Personal data management

Personal data management policy - Mondadori Group

The Mondadori Group, a corporate group consisting of companies subject to management and coordination in accordance with article 2359 of the Italian Civil Code of the parent company Arnoldo Mondadori Editore S.p.A. (hereinafter the “Mondadori Group”), has long considered the protection of the personal data of its existing and/or potential customers and users to be of fundamental importance, ensuring that the processing of personal data, carried out by any means, whether automated or manual, is done in full compliance with the safeguards and rights recognised by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the “Regulation“) and other applicable legislation on the protection of personal data.

Pursuant to article 4(1) of the Regulation personal data means “any information relating to an identified or identifiable natural person; identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (hereinafter “Personal Data”). In pursuance of Mondadori Group’s objectives, it may learn of or request that you provide certain personal data such as your full name, your email address, your telephone number and postal address, your tax identification number or your VAT number, your date of birth and other data that could render you personally identifiable.

The Regulation requires that before personal data may be subject to processing – defined under article 4(2) of the Regulation as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” (hereinafter “Processing”) – the data subject must be informed about the purposes of the processing, the methods of processing as well as lots of other information required by law.

In this respect, the purpose of this page on the website www.mondadorigroup.com is to give you more information, in a simple and user-friendly manner, in addition to that contained in the specific privacy policies issued pursuant to article 13 of the Regulation when communicating and collecting your personal data.

This website page has been prepared on the basis of the principle of transparency and contains all of the elements required by articles 13 and 14 of the Regulation. This page is divided into different sections (hereinafter “Sections” or individually “Section”). Each section deals with one specific issue which makes for simple, straight-forward and intuitive reading (to simplify matters, these sections will be referred to as the “Policy”).

The following companies of the Mondadori Group will process your personal data on an independent or joint basis, depending on one or more of the purposes (such as those mentioned in Section D of this Policy) reported in a specific disclosure that you will be given during the collection of personal data:

  • Arnoldo Mondadori Editore S.p.A. with registered office at Via Bianca di Savoia 12, 20122 – Milan and administrative office at Via Mondadori 1, 20090 – Segrate (MI), registered at the Companies’ Register of Milan, Tax Code no. 07012130584 and VAT no. 08386600152
  • Mondadori Libri S.p.A. with registered office at Via Bianca di Savoia 12, 20122 – Milan and administrative office at Via Mondadori 1, 20090 – Segrate (MI), registered at the Companies’ Register of Milan, Tax Code and VAT no. 08856650968
  • Mondadori Education S.p.A. with registered office at Via Bianca di Savoia 12, 20122 – Milan, administrative office at Via Mondadori 1, 20090 – Segrate (MI) and operative office Via Rivoltana 2D, 20090, registered at the Companies’ Register of Milan, Tax Code and VAT no. 03261490969
  • Rizzoli Education S.p.A. with registered office at Via Bianca di Savoia 12, 20122 – Milan, administrative office at Via Mondadori 1, 20090 – Segrate (MI) and operative office Via Rivoltana 2D, 20090, registered at the Companies’ Register of Milan, Tax Code and VAT no. 05877160159
  • Giulio Einaudi Editore S.p.A. with registered office at Via U. Biancamano 2, 10121 – Turin (TO), registered at the Companies’ Register of Turin, Tax Code no. 08367150151 and VAT Code no. 07022140011
  • Electa S.p.A. with registered office at Via Bianca di Savoia 12, 20122 – Milan, administrative and operative office at Via Mondadori 1, 20090 – Segrate (MI), registered at the Companies’ Register of Milan, Tax Code no. 01829090123 and VAT no. 09671010156
  • Mondadori Media S.p.A. with registered office at Via Bianca di Savoia 12, 20122 – Milan and administrative office at Via Mondadori 1, 20090 – Segrate (MI), registered at the Companies’ Register of Milan, Tax Code and VAT no. 08009080964
  • Mondadori Retail S.p.A. with registered office at Via Bianca di Savoia 12, 20122 – Milan and administrative office at Via Mondadori 1, 20090 – Segrate (MI), registered at the Companies’ Register of Milan, Tax Code no. 00212560239 and VAT no. 11022370156
  • Mondadori Scienza S.p.A. with registered office at Via Bianca di Savoia 12, 20122 – Milan and administrative office at Via Mondadori 1, 20090 – Segrate (MI), registered at the Companies’ Register of Milan, Tax Code and VAT no. 09440000157
  • Press-Di Distribuzione Stampa e Multimedia S.r.l. with registered office at Via Bianca di Savoia 12, 20122 – Milan and administrative office at Via Mondadori 1, 20090 – Segrate (MI), registered at the Companies’ Register of Milan, Tax Code and VAT no. 03864370964
  • Direct Channel S.p.A. with registered office at Via Bianca di Savoia 12, 20122 – Milan and administrative office at Via Mondadori 1, 20090 – Segrate (MI), registered at the Companies’ Register of Milan, Tax Code and VAT no. 08696660151
  • Adkaora S.r.l. with registered office at Via Bianca di Savoia 12, 20122 – Milan and administrative office at Via Mondadori 1, 20090 – Segrate (MI), registered at the Companies’ Register of Milan, Tax Code and VAT no. 08105480969

