- • The nature of the personal information processed;
- • The purposes and means of the processing of personal information;
- • The identity and contact details of data controllers;
- • The contact details of the Data Protection Officer (DPO);
- • Any third parties involved in the processing activities;
- • The retention period of personal information;
- • The security measures taken to protect personal information;
- • The privacy rights of users.
Users less than 16 (sixteen) years old are not allowed consent to the processing of personal information without parental authorization.
Under the GDPR, the data controller is the subject who, alone or jointly with others, determines the purposes and means of the processing of personal information. The joint data controllers for the activities of the Site are:
- • Herno S.p.A., with registered office in Via Opifici, 100 - 28040 - Lesa (Novara); contact: email@example.com
- • The Level Group S.r.l., with registered office in Piazza Arcole 4, 20143 Milan, Italy; contact: firstname.lastname@example.org
(the "Data Controllers").
There is a designated Data Protection Officer to ensure that the Site processes personal information in compliance with the GDPR. The Data Protection Officer can be contacted for any inquiries at the following email address: email@example.com
PERSONAL INFORMATION AND PURPOSES OF PROCESSING
“Personal Information" means any information relating to users that identifies them personally, either alone or in combination with other information. Personal information is automatically collected by the Site or received via multiple sources: forms, chat, email, apps, devices, social media and other means. The Site processes personal information in various shapes for the following purposes:
The Site collects non-sensitive browsing data by automatic means in order to enable and improve user navigation (e.g. IP address, date/time of the visit and its length, any referring URL, pages visited on the Site, the device used and other information).
The processing of such information allows users to access the Site and fully enjoy its features and services. Furthermore, navigation data may be used to verify that the Site functions properly.
From time to time, browsing data are processed anonymously for statistical purposes.
Browsing data are unlikely to allow identification of the relevant data subject. However, by their very nature, browsing data may allow identification of the users if associated with other information.
The browsing data described above are stored only temporarily in compliance with the applicable law.
At checkout, the Site asks users to provide personal information for the essential purpose of fulfilling their purchase orders and comply with contractual obligations (e.g. name and surname, email address, delivery address, etc.).
Such personal information is also essential for the Customer Service to assist customers on inquiries and for any related necessity, before or after the sale (for example, with respect to the order delivery status of or on product returns).
Personal information related to orders will be stored as long as required to comply with contractual obligations and with the applicable tax and financial reporting requirements.
The Site may also verify the payment instruments used by customers to purchase on the Site (e.g. credit or debit card, etc.), for the main purpose of preventing fraudulent activities or pursuant to the applicable anti-money-laundering laws. As full reliance for payment verification is given to third party payment processors, the Data Controllers do not process or store any financial information belonging to customers.
Failure to provide the personal information required at checkout will prevent users from completing an order on the Site.
Based on its legitimate interest to improve its relationship with customers, the Site will send customers email communications with product suggestions, discounts, feedback requests or other updates. Customers are always free to unsubscribe from such email communications (for example, by clicking the “unsubscribe" link at the bottom of each email).
When users opt to register a personal Site account, they are asked to submit personal information (e.g. date of birth, gender, etc.). The Site clearly indicates which personal information is mandatory (or not) to set up a Site account.
Users must submit personal information that is true and accurate at the moment of registration and are invited to maintain their personal information up-to-date (if changes occur) by logging into their personal account to make all relevant changes.
Users who choose to enable or log in to their Site account via social media, should be aware that when they link their Site account to a social media account, the Site collects certain personal information the user has already provided to that social media (for example, the email address and public profile on Facebook).
Data Controllers do not oversee or control such social media services or the user's profiles on these services, and do not establish privacy settings or rules for how personal information on those services will be used. Users are strongly encouraged to read all the policies and information regarding the applicable social media services to learn more about how they process personal information.
Newsletter and marketing communications
On the Site, users can opt to receive newsletters and commercial communications.
The Site always collects the explicit, free, and unequivocal consent of users before sending newsletters and marketing communications to these users or, more generally, before undertaking electronic marketing initiatives dedicated to them.
In such cases, users may be asked to provide personal information in addition to their email address (e.g. gender, country of residence, etc.) for the purpose of having newsletter and marketing communications tailored to their user profile.
Users can always easily withdraw their consent from receiving newsletters and commercial communications in the following ways:
- • Through their account settings;
- • By clicking the “unsubscribe” link in any such email;
- • By contacting our Customer Service.
Under the explicit user's consent, newsletter and marketing communications may be tailored to the user “profile", based on the personal information the Site collects or receives about the concerned user.
With respect to the customers of the Site, it is in the Site’s legitimate interest to process personal information to offer more interesting products, to improve the Site and to personalize the products offered on the Site.
