EU Regulation 2016/679 provides protection of natural persons with regard to the processing of personal data and the free movement of such data. The processing of personal data should therefore be based on the principles of correctness, lawfulness, transparency and the protection of privacy and rights.

It should be noted that although GC Group S.p.A. (hereinafter the Company) is committed to providing users with the highest level of personal data protection, unauthorized third-party access to personal data cannot be guaranteed.

However, if personal data are no longer necessary for the aforementioned purposes, the Company shall securely erase the data or make it non-identifiable.

This privacy notice, and the policy regarding data processing, applies generally to all situations in which GC Group S.p.A. collects, stores, processes, uses, disseminates, or transfers personal information, whether electronically or on paper.

This privacy notice does not replace or modify any other disclosures or statements concerning the protection of personal information that apply to data, collected or used by GC Group S.p.A., as part of this specific relationship.

The privacy notice does not concern the website www.giannichiarini.com and the links in that site or those that may be accessed by users of the aforesaid site and does not extend to services provided by other companies operating on their own behalf and independently of GC Group S.p.A., such as franchisees and licensees, or when sharing personal information on social media or other online platforms owned and operated by other companies.

GC Group S.p.A. shall therefore not be under any liability for the processing of data by third parties not included in this policy.

The Company therefore recommends that you carefully read the specific information and cookie policy of third parties as they might differ from the present notice, and to contact the respective third party controller should there be any doubts regarding personal data processing.

Personal data is information that directly or indirectly identifies or renders a natural person identifiable and can provide information about his or her characteristics, habits, lifestyle, personal relationships, health status, economic situation, and other matters.

In relation to EU Regulation 2016/679, the following clarifications are provided:

✓   Pursuant to Article 4, para. 1), point 1) "personal data" refers to any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is defined as a natural person who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of a natural person;

✓   Pursuant to Article 4, para.1), point 2), "processing" refers to any operation or set of operations performed upon personal data or upon sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available alignment or combination, restriction, erasure or destruction of such personal data;

✓   Pursuant to Article 4, para. 1), point 4), "profiling" refers to any form of automated processing of personal data involving the use of such personal data to evaluate specific personal aspects relating to a natural person, in particular to analyze or predict aspects concerning the natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements;

✓   Pursuant to Article 4, para. 1), point 7), the "data controller" is defined as the natural or legal person, public authority, agency or other body who alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such data processing are determined by Union or Member State law, the data controller or the specific criteria for its nomination may be provided for by Union or Member State law;

✓   Pursuant to Article 4, para. 1), point 8), the "processor" is defined as the natural or legal person, public authority, agency or other body that processes personal data on behalf of the data controller;

✓   Pursuant to Article 4, para.1), point 9), the "recipient" is the natural or legal person, public authority, agency or any other body to whom the personal data is disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of the data by the aforesaid public authorities shall be in compliance with the applicable data protection rules according to the purposes of data processing;

✓   Pursuant to Article 4, para. 1), point 10), the "third party" refers to the natural or legal person, public authority, agency or body other than the data subject, the data controller, the data processor and persons who, under the direct authority of the data controller or processor, are authorized to process personal data;

✓   Pursuant to Article 4, para. 1), point 11), the "consent of the data subject" refers to any freely given, specific, informed and unambiguous indication of the data subject's wishes, by which he or she, by means of a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

✓   Pursuant to Article 4, para. 1), point 12), a "Personal data breach" is defined as a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to, personal data transmitted, stored, or otherwise processed.

The data controller of the data is GC Group S.p.A., with headquarters at Via Pistoiese 245/1 - 50145 Florence

The personal data provided to the Company shall be processed exclusively for:

a) the execution of administrative, accounting, tax, commercial obligations and all the other corporate activities related to the existing relationship;

b) the execution of direct marketing, commercial communications, mailing of advertising material by post, e-mail, social networks, telephone, sms, mms, whatsapp and new electronic information tools, solely and exclusively upon specific, explicit, free and express consent;

c) the analysis of consumer choices (known as "profiling"), in compliance with the necessary guarantees and measures provided by the regulations, by tracking the type and frequency of online purchases and/or purchases at G.C. Group S.p.a. stores, in order to provide services that are more carefully targeted and tailored to specific needs, as well as to addressable marketing to help you with future purchases at one of the G.C. Group S.p.a. stores, to pursue the goals of market research and the communication of special initiatives devoted to GC Group S.p.A. customers.

Data defined as "sensitive data" shall not be processed.

More specifically, the data may be disclosed to parties outside the Company such as subsidiaries and/or parent companies and affiliates, marketing companies, professionals, trade associations, etc. used by the Company solely and exclusively with your specific, prior consent.

These parties have been carefully selected from a list of those who provided adequate guarantees of compliance and have been appointed as data controllers; their activities are subject to the Company's supervision.

Personal Data shall be processed via paper and electronic means by the data controller, by the processor and by authorized persons, complying with the required precautions, in order to guarantee security and confidentiality and timely, accurate and complete processing.

The use of credit card information for purposes other than the verification of payment, anti-fraud purposes, the charging and processing of executed payments related to processed orders, and the handling of any complaints and litigation proceedings is excluded.

In this regard, the Company informs that data may be processed by the bank that provides the services related to the management of online payments as well as by the bank that issued the credit card indicated as a means of payment for orders.

In accordance with the relevant regulations in force, Data may be transmitted to the police and to the judicial and administrative authorities in order to ascertain and prosecute offences, to prevent and to protect against threats to public safety, to enable GC Group S.p.A. to establish, exercise or defend a right in court, as well as for other reasons related to the protection of the rights and freedoms of others.

