PRIVACY POLICY

LYRECO ITALIA Srl , with registered office in via Victor Hugo 4, Milan, and VAT number 11582010150 subject to the management and coordination of the sole quotaholder Lyreco SAS, a company incorporated under French law, with registered office in rue du 19 mars 1962, 59770 MARLY (France), has exclusively business-to-business relationships with its customers and suppliers (hereinafter referred to individually as "Customer / Supplier" and collectively "Customers / Suppliers").

At Lyreco, we believe privacy is important. To protect your privacy, Lyreco will ensure that all personal data is handled securely and used only as described in the sections below. This privacy policy ("Privacy Policy") specifies what personal data we collect, how we use it and what measures we take to keep it safe.

In this Privacy Policy the terms "you" and "your" refer to the interested parties of the Customer / Supplier whose personal data are processed by or on behalf of Lyreco, while the terms "we" and "our" refer to Lyreco.

Definitions

“Affiliated Companies” means companies controlled by, or jointly controlled with, Lyreco.

"Applicable Data Protection Law (s)" means the laws and regulations regarding the protection of personal data, data security, data retention, to which Personal Data is subject, including the GDPR and Italian Legislative Decree 196 / 2003 and subsequent amendments.

"Data Controller" means the natural or legal person, public authority, agency or other body which, on its own or in collaboration with others, determines the purposes and means of the processing of personal data.

“Interested Subjects” means each employee, consultant, agent or other natural person authorized to make or receive purchase orders from Lyreco on behalf of the Customer / Supplier.

"Personal Data" means the personal data of the Interested Subjects processed by Lyreco as the Data Controller.

"General Data Protection Regulation" or "GDPR" means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and repealing Directive 95/46 / EC.

"Personal data" means any information concerning an identified or identifiable natural person ("Interested Subject"); the natural person is considered identifiable who can be identified, directly or indirectly, with particular reference to an identifier such as the name, an identification number, location data, an online identifier or one or more characteristic elements of his physical identity, physiological, genetic, psychic, economic, cultural or social.

"Processing", "process", or "processed" indicate any operation or set of operations carried out with or without the aid of automated processes and applied to Personal Data or sets of Personal Data, such as the collection, registration, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, limitation, deletion or destruction.

“Service” means the supply and sale / purchase of products and all related services offered globally or locally by Lyreco.

"Third party (s)" means subjects authorized by Lyreco to process personal data such as, by way of example: auditors, contractors, transporters, commercial agents, consultants, etc.

Scope of

This Privacy Policy applies only to Customer / Supplier Personal Data processed by or on behalf of Lyreco.

Lyreco treats Personal Data fairly and lawfully, in accordance with Applicable Data Protection Laws.

In the event of a conflict between the Privacy Policy and the applicable Data Protection Laws, the provisions of the latter will prevail.

What personal data do we collect and use?

Lyreco processes the Personal Data of Customers / Suppliers in order to provide its Services. In fact, the interested parties of the Customers / Suppliers are those who act on behalf of the Customers / Suppliers themselves and who have commercial relationships with Lyreco.

Lyreco processes the following categories of Personal Data of Customers / Suppliers:

-       Name, surname, telephone number and e-mail

-       Company name, VAT number and company address

-       Information on payment methods and credit cards

-       IP address

In Annex 1 to this Privacy Policy you will find a detailed outline of the Personal Data we collect, the related purposes and legal basis.

What do we use this information for?

The GDPR allows us to process Personal Data to the extent that we have a legal basis or "ground" for doing so. Furthermore, it requires us to tell you what these fundamentals are. Consequently, when we process your Personal Data, we will rely on one of the following legal bases:

