Information Notice on Protection of B2B Personal Data
Version dated 08 October 2021
With this notice, Cassina S.p.a., as Data Controller, wishes to inform its
B2B customers, dealers, retailers, and other contractual counterparties,
within the scope of a different business relationship, about the procedures
for processing their personal details, in compliance with Legislative
Decree 196/2003, as amended and supplemented, and with the European
personal data protection Regulation 679/2016 (hereinafter, “European
Regulation”).
1. Data Controller and Data Protection Officer
Cassina S.p.A. -- a single shareholder company (“Cassina”
or “Data Controller”) subject to management and
coordination by Haworth Italy Holding S.r.l. VAT no. 05079060017 with
registered offices at Via Busnelli, no. 1 - 20821 Meda (MB), which can be
contacted at the following e-mail address
[email protected]
-- is the Data Controller in relation to the processing of personal data
described in this Information Notice.
As described in this notice, Data Controller will collect and process
personal data through an innovative system of customer relationship
management “CRM”. The Data may be collected directly from Data Subject -
when Data Controller’s contractual counterparty is a natural person or sole
proprietorship - or by the company/entity to which Data Subject is
affiliated when registering for events, on Cassina’s interactive digital
platform or during events, trade fairs, business meetings and during the
negotiation and/or execution and/or performance and/or termination of the
contract established with Data Controller. The Data collected will be
stored in Cassina’s central database, in its role as independent Data
Controller, where the Data will be processed for marketing purposes (as
described below), for activities carried out in Italy as well as abroad.
Data may also be collected by associated and/or subsidiary companies or by
Cassina’s dealers or business partners operating in Italy or abroad, in
which case these latter will be designated by Data Controller as Data
Processors.
Instead, as concerns only the management of sales and after-sales
activities at some of our showrooms, the companies listed at the foot of
this information notice will collect and process the Data as independent
Data Controllers, in compliance with the indications in this notice, to the
extent applicable.
Data Controller has appointed a Data Protection Officer (“DPO”), who can be contacted at the references indicated in
section 11 of this notice.
2. To whom does this Notice apply?
This Information Notice applies to Data Controller’s processing of the
personal Data of:
a) Data Controller’s B2B customers, dealers, resellers and other
contractual counterparties, if they are natural persons or sole
proprietorships; and
b) legal representatives, partners (natural persons), directors, proxies,
members of the board of statutory auditors, members of the supervisory
body, technical directors and other individuals with powers of
representation and/or management and/or control who are natural persons, as
well as employees and staff of B2B customers, dealers, resellers and other
contractual partners;
(hereinafter jointly referred to as “Data Subjects”).
3. What data is processed?
Data may be collected directly from Data Subjects - where Data Controller’s
contractual counterparty is a natural person or sole proprietorship - or
from this latter company/entity with which Data Subject is affiliated when
registering for events, on Cassina’s interactive digital platform or during
events, trade fairs, business meetings or the negotiation and/or execution
and/or performance and/or termination of the contract established with Data
Controller. In addition, Data Controller may collect personal data relating
to Data Subjects from lists, registers and other publicly accessible
sources - such as, for example, data contained in Chamber of Commerce
registration documents for the company with which Data Subjects may be
affiliated - as well as from databases of entities that provide information
on the commercial reliability of entrepreneurs and managers.
Depending on the purpose and time of collection, Data Controller shall
process the following types of personal data relating to Data Subjects:
a) personal details, contact details, identity document and the role held
at the company/body with which Data Subject is affiliated;
b) the company name, addresses of the registered offices and of any
secondary offices, the VAT number and/or tax code, details of bank
account(s) held by Data Subject, if the latter is a natural person or a
sole proprietor;
c) Data concerning Data Subject’s economic and financial reliability - in
the case of a sole proprietorship or a one-man company - gathered through
the use of databases held by subjects who offer information on the
commercial reliability of entrepreneurs and managers and who have adhered
to the Code of Conduct for the processing of personal data regarding
commercial information approved by the Data Protection Authority for
processing personal data. For further information, including on the
categories of data collected through the use of such databases, Data
Subject may consult the privacy policy notices of the subjects offering the
information in question, which may be found at the website,
www.informativaprivacyancic.it;
d) Any additional personal data on Data Subject that may be collected by
Data Controller during the negotiation and/or execution and/or performance
and/or termination of the contract entered into with Data Controller;
(hereinafter all together the “Data”).
