Last Update: March 23, 2019

PRIVACY POLICY AND CONSENT TO PERSONAL DATA PROCESSING

Your personal data (hereinafter, the Data) will be processed using informatic and electronic methods and, for specific operations, in hard copy, by Edizioni Condé Nast S.p.A., with registered office in 20123 Milan, Piazzale Luigi Cadorna 5 (Condé Nast), in its capacity as data controller (the Data Controller) in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and the relative implementing provisions (jointly, the Regulation) to allow you to register with and access the Condé Nast websites (the Websites) as well as allow you to take advantage of the services connected to the Websites (for example: prize competitions, events, initiatives, etc., the Services) in compliance with regulations in force and in accordance with what is set forth in this disclosure.

A. DATA COLLECTED DURING REGISTRATION WITH THE WEBSITES AND SUBSEQUENTLY

When you register with the Websites, you will be asked to enter some Data. We encourage you to verify which Data are indicated as mandatory and which are instead optional, it being understood that the failure to provide Data marked as mandatory will prevent your registration with the Websites; failure to provide the Data marked as optional does not prevent your registration with the Websites, but could make it impossible to use some Services and/or certain communication channels and/or participate in some events (unless the user provides such Data subsequently). In particular, if users do not provide their mobile phone numbers, it will not be possible to contact them via SMS or another mobile messaging system, in the case of consent, to be invited to sneak previews or events and/or it will not be possible to participate in prize competitions and/or surveys carried out via SMS or another mobile messaging system. You may associate an image (“avatar” or similar) with your user profile and you will have the possibility to express preferences and establish which Data to make public and which to keep private in relation to other users of the Websites. The user bears full responsibility in this regard. Users may change their profile at any time and, if the Data Controller permits this, enter Data previously not provided in order to make use of the Services and/or participate in initiatives that would otherwise would not be available to them. By registering with the Websites, users will benefit from a series of exclusive Services reserved to registered users. The Websites are managed by the Data Controller by sending periodic e-mails to the e-mail address provided by the user, as well as a newsletter if the user has asked to receive it. With such communications, the Data Controller will inform you about the Services present on the Websites, news concerning the Websites and the initiatives that will be organised in favour of Website users or exclusively for registered users (for example: prize competitions, discussion/comment areas, invitations, etc.). The newsletter may also contain advertising banners, ads and advertising offers of the Data Controller as well as third parties, if the user has provided express consent to receive the commercial communications of third parties.

B. REGISTRATION FOR SPECIFIC SERVICES

To be able to take advantage of some specific and additional Services, when you register you may need to provide some Data in addition to those already provided when you registered for the Websites or when you registered for other Services. In that case, the Data requested will be indicated depending on the case as mandatory or optional according to the rules set forth in the previous point.

C. DATA PROCESSING PURPOSES

The Data will be processed by the Data Controller, according to principles of necessity, legality, fairness, proportionality and transparency (i) to allow for the use of the Websites and of each individual Service (including, for example, the periodic newsletter) requested; (ii) to fulfil all legal obligations; (ii) to send advertising materials and carry out promotional, marketing and/or direct sales activities regarding products and/or services sold and/or provided by the Data Controller, unless you decide not to receive these communications when you register with the Websites or subsequently; (iv) for the Data Controller to send commercial communications regarding the products or services of selected third party partners, with which the Data Controller has legal relations (in this case without the data being disclosed to third parties) only with your explicit consent; (v) to carry out profiling activities, or to evaluate your tastes, preferences and consumption habits, including by inviting you to participate in market research, and to subsequently send profiled marketing communications, only with your explicit consent. If you consent to the profiling referred to in point (v) above, this will require automated actions to place you in a category of subjects with similar characteristics (in terms of purchasing preferences) on the basis of your previous purchasing experiences, market analyses in which you may have participated, your demographic class (in relation for example to sex, age and place of residence) and your activities on the Websites. These activities are registered through the cookies present on the Websites (with regard to which see paragraph N below and the Condé Nast Cookie Policy in which you will find detailed information, including on how to disable cookies). Contact methods for direct marketing activities, on behalf of selected partners, and the profiling activities referred to in points (iv) and (v) above may be automated (via email or SMS) or traditional (telephone calls by an operator and mailings). In any event, you may revoke your consent, including partially, for example by consenting only to traditional contact methods.

