zh
  • IT - Italiano
  • EN - English
  • EN-US - American English
  • DE - Deutsch
  • FR - Français
  • ES - Español
  • RU - русский
  • PRIVACY NOTICE

    OUR PRIVACY POLICY IN SHORT
    This is the website of the B&B Italia branded products, brought to you by B&B Italia S.p.A. as part of the Design Holding Group of companies.
    We are thrilled to be able to offer our great design products to you. In order to do that, we are subject to certain rules that protect your personal data and privacy. You will find our extended privacy policy below.
    This is a summary of our extended notice, by which we wish to draw your attention to certain essential elements.
    In some cases, we need your data, because without them we would not be able to perform an order you place through our website (if the Site offers this possibility), or placed in one of our stores or to respond to inquiries you make. Some other processing operations are instead based on our legitimate interest or your consent. In particular, we believe that giving your consent to marketing would be beneficial to you, because for example we would be able to bring you up to date with respect to new product offerings. For the same reason, we seek your consent to profiling. This would enable us to get to know you better and possibly make offers of products especially designed for you.
    Naturally, you have a number of rights under this notice and applicable laws. They are listed in section 6 of the General Part of the extended privacy notice. We do care about your privacy. If you need to contact us for further clarity on how we use your data, do contact us at the following addresses privacy@bebitalia.com or privacy@designholding.com and as specified below.

    EXTENDED PRIVACY NOTICE
    This privacy notice (“Notice”) describes how the companies B&B Italia S.p.A. (“B&B”), Design Holding S.p.A. (“Design Holding”) and the other companies of the Design Holding Group (the “Group”) may process your personal data collected through www.bebitalia.com/it website being it transactional (if applicable) or not (the “Site”), and possibly (if existing) in physical stores (the “Store”) or on any other occasion in which you may deal with us.
    This Notice further describes how the Design Holding and the Design Holding Group companies may further process your personal data for certain jointly controlled marketing purposes and profiling purposes.
    In this Notice:
    • Design Holding Group” or “Group” means each and all of the following companies: Design Holding S.p.A., Flos S.p.A., International Design Group S.p.A., B&B Italia S.p.A., Louis Poulsen A/S, FF Design Design S.p.A. and their respective subsidiaries as listed below. This list can be updated from time to time to the extent that new companies become part of the Group or current companies exit;
    • us”, ”we” or “our” means B&B, Design Holding and the Joint Controllers, as specified below;
    • you” or “your” refers to the natural or legal person, as the case may be, that purchases the Products through the Site or in Store, that use a service offered by B&B or visit one of our official website or store.
    In this Notice you can find the following information in detail:
    1. CONTROLLERS
    2. HOW YOUR PERSONAL DATA ARE PROCESSED
    3. PROCESSING ACTIVITIES
      1. PURCHASES ON THE TRANSACTIONAL SITEI.
      2. REGISTRATION ON THE TRANSACTIONAL AND NON-TRANSACTIONAL SITE
      3. WHEN YOU CONTACT US THROUGH OUR TRANSACTIONAL AND NON-TRANSACTIONAL SITE
      4. PURCHASE IN OUR PHYSICAL RETAIL STORES
      5. MARKETING ACTIVITIES RELATING TO SIMILAR PRODUCTS
      6. B2C MARKETING AND PROFILING ACTIVITIES
      7. B2B MARKETING AND PROFILING ACTIVITIES
      8. PLUG-INS AND INTERACTIONS WITH SOCIAL NETWORKS
      9. BROWSING DATA AND COOKIES
      10. ADMINISTRATIVE AND SECURITY PURPOSES
      11. WHEN YOU DIRECTLY CONTACT THE CONTROLLERS
      12. COMPLY WITH LEGAL OBLIGATIONS AND EXERCISE OF RIGHTS BEFORE COMPETENT AUTHORITIES
    4. WHO YOUR PERSONAL MAY BE DISCLOSED TO
    5. TRANSFER OF PERSONAL DATA OUTSIDE THE EEA
    6. YOUR RIGHTS
    7. CHANGES TO THIS NOTICE
    8. HOW TO CONTACT THE CONTROLLER
    9. HOW TO EXERCISE YOUR RIGHTS
    Protection and privacy of your personal data are a priority for us. This Notice is constantly updated. The head of this Notice shows the latest update date. We invite you to constantly check the Notice to be informed about any updates, provided that as it concerns the list of companies part of the Design Holding Group, the relevant update might occur at later than the actual variation of the Group’s composition, due to technical and organizational reasons.
    1. CONTROLLERS
      Under this notice, three different types of data controllers are envisaged with respect to different types of processing.In particular, for the processing operations that are related to you interacting with us as a consumer, that is when you purchase our products or deal with us for your own needs as an end user, B&B Italia S.p.A. will qualify as sole controller when it processes personal data for the purposes of performing contracts you are a party to or to respond to your queries, whereas with your consent B&B and Design Holding will process your data as joint controllers for marketing and profiling purposes (“B2C Marketing and Profiling Processing Activities”).When you qualify as an employee, collaborator, representative, owner or account in any capacity of our business customers or contacts (such as companies, professional firms and self-standing professionals), B&B Italia S.p.A. will qualify as sole controller when it processes personal data for the purposes of performing contracts you are a party to or to respond to your queries, whereas with your consent all the Group companies will process your data as joint controllers under the law, in order to make B2B marketing propositions embracing our Group’s full potential of product offerings designed on your needs and possibly carry out profiling in order to tailor our Group’s offerings to your preferences (“B2B Marketing and Profiling Processing Activities”).Finally, for administrative and security purposes your data will be stored in the Group CRM by Design Holding S.p.A.The details of who does what follow below.