The above companies may act as the controller, defined in article 4(7) of the Regulation as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data” or, in specific cases act as joint controller which under article 26 of the Regulation is defined as “two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers”. For the purposes of this Policy, each company mentioned above will be defined individually as the “Controller” or jointly as the “Joint controllers”.

You may contact the Controller or the Joint controllers as follows:

  • by writing to the Mondadori Group Privacy Office at the parent company Arnoldo Mondadori Editore S.p.A., Via Mondadori 1, 20090 – Segrate (Milan);
  • by sending an e-mail to privacy@mondadori.it to the attention of the Mondadori Group Privacy Office;
  • by calling +39 02 75421 and asking to speak with Privacy Office of the Mondadori Group.

To facilitate dealings between you and each Controller, the Mondadori Group decided to adopt and designate a Data Protection Officer as provided for articles 37-39 of the Regulation. According to the Regulation and guidelines adopted by the Article 29 Working Party (Art. 29 WP) – a group made up of representatives from the data protection authorities in the European Union, established under the Directive 95/46/EC and currently replaced by the European Data Protection Board (EDPB) pursuant to article 68 of GDPR – the DPO must be designated on the basis of professional qualities and perform their duties in an independent manner. You can contact the DPO of the Mondadori Group in writing by email at dpo@mondadori.it and/or in writing by post to the Data Protection Officer of the Mondadori Group at Arnoldo Mondadori Editore S.p.A, via Mondadori 1, 20090 – Segrate (MI)  (hereinafter the “DPO”). The tasks of the DPO are:

  • to inform and advise the Controller, the Joint Controllers, the processor and the employees who carry out processing of their obligations pursuant to the Regulation and to other Union or Member State data protection provisions;
  • to monitor compliance with the Regulation, applicable regulations on the protection of Personal Data and the policies and procedures adopted by the Controller and the Joint Controllers;
  • to provide support for the management of Data Subject’s requests;
  • to cooperate with the Garante per la Protezione dei Dati Personali or other competent supervisory authority.

Each Controller, with the exception of those specific cases provided below for joint controllers, may process your Personal Data for the following purposes:

