to the newsletter, using the contact data provided by the data subject (ordinary mail, phone number, email address), market research, sending information and promotional material, marketing, and advertising activities regarding the Controller’s products and services, measure the degree of user satisfaction with the quality of the products, services rendered and the activity carried out by the Controller, carried out directly or through specialised companies using distance communication techniques including automated contact methods (such as SMS, MMS, fax, automated telephone calls, e-mail, messages on the web applications) and traditional methods (such as ordinary post and telephone calls through an operator), through personal or telephone interviews, questionnaires, conduct statistical surveys also for marketing purposes, carry out analyses on consumption habits or choices and define the user profile using the information provided by the latter at the time of registration, when filling in questionnaires, on the basis of actions taken while surfing the web or interacting with advertising banners of the Controller with the content published on the various social networks, or through the use of digital coupons, allow users to publish news and/or communications (hereinafter referred to as "posts") in general directly on the Controller’s websites or on websites managed independently by third parties with which the Owner has reached agreements in this sense, such as, by way of example but not limited to, social networks such as Facebook, etc. (hereinafter referred to as "Social Network"); the posts could also be published together with a pseudonym chosen by the user when registering on the Controller’s websites and possibly the image associated by the user with his/her nickname, for which the user will be exclusively responsible for any choice that might prejudice the interests of third parties. The user is not required to use personal data that would allow third parties other than the Controller to identify him/her, but the user, through the Controller’s websites, could also divulge his/her personal data if he/she has inserted them in his/her nickname, as well as the photo that he/she may have associated with his/her profile.
In all such cases, the legal basis for the processing is the consent specifically and freely given by the data subject (art. 6(1a) GDPR), without prejudice to the right to revoke such consent at any time and without any formality, and without prejudice to any processing carried out by the Controller in the period prior to the revocation.
Consent to the processing of personal data is optional, but in the event of total or partial refusal to provide the data or to consent to the processing and/or communication thereof, it will not be possible to complete the newsletter subscription process and consequently to perform the requested service.
If consent is given only in relation to the forwarding of promotional communications, it will only be possible to complete the newsletter subscription process and consequently carry out the requested service and the processing will be limited to such data for the aforementioned purposes, without the possibility to personalise the forwarding of current promotions and possibly participating in loyalty programs based on the preferences expressed.
At any time it will be possible to revoke the consent given for the aforesaid purposes, either partially or totally with respect to the consent previously expressed, by sending the request to the contacts of the Controller indicated in point 1 of this privacy statement, or simply by selecting the appropriate "unsubscribe" flag for total revocation with respect to the processing of the data optionally provided. By selecting this option in the section dedicated to the subscription on the Controller’s home page, or by communicating the request for total revocation, the personal data provided by the data subject will be completely removed from the system and it will no longer be possible to receive promotional messages from the Controller.
The processing of all personal data described above may, in any case, be carried out for the management and execution of the obligations prescribed by current legislation (accounting, administrative, fiscal, etc.), in which case the legal basis of the processing is the fulfillment of a legal obligation (art. 6(1c) GDPR), or for the management of disputes and possible litigation, in which case the legal basis of the processing is the legitimate interest of the Controller (art. 6, (1f) GDPR).
5. Processing methods. Categories of recipients. Transfer outside the EU
The personal data provided by the persons to whom such data refer (data subjects), directly or indirectly, will be processed in a mainly automated form, with logic strictly related to the aforementioned purposes, through archives managed by the Controller or by third parties appointed as Data Processors (to consult the complete and updated list of the Data Processors appointed for the processing of data concerning him/her, the data subject may contact the Controller at the contact addresses indicated above) and/or integrated computer systems and/or websites owned or used by the Controller.
The Controller has adopted suitable security measures to protect users (data subjects) against the risk of loss, abuse or alteration of such data. Although it is not possible to guarantee that the transmission of data via the Internet or websites is perfectly safe from intrusion, the Controller and its suppliers undertake to maintain the physical, electronic and procedural security measures for the protection of personal data, in compliance with the requirements imposed by the regulations, through the adoption of technical and organisational measures appropriate to the risk and as per art. 32 of the aforementioned GDPR. The Data Controller uses the protected data transmission protocols known as http or https, processing such data for the specific, explicit, and legitimate purposes according to which they have been collected in such a way that the processing is not incompatible with such purposes, according to principles of lawfulness, correctness, transparency, minimisation, accuracy, integrity, and confidentiality.
