- Data Controller and contact details
The Data Controller is AXEL BASSANI, via Monte Pertica, 29/2 – 32030 – SEREN DEL GRAPPA (BL), VAT no. 01230940254, tax code BSSXLA99L24D530S, hereinafter also referred to as “Data Controller” or just “Controller”.
The Data Controller can be contacted by e-mail at the following address: firstname.lastname@example.org.
- Personal data subject to processing
The personal data processed through the Website are the following
a. Navigation data
The computer systems and software procedures used to operate the Website acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This is information that is not collected to be associated with identified data subjects, but which by their very nature could, through processing and association with data held by third parties, allow users to be identified. This category of data includes IP addresses or domain names of the computers used by users who connect to the website, the addresses in the Uniform Resource Identifier (URI) notation of the requested resources, at the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (success, error, etc.) and other parameters related to the operating system and the user’s computer environment. This data is used for the sole purpose of obtaining anonymous statistical information on the use of the Website and to check its correct functioning to identify anomalies and/or abuse and are deleted immediately after processing. The data could be used to:
- obtain statistical information on the use of the services;
- monitor the proper functioning of the services offered;
- ascertain responsibility in case of hypothetical computer crimes Data provided on a voluntarily base or at the request of public authorities.
b. Data provided on a voluntary base
By means of the Website you may voluntarily provide personal data such as, for example:
- personal data provided by yourself in e-mails sent to the Customer Service e-mail address (email@example.com) or to the Rider’s management contact (firstname.lastname@example.org) for any requests for information and/or clarifications;
- personal data (in particular, name, surname, tax code, VAT number, e-mail address, telephone number, delivery address) provided by filling in the purchase request form for the products sold in the e-Shop;
- data relating to the credit card or other payment instrument used, in accordance with the procedures indicated by the Controller for the purchase of the products. Depending on the case, you may have to enter your payment card details on a page of the Website that will communicate via secure cryptographic protocol with the payment service provider or you may be directed to a page outside the Website where you will have to enter the personal details required by payment service provider to complete the purchase process. In the latter case, the personal data in question will not pass through the Website’s server.
Please note that the user is not expected or required to register on the Website and / or e-Shop, even to purchase products. The user, therefore, will not have a personal account in which data and information referring to the same will be stored (for example, personal data, history of orders/purchases/returns, preferred delivery and invoicing addresses) and accessible by the user for consultation and/or modification.
The Data Controller shall process personal data in compliance with the Applicable Regulations, assuming that they refer to you or to third parties who have expressly authorised you to provide them or whose personal data you were entitled to provide. With respect to these assumptions, you undertake to indemnify and hold harmless the Data Controller from any dispute, claim or request for compensation for damage caused by the processing of personal data that may be received from such third parties.
c. Cookies and other tracking tools
- Purposes and legal bases of the processing
Given the above, your personal data shall be processed for the following purposes:
- allowing and facilitating the on-line purchase of products with the possible execution of the purchase contract through the e-Shop;
- processing the purchase order, starting with those activities which are functional to the delivery of the sold products by third-party couriers;
- providing feedback to any requests for information and/or clarifications functional to any purchases and/or any requests to exercise the right of withdrawal and/or other rights arising from the purchase contract executed on the e-Shop and/or provided for by current legislation in relation to the same contract (assistance and customer care activities carried out by the Customer Service) and to carry out the activities that are necessary as a result of the exercising of those rights (for example, reimbursement in case of return of the product).
The legal basis of the processing carried out for the purposes listed above is the need to implement pre-contractual measures taken at your request and/or the contract to which you are a party (see art. 6, par. 1, lett. b), of the GDPR) and/or to comply with legal obligations to which the Data Controller is bound in relation to the purchase contract executed through the e-Shop [Article 6 (1)(c) of the GDPR].
- to fulfil the obligations of administrative and/or accounting and/or fiscal nature connected with the provision of the e-Shop service and/or the purchase contract concluded through the e-Shop (for example: the keeping of accounting records and the issuing of the sales invoice);
- to respond to any requests to exercise your rights as a data subject under current data protection legislation.
The legal basis of the processing carried out for the purposes listed above is the need to comply with legal obligations to which the Data Controller is bound [Article 6(1)(c) of the GDPR].
- to provide feedback on any reports, complaints or claims made by the user;
- to verify any fraudulent or illegal use of the e-Shop and of the Website in general and ensure their security and functionality in the interest of users and of Data Controller;
- to carry out research/statistical analysis on aggregate or anonymous data, without therefore being able to identify the user, to measure traffic and assess usability and interest with respect to the e-Shop and the Website in general;
- to provide for the storage, hosting and management of the backend infrastructure of the Site;
- to allow the user to be directed to the social profiles of the owner of the Site and to interact with them;
- to establish, exercise or defend legal claims or whenever courts are acting in their judicial capacity;
The legal basis for the processing carried out for the purposes listed above is, respectively, the legitimate interest of the users in receiving feedback regarding any reports, complaints or claims made; the legitimate interest of the Data Controller and of the users themselves in preventing or identifying any fraudulent or otherwise illegal use of the e-Shop; the legitimate interest of the Controller to verify the usability and appeal of the e-Shop and, in general, of the Website; the legitimate interest of the Controller to report the existence of the social profiles of the owner of the Site and to interact with them; the legitimate interest of the Data Controller and, where appropriate, the legitimate interest in establishing, exercising or defending legal claims or whenever the courts carry out their judicial functions [art. 6(1)(f) of the GDPR].
Your personal data will not be processed for marketing purposes, nor will they be profiled and/or communicated to third parties for marketing purposes.
