Privacy policy

PRIVACY POLICY

Privacy Policy art. 13 of EU Reg. 2016/679

In accordance with the commitment and care we devote to the protection of the personal data of our users and customers, we inform you below about the methods, purposes and scope of communication and dissemination of the personal data of the data subjects and their rights, in accordance with art. 13 of the GDPR.

Who is the Data Controller?

  The Data Controller of the personal data, collected and processed through this website, is the Company Giunti Editore S.p.A. – registered office in Via GB Pirelli 30 - 20124 Milan, operational headquarters in Via Bolognese 165 - 50139 Florence. CF 80009810484 e PI 03314600481, registered in the Milan Business Register with no. 132744 – it is possible to forward your privacy requests to the Data Controller by sending an email to: privacy@giunti.it.
Pursuant to Article 37 of the GDPR, the Data Controller has appointed its own Data Protection Officer or Data Protection Officer – Victoria Parise, Via Bolognese 165, Florence – and has set up an office for the management of requests relating to the privacy of its users and customers. To exercise the rights granted and requested, you can send an email to privacy@giunti.it.

The Giunti Group

Giunti Editore S.p.A., the Data Controller, manages, in certain cases, the information of its customers and users in joint controller with the companies of the Giunti Group, a publishing corporate group made up of companies subject to the management and coordination of the parent company that for years has considered the protection of personal data to be of fundamental importance. In other cases, the Group companies may disclose the personal information of the data subjects in their capacity as Data Processors under Article 28 of the GDPR, in particular for the performance of certain service activities (warehouse, accounting, etc.).  The companies of the Giunti Group act as joint controllers (art. 26 GDPR) with regard to communication and marketing activities, therefore Giunti Editore S.p.A.; Giunti Edu Srl; Editoriale Scienza Srl, Giunti al Punto Srl, Giunti Scuola Srl and Giunti Abbonamenti Srl act as joint controllers for the processing activities indicated.

 What are the purposes of the processing (purpose of data collection and management)

The Data Controller processes personal information provided by the User/Data Subject in order to allow navigation and registration to its websites and for the correct implementation of the functions or services made available from time to time and indicated on the site or in libraries or through other methods (e.g. smartphone apps) and in particular to allow:  online purchases or other web services made available by the Data Controller; purchase of GiftCards; subscription to the Giunti Group newsletter; subscription to the Giunti Card program; contact request for information (returns, cancellations, order changes, exercise of rights under the law, etc.); forwarding of requests for a job (e.g. work with us function); registration in the personal area of the site for online purchases (always optional); the processing takes place for the realization of the services offered at the bookstores or through the App and the consequent processing operations (administrative, accounting, tax and legal management) needs to collect some Personal Data of Customers/Users, as also indicated in the registration forms prepared, both paper and telematic, and always in compliance with the principles of relevance and limitation of processing to information,  also in accordance with the applicable legal requirements.

It follows that the personal data requested through the website or App are necessary for the pursuit of the following purposes:

  1. browsing the Data Controller's website (see also reference to the cookie policy);
  2. purchase of GiftCards (via website) or e-commerce products;
  3. registration to the Giunti Card program  (physical, via website or App);
  4. submission of job applications;
  5. request for information, contact, exercise of rights, including privacy by the interested parties;
  6. subscription to informative and commercial newsletters (marketing also at group level);
  7. profiled marketing on the basis of: browsing (see cookie policy), purchases, age, gender or place of residence if such information were provided with specific consent.

What are the legal bases of the processing that allow the Data Controller to process the data of users/Customers and what categories of data does the Data Controller process?

The Processing of Personal Data of Data Subjects (Customers/Users of the website/App/Libraries) has its own legal basis depending on the different purposes pursued and indicated above, in particular:

  1. navigation on  the Data Controller's website

The Data Controller necessarily processes some personal data of the interested parties to allow them to correctly navigate and view their website. In some cases, these data may also be collected indirectly – by means of electronic tools that allow web browsing (browsers, PCs, phones, tablets, etc.) – or they can be provided directly by the data subject himself (e.g. free, filling in forms for account creation, adhering to initiatives on supports, including paper, entering shipping address and/or invoicing in the case of purchases,  newsletter subscription, etc.).

With reference only to navigation on the site, the Data Controller may process the following categories of users' personal data.

Data collected through cookies, for more details, please refer to the information dedicated to cookies. In any case, we inform you that the cookies present on the site are necessary to proceed with a correct navigation so-called "cookies".  technical cookies, in the absence of them, a perfect display or navigation will not be guaranteed (e.g. from mobile phone, specific browser, etc.). the processing of personal data by means of technical cookies is possible even in the absence of consent according to the provisions of the Privacy Code art 122. For the use of any non-technical cookies (profiling and marketing, including third-party cookies), the provision of data is always optional and an explicit and specific consent of the data subject is required (e.g. which can be expressed through a special banner and modified from the dedicated menu). : non-personal data because they are anonymous for technical cookies; common personal data in the case of marketing and/or profiling cookies.
Legal basis: for non-technical cookies, the legal basis is the consent given by the data subject (Article 6, paragraph 1, letter a) of the GDPR), which is free, informed and specific, and which the data subject may revoke at any time, not only from the appropriate functions, but also by sending a written request to the Data Controller at the address: privacy@giunti.it and/or the link at the bottom of the e-mails that will be sent to the data subject. Such data will be processed with the application of security measures appropriate to the risk (art. 32 GDPR) and within the EU, by the Data Controller and by authorized parties pursuant to art. 28 GDPR or 2 quaterdecies of the  Privacy Code as reformed by Legislative Decree 101/18. The data will not be disclosed to other third parties in the absence of appropriate information and with the consent of the interested party. The data collected and processed for marketing purposes will also be known by the Joint Controllers (of the Giunti Editore Group). Duration of processing: for the execution of the purpose according to cookie policies. Third-party cookies: subject to consent, third-party cookies may also be installed, please refer to the above-mentioned cookie policy, in some cases it will also be possible that a transfer to third countries may take place (subject to consent).