It is strongly suggested that Data Subjects not provide Data Controller
with Data not necessary for the pursuit of the purposes set forth in this
Data Protection Notice.
4. For what reasons are the Data processed?
Data Controller processes the Data of Data Subjects to:
a) undertake negotiations and perform the contract to which Data Subject
will be a party in the course of a purchase online or in a showroom or for
registration at one of the events organized by Data Controller or for
registration on Data Controller’s interactive digital platform (hereinafter
“Contractual Purposes”);
b) comply with obligations arising from applicable legislation, including
tax law (hereinafter “Legal Purposes”); and
c) if the contractual counterparty is a company, pursue Data Controller’s
legitimate interests in conducting negotiations and performing the contract
when the company/entity with which Data Subject is affiliated is a party
thereof;
d) pursue Data Controller’s legitimate interests through verification of
the safety, commercial and financial reliability of its B2B customers,
dealers, resellers, and other contractual counterparties, to prevent fraud,
ensure the soundness of the management and the proper performance of
commercial relations between Data Controller and its B2B customers,
dealers, resellers, and other contractual counterparties;
e) assert and defend its rights, also within the scope of credit recovery
procedures, against Data Subject or third parties in any future litigation;
f) carry out activities functional to the sale of companies and company
branches, acquisitions, mergers, demergers or other transformations and for
the execution of such operations;
g) send potential professional purchasers of Data Controller’s products and
services communications of a commercial nature, about collections,
exhibitions and events concerning Data Controller. We should be sending out
these communications periodically, no more often than twice a month or so,
or whenever there are special initiatives (e.g., Salone del Mobile
[Furniture Trade Fair]) by e-mail to the addresses the Data Subjects have
indicated from time to time within the contractual relationship between
Data Controller and the company/body with which Data Subject is affiliated;
h) notify other companies in Data Controller’s group of the contact information
of potential professional buyers of the products and services offered by
those same companies in Data Controller’s group so that they can send them
information of a commercial nature, on collections, exhibitions and events,
including newsletters, in relation to their own products and services (the
companies in the group are Poltrona Frau, Cappellini, Cassina, Ceccotti,
DZine, Karakter, Janus et Cie, Luminaire and Luxury Living Group. An
updated list of the group companies can be requested from Data Controller
by sending an e-mail to the address in section 11 below). The group
companies will be sending out these communications periodically,
indicatively no more than once a month or so, or whenever there are special
initiatives (e.g., Salone del Mobile) by e-mail to the addresses of the
Data Subjects indicated from time to time in the contractual relationships
between Data Controller and the companies/entities with which the Data
Subjects are affiliated. Moreover, in order to limit such communications to
what is strictly necessary, Data Subjects will receive e-mails only after
an evaluation of the commercial opportunity by the company of the group
that registered the contact. This assessment will be based on two criteria:
(i) the type of clientele to which Data Subject belongs (hence, for
example, Cassina suppliers who, because of existing business relationships
or for those involved in ongoing negotiations and who have been deemed to
not be interested in purchasing products or participating in Data
Controller’s events, will not be sent promotional communications.
Nevertheless, they will still be directed to professionals who are
potential buyers of the products or services from the companies in Data
Controller’s group, so they can remain informed about any business
opportunities with the Group); and
(ii) the sector in which Data Subject operates (for example, if outdoor
furniture is not relevant to Data Subject’s business, no communications
relating to Janus et Cie will be sent to them).
This way, potentially inappropriate promotional notifications will not be
sent indiscriminately, but rather, both the Data Subjects (who will receive
only communications that may interest them) and Data Controller will garner
an immediate advantage. However, each Data Subject will still be free to
directly request promotional material from any group company, which would
relieve the need to evaluate the company originally contacted;
(the purposes referred to in letters c) to h) are jointly defined as “Purposes of Legitimate Interest”).
5. Why are the Data processed?
Data processing is necessary for compliance with the Contractual and Legal
Purposes referred to in section 4, letters a) and b) and so that you will
be permitted to participate in the event, register on the platform,
negotiate, enter into, perform and/or terminate an agreement between Data
Controller and Data Subject, as well as to comply with current applicable
legislation. Failure to provide the Data for these purposes will make it
impossible for Data Controller to allow you to participate in the event,
register on the platform or perform the aforementioned contract.
