INFORMATION NOTICE ON THE PROCESSING OF PERSONAL DATA PURSUANT TO ARTICLES 13 AND 14 OF EU REGULATION 679/2016 (“GDPR”)

Your privacy is extremely important to us, please read this information notice carefully.

We wish to inform you in a complete and transparent manner about the personal data processing that the companies listed in paragraph 1 below will carry out on your personal data provided by you and/or collected in the context of the contacts you will possibly have with us, including for example the following:

1. WHO COLLECTS YOUR PERSONAL DATA

The companies collecting and processing personal data as autonomous data controllers (hereinafter the “Data Controllers” or the “Companies”) or as Joint Controllers are:

OTB and Diesel carry out some activities as joint controllers, taking jointly the decisions regarding the purposes and means of personal data processing. Hereafter, the term “Joint Controllers” means Diesel and OTB jointly considered when they process data as joint controllers.

To facilitate your understanding of the processing activities carried out by the above mentioned subjects as Controllers or Joint Controllers, we have prepared this document explaining which processing activities are carried out autonomously by each company.

Please consider that said processing activities are not intended for minors and the Data Controllers do not knowingly collect or solicit personal data from anyone under the age of 16. If you are less than 16 years old, please refrain from provide any personal data. This does not affect the applicable contract law such as the rules on the validity, formation or effect of a contract in relation to a child.

2. WHAT PERSONAL DATA WE PROCESS

Each Company collects different categories of personal data according to the purpose for which it processes them.

Herein below we specify which categories of personal data are collected; in the following paragraph we will explain for what purposes each category of data is processed by each Data Controller or by the Joint Controllers as appropriate (hereinafter also “Personal Data” if processed jointly).

3. FOR WHAT PURPOSES WE PROCESS YOUR PERSONAL DATA

In this paragraph we explain for what purposes each category of data is processed by each Data Controller or Joint Controller.

3.1 PURPOSES OF DIESEL S.P.A.

Diesel is the company that designs, sells and promotes the Brand’s products “Diesel”. It is the company maintaining the contacts with you if you decide to purchase the products through the Site or other websites controlled by Diesel or through other methods provided for by Diesel itself, if you participate in initiatives promoted by Diesel as prize competitions or other promotional initiatives; Diesel is also the company managing the loyalty program that you can sign in. Diesel will process Personal Data for the following purposes.

a) Sales activities and response to other requests made by customers

If you purchase Diesel’s products through the e-commerce service on the Site or through other methods provided for by Diesel itself, Diesel will process your Biographical Data, Contact Data, Sales Data and Purchase Data to conclude the sale, as well as for all activities strictly connected and related to it, such as delivery or other administrative and accounting obligations.

Similarly, Diesel may need to verify the requirements for participating to special discount programs (e.g. verifying if the purchase made is a first purchase or other requirements of the regulation) and to process your Biographical Data or Contact Data to respond to any further requests that you may formulate through the Site or through the Customer Service, through telephone or chat, such as requests for information, assistance, or to be notified by email when a desired product or size becomes available again on the Site, through the “Notify Me” functionality.

Legal basis: this processing is based on the performance of a purchase contract to which you are a party; the provision of the personal data listed above is necessary for this purpose, since otherwise Diesel will not be able to process your request..

b) Loyalty program Registration

The Biographical Data, Contact Data, Purchase Data and Loyalty Data will also be collected by Diesel to manage your request to join the loyalty program ( called “House of Diesel”, whose Regulation is available at the following link). These data will be processed to complete your membership and for all purposes strictly connected to it or instrumental, including - firstly - all the activities provided for in the loyalty program. Registration could take place: i) online through the Site; ii) offline in the participating shops, by completing the application form present in electronic (tablet or another smart tool) format or through flyers (distributed in shops) with a special QR code, through which customers can join the program themselves via the Site, iii) through further official channels of Diesel S.p.A., (for example, but not limited to social networks such as Facebook, Instagram, WeChat etc.), or iv) through the Customer Service.

All communications relating to the loyalty program may be made by Diesel via the Site, SMS, MMS, Wallet, e-mail, newsletter, social networks and/or any other official communication channel of Diesel. All these communications relating to the program itself are sent solely for the purpose of making available the benefits related to it and do not constitute marketing communications.

Furthermore, by creating an account on the Site in the reserved area, the user will become part of the Diesel’s loyalty program. If you wish to take advantage of the services available on the Site (e.g., purchase products) without joining the program, simply choose the “Guest” option where available (e.g., during checkout for payments).

Legal basis: this processing is based on the performance of a contract for joining the loyalty program to which you are a party; the provision of the Personal Data listed above is necessary for this purpose, since otherwise Diesel will not be able to process your request.

c) Participation in prize contests

Diesel will be able to process your Biographical Data to allow you to participate in prize contests that Diesel could organize. In certain situations, for example to proceed with the delivery of the prize, your Contact Data could also be processed. If participation in the contest requires further information, these will be requested to you upon release of a specific privacy policy.