• Execution of a contract: when the processing of Personal Data is necessary to fulfill our contractual obligations. The processing of your Personal Data is necessary to fulfill our mutual contractual obligations (for example, creating and managing accounts in the Lyreco webshop, solving technical problems, processing requests or other types of messages, executing and receiving orders, shipment of orders, credit recovery). We may also process your Personal Data in connection with the use of our profiles on social media, in order to process, organize and manage these profiles, communicate with you and respond to your messages, maintain relationships with users and promote our brand on the Internet. In this case, the legal basis is the performance of a contract and our legitimate interest (Article 6 paragraph 1 letter b) and f) of the GDPR);
• Legal obligation: when we are required to process your personal information to comply with a legal obligation, such as keeping records for tax purposes or transmitting information to a public body or authority;
• Legitimate interest: we will process information about you where it is in our legitimate interest to do so, to the extent that it does not harm your interests. This applies in particular to monitoring our relationships with customers / suppliers, conducting customer satisfaction surveys, preparing sales statistics, monitoring customer experience on our website. In addition, we have an interest legitimate to process your Personal Data in order to create and manage accounts in our webshop, to solve technical problems or to process requests or other types of messages related to the services, as well as to enter into or perform the contract, including the direct execution of orders and their shipment. If you participate in contests organized on our social media profiles, we process your Personal Data in order to organize and conduct the contest, as well as award prizes and announce results. The legal basis for the processing of these categories of Personal Data is our legitimate interest (Article 6 paragraph 1 letter f) of the GDPR). We also have a legitimate interest in the processing of personal data for the purposes of soft spam (use of the interested party's e-mail addresses to promote products or services similar to those being sold); in this case, you have the right to object to the processing of your Personal Data for this purpose by clicking on the appropriate "unsubscribe" link on each newsletter or by writing to us at IT.privacy@lyreco.com;
• The your consent: in some cases, we will ask you for specific permission to process some of your personal information and we will only process your personal data for that purpose if you allow us to do so. You can withdraw your consent at any time by contacting us in the manner specified below.

In Annex 1 to this Privacy Policy you will find a detailed outline of the Personal Data we collect, the related purposes and legal basis.

We also use cookies in order to improve your experience on our website; we invite you to consult the Cookie Policy section of this information.

How long do we keep your personal data?

We will retain your Personal Data for the duration of our business relationship and up to 3 years after the last contact or order with Lyreco, unless applicable law requires us to have different terms, in particular for archival and tax purposes. For example, the Personal Data mentioned in the invoices will be kept for a longer period, in accordance with the applicable legislation.

In the event that the basis for the processing of your Personal Data is our legitimate interest, we will process your Personal Data for the purpose of pursuing that interest until the latter ceases or we do not receive a request to object.

In the event that the basis for processing your Personal Data for a specific purpose is your consent, we will process your Personal Data for that purpose until you withdraw your consent. The withdrawal of consent does not affect the lawfulness of the processing based on consent before the withdrawal.

In the case of sending commercial information requested by you (newsletter), your Personal Data will be processed until you unsubscribe from the newsletter, which you can easily do by clicking on the link contained in each e-mail message containing the newsletter.

Your Personal Data relating to the use of our social media profiles will be processed for the period that you follow these profiles. If you have entered a contest organized by us, your Personal Data will be processed for the time necessary to conduct the contest and identify the winners, and in the event of a win - for approximately 10 years for tax and accounting purposes.

Who do we share your information with?

Your data is accessed and processed by Lyreco staff, for the purposes described above.

Lyreco does not share Personal Data with unaffiliated third parties, except as necessary for its legitimate professional and business needs, to fulfill your requests and / or as required or permitted by law. They therefore include:

·         Suppliers - Lyreco may grant access to Customers' Personal Data:

o   to its service providers or contractors: Lyreco transfers Personal Data to third party companies, such as systems (IT) providers, hosting providers, consultants and other suppliers of goods and services or contractors. Lyreco works with these suppliers to be able to process your Personal Data on its behalf. Lyreco will only transfer Personal Data to such subjects if they meet the rigorous standards adopted by Lyreco regarding data processing and security. Lyreco shares Personal Data for the sole purpose of providing its Services to Customers.

o   Lyreco will share information on payment related transactions with relevant parties. In the case of suppliers chosen by Lyreco, an adequate level of protection of your personal data will be required.

·           Courts, courts, law enforcement or regulatory authorities: Lyreco reserves the right to share your information to respond to duly authorized inquiries from government authorities or where required by law. In exceptionally rare circumstances, where national or societal security is concerned (e.g. in the event of a terrorist attack), Lyreco reserves the right to share its entire database of Customers and Customer Personal Data with relevant governmental authorities.

