Privacy Notice

This privacy notice (the “Notice”) applies to the processing of personal data (hereinafter, “Personal Data”) of the users (hereinafter, the “User/s” or the “Data Subject/s”) carried out by DS Smith Packaging Italia S.p.A., based in Via Torri Bianche, 24 - 20871 Vimercate (MB) (hereinafter, the “Data Controller” or the “Company”) through the website/App (hereinafter, the “Website”) in accordance with Regulation (EU) no. 679 of 27 April 2016 - General Data Protection Regulation or the “GDPR” - as well as the Italian Legislative Decree 196/2003 (as amended) and other applicable local laws, as amended or replaced (jointly, the “Applicable Privacy Laws”).

I. Data Controller’s and Data Protection Officer’s contact details 

The Data Controller is DS Smith Packaging Italia S.p.A., based in Via Torri Bianche, 24 - 20871 Vimercate (MB), VAT IT12614920150. For any requests regarding the processing of Personal Data, please email us at: .

II. Categories of the processed Personal Data, purposes and legal basis for the processing

The Company processes the following categories of Personal Data, for the purposes and on the legal basis indicated below.


a) To enable Users to use the Website (e.g. to create or modify the User’s account, to allow the User to use the Website, to send technical information about how the Website works, to send the User a code to enter at first authentication, to provide backup features to recover data inserted within the User’s account).

Legal basis: the performance of a contractual relationship with the User (art. 6(1)(b) of the GDPR).

Categories of processed data: identification and contact information (such as name, email address); information necessary to allow the use of the Website (IP address, device type, OS version, ID uniquely assigned by DS Smith Packaging Italia S.p.A. to each user, device language, country as set by the User in the settings of the device, Apple IDFA).

b) To fulfill the Company’s legal obligations and any other obligation potentially arising from the authorities’ instructions.

Legal basis: compliance with a legal obligation to which the Data Controller is subject (art. 6(1)(c) of the GDPR).

Categories of processed data: identification and contact information (such as name, email address); any other information which may be requested under authorities’ instructions.

c) To process any request for information and/or clarification raised by the Data Subject (also by allowing them to contact our support staff).

Legal basis: the legitimate interest of the Data Controller (art. 6(1)(f) of the GDPR). The legitimate interest of the Data Controller is to process and give proper feedback to any request raised by the Data Subject.

Categories of processed data: identification and contact information (such as name, email address); potential further information inserted within the contents of the Data Subject’s request.

The Company’s Website and services are not for subjects under the age of 18. The Company does not knowingly collect personal data from said subjects. If you believe we have received personal data from subjects under the age of 18, please email us at

III. Data retention of User’s Personal Data

Personal Data may be processed by both automated and non-automated means. The Data Controller adopts all technical and organizational measures for preventing the loss, improper use and alteration of Data Subjects’ Personal Data, and, in some cases, may adopt data encryption measures, too.

Personal Data processed to fulfill legal obligations and obligations related to the use of the Website will be kept for a period not exceeding the one necessary for the said purposes and, in each case, for no more than 10 (ten) years from the termination of the agreement (i.e., after the cancellation of the Website’s account) except for any legal obligation that sets a longer data retention period. At the end of this period, the processed data will be deleted or anonymized.

IV. Mandatory or optional nature of the supply of personal data and consequences of the refusal to answer

The provision of User’s Personal Data for the purposes referred to in points II.a) and II.b) above is mandatory. Any refusal to provide the requested data could make it impossible to create an account and to enjoy the Website’s services.

V. Recipients of Personal Data

Personal Data may be disclosed to the following categories of recipients:

  1. public, judicial or police authorities, within the limits established by applicable laws and regulations;
  2. third parties carrying out activities that are related or instrumental to the Data Controller’s activities, as outsourced data processors duly appointed in writing by the Company in accordance with the Applicable Privacy Laws or acting as autonomous data controllers (such as, by way of example only, suppliers providing IT maintenance and development services, IT or filing services providers, suppliers of mobile marketing services).

The complete and updated list of such entities is available for consultation, upon request, at the Company’s headquarters or by sending an email to
Users’ data will not be disclosed, unless such disclosure is deemed necessary for the fulfillment of legal obligations and/or regulations.

The Company will not share the Personal Data with other third parties for any reason other than those stated above.

VI. Transfer of Personal Data outside EEA

The Company may also transfer personal data of the Data Subjects to countries located outside the European Economic Area (EEA). In such cases, the Company will make sure that such transfer is based on appropriate safeguards listed in the GDPR, including (a) the standard contractual clauses developed by the European Commission; (b) the decisions of adequacy of the European Commission concerning the States in which the addressees are based; (c) binding corporate rules adopted by the Company and approved by the competent authorities or that are parties of agreements with the Company in this regard.

Copies of appropriate warranties are available on request at the holder's office or by sending an email to

VII. Rights of the Data Subjects

The Users, at any time and free of charge, can have and/or exercise the following rights, as specified in the GDPR:

a) the right to be informed on the purposes and methods of the processing of Personal Data;

b) the right of access (i.e., the right to obtain confirmation as to whether Personal Data is being processed by the Data Controller, obtain disclosure regarding certain aspects of the processing and obtain a copy of the Personal Data undergoing processing);

c) the right to ask for the updating, rectification or integration of Personal Data;

d) the right to request the deletion or erasure of Personal Data, subject to certain exceptions under Applicable Privacy Laws;

e) the right to restrict the processing of Personal Data;

f) the right to withdraw the consent to the processing of the data (in such a case, the processing carried out before withdrawal of consent shall remain valid);

g) when Personal Data are processed to pursue a legitimate interest of the Data Controller, the right to object to the processing, wholly or partly, on grounds related to the User’s particular situation; in any event, Users are entitled to object to the processing of Personal Data for direct marketing purposes, including profiling;

h) the right to data portability (i.e. to receive a copy of Personal Data in a structured, commonly used and machine-readable format or to transmit those data to another Data Controller). This provision is applicable provided that the User’s Personal Data is processed by automated means and that the processing is based on the User’s consent or on the basis of a contractual relationship with the User.

Data Subjects also have the right to lodge a complaint before the competent national Data Protection Authority, in particular before the Data Protection Authority of the Member State of their habitual residence, place of work or place of the alleged infringement.

For the exercise of their rights, Users may contact the Data Controller, in writing by sending a letter to the Company’s headquarters or by sending an email to We may take reasonable steps to verify your identity prior to responding to your requests.

VIII. Third party websites and apps

The Website may include links to other websites or apps operated by third parties. The practices described in this Notice do not apply to data gathered through these third party websites and apps. The Company has no control over, and is not responsible for, the actions and privacy policies of third parties and other websites and apps.

IX. Changes and updates of this Notice

The Company may modify, integrate and/or update, in whole or in part, this Notice, also in view of future changes that may involve the Applicable Privacy Laws. It is understood that any modification, integration or update will be communicated to the Data Subjects promptly and on time via email or at the time of the start of the Application. In this regard, the User may be required to read the new version of the Notice and to accept it before continuing to use the Website.


Date of last amendment: March 2021