      1.1. Autonomous data controller
      With regard to the Processing Activities referred to in paragraph I, II, III of this Notice, the following company shall act as autonomous controller pursuant to Article 4(7) GDPR
      •  B&B Italia S.p.A., with registered office at Via Manzoni 38, 20121 Milan (Italy)
      1.2. Joint Controllers for B2C and B2B Marketing and Profiling Processing Activities
      The companies of the Group will act under a joint controllership agreement pursuant to Article 26 GDPR, under which they determine together the means and purposes of the processing operations relating to B2B and B2C Joint Marketing and Profiling Activities, performed with your consent by using your personal data collected through this Site or in Store and/or when you make contacts with us on occasion of purchases made through our transactional Site or in Store and/or because you have provided us with your data upon making inquiries or otherwise by getting in touch with us, including on occasions of visits to shops and stores managed by the Group companies or by third parties on their behalf.
      With regard to the B2C Processing Activities referred to in paragraph VI of this Notice, the following company shall act as joint controllers:

        • B&B Italia S.p.A. with registered office in Via Manzoni, 38, 20121, Milan and administrative office at Strada Provinciale 32, No. 15 – 22060 Novedrate (Como)
        • Design Holding S.p.A. with registered office in Via Alessandro Manzoni, 38, 20121, Milan (Italy)
      With regard to the B2B Processing Activities the Group companies act as joint controllers are described in paragraph VII of this Notice.
      The joint controllers members of the Group (collectively the “Joint Controllers”) are currently the following companies:
      • Design Holding S.p.A., with registered office at Via Alessandro Manzoni, 38, 20121, Milano (Italy)
      • International Design Group S.p.A. with registered office at Via Alessandro Manzoni, 38, 20121, Milano (Italy)
      • Flos S.p.A. with registered office at Via Angelo Faini, 2 – 25073 Bovezzo (Brescia)
      • B&B Italia S.p.A., with registered office at Via Durini 14, 20122, Milano (Italy)
      • Louis Poulsen A/S, with registered office at Kuglegårdsvej 19-23, DK-1434, Copenhagen (Denmark)
      • D Studio – Copenhagen ApS, with registered office at Kuglegårdsvej 13, DK-1434, Copenhagen (Denmark)
      • Fashion Furniture Design S.p.A. with registered office at Via Alessandro Manzoni, 38, 20121, Milano (Italy)
      • The following affiliates of Flos S.p.A.
        ARES SRLVia dell’Artigianato, 24 -20881 Bernareggio 8 (MB)
        FLOS BESPOKE SRLVia Alcide De Gasperi, 2 – 25060 Collebeato (BS)
        ANTARES ILUMINACIÓN SAUCalle Mallorca n. 1 – Polígono Industrial de Reva, Riba-roja de Túria – 46394 Valencia (ES)
        FLOS BENELUX NVBDC/ESPLANADE 1 Bus 95 – 1020 Brussel (BE)
        FLOS FRANCE SAS20-22 Passage Dauphine – 75006- Paris (FR)
        FLOS GMBHObermünsterstr. 18 – 93047 Regensburg (DE)
        FLOS BVCruquiusweg 109 S – 1019 AG Amsterdam (NL)
        FLOS SCANDINAVIA ASSydhavnsgade 28 – 2450 Koebenhavn (DK)
        FLOS SVERIGE ABLützengatan 1 – 115 20 Stockholm (SW)
        FLOS NORGE ASSjolyst Plass 4 – 0278 Oslo (NO)
        FLOS UK LTDCrown Chambers, Princes Street, Harrogate, North Yorkshire – HG1 1NJ (GB)
      • The following affiliates of Louis Poulsen A/S
        Luminous Designs Investment ApSKuglegårdsvej 19 – 1434 Copenhagen (Denmark)
        Louis Poulsen Germany GmbHLiesegangstrasse 17 D-40211 Düsseldorf – Postfach 190136 D-40111 Düsseldorf (Germany)
        Louis Poulsen Sweden ABBox 23013 S-104 35 Stockholm (Sweden)
        Louis Poulsen Norway ASLysaker Brygge 37/39 N-1366 Lysaker (Norway)
        Louis Poulsen Finland OyKyllikinportti 2 FIN-00240 Helsinki (Finland)
        Louis Poulsen Japan Ltd.AXIS Building 3F Minato-ku – Tokyo Japan 106-0032
        Louis Poulsen Switzerland AGTöpferstrasse 5 – CH-6004 Lucerne (Switzerland)
        Louis Poulsen Holland BVDorpsstraat 18 – 1431 CD Aalsmeer Postbus 375 – 430 AJ Aalsmeer (Nederland)
      • The following affiliates of B&B Italia S.p.A.
        Arc Linea Arredamento SpaViale Pasubio 70, Caldogno, Italia
        B&B Italia London Ltd250 Brompton Road, Cross SW3 2AS, London (UK)
        B&B Italia München GmbHMaximilianplatz 21, Munich (Germany)
        B&B Italia Paris S.à.r.l.3 Rue du Colonel Moll, 75017 Paris (France)
        B&B Italia Contract France sas33 Rue Galilee, 75116, Paris (France)
      • The following affiliates of Fashion Furniture Design S.p.A.
