Privacy Policy on the Processing of Personal Data of Program Participants.
"The New Glam Lounge" pursuant to Article 13 of Regulation (EU) 2016/679 ("GDPR")

1. Data Controller
The Data Controller of your personal data is Exelite S.p.A. ante Liu.Jo S.p.A. (hereinafter, "Liu.Jo" or "Data Controller"), with registered office in Viale J.A. Fleming, 17 - 41012 - Carpi (MO) - Italy, C.F. and P.IVA 02322360369. Liu.Jo would like to provide you below with the relevant information about the methods and purposes of the processing of your personal data, in accordance with Article 13 of Regulation (EU) 2016/679 (hereinafter, "GDPR"), in relation to your subscription to the loyalty program "The New Glam Lounge".

2. Data Protection Officer
Liu.Jo has appointed a Data Protection Officer ("DPO"), who can be contacted at the following e-mail address: dpo@liujo.it.

3. Purposes of processing, legal basis, and data retention
Liu.Jo may process your personal data (both in electronic and paper format) such as, but not limited to first name, last name, date of birth, residential address, e-mail, phone number, purchase details, discounts, benefits, rewards, etc.
This personal data is processed for the following purposes:
 
  1. for participation in and management of the loyalty program "The New Glam Lounge" (hereinafter referred to as the "Program"), including registering for the Program, sending communications necessary for the conduct of the Program, managing and delivering rewards and benefits (Program Management). The legal basis for processing is the performance of a contract to which you are a party, pursuant to Article 6(1)(b) of the GDPR. Your personal data will be kept by Liu.Jo until the end of the Program;
  2. for the awarding of Cluster (Bronze Privé, Silver Privé, Gold Privé, Platinum Privé, Diamond Privé) and Reward and Privé Stars based on purchases made or specific actions taken as described within the Regulations (Cluster and Stars). The legal basis on which the processing is based is the performance of a contract to which you are a party, pursuant to Article 6(1)(b) of the GDPR. Your personal data will be stored by Liu.Jo until the end of the Program;
  3. to carry out marketing activities, such as sending commercial communications, exclusive offers and information about new services and products, invitations to events, conducting market research (Marketing). The legal basis for the processing is your express consent, pursuant to Article 6(1)(a) of the GDPR. Your personal data collected for marketing purposes will be processed until you request to revoke your consent;
  4. to carry out profiling activities, such as the creation of advertising material, advice and services tailored to your preferences and purchases (Profiling). The legal basis for the processing is your express consent, pursuant to Article 6(1)(a) of the GDPR. Your personal data collected for profiling purposes will be retained until you request to revoke your consent. Detailed purchase and preference data will be retained for 24 months from the time it was collected;
  5. for the fulfillment of any legal obligation to which Liu.Jo is subject as Data Controller (Fulfillment of legal obligations). The legal basis for the processing is the fulfillment of a legal obligation to which the Data Controller is subject, pursuant to Article 6(1)(c) of the GDPR. Your personal data will be retained for the duration provided for by the applicable sector legislation.
  6. if necessary, to ascertain, exercise or defend the Data Controller rights in judicial proceedings (Exercise of own rights in judicial proceedings). The legal basis for the processing is the legitimate interest of the Data Controller to exercise or defend its rights in judicial proceedings, pursuant to Article 6(1)(f) of the GDPR. Your personal data will be processed for the duration of the litigation, until the time limits for appeal actions are exhausted.
After the above retention periods have elapsed, personal data will be destroyed or anonymized, consistent with technical procedures for deletion and backup.

4. Provision of personal data
For the purposes of Program Management, Cluster and Stars and Fulfillment of legal obligations, the provision of data is mandatory. Refusal to provide such data will not allow participation in the Program.
For the purpose of Marketing and Profiling, the provision of data is optional, and refusal to provide the relevant consents will not preclude enrollment in the Program. In addition, you may at any time revoke the consent given for Marketing and Profiling purposes through the appropriate channels made available by the Data Controller.

5. Data recipients
Your personal data may be communicated to external parties operating as data controllers such as, by way of example, authorities and supervisory and control bodies and, in general, parties, public or private, entitled to request your personal data. Your data may also be processed by external parties designated as Data Processors (pursuant to Article 28 of the GDPR), who carry out specific activities on behalf of the Data Controller (by way of example: accounting, tax and insurance fulfilments, mailing of correspondence, management of collections and payments, etc.).

6. Authorized subjects
The data may be processed by employees of the company functions assigned to the pursuit of the above purposes, who have been expressly authorized to process the data and have received appropriate operating instructions.

7. Personal data transfers
Your personal data will not be transferred outside the European Economic Area ("EEA").

8. Rights of the Data Subject and Complaint to the Supervisory Authority
By contacting the Data Controller at privacyconsumer@liujo.it or the DPO at dpo@liujo.it, you may exercise the rights recognized by Articles 15-22 of the GDPR, and in particular, you may request from the Data Controller access to the data concerning you, their rectification, integration or deletion, as well as the restriction of processing in the cases provided for in Article 18 of the GDPR. You may also, where processing is based on consent or contract and is carried out by automated means, have the right to receive in a structured, commonly used and machine-readable format your personal data, as well as, if technically feasible, the right to transmit them to another Data Controller without hindrance.
You have the right to object at any time, easily and free of charge, for reasons related to the particular situation, to the processing of your personal data in cases of legitimate interest of the owner. 
In any case, you have the right to lodge a complaint with the competent supervisory authority in the Member State where you usually reside or work or with the Authority of the State where the alleged violation occurred.