The data of the users (data subjects) are stored on servers located in the European territory or, in the case of electronic platforms such as Google and/or SAP Customer Data Cloud, could be transferred by the Controller to a country outside the EU, in such a case ensuring compliance with the applicable legal provisions and compliance with the appropriate guarantees, as provided for by Articles 46, 47 and 49 GDPR. The Servers are subject to an advanced back-up and disaster recovery system, are protected by firewalls, with strict restrictions on access to personal data, based on necessity and for the sole purposes communicated; the data collected is transferred through appropriate security measures and there is a permanent monitoring system of access to IT systems to identify and prevent any possible abuse.
The data received from the web service is not disseminated, as they may be communicated only to employees or collaborators of the Controller who, operating under the direct authority of the latter, process data and are authorised to do so, or system administrators, receiving appropriate operating instructions from the Controller, or to third parties (i.e. public or private entities, outside the organisational context of the Data Controller), appointed by the latter as Processors (by way of example but not limited to): persons entrusted with assistance, communication, promotion and sale of products and/or services, organisation and management of competitions, IT service providers, operators and/or developers of websites or applications contained therein, operators of electronic platforms, transport companies, customer service management companies) which carry out outsourcing activities on behalf of the Controller, involved in the provision of services requested by the data subject or in operations necessary for the fulfillment of legal obligations connected with the Controller’s business activity, in collaboration with the latter, bound to the strictest confidentiality with regard to any information that may come to their knowledge; they are consequently authorised to process the personal data they receive for the sole purpose of providing the service requested unless disclosure to third parties is strictly necessary to fulfill the requests of the data subject or expressly authorised by the latter, or at the request of the public security authorities.
6. Storage period
The personal data communicated by the data subject or in any case processed by the Controller, are saved for the time necessary to fulfill the specific purposes, as indicated below.
6.1 Data relating to the functioning of this website
The data referred to in point 3.1 and used for the sole purpose of obtaining anonymous statistical information on the use of the site and to check that it is functioning correctly, are kept for a period of 6 months following the request for cancellation from the service, exclusively to comply with the same.
In the case of processing for the purposes of participation in competitions, the processing will be limited to the time strictly necessary to comply with the statutory storage period.
Personal data processed in order to comply with the request for information by the data subject will be kept in relation to the type of request for the time necessary to comply with the statutory storage period and/or for any legal requirements.
6.2 Data relating to promotional and/or market research activities
In the case of consent to the processing of personal data for the purposes referred to under section 3.2, given the type of goods offered/advertised (mattresses, pillows, and related accessories), the data and information collected will be stored for a maximum time of 20 years, as a shorter retention time would prevent us from achieving the purposes for which the data is collected, notwithstanding the withdrawal of consent by the data subject at an earlier date.
At any rate, the retention time may be further extended to comply with a legal obligation or with a specific request of a public or regulatory authority, or to allow the conduct of defense investigations and/or judicial safeguard, where necessary.
7. Rights of the data subject
In relation to the described processing of personal data, the data subject may at any time contact the Controller at the addresses indicated in point 1, without any formality, in order to exercise the rights provided for in Articles 15-22 GDPR, which may be consulted in full on the website www.garanteprivacy.it/regolamentoue, within the limits and under the conditions provided for therein, and listed below by way of example:
right of access: for the purpose of obtaining confirmation of whether or not personal data concerning him or her are being processed and to obtain access to such data and specific information (e.g. purpose of processing, categories of data concerned, recipients to whom the data will be passed on);
right to rectification: in order to obtain the rectification of inaccurate data concerning him/her (e.g. to update, modify or correct them) without undue delay. In this case, the controller is obliged to notify such rectification to all recipients to whom the data have been transmitted, unless this involves a disproportionate amount of effort;
right to erasure (right to be forgotten): for the purpose of obtaining the erasure of data concerning him/her; the controller is obliged to erase them without unjustified delay if certain reasons exist (e.g. if the personal data are no longer necessary with respect to the purposes for which they were collected; if the data subject withdraws his/her consent; if they have to be erased for a legal obligation). In this case, the controller is obliged to notify such erasure to all recipients to whom the data have been transmitted, unless this involves a disproportionate amount of effort;
right to restriction of processing: for the purpose of providing for a restriction to the processing of data, e.g. to storage only, to the exclusion of any other use, in certain cases (e.g. if the processing is unlawful and the data subject opposes the erasure of the data; if the data subject contests the accuracy, within the limits of the accuracy verification period). In this case, the controller is obliged to notify such rectification to all recipients to whom the data have been transmitted, unless this involves a disproportionate amount of effort;
right to data portability: for the purpose of obtaining the return of the personal data provided in electronic format and transmitting them to others or requesting transmission from one data controller to another, if technically feasible;
right to object: to object at any time to the processing for purposes of public interest or legitimate interest; for marketing purposes; for scientific, historical, or statistical research.