  1. Purchase of products (via website)

The Data Controller provides Customers/Users with the opportunity to make online purchases  on its website. For the processing of Personal Data relating to purchases, the legal basis for the processing is the need for the Data Controller to execute the pre-contractual or contractual relationship to which the data subject is a party (Article 6(1)(b) of the GDPR) and the legal and tax regulations applicable to the purchase or service contract (Article 6(1)(c) of the GDPR). For the aforementioned purposes, the data will be requested and collected within the limits of what is strictly necessary to execute the contract and will not be processed by the Joint Data Controllers. Such data will be processed with the application of security measures appropriate to the risk (art. 32 GDPR) and within the EU, by the Data Controller and by authorized parties pursuant to art. 28 GDPR or 2 quaterdecies of the  Privacy Code as reformed by Legislative Decree 101/18. The data will not be disclosed to other third parties in the absence of appropriate information and with the consent of the interested party. Duration of processing: for the performance of the contractual purpose; Retention: within the terms provided for by law (tax and in terms of prescription of rights), generally 10 years from purchase.

It should be noted that the subjects who will provide installment payment services or provide alternative payment methods (Teachers' Card, Card 18, etc.) are Recipients of the data and therefore autonomous Data Controllers, these subjects will make an autonomous privacy policy by independently collecting the data of the Data Subjects.

  1. request for information, contact, exercise of rights, also in terms of privacy by the Data Subjects/Users

The Data Controller provides its Customers with a number of contact channels in order to provide: customer service and information requests. The processing concerns common categories of data such as name, surname, e-mail and reason for the contact request in order to process the request, the legal basis is art. 6 para. 1 lit. b) GDPR, i.e. the fulfilment of pre-contractual or contractual obligations.

  1. Subscription to informational and commercial newsletters (marketing purposes)

In the specific newsletter section, the interested party may provide his/her data optionally, subject to the provision of consent in order to receive periodic commercial communications concerning the activities or initiatives of the Data Controller and the Group Companies (Joint Data Controllers, as indicated at the top of this policy). The category of data processed for the above purposes is of a common type: e-mail (as the delivery address of communications)The legal basis is the consent freely given by the data subject pursuant to Article 6 paragraph 1 letter a) of the GDPR, and the processing of data will last until its revocation (by written request to the Data Controller privacy@giunti.it or via links at the bottom of email communications.). The personal data of the data subject will be processed with the application of security measures appropriate to the risk (art. 32 GDPR) and within the EU, by the Data Controller and by authorized subjects pursuant to art. 28 GDPR or 2 quaterdecies of the  Privacy Code as reformed by Legislative Decree 101/18.

Data communication and transfer outside the EU

The Data Controller, as indicated for each purpose, does not communicate the data to third parties and does not transfer the personal data of the data subjects to non-EU countries, except for any indications on third party suppliers of cookies as specifically indicated in the cookie policy and in any case such transfer will take place only under the required legal conditions and in specific cases subject to the specific consent of the data subject. The subjects who may know the personal data of the data subjects are subjects who carry out part of the Processing activities and/or activities connected and instrumental to them on behalf of the Data Controller or the Joint Data Controllers, and who are appointed pursuant to art. 28 GDPR (such as technical service providers, postal couriers, hosting providers, IT companies); individuals, employees and/or collaborators of the Data Controller or Joint Data Controllers, who have been entrusted with specific and/or more Processing activities on your Personal Data (they are also appointed pursuant to Article 2 quaterdecies of the  Privacy Code); when required by law or to prevent or suppress the commission of a crime, Personal Data may be disclosed to public bodies or judicial authorities. The updated list of Data Processors and Joint Data Controllers may be requested at any time from the Data Controller. This is without prejudice to transfers or communications to third parties that are carried out on the basis of appropriate information or consent.

Duration of processing and storage of personal data

The Data Controller, as indicated for each purpose and as provided for by art. 5 Letter e) of EU Regulation 2016/679 will process the data provided for the entire duration of the execution of the services/contracts requested/concluded and will keep them for the time necessary to comply with legal obligations, except for interruptions of the statute of limitations (10 years from the termination of the contractual relationship). If consent has been given for newsletters and/or in general for promotional and marketing purposes, including profiled, such consent is valid until its revocation, except for marketing activities related to the loyalty program as better indicated in the appropriate paragraph. Once the aforementioned terms have expired, the Data Controller and the Joint Data Controllers shall cancel them or transform them into anonymous form.

Rights of the data subject

The following rights are granted to data subjects: Articles 15 - "Right of access of the data subject", 16 - "Right to rectification", 17 - "Right to erasure", 18 - "Right to restriction of processing", 19 - "Obligation to notify in case of rectification or deletion of personal data or limitation of processing", 20 - "Right to data portability", 21 - "Right to object", 22 - "automated decision-making process relating to natural persons, including profiling" of the GDPR within the limits and under the conditions provided for by art. 12 GDPR. And it is always possible for the Data Subject (customer) to lodge a complaint (pursuant to Article 77 of the GDPR) with the Italian Data Protection Authority. To exercise these rights, it will be necessary to contact the Data Controller, with a written request, sent to the Data Controller or the DPO at the addresses indicated above. The Data Controller is required to respond to the Data Subject within 30 days of the request, except in the event of particular difficulties in processing the request or in the event of necessary additions.