A- Type of Personal Data Processed
Personal Data collected through the Application are listed below.
Name, Last name, Contact Details and other Personal Data
When you create an account to log into the Application Panini may ask your personal information such as: name, last name, gender, contact details, month and year of birth, county or state and country of residence. In the same way, you may be asked to indicate other Data such as: shipping address, the choice of payment method and the age of the collector on the occasion of each purchase of goods and/or services; Data coming from your submission of texts, drawings or registration information, on the occasion of participation in competitions, promotions, interactive games (such as those belonging to the Adrenalyn category) and initiatives of any kind; Data collected through the use of the Panini Zone (the swap tool that allows to complete your Panini sticker collection faster matching your missing sticker or card requests with those offered in the swap pool by other collectors). Further Personal Data may be collected during the management of each relationship through the Application itself or may consist of those that you decide to provide to Panini through the use of the Application / Customer Service area of the Application.
Some sections of the Application can include free text fields in which it is possible to provide Panini with information that may contain Personal Data. Being free fields, you may choose to communicate (even inadvertently) particular categories of Personal Data, such as those revealing political opinions, religious or philosophical beliefs, or union membership, as well as genetic data, biomedical data which can permit to uniquely identify a specific person, data related to health or sex life or sexual orientation.
Panini asks you not to disclose any of these types of data, unless you consider it strictly necessary to pursue the request you forward to us. Since the indication of such information is, as said, totally optional, if you choose to do so, Panini could process such data only with your explicit consent and in compliance with the current legislation. Panini, therefore, underlines the importance of expressing your explicit consent to the processing of these particular categories of Personal Data in case you decide to share them with Panini.
Personal Data of Third Parties
As mentioned in the previous paragraph, by providing in the Applications free text fields in which it is possible to forward any type of message, these could in fact contain Personal Data relating also to other people. In all cases in which you decide to share such Data, you will be considered a self-appointed Data Controller and, as such, you will have to assume all the relevant legal obligations and responsibilities. Therefore, in this regard, you undertake to hold Panini harmless from any dispute, claim, request for compensation for damage from data treatment etc. that could reach Panini from people whose Personal Data have been forwarded by you in violation of the applicable rules on the protection of Personal Data.
As, in such cases, Panini does not collect this information directly from the data subjects (but indirectly from you), you guarantee that this specific treatment can be based on the consent of these data subjects or on another suitable lawful basis that legitimizes the processing of the information in question.
Navigation Data and Cookies
The computer systems and software used to run the Applications acquire, during their normal operation, some Personal Data whose transmission is implicit in the use of Internet communication protocols. This information is not collected by Panini to be associated with identified data subjects, but by its very nature could, through processing and association with data held by third parties, allow data subjects to be identified. This category of data includes the IP addresses or domain names of the computers used by the users connecting to the Application, the addresses in URI (Uniform Resource Identifier) notation of the requested services, the time of the request, the method used in submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (good result, error, etc.) and other parameters related to the operating system and the user's computer.
These data are used for the sole purpose of obtaining anonymous statistical information on the use of the Application, to check its correct functioning and to identify anomalies and/or abuses. Except in cases where the data are used to ascertain responsibility in the event of hypothetical computer crimes against the Application or third parties, these data do not persist for more than seven days.
B- Personal Data Processing of Children below the Age of 16 Years
Children aged less than 16 years old or, in accordance with national local laws below the age set to directly collect the consent to the processing from children but in any case not less than 13 years old,– are not allowed to register on the Applications to access the sections reserved for registered users.
Users who do not declare the age will be considered and treated as under 16 or, in accordance with the laws of the country declared at registration, as minors below the minimum age established to grant consent to the processing of data and therefore they not will be able to access the sections reserved for registered users of the Applications.
Children under the age of 18 are not permitted to purchase goods or services from our Applications.
