1. DATA CONTROLLER
The data controller for users’ personal data is Luisa Spagnoli S.P.A. (hereinafter, “Luisa Spagnoli”), with legal headquarters at
Strada Santa Lucia 71, 06125, Perugia, Italy; tax code and VAT No.: 02742760545, Economic and Administrative Index: PG n. 238003.
Luisa Spagnoli has nominated its own Data Protection Officer, who can be reached at the email address firstname.lastname@example.org and at the company’s addresses as indicated above.
2. PRINCIPLES OF DATA PROCESSING
In processing users’ personal data, Luisa Spagnoli shall apply the principles of lawfulness, fairness and transparency. Personal data shall be collected for specified, explicit, legitimate purposes (purpose limitation) and shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation). They shall always be kept up to date and accurate and kept for no longer than is necessary to achieve the purposes of the data controller (storage limitation), after which they shall be deleted. Finally, they shall be processed using all appropriate security measures to ensure their integrity and to prevent access by unauthorised third parties (integrity, confidentiality and inaccessibility).
3. HOW DATA ARE COLLECTED ON THE WEBSITE
Data acquired during browsing
As part of their normal operation, the IT systems and software procedures which ensure the functioning of the Website acquire certain personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected in order to be associated with identified users; however, by its very nature, it could permit users to be identified through processing and association with data in the possession of third parties. This category of data includes the IP addresses or domain names of computers used by users who connect to the Website, addresses of the resources requested in URI (Uniform Resource Identifier) notation, the time of the request, the method used in submitting the request to the server, the size of the file obtained in the response given by the server (successful, error, etc.) and other parameters relating to users’ operating systems and computer environments.
These data are used for the exclusive purpose of deriving anonymous statistical information about the use of the Website and to check that it is operating correctly, and are deleted immediately after they have been processed. The data could be used to determine responsibility in the event of damage to the Website by a hypothetical computer crime. With the exception of this eventuality, the data shall be deleted when they are no longer necessary.
Data voluntarily provided by users
In cases where users availing of the services on the Website provide personal data belonging to third parties, they must declare that they have given this disclosure to those third parties and acquired their consent to the communication of their personal data, if necessary.
4. CATEGORIES OF DATA PROCESSED
The following are collected and processed on the Website: identifying data; data on the age of users; contact information; data on sales and billing; and details of purchases made by users.
Special categories of personal data are not processed.
5. PURPOSES OF PROCESSING AND LEGAL BASIS
5.1. Purposes: supply of services, sale and delivery of products, administrative, accounting and tax-related purposes.
Users’ personal data are generally collected and processed in order to manage their interactions with the Website, for example: registration; purchasing transactions and the fulfilment of purchase orders; payments and the delivery of products; the management of returns; and other activities necessary to manage orders made through the Website. It is necessary to provide the data in order to carry out the above activities. Failure to provide them shall render it impossible to carry out the contract or supply the requested services. The data are also processed for administrative, tax-related and accounting purposes, in order to comply with other obligations imposed by laws and regulations, and potentially to exercise Luisa Spagnoli’s rights in court.
The user’s consent is not required for the processing purposes indicated above.
5.2. Purposes: marketing and loyalty programme
With the user’s consent, which is free and optional, their personal data may also be processed for the purposes of marketing by means of telephone, traditional post, email, newsletters, text messages such as SMS and MMS, chat services and social network. It is always possible to withdraw consent, to object to receiving promotional communications, or to limit consent to some means of communication only, excluding others. In any case, every piece of communication received shall specify how to object to the sending of such material and, therefore, how to avoid receiving any more. The provision of data for marketing purposes, as indicated above, is optional and any refusal to do so shall have no consequences in terms of requesting the products and services offered on the Website.
Luisa Spagnoli may also conduct direct marketing via email aimed at users who have made purchases, to offer them products similar to those already purchased (so-called soft spam). This form of processing does not require the user’s consent, though users may in any case deny this or object at any time, including by clicking on the specific “unsubscribe” link present in every email sent to them.
For the purposes of the loyalty programme, the legal basis for processing is the need to award members the specific advantages and rewards of that programme. The provision of data for the purposes of the loyalty programme is optional, but in the event of refusal it will not be possible to take advantage of the specific advantages and rewards of the programme.
5.3. Purposes: profiling
With the users’ consent, their personal data may also be processed in order to analyse their purchasing decisions and, therefore, to determine their consumption preferences and to create individual and group profiles for the purpose of sending targeted commercial offers consistent with the profiles built as well as automated emails based on their purchasing patterns, or to help them with their purchasing activities. For example, when users interact with the Website and enter their data without completing their order, they might be contacted by Luisa Spagnoli at the addresses they provided. Where necessary, consent for the processing will be sought on a case-by-case basis.