D. LEGAL BASES OF DATA PROCESSING

Data processing for the purposes specified in point (i) of the paragraph above is carried out to enable you to use the Services, and therefore does not require your express consent (pursuant to article 6.1, letter (b) of the Regulation). Data processing for the purposes specified in point (ii) of the paragraph above is carried out to fulfil legal obligations, and therefore does not require your express consent (pursuant to article 6.1, letter (c) of the Regulation). Data processing for the purposes specified in point (iii) is carried out on the basis of the legitimate interest of the Data Controller to offer you its products and services (pursuant to article 6.1, letter (f) of the Regulation), unless you object when you register with the Websites or subsequently. In particular, the Data Controller may carry out these direct marketing activities lacking your express consent (by virtue of an assessment of the prevalence of its interest in sending direct marketing communications, lacking any real harm to your interests, rights and fundamental freedoms and as set forth moreover in Recital 47 of the Regulation, which qualifies processing personal data for direct marketing purposes as a “legitimate interest”), but only until you object to such processing. Data processing for the purposes specified in points (iv) to (v) of the paragraph above is carried out only if you provide your express and specific consent and on the basis thereof. The provision of Data for the purposes pursuant to points (i) and (ii) of the paragraph above is therefore necessary in order to register with the Websites and to enable you to make use of the Services: failure to provide them will make it impossible for you to register with the Websites. The provision of Data for the purposes pursuant to points (iii) to (v) is instead optional, but your refusal will make it impossible for the Data Controller to carry out direct marketing activities, on behalf of third parties or with profiling.

E. AREA OF COMMUNICATION AND DISSEMINATION OF DATA

The Data you provide will be processed in compliance with the Regulation and, in any event, in a manner so as to guarantee their security and confidentiality, prevent their unauthorised disclosure or use, alteration or destruction. The Data will be processed on hard copy media and/or with electronic methods, also with the support of electronic and computerised means, directly and/or through delegated third parties, according to logics strictly correlated with the purposes specified above. These subjects will operate as external data processors pursuant to art. 28 of the Regulation. The Data Controller will also directly process your Data in its technological infrastructure and/or by making use of the support and technological infrastructure of third party suppliers appointed as data processors. A list of all processors appointed by the Data Controller is available to you by writing to privacy@condenast.it. The individual processing operations will be entrusted to natural persons appointed as processors. Your Data will be stored in the servers available to the Data Controller situated in the European Union. Where for technical and/or operational reasons, it is necessary to make use of subjects located outside the European Union, or if it is necessary to transfer some of the collected Data to technical systems and services managed in cloud and located outside the European Union area, the treatment shall be regulated in compliance with the provisions of Chapter V of the abovementioned Regulation and shall be authorized according to the European Union specific decisions. All the necessary precautions shall therefore be taken to guarantee the most complete protection of personal data by basing this transfer: a) on adequacy decisions of the recipient third countries expressed by the European Commission; b) on adequate guarantees expressed by the recipient third party pursuant to article 46 of the Regulation; c) on the adoption of binding corporate rules, the so-called corporate binding rules.

F. UNDERAGE USERS

The Data Controller encourages parents to monitor their children’s use of the internet, for a secure and filtered use of the relative content, including by using parental control tools. Aside from guaranteeing an online environment suited to minors, these tools can prevent the disclosure of personal data by children or young people who do not have the consent of their parents. As regards the collection and processing of personal data, the Data Controller does not process the personal data of minors without the consent of their parents. Registration on the Websites is therefore permitted only to adult users or users who are at least 16 years of age. The Data Controller also encourages registration with the Websites by the parents of registered underage users: in this manner, the parents are able to use the Services and remain continuously up to date on the initiatives that the Data Controller makes available to their children, and to thus verify their compliance with their own expectations and educational models and development. In relation to the provision of certain Services, the Data Controller does not require users to provide their age, and/or it is not capable of knowing the age of users. The Data Controller therefore invites all users who are not 18 years of age not to communicate in any case their personal data without the authorisation of a parent, reserving the right to prohibit access to the Services and/or exclude from the Websites any users who have concealed the fact that they are underage or who have in any event provided their personal data without the consent of their parents even though they are less than 18 years of age.

G. CONNECTION TO THIRD PARTY WEBSITES AND SERVICES

In the Websites and/or other messages and/or communications that the Data Controller will send to the user as part of the provision of Services, there may be banners, advertising messages and/or ads of third parties, advertisers or commercial partners of the Data Controller. The Data Controller informs its users that by accepting the offers of the above-mentioned third parties, users may purchase goods or services and access multimedia pages exclusively pertaining to such third parties, which are outside the control of the Data Controller and which are not in any manner required to respect what is set forth in this disclosure. Therefore, the Data Controller invites users to provide their data to such third parties only if they receive suitable guarantees of confidentiality and to pay close attention before accepting the services that they offer, in relation to which the Data Controller cannot carry out any control, nor will it be involved in any manner whatsoever, or liable.

