Dear User, we hereby inform you that on 22 September 2021 following the procedure for competing tenders pursuant to Article 163-bis, paragraph 5 of the Bankruptcy Law the Court of Mantua awarded the commercial business unit owned by the company “Corneliani S.r.l. in arrangement with creditors“, whose purpose is the production, manufacture and sale of clothing items and related accessories under the “Corneliani“ brand, to the company “Corneliani S.p.A.“ with its legal headquarters at Via Durini n. 24, Milan (MI) and tax code no. 11762610969.

The deed of transfer for the commercial business unit, as identified above, to the company “Corneliani S.p.A.“ has legal, accounting and fiscal effect as of 1 December 2021.

“Corneliani S.p.A.“ has become the sole owner of the personal data collected and processed as part of the activities carried out by the two companies taking part in the operation, as well as the owner of the website www.corneliani.com (hereinafter, the “Website“), with the processing methods and purposes being unchanged.

Corneliani S.p.A. is aware of the importance of the data subject’s personal data (the subject using the website www.corneliani.com, hereinafter, the “User“) and therefore intends to inform and provide it with the greatest possible control over the management of the personal information collected through this Website in its capacity as the creator and promoter of the activities available at www.corneliani.com in accordance with the provisions of Article 13 of European Regulation no. 2016/679 on the protection of individuals with regard to the processing of personal data (hereinafter, the “Regulation“) regarding data collected through the Website.

Therefore, Corneliani S.p.A., as the new data controller (referred to hereinafter as “Corneliani“ or the “Data Controller“), hereby informs you, pursuant to and for the purposes of Article 13 of the Regulation, that the data you provide when accessing and interacting with the Website will be processed in accordance with the provisions of the notice below.

With regard to the data gathered via the Website:

a)   Corneliani S.p.A., with its legal headquarters at Via Durini n. 24, 20122, Milan (MI), VAT no. 11762610969, a share capital and reserves of € 13,500,000.00, enrolled in the Milan Monza Brianza Lodi Company Register with Economic and Administrative Index (REA) no. MI - 2623294, is the independent controller for the personal data collected through the Website;

b)   Drop S.r.l., with its legal headquarters at Via Sandro Pertini n. 1, Montegranaro (FM), VAT no. 01383870431, a share capital of € 100,000.00 fully paid up,  enrolled on the Fermo Company Register with Economic and Administrative Index (REA) no. FR-201713 (hereinafter, “Drop”) is the external supervisor for the processing that Corneliani is the Data Controller for;

c)   Your personal data will be processed by Drop as independent data controller for administrative and fiscal activities, implementing the security measures deemed most appropriate to ensure their protection in the processing and retention activities.  This policy does not refer to the processing of personal data by Drop, which is the independent controller of the processing, whose policy is available here.

d)   The Data Protection Officer (DPO) canbe contacted via the following email address: privacy@drop.it.

For any information regarding the Data Controller and for a complete and updated list of data supervisors,the User may contact Corneliani by writing to privacy@corneliani.it, by fax to +39 0376 304 308 or by post to the above address.

The personal data processed by the Data Controller (hereinafter, the “Personal Data“) are those provided by the User when browsing the Website during registration (such as, for example, their name, surname, e-mail address, username and password), when subscribing to services (such as, for example, Web Chat) that are made available by the Data Controller and/or when purchasing products made available by the Data Controller (such as, for example: their first name, surname, e-mail address, password, date of birth, gender, social media profile data, if the User registers on the Website through social media profiles, in addition to the data necessary in order to provide the online sales service such as, for example, payment data, billing and delivery address, telephone number).

The personal data is processed in order to carry out the following activities:

1. closing and executing the contract of sale for the products offered on the Website: the personal data provided will be used for the purposes of establishing, managing, executing and/or closing the on-line sales contract.

   The data provided will be processed by the Data Controller in order to process the purchase order with reference to, for example, payment, shipment, handling any returns, for customer service, for the performance of administrative and accounting purposes related to managing the order, for the fulfilment of obligations under current legislation.

   For credit card payments, the information required for the transaction (credit card holder, credit/debit card number, expiry date, security code) will be processed by Drop S.r.l. or, where appropriate, by companies responsible for anti-fraud control using a cryptographic protocol and without third parties being able to access it in any way. This information will never be displayed or stored by the Data Controller unless it is to carry out the procedures relating to the purchase and to issue the relevant refunds for any product returns after the User exercises their right of withdrawal or if necessary, to prevent or report any fraud on the Website to the police;