- Consequences of failure to provide personal data
The provision of personal data is optional. Nonetheless, failure to provide the data, in whole or in part, may make it impossible to complete the purchase order and to execute it, as well as make it impossible to respond to any requests for information and/or clarification and/or requests to exercise your rights.
- Methods of personal data processing
Personal data are processed with manual and/or paper-based and/or computer-based and/or telematic instruments and/or supports, in any case in such a way as to guarantee their security and confidentiality.
To this end, the Data Controller has adopted and implements security measures, both technical and organisational, appropriate to the level of risk related to the processing of personal data carried out.
In particular, the Website functionality is provided on HTTPS encrypted connection and personal data are collected, filed and stored on secure servers, protected by firewalls and physically located within the European Union.
- Recipients of personal data
Your personal data may be shared, for the purposes set out in paragraph 3 above, with:
- companies, consultants or professionals who may be entrusted with the installation, maintenance, updating and, in general, management of the Data Controller’s hardware and software, including providers of hosting and cloud computing services and who typically act as data controllers pursuant to and for the purposes of Article 28 of the GDPR;
- companies that provide logistical support and/or warehousing and/or packaging and/or shipping and delivery of products purchased through the e-Shop;
- service payment providers;
- persons, bodies or authorities to whom, in their capacity as independent data controllers, it is obligatory to disclose your personal data by virtue of legal provisions or orders of the authorities;
- law firms, associated firms, consultants or professionals (e.g. legal, administrative and/or tax consultancies) who may be appointed to support the Data Controller in order to ensure: the correct fulfilment of the legal obligations with which he is required to comply; the correct fulfilment of the contractual obligations assumed with the completion, on the basis of the general conditions of sale, of the purchase order; the ascertainment, exercise or defence of a right in court or whenever the jurisdictional authorities exercise their jurisdictional functions;
- persons authorised by the Data Controller to process personal data pursuant to and for the purposes of Article 29 of the GDPR and Article 2-quaterdecies of the Italian Privacy Code and who have received specific instructions on how to process the data in accordance with the Applicable Law.
- Transfers to non-EU countries and/or organisations
The Data Controller’s hosting provider’s servers are located within the European Union. Some of the Data Controller’s suppliers or the servers of such suppliers, however, may be located in countries outside the EU. In such cases, personal data may be transferred to countries outside the European Union. In any case, such transfers will only take place if one or more of the conditions set out in the GDPR in force for transfers to non-EU countries are met. More information is available from the Owner, which you can request by writing to the following email address: email@example.com.
- Period of retention of personal data
Your personal data will be retained for a period not exceeding the fulfilment of the purposes for which they are processed and which have been indicated above.
In particular, personal data be kept for the period necessary to meet the user’s and/or buyer’s requests, to fulfil the obligations deriving from the execution of the purchase order and/or envisaged by current legislation in relation to the same, carrying out the activities that become necessary as a result of the buyer’s rights (for example, refunds in the event of product returns) and, in any case, for a maximum period of no more than 10 years from the date of completion of the purchase order. This maximum storage period may be extended, if the conditions are met, in order to allow the Controller to exercise and defend a right in court or whenever the judicial authorities exercise their judicial functions or at their request. In no case will data relating to your credit card or other payment instrument be stored for the sole purpose of facilitating further online transactions.
- Rights of the data subject
We inform you that, as the data subject, you are entitled to:
- to receive confirmation as to whether or not personal data relating to yourself are being processed and, if so, to obtain access to them and to a range of relevant information, including, by way of example, information relating to: a) the purposes of the processing; b) the categories of personal data that are the subject of the processing; c) the entities or categories of entities to whom or which the personal data have been or will be communicated; d) the storage period of the data or, if that is not possible, the criteria used to determine that period; e) the source of the personal data, if they have not been provided by you;
- request and obtain the updating of personal data, the rectification of inaccurate data or, where needed, the integration of incomplete data;
- request and obtain the erasure of personal data if: a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; b) you object to the processing carried out on the basis of a legitimate interest of the Controller and there is no overriding legitimate reason to continue the processing; c) the personal data have been processed unlawfully; d) the personal data must be erased by the Controller in compliance with a legal obligation;
- request and obtain the restriction of processing in the event of: (a) contestation of the accuracy of your personal data for the time necessary for the Data Controller to carry out the requested verifications; (b) unlawful processing of data by the Data Controller, if you object to the deletion of the data and instead request the restriction of its use; (c) establishment, exercise or defence of a right of yours in court, although the Data Controller no longer needs it for the purposes of processing; (d) awaiting the outcome of the verification as to whether the Data Controller’s legitimate reasons prevail over those of the data subject;
- in cases where the processing is based on a contract and is carried out by automated means, to request and receive in a structured, commonly used and machine-readable format the personal data concerning him/her and, if technically feasible, to obtain the direct transmission by the Controller to another controller;
- to object, in whole or in part, on legitimate grounds relating to your particular situation, to the processing of personal data concerning you, even though they are relevant to the purpose of collection;
- to file a complaint with the Italian Data Protection Authority pursuant to Article 77 of the GDPR and Articles 140-bis et seq. of the Italian Privacy Code.
The Data Controller shall inform each of the recipients to whom your personal data have been transmitted of any rectification, cancellation and/or restriction of processing carried out, except where this proves impossible or involves a disproportionate effort.
- Procedures for exercising the rights of the data subject
As a data subject, you may exercise the above rights at any time by sending an e-mail to the following e-mail address: firstname.lastname@example.org.
If you wish to lodge a complaint with the Italian Data Protection Authority, you may use the forms available on the relevant website.