·           Auditors, auditors, accountants, legal consultants can access documents, such as invoices, which contain Personal Data of Customers, for the purposes of their respective assignments.

·         Lyreco may transfer your Personal Data to a prospective buyer, transferee, merger partner or seller and their advisors, in connection with an actual or potential, total or partial, transfer or merger of its companies or businesses, or of any related rights or interests, or to acquire a company or enter into a merger with it.

Lyreco will never sell your Personal Data to third parties, for example to marketers.

Lyreco does not provide Personal Data to "people search", "public lists" or "white pages" sites.

How and where is your Personal Data transferred?

Lyreco transmits your Personal Data only within states of the European Economic Area (EEA) and / or to countries that provide adequate protection, as confirmed by the European Commission, with the exception of the following cases.

If the processing involves a transfer of Personal Data to a state outside the European Union that does not guarantee adequate protection, as confirmed by the European Commission, Lyreco undertakes to protect the transfer with one of the following mechanisms:

-      Standard Contractual Clauses approved by the European Commission (for example, Standard Contractual Clauses for Data Controllers 2004/915/EC or Standard Contractual Clauses for Data Processors 2010/87/EU or any subsequent version);

-      Binding corporate rules: in the event that the interested third parties have adopted Binding corporate rules that cover the Personal Data processed by them.

-      Any other mechanism officially recognized by the applicable Data Protection Laws as such to ensure an adequate level of protection of Personal Data.

Lyreco processes, and will ensure that third parties also process, Personal Data in appropriate jurisdictions, as defined in the applicable Data Protection Law (s). These jurisdictions include states from the European Economic Area and countries recognized by the European Commission as providing an adequate level of protection (for more information, see European Commission, “Commission Decisions on the Adequacy of Personal Data Protection in Third Countries. " )

Details on the transfer of Personal Data to third countries, the guarantees applied to such transfer, as well as a copy of these guarantees can be obtained by contacting us by writing to the e-mail address IT.privacy@lyreco.com .

How do we ensure the processing of your Personal Data?

Lyreco performs security, technical and organizational checks, appropriate from a commercial point of view, to protect Personal Data from theft, loss or improper use. Personal Data will be stored in a secure operating environment, not accessible without authorization. Lyreco applies mitigation measures following periodic risk assessments, in order to guarantee an adequate level of protection of Personal Data.

When uploading sensitive information (such as credit card numbers and passwords):

• we encrypt this information to protect it against interception using SSL;
• the data are protected by encryption even during their conservation;
• we also use measures to improve security, such as the analysis of account behavior, to detect fraudulent or otherwise anomalous behavior;
• we may limit your use of the site's features in response to possible signs of abuse, remove inappropriate content or links to illegal content, and suspend or disable accounts if you violate our terms and conditions.

What are your rights regarding the processing of personal data?

You are granted the following rights regarding the processing of Personal Data carried out by or on behalf of Lyreco:

• Access

In addition to the information that is available on the Lyreco website, you have the right to access the Personal Data that Lyreco retains on you, subject to the exceptions contemplated in the applicable Data Protection Laws. Lyreco will endeavor to accommodate your request. Your identity will need to be confirmed before you are allowed to access your Personal Data. In general, Lyreco does not charge any cost to provide the requested information, but if the request is manifestly unfounded or excessive, in particular, due to its repetitive nature, Lyreco reserves the right to ask for a fee for such requests.

We ask you to send your request in writing:

·         IT.privacy@lyreco.com

·         Lyreco Italia srl, via Papa Giovanni Paolo II snc, 20040 Cambiago (MI)

The request must be complete with:

1      Phone number

2      Description of the specific documents to which access is sought, including their specific dates, where possible

Please provide as much detail as possible.

All formal access requests will be addressed to the Privacy Contact, for the purposes of subsequent review and to determine if Lyreco will have to provide the requested information. The Privacy Contact can be contacted at the following address: IT.privacy@lyreco.com.

• Edit

If you believe there is an error in your Personal Data, you have the right to request that the information be corrected. We may ask you to provide appropriate documentation to highlight any errors. We will correct the incorrect data within one month and will notify you as soon as the modification requested by you is completed. The GDPR recognizes the right to request the rectification of your Personal Data held by Lyreco if you believe there is an error or omission. It is your right to attach a statement indicating any corrections requested by you, but not made by Lyreco - which will inform each natural or legal person to whom the Personal Data has been transmitted within one year of your request for correction, informing them of the correction.