Data and personal information shall be collected in the following way:

✓   through in-store sales representatives or customer service;

✓   through social media, if consent has been provided;

✓   through any other means of interaction with salespeople and any of the Company's other services.

Data shall be retained only for the amount of time required to provide the requested services, unless the Company is obliged to store them for longer periods as a result of laws, regulations, and EU standards; if the data is no longer necessary for the aforementioned requirements above, the Company shall securely erase them or make them permanently non-identifiable.

At any time, the data subject shall have the right to obtain the following from the data controller, as laid out in the relevant articles of the EU Regulation 2016/679, which are hereby listed for the sake of convenience: art.15 - Right of access by the data subject; art.16 - Right to rectification; art.17 - Right to erasure ("right to be forgotten"); art.18 - Right to restriction of processing; art.19 – Notification obligation regarding rectification; art.20 - Right to data portability; art.21 - Right to object; art.34 Communication of a personal data breach to the data subject.

In particular, data subjects are entitled, at any time, to exercise the following rights regarding the processing of Personal Data:

✓   To access and modify data: by writing to the Data Controller, the data subject may request to view the Personal Data in the Company's possession, demand its correction, rectification and integration; the data subject may also request to receive a copy of the processed data;

✓   To withdraw consent: in any case the data subject shall have the faculty to withdraw consent to the processing of data with respect to any marketing-related activity at any time; in such a case, the processing of Personal Data, as based on this consent, shall be terminated as soon as possible; data processing based on other conditions shall continue in full compliance with applicable law;

✓   To object to the processing of data: the data subject may object to the processing of Personal Data undertaken in accordance with the Company's legitimate interest at any time, indicating the reasons for such a request; GC Group S.p.A., shall evaluate these reasons before proceeding to accept the objection;

✓   To request data erasure: the data subject may request, as provided for in current regulations, that data be erased; if the request is deemed legitimate, processing shall be terminated as soon as possible, erasing the stored Personal Data;

✓   To request the temporary restriction of the processing of Personal Data: GC Group S.p.A. shall continue to store data, without proceeding to any processing, unless otherwise instructed by the data subject and as per the exceptions provided for by the regulations in force; temporary restriction may be requested if the data subject deems personal data to be incorrect or when the data are deemed no longer necessary to G C Group S. p.a. but useful to the data subject for the purpose of exercising rights in court or eventually during the period of time in which the reasons underlying the request to object to the processing shall be evaluated;

✓   To exercise rights pertaining to data portability: the data subject may request that data be transferred to a party he or she has designated; GC Group S.p.A. shall, if technically possible, process such a request;

✓   When the Personal Data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall communicate the personal data breach to the data subject without undue delay.

Data subjects of profiling are entitled to the following specific rights:

✓   The right to object to profiling;

✓   The right to object to the use of data for marketing and profiling purposes by not granting consent;

✓   The right of access: the data subject may demand to view the profile that has been created, hence not only the personal data that has been used, but also the data that stems from the analysis of the data subject's behavior;

✓   The right to rectification and erasure: the data subject may demand that the entire profile be erased and that the data be rectified, and demand that profiling be restricted at any time;

✓   The right not to be discriminated against by adopting any prohibited technology under Article 22 of EU Regulation 2016/679

Pursuant to Article 12, para. 5) of EU Regulation 2016/679, information provided under Articles 13 and 14 and any actions taken under Articles 15 to 22 and Article 34 shall be provided free of charge.

Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the data controller may either charge a reasonable fee, taking into account the administrative costs incurred in providing the information or communication or taking the requested action, or refuse to act upon the request.

However, the data controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

In order to exercise the rights laid out in Articles 15 to 22 of EU Regulation 2016/679, the Company may request that the data subject provides evidence that such qualifying status is held, namely being an heir of the deceased or executor of the will, or even that the data subject holds a legitimate interest of their own or in protection of the deceased as an authorized representative or on grounds of protecting the family.

In any case, the request may not be granted if the applicable legislation does not so allow or there is a provision to that effect, expressed in writing by the deceased and sent to the Data Controller.

It is hereby stated that the purpose of profiling may be carried out by means of cookies, in full compliance with the requirements of the law and the provisions of the Data Protection Authority, by means of other identifications required for the tracking of purchasing choices.

The data subject shall be asked to provide specific consent to several specific processing operations (including profiling and marketing purposes). However, it should be emphasized that consent is not subject to conditions, it is free and shall be expressed through specific approval.

Subject to the purposes of processing for which GC Group S.p.A. is required to obtain the data subject's express consent, the data subject hereby agrees and consents to be bound by the terms and conditions of this privacy notice and the data subject consents to GC Group S.p.A.'s processing of personal data, without exception.

The data controller is G.C. Group S.p.a., with headquarters at Via Pistoiese 245/1 - 50145 Florence

When exercising rights, the data subject may address the data controller or processor by means of registered letter, telefax or e-mail.

In the event of any questions, comments, complaints, or requests, the data subject may write to the Certified eMail address [email protected] or to the address of the data controller's office at Via Pistoiese 245/1 - 50145 Florence.

Should the data subject deem that their personal data is being processed unlawfully, the data subject may lodge a complaint with one of the competent data protection supervisory authorities.

In Italy, the competent authority for addressing complaints is the Personal Data Protection Authority (www.garanteprivacy.it). The Data Protection Authority website contains all the information required to file a complaint.