- • The nature of the personal data processed (as defined below)
- • The purposes and means of the processing of personal data
- • The identity and contact details of the controllers
- • The contact details of the data protection officer (DPO)
- • Any third parties involved in the processing operations
- • The period the personal data will be stored
- • A brief description of the security measures adopted to protect personal data
- • The existence of the data subject’s right to request from the controller access to and rectification or erasure of his/her personal data, right to limit the processing of the data concerning him/her or to oppose their processing, and the right to the portability of user data.
Users with fewer than 16 (sixteen) years old are unable to give consent to the processing of personal data without the authorization of the holder of parental responsibility.
Pursuant to the GDPR, the controller is the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where two or more controllers jointly determine the purposes and means of processing, they are joint controllers.
The joint controllers relating to the activities of the Site are:
- • THE ATTICO S.r.l., with registered offices in Milano (MI), Piazza Castello, 4 - 20121, Italy; contact: firstname.lastname@example.org
- • THE LEVEL GROUP S.R.L., with registered offices in Milano (MI), Piazza Arcole 4 - 20143, Italy; contact: email@example.com
- (the "Joint Controllers")
A Data Protection Officer has been designated to ensure that personal data is processed in accordance with the GDPR. The Data Protection Officer may be contacted for any request at the following email address: firstname.lastname@example.org
Regarding the processing of personal data relating to marketing and profiling activities, The Attico S.r.l. acts as the sole Controller, while The Level Group S.r.l. will carry out data processing activities as the processor on behalf of The Attico S.r.l.
PERSONAL DATA: PURPOSE OF THE PROCESSING
The term “personal data” means any information relating to users of the Site, including data that identify them personally, alone or in combination with other information.
Personal data are collected automatically through the Site or received through multiple sources: forms, chats, emails, apps, devices, social media and other means.
The Joint Controllers process personal data in connection with the following activities:
• Managing Site browsing
The Joint Controllers collect browsing data (which, according to the GDPR, do not fall under the special categories of data) using automatic means to enable and improve the user’s browsing of the Site (e.g. IP address, date/time of the visit and relative duration, any referring URLs, pages visited on the Site, device used and other information).
The processing of such personal data allows users to access the Site and make full use of its features and services. Browsing data may also be used to ensure the Site is functioning properly.
From time to time, browsing data are processed anonymously for statistical purposes.
Browsing data are unlikely to allow identification of the relevant data subject. However, by their very nature, browsing data may allow identification of data subjects if associated with other information.
The browsing data described above are stored only temporarily in accordance with applicable regulations.
The legal basis for the processing of personal data in this case is the legitimate interest of the controller.
• MANAGING ORDERS
At the time of verification, the Site will ask users to provide personal data for the essential purpose of ensuring the management of orders and complying with existing contractual obligations with users (the data processed include, but are not limited to, first name, last name, email address, delivery address).
These personal data are also necessary to allow customer service to assist customers with any requests or questions before or after the sale (e.g. concerning the delivery status of the order or returns of products).
Personal data relating to orders are kept for as long as necessary to fulfil contractual obligations and any accounting and tax obligations.
The Joint Controllers may also verify that payment instruments used by customers for purchases on the Site (e.g. credit or debit cards, etc.) are valid, mainly to prevent fraud or to fulfil statutory anti-money laundering obligations. Since this activity is delegated to duly authorized third parties, the Joint Controllers do not process or store financial information relating to customers and payment instruments.
Failure to transmit/provide the personal data requested at checkout will prevent users from completing an order on the Site.
The legal basis for the processing of personal data in this case is Article 6(1)(b) of the GDPR (performance of a contract to which the data subject is party).
Based on their legitimate interest (Article 6(1)(f) of the GDPR) in improving customer relations, the Joint Controllers will send customers who have made purchases on the Site email communications containing product suggestions, discounts, requests for feedback or other updates. Customers are free to object to any further email communication at any time (e.g. by clicking on the “unsubscribe” link at the foot of each email).
• Registering an account on the Site
When users decide to create and register a personal account on the Site, they are asked to provide personal data (e.g. date of birth, gender, etc.). The Site clearly indicates which personal data are (or are not) required to set up an account on the Site.
Users must provide true and accurate personal data at the time of registration and are encouraged to keep their personal data up to date by accessing their personal account to make any necessary changes.
Users who choose to activate or access their account on the Site through social media must be aware that when they connect their Site account to a social media account, the Site collects certain personal data the user has already provided to that social media platform (e.g. email address and public profile on Facebook).
The Joint Controllers do not monitor or manage these social media services or user profiles on these social media services, nor do the Joint Controllers establish the personal data protection settings or the rules regarding the methods of use of personal data on these social media platforms (Facebook, Twitter, or other). Users are strongly encouraged to read any information published by the managers of these services concerning the protection of personal data to obtain further information on the methods of processing personal data through these channels.
The legal basis for the processing of personal data in this case is the data subject’s consent given at the time of registration (Article 6(1)(a) of the GDPR).
• NEWSLETTER AND MARKETING COMMUNICATIONS
Site users can opt to receive newsletters and marketing communications.
The Joint Controllers collect users’ freely given, express, and unequivocal consent before sending them newsletters and marketing communications or, more generally, before undertaking dedicated marketing initiatives.
In these cases, in addition to their email address, users may be asked to provide personal data (e.g. gender, country of residence, etc.) to receive marketing communications and newsletters tailored to their user profile.