H. PERSONAL DATA STORAGE PERIOD

The Data collected for the processing purposes specified in points from (i) to (iv) of paragraph “Data Processing Purposes” will be stored (but not used for the purposes from (iii) to (iv) without your consent) until the deletion of the account on the Websites, or until your express request for the deletion of the Data (which will however entail the deletion of the account and make it impossible to continue to use the Services) except in the case of exceptional need of the Data Controller to store the Data to defend its rights in relation to disputes outstanding at the moment of the request or at the indication of the public authorities. The Data collected for the processing purposes specified in point (v) of paragraph “Data Processing Purposes” will be stored until you withdraw your consent to the profiled marketing activities described therein or until the deletion of the account on the Websites, or until your express request for the deletion of the Data, except in the case of exceptional need to store the Data to defend its rights in relation to disputes outstanding at the moment of the request or at the indication of the public authorities.

I. YOUR RIGHTS

Please recall that you have the right: – to have the processing stopped if your Data were processed for direct marketing purposes, also in relation to products or services identical to those already acquired from the Data Controller and/or provided through the Websites (right to object) – to obtain information about the purposes for which your Data are processed, the processing period and the subjects to which the Data were communicated (right of access) – to have incorrect Data regarding you rectified or supplemented (right to rectification) – to have Data regarding you deleted in the following cases (a) the Data are no longer necessary for the purposes for which they were collected; (b) you have withdrawn your consent to the processing of the Data if they were processed on the basis of your consent; (c) you have objected to the processing of the Data regarding you if they were processed for a legitimate interest of the Data Controller; or (d) the processing of your Data is not compliant with the law. However, please note that the storage of Data by the Data Controller is lawful provided it is necessary to enable you to fulfil a legal obligation or to establish, exercise or defend a right in court (right to erasure). – to have the Data regarding you only saved without any other use being made of them in the following cases (a) you contest the accuracy of the Data, for the period necessary to enable us to verify the accuracy of such Data; (b) the processing is unlawful but you object in any event to the deletion of the Data by the Data Controller; (c) the Data are necessary to you for the establishment, exercise or defence of a right in court; (d) you have objected to the processing pending the verification of any prevalence of the legitimate grounds to processing of the Data Controller with respect to those of the data subject (right to restriction) – to receive in a structured, commonly used and machine-readable format the Data regarding you processed with automated means, if they were processed based on your registration with the Websites or on the basis of your consent (right to portability). Lastly, please recall that you have the right to contact the Data Protection Authority at Piazza di Monte Citorio, 121 – 00186 Roma (RM) to enforce your rights in relation to the processing of your personal data.

L. CONTACT INFORMATION TO ENFORCE YOUR RIGHTS

The Data Controller is Edizioni Condé Nast S.p.A. Pursuant to arts. 37 et seq. of the Regulation, the Data Controller has appointed a Data Protection Officer (“DPO”), with official address at the registered office of Edizioni Condé Nast S.p.A., and who may be contacted for issues relating to the processing of your Data at privacy@condenast.it. By writing to the same e-mail address, you may exercise the rights specified in the paragraph above. You may also modify the consent provided with respect to the processing of your Data by the Data Controller at any time, directly through the privacy settings of your account. In addition to the foregoing, if you are no longer interested in the promotional e-mail messages sent by the Data Controller, simply click on the link at the bottom of those messages to opt out of receiving e-mails.

M. AMENDMENTS TO THIS DISCLOSURE

Without prejudice to the fact that the Data Controller in any event does not proceed with processing other than that expressly authorised and/or requested by each user, this disclosure may be subject to amendments to comply with new legal provisions, changed Data Controller personal data processing policies and/or following modifications in the characteristics of the Websites and/or the Services. Every updated version of this disclosure will be made available on the Websites in the dedicated section: the Data Controller therefore invites all users to periodically consult the Websites to remain up to date on the most recent version published.

N. WEBSITE BROWSING AND COOKIES

A cookie is a small quantity of data containing an anonymous unique identification code that is sent to your browser by a web server and is subsequently saved on the hard disk of the user’s computer. Cookies are then reread and recognised only by the website that sent them any time subsequent connections are made. The cookies used by the Data Controller are text files that the Websites transfer to the user’s computer in order to facilitate browsing. Thanks to cookies, the recognition of registered users may be facilitated, avoiding for example authentication requirements (using the log-in and password) during every access to the Websites. Cookies can also enable Users to personalise their use of the Websites by saving preferred settings. Cookies also record some information relating to user browsing. All users have the right to autonomously deactivate cookies through the software used on their personal computers to consult the internet (“browser”). Many browsers are set to accept cookies by default unless the user changes the settings. You should check your browser’s cookie settings and adjust them based on your preferences, however keeping in mind that to make use of certain Services, it may be necessary to enable the receipt of cookies (in those cases, you will be duly informed). The technological platform through which the Websites are made available to users, including through cookies, automatically registers certain information on the user’s personal computer and browsing, such as: the name of the internet access provider, the site of origin, the pages visited, date and duration of the visit, etc. This information is used only to allow access to the Websites and/or the use of certain Services and/or may be used in aggregated form for statistical purposes. The Websites also have the possibility to analyse, again in aggregated form, the opinions and preferences expressed by users within the scope of the Services made available.