        Fashion Furniture Design UK limited3rd Floor, Palladium House, London, W1F 7LD, (UK)
      Changes to Group’s structure should be expected. Although we will seek to update this notice accordingly, such update might be delayed.
      The essence of the joint controllership agreement entered into by the companies of the Group can be consulted at the end of this privacy policy.
      1.3 Autonomous data controller for administrative and security purposes
      With regard to the processing operations referred to in paragraph of X this Notice, relating to both B2B and B2C processing activities, the following company shall act as autonomous controller pursuant to Article 4(7) GDPR
      • Design Holding S.p.A. with registered office in Via Alessandro Manzoni, 38, 20121, Milan (Italy)
    2. HOW YOUR PERSONAL DATA ARE PROCESSED
      Your personal data are processed through computer, automated and/or manual means in compliance with the principles of lawfulness, fairness, transparency, accuracy, integrity, data minimization and purposes and storage limitation, as well as in accordance with the provisions of the GDPR and applicable legislation on the protection of personal data. Personal data are collected, elaborated, transferred and stored by using appropriate security measures (physical, logical and organisational) to protect them from possible breaches (such as destruction, loss, alteration, unauthorised disclosure or accidental or unlawful access to such personal data) and to ensure that processing is carried out only for the purposes described in this Notice.
    3. PROCESSING ACTIVITIES
      Each of the following paragraphs describe the processing activities carried out within B&B transactional and/or non-transactional Site and when you visit a B&B physical Store. When so specifically indicated in the tables below, the processing activities concerned shall be intended for subjects qualifying as both consumer (B2C) and business (B2B) users or customers.
      1. PURCHASES ON THE TRANSACTIONAL SITE
        This paragraph describes how your personal data are processed when you purchase B&B branded products online from a transactional Site operated under the brand _B&B Italia_, if existing. Namely, you can purchase those products in two ways:
          1. As a “Guest”,
            You are a Guest when you purchase a product from the Site without first creating an account as registered user. Please note that at the time of concluding the purchase, you will be required to read this Notice but not to provide your consent for the processing of data for marketing and profiling purposes. This will instead be required after the conclusion of the purchase (at the “Thank you” page) and your personal will not be processed for marketing or profiling purposes if you do not provide your consent at this occasion, without this affecting the proper performance of the purchase.
          2. As a registered user
            You are a registered user when you create an account on the Site. Please note that when you create the account, you may also be requested to provide your consent for the processing of your data for marketing and profiling purposes.
            ControllersCategories of dataPurpose and legal basis of the processingSource of dataConsequences of not providing dataRetention period
            B&BPersonal information (name, surname)
            Contact details (e-mail address, phone number)
            For B2B customers:
            Profession, e-mail address, work e-mail address, work telephone number, name of the company/business/organisation you work for.
            Creation of an account on the Website
            Legal Basis: need to perform a contract – Article 6(1)(b) GDPR
            Data subjectImpossibility to create an account on the WebsiteData retained until the cancellation of the account*
            *Extension possible if necessary to comply with a legal obligation or to defend a right before a competent authority
            B&BPersonal information (name, surname, tax code)
            Country of residence
            Zip code and address
            Contact details (e.g. phone number, domicile/physical address, e-mail address)
            For B2B customers:
            Profession, e-mail address, work e-mail address, work telephone number, name of the company/business/organisation you work for.
            Invoice data
            Payment data
            Performance of the purchase agreement
            Legal Basis: need to perform a contract – Article 6(1)(b) GDPR
            Data subjectImpossibility to proceed with the purchase10(ten) years after the purchase*
            *Extension possible if necessary to comply with a legal obligation or to defend a right before a competent authority
      2. REGISTRATION ON THE TRANSACTIONAL AND NON-TRANSACTIONAL SITE
        This paragraph describes how your personal data are processed when you register your product and/or create a profile online in our transactional or non-transactional Site.
        Controller Categories of dataPurpose and legal basis of the processingSource of dataConsequences of not providing dataRetention period
        B&BPersonal information (name, surname)
        Contact details (e-mail address, mail address, phone number)
        For B2B customers:
        Profession, e-mail address, work e-mail address, work telephone number, name of the company/business/organisation you work for.
        Country of residence
        Creation of a profile or registration of a product on the Site
        Legal Basis: need to perform a contract – Article 6(1)(b) GDPR
        Data subjectImpossibility to create a profile or register a product on the SiteData retained until the cancellation of the account*
        *Extension possible if necessary to comply with a legal obligation or to defend a right before a competent authority
      3. WHEN YOU CONTACT US THROUGH OUR TRANSACTIONAL AND NON-TRANSACTIONAL SITE OR OTHERWISE
        1. When you contact us through the contact us section of our website or otherwise
          ControllerCategories of dataPurpose and legal basis of the processingPurpose and legal basis of the processingConsequences of not providing dataRetention period
          B&BPersonal information (e.g. name, surname)
          Contact details (e.g. e-mail address, phone number, postal address)
          For B2B customers:
          Profession, e-mail address, work e-mail address, work telephone number, name of the company/business/organisation you work for.
          Any other information that you choose to share in your message or in the attachments
          Deal with and provide a feedback to your requests including when you send us your portfolio
          Legal Basis: consent (provided with a clear affirmative action e.g. when contacting us seeking information) – Article 6(1)(a) GDPR
          Data subjectImpossibility to deal with your requestsTime necessary to deal with and provide a feedback to your requests*
          *Extension possible if necessary to comply with a legal obligation or to defend a right before a competent authority
        2. When you book an appointment
          ControllerCategories of dataPurpose and legal basis of the processingSource of dataConsequences of not providing dataRetention period
          B&BPersonal information (e.g. name, surname)
          Contact details (e.g. e-mail address, phone number, postal address)
          For B2B customers:
          Profession, e-mail address, work e-mail address, work telephone number, name of the company/business/organisation you work for.
