Privacy Statement Pursuant to Articles 13 and 14 of Reg. (EU) 2016/679 ("GDPR")

Please find below the information required by the GDPR concerning the processing of personal data provided as part of the registration to the B2B e-commerce website “Gift Card Store” (“Site”) and the use of the related services, as better defined in the relative general terms and conditions.

The data subjects to whom the personal data refer are hereinafter referred to as “data subjects“ or, individually, ”data subject“.

The information on the processing of the browsing data of the data subjects who browse the Site and those relating to the use of cookies can be consulted in the privacy and cookie policy made available in the cookie banner that appears at first access and in the footer of the Site.

1. Identity and contact details of the Controller

The Controller is Amilon Srl, Tax ID and VAT number 05921090964, with registered office in via Natale Battaglia 12, Milan, e-mail address [email protected] (“Amilon” or “Controller”).

2. Contact details of the data protection officer (DPO)

The DPO can be contacted at the e-mail address [email protected].

3. Categories and source of the data processed

  1. Data processed: common data (e.g. name and surname, e-mail address, phone number) of natural persons referable to the legal person to be registered on the Site, whether it is the legal representative or another person duly authorized for this purpose, as well as company contact persons
  2. Data source: the data are provided directly by the Data Subjects or, as in the case of company contacts, by the person who registers on the Site and uses its services.

4. Purpose of the processing, legal bases and data retention periods The data are processed in order to:

  1. allow registration on the Site and use of the related services. The legal basis for such processing is the performance of a contract to which the data subject is a party as far as the data of the legal representative is concerned, whereas, as far as the data of the company contact person is concerned, the legal basis is the legitimate interest of the Controller and of third parties. Therefore, the data will be kept for the entire duration of the contractual relationship and, as an ordinary limitation period, for the following 10 years;
  2. keep the data relating to the credit card used for purchases on the Site and, therefore, facilitate the execution of further purchase transactions. In this case, the legal basis of the processing is the consent of the data subject. The data will be kept until the expiry date of the card, without prejudice to the right of the data subject to request deletion of the data at any time;
  3. fulfil administrative and accounting, tax and other legal obligations, in compliance with the requirements of current legislation (for ex. invoicing obligations). The legal basis for this processing is the fulfilment of a legal obligation to which the Controller is subject. Therefore, the data will be kept for 10 years, which is the general ten-year retention period prescribed by law;
  4. if necessary, to ascertain, exercise or defend the rights of Amilon. The legal basis of this processing is the pursuit of a legitimate interest of the Controller. Therefore, the data will be retained for the duration of the litigation, until the time limits for appeals have expired;
  5. send – to the email address provided by the user – promotional communications relating to products sold by Amilon similar to the ones on sale on the Site (for ex. relating to a new gift card added to the catalogue or to a given discount applied on the gift cards of a brand on the Site). The legal basis of the processing for such purposes is the so called “soft spam”, referred to in art. 130, c.4 of the Legislative Decree 196/2003 (“Privacy Code”). The data will be kept until the consent is revoked by the data subject (by clicking on the "unsubscribe" link present in each communication).
  6. to carry out profiled marketing activities, i.e. the creation of a profile of the data subject on the basis of the data provided (upon registration and purchase), combined with the browsing data (obtained, specifically, from the online consultation of given sections/products of the Site) collected via cookies, enabling Amilon to create tailored promotional communications and/or online contents. The legal basis of the processing for such purposes is the consent of the data subject. The data will be kept for 3 years, without prejudice to the data subject's right to object (by clicking on the "unsubscribe" link present in each communication) or the withdrawal of the consent.

After the above-mentioned retention periods have elapsed, the data will be destroyed, deleted or anonymised, compatibly with the time required for technical deletion and backup.

5. Provision of data

The provision of data is necessary for registration on the Site and the use of the services it provides; therefore, failure to provide

such data will make it impossible for Data Subjects to register and use the services offered by Amilon on the Site.

6. Categories of data recipients

The data may be disclosed to third parties operating as independent controllers, such as public authorities and professional firms, which are entitled to receive them.

The data may also be processed, on behalf of the Controller, by third parties designated as data processors pursuant to Article 28 of the GDPR, who carry out activities that serve the aforementioned purposes (e.g. IT service providers, customer care and marketing).

The data are also processed by Amilon employees - belonging to the corporate departments in charge of pursuing the above- mentioned purposes - who have been expressly authorised to process the data and have received adequate operational instructions.

7. Rights of the data subjects

Data subjects may exercise the rights referred to in articles 15-22 of the GDPR, by sending a communication to the contact points indicated in par. 1.

In particular, data subjects may obtain confirmation from the Controller whether or not the processing of personal data concerning them is in progress and, if so, access to the same and to the information referred to in Article 15, the rectification of inaccurate data, integration of incomplete data, deletion of data in the cases referred to in Article 17, and restriction of processing in the cases referred to in Article 18 of the GDPR. They may also object, on grounds relating to their particular situation, to processing carried out in the legitimate interests of the data controller; furthermore, where processing is based on consent or on a contract and is carried out by automated means, they may request to receive the data in a structured, commonly used and machine-readable format and, if technically feasible, to transmit them to another data controller without hindrance (“right to portability”).

Data subjects may, at any time, revoke the consent given and oppose the processing for direct marketing purposes (by clicking on the "unsubscribe" link present in each communication).

In any case, data subjects have the right to lodge a complaint with the competent supervisory authority in the Member State in which they usually reside or work or in the State in which the alleged violation has occurred.