  • registration to websites: In order to complete your registration process to one or more of the Controller’s websites, the Controller needs to collect some of your Personal Data, as requested in the specific data collection form. Your personal data will be processed by the Controller so that you will then be able to access your profile, take part in the initiatives available through the website, receive online newsletters and take advantage of all the other services offered from time to time.
    Legal basis and lawfulness of processing: contractual legal basis pursuant to article 6, point (b) of the Regulation. The legal basis for the processing of your Personal Data is the contractual relationship that will be created between you and the Controller as a result of your acceptance of the terms and conditions of the specific website;
  • subscriptions or the purchase of products and/or services: the Controller, in order to allow you to subscribe to one or more of its magazines and/or to purchase its products and/or services, needs to collect some of your personal data, as requested in the subscription form or purchase order form.
    Legal basis and lawfulness of processing: contractual legal basis pursuant to article 6, point (b) of the Regulation – your Personal Data will be processed by the Controller so that you will be able to receive what you requested and purchased. The legal basis for processing is the contractual relationship that will be created between you and the Controller;
  • participation in events: In order to allow you to participate in one of the events organised by the Controller, it needs to collect some of your Personal Data, as requested in the event registration form/module.
    Legal basis and lawfulness of processing: contractual legal basis pursuant to article 6, point (b) of the Regulation – your Personal Data will be processed by the Controller to sign you up to the event and ensure your participation. The legal basis for processing is the contractual relationship that will be created between you and the Controller;
  • participation in sweepstakes, giveaways or contests: In order for you to participate in any of the sweepstakes, giveaways or contests organised by the Controller, it needs to collect some of your Personal Data, as requested in the entry form/module.
    Legal basis and lawfulness of processing: contractual legal basis pursuant to article 6, point (b) of the Regulation – your Personal Data will be processed by the Controller to allow you to participate in the sweepstakes, giveaway or contest. The legal basis for processing is the contractual relationship that will be created between you and the Controller as a result of your acceptance of the rules and regulations of the sweepstakes, giveaway or contest;
  • request for information: For the Controller to respond to your request for information that it receives by means of one of the methods on its websites, it needs to process some of your Personal Data as requested in the collection form and/or voluntarily provided by you.
    Legal basis and lawfulness of processing: pre-contractual legal basis pursuant to article 6, point (b) of the Regulation – your Personal data will be processed by the Controller to respond to your request for information. The legal basis for processing is therefore the pre-contractual relationship that will be created between you and the Controller;
  • partnership or affiliation requests: In order for the Controller to respond to your request for partnership or affiliation including, but not limited to a request to open a bookstore franchise, a “Focus Junior” play lab or a “Sale e Pepe” cooking school, etc., it needs to collect some of your Personal Data, as requested in the request for information form.
    Legal basis and lawfulness of processing: pre-contractual legal basis pursuant to article 6, point (b) of the Regulation – your Personal data will be processed by the Controller to respond to your request for information. The legal basis for processing is therefore the pre-contractual relationship that will be created between you and the Controller;
  • access to company premises: in order for you to receive permission to enter the company offices of the Mondadori Group, the Controller needs to collect some of your Personal Data, as requested by the receptionist.
    Legal basis and lawfulness of processing: legitimate interest pursuant to article 6, point (f) of the Regulation – your Personal Data will be processed by the Controller and the legal basis for processing is the legitimate interest of the Controller to safeguard and protect its offices and corporate assets and its employees and contractors;
  • video surveillance activities: The Controller uses surveillance cameras at its company offices to capture videos of the people entering the field of view of each video surveillance camera in order to protect its corporate assets, employees and contractors;
    Legal basis and lawfulness of processing: legitimate interest pursuant to article 6, point (f) of the Regulation – your Personal Data will be processed by the Controller and the legal basis for processing is the legitimate interest of the Controller to safeguard and protect its offices and corporate assets and its employees and contractors;
  • execution of contract documents: in order to continue the contractual relationship between you and the Controller as well as to fulfil the related obligations, the Controller needs to collect and process some of your Personal Data as requested in each contractual document;
    Legal basis and lawfulness of processing: contractual legal basis pursuant to article 6, point (b) of the Regulation – your Personal Data will be processed by the Controller to proceed with the signing of each contractual document. The legal basis for processing is the contractual relationship that will be created between you and the Controller;
  • fulfilment of legal obligations: il Titolare del Trattamento, al fine di adempiere ad obblighi di legge, ha necessità di raccogliere e trattare alcuni tuoi Dati Personali così come, di volta in volta, richiesti da specifiche norme di legge;
    Legal basis and lawfulness of processing: the Controller needs to collect and process some of your Personal Data as and when required by specific laws in order to fulfil legal obligations;
  • employee selection process: the Controller needs to process your Personal Data in your Curriculum Vitae and/or in the specific form provided by the Controller, so that it can proceed with the employee selection process and properly evaluate whether your application is for a specific job or is a speculative application.
    Legal basis and lawfulness of processing: pre-contractual legal basis pursuant to article 6, point (b) of the Regulation – your Personal data will be processed by the Controller to evaluate your application. The legal basis for processing is therefore the pre-contractual relationship that will be created between you and the Controller;
  • establishment and management of employment or professional cooperation relationships: to establish and manage an employment or professional cooperation relationship, the Controller needs to collect some of your Personal Data, as requested in the employment contract or cooperation agreement. Your Personal Data will be processed by the Controller;
    Legal basis and lawfulness of processing: contractual legal basis pursuant to article 6, point (b) of the Regulation – your Personal Data will be processed by the Controller to proceed with the establishment and management of your employment or professional cooperation relationship with the Controller. The legal basis for processing is therefore the employment or professional cooperation relationship that will be created between you and the Controller;
  • direct marketing: the communication of any advertising or marketing material carried out by the Controller directed to you. This category includes all activities carried out to promote products, services sold and/or distributed by the Controller;
    Legal basis and lawfulness of processing: legitimate interest pursuant to article 6, point (f) of the Regulation – Your personal data will be processed by the Controller. The legal basis for processing is the legitimate interest of the Controller to promote its products and services, irrespective of the request for your consent and in any case until you object to such processing as better explained in recital 47 of the Regulation where “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. This will be possible following the evaluations carried out by the Controller to determine whether your interests, rights and fundamental freedoms which require the protection of Personal Data prevail on the Controller’s legitimate interest to send direct marketing communications. The reason of such interpretation shall be found in your interest expressed towards Data Controller by establishing a relationship with this latter;
  • indirect marketing: the communication of any advertising and/or marketing material carried out by third parties on behalf of the Controller directed to you. This category includes all activities carried out to promote products, services sold and/or distributed by third parties with which the Controller maintain legal relationships without the communication of data.
    Legal basis and lawfulness of processing: data subject’s consent pursuant to article 6, point (a) of the Regulation – Your Personal Data will be processed by the Controller and the legal basis for processing is your free, express and unambiguous consent;
  • profiling: profiling is carried out by the Controller for the purpose of analysing your personal tastes, preferences, and consumer behaviour also as part of market surveys and statistical analyses. This category includes any form of automated processing of personal data to evaluate certain personal aspects including, but not limited to a person’s performance at work, economic situation, personal preferences, interests, reliability, behaviour, location or movements;
    Legal basis and lawfulness of processing: data subject’s consent pursuant to article 6, point (a) of the Regulation – Your Personal Data will be processed by the Controller and the legal basis for processing is your free, express and unambiguous consent;
  • disclosure of information to third parties for marketing purposes: the Controller has the right to disclose information to specifically identified third parties indicated in the Policy provided, where necessary and required, so that these entities may process your Personal Data for their commercial and marketing purposes;
    Legal basis and lawfulness of processing: data subject’s consent pursuant to article 6, point (a) of the Regulation – Your Personal Data will be processed by the Controller and the legal basis for processing is your free, express and unambiguous consent.

