Nestlé Privacy Notice
SCOPE OF THIS PRIVACY NOTICE
Please read this Privacy Notice (the 'Notice') carefully to understand our policies and procedures regarding your Personal Data and how we process it. This Notice applies to natural persons who interact with Nestlé services as consumers ('you') and is intended to explain how Personal Data is collected, used and disclosed by Sanpellegrino S.p.A. ('Sanpellegrino', 'we', 'us'), as well as how to access and update your Personal Data and choose how it should be used.
This Notice refers to our data collection activities both online and offline and includes the Personal Data we collect through our various channels, such as Websites, applications, third‑party networks, consumer engagement services, retail outlets and events. Personal Data from different sources, such as Websites and offline events, may also be aggregated and, for this purpose, we combine data originally collected by different Nestlé entities or partners. For more information on how to object to processing, please refer to Section 9.
Where applicable, the Personal Data required will be clearly indicated, including in our registration forms. Failure to provide such information may result in our inability to provide you with our products and/or services. This Notice may be amended from time to time, as further specified in Section 11.
This Notice provides important information in the following areas:
1. Source of Personal Data
2. Categories of Personal Data Collected and Collection Process
3. Children’s Personal Data
4. Cookies/Similar Technologies, Log Files and Web Beacons
5. Use of Personal Data
6. Disclosure of Personal Data
7. Retention of Personal Data
8. Disclosure, Storage and/or Transfer of Personal Data
9. Access to Personal Data
10. Choices Regarding the Use and Disclosure of Collected Personal Data
11. Amendments to the Privacy Notice
12. Data Controllers & Contacts
13. Accessibility
1. SOURCE OF PERSONAL DATA
This Notice applies to the Personal Data concerning you that we collect from you, using the methods described in Section 2, via the following sources:
Nestlé Websites. Consumer‑oriented websites operated by or for Nestlé, including the sites we operate under our domains/URLs and the micro-sites we operate on third‑party social networks, such as Facebook (‘Websites’).
Nestlé mobile sites/applications. Consumer‑oriented mobile sites or applications operated by or for Nestlé, such as smartphone apps.
Emails, text messages and other electronic messages. Interactions via electronic communications between you and Nestlé.
Nestlé Consumer Engagement Center. Communications with our Consumer Engagement Center (‘CES’).
Offline registration forms. Printed, digital or similar registration forms that we collect, e.g. by mail, in‑store demonstrations, contests and other promotions or events.
Commercial interactions. Interactions with our advertisements (for example, if you interact with one of our ads on a third‑party website, we may receive information about that interaction).
Data generated by us. In the course of interactions with you, we may create Personal Data relating to you, such as data about your purchases from our Websites.
Data from other sources. Third‑party social networks (e.g. Facebook), advertising networks (e.g. Google), market research (where feedback is not provided anonymously), third‑party data aggregators, Nestlé promotional partners, public sources and data received following the acquisition of other companies.
2. CATEGORIES OF PERSONAL DATA COLLECTED AND COLLECTION PROCESS
Depending on how you interact with Nestlé (online, offline, by phone, etc.), we collect different types of information from you, as described below.
Personal contact details. Information you provide so we can contact you, such as name, residence, email address, social network details or telephone numbers.
Account login information. Information required to access your specific account profile, such as ID/email address, username, non‑recoverable passwords and/or security questions and answers.
Demographic information and interests. Information describing your demographic or personal characteristics, such as date of birth, age or age range, gender, geographic location (e.g. postal code), preferred products, hobbies and interests, family information or lifestyle.
Computer/mobile device information. Information about the IT system or other technological devices used to access our Websites or apps, such as the Internet Protocol (IP) address used to connect your computer or device to the network, operating system type, and browser type and version. If you access a Nestlé website or application via a mobile device (e.g. a smartphone), the information collected includes, where permitted, the phone’s unique identifier, advertising ID, geolocation and other similar mobile device data.
Website/communication usage information. Information on the actions you take while browsing and interacting with our Websites or newsletters, collected automatically by specific technologies. Such information includes the links you clicked, the pages or content you viewed and for how long, as well as other similar information and statistics about your interactions, such as content response times, download errors and the duration of visits to certain pages. These data are recorded using automated technologies, such as cookies and web beacons, and are also collected using third‑party tracking for statistical and advertising purposes. You can object to the use of such technologies as described in Section 4.
