byou Privacy Policy
Information pursuant to Article 13 of the General Data Protection Regulation “GDPR” (EU/2016/679).
This information is provided pursuant to Article 13 of the GDPR, regarding the “protection of personal data”, for subscribing to the B YOU Loyalty Program.
Gifrab Italia S.P.A. is the Data Controller and will process data in compliance with the provisions of the EU Regulation 2016/679 (hereinafter “GDPR” or “Regulation”) concerning the “protection of personal data”. As an independent data controller, Gifrab Italia S.P.A. informs you that it will process the personal data you provide (the “Data”) in order to allow you to participate in the Regulation related to the B YOU Loyalty Program, as prescribed and established by the controller and according to the terms and conditions of use of the B YOU Loyalty Program.
This information is also provided to regulate the closure of the current Fidelity Card program and the subsequent transition of users to the new BYOU program, currently being launched. During this transition phase, personal data will continue to be processed in compliance with applicable legislation and the purposes already communicated, ensuring continuity of protection and rights for the data subjects.
We also inform you that Gifrab Italia S.P.A. has appointed, pursuant to Article 37 of the GDPR, a Data Protection Officer, contactable at the Controller’s office at Via Marco D’Agrate 41 – 20139, Milan (MI), or by writing to the following email address: rpd@gifrab.it.
Personal data collected through the completion and submission of the Fidelity Form containing the Regulation(s) will be used by the Data Controller or, on our behalf, by pre-designated Data Processors, for the purposes detailed below.
Gifrab Italia S.P.A. will process the following categories of Data you directly provide:
- personal identification data;
- contact details (email, phone);
- data related to your purchases at our stores and/or on our websites, points accumulation, credit acquisition, access to personalized benefits.
Data processing, for the purposes described below, takes place both through automated means – on electronic or magnetic support – and non-automated means – on paper – in compliance with confidentiality and security rules and according to the criteria indicated in Article 32 of the GDPR.
1. Legal bases and purposes of Data processing:
   a) Participation in the Regulation: by freely and voluntarily joining, obligations arise from the Regulation, aimed at participation in the B YOU Loyalty Program, in physical or electronic form, regarding the identification of Fidelity card holders or B YOU program participants, the acquisition and management of the data required by the registration form, and the provision of services reserved for cardholders. Participation in B YOU involves management activities that cannot be performed anonymously and are necessary to allow subscribers to benefit from and be recognized for discounts and promotions, offer and delivery of rewards, participation in points collection, and access to other ancillary services provided by the Regulation (legal basis: pursuant to Article 6, paragraph 1, letter b) of the GDPR).
   b) Legal and contractual obligations: in accordance with applicable laws and regulations and the B YOU Regulation, also for the purpose of preventing and identifying possible abuses, illegal acts, crimes, or frauds, handling and/or responding to official requests from Public Authorities or Judicial Authorities, fulfilling fiscal and accounting obligations (legal basis: pursuant to Article 6, paragraph 1, letter c) of the GDPR).
   c) Pursuit of legitimate interest: to protect our legal rights and defense in court and IT management, including infrastructure management and IT security related to payment administration and transactions, or only for individuals who have already used our products and services and have expressed interest or consent, pursuant to Legislative Decree 196/2003, Article 130, paragraph 4, as amended by Legislative Decree 101/2018, to promote the sale of products and services (similar or complementary to those already used) via your email address, without prejudice to your right to object and no longer receive such communications (legal basis: pursuant to Article 6, paragraph 1, letter f) of the GDPR).
   d) Marketing: with your consent and considering your interest in receiving updates about products and events organized by Gifrab Italia S.p.A., sending periodic commercial, informational, promotional, and/or advertising material via automated tools, newsletters (email, web, SMS and/or MMS, WhatsApp and Telegram, informative campaigns and social media campaigns, calls without an operator) and/or non-automated tools (postal mail and calls with an operator), as well as market research and initiatives organized by Gifrab Italia S.p.A. (legal basis: upon your explicit and prior consent, pursuant to Article 6, paragraph 1, letter a) GDPR).
   e) Customer profiling: with your consent and considering your interest in receiving updates about products and events organized by Gifrab Italia S.p.A., analysis of your purchases and choices, in order to better understand your preferences and consequently offer a personalized service, including through automated decision-making and profiling processes (legal basis: upon your explicit and prior consent, pursuant to Article 6, paragraph 1, letter a) GDPR).