• Portability

It is your right to ask Lyreco to move, copy or transfer Personal Data concerning you from one IT environment to another, in a safe and secure way, without hindrance. This right applies to your Personal Data held by Lyreco, where the processing has been automated and used in consideration of Lyreco's provision of Services, pursuant to the contract entered into with the Customer, or if the processing is based on your consent. to Lyreco.

You can access the Lyreco online web portal and download the information provided in the “Export” section of the portal.

• Cancellation

Lyreco does not store Personal Data without a predefined and documented purpose. We comply with the laws that require us to delete Personal Data if there is no longer a reason for its collection and storage. We believe this meets the requirements of the privacy principle of the "right to be forgotten".

In the event that Personal Data is held by Lyreco are based on entering into a contract, and it is your desire to be removed from our systems before the expiration of the retention period indicated in the section "How long do we keep your Personal Data?", you are invited to contact our Privacy Contacts at following address: IT.privacy@lyreco.com.

If you have transmitted your Personal Data to us by registering, you can deactivate your account at any time. For security reasons, we have provided a cooling-off period of seven days after your account deletion request; however, accessing your account during that period will result in its reactivation. After deactivation and the cooling-off period expires, the account will be irrevocably suspended, ensuring that no one can use its ID yet.

• Objection to processing

It is your right to object to our processing of your Personal Data if we are no longer authorized to use it. In this case, Lyreco will refrain from further processing the Personal Data unless it demonstrates the existence of compelling legitimate reasons to proceed with the processing that override your interests, rights and freedoms or for the ascertainment, exercise or defense of a right in court.

• Withdrawal of consent

You have the right to withdraw any consent given to Lyreco. In any case, the withdrawal of consent does not affect the lawfulness of the processing based on consent before its withdrawal.

How can I contact, ask questions and / or propose complaints to Lyreco?

To exercise your rights, express a concern, raise a question, propose a complaint or obtain further information on the processing of your Personal Data by Lyreco, you can send an email to the following address: IT.privacy@lyreco.com by sending a document that proves your identity.

Lyreco undertakes to respond to the request within a period of between one month and three months, depending on the complexity of the request and / or the number of requests received by the company.

In the event of a dispute, it is possible to lodge a complaint with the local regulatory authority responsible for data privacy - Guarantor for the protection of personal data - Piazza Venezia n. 11 - 00187 ROME - Fax: (+39) 06.69677.3785 - Telephone: (+39) 06.696771 - E-mail: garante@gpdp.it - Certified mail: Protocol@pec.gpdp.it .

How do we update / change our Privacy Policy?

Lyreco may occasionally update or modify this Privacy Policy.

If so, it will notify you by posting a notice on the home page of its website or, if required by law, by sending you a notice directly. Lyreco invites you to periodically review this Privacy Policy to be always informed on how Lyreco helps protect the Personal Data collected. Continued use of the Lyreco Services constitutes acceptance by you of this Privacy Policy and its subsequent updates.

What does our Cookie Policy consist of?

Definitions

Cookies are short fragments of text (letters and / or numbers) that allow the web server to store information on the browser to be reused during the same visit to the site (session cookies) or later, even after days (persistent cookies) ). Cookies are stored, according to user preferences, by the single browser on the specific device used (computer, tablet, smartphone).

Cookies are useful because they allow a website to recognize the user's device. They have different purposes such as, for example, to allow you to navigate between pages efficiently, to remember your favorite sites and, in general, to improve the browsing experience. They also help to ensure that the advertising content displayed online is more targeted to the user and his interests. Based on the function and purpose of use, cookies can be classified into technical cookies, profiling cookies, third-party cookies. The Lyreco webshop exclusively uses technical cookies and third-party cookies.