          Any other information that you choose to share in your message or in the attachments
          Deal with and provide a feedback to your requests including, when you book an appointment
          Legal Basis: consent (provided with a clear affirmative action e.g. when contacting us seeking information) – Article 6(1)(a) GDPR
          Data subjectImpossibility to deal with your requestsTime necessary to deal with and provide a feedback to your requests*
          *Extension possible if necessary to comply with a legal obligation or to defend a right before a competent authority
        3. When you contact us through the career section of our website or otherwise you send us your application
          As part of the application and selection process, we do not normally ask you to provide us with Personal Data that may reveal your health conditions, religious beliefs, sexual orientation, trade union membership, political opinions, criminal record or criminal charges. If, in the course of the selection process, you provide us with such data (e.g. because they are contained in your CV) we will only process them with your express consent. Failing this, we will not consider this data for selection purposes and will delete it as soon as possible.
          ControllerCategories of dataPurpose and legal basis of the processingSource of dataConsequences of not providing dataRetention period
          B&B Personal information (e.g. name, surname)
          Contact details (e.g. e-mail address, phone number, postal address)
          Data relating to your qualifications, education and professional career;
          Photograph/personal portrait (if contained in CV);
          Data that could reveal your racial or ethnic origins, health conditions, religious beliefs, trade union membership and political opinions, only if provided by you during the assessment process (e.g. if contained in your CV).
          As part of the application and selection process, need to carry out pre-contractual measures at the request of the data subject
          Legal Basis: need to perform a contract – Article 6(1)(b) GDPR
          Explicit consent provided with an explicit affirmative action – Article 9(2)(a) GDPR
          Data subjectImpossibility to deal with your requests1 (one) year*
          *Extension possible if necessary to comply with a legal obligation or to defend a right before a competent authority
      4. PURCHASE IN OUR PHYSICAL RETAIL STORES
        When you make a purchase at one of the B&B’s physical stores, we may ask you to provide us with your personal data in order to include it into our database and process it in a manner described in the following table.
        ControllerCategories of dataPurpose and legal basis of the processingSource of dataConsequences of not providing dataConsequences of not providing data
        B&BPersonal information (name, surname, tax code)
        Country of residence
        Zip code and address
        Contact details (e.g. phone number, domicile/physical address, e-mail address)
        Payment related data
        For B2B customers:
        Profession, e-mail address, work e-mail address, work telephone number, name of the company/business/organisation you work for.
        Invoice data
        Payment related data
        Performance of the purchase agreement
        Legal Basis: need to perform a contract – Article 6(1)(b) GDPR
        Data subjectProvision necessary for the conclusion of the purchase. In case of failure, we will not be able to deal with your request.10(ten) years after the purchase*
        *Extension possible if necessary to comply with a legal obligation or to defend a right before a competent authority
      5. PURCHASE IN OUR PHYSICAL RETAIL STORES
        This paragraph describes how your personal data can be processed by B&B for marketing purposes relating to products similar to those you have purchased. Pursuant to the applicable legislation, those processing activities do not need your consent but are based on the legitimate interest of the controller. Anyway, you always have the right to object to the processing pursuant to Article 21 GDPR.
        ControllerCategories of dataPurpose and legal basis of the processingSource of dataConsequences of not providing dataRetention period
        B&BFor both B2C and B2B customers
        Personal information (name, surname)
        E-mail address, work e-mail address
        Marketing activities (i.e. newsletter, promotional communications via e-mail) relating to products similar to those you purchases
        Legal Basis: legitimate interest of the controller* – Article 6(1)(f) GDPR and Article 130(4) Legislative Decree n. 196/2003
        *Opt-out always granted
        Data subjectN/A7 (seven) years from the last purchase*
        *Extension possible if necessary to comply with a legal obligation or to defend a right before a competent authority;
      6. B2C MARKETING AND PROFILING PROCESSING ACTIVITIES
        This paragraph describes how your personal data can be processed for B2C marketing and profiling purposes.
        With your consent, provided either on a transactional or non-transactional website or in a physical store of B&B personal data processed according to this paragraph will be stored on a common database within the Group held by Design Holding and may be used for engaging in marketing activities relating to B&B Italia branded products.
        Furthermore, with your specific consent, your personal data may be used for profiling operations aimed at the realization of personalized marketing messages and/or product offerings based on your preferences (including activities and purchases concluded on the Website and in Store and possibly other data that we may correlate). Profiling can also be based on personal information collected through cookies, as better explained in the cookie policy which can be accessed through this Site.
        ControllerCategories of dataPurpose and legal basis of the processingSource of dataConsequences of not providing dataRetention period
        B&B
        Design Holding
        Personal information (name, surname, tax code)
        Purchase history
        Preferences and interests and cluster derived data.
        Country of residence
        Zip code and address
        Contact details (e.g. phone number, e-mail address)
        Invoice data
        Payment data
        Marketing activities (i.e. newsletter, promotional communications via e-mail, telephone, sms, and ordinary mail, surveys, market searches) relating to products, services and initiatives.
        Legal Basis: your consent – Article 6(1)(a) GDPR
        Data subjectImpossibility to receive marketing communications.
