1. PERSONAL DATA CONTROLLER
In accordance with art. 4, point 7 of GDPR, the Data Controller is the one who “determines the purposes and the means of the personal data processing”. With regard to the present website, the Data Controller is: ALI S.R.L., based in Via Piero della Francesca, n. 38, 20154 Milano, VAT number 08958250964, (here also “The Data Controller”), certified e-mail: email@example.com
2. DATA PROTECTION OFFICER
The Data Protection Officer – DPO is a figure provided for by art. 37 of GDPR to fulfil support, control, advisory, training and informational functions, whose appointment is mandatory only in the cases provided by art. 37, par. 1, let. b) and c) of GDPR. This figure is not mandatory for the Data Controller of the present website.
3. DATA TYPE AND PURPOSE OF PROCESSING
A. Browsing data
Some personal data, the transmission of which is implicit in the use of Internet communication protocols, are captured by the software and IT systems that enable the operation of this website during their regular operation and only for the period of connection. Such information is not collected in order to be associated with identified interested parties, but could by its nature be used to identify the users, by means of processing operations and in combination with other data in the possession of third parties. This data category includes IP addresses or domain names of the computers used by the users to access the website, the addresses in URI (Uniform Resource Identifier) notation for resources requested, their time stamps, the method used to deliver the request to the server (success, error, etc.), the country of origin, the time span of the visit (e.g. the time spent on each page) and other parameters connected to the IT system and computing environment of the user.
Such data could be used for:
i) statistics: collection of data and information in aggregate and anonymous form in order to verify the proper functioning of the website. None of such information is connected to the physical person-User of the website, and does not allow identification in any way.
ii) security: collection of data and information in order to protect the security of the website and Users (spam filters, firewalls, virus detection) and to prevent or unmask fraud or abuse to the detriment of the website.
iii) Non-continuous geolocation: this website may collect, with prior consent of the User, location data, in order to provide location-based services. The geographic location of the User is determined in a non-continuous manner, either at the specific request of the User or when the User does not point out its current location in the appropriate field and therefore does not allow the application to detect the position automatically.
B. Data voluntarily provided by the user
This category includes:
– data provided during account registration on an e-commerce platform (of WooCommerce) and User authentication of dedicated account, meaning through the login credentials of social networks such as Facebook, Instagram, LinkedIn, Amazon and PayPal provided by their owners.
– data provided when subscribing to the newsletter through the dedicated plug-in of MailChimp.
The personal data processed are: name, surname, company name, tax code, VAT number, certified e-mail, SDI Univocal Code, e-mail address, phone number, shipping address of product, credentials of the social network account you used, payment data which vary according to the chosen payment service (credit card, PayPal).
Such data can be used for:
i) identification and access to the e-commerce platform: allowing identification and access of the User to the e-shop services. Registration and authentication services are provided by means of WooCommerce and of Social Network, through the WooCommerce Social Login plug-in. In such case, the website will be able to access some data, stored by these third party services, for registration or identification purposes. In case of access via social account, the website can gather data from your account on third party services and perform actions with it.
iv) customer service: answering the information requests or the issues of any nature regarding the customer service.
v) user database management: constructing User profiles and tracking User activities through statistical capabilities, in order to structure and improve the efficiency of the website.
4. LEGAL BASIS
– purposes stated on the § 3, let. A), points i) and ii) and let. B) points i) and v): legitimate interest of the Data Controller;
– purposes stated on the § 3, let. B), points ii), iii), iv): contract and pre-contractual negotiations;
– purposes stated on the § 3, let. A) point iii) and let. B) point vi): consent of the data subject.
5. NATURE OF THE PROVISION
The provision of the social network account credentials is a User choice about the login option and takes place exclusively on a voluntary basis.
In case the User provides, posts, shares or in any way handles personal data of third parties while using the website features, the User henceforth guarantees to have the right to perform the treatment and, where necessary, to have previously obtained the consent of the third party for the processing of their data, taking all responsibility in this regard with every indemnification in favour of the website Data Controller.