Data processing for the Purposes of Legitimate Interest is conducted
pursuant to Article 6, letter f) of the European Regulation for the pursuit
of Data Controller’s legitimate interest, which remains fairly well
balanced with the Data Subjects’ legitimate interest, since the Personal
Data processing activities will be (i) limited to what is strictly
necessary for the execution of the economic transactions and other
activities indicated in letters from c) to f) above, and (ii) functional to
the maintenance of business relations with professional customers for the
activities under points g) and h). Processing for the Purposes of
Legitimate Interest is not compulsory. Data Subject may object immediately
or subsequently to each form of processing as indicated in section 11 of
this Information Notice. However, should Data Subject object to said
processing, his/her data cannot then be used for those Purposes of
Legitimate Interest. For example, in the case of the activities under
points g) and h), Data Subject may object both to the communication of
his/her contact details to other Group companies and also in general to
receiving any promotional communications from Data Controller, without
affecting the contractual relationship with the latter in any way
whatsoever.
6. How are the Data processed?
Concerning the purposes indicated above, the personal data, which will be
processed using both computerized or automated instruments and on paper,
will be protected by applying appropriate measures that will ensure their
confidentiality and security. Specifically, Data Controller has adopted
appropriate organizational and technical measures to protect the Data in
its possession against its loss, theft, unauthorized use, disclosure or
modification.
7. To whom will the Data be communicated?
For the purposes under section 4, Data Controller may disclose - in whole
or in part - Data Subjects’ Data to the following categories of subjects:
a) Data Controller’s staff or the staff of the subjects indicated below,
assigned as Data Processors, within the scope of their respective duties
and within the limits established by law;
b) suppliers of services that are instrumental or in support of those
performed by Data Controller and therefore, for example, though not limited
to, legal, administrative and tax consultants, banks for the management of
collections and payments arising from the performance of the contract
between Data Controller and Data Subject or the company/entity with which
the latter is affiliated, auditing firms, businesses assigned to managing
events, sending marketing newsletters or the supply of technological
services, in their capacity as autonomous Data Controllers or Data
Processors;
c) sub-suppliers and/or sub-contractors engaged in activities connected
with the performance of the contract between Data Controller and Data
Subject or the company/entity with which the latter is affiliated, in their
capacity as External Data Processors;
d) other companies belonging to the group with which Data Controller is
affiliated, whether in Italy or abroad, in their capacity as Data
Controllers for their own marketing purposes;
e) Data Controller’s resellers, business partners or companies in the group
with which Data Controller is affiliated, who perform services on behalf of
Data Controller, including the collection of Data to be included in the
customer relations management “CRM” system. These subjects will act as Data
Processors;
f) public bodies and/or judicial and/or control authorities whose right to
access Data Subject’s Data is provided for by applicable legislation, in
their capacity as independent Data Controllers; and
g) subjects who are assignees of a company or a company branch, companies
resulting from possible mergers, demergers or other transformations of Data
Controller, as autonomous Data Controllers for processing.
Some subjects listed above may be located in countries outside the European
Union or the European Economic Area. Specifically, the Data that will be
entered into the CRM database, whose servers are located in the European
Union, will be shared with subjects that could be, however, located both
inside and outside the EEA, since Data Controller offers its products and
services to customers and business partners in all countries where it is
present.
In this case, the Data will be communicated in accordance with the section
below.
8. Are the Data transferred abroad?
In compliance with applicable regulations, the Data may be transferred
abroad including to countries not a part of the European Economic Area and,
precisely, to countries where Data Controller’s group companies are located
including showrooms and authorized resellers featuring Data Controller’s
products and services. All the foregoing will have access to the Data
through the CRM system. A complete list of the latter subjects is available
on Data Controller’s website, while the complete list of the group
companies can be requested from Data Controller by sending an e-mail to the
address indicated in section 11 below. Any future transfer of Data to
countries outside the European Economic Area shall, in any case, be
undertaken in compliance with the appropriate and suitable assurances for
the purposes of that transfer, pursuant to Articles 44 et seq. of the
European Regulation.