Market research & consumer feedback. Information you voluntarily share with us about your experience using our products and services.
Consumer‑generated content. Content that you create and then share with us on third‑party social networks or by uploading it to one of our Websites or applications, including by using third‑party social networking apps such as Facebook. Examples include photographs, videos, personal stories or other similar materials or content. Where authorised, we collect and publish consumer‑generated content in connection with a wide range of activities, including contests and other promotions, website community features, consumer engagement and third‑party social networking.
Information from third‑party social networks. Information you publicly share on a third‑party social network or information reported in your profile on a third‑party social network (e.g. Facebook) that you authorise it to share with us. Examples include your basic account information (e.g. name, email address, gender, birthday, current city of residence, profile picture, username, friends list, etc.) and any additional information or activity that you authorise the third‑party social network to share. We receive information relating to your profile on the third‑party social network, in whole or in part, whenever you download or interact with Nestlé web applications on a third‑party social network (e.g. Facebook), use a social networking feature integrated into a Nestlé site (e.g. Facebook Connect) or interact with us through a third‑party social network. For more information on how Nestlé obtains your information from a third‑party social network or how to prevent the sharing of such information, please refer to that social network’s website.
Financial and payment information. Information necessary to process an order or complete a purchase, such as your debit or credit card details (cardholder name, card number, expiration date, etc.) or other forms of payment, where available. In all cases, financial and payment information is handled by us or by our payment processing providers in full compliance with applicable laws, regulations and security standards, such as PCI DSS.
Calls to Consumer Engagement Services (CES). Communications with CES may be recorded or listened to for local operational needs (e.g. for quality or training purposes) in accordance with applicable laws. Payment card details are not recorded. Where required by law, you will be informed of the recording at the beginning of the call.
Sensitive Personal Data. In the course of our ordinary business, we do not seek to collect or otherwise process sensitive Personal Data. Should it become necessary to process them for any reason, we will request your prior explicit consent for voluntary processing, e.g. for marketing purposes. Any processing of your sensitive Personal Data for other purposes is based on the following legal grounds: (i) prevention and detection of crimes, including the fight against fraud; and (ii) compliance with applicable laws, such as diversity reporting requirements.
3. CHILDREN’S PERSONAL DATA
We do not knowingly solicit or collect Personal Data from children under the age of 13. If we become aware that we have inadvertently collected Personal Data from a child under the age of 13, such data will be promptly removed from our records. Nestlé may, however, collect Personal Data from children under the age of 18 directly from parents or guardians with their explicit consent.
4. COOKIES / SIMILAR TECHNOLOGIES, LOG FILES AND WEB BEACONS
Cookies/Similar technologies. Please read our Cookies Notice to learn how you can set your cookie preferences and for precise information about the cookies we use and the reasons we use them.
What are cookies? Cookies are small text files saved on your computer by the websites or applications you visit. They are widely used to enable websites and applications to function, to make them work more efficiently, and to provide information to the owner of the website/application.
How and why do we use cookies? We use cookies to improve the use and functionality of our websites and/or applications and to have a better understanding of how visitors use our websites/applications and the tools/services offered by them. Cookies help us tailor websites and applications to your personal needs, enhance your user experience, obtain customer satisfaction feedback regarding our websites/applications (through selected partners) and communicate with you across the web. We do not use cookies to collect personal information such as your name; however, we may link information contained in a cookie to personal information collected from you by other means (e.g. registration on websites/applications).
What types of cookies are used? Below is a description of the various cookies used within our websites/applications.
Necessary cookies. These cookies are strictly necessary for the operation of a website/application. Without these cookies, the website/application will not function properly. Accordingly, we do not request your specific consent for this type of cookie.
Functional cookies. These are cookies that are used for the functionality of a website/application. For example, cookies that remember content you have recently viewed on the website/application or the email address or password you provided when you registered during a previous visit. Cookies may also remember items you previously placed in the shopping cart while visiting a Nestlé online store. Using functional cookies allows us to provide you with personalised, interest‑based content and to save you time without the need to register again or re‑enter information when you revisit a website/application or try to access a restricted section. On some websites/applications, cookies allow us to record your favourite recipes, activities, or high scores.