Technical cookies

Technical cookies are those used for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or to the extent strictly necessary for the provider of an information society service explicitly requested by the subscriber or user to provide such service. They are not used for other purposes and are normally installed directly by the owner or manager of the website. They can be divided into navigation or session cookies, which guarantee the normal navigation and use of the website; analytics cookies, similar to technical cookies when used directly by the site manager to collect information, in aggregate form, on the number of users and how they visit the site; functionality cookies, which allow the user to browse according to a series of selected criteria in order to improve the service provided.

The prior consent of users is not required for the installation of these cookies.

These cookies can be disabled and / or deleted through the browser settings. All modern browsers allow you to change your cookie settings. These settings can usually be found in the "options" or "preferences" menu of the user's browser. To understand these settings, the following links may be helpful. Or you can use the "Help" option in your browser for more information.

·         Cookie settings in Internet Explorer : https://support.microsoft.com/en-us/help/17442/windows-internet-explorer-delete-manage-cookies#ie=ie-10

·         Cookie settings in Firefox : https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer?redirectlocale=en-US&redirectslug=Cookies

·         Cookie settings in Chrome : https://support.google.com/chrome/answer/95647?hl=en&ref_topic=14666

·         Cookie settings in Safari and iOS : https://support.apple.com/it-it/guide/safari/sfri11471/mac

·         Cookie settings in Opera: https://help.opera.com/en/how-to-clear-browser-cache-history-cookies/

If the use of cookies is blocked, the service offered to the user through the website will be limited, thus influencing the experience of using the site itself.

Profiling cookies

Profiling cookies are cookies used to track the user 's navigation on the network and create profiles on his tastes, habits, choices, etc. With these cookies, advertising messages can be transmitted to the user's terminal in line with the preferences already expressed by the same user while browsing online.

Lyreco does not use profiling cookies within its webshop.

Third party cookies

During navigation, the user may also receive cookies from different sites or web servers on his terminal (so-called "third-party" cookies): this happens because the site may contain elements such as, for example, images, maps, sounds, specific links to web pages of other domains that reside on servers other than the one on which the requested page is located. In other words, these cookies are set directly by website managers or servers other than the Lyreco website. Through these cookies, third parties may obtain information relating to the fact that you have visited the Lyreco webshop.

If the user decides not to grant authorization for the use of third-party cookies, only the functions of the webshop that do not require these cookies can be used.

Below, for each third-party cookie on the site, we report the name, purpose, name of the third party that stores the information and the related link to the third party's website.

Google Analytics

The Lyreco website also includes certain components transmitted by Google Analytics, a web traffic analysis service provided by Google, Inc. ("Google"). Also in this case these are third-party cookies collected and managed anonymously to monitor and improve the performance of the host site (performance cookies).
Google Analytics uses cookies to anonymously collect and analyze information on website usage behavior (including the user's IP address). This information is collected by Google Analytics, which processes it in order to draw up reports on the activities on the websites themselves. This site uses the Google analysis tool to monitor or collect personally identifiable information. Google does not associate the IP address with any other data held by Google nor does it try to link an IP address with the identity of a user. Google may also communicate this information to third parties where this is required by law or where such third parties process the aforementioned information on behalf of Google. For more information, please refer to the link below: https://www.google.it/policies/privacy/partners/

User may disable in a selective way the action of Google Analytics by installing opt -out component provided by Google on his browser. To disable the, please refer to the link below: https://tools.google.com/dlpage/gaoptout

Cookies can be saved on the terminal device based on the consent expressed in the web browser settings, but we use them for statistical purposes, development of services and marketing purposes (display of advertisements on websites), based on the legal basis of the legitimate interest (Article 6 paragraph 1 letter f of the GDPR).

Lyreco uses Google Analytics. Further information on the terms of use of Google Analytics by Lyreco is available at: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage?hl=it

Lyreco uses Google Analytics. For more information on Lyreco's use of Google Analytics, see: http://www.google.com/analytics/learn/privacy

To guarantee visitors to its website more choices on the collection of data by Google Analytics, Google has developed the browser add-on for the deactivation of Google Analytics . This add-on communicates with Google Analytics JavaScript (ga.js) to indicate that information about website visits should not be sent to Google Analytics. However, the deactivation of Google Analytics does not prevent the information from being sent to the site itself or to other web analytics services.

* * *

Annex 1 - Detailed table on personal data and related processing purposes

Privacy Policy - updated on 05 August 2022