Digital Product Passport

PRIVACY POLICY

PRIVACY NOTICE FOR REGISTRATION ON THE “DIGITAL PRODUCT PASSPORT”

 

Pursuant to Article 13 of Regulation (EU) 2016/679 (“GDPR”)

 

1. DATA CONTROLLER

Poltrona Frau S.p.A., a single-member company with registered office at Via Luigi Busnelli 1, 20821 Meda (MB), subject to management and coordination by Haworth Italy Holding S.r.l., VAT no. 05079060017 (hereinafter, “Poltrona Frau” or the “Controller”), is the controller of the personal data collected through the “Digital Product Passport” platform. For any request concerning personal data protection, the Controller can be contacted at: [email protected].

 

2. PURPOSE OF PROCESSING, LEGAL BASIS, CATEGORIES OF DATA, AND RETENTION PERIOD 

 

Purpose: a) Registration and management of the account on the “Digital Product Passport” platform
Legal basis: Performance of a contract or pre-contractual measures (Art. 6(1)(b) GDPR)
Data categories: First name, last name, email, login credentials, authentication method, serial number (PIN), activation date, access logs
Retention period: For the account duration and up to 10 years after deactivation for possible reactivation or post-use support

 

Purpose: b) Linking the product to the user and access to reserved content (e.g. design history, maintenance instructions)
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR)
Data categories: First name, last name, email, login credentials, product ID code, serial number (PIN), date and place of purchase, retailer or website, delivery/installation address
Retention period: For the account duration and up to 10 years after deactivation for possible reactivation or post-use support

 

Purpose: c) Fulfillment of legal obligations (e.g. compliance with EcoDesign regulations)
Legal basis: Legal obligation (Art. 6(1)(c) GDPR)
Data categories: First name, last name, email, purchase data, technical activation data
Retention period: As required by applicable legislation

 

Purpose: d) Sending promotional communications, newsletters, event invitations, satisfaction surveys, and market research via automated tools (email, SMS, push notifications) and traditional means (paper mail, phone)
Legal basis: Data subject’s consent (Art. 6(1)(a) GDPR)
Data categories: First name, last name, email, communication preferences, data related to the purchased product, country and purchase channel
Retention period: Up to 10 years from collection or until objection

 

 

3. METHODS OF PROCESSING

 

Data will be processed using electronic and/or manual tools in accordance with principles of lawfulness, fairness, transparency, minimization, and security. Access will be restricted to authorized personnel and third-party processors.

 

4. DATA RECIPIENTS

 

Personal data may be disclosed or made accessible, within their respective responsibilities, to:

▪ Authorized personnel within the Controller’s organization (e.g. IT, marketing, customer care);

▪ Technology and digital service providers, including Aura Blockchain Consortium S.A., as data processor, for managing the platform and blockchain functions;

▪ Temera S.r.l., for NFC token and authentication flow management;

▪ Providers of consulting, technical support, hosting, maintenance, and development services;

▪ Public authorities or bodies as required by law or regulation.

 

Data recorded on the blockchain will be pseudonymized and not directly attributable to the user. Only cryptographic (non-reversible) references (hashes) will be stored, not personal data in clear form.

 

5. DATA SUBJECT RIGHTS

 

At any time, by writing to [email protected], users may exercise their rights under Articles 12 and 13 GDPR:

▪ Right of access (art. 15 GDPR);

▪ Right to rectification of inaccurate or incomplete data (art. 16 GDPR);

▪ Right to erasure (art. 17 GDPR);

▪ Right to restriction of processing (art. 18 GDPR);

▪ Right to object, in particular to processing based on public interest or legitimate interest under Art. 6(1)(e) or (f) GDPR.


Users may also lodge a complaint with the Italian Data Protection Authority (“Garante Privacy”) or other competent authorities (Art. 77 GDPR).
Where processing is based on consent or a contract and is carried out by automated means, users may exercise the right to data portability (Art. 20 GDPR).
Users may also opt to receive marketing communications only via traditional means, and withdraw consent for automated marketing at any time.

 

6. DATA PROTECTION OFFICER (DPO) CONTACT

 

The Controller has appointed a Data Protection Officer, who can be contacted at: [email protected].

Last update: 21/06/2025