The above purposes for processing should be considered as non-exhaustive examples since the Mondadori Group, based on the principle of transparency in relation to the data subject required by the Regulation, has adopted an approach whereby your Personal Data will be processed for the specific purposes explained to you in the policy, in short and/or long form, you will be given before the collection of your Personal Data or within the time limits set out in article 14, paragraph 3, of the Regulation.

The contact methods for direct or indirect marketing and profiling may include the use of automated means (email) or conventional means (where allowed, live calls, material sent by post). At any rate, and as specified in Section H below, you have the right to withdraw your consent, even partially, for example by only agreeing to conventional contact methods.

As regards contact methods which involve the use of your telephone contacts, please note that marketing by companies acting as Joint Controllers will be carried out after checking whether you are registered in the Robinson List (Registro delle Opposizioni), established pursuant to Presidential Decree no. 178 of 7 September 2010, as amended.

With a view to improving the functionality of specific processing activities in the interest of our customers/users and our objectives, all companies in the Mondadori Group as identified in Section B of this policy, on 2 May 2018 entered into a joint controller agreement in accordance with article 26 of the Regulation. Under this agreement each company has agreed to act jointly for (i) the selection of personnel, (ii) direct marketing, (iii) indirect marketing, and (iv) profiling purposes. For these purposes, the Joint Controllers also jointly determined the methods of processing and defined, in a clear and transparent manner, the procedures to provide you with timely feedback should you wish to exercise your rights, as provided for in articles 15, 16, 17, 18 and 21 of the Regulation as well as in cases of Personal Data portability as provided for in article 20 of the Regulation, which is described in detail in Section I of this Policy.

On 2 may 2018, the companies Mondadori Education S.p.A and Rizzoli Education S.p.A also signed an additional joint controller agreement, in accordance with article 26 of the Regulation, with which they have agreed to act jointly for the following purposes: management of the online platforms at www.hubscuola.it and www.scuolaoggidomani.it.