Legal basis: this processing is based on the performance of a contract for attending the relevant prize contests to which you are a party; the provision of the Personal Data listed above is necessary for this purpose, since otherwise Diesel will not be able to process your request.

d) Marketing

Only with your consent, Diesel will process the Biographical Data, Contact Data and Purchase Data for marketing purposes, that is for advertising on social networks to which you are registered or sending advertising or direct sales material, carrying out market research, commercial communication with automated contact methods (e-mail, newsletter, SMS, MMS, online messaging platforms, etc.) and traditional contact methods (mail).

Legal basis: this processing is based on the consent you have given. In the event that you are registered in the loyalty program and decide to withdraw your consent to marketing, you will continue to receive communications relating to benefits (such as the Birthday or Anniversary Gift or preview access to the new collections and promotions only reserved to members). If, in addition to the withdrawal of consent, you do not want to receive this kind of communication anymore, you will be asked to specify it. Any removal from the loyalty program will also result in the cancellation of your online account, if you have one.

You can at any time withdraw your consent to receive the above-mentioned communications by clicking on the appropriate option in each marketing email received, as well as by writing to the address privacy@diesel.com, or otherwise by contacting the Company at the addresses indicated in paragraph 1.

e) Customer satisfaction

Diesel may use your Contact Data to conduct surveys to measure the level of satisfaction (i.e., customer satisfaction) with the service provided (by way of example but not limited to: in-store post-sales surveys; online post-sales surveys; second hand gold shopping surveys etc.). Please note that in any case the communications made for this purpose will not have an advertising content, or direct sales or will be used for market research or commercial communication.

Legal basis: this processing is based on the legitimate interest of Diesel to verify and improve the quality of its services.

f) Other administrative-accounting activities

Diesel may also process your Personal Data for administrative, accounting and internal statistical analysis for business planning purposes.

Legal basis: this processing is based on the legitimate interest of Diesel to improve the quality of its services and business.

3.2 PURPOSES OF THE JOINT CONTROLLERS (DIESEL AND OTB)

Diesel and OTB operate as Joint Controllers on the basis of a specific agreement for the purpose indicated below.

a) Customer profiling

With your consent, the Joint Controllers will be entitled to process Biographical Data, Contact Data, Sales Data, the Purchase Data, Loyalty Data, Tracking of Newsletters Data and Actions Data and the Navigation Data for profiling purposes and for business analysis, that is for analysis on your purchase preferences consisting of automated processing of the above mentioned Personal Data. This processing is aimed at analytically knowing or predicting your purchasing preferences also in order to create customer profiles and customize the commercial offer so that it is more in line with your preferences.

Legal basis: this processing is based on the consent you have given.

You will be entitled at any time to withdraw your consent to be subject to profiling by writing to privacy@diesel.com or otherwise by contacting the Joint Controllers at the addresses indicated in paragraph 1.

3.3 PURPOSES OF EACH DATA CONTROLLER OR JOINT CONTROLLER

Finally, each Data Controller or Join Controller may need to comply with a specific legal provision to which it is subject or to defend its own right in court.

a. Purposes related to the obligations established by laws or regulations, by decisions/requests of competent authorities or by supervisory and control bodies

Each Data Controller or Joint Controller may process your Personal Data to comply with a legal obligation to which it is subject.

Legal basis: compliance with a legal obligation.

The provision of data for this purpose is mandatory because in the absence of data the Data Controller or the Joint Controller will not be in a position to comply with their legal obligations.

b. Defense of rights during judicial, administrative or extra-judicial proceedings and in disputes arising in connection with the services offered

Your Personal Data may be processed by each Data Controller or Joint Controller to defend their rights or take legal action or make claims against you or third parties, including the prevention of fraud.

Legal basis: this processing is based on the legitimate interest pursued by the Data Controller or Joint Controller to protect their rights.

4. WHAT PROCESSING ACTIVITIES WE CARRY OUT WHEN YOU’RE USING OUR SITE AND YOU NAVIGATE WITHOUT BEING LOGGED IN

The Site is owned by Diesel. It is possible to browse the Site without having to actively communicate your Personal Data if you are not logged in. In this case, while browsing the Site, we inform you that the computer systems and software procedures used to operate the Site acquire, during their normal operation, some data whose transmission is implicit in the use of Internet communication protocols.

This is information that is not directly associated with identified users, but which by its very nature could, through processing and association with data held by third parties, allow these users to be identified.

This category of data includes the IP addresses or domain names of the computers used by users who connect to the Site, the addresses in URI (Uniform Resource Identifier) notation of the requested resources, information regarding access, information regarding location , the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.), the information regarding the user’s visit including data clickstream of the URL, within and from the Site, the duration of the visit on some pages and the interaction on these pages and other parameters relating to the operating system and the user’s IT environment.

These data are collected through the use of “cookies”. We specifically use browser cookies for various purposes, including cookies strictly necessary for the operation of the Site and the use of services through the appropriate features, and the cookies that are used for personalization, performance/analysis and promotional activities. Our Cookie Policy, available [http://diesel.com/shop/content/cookiepolicy], contains more information regarding the use of cookies on the Site, as well as the options for accepting or rejecting them.