6. HOW AND WHERE PERSONAL DATA ARE PROCESSED, TRANSMITTED AND SHARED
The personal data treatment is performed lawfully, correctly and transparently and, in any case, in compliance with the provisions of arts. 5 and 6 of the EU Regulation 2016/679 – GDPR. Your personal data is processed by manual and IT tools, on the basis of principles strictly tied to purposes indicated above and in any case to ensure the security and the confidentiality of the data.
Data management and storage take place on a server located in Switzerland (see EU Commission Decision of 26 July 2000 on the adequacy of protection of personal data in Switzerland under Directive 95/46/CE, the validity of which has been confirmed pursuant to art. 45 of EU Regulation n. 2016/679) where the company that provides the hosting service is based (Hostpoint SA – Neue Jonastrasse 60, 8640 Rapperswil-Jona / Switzerland).
Personal Data may be shared and processed by internal personnel and/or external collaborators of the Data Controller as authorised subjects for treatment, within the framework of their respective functions and in accordance with the instructions given by the Data Controller.
In some cases, personal data may be communicated to external subjects acting on behalf of the Data Controller, duly appointed, where necessary, as Responsible for data treatment under art. 28 of GDPR with regard to the protection of personal data, such as:
– Natural and legal persons who perform services of website development and maintenance and hosting providers;
– Natural and legal persons who perform services connected to the e-shop, logistics, payment, on behalf of the Data Controller;
– Natural and legal persons who perform marketing activities on behalf of the Data Controller;
– Accountants, lawyers and other practitioners to whom the Data Controller is directed;
– Financial and public institutions.
The updated list of the Responsible can always be requested from the Data Controller. Please note that your data will not be disclosed to indeterminate third parties.
Personal data may be transferred to countries outside the European Union such as the United Kingdom (to which, until the 31st December, EU Regulation n.2016 is applied), Japan (23rd January 2019 EU Commission Decision about the adequacy of Japan’s regulation on personal data treatment) and Canada (20th December 2001 EU Commission Decision of conformity of Canada’s regulation of personal data treatment to Directive 95/46/CE, the validity of which, pursuant to art. 45 of GDPR, has been confirmed). It is understood that the Data Controller, where necessary, may also transfer data to other countries. In such a case, the Data Controller hereby guarantees that the data transfer to non-EU countries will be performed in accordance with statutory provisions by stipulating, if necessary, agreements that guarantee an adequate level of protection and/or adopting the standard contractual clauses provided by the European Commission.
7. RETENTION PERIOD
8. USER RIGHTS
You may exercise your rights towards the Data Controller by using the following contact information: e-mail firstname.lastname@example.org and telephone: +39 0294155076.
In order to guarantee the correct exercise of your rights, you must be uniquely identifiable. The Data Controller is committed to providing an adequate reply within 30 days and, if unable to comply with this deadline, to justifying the possible extension of the deadline established. The feedback will be free of charge except in cases of groundlessness (e.g. there are no data concerning the asking person) or excessive demands (e.g. repetitious over time) for which a fee may apply, nonetheless not exceeding the costs actually incurred for the specific request.
At any time you can exercise, in pursuance of arts. 15 to 22 of GDPR, the right to:
a) Ask for confirmation of the existence or absence of your personal data;
b) Obtain the indications about the purposes of the treatment, the personal data categories, the recipients or category of recipients to whom the personal data have been or will be transferred to and, when possible, the data retention period;
c) Obtain the correction or cancellation of your personal data;
d) Obtain the limitation of treatment;
e) Obtain the data portability, namely receive them from a data controller, in a structured format, commonly used and readable by an electronic device, and to transmit them to another data controller without impediments;
f) Object to the processing of personal data at any time and also for direct marketing purposes;
g) Object to an automated decision-making process regarding physical persons, including profiling;
h) Ask the Data Controller to access your personal data and the correction/cancellation of the same, or the limitation of the treatment that concerns them, or to oppose their treatment, in addition to the right to data portability;
i) Withdraw consent at any time without prejudice to the legality of the data processing carried out prior to the withdrawal;
j) Lodge a complaint with a supervisory authority.
9. CHANGES TO THE PRESENT DOCUMENT
This document may be subject to amendments or updates. In the case of significant changes and updates, these will be reported with appropriate notifications to users.