        No consequences for the purchase or the other activities on the website
        7 (seven) years from the consent*
        *Extension possible if necessary to comply with a legal obligation or to defend a right before a competent authority;
        B&B
        Design Holding
        Personal information (name, surname, tax code)
        Country of residence
        Zip code and address
        Contact details (e.g. phone number, e-mail address)
        Invoice data
        Payment data
        Your preferences and interests.
        Your previous purchases and activities on the Site and in Store
        Your belonging to specific clusters identified by age/gender/profession
        Profiling activities aimed at the realization of personalized marketing messages and/or offerings based on your preferences (including activities and purchases done on the Site and in Store) and relating to branded products Legal Basis: your consent – Article 6(1)(a) GDPRData subjectImpossibility to receive personalized marketing communications from the Group.
        No consequences for the purchase or the other activities on the website
        7 (seven) years from the consent *
        *Extension possible if necessary to comply with a legal obligation or to defend a right before a competent authority
      7. B2B MARKETING AND PROFILING PROCESSING ACTIVITIES
        This paragraph describes the processing activities of personal data that we carry out with regard to employees, collaborators, representatives, owners or accounts in any capacity of our B2B customers (companies, professional firms and sole professionals).
        ControllerCategories of dataPurpose and legal basis of the processingSource of dataConsequences of not providing dataRetention period
        Joint Controllers (DH Group companies)Personal information (name of the company/business/organisation you work for, tax code)
        Purchase history.
        Preferences and interests and cluster derived data.
        Country of residence
        Zip code and address
        Contact details (e.g. phone number, e-mail address)
        Invoice data
        Payment data
        Marketing activities (i.e. newsletter, promotional communications via e-mail, telephone, sms, and ordinary mail, surveys, market searches) relating to branded products, services and initiatives.
        Legal Basis: your consent – Article 6(1)(a) GDPR
        Data subject
        Organisations that manage fairs and events in which we have taken part as exhibitors, subject to the prior consent of the data subject to the disclosure of personal data to third parties for the purpose of sending promotional messages for marketing purposes;
        Social networks to which you are subscribed, subject to your prior consent
        Impossibility to receive marketing communications.
        No consequences for the purchase or the other activities on the website
        7 (seven) years from the consent*
        *Extension possible if necessary to comply with a legal obligation or to defend a right before a competent authority;
        Joint Controllers (DH Group Companies)Personal information (name of the company/business/organisation you work for, tax code)
        Purchase history.
        Preferences and interests.
        Country of residence
        Zip code and address
        Contact details (e.g. phone number, e-mail address)
        Invoice data
        Payment data
        Profiling activities aimed at the realization of personalized marketing messages and/or offerings based on your preferences (including activities and purchases done on the Site and in Store) and relating to branded products
        Legal Basis: your consent – Article 6(1)(a) GDPR
        Data subject
        Organisations that manage fairs and events in which we have taken part as exhibitors, subject to the prior consent of the data subject to the disclosure of personal data to third parties for the purpose of sending promotional messages for marketing purposes;
        Social networks to which you are subscribed, subject to your prior consent
        Impossibility to receive marketing communications.
        No consequences for the purchase or the other activities on the website
        7 (seven) years from the consent*
        *Extension possible if necessary to comply with a legal obligation or to defend a right before a competent authority;
      8. PLUG-INS AND INTERACTIONS WITH SOCIAL NETWORKS
        The Site may interactions with third parties websites (e.g. the other companies of the Group) and social networks (e.g. Facebook, Instagram, LinkedIn) through hyperlink, sharing button, social plug-in and other similar instruments.
        By accessing one of the areas of the Site equipped with this type of tool, the Internet browser will connect the data subjects (either consumers or business data subjects) directly to the servers of the third-party websites in question, thus transferring their personal data to the providers of those Websites.
        Depending on the specific agreements in place with the providers of such third-party websites, B&B may act as autonomous controller or joint controllers with respect to such data transfers. With regard to the methods of privacy protection and processing of personal data collected by the operators of third- party websites with which the interactions described above occur, please refer to the relevant websites.
      9. BROWSING DATA AND COOKIES
        When a user (either acting as a consumer or as a business user) visits the Site, the controllers may collect the following browsing information:

          • Technical information, including IP address;
          • Information about the devices used by users, browser and operating systems, etc.
          • Information about navigation on the Site, including URLs of the pages visited and activities that are performed on the page, dates and times of navigation, time spent, clickstream.
        This information is collected for the proper operation, management, maintenance and improvement of the Site, as well as to ensure that users’ browsing is safe and to be able to establish liability in the event of security breaches. They may also be used to allow us to obtain statistics on the use of the Website with the possibility of analyzing the data also in aggregate form and to carry out profiling activities.
        Users are always free to decide whether to provide the controllers with their browsing data, for example by choosing to disable cookies through the settings of their browsers. However, refusal to provide information necessary for navigation purposes may make it impossible to carry out activities strictly related to navigation itself and, therefore, also to consult and interact with the Website.
        We keep these data only for the time strictly necessary for the purposes for which they are collected.
        Through the Website, navigation data is collected through the use of cookies. To learn more about how cookies work, and how to activate and deactivate them, please consult our cookie policy which is accessible through this Site.
      10. ADMINISTRATIVE AND SECURITY PURPOSES
        This paragraph describes the processing operations carried out by Design Holding for the purpose of storing your Personal Data in the Group CRM Database for administrative purposes, including purposes aimed at ensuring the same level of network and information security.