In order to ensure the proper management and performance of the joint controller agreements, the companies acting as Joint Controllers identified the parent company Arnoldo Mondadori Editore S.p.A as the entity tasked with specific processing activities by appointing it as Processor in accordance with article 28 of the Regulation, by means of signing a separate written agreement.

Your Personal Data may be disclosed to specific parties regarded as recipients of such Personal Data; a recipient is understood as a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.

In this context, in order to properly carry out all of processing activities necessary to fulfil the purposes set out in this Policy, the following recipients may find themselves in a position where they need to process your Personal Data:

  • third parties which perform part of the Processing and/or activities connected with or instrumental to the processing on behalf of the Controller or Joint Controller. These parties have been appointed as processors, i.e. a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller;
  • individuals employed by and/or contracted by the Controller or Joint Controllers, who have been assigned one or more activities relating to the processing of your Personal Data. These individuals have been given specific instructions concerning the security and correct use of Personal Data and are defined as persons who, under the direct authority of the Controller or Processor, are authorised to process Personal Data;
  • third parties which carry out Processing activities and/or activities connected with or instrumental to the Processing acting as autonomous data controllers, including but not limited to consulting companies, consultants, banks and financial institutions, insurance companies, external companies and/or companies belonging to the Mondadori Group;
  • where required by law or to prevent or suppress the commission of an offence, your Personal Data may be disclosed to public bodies or to the courts without them being regarded as Recipients. According to the regulation, public authorities which may receive personal data in the framework of a particular inquiry in accordance with the European Union or Member State law shall not be regarded as recipients.

One of the principles that applies to the processing of your Personal Data concerns limited storage periods, regulated by article 5, paragraph 1, point (e) of the Regulation which states “Personal Data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject”.

In the light of this principle, your Personal Data will be processed by the Controller for no longer than is needed for the purposes set out in Section D of this Policy. Specifically, the period for which your personal data will be limited to the strict minimum, as indicated in Recital 39 of the Regulation, i.e., where the legal basis for the Processing is a contract entered into by and between you and the Controller, up to ten years after the termination of the contractual relationship between you and the Controller, although further retention may be required or allowed by law, as provided for in Recital 65 of the Regulation.

As regards the processing carried out for the purposes laid down in this Policy for which a consent has been sought, the Joint Controllers may lawfully process your Personal Data until you communicate, using one of the methods provided for in this Policy, your wish to withdraw consent to one or all the purposes for which it was requested. Should you withdraw your consent, the Joint Controller companies will be required to immediately stop processing your Personal Data for such purposes.

In accordance with the Regulation, if you have given your consent to the processing of your Personal Data for one or more of the purposes for which it was sought, you may, at any time, withdraw it, in whole or in part, without affecting the lawfulness of Processing based on consent given before its withdrawal.

Moreover, you may object at any time to the Processing of your Personal Data, where:

a) your Personal Data are processed for direct marketing purposes, including profiling to the extent that it is related to such direct marketing;

b) the Processing is based on the legitimate interests of the Controller, the Joint Controllers or third parties, on grounds relating to your particular situation, unless the Controller and/or the Joint Controllers demonstrate compelling legitimate grounds for the Processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

The procedure to withdraw consent and exercise your right to object is very simple and straightforward: you only have to contact the Controller and/or the Joint Controllers and/or the DPO by means of the contact channels provided in Section C of this Policy and .

In addition to the above and to keep things simple, if you happen to receive advertising emails from the Joint Controllers that are no longer of interest to you, simply click on the unsubscribe button at the bottom to longer receive no further communication or, if there is no button, via the additional contact channels made available by the Controller or by the Joint Controllers.

In accordance with the Regulation, you may exercise the following rights at any time, vis-à-vis the Controller and/or the Joint Controllers:

Right of access: pursuant to article 15 of the Regulation, you have the right to obtain from the Controller and/or the Joint Controllers confirmation as to whether or not your Personal Data are being processed, and, where that is the case, obtain access to the Personal Data and the following information: a) the purposes of the processing; b) the categories of Personal Data concerned; c) the Recipients or categories of Recipient to whom the personal data have been or will be disclosed, in particular Recipients in third countries or international organisations; d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; e) the existence of the right to request from the Controller and/or the Joint Controllers rectification or erasure of Personal Data or restriction of processing of personal data concerning the data subject or to object to such processing; f) the right to lodge a complaint with a supervisory authority; g) where the Personal Data are not collected from the data subject, any available information as to their source; h) the existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Processing for the Data Subject . All this information can be found in this Policy that will always be available in the Privacy section of each of the websites.