First‑party cookies. These are cookies that are downloaded by a specific website/application and can only be read by that site.
Third‑party cookies. These are cookies downloaded by a third party, which we use for different types of services (e.g. statistical analysis or advertising). For more information on the use of third‑party cookies, you can visit: http://www.youronlinechoices.com/it/ . For more information on the use of Google Analytics, you can visit: https://www.buonalavita.it/note-legali .
How can I change cookie settings? Please check that your computer/smartphone settings accept or reject cookies according to your choices. You can set your browser to warn you before accepting cookies, or simply configure it to refuse them automatically; however, doing so may prevent full access to website features. For more information on how to set them, use your browser’s Help button. It is not necessary to download cookies in order to browse most of our sites. Remember that if you use different computers in different locations, you will need to ensure that each browser is configured to reflect your cookie preferences.
To manage DMP cookies, visit: www.salesforce.com/products/marketing-cloud/sfmc/salesforce-dmp-consumer-choice/ . To manage Google cookies, visit: https://policies.google.com/technologies/ads?hl=it .
Log files. We collect data in the form of log files that record website activity and gather statistics about your browsing habits. The data is generated automatically and helps us troubleshoot errors, improve performance and maintain the security of our websites.
Web Beacons. Web beacons (also known as 'web bugs') are small strings of code that deliver a graphic image on a web page or in an email to send data back to us. Data collected through web beacons may include IP addresses and information about how you respond to an email campaign (e.g. when you opened the email, which links you clicked, etc.). We use web beacons on our websites or include them in emails we send you. We use the data obtained through web beacons for a wide variety of purposes, including preparing reports on site traffic, counting visitors, advertising, conducting audits and reports on emails, and personalisation.
Heat mapping. Heat‑mapping services are used to identify which areas of a page are subject to cursor movement or mouse clicks in order to detect which areas attract the most interest. These services allow anonymous monitoring and analysis of traffic data and serve to track user behaviour anonymously.
5. USE OF PERSONAL DATA
The following paragraphs describe the various purposes for which we collect and use your Personal Data and the different categories of data collected for each purpose. Not all uses listed below are relevant to all data subjects.
| Purpose of use of Personal Data | Legal bases | Legitimate interests |
| --- | --- | --- |
| Consumer service. We use your Personal Data for consumer service purposes, including responding to requests. This process typically requires the use of some personal contact information and information related to the reason for the request (e.g. order status, technical issues, product questions/complaints, general inquiries, etc.) | | |
| Contests, marketing and other promotions. With your consent, where required, we may use your Personal Data to provide you with information about products and services (e.g. marketing communications, campaigns or promotions). This may occur via tools such as emails, ads, SMS, phone calls and postal mail, to the extent permitted by applicable laws. Some of our campaigns and promotions are run on third‑party websites and/or social networks. This use of Personal Data is voluntary and, therefore, you may object to processing for these purposes (or withdraw consent, in some countries). For detailed information on how to change your marketing communication preferences, please refer to Sections 9 and 10 below. For more information on our contests and other promotions, please refer to the official rules or specific terms for each contest/promotion. | | |
| Third‑party social networks. We use your Personal Data when you interact with third‑party social network features, such as the 'Like' function, to send you advertisements and connect with you on such networks. Your Personal Data is used to send you targeted communications, including via social media, based on your interests and your interactions with our products and services. | | |
| Personalisation (offline and online). With your consent, where required, we use your Personal Data (i) to analyse your preferences and habits; (ii) to anticipate your needs based on your profile analysis; (iii) to improve and personalise your experience on our Websites and applications; (iv) to ensure that the content of our Websites and applications is optimised for you and for your computer or device; (v) to send you targeted advertising and content; and (vi) to enable you to use interactive features, if you wish. For example, we remember your login ID/email address or username to allow quick access on your next visit to our site or to easily retrieve products you previously added to your cart. Based on this type of information and with your consent, where required, we also show you Nestlé‑specific content or promotions tailored to your interests. This use of Personal Data is voluntary and, therefore, you may object to processing for these purposes. For detailed information on how to opt out, please refer to Section 10 below. | | |