        ControllersCategories of dataPurpose and legal basis of the processingSource of dataConsequences of not providing dataRetention period
        Design HoldingPersonal data collected according to the above paragraphsStoring your Personal Data in the Group CRM Database for administrative purposes, including purposes aimed at ensuring the same level of network and information security to all Personal Data individually collected by the companies of the Group
        Legal Basis: legitimate interest of the companies of the Group – Article 6(1)(f) GDPR
        Data subjectN/AThe data will not be stored for a period of time exceeding those indicated in the precedent paragraphs
      11. WHEN YOU DIRECTLY CONTACT THE CONTROLLERS
        This paragraph describes the processing activities carried out by B&B, Design Holding and the Joint Controllers for the purpose of dealing with your requests made when you contact us through the relevant contact channel provided through the Website.
        ControllersCategories of dataPurpose and legal basis of the processingSource of dataConsequences of not providing dataRetention period
        B&B
        Design Holding
        Joint Controllers (DH Group Companies)
        Personal information (e.g. name, surname)
        Contact details (e.g. e-mail address, phone number, postal address)
        Information contained in your request and provided to the controllers
        Deal with and provide a feedback to your requests
        Legal Basis: consent (provided with a clear affirmative action while contacting us seeking information) – Article 6(1)(a) GDPR
        Data subjectImpossibility to deal with your requestsTime necessary to deal with and provide a feedback to your requests*
        *Extension possible if necessary to comply with a legal obligation or to defend a right before a competent authority
      12. COMPLY WITH LEGAL OBLIGATIONS AND EXERCISE OF RIGHTS BEFORE COMPETENT AUTHORITIES
        This paragraph describes the processing operations carried out by B&B, Design Holding and the Joint Controllers for the purpose of exercise of their rights before a competent authority or to comply with legal obligations imposed on them.
        ControllersCategories of dataPurpose and legal basis of the processingSource of dataConsequences of not providing dataRetention period
        B&B
        Design Holding
        Joint Controllers (DH Group Companies)
        Personal data collected according to the precedent paragraphs and other data that can be suitable for the specific intended purposeExercise and/or defence of a right before a competent authority (e.g. judicial, administrative)
        Legal Basis: legitimate interest of the controller – Article 6(1)(f) GDPR
        Data subjectN/ATime necessary for the purpose of exercise and/or defend the specific right involved*
        Extension possible if necessary to comply with a legal obligation or to defend a right before a competent authority
        B&B
        Design Holding
        Joint Controllers
        (DH Group Companies)
        Personal data collected according to the precedent paragraphs and other data that can be suitable for the specific intended purpose.Compliance with a legal obligation
        Legal Basis: need to comply with a legal obligation – Article 6(1)(c) GD
        Data subjectN/ATime necessary for the purpose of complying with the legal obligation concerned
    4. WHO YOUR PERSONAL MAY BE DISCLOSED TO
      When necessary for the purposes described in this Notice, your personal data may be disclosed to third parties as shown in this paragraph.
      1. Data processors
        B&B, the Joint Controllers and Design Holding, where applicable, have appointed third parties for the provision of services relating to the Site (e.g. webmaster, IT consultant and system integrator, e-commerce platform, CRM marketing platform, customer care service provider). Such third parties will process your personal data on behalf and under the instructions of B&B Italia S.p.A., Design Holding or the Joint Controllers pursuant to Article 28 GDPR.
        These subjects have been selected among professionals who guarantee the implementation of appropriate technical and organizational measures, so that the processing is always carried out in compliance with applicable legislation and ensuring the protection of data subjects’ rights.
      2. Other third parties
        Your personal data might be disclosed to other third parties that would process it as autonomous controllers, such as:
        • Carriers of products purchased through the Website.
        • Providers of payment services or payment gateways/platforms used to purchase products through the Website (e.g. PayPal, credit card service providers, banks, financial intermediaries etc.).
        • Third parties in the context of any mergers/acquisitions that may involve the Group, to the extent strictly necessary for the purposes of the transaction based on a legitimate interest, and in any event to the extent permitted by the applicable law.
        • Professionals such as lawyers, auditors or accountants.
        • Third parties such as judicial and/or administrative authorities, law enforcement agencies where necessary for the exercise or protection of rights of B&B and/or, where applicable, Design Holding as well as to comply with statutory obligations.
        You may request more detailed information on those subjects to whom your personal may be disclosed by contacting us as indicated in the paragraph “How to contact the controllers”.
    5. TRANSFER OF PERSONAL DATA OUTSIDE THE EEA
      For the purposes of the processing described in this Notice, your personal data may be transferred to countries outside the European Economic Area (“EEA”), which includes all Member States of European Union, Norway, Liechtenstein, and Iceland.
      If that is the case, we ensure that all possible transfers outside the EEA will be made in such a way as to guarantee the full protection of your rights and freedoms. Namely, with regard to the third country to which the data is transferred, if no adequacy decision has been taken by the European Commission, the data transfers will be carried out by relying on an appropriate safeguard pursuant to Article 46 GDPR. Furthermore, a data transfer impact assessment considering the relevant legislation of the third country concerned will be always carried out in order to determine if your data would be actually protected in case of transfer outside EEA or if further security measures are necessary. Please note that Japan, the United Kingdom and Switzerland, countries in which some of the Companies of the Group are established, benefit from adequacy decisions of the EU Commission and therefore your data can be shared with those jurisdictions.