Finally, pursuant to Articles 77 and 79 of EU Reg. 2016/679, the data subject has the right to lodge a judicial appeal, without prejudice to any other available administrative or extra-judicial appeal, including the right to lodge a complaint with a Data Protection Authority (Garante per la protezione dei dati personali, Piazza Venezia n. 11 - 00187 Roma, www.gpdp.it - www.garanteprivacy.it, e-mail: email@example.com, Fax: (+39) 06.69677.3785 Telephone switchboard: (+39) 06.69677.1).
The Controller reserves the right to make changes to this Privacy Statement at any time, with binding effects from the date of its publication, giving notification thereof on this page which may therefore be subject to updates over time, also in compliance with European and national regulations on the subject. Users (data subjects) are therefore invited to constantly check the content of the Privacy Statement in order to ensure that they agree with any changes (taking as a reference the date of the last change indicated at the bottom of the statement), as they are required to stop surfing the website if they do not accept such changes.
Like virtually all websites, our website uses certain cookies. Cookies are small text files that the sites visited by the user (but also other sites or webservers) send and record on his/her computer (or mobile device), to be retransmitted to the same sites (or webservers) at the next visit, in this way sending information.
Cookies are now fundamental tools as they allow modern sites to function at their best, allowing maximum customisation, interaction and fluidity in navigation. But they can also be used to monitor the user's navigation and then send advertising messages in line with this.
Cookies can be:
session cookies (if they expire when the browser is closed) or permanent (they remain until the expiry of a time-limit, which may last years);
first-party or third-party cookies (in the latter case, they are set by a website or a webserver different from the one the user is visiting at that moment);
technical cookies (necessary and sometimes indispensable to allow the website to be used in its entirety – or better) or profiling cookies (which serve to create a profile of the user, in order to send him/her publicity messages in line with the preferences shown by the latter during the previous browsing session).
The Italian Data Protection Authority considers session, functionality, and (only in certain specific conditions) analytics cookies as technical cookies. In particular, the Authority, with the document “Cookie Guidelines and Other Tracking Instruments” of June 10, 2021, has specified that the latter can be likened to technical cookies only if:
- they are used only to produce aggregate statistics and in relation to a single website or a single mobile app;
- the fourth component of the IP address is masked, at least those of third parties;
- third parties abstain from combining analytics cookies, minimized in this manner, with other computed data or from sending them to other third parties (however, third parties are permitted to produce statistics with data relating to multiple domains, websites, or apps that can be traced back to the same publisher or business group).
The Data Controller that directly produces only statistics on data relating to multiple domains, websites, or apps that are traceable to it may also use the data in unencrypted form, in compliance with the constraint of purpose.
Technical analytics cookies:
These cookies are used to allow the analysis of access data to the site by users - in anonymous and aggregate form. They are cookies related to the web analytics platform Google Analytics. These cookies do not collect information that can identify the user in any way. For details on how these cookies work and how to block them, please consult the privacy section of the service: https://www.google.com/analytics/learn/privacy.html?hl=it
These cookies are deposited by external persons who enrich the site with their own content, such as social network plugins. This website has plugins from the following social networks that issue cookies:
For details on how these cookies work and how to block them please visit http://www.allaboutcookies.org, https://www.youronlinechoices.com/, http://cookiepedia.co.uk
The user can decide whether to erase or block some (or all) cookies by configuring his/her browser. As a rule, these programs also allow third-party cookies to be specifically blocked with a specific option. Each browser has different procedures for the management of cookies; below are links to the specific instructions for the most common ones:
Internet Explorer: http://windows.microsoft.com/it-it/internet-explorer/delete-manage-cookies#ie=ie-11
Google Chrome: https://support.google.com/accounts/answer/61416?hl=it
Apple Safari: http://support.apple.com/kb/HT1677?viewlocale=it_IT
Mozilla Firefox: https://support.mozilla.org/it/kb/Attivare%20e%20disattivare%20i%20cookie
In addition, please note that by disabling cookies completely in the browser, the user may not be able to use all interactive features.