The main purpose of profiling is to propose products, services and initiatives more responsive to the tastes, shopping habits and interests of users and customers.
Personal information may also be used for remarketing, retargeting or profiling purposes, including via third parties (e.g. social networks, etc.).
SHARING AND TRANSFER OF PERSONAL INFORMATION
Data Controllers may transfer customers' personal information to primary third-party suppliers, acting as "data processors" (the "processors"), for the purpose of performing business operations necessary to fulfil their contractual obligations.
Data Controllers will strive to ensure that all Processors will apply their industry best practice to protect personal information and they will not use personal information for any other purposes than those agreed with the Data Controllers.
For example, the Data Controllers may share personal information with the following categories of Processors:
- • Couriers and postal operators;
- • Fulfilment centres and warehouses;
- • Advertising, digital, marketing and social media agencies;
- • IT service providers;
- • Customer care service providers;
- • Payment service providers.
Users can request an updated list of the Processors involved in the processing of personal information relevant to the Site's activities by writing an email to: firstname.lastname@example.org
Data Processors must always reserve the right to disclose personal information about users as required by law (for example, in response to law enforcement requests) and where necessary to protect the rights of Data Processors or their affiliates or third parties.
Moreover, personal information may be disclosed to other companies within the same corporate group as each of the Data Controllers or to third parties in the event of a corporate restructuring process, in full compliance with the applicable law.
In all other cases, the sharing of personal information will be conditional upon the preliminary and explicit consent of the user, unless processing is permitted on an alternative legal basis.
Data Processors will not transfer any personal information outside the European Economic Area (EEA) unless you have explicitly authorized said transfer or if the transfer of personal information outside the EEA is allowed by the GDPR on another legal basis.
PROCESSING METHODS AND SECURITY MEASURES
Personal information of users is processed by the Data Controllers with IT, automated and electronic tools and, in limited cases, by using documentary means. In accordance with the GDPR, specific security measures have been implemented to prevent data loss, unlawful or improper use, and unauthorized access.
Only authorized employees of the Data Controllers, and authorized employees of third-party suppliers, acting as Processors on behalf of the Data Controllers, have access to personal information related to the Site activities. Data processing agreements are in place with the Processors to ensure that they always meet the level of security required by the GDPR when processing personal information relating to the Site activities.
While the Site adopts primary security measures to prevent loss, destruction or dissemination of personal information, at the same time cannot exclude the safety risks that are naturally involved by online transmission of data. The user accepts the inherent risks of providing personal information over the Internet and will not hold the Site liable for any breach of security, unless this breach is due to the Site's negligence or willful misconduct.
STORAGE OF PERSONAL INFORMATION
Data Controllers will store personal information for as long as it is needed to provide users and customers with the required services or to meet legal or fiscal obligations or for the minimum period prescribed by the law.
In order to determine the appropriate retention period for personal information stored by the Site under user consent, Data Controllers will take into account multiple factors to ensure that personal information is not stored for longer than the necessary or appropriate period. Such criteria will also include:
- • The purpose for which the Site holds personal information;
- • Legal, tax and regulatory obligations related to that personal information;
- • The type of ongoing relationship with the concerned user or customer (how often the user logs into their Site account, whether users continue to receive marketing communications, how regularly they browse or buy on the Site, etc.);
- • Any specific user request related to the deletion of personal information;
- • Legitimate business interests.
The Site will promptly delete or anonymize personal information that is no longer needed or retained according to the law.
CONNECTION TO THIRD-PARTY WEBSITES OR PLATFORMS
The Site may contain banners, advertising messages and other links to third-party websites or platforms. Data Controllers cannot control or be held responsible for the conduct of such third-party websites or platforms with respect to privacy law. Users are encouraged to read their privacy policies to verify how they collect and process personal information.
THE RIGHTS OF USERS
Users are entitled to receive confirmation as to the Data Controllers hold any personal information about them on their account.
If this is case, according to the GDPR, users also hold the rights to:
- • Be informed about the collection and use of their personal information;
- • Access their personal information at no cost;
- • Have inaccurate or incomplete personal information rectified or completed;
- • Have personal information erased ("the right to be forgotten");
- • Under specific conditions, obtain the restriction or suppression of their personal information;
- • Obtain and reuse their personal information for their own purpose across different services when processing is based on a contract or on consent and is carried out automatically ("the right to data portability");
- • Under specific conditions, to object to the processing of their personal information;
- • Object at any time to the use of personal information for “profiling" or “automated decision-making” purposes;
- • The right to submit complaints related to the collection and processing of personal information to the competent supervisory authority;
- • The right to withdraw consent to the processing of personal data at any time.
Users can contact the Site for any inquiries and to exercise their privacy rights at the following email address: email@example.com
Last update: July 2020