    6. YOUR RIGHTS
      In accordance with the applicable legislation, and in particular with the provisions of the GDPR and other applicable laws, your rights in relation to the personal data that we process under this Notice are the following:
      • Access: you can obtain information about the processing of your personal data and a copy of that personal data (art. 15 GDPR);
      • Rectification: if you believe that your personal data is inaccurate or incomplete, you may request that such data be corrected or modified by following your instructions (art. 16 GDPR);
      • Erasure: except as provided for by applicable laws, you have the right to request the erasure of your personal data, when: (i) the data are no longer necessary for the purposes for which they were collected and processed; (ii) you withdraw your consent to the processing if processing is based on your consent; (iii) you object to the processing for direct marketing purposes or to the processing carried out for other purposes and there are no overriding legitimate grounds to continue with the processing; (iv) your data are processed unlawfully; (iv) the erasure is required by law (art. 17 GDPR); (v) you are a child and your personal data have been collected in relation to the offer of information society services directly to you;
      • Restriction: you may request the restriction of the processing of your personal data where: (a) you contest the accuracy of the personal data for the period necessary to verify their accuracy; (b) the processing is unlawful and you request the restriction of their use instead of erasure; (c) the controllers no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims; (d) you have objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override yours (art. 18 GDPR);
      • Object: on grounds relating to your particular situation, you have the right to object to the processing of your personal data based on the legitimate interest of the controllers (Article 6(1)(f) GDPR) and the controllers will continue to process your data only if there are compelling legitimate grounds for the processing which override your interests, rights and or for the establishment, exercise or defence of legal claims. Your right to object to direct marketing purposes is absolute and can be exercised at any time in the manner indicated in the “How to contact the controllers” section. Your objection to processing carried out through automated means is also valid for processing carried out with traditional means (art. 21 GDPR);
      • Withdrawal of consent: if the processing of your personal data is based on consent, you have the right to withdraw your consent at any time (art. 7 GDPR);
      • Data portability: where the processing is based on consent or on a contract and is carried out by automated means, you have the right to obtain in a structured format, commonly used and machine-readable format the personal data you provided us with and, where technically feasible, to have them transmitted to another data controller.
    7. CHANGES TO THIS NOTICE
      This Notice is subject to periodic updates. To this end, we indicate the last update date at the beginning of this Notice. If you have already submitted your personal data, any change that substantially affects the processing of personal data, will be communicated to you through the appropriate channels in order to ensure that you are effectively aware of the way your data is processed, with a view to full transparency of the processing operations and full and adequate protection of your rights.
    8. HOW TO CONTACT THE CONTROLLERS
      To exercise your rights, and for any query or clarification on how your personal data are processed and used pursuant to this Notice, you can contact:
      1. for the processing operations for which B&B act as autonomous controller:
        CompanyContact details
        B&B Italia S.p.A.E-mail: privacy@bebitalia.com
      2. for the processing operations for which Design Holding act as autonomous controller:
        CompanyContact details
        Design Holding S.p.A.E-mail: privacy@designholding.com   
      3. for the processing operations for which the Group companies act as joint controllers, the single point of contact identified below:
        CompanyContact details
        Design Holding S.p.A.E-mail: privacy@designholding.com   
    9. HOW TO EXERCISE YOUR RIGHTS
      In order to protect your rights and your personal data, you may at any time decide to lodge a complaint with the competent supervisory authority or to bring an action before the competent national courts.
      Anyway, the controllers always invite you to contact them first for any need relating to your personal data.

    ESSENCE OF THE JOINT CONTROLLERSHIP AGREEMENT PURSUANT TO ART. 26 (2) GDPR

    This information is provided in accordance with Art. 26 (2) (“GDPR”). It describes the essence of the Joint Controllership Agreement pursuant to Art. (26) GDPR signed by the companies that are part of the Design Holding Group.
    1. The Parties
      The companies that are part of the Agreement are the following:
      • Design Holding S.p.A. (VAT NUMBER IT10446470964), with registered office at Via Alessandro Manzoni, 38, 20121, Milano (Italy)
      • Flos S.p.A. (VAT NUMBER IT00290820174), with registered office at Via Angelo Faini, 2, 25073, Bovezzo (Italy)
      • B&B Italia S.p.A. (VAT NUMBER IT07122350965), with registered office at Via Durini, 14, 20122, Milano (Italy)
      • Louis Poulsen A/S (VAT NUMBER DK59742817), with registered office at Kuglegårdsvej 19 DK-1434 København K, Copenhagen (Denmark)
      • International Design Group S.p.A. (VAT NUMBER IT 10462810960), with registered office at Via Alessandro Manzoni 38 – 20121 Milano (Italy)
      • D Studio – Copenhagen ApS, with registered office at Kuglegårdsvej 13, DK-1434, Copenhagen (Denmark)
      • Fashion Furniture Design S.p.A., with registered office at Via Alessandro Manzoni, 38, 20121, Milano (Italy)
      • As well as the Affiliates of the above companies as listed in paragrah 1.2 of the privacy policy.
      The Agreement is open to the adhesion by other companies that are or will in the future become part of the same group of Companies (currently Design Holding group).