2. Website registration: if the User decides to register on the Website, their personal data will be processed by the Data Controller to register on the Website and to use the services intended for registered users only after express consent is provided.
   Particularly, when the User provides their name, surname, e-mail address, date of birth, sex and sets an access password, these will be used to create a personal account, to speed up the purchase process, to allow the User to view the status of their orders and receive updates on purchases made, to set and modify their own data and any “Preferences“ that will improve browsing, and to update the account, to view their returns history and requests to exchange goods, to save favourite items in the Basket.
   If the User registers for the Website or accesses it without being registered by means of a social media profile, providing their name, surname, email after giving express consent to perform actions via the User account, such information will be processed for the same purposes as above. In some cases, social media sites request some feedback and information regarding the use of logins. For further information, please refer to the corresponding privacy documentation on social media at HTTPS://IT-IT.FACEBOOK.COM/POLICY
3. marketing purposes following the purchase of a product on the Website (soft spam): if the User has purchased a product on the Website, their personal data will be processed in order to send promotional email communications about related products;
4. marketing, profiling and market research purposes: if the User decides to subscribe to the Website, only following free and specific optional consents, the personal data will be processed by the Data Controller to send commercial or promotional communications, for profiling activities or to analyse the preferences aimed at the creation of personalised content and offers as well as for market research purposes. These communications may be sent via email, SMS, MMS or Whatsapp.Please note that the processing for profiling purposes is partly automated and allows for clusters of users with similar purchase characteristics and preferences to be created in order to better target Corneliani's sale initiatives and proposals;
5. subscription to the Corneliani newsletter: if the User decides to subscribe to the Corneliani newsletter, and only after providing express consent, the personal data will be processed by the Data Controller to send commercial or promotional communications via email, for profiling activities or to analyse the preferences aimed at the creation of personalised content via email and offers as well as for market research purposes.
   In order to unsubscribe from the newsletter, you must flick on the unsubscribe link at the bottom of the email or by writing to the following address: privacy@corneliani.it;
6. Web Chat service: if the User browses or registers on the Website, the personal data will be processed by the Data Controller to send commercial or promotional communications, for profiling activities or to analyse the preferences aimed at the creation of personalised content and offers as well as for market research purposes via the Web Chat service.
7. sending CVs: if the User decides to submit their CV to the Website, the Data Controller will use the personal data in order to consider the User's profile for an application for an open vacancy.

The legal bases for data processing for the purposes of item 3) are:

• the provision of its services by the Controller, through the management of the Website - article 6(1)(c) of the Regulation;
• the formation, execution and possible termination of on-line sales contract between the parties and in the obligations connected to the said contract and/or directly and/or indirectly deriving from it - article 6(1)(b) of the Regulation;
• the consent of the data subjects to marketing and profiling - article 6(1)(a) of the Regulation;
• the management of requests from data subjects, including the processing of CVs for applications for open positions - article 6(1)(c) of the Regulation.

The personal data collected for the purposes referred to in point 3) above are processed using mainly computer and/or telematic methods and tools and with organisational and logical methods strictly related to the pursuit of the purposes stated in this statement, adopting security measures to minimise the risks of destruction or loss, including the accidental loss of the data, unauthorised access or processing that is not permitted or does not comply with the collection purposes stated in this notice.

However, due to the nature of the means of online transmission, such measures cannot fully limit or exclude any risk of unauthorised access or loss of data. To this end, it is advisable to periodically check that the computer is equipped with the appropriate software devices for the protection of incoming and outgoing network data transmission (such as up-to-date antivirus systems), and that the internet service provider has taken appropriate measures regarding network data transmission security (such as firewalls and spam filters).

The Data Controller undertakes to process the data in accordance with the principles of correctness, lawfulness and transparency, to collect the data to the extent which is necessary and accurate for the processing, and to allow for its use only by staff which are authorised for this purpose.

The personal data collected for the purposes referred to in point 3) above are provided directly by the User with the exception of the data collected when registering for or accessing the Site via a social media profile and the purchase data provided by Drop S.r.l. in the event that the User has given their consent to profiling.

Providing the personal data which is classified on the Website as “mandatory“ is strictly necessary for the activities referred to in point 3).
If the User refuses to provide the personal data classified on the website as “mandatory“, it will be impossible to perform the activities referred to in point 3)

Providing further data, other than what is stated on the website as “mandatory“ is, on the other hand, optional and has no consequences for the performance of the activities referred to in point 3) above.

Depending on the case and if necessary, the mandatory or optional nature of providing the data will be stated by the presence of an appropriate character (*) by the mandatory information.