| Order fulfilment. We use your Personal Data to process and ship your orders, inform you of their status, change addresses and perform identity checks and other fraud detection activities. This requires the use of certain types of Personal Data and payment information. | | |
| Other general purposes (such as internal or market research, analytics, security). In accordance with applicable laws, we use your Personal Data for other general business purposes, such as managing your account, conducting internal or market research, and assessing the effectiveness of advertising campaigns. If you have multiple Nestlé accounts, we reserve the right to merge them into a single account. We also use your Personal Data for the management and operation of our communication, IT and security systems. | | |
| Legal reasons or merger/acquisition. If Nestlé or its assets are acquired by another company or are subject to a merger, including following bankruptcy, we will share your Personal Data with the successors. We will also disclose your Personal Data to third parties (i) where required by applicable law; (ii) in response to legal proceedings; (iii) in response to a request from a competent law enforcement agency; (iv) to protect our rights, privacy, safety or property or the public; or (v) to enforce the terms of any agreement or our Website terms. | | |
6. DISCLOSURE OF PERSONAL DATA
In addition to the Nestlé entities referred to in Section 12 ('Data Controllers & Contacts'), we share your Personal Data with the following types of third‑party organisations:
Service providers. External companies we use to help run our business (e.g. order fulfilment, payment processing, fraud detection and identity verification, website management, market research, support services, promotions, website development, data analytics, CRC, etc.). Service providers and their dedicated staff are authorised to access and use your Personal Data on our behalf only for the specific tasks assigned to them, under our instructions, and are required to treat it confidentially and securely. [Where required by applicable law, you may obtain a list of providers processing your Personal Data (see Section 12 to contact us)].
Credit data/collection agencies. To the extent permitted by applicable law, credit data suppliers and debt collection companies are external parties we use to verify your creditworthiness (particularly for invoiced orders) or to collect overdue invoices.
Third‑party companies using Personal Data for their own marketing purposes. Unless you have given your consent, we do not license or sell your Personal Data to third‑party companies for marketing purposes. Their identity will be disclosed at the time your consent is requested.
By way of example, we may share with Facebook Ireland Limited ('Facebook') certain data relating to actions you have taken on our Websites, such as your visits and interactions, the use of Facebook Connect, as well as information collected by cookies or similar technologies, including the Facebook pixel. This enables us to measure the effectiveness of our advertising, improve our marketing activities and offer advertisements more relevant to you and to people with a profile similar to yours, including on social media such as Facebook. In this specific case, we are joint controllers together with Facebook. This means that we are required to provide you with this notice but, if you wish to exercise your data protection rights, you should contact Facebook. For more information, including how to exercise your data protection rights and how Facebook processes data as an independent controller, please refer to Facebook’s Data Policy at https://www.facebook.com/about/privacy .
Third‑party recipients using Personal Data for legal reasons or following mergers/acquisitions. Your Personal Data will be disclosed to third parties for legal reasons or in the context of an acquisition or merger (see Section 5 for more details).
7. RETENTION OF PERSONAL DATA
Nestlé takes all reasonably possible measures to ensure that your Personal Data is processed only for the minimum period necessary for the purposes indicated in this Notice. The retention period for your Personal Data is determined based on the following criteria:
(a) Nestlé will retain copies of your Personal Data in an identifiable form only for the period in which: (i) an ongoing relationship with you is maintained (e.g. you are on our mailing list and have not unsubscribed); (ii) your Personal Data is necessary in relation to the purposes set out in this Notice and the related retention is based on a valid legal ground; and also for
(b) the duration of: (i) any applicable statute of limitations (i.e. the period during which a claim may be brought against us), and (ii) an additional 2 months from the end of the applicable statute of limitations, to allow us to identify the Personal Data of the person who may bring claims at the end of the applicable period; and
(c) where claims are brought against us, your Personal Data may be processed for the additional period necessary in relation to such claims.