C- Purposes of the Personal Data Processing
We will process your Personal Data for the following purposes:
- allowing the execution of operations strictly connected and instrumental to the management of relationships with you, such as managing the response to queries received via the contact forms; enabling restricted sections of the Applications; assisting you in case you lose the login/password data of your personal account on the Applications; executing contracts for the sale of goods and/or services, managing and fulfilling orders via E-Commerce platforms; allowing you to consult the chronology of your purchases; ensuring the delivery of the purchased products and tracking your order status; allowing you to participate in games, initiatives, competitions and prize events (Services Provision);
- allowing the correct execution of the contractual obligations we have assumed towards you and vice-versa (Contractual Obligations);
- complying with laws, regulations and EU legislation or with provisions issued by authorities empowered by law and provisions issued by Supervisory and Control Bodies, as well as allowing tax and accounting compliance (Legal Compliance);
- carrying out information activities about our products and/or services as well as promotional, commercial, marketing campaigns and market research through the use of automated systems without operator intervention (for example, e-mail), but also through traditional methods of contact, such as the postal service; performing customer satisfaction surveys (by sending questionnaires, conducting surveys or conducting surveys) (Marketing)
- sending you, if you are using or have used a service on an Application or if you are buying or you have bought a product or a service through the Application, direct marketing and promotional communication via e-mail about similar products or services (Soft Spam);
- setting-up groups of users by processing the data provided by our users so that we don’t send generalized commercial and promotional communications to all users in an indistinct way. This enables us to segment users, creating groups based upon common features for example, on the country of origin, language, gender, previous purchases, etc. This allows us to send commercial communications - through the use of automated systems without the intervention of the operator (for example, e-mail), but also through traditional methods of contact, such as the postal service - that are the most relevant and least invasive possible, limiting as far as possible the circumstance that you receive messages not of your interest (Profiling).
D- Lawful Basis for Processing Personal Data, Mandatory/Discretionary Provision of Personal Data and Consequences in case of not providing
The provision of Personal Data, and the related processing for purposes related to Legal Compliance, is necessary for Panini in order to comply with the related legal obligations. When you provide your Personal Data to Panini, we must process them in accordance with applicable laws which may include the storage and communication to the competent authorities for compliance with tax, customs or other obligations.
The provision of Personal Data, and the related processing, for the purposes related to the activity of Soft Spam is based on the legitimate interest of Panini to send marketing communications via e-mail regarding products and services similar to those you have already used or purchased through the application. You can stop the receipt of these communications without suffering any consequence (other than that of not being able to receive further communications of this kind by Panini) using the link at the bottom of each of the e-mails received for that purpose.
E- Personal Data Sharing
The Personal Data will be made known to the Panini staff in charge of the development and management of the Applications that is authorized to process them for the purpose of achieving the aforementioned purposes and who are committed to confidentiality or otherwise have received an appropriate legal obligation to confidentiality.
Personal Data may be shared, used and transferred within the companies belonging to the Panini group for accounting and administrative purposes.
Personal Data will be made known to third parties, appointed as Data Processors, as they process Data on behalf of Panini (for example, companies responsible for managing and processing sales orders, suppliers with whom it is necessary to interact for the Service Provision such as hosting providers, platform providers for sending e-mails or, again, suppliers who perform technical maintenance activities including the maintenance of network equipment and electronic communications networks, suppliers who develop interactive games and competitions, software developers for the payment systems, suppliers providing the technological platform and payment gateway for orders for products in the e-payments area, payment service providers for e-payments activities).
Personal Data may be shared with third parties with whom Panini has ongoing contractual relationships concerning services functional to the performance of the activity (such as couriers for the delivery of products, audit firms, persons, companies or professional firms that provide assistance and advice on the subject, administrative, legal, tax, financial and credit recovery firms relating to the provision of the Services).
Finally, Personal Data will be communicated when requested to the competent taxation offices, or to other public bodies, according to the provisions of the laws in force.
Personal Data is not intended for publication or dissemination.
F- Personal Data Transfer
Given the international presence of Panini, some of your Personal Data may be shared with recipients, referred to in the previous paragraph, which could be found in countries outside the EU or the European Economic Area. Panini ensures that the processing of your Personal Data by these parties will be in compliance with applicable law. Therefore, the transfers will be made with adequate guarantees, such as adequacy decisions, models of Standard Contractual Clauses approved by the European Commission or other guarantees considered adequate.
More information is available by writing to Panini at the following address: email@example.com
G- Personal Data Retention
The Personal Data processed for the purpose of Services Provision and Contractual Obligations will be retained by Panini for the time strictly necessary for the execution of the requested service and for the correct execution of the contractual relationship with you. As this Personal Data is processed to provide you with the Services and allow the execution of the contractual relationship, Panini may keep them for a longer period, in particular for what may be necessary in order to protect the interests of Panini against possible claims arising from the Services Provision.
In any case, Panini specifies that the retention time related to any orders and purchases you have made is equal to 24 months. Panini, moreover, specifies that it will keep your authentication credentials to the Application Services up to 54 months from the date of the last login (the underlying logic is that Panini has calculated that the retention time identified is the period of time with reference to the frequency of major sporting events such as, for example, the Football World Cup). At the end of this period the data will be made anonymous.
Your requests, and the data contained in them, collected through the Contacts/Customer Service area of the Applications will be maintained for one year from the closure of the request in order to allow Panini to handle any additional requests received after closure. At the end of this period the Data that permit the identification, even indirect, of a physical person (such as name, surname, e-mail) will be made anonymous and maintained, only in the form of aggregated data, for statistical purposes.
The Personal Data processed for the purposes of Legal Compliance will be retained by Panini for the period envisaged by specific legal obligations or applicable legislation.
The Personal Data processed for the purposes of Marketing and Profiling will be retained by Panini until the revocation of the consent you have given and renewed periodically. Once your consent is withdrawn, Panini will no longer use your Personal Data for such purposes, but may retain them, particularly as may be necessary in order to protect Panini's interests from possible liability based on such processing.
Panini informs you that, in order to respond to the principle of limitation of conservation, the data processed for the purposes of Marketing and Profiling will in any case be maintained for a maximum of 54 months from the date of the last login in accordance with the logic used for the retention of authentication credentials to the Application Services referred to above.
The Personal Data processed for the purpose of Soft Spam will be kept by Panini until you object to the process through the link found at the bottom of each of the Soft Spam e-mails sent.
H- Data Subject Rights
At any time you are entitled, as Data subject, to:
- request access to your Personal Data, (and/or a copy of such Personal Data), as well as further information on the current treatment of them;
- request the correction or updating of your Personal Data processed by Panini, where they are incomplete or out of date;
- request the deletion of your Personal Data from the Panini databases, where you deem the processing unnecessary or illegitimate;
- request the limitation of the processing of your Personal Data by Panini, where you believe that your Personal Information is not correct, necessary or is unlawfully processed, or if you had opposed its processing;
- exercise the right to data portability, i.e. to obtain a copy of the Personal Data supplied to Panini that relates to you in a structured format, for common use and readable by an automatic device, or to request transmission to another Data Controller;
- oppose the processing of your Personal Data, using a legal basis relating to your particular situation, which you believe should prevent Panini from processing your Personal Data;
- revoke your consent for the purposes of Marketing and Profiling and to oppose the processing for the purpose of Soft Spam. We remind you that the express consent for forwarding promotional communications referred to the Marketing and Profiling purposes extends not only to communications sent through the use of automated systems without the intervention of the operator (for example, e-mail), but also the traditional methods of contact, such as the postal service. It is always possible to withdraw consent to the treatment, even in a disjointed way, for example, deciding to receive such communications only through postal service and not through automated systems such as e-mail
Please note that the Personal Data you provided to Panini may be changed at any time, through the "modify data" section of the Applications or by writing to: firstname.lastname@example.org. You may exercise the above rights by means of the methods indicated above.