In any case, Data Subject will be made aware of any transfer of Data
outside the European Economic Area, by updating this information notice, in
the manner indicated in the sections below.
9. How long will the Data be kept?
The Data will be kept by Data Controller:
a) For the registration to the event and to the interactive digital
platform or in case of a positive outcome of the contractual negotiations,
for a period equal to the duration of the contract entered into between
Data Controller and Data Subject, or the company/body with which Data
Subject is affiliated, and for 10 years after termination of that contract;
b) should the contractual negotiations result in a negative outcome, the
Data will be deleted once negotiations have ceased;
except in any case when additional storage of the Data becomes necessary
for Data Controller to exercise or defend a right against Data Subject or
third parties in a possible dispute.
With reference to the Data processed and kept for the purpose of sending
business communications, Data Controller will process Data Subject’s Data
until any future exercise of the right to object, or, in any case, for no
longer than 2 years after the contractual relationship between Data
Controller and the company/body with which Data Subject is affiliated has
ended.
At the end of the storage period the Data will be deleted, anonymized or
aggregated.
10. What are Data Subject’s rights?
Notwithstanding the possibility that Data Subject not confer his or her own
data, at any time and free of charge, Data Subject may:
a) obtain confirmation of whether or not the Data concerning him/her
exists;
b) be informed about the Data’s origin, the purposes and methods of its
processing, the logic applied to that processing using electronic
instruments;
c) request that the Data concerning him/her be updated, corrected or, if it
is necessary, supplemented;
d) object to the Data being processed for legitimate reasons or obtain the
deletion, transformation into anonymous form or the block of any Data
processed in violation of the law;
e) revoke consent, where previously given;
f) request that Data Controller limit the processing of the Data concerning
him/her in the event that (i) Data Subject contests the accuracy of the
Data, for the period necessary for Data Controller to verify the accuracy
of such Data; (ii) the processing is unlawful and Data Subject opposes the
deletion of the Data and requests instead that its use be limited; (iii)
although Data Controller no longer needs the Data for processing purposes,
the Data are necessary to Data Subject for the establishment, exercise or
defense of legal or extrajudicial claims; (iv) Data Subject has objected to
the processing pursuant to Article 21, paragraph 1, of the European
Regulation, pending verification of whether Data Controller’s legitimate
reasons prevail over Data Subject’s;
g) object to the processing of his or her Data for Purposes of Legitimate
Interest at any time;
h) request the cancellation of the Data concerning him or her without undue
delay; and
i) obtain the portability of the Data Subject’s Data.
If the conditions exist, Data Subject shall also have the right to lodge a
complaint with the Data Protection Authority, at the contacts available on
the website www.garanteprivacy.it.
Requests for the exercise of Data Subject’s rights may be made in writing
to the Data Controller, who can be contacted at the following e-mail
address [email protected]
11. DPO
Data Controller has appointed a DPO (Data Protection Officer) who is
responsible for Data Controller’s compliance with the requirements of data
protection legislation.
Data Subject may contact the DPO securely and confidentially, at any time,
if he or she has general questions about the processing of his or her
personal data, or for any data protection issue. The DPO’s e-mail address
is: [email protected].
12. Amendments and updates
This notice is valid as of its effective date. Data Controller may
nevertheless make changes and/or additions to this information, also as a
result of any subsequent changes and/or additions to the law.
AUTONOMOUS DATA CONTROLLER FOR PROCESSING FOR THE MANAGEMENT OF SALES AT SHOWROOMS
UNITED KINGDOM
Company Name: Poltrona Frau UK Ltd.
VAT: GB 766218904
Registered Offices: 150 St. John Street - London EC1V 4UD
E-mail: [email protected]
FRANCE
Company Name: Cassina France Sarl
VAT: FR69301857132
Registered Offices: 236, Boulevard Saint Germain - 75007 Paris
E-mail: [email protected]
SPAIN
Company Name: TWENTY TWENTY P.F.G. DESIGN SL
VAT: ESB87545745
Registered Offices: CALLE LAGASCA 28 - 28001 MADRID
E-mail: [email protected]
USA
Company Name: Poltrona Frau Group North America, Inc.
VAT: no VAT
Registered Offices: 151 Wooster Street, 2nd floor - New York NY 10012
E-mail: [email protected]