The data collected while browsing the Site will be processed to (i) manage the Site and resolve any operating problems, (ii) make sure that the content of the Site is presented in the most effective way for its devices, developing, testing and making improvements to the Site, (iii) as far as possible, to keep the Site safe and secure, (iv) to obtain anonymous statistical information on the use of the Site and to check its correct functioning, (v) identify anomalies and/or abuses in the use of the Site. The data could also be used to ascertain responsibility in case of possible computer crimes committed against the Site or third parties and may be presented to the Judicial Authority, if this makes an explicit request.

5. WHAT HAPPENS IF YOU DO NOT PROVIDE PERSONAL DATA

Some Personal Data that we will indicate you from time to time during the registration or purchase process are necessary for the completion of the purchase contract and for administrative and accounting purposes.

In the description of the purposes in paragraph 3, we have specified when it is necessary to provide Personal Data. Where not expressly indicated as mandatory, therefore, the provision of Personal Data is optional and there will be no consequences if you do not provide them, if not the impossibility for the Data Controllers or Joint Controllers to act as described (for example, the impossibility to carry out marketing activities).

6. HOW AND HOW LONG WE WILL PROCESS PERSONAL DATA

The Personal Data provided to and/or collected by the Data Controllers or the Joint Controllers are processed and stored with automated tools and, in some cases, may be processed and stored on a paper backing. In particular, the Personal Data processed for purposes of marketing and of customer profiling will be entered and stored in the CRM systems that allow the processing of Personal Data for these purposes.

The Personal Data (either electronical and paper copies) will be stored for the time necessary to achieve the purposes for which they were collected. In particular, the following rules will apply:

In any case, for technical reasons, the termination of the processing and the consequent cancellation or irreversible anonymization of the related Personal Data will be definitive within thirty days from the terms indicated above.

The cancellation process is carried out periodically on the basis of the customer's request or at the expiry of the retention period, through an automatic flow that involves the data bases concerned; otherwise, Personal Data will be permanently anonymized; the hard copies will be destroyed by using appropriate devices.

With particular reference to the judicial protection of our rights or in case of requests from the authority, the data processed will be stored for the time necessary to process the request or to protect the right.

7. WHERE PERSONAL DATA MAY BE TRANSFERRED

For the purposes indicated above, we may also transfer your Personal Data to third countries, not belonging to the European Union, which may possibly do not guarantee the same level of protection. The transfer to third countries will always take place in accordance with the provisions of the GDPR, adopting any other measures necessary to ensure the security of the Personal Data being transferred. These measures possibly include agreements incorporating the so-called “standard contractual clauses” issued by the European Commission or your consent. You can ask for information regarding this third countries and how to obtain a copy of the appropriate safeguards using the following email address privacy@diesel.com or writing to the postal addresses indicated above.

8. WHO WILL PROCESS PERSONAL DATA

Personal Data will be processed by:

Personal Data may also be disclosed to third parties, independent Data Controllers, in particular to freelancers or companies providing legal or tax advice and assistance and to companies managing payments made by debit or credit cards or for fraud prevention and management activities. Furthermore, in order to be able to offer you Klarna’s payment options, we will pass to Klarna certain aspects of your personal information, such as contact and order details, in order for Klarna to assess whether you qualify for their payment options and to tailor the payment options for you. General information on Klarna you can find here. Your Personal Data is handled by Klarnas as Data Controller in accordance with applicable data protection law and in accordance with the information in Klarnas privacy statement.

Personal Data will not be disseminated in any way.

9. YOUR RIGHTS

Pursuant to Chapter III of the GDPR, you have the right to ask each Data Controller or Joint Controller:

Right to object: in addition to the rights listed above, you always have the right to object at any time to the processing of your Personal Data carried out by the Data Controller or Joint Controller for the pursuit of its legitimate interest. You have the right to object to direct marketing, which includes profiling. If you prefer that the processing of your Personal Data is carried out solely through traditional contact methods, you can object to the processing of your Personal Data carried out through automated contact methods.

You also have the right to withdraw, in whole or in part, the consent to the processing of Personal Data concerning you for the purpose of sending advertisements or direct selling or for carrying out market research or commercial communication with automated contact methods (e-mail, other remote communication systems via communication networks such as, for instance: SMS, MMS, messaging platforms, etc.) and traditional contact methods (mail).

The exercise of these rights, which can be done through the contact details indicated in paragraph 1, is not subject to formal constraints. In the event that you exercise any of the above mentioned rights, it will be the responsibility of the Data Controller or Joint Controller that you contacted to verify if you are entitled to exercise the right and to provide you with an answer, normally within a month.

As regards the Joint Controllers relationship, please note that OTB and Diesel entered into a specific agreement pursuant to article 26 of the GDPR, an extract of which is available for consultation contacting each of the Joint Data Controllers using the contact details indicated under paragraph 1.

If you believe that the processing of your Personal Data is carried out in breach of the provisions of the GDPR, you have the right to lodge a complaint with the Supervisory Authority or to start the appropriate legal actions before the competent courts.

To exercise your rights, you can send a request to the Data Controllers or Joint Controllers by writing to the addresses indicated in paragraph 1. The OTB and Diesel’s Data Protection Officer can be contacted at the email address dpo@otb.net.