We inform you that for the Marketing purposes you can revoke and terminate at any time the sending of this commercial information, by writing to the e-mail address indicated above or, in the case of communications received through IT tools, following the procedure indicated at the bottom of the communication (via the "Unsubscribe" button).
You can also stop receiving Soft Spam using the appropriate link at the bottom of each e-mail received (via the " Unsubscribe " button).
Consent for the purpose Profiling can be revoked by changing, at any time, the preferences of the user profile that can be created on the Application or by writing to the e-mail address indicated above.
Panini also informs you that you always have the right to lodge a complaint with the competent Supervisory Authority (for example that of the State in which you have your habitual residence, in Italy the Guarantor for the Protection of Personal Data) if you believe that the processing of your data is contrary to the legislation in the field of personal data protection actually applicable.
J- Orders' Payment Data Collection
Furthermore we hereby inform you, in connection with your order, your personal data relating in particular to your identity, domicile, personal status, phone number, email address, bank card and bank account numbers, or to the transactions you enter into or payments you make, are processed by Ingenico Financial Solutions SA/NV (“Ingenico FS”)
- with the purpose of allowing Ingenico FS to be able to perform its agreement with Panini SpA,
- with the purposes of fraud monitoring and fraud management (determining the risk levels associated with transactions, detecting and managing any resulting alerts), and
- with the purpose of compliance with Ingenico FS’ legal obligations under the applicable legislation relating to the fight against money laundering and the financing of terrorism and
- with the purpose of compiling market analysis, statistics, analysis of transaction data, improvement of the service provided by Ingenico FS.
The collection of your personal data is a mandatory requirement for these purposes. Without this personal data your transaction could be delayed or rendered impossible and your order cancelled.
Please be informed that Ingenico FS, with registered office at Boulevard de la Woluwe 102, in 1200 Brussels and with company number 886.476.763 is the data controller for such data processing.
Ingenico FS will not communicate your personal data to third parties, except in the following two cases:
- Communication by Ingenico FS of personal data to its affiliates, subcontractors or other parties with whom Ingenico FS has a contractual relationship and that provide services for / assistance to Ingenico FS in the framework of i) the performance of the agreement between us and Ingenico FS, ii) fraud prevention and management and iii) with the purpose of compliance by Ingenico FS with its legal obligations under the applicable legislation relating to the fight against money laundering and the financing of terrorism and (iv) communication to third parties of anonymous or aggregated data. The third parties that are providing service/assistance to Ingenico FS with regard to fraud monitoring and fraud management can insert your personal data into their own specific database(s) that is (are) used by them to provide services for a multitude of merchants to prevent and manage fraud.
- If Ingenico FS is required by law to communicate certain information or documents to the National Bank of Belgium, to the Financial Intelligence Processing Unit (CTIF-CFI), to similar Belgian or foreign authorities, or generally speaking to any judicial or administrative authority, law enforcement authorities or any legal or administrative authorities. Communication of personal data to those entities will be limited to the extent necessary or required under the applicable regulations.
Furthermore, a fraud may give rise to the recording of certain personal data relating to you in a dedicated file managed by Ingenico FS. The purpose of such file is to retain a trace of previous frauds, in particular to provide information for criteria used to evaluate transaction risks and the scoring templates used for this purpose. The recording of your data in this file may also lead to you being assigned a higher risk level in the event of any subsequent order placed with a merchant that is customer of Ingenico FS, and consequently could potentially lead to the rejection of this order.
You are entitled to have access to your personal data and have the right to query, access and correct your data, as well as the right to object, for a legitimate reason, to the processing of your personal data. For the exercise of these rights, please address a written request (by registered mail), dated and signed, to the registered office of Ingenico FS (see above) or send an e-mail to email@example.com and mention in this letter or e-mail your name, address and telephone number where you can be reached during office hours, and enclose a copy of both sides of your identity card or passport. You may hide the data that you are not required to provide according to your local legislation.