During the periods referred to in paragraphs (b)(i) and (b)(ii) above, your Personal Data will be processed only for storage operations and data security maintenance, subject to the need for checks and verification in relation to any claims or legal obligations under applicable law. Once the periods referred to in paragraphs (a), (b) and (c) above have ended, as applicable, we will (i) permanently delete or destroy your Personal Data or (ii) anonymise it.
8. DISCLOSURE, STORAGE AND/OR TRANSFER OF PERSONAL DATA
To keep your Personal Data confidential and secure, we use appropriate measures, as described below. These measures, however, do not apply to information you choose to share in public areas, such as third‑party social networks.
Persons who may access your Personal Data. Your Personal Data will be processed by our authorised staff or agents only to the extent strictly necessary to ensure the provision of the service and depending on the specific purposes for which it was collected (e.g. our consumer support staff will have access to your specific consumer record).
Measures adopted in operating environments. We store your Personal Data in operating environments that use reasonable security measures to prevent unauthorised access; in addition, we adopt reasonable standards for the protection of Personal Data. Transmission of information over the Internet cannot be guaranteed to be completely secure and, although we strive to protect your Personal Data, we cannot guarantee its security during transmission via our Websites and apps.
Measures consumers should take. It is important that you also participate in safeguarding your Personal Data. When registering an account, choose a password that is difficult to guess and never disclose it to third parties. As the data subject, you are responsible for the confidentiality of your password and for the use of your account. If you use a shared or public computer, avoid storing your login ID, email address or password and make sure to sign out of your account each time you leave the computer. We also recommend using all privacy settings or controls we make available on our Website and apps.
Transfer of your Personal Data. The storage and processing of your Personal Data, as described above, may require that it be transferred/transmitted and/or stored outside your country of residence, including in countries outside the European Union (EU), for example to other Nestlé entities (e.g. Nestlé USA), including countries with data protection standards different from those applicable within the EU area. We have therefore established Binding Corporate Rules (BCR), approved for Nestlé and adopted at the Nestlé Group level, that provide an internal framework for the processing of Personal Data, ensuring an adequate level of security in accordance with the EU General Data Protection Regulation (GDPR). In particular, the BCR require prior approval by the competent Supervisory Authorities in the various countries and are considered a more flexible and appropriate tool than the previously applicable Standard Contractual Clauses (SCC), as they allow data transfers within the Group without the need to enter into separate contracts for each transfer.
9. ACCESS TO PERSONAL DATA
Access to Personal Data. You have the right to access, review and request a physical or electronic copy of your information held by us, as well as to request information about the source of your Personal Data.
These rights may be exercised by sending an email to dataprotection@sanpellegrino.com, attaching a copy of your identity document or equivalent, at our request and where permitted by law. If the request is made by an intermediary without documentary evidence that it has been lawfully made on your behalf, the request will be rejected. All identification information you provide will be processed in full compliance with and to the extent permitted by applicable laws.
Additional rights (such as modification and deletion of Personal Data). Where provided by law, you may (i) request the deletion, portability, correction or review of your Personal Data; (ii) restrict its use and disclosure; and (iii) withdraw consent to any processing activity by us.
Subject to applicable law, you may also exercise the following additional rights regarding the use of your Personal Data: (a) the right to object, for reasons related to your particular situation, to the use of your Personal Data by us or on our behalf; and (b) the right to object to our processing of your Personal Data for direct marketing purposes.
In some circumstances, we may be unable to delete your Personal Data without also deleting your user account. In addition, we may be required to retain some of your Personal Data even after a deletion request in order to comply with legal or contractual obligations and we may be entitled, under applicable law, to retain some of it for our business needs.
Where available, our Websites provide a dedicated function through which it is possible to review and modify the Personal Data provided. To prevent unauthorised access, before being able to access or make changes to your account information, duly registered consumers will be required to verify their identity, for example through a login ID, email address or password.
We hope to be able to answer all your questions about how we process your Personal Data. However, in case of unresolved concerns, you also have the right to file complaints with the competent data protection supervisory authorities.
10. CHOICES REGARDING THE USE AND DISCLOSURE OF THE PERSONAL DATA COLLECTED
We are committed to providing you with the ability to choose which Personal Data to share with us. The following mechanisms allow you to control your Personal Data:
Cookies/Similar technologies. You may provide or withhold consent through (i) our consent management solution or (ii) your browser, which can be set to refuse all or some cookies/similar technologies or to warn you when they are used. See Section 4 above.