If consent is denied, there will be no repercussions of any kind on the ability to subscribe to the Website.
If consent is granted, users may withdraw it at any time or object to further profiling activities.
The data collected on the Website combined with any information that may be obtained by Luisa Spagnoli in the stores.
6. MEANS OF PROCESSING AND SECURITY MEASURES
Depending on the specific purpose of processing, personal data shall be accessible to personnel authorised for processing, as well as to the data processors.
Fully automated decision-making processes which produce legal effects for users or which significantly affect them are not used.
7. PERSONAL DATA STORAGE
Users’ personal data are processed for the length of time necessary to manage their
interactions with the Website and to ensure that they can enjoy its services, as well as to enable all purchasing
transactions and the fulfilment of their orders. Once these purposes have been achieved, the data shall be stored
for the length of time provided for by the law for administrative, accounting and tax-related purposes and to assert
any contractual rights.
Data processed for marketing purposes and for the purposes of profiling users shall be processed until consent is withdrawn or users object to the processing, in accordance with the most recent rulings of the Italian Authority for the Protection of Personal Data.
8. RECIPIENTS OF PERSONAL DATA
Users’ personal data may be communicated to the authorities, public bodies, professionals, collaborators and commercial partners. Only necessary data are provided to such third parties.
The recipients to whom such data are communicated shall process them as autonomous data controllers or data processors, if appropriate, after entering into special contracts pursuant to art. 28 of the GDPR.
Data processed for the purposes of the loyalty programme, marketing and profiling are not communicated to third parties. For marketing purposes and for certain profiling activities, Luisa Spagnoli has appointed external companies as data processors, entering into special contracts as required by art. 28 of the GDPR. For these same purposes, and for sales and related purposes, Luisa Spagnoli has also appointed its own group companies as data processors for the personal data of Website users.
By using the Social network icons present on the Website, some of the users’ data may also be transmitted to these Social networks. For information on the processing thereof, which is carried out externally to this Website, please see their own specific privacy policies.
All of the above parties are obliged to use the information they receive exclusively for the above-indicated processing purposes and to keep it confidential, intact and inaccessible to unauthorised third parties.
Users’ data are not publicly disclosed.
9. TRANSFER OF DATA
Users’ data may be transferred outside of the European Union, if the servers of the parties with which Luisa Spagnoli has entered into special contracts are located there, or if the data are communicated to companies of the Luisa Spagnoli group with headquarters outside of Europe. In such cases, Luisa Spagnoli shall implement appropriate safeguards as required by the GDPR, in order to protect the personal data of users.
10. RIGHT OF ACCESS TO DATA AND OTHER RIGHTS
Articles 15 to 22 of the GDPR grant users, as data subjects, certain rights.
Article 15 grants users the right to access their own personal data and to obtain a copy thereof. The right
to obtain a copy of the data shall not adversely affect the rights and freedoms of others.
By requesting access, users have the right to obtain confirmation from Luisa Spagnoli as to whether or not personal data concerning them are being processed and to know the purposes of the processing, the categories of data concerned, third parties to whom the data have been communicated, and whether the data have been transferred to a country outside of Europe with suitable safeguards. Moreover, users have the right to know the storage times of their personal data, in relation to the purposes indicated above.
In relation to their own personal data, users have the right to ask for the rectification of inaccurate data and the completion of incomplete data, for erasure (the right to be forgotten) under the conditions outlined in article 17 of the GDPR, and for the restriction of processing and data portability.
Users also have the right to object, at any time, to the processing of data concerning them for marketing purposes, which includes profiling to the extent that it is related to marketing activities. In every promotional email, users shall find instructions on how to object to receiving any further communications and may also, at any time, object to receiving promotional communications through all or even just certain channels.
Users also have the right to withdraw their consent to processing.
The data controller shall also assure users that the need to perform the steps triggered by the above requests has also been brought to the attention of any parties to whom the data may have been communicated, except in cases in which this is impossible or requires an effort that is clearly disproportionate to the rights being protected.
To exercise the above rights, it is necessary to contact Luisa Spagnoli at the email address of its Data Protection Officer,email@example.com , or via post sent to the address of its legal headquarters.
In order to provide a response, it may be necessary to verify the identity of users by asking them to provide a copy of their ID document.
The data controller shall provide a written response without undue delay and, in any case, no later than one month from the receipt of the request itself.
11. COMPLAINTS TO THE AUTHORITY FOR THE PROTECTION OF PERSONAL DATA
Users who believe that the processing of their personal data is in violation of the provisions of the GDPR or national legislation regarding the protection of personal data have the right to lodge a complaint with the Italian Authority for the Protection of Personal Data, which has its headquarters in Rome, in accordance with art. 77 of the GDPR, and/or to appeal to the judicial Authority.