
Data protection — GDPR compliance for merch programs in Italy

Welcome-kit and gifting programs handle personal data: name, address, T-shirt size, dietary preferences. Here is how we keep it compliant with the GDPR and the Italian Codice in materia di protezione dei dati personali (D.Lgs. 196/2003 as amended by D.Lgs. 101/2018), which is supervised by the Garante per la protezione dei dati personali.

What personal data we process and why

When you upload a recipient list (welcome kits, gifting, event swag with delivery to home address), we process: full name, delivery address, email (for tracking), phone (carrier handoff), T-shirt size (for apparel orders). Legal basis: contract (Art. 6(1)(b) GDPR) where you act as controller and we as processor. We sign a DPA (Data Processing Agreement) on every framework contract.

Retention, deletion and right of access

Personal data is retained for 90 days post-delivery for warranty/return purposes, then automatically purged from active systems. An encrypted archive is kept for 24 months for invoice/audit. Rights of access (Art. 15), erasure (Art. 17) and portability (Art. 20) are honoured within 30 days of request. Data subject requests are handled via our DPO ([email protected]).

Sub-processors and international transfers

Sub-processors are disclosed in the DPA: carriers (DHL, UPS, FedEx, BRT, SDA), email gateway (transactional only), cloud hosting in EU data centres (Frankfurt/Dublin). No transfer outside the EEA takes place without SCCs (Standard Contractual Clauses) in place. The recipient list is never used for marketing, never enriched, never resold.

Italy — local data-protection authority

IVA 22% via SdI (Sistema di Interscambio). We comply with the requirements of the Italian Garante per la protezione dei dati personali and the Codice in materia di protezione dei dati personali (D.Lgs. 196/2003 as amended by D.Lgs. 101/2018). The privacy notice for data subjects is available in Italian and English. Personal data on shipment labels is printed at the Milano hub on demand and disposed of securely after print.

FAQ

Are you a controller or processor?

Processor — you remain the controller of the recipient list. A DPA is signed on the framework contract.

Where is the data hosted?

EU data centres (Frankfurt and Dublin). No transfer outside the EEA.

Can we get a sub-processor list?

Yes — the current list is published in the DPA annex, with 30-day notice on any change.

Data breach notification?

We notify you within 24 hours of awareness, with details to support your 72-hour notification to the data protection authority.

Right to be forgotten on welcome-kit list?

Yes — the recipient can email [email protected]; data is purged from active systems within 30 days.