Right to rectification: you have the right to obtain, pursuant to article 16 of the Regulation, the rectification of your inaccurate Personal Data. Taking into account the purposes of the Processing, you also have the right to have incomplete Personal Data completed, including by means of providing a supplementary statement.

Right to erasure: you have the right to obtain, pursuant to Article 17 of the Regulation, the erasure of your personal data without undue delay and the Controller and/or the Joint Controllers shall erase your Personal Data where one of the following grounds applies: a) the Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; b) you have withdrawn consent on which the Processing of your Personal Data is based, and where there is no other legal ground for the Processing; c) you have objected to the Processing pursuant to Article 21(1) or (2) of the Regulation and there are no overriding legitimate grounds for the Processing of your Personal Data; d) your Personal Data have been unlawfully processed; e) your personal data have to be erased for compliance with a legal obligation in the European Union or Member State law to which the Controller and/or the Joint Controllers are subject. In certain cases, as provided for in Article 17(3) of the Regulation, the Controller and/or the Joint Controllers are entitled not to erase your Personal Data if their Processing is necessary, for instance, for exercising the right of freedom of expression and information; for compliance with a legal obligation; for reasons of public interest; for archiving, scientific or historical research purposes in the public interest; or for the establishment, exercise or defence of legal claims.

Right to restriction of processing: you have the right to obtain, under Article 18 of the Regulation, from the Controller and/or the Joint Controllers restriction of Processing where one of the following applies: a) you have contested the accuracy of your Personal Data (the restriction will be for a period enabling the Controller and/or the Joint Controllers to verify the accuracy of the Personal Data); b) the Processing is unlawful but you oppose the erasure of your Personal Data and request that their use be restricted instead; c) although the Controller and/or the Joint Controllers no longer need them for the purposes of the Processing, your Personal Data are required for the establishment, exercise or defence of legal claims; d) you have objected to the Processing under Article 21(1) of the Regulation pending verification whether the legitimate grounds of the Controller and/or the Joint Controllers override your own. If the Processing is restricted your Personal Data will, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for important reasons of public interest. We will in any case inform you before the restriction of processing has been lifted.

Right to data portability: under Article 20(1) of the Regulation you have the right at any time to ask for and receive all your Personal Data processed by the Controller and/or by the Joint Controllers in a structured, commonly used and machine-readable format or to ask for it to be transmitted to another controller without hindrance. In this case you will need to provide us with full and accurate details of the new controller to which you would like your Personal Data to be transferred, and to give us your authorization in writing.

Right to object: under Article 21of the Regulation, you have the right to object at any time to the Processing of your Personal Data a) if they are processed for purposes of direct marketing, including profiling to the extent that it is related to such direct marketing, or b) on grounds relating to your particular situation, if the Processing is based on the legitimate interests of the Controller, the Joint Controllers or third parties, unless the Controller and/or the Joint Controllers demonstrate compelling legitimate grounds for the Processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

To exercise any of the above rights, you may simply contact the Controller and/or the Joint Controller using the channels provided for in Section B of this Policy.

Please note that can also contact the Mondadori Group’s DPO at any time, as explained in Section C of this Policy.

You also have the right to lodge a complaint with a supervisory authority: without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the competent Data Protection Authority if you believe that the processing of your personal data by the Controller and/or Joint Controllers is in violation of the Regulation and/or applicable law.

Your Personal Data will be processed by the Controller and/or by the Joint Controllers within the European Union.

In case for technical and/or operational issues, it is necessary to rely on entities outside the European Union, those entities, where they process Personal Data on behalf of the Controller and/or the Joint Controllers, will be appointed as Processors pursuant to Article 28 of the Regulation and the transfer of your Personal Data to those entities, which will be limited to the performance of specific Processing activities, will be performed in accordance with the provisions of Chapter V of the Regulation. All necessary safeguards will be taken to guarantee the highest degree of protection of your Personal Data, since the transfer will be based on: (a) adequacy decisions by the European Commission with regard to the third country; (b) standard contractual clauses provided for by the European Commision; (c) the adoption of binding corporate rules.

In any case, you can ask the Controller and/or Joint Controller for further details whenever your Personal Data have been processed outside the European Union, by asking for evidence of the specific safeguards in place.