    2. Subject matter of the Agreement
      Personal Data included in the Database can be processed: a) by each Brand, either singularly or collectively, for B2B marketing and profiling activities relating to the Brands of DH Group for what concern B2B customers (i.e. when an individual qualifies as an employee, collaborator, representative, owner or account in any capacity of our business customers (such as companies, professional firms and self-standing professionals) (the “B2B Joint Activities”); b) by the single Brand concerned, with the exclusion of Fashion Furniture Design S.p.A. and its affiliates, and Design Holding S.p.A. for B2C customers (i.e. when individuals qualify a non-professional end user) (the “B2C Joint Activities”). Notwithstanding the fact that Design Holding hosts and directly manages the database, the Parties jointly determine the means and purposes of the Joint Activities and shall therefore qualify as joint data controller pursuant to Article 26 of the GDPR. The Parties define every aspect relating to the performance and implementation (either by themselves or through third parties appointed as Processors) of the Joint Activities, if necessary also through the conclusion of specific and additional written agreements detailing the personal data shared, the means, the purposes of the Joint Activities, the security measures to be adopted and the relevant technical standards.
      The Parties acknowledge that, with regard to the processing activities of personal data different from the Joint Activities carried out under the Agreement each Party shall autonomously determine the purposes and means of processing. Therefore, in this respect, each Party shall qualify as autonomous Controller and it assumes separate responsibilities under applicable legislation.
    3. General obligations of the Parties
      The Parties will carry out the Joint Activities through computer, automatized and/or paper instruments in compliance with the principles of fairness, lawfulness, transparency, accuracy, integrity, data minimization and purpose and storage limitation, as well as in accordance with the provisions of the GDPR and the applicable data protection legislation.
      The Parties guarantee the security and confidentiality of the personal data subject to the Joint Activities in light of the GDPR and applicable data protection legislation.
      The Parties undertake to process the Personal Data falling under the Joint Activities only for the purposes for which they agreed and, also after the termination for any reason of the Agreement, not to use the Personal Data for different purposes, unless this is necessary for the fulfilment of legal obligations or for the protection of the Parties’ rights before any competent authorities.
      The Parties undertake to adopt all technical, logic and organizational security measures pursuant to Article 32 GDPR, in order to guarantee the protection of Personal Data processed under the Agreement and to ensure a level of security appropriate to the risks to the rights and freedoms of the Data Subjects.
      Should this be necessary to ensure the proper carrying out of the Joint Activities, each Party shall undertake to adopt and sign with third parties – the Processors – specific contracts or other legal acts pursuant to Article 28 of the GDPR.
      In case of a Personal Data Breach (as defined in Article 4(12) of the GDPR), or in the event that a Party has reason to suspect that such a breach may reasonably occur, it will notify the other Parties immediately and in any case within a maximum of 12 (twelve) hours from the moment in which it became aware of the breach or from the moment in which it became aware of information that would suggest the occurrence of such a breach. In this case, each Party undertakes to provide maximum cooperation and assistance in order to identify and implement all corrective measures to eliminate or in any case limit the effects of the breach as much as possible.
    4. Transfer of Data outside EEA
      The Parties acknowledge and agree that if the Personal Data processed under the Agreement should be transferred or processed – also through Processors or Sub-Processors – in a country located outside the European Economic Area (“EEA”) for which no adequacy decision has been issued by the European Commission, they shall resort to one of the mechanisms provided for by Articles 46 ff GDPR. In particular, the Parties shall resort to the standard clauses for the transfer of personal data to third countries approved by the European Commission, as well as assess the actual level of protection of personal data ensured to the Data Subjects in the aforementioned country. The Parties shall take into account both the mechanisms pursuant to Articles 46 ff GDPR concretely adopted and the legislation of that third country of destination, and adopt, if necessary, additional security measures aimed at the protection of personal data, such as cryptography.
    5. Rights of the Data Subjects/Single Point of Contact
      The Parties have designated a single contact point of contact for the exercise of the Data Subjects rights pursuant to Articles 15-22 GDPR, this being Design Holding S.p.A., that can be contacted at the following e-mail address: privacy@designholding.com (the “Leading Party”). 
      Notwithstanding the foregoing, Data Subjects may validly contact each of the Parties in order to enforce their rights with respect to the Joint Activities and each Party shall comply with the same procedure established by the Parties for the management of Data Subjects’ requests. If necessary, the Party who first receives the request (the “Receiving Party”) shall communicate it to the other Parties within 3 working days, sending them a copy, in order to collaborate actively to give timely feedback to these requests and agree on the actions to be taken in accordance with the provisions of paragraph 3 below.
      All requests made by the Data Subjects to enforce their rights must be delivered in a manner that allows the verification of the identity of the relevant Data Subjects (e.g. by means of a named email address) and the identity of persons that they may appoint as their representative. 
      The Receiving Party shall provide the Data Subjects with information on action taken on their requests without undue delay and in any event within 1 (one) month of receipt of the request. That period may be extended by 2 (two) further months where necessary, taking into account the complexity and number of the requests. The Receiving Party shall inform the Data Subjects of any such extension within 1 (one) month of receipt of the request, together with the reasons for the delay. Each response should be agreed upon in advance by the Parties before being provided. Where possible, the Receiving Party shall provide all feedbacks to the Data Subjects on privacy matters from dedicated e-mail account.
    6. Liability
      Where the Parties are involved in the same processing and where they are, pursuant to Article 82, paragraphs 2 and 3 of the GDPR, responsible for any damage caused by processing, each Party shall be held liable for the entire damage in order to ensure effective compensation of the Data Subject.
      Each Party shall remain solely and exclusively liable for the damage caused by its own processing infringing the GDPR, as well as if it has acted in a manner that is different from or contrary to the requirements contained in this Agreement.