Users may at any time withdraw their consent to receive newsletters and marketing communications:
- • in their account settings
- • by clicking on the “unsubscribe” link at the bottom of an email;
- • by contacting our customer service representatives.
The legal basis for the processing of personal data in this case is the data subject’s consent to the processing of his/her personal data.
Based on the user’s express consent, the newsletter and marketing communications may be adapted to the user’s profile, based on the personal data the Joint Controllers collect about the user concerned.
As for the customers of the Site, it is in the legitimate interest of the Joint Controllers to process personal data to offer more interesting products, improve the Site and personalize the products offered on the Site.
The main purpose of profiling is to offer products, services and initiatives that better meet users’ and customers’ tastes, purchasing habits and interests.
Personal data may also be used for remarketing, retargeting or profiling purposes, including through third parties (e.g. social networks, etc.).
Neither the Site nor the Joint Controllers profile minors.
The legal basis for the processing of personal data in this case is the data subject’s consent to the processing of his/her personal data (Article 6(1)(a) of the GDPR).
SHARING AND TRANSFER OF PERSONAL DATA
The Joint Controllers transfer customers’ personal data to major third-party providers acting as data processors (the “Processors”) to carry out the operations necessary to fulfil their contractual obligations (e.g. delivery of ordered goods, payments, etc.).
The Joint Controllers make every effort to ensure that all Processors apply the best procedures available to protect personal data and do not use these data for purposes other than those established by the controllers.
For example, the Joint Controllers may share personal data with the following categories of Processors:
- • Courier services and postal operators;
- • Fulfilment centers and warehouses;
- • Advertising, digital, marketing and social media agencies;
- • IT service providers;
- • Customer support service providers;
- • Payment service providers;
Users may obtain information about the categories of recipients to whom the personal data have been or will be communicated by sending an email to email@example.com or firstname.lastname@example.org
The Joint Controllers are required to share personal data with third parties where strictly required by law and where necessary to protect the rights of the Joint Controllers, related parties, or third parties.
Personal data may also be disclosed to other companies within the same group of companies to which each of the Joint Controllers belong or to third parties in the event of a company reorganization procedure, in full compliance with applicable law.
In all other cases, the sharing of personal data is subject to users’ prior express consent, unless the processing is permitted on the basis of another legal basis.
The Joint Controllers will not transfer any personal data outside the European Economic Area (EEA), unless the user (data subject) has explicitly authorized the transfer or the transfer of personal data outside the EEA is permitted by the GDPR based on another legal basis.
PROCESSING METHODS AND SECURITY MEASURES
Users’ personal data are processed by the Joint Controllers using information technology, automated and electronic tools and, in limited cases, paper means. In compliance with the GDPR, specific security measures have been implemented to prevent data loss, unlawful or improper use of and unauthorized access to data.
Only the persons authorized by the Joint Controllers or by the providers acting as Processors have access to personal data relating to the activities of the Site. Instructions and security measures have been defined in agreements or when appointing the Processors to ensure that the level of security required by the GDPR is ensured at all times during the processing of personal data for Site activities.
While security measures have been adopted in Site settings and processing operations to prevent the loss, destruction or dissemination of personal data, the security risks associated with the online transmission of data cannot be excluded.
STORAGE OF PERSONAL DATA
The Joint Controllers keep personal data for as long as necessary to provide users and customers with the services they request or to comply with legal or tax obligations or for the minimum period prescribed by law.
The Joint Controllers promptly delete or anonymize personal data whose retention is no longer necessary/mandatory according to the law.
Without prejudice to the right to be forgotten within the limits established by the applicable legislation, where the retention of personal data is no longer permitted/provided for by legislation, the maximum storage period of personal data is 10 (ten) years from the date of the relevant data subject’s last interaction with the Site.
CONNECTION TO THIRD-PARTY WEBSITES OR PLATFORMS
The Site may display banners, advertisements and other links to third-party websites or platforms. The Joint Controllers have no control over and are not responsible for the conduct of these third-party websites and platforms in relation to data protection legislation. Users are encouraged to read the data protection policies of third-party websites for information on their personal data collection and storage or processing procedures.
RIGHTS OF USERS
Users/customers (as data subjects) have the right to obtain confirmation as to whether or not personal data concerning them is held by Joint Controllers.
Where this is the case, under the GDPR, users, as data subjects, also have the right to:
- • be informed about the collection and use of personal data concerning them
- • obtain from the controller confirmation as to whether or not personal data concerning them are being processed, and, if so, obtain access to the personal data and the following information:
- a) the purposes of the processing
- b) the categories of personal data concerned
- c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations
- d) where possible, the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
- e) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing
- f) the right to lodge a complaint with a supervisory authority (in Italy: Garante per la protezione dei dati personali – Personal Data Protection Authority)
- • obtain the rectification or completion of inaccurate or incomplete personal data
- • obtain the erasure of their personal data (“the right to be forgotten”)
- • object at any time to the processing of personal data concerning them for the purposes of “profiling” or “automated decision-making processes”
- • object, under specific conditions, to the processing of personal data concerning them
- • withdraw, at any time, their consent to the processing of their personal data, where requested and given, without affecting the lawfulness of processing based on consent before its withdrawal
- • lodge a complaint with the competent Italian supervisory authority: Garante per la protezione dei dati personali, Piazza di Montecitorio n. 121, 00186, Rome (RM), Italy.
Users may contact the Joint Controllers with any queries and to exercise their data protection rights at the following email addresses: email@example.com, firstname.lastname@example.org.
Last update: December 2021