Data controller

This privacy policy applies to Pupa websites, (together also “Sites”) and to the web application by PUPA Milano. Data controller, pursuant Section 28 D.lgs.196/2003 (hereinafter “Privacy Code” or “Code), is MICYS COMPANY SpA (hereinafter also “PUPA”), with its registered office in Monza, via Appiani 25 and headquartered (hereinafter "HQ") in Casatenovo (LC), via de Gasperi 22, Vat IT02089840967, Tax Code 0208984096, registration number Monza e Brianza Chamber of Commerce No.02089840967. 

Purposes of the processing

As better explained in the sections that allow users to join - by giving their personal information - to services provided for by the Site, users’ data are processed to allow us to respond to their specific requests. In particular, collection and subsequent processing of data are done for the following purposes:

•  Site registration;

•  Subscription to the newsletter via email;

•  Content sharing over the Site; 

•  Customer relationship management;

•  Submission of resumes;

•  Requests of information; 

•  Registration to myPUPA Community;

•  Entering and participating to promotions, such as fidelity cards and bonuses/coupons offered to the customers;

•  Use of Pupa application available on the Apple Store for iPhone and iPad, or of other Pupa applications developed for different platforms (Facebook, Twitter, etc.).

When purchasing products or services in the PUPA e-shop, Micys, as the data controller, may send promotional emails about products or services similar to those purchased by the data subject, who may oppose immediately to the sending of such emails by sending an email to

Pupa will not use the data provided for purposes other than those provided for the above mentioned service, that the user has requested, or within the specified limits from time to time described in the eventual additional specific information notice for a different and particular service requested by the user.

Subjects that process your data

For purposes connected to the provision of services requested by the user, personal data will be made available to third parties, who will act autonomous data controllers in providing their services as requested by the user (for example, companies that delivery purchased products) or to whom the communication of data is required to comply with laws or regulations.

We have appointed data processors. In particular,  we have appointed as external data processor for providing hosting service, Inc. Address: The Landmark @ One Market Street, San Francisco, CA 94105, USA.

The updated list of data processors is available upon request sent to the data controller.

Personal data will be made available to people expressly authorized by the data controller - and so appointed as persons in charge of the processing, who carry out processing activities necessary for the purposes listed above; such appointed individuals belong to administrative personnel, communication, accounting, legal advice, technical maintenance of information systems, and marketing personnel, depending on the specific request made by the data subject over this Site.

Your data may be transferred abroad, to European Union countries or to other countries deemed as safe by the European Commission, or even to Countries outside the European Union which are not included in the list of safe Countries, with which we will stipulate in advance, the specific agreements for the protection of your privacy, containing standard contractual clauses given by the European Commission decision of 5 February 2010, or that has obtained the Privacy Shield certification for data transfers between EU and US.

How we process your data

All processing activities performed as part of the services available through this Site is made by electronic or telematic means, or by print/manual means.

The data will be processed within the purposes for which they were collected and in compliance with current security standards, for the purposes listed above or specified from time to time in any further information notice given to the user.

Personal data will be processed for the time strictly necessary to achieve the purposes for which they are collected.

Types of personal data processed and optionality for provision of personal data

The forms to be filled on this Site provides both for personal data that are strictly necessary to request  which if not given it won’t be possible to proceed with the request, and for personal data that is optional and not strictly necessary to respond to requests.

Navigation data

During their normal operation, the computer systems and software procedures used by this website acquire some personal data, the transmission of which is implicit in the use of internet communication protocols. This is information which is not collected in order to be associated with particular persons, but which by its nature could, through processing and combination with data held by third parties, enable users to be identified. This category includes: IP addresses and domain names of computers utilized by users to connect to the website, addresses of requested resources in URI (Uniform Resource Identifier) notation, the time the request was made, the method used to submit the request to the server, the size of the file obtained in response, the numeric code indicating the state of the response given by the server (successful conclusion, error, etc.) and other parameters relating to the user’s operating system and informatics environment.

This data is used solely to obtain anonymous statistical information on the use of the website and to verify that it is functioning correctly (see also the paragraph on Cookies). The data could be used by the competent authorities to ascertain responsibility in hypothetical cases of computer-related crime resulting in damage to the site.: other than this occurrence, personal data are not stored for more than seven days.

Personal data provided voluntarily by the user

Personal data normally required for the use of services of this Site is constituted by personal records, contact and payment instruments and details. The optional, specific and voluntary sending of e-mail to addresses listed on this Site or filling out electronic forms of contact involves the subsequent acquisition of sender’s address, necessary to respond to requests, and any other personal data included in the message. Specific brief information notices will be provided or displayed on web pages dedicated to specific on demand services. Generally, sensitive data is not processed as per Section 4 D.lgs. 196/2003 (in case of processing of sensitive data for certain services a specific information notice will be given together with the express request for consent by the data subject).

Social plug-ins

Access to the Site and services can be performed by using credentials provided by a third party, such as Twitter, Facebook, Google+ or similar services ( "Social Plug-ins"). In this case, the user shall check the service's settings and read carefully the policies of the third party provider, as he may authorize such third party vendor to share his personal information and to authorize Micys to collect information such as contacts, friends and other user personal data. We will store the user's account identification code associated with the third party provider when using it to log in to Pupa or sharing content over the Site; personal data will be stored for as long as necessary to provide the services required. If the user creates a Pupa account or use the Site's services by connecting through social plug-in buttons, we may use the information in the account of origin to complete his profile on the Site. User may update or change the information of the profile and contact information at any time through the social plug-ins. We may also collect information about user and his use of our services through cookies and other similar technologies implemented on the site, in the terms explained in the specific section of this policy.

Data subjects’ rights

Data subjects have the right at any time to obtain confirmation of the existence of such data and to know its content and origin, to verify its accuracy or request its integration, updating, or correction (Section 7 D.lgs. 196/2003).

As per Article 7 D.lgs. 196/2003, the user shall have the right to request the cancellation, transformation into anonymous form or blocking of data processed in violation of the law, and to oppose to the processing for legitimate reasons.

Requests should be sent to the data controller by post or by e-mail to the following address: