1. Data Controller
Vhernier S.p.A., tax-code and VAT number 01150040069, with registered office at Via Borgonuovo, 24, 20121 Milan, is the Data Controller (here in after “Data Controller”).
2. Personal Data Protection Officer
Mr. Alberto Regis is the Personal Data Protection Officer, and his contact details are: Vhernier S.p.A., Via Borgonuovo 24, 20121 Milan; telephone +39 02 5412 2297; firstname.lastname@example.org .
3. Categories of Personal Data
3.1 Browsing Data
Through the Website, we acquire personal data from the normal operation of the computer systems and the software procedures used to operate the Website, since the transmission of such data is implicit in the use of Internet communication protocols. This information is not collected in order to be associated with identified data subjects; rather, by its nature, through processing and association with data held by third parties, it could enable the identification of the users. This data category includes, for example, IP addresses or domain names of computers used by Website users and other information relaring to user Website access.
3.2 Personal Data Supplied by the User
We collect the following personal data supplied by the data subjects: – contact information: e.g. name, surname, nationality, address, date of birth, e-mail address, telephone number, website; – additional personal data contained in communications sent: e.g. requests, complaints, comments, curriculum vitae; – information relating to the transactions performed, such as, for example, credit/debit card data, or other data needed to fulfil contractual requirements; – any other personal data provided by the data subject in relation to the provision of our services.
4. Purposes and Legal Basis for Processing
4.1 Our processing of personal data is performed for purposes connected or
instrumental to our business and specifically for:
– processing purchase orders, including verifying and carrying out payments and providing the services offered;
– improving and customising our products and services and our business in general;
– market research and analysis;
– data enrichment, for example by analysing preferences, purchase history and interactions with Website users, together with data collected by third parties and/or by public databases;
– communications in response to requests or complaints, or marketing messages containing news, information or updates on our products or services, offers, promotions or special events.
4.2Our processing of personal data has the following legal basis: – processing is necessary for our performance of the contract for the purchase of products or for the provision of the other services we offer, or in order to take the initiatives requested by the data subjects with a view to executing the contract for the purchase of products or the provision of other services; – processing is necessary for our compliance with applicable laws or regulations; – processing is necessary to pursue our legitimate interests, such as to conduct and develop business activities with current or potential customers, including through direct marketing, or to ascertain, exercise or defend a right in court; – processing is based on the data subject’s consent.
5. Nature of Data Provision and Consequences of Failure to Provide
With the exception of browsing data, which are automatically collected by the Website system, the data subject is free to provide or not to provide its personal data.
Failure to provide personal data, as well as the partial or incorrect provision of personal data by the data subject, may render it impossible for us to provide the services we offer.
6. Processing Methods
6.1 Personal data are processed with manual, paper, computing and/or electronic tools, including automated tools or tools capable of storing, managing or transmitting data, in each case in a fair, lawful, transparent and private manner. 6.2Personal data may be subject to automated decision-making processes, including profiling, in order to customise commercial or promotional communications to the data subjects.
7. Personal Data Access and Dissemination
7.1 The following parties may have access to personal data: – the Data Controller and their personnel;
– any company belonging to the Data Controller’s group or suppliers contributing to the provision of the services offered by the Data Controller to the data subjects, in such forms as processing transactions, responding to requests for information, receiving and sending communications, updating marketing lists, analysing data, providing assistance or carrying out other activities for the data subjects.
7.2 In addition, the Data Controller may share data subjects’ personal data with third parties in connection with a potential or actual transfer or restructuring, even partial or indirect, of the Data Controller or its group of companies.
7.3 The Data Controller may disclose personal data where required by law or where disclosure may be needed to protect the Data Controller’s rights and/or to comply with judicial proceedings, court orders, a request by a legislator or any other legal procedure to which the Data Controller is subject.
7.4 In order to process purchase orders or to provide the services offered to the data subjects, it may be necessary to transfer the personal data collected to third-party countries in which the Data Controller operates. The transfer of personal data to third-party countries for purposes other than those set forth in the preceding sentence, will take place to countries in relation to which the European Commission has issued an adequacy decision pursuant to Art. 45 of the GDPR or, in the absence of such decision, in the presence of adequate guarantees, in accordance with Art. 46 of the GDPR.
The security of the personal data we collect is paramount to us. Therefore, we have taken appropriate security measures to protect such personal data from accidental or unlawful destruction or loss, alteration, disclosure, unauthorised access or other violations; however, we cannot guarantee that any of the above mentioned events will not occur.
9. Data Storage
Personal data will be stored for the time period necessary for the purposes for which they were collected, generally three years from the end of the relationship or the last contact with the applicable data subject, unless otherwise required by law. It is possible that we will retain