The personal data is processed by the Data Controller, by the Data Controller’s staff and consultants (who will act as subjects authorised to conduct the processing), by the companies of the Group and by the relevant permanent establishments, as well as by companies that provide the Data Controller with specific technical and organisational services related to the Website and to the management of marketing, profiling and market research activities in their capacity as data processors or subjects authorised to conduct the processing, within the limits and for the purposes set out in point 3). More specifically, the personal data may be communicated to:

1. third parties, solely for the purpose of executing the contract for the purchase of products on the Website (the credit institution for the execution of remote electronic payment services by credit/debit card) and suppliers of services related to the sale (couriers, logistics companies), specifically appointed as data processors, to the extent strictly necessary for the performance of ancillary tasks;
2. law enforcement or judicial and/or administrative authorities, in accordance with the law and after a formal request by such entities, or if there are reasonable grounds to believe that the disclosure of such data is reasonably necessary to (1) investigate, prevent or take action regarding suspected illegal activities or to assist governmental law enforcement or supervisory authorities; (2) defend against any claims or allegations from third parties, or protect the security of its website and business; or (3) exercise or protect the rights, property, or safety of the Data Controller, its group companies, affiliates, customers, employees, or any other person;
3. public or private subjects who are able to access the personal data by virtue of the provisions of law, regulation or EU legislation, within the limits provided for by these rules.

The personal data will not be disclosed.

The personal data may be transferred to countries within the European Union and to countries outside the European Union for the purposes set out in point 3).
The personal data will be transferred to countries outside the European Union where the third countries offer an adequate level of data protection, as determined by the appropriate adequacy decisions made by the European Commission.
The personal data will only be transferred to countries outside the European Union in the absence of an adequacy decision by the European Commission where there are standard contractual clauses approved by the European Commission for the transfer of personal data or where there are Binding Corporate Rules (BCRs).
The User may request a copy of the data transferred to countries outside the European Union by writing to the following address: privacy@corneliani.it.

The personal data is stored in accordance with the following terms depending on its purpose:

• The personal data collected for the conclusion and execution of contracts of sale for the products on the Website: until the administrative and accounting formalities are concluded. Billing data is stored for 10 years from the invoice date. With specific reference to the personal data relating to payments: until the certification of the payment and the relevant administrative and accounting formalities following the expiry of the right of withdrawal and the terms applied to contest the payment have been concluded;
• Personal data relating to registration on the Website: until it is deleted from the Website;
• Personal data relating to subscription to the Corneliani Newsletter, the Web Chat service and soft spam): until the opt-out request is made by the User;
• Personal data relating to purchases that can be associated with the user for marketing and customer profiling purposes: as provided for by the decision of the Italian Privacy Authority of 2005, for 24 and 12 months, respectively;
• Personal data included in CVs: up to a maximum period of 6 months after sending the CV.

When the periods above expire, the personal data will be definitively deleted. This is without prejudice to cases where storage for a later period is necessary for litigation, requests by competent authorities or under applicable law.

The personal data will be handled and stored in archives or on servers located within the European Union owned by the Data Controller and/or third party companies appointed as Data Supervisors and, in any case, currently located in Italy.

By writing to the following address privacy@corneliani.it, you may exercise your rights with regard to the Controller at any time in accordance with the privacy legislation, as reproduced below.
The User is entitled to obtain confirmation as to whether or not personal data concerning them is being processed and, if so, to obtain access to the personal data and the following information:

• the purpose of the processing;
• categories of the personal data in question;
• recipients or categories of recipients to whom the personal data has been or will be disclosed, particularly if they are recipients in third countries or international organisations;
• where possible, the expected retention period of the personal data or, if this is not possible, the criteria used to determine that period;
• the User's right to ask the Data Controller to rectify or erase the personal data or to restrict the processing of the personal data concerning them or to object to it being processed;
• the right to submit a claim to a supervisory body;
• where the data is not collected from the User, all the information available about its origin;
• an automated decision-making process, particularly with regard to profiling, and, at least in such cases, meaningful information on the logic used as well as the importance and expected consequences of such processing for the User.

The User also has the right to:

• be informed of the existence of adequate safeguards pursuant to Article 46 GDPR relating to the transfer if the personal data is transferred to a third country or an international organisation;
• obtain a copy of the personal data subjected to processing;
• rectify any inaccurate personal data relating to them without undue delay in the cases referred to in Article 17(1) GDPR, by writing to the following address: privacy@corneliani.it;
• make additions to any incomplete personal data;
• delete any inaccurate personal data relating to them without undue delay;
• limit the processing in the cases referred to in Article 18, paragraph 1 of the GDPR;
• receive the personal data concerning them which is provided to a data controller in a structured, commonly used and machine-readable format and to transmit such data to another data controller without hindrance from the latter in the cases referred to in Article 20 of the GDPR; in order to exercise their right to take the data to other entities, the User must make an express request by writing to the following address: privacy@corneliani.it;
• object to the processing of the personal data relating to them, as well as profiling at any time on grounds relating to their particular situation;
• not be subjected to a decision which is based solely on automated processing, including profiling, and which produces legal effects concerning them or significantly affects them in a similar way.

The Controller reserves the right to make amendments to this policy at any time by advertising it to the User at www.corneliani.com. Please check this page often and take the last modification date found at the end of the document as a reference.

In the event of non-acceptance of the changes made to this policy, the User may request that the Data Controller delete their personal data.

Unless otherwise specified, the above notice will continue to be applicable to the personal data collected up to that point.