Advertising, marketing and promotions. You may consent to Nestlé’s use of your Personal Data for the promotion of products or services through the checkboxes in registration forms or by responding to questions presented by our CES representatives. If you decide you no longer wish to receive such marketing communications, you may unsubscribe at any time by following the instructions provided in each communication. Subscriptions to marketing communications sent by any means, including third‑party social networks, can be cancelled at any time via the links available in our communications, by accessing the Websites, apps or third‑party social networks and changing user preferences in your account profile by deselecting the relevant boxes, or by calling our CES. Even if you opt out of receiving marketing communications, you will continue to receive administrative communications from us, such as order confirmations or other transactions, notifications about your account activities (e.g. account confirmations, password changes, etc.) and other important non‑marketing notices.
Personalisation (offline and online). Where required by law, if you wish your Personal Data to be used by Nestlé to provide you with a personalised experience and targeted content/advertising, you may indicate this through the relevant checkboxes in the registration form or by responding to questions presented by our CES representatives. If you decide you no longer wish to benefit from this personalisation, you may opt out at any time by accessing the Websites or apps and changing user preferences in your account profile by deselecting the relevant boxes or by calling our CES.
Targeted advertising. For network advertising, on our behalf and on behalf of other unrelated companies, we work with advertising networks and other advertising service providers (‘Advertising Providers’). Some of these ads are tailored to your interests based on information collected over time on Nestlé or other unrelated companies’ sites. By visiting www.aboutads.info/choices you can obtain more information about this type of advertising and how to opt out of interest‑based advertising practices operated by companies participating in the Digital Advertising Alliance (‘DAA’) self‑regulatory program. In addition, you can opt out of this type of advertising in mobile applications of companies participating in the DAA’s AppChoices program by downloading the app from the iOS or Android app store. You can also block the collection of precise location data from a mobile device by accessing the device’s location service settings.
11. AMENDMENTS TO THE PRIVACY NOTICE
If we change how we process your Personal Data, we will update this Notice. We reserve the right to make changes to our practices and to this Notice at any time. We therefore encourage you to check frequently for updates or changes to our Notice.
12. DATA CONTROLLERS & CONTACTS
For questions or comments about this Notice and our privacy practices, or to lodge a complaint regarding compliance with applicable personal data protection laws, please contact us at: privacy.dati@it.nestle.com. We will acknowledge and investigate any complaints regarding our handling of Personal Data, as well as any alleged violations of rights under applicable privacy laws.
Data Controllers
Nestlé Italiana S.p.A., Via del Mulino 6, 20057 Assago (MI) – All activities in all countries
Sanpellegrino S.p.A., Località Ruspino, 24016 San Pellegrino Terme (BG) – All activities in all countries
Nestlé Purina Commerciale S.r.l., Via del Mulino 6, 20057 Assago (MI) – All activities in all countries
Processors
YAM112003 S.r.l., Piazza Borromeo 14, 20123 Milano, Italy
Jakala S.p.A., Corso di Porta Romana, 15, 20122 Milano, MI, Italy
ProWeb Consulting, Viale Breggia 11A – 6834 – Morbio Inferiore – Switzerland
UNITED CALL CENTERS KFT, Kis-Hunyad Street, 2nd floor, 3525, Miskolc, Hungary
SAP (Schweiz) AG, Leugenestrasse 6, 2504 Biel, Switzerland
Sapient Limited, Eden House, 8 Spital Square, London E1 6DU, United Kingdom
13. ACCESSIBILITY
Nestlé is committed to improving usability and digital accessibility across our digital channels, guided by the recommendations of the World Wide Web Consortium (W3C), including the Web Content Accessibility Guidelines (WCAG). Our efforts are also informed by applicable regulations, standards, guidelines and resources. Our improvements are ongoing with periodic testing.
If you have difficulty accessing or navigating our digital channels, contact us online at https://www.buonalavita.it/contatti. Please be ready to provide your contact information, the digital channel on which you are experiencing difficulty, and a description of the issue encountered, including the type of assistive technology you were using when you encountered the problem.