Pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (“GDPR”)
1. Data Controller and Data Protection Officer
The personal data provided through this form will be processed by Brunello Cucinelli S.p.A., headquartered in
Corciano (PG), Solomeo district, Viale Parco dell’Industria n. 5, tax code and registration number with the Perugia
Business Register 01886120540, acting as Data Controller (hereinafter, the “Controller,” “Company,” or “BC”),
reachable at the e-mail address privacy@brunellocucinelli.it.
The Data Protection Officer (“DPO”), available for any information regarding the processing of your data and your
privacy rights, can be contacted at dpo@brunellocucinelli.it.
2. Categories and Types of Personal Data Processed and Source of Data
The personal data processed includes both “ordinary data” and, where applicable, “special categories” of data as
per Article 9 GDPR. In detail, among ordinary data, the Controller will process your identifying and personal
information, contact details, information for bookings concerning travel and movements, as well as reservations
in hotels or similar facilities, your preferences regarding the organization of experiences you wish to participate in
(e.g., cultural, artistic, culinary or wine experiences, special events for children, sports and leisure activities). Among
special categories, the Controller, where provided by you and with your explicit consent, may process information
regarding any allergies, food intolerances, or specific dietary regimes.
Such data may be provided directly by you during registration for events/experiences organized by the Company
or, alternatively, by the organizers of the events/experiences.
If, during the event/experience booking, you provide data relating to third parties (i.e., identifying data of
companions, including children and minors), please note that, with respect to such data, you act as their
independent data controller, assuming all legal obligations and responsibilities. In this respect, you provide the
broadest indemnity in relation to any dispute, claim, or compensation request for processing that may reach the
Controller from third parties whose personal data were processed through your voluntary submission in violation
of applicable data protection laws. In any case, should you provide or otherwise process personal data of third
parties, you guarantee – accepting all related responsibilities – that such processing is based on a suitable legal
ground legitimizing the processing of the relevant information.
3. Purpose of Processing, Legal Basis, and Nature of Data Provision
The aforementioned personal data will be collected and processed to organize and manage the event or
experience you have chosen to participate in (“Purpose of event/experience organization and management”).
In particular, information about allergies, food intolerances, and specific dietary regimes will be processed to
enable the Company to arrange a suitable meal with the Corporate Restaurant (or other selected facility)
according to your dietary needs.
The legal basis for such processing lies in the necessity to carry out pre-contractual measures requested by you
and the contract to which you are a party (Art. 6, para. 1, letter b) GDPR); regarding the aforementioned special
categories of data, the legal basis is your prior explicit consent (Art. 9, para. 2, letter a) GDPR), which can be revoked
at any time without prejudice to the lawfulness of processing conducted before the revocation.
The provision of these data for the purpose of organizing and managing the event/experience is optional; however,
if you do not provide them, the Controller may be unable to allow you to participate in the chosen
event/experience or to adapt it to your needs or preferences.
Once provided or otherwise collected, your personal data may also be processed for the following purposes:
- to fulfill any legal obligations incumbent upon the Controller (“Compliance Purpose”).
- to establish and exercise a right and meet any defensive needs in court, out-of-court, and pre-litigation phases
(“Defensive Purpose”).
The legal basis for processing for the Compliance Purpose is the need to fulfill legal obligations incumbent on the
Controller pursuant to Art. 6, para. 1, letter c) GDPR.
The legal basis for processing for the Defensive Purpose is the legitimate interest of the Controller pursuant to Art.
6, para. 1, letter f) GDPR, consisting in the need to establish and exercise a right and meet any defensive needs in
court, out-of-court, and pre-litigation phases; regarding any special data provided, the legal basis is Art. 9, para. 2,
letter f) GDPR.
4. Recipients of Personal Data
In pursuing the purposes indicated above, your personal data will be shared:
• with the Company’s employees, who have been duly trained and authorized to process the data pursuant to
Arts. 29 and 32, para. 4 GDPR and Art. 2-quaterdecies of Legislative Decree 196/2003 (“Privacy Code”);
• with service providers involved in the event/experience you have chosen to participate in, as well as IT providers
used by the Company, all acting as data processors pursuant to Art. 28 GDPR;• with other entities and authorities, where required by applicable law, acting as independent data controllers.
You may request the complete list of recipients of your personal data by writing to the contacts provided above
in section 1.
5. Transfer of Data to Third Countries or International Organizations
The Controller does not transfer your personal data outside the European Economic Area.
In case of transfer, it will occur in compliance with applicable legal provisions, adopting suitable safeguards
outlined in Regulation (EU) 2016/679 (i.e., European Commission adequacy decisions, Standard Contractual
Clauses, or other appropriate measures to ensure personal data protection).
6. Data Retention Period
Your data will be retained for the time strictly necessary to organize and manage the event/experience you have
registered for and will be immediately deleted at the end of the event/experience management and, in any case,
within thirty days following its conclusion. However, the Controller reserves the right to retain your data for the
time necessary to fulfill legal obligations and to establish and exercise a right and meet any defensive needs in
court, out-of-court, and pre-litigation phases.
7. Your Privacy Rights
As a data subject, you may, at any time, exercise the following rights:
• Right to withdraw consent (Art. 7 GDPR) – You have the right to withdraw consent at any time, without
prejudice to the lawfulness of processing conducted before withdrawal;
• Right of access (Art. 15 GDPR) – You have the right to obtain confirmation as to whether your personal data is
being processed and receive all relevant information about such processing;
• Right to rectification (Art. 16 GDPR) – You have the right to obtain the correction of your personal data if
incomplete or inaccurate; please note that, with regard to personal data collected through audio and video
recording systems, the right to rectification cannot in practice be exercised due to the intrinsic nature of such
data, which pertains to objective and determined facts;
• Right to erasure (Art. 17 GDPR) – In certain circumstances, you have the right to obtain the erasure of your
personal data from our records;
• Right to restriction of processing (Art. 18 GDPR) – Under certain conditions, you have the right to obtain
restriction of the processing of your personal data;
• Right to data portability (Art. 20 GDPR) – You have the right to obtain the transfer of your personal data to
another data controller and to receive your data in a structured, commonly used, and machine-readable
format;
• Right to object (Art. 21 GDPR) – You have the right to object to the processing of your personal data, stating
the reasons justifying your objection; the Controller reserves the right to assess your request, which may not
be accepted if there are overriding legitimate grounds for processing that prevail over your interests, rights,
and freedoms;
• Right to lodge a complaint with the Supervisory Authority (Art. 77 GDPR) – as outlined below, if you believe
that the processing concerning you violates data protection law, you may lodge a complaint with the
Supervisory Authority of the Member State where you habitually reside, work, or where the alleged violation
occurred;
• Right to take legal action (Art. 79 GDPR).
Solomeo, February 2025
Brunello Cucinelli S.p.A.