Processing of your Data for purposes under points 1.a), 1.b), and 1.c) is necessary for your participation in the B YOU Loyalty Program. Processing of your Data for purposes under points 1.d) and 1.e) is subject to obtaining your prior optional consent.
- Access to Data: Your data may be made accessible for purposes described in points 1.a), 1.b), 1.c), and with your explicit consent, 1.d) and 1.e), to various categories of recipients, such as:
- employees and collaborators of the Controller as authorized and/or internal data processors and/or system administrators;
- third-party companies or other entities (e.g., consultants, commercial partners, IT service providers, companies/individuals used by the Controller for data storage activities or outsourcing), in their capacity as external data processors.
The Controller may also communicate your data for the above purposes to:
- Supervisory bodies, Judicial Authorities, Police, Public Entities, and all subjects to whom disclosure is legally required for the purposes above. These subjects will process the data as independent data controllers.
Only with your explicit and prior consent for purposes under points 1.d) and 1.e), the Controller may communicate your personal data to third parties such as marketing and advertising companies, commercial partners, and event organizers, who will process the data as external data processors.
- Data transfer: Personal data are not transferred outside the European Union. However, should it be necessary, we may transfer personal data to non-EEA countries, ensuring that such transfer complies with applicable law:
- for international transfers of personal data from the European Economic Area (EEA) to a non-EEA country, the transfer may occur if the European Commission has recognized that the country provides an adequate level of data protection; in this case, your data may be transferred on this basis;
- for transfers to non-EEA countries where protection is not recognized as adequate by the European Commission, we may rely on an applicable derogation for the specific situation and/or adopt the standard contractual clauses provided by the European Commission for EU data transfers.
- Retention period: For purposes under points 1.a), 1.b), and 1.c), your data will be processed and retained only as long as necessary for the purposes for which they were collected, and in any case for a maximum of 10 years from the end of the contractual and/or commercial relationship, after which the data will be deleted or anonymized, unless further retention is required for legal defense purposes. Data processed for purposes under points 1.d) and 1.e) will be retained for 2 years from registration, if no purchases/activity occurred. In case of purchases/activity, the 2-year retention period is calculated from the date of the last purchase or last active interaction. Data processed for marketing purposes will be retained for a maximum of 24 months from the last significant interaction with the Controller’s communications, unless consent is revoked earlier.
- Provision of data and consequences of refusal: Providing data for purposes under points 1.a), 1.b), and 1.c) is mandatory to comply with legal and contractual obligations; failure to provide data in whole or in part may make it impossible for the Controller to execute the contract. Data for purposes under points 1.d) and 1.e) is optional; failure to provide such data will prevent receiving communications, invitations, promotions, or offers, without affecting the ability to use products and services offered by the Controller.
- Data subject rights and how to exercise them: You may exercise your rights at any time under Articles 15 et seq. of the GDPR:
- obtain confirmation of the existence or non-existence of personal data concerning you and their intelligible copy;
- obtain the updating, rectification, or integration of your Data;
- request deletion of your data, as permitted by law;
- object, in whole or in part, to the processing of personal data concerning you;
- restrict processing in case of violation, rectification request, or objection;
- request portability of electronically processed data provided on the basis of consent or contract;
- withdraw consent to the processing of your Data, where applicable;
- in relation to fully automated profiling, request human intervention to express your opinion and challenge decisions;
- obtain information regarding the purpose of consent;
- file a complaint with a supervisory authority.
You can exercise your rights at any time by writing to the following email: info@gifrab.it or sending a registered letter to: Gifrab Italia S.p.A., Via Marco D’Agrate n. 41, 20139 Milan (Attn: Gifrab Privacy Officer).
For questions or updates regarding your personal data, you can write to info@gifrab.it. You may also file a complaint with the Supervisory Authority in case of violations.
For further information, consult the Italian Data Protection Authority website at www.garanteprivacy.it.
- Changes and updates to this information: Gifrab Italia S.p.A. may modify, integrate, and/or update, in whole or in part, this Information, including in consideration of future changes to Privacy Legislation. Any modification, integration, or update will be communicated promptly using the electronic or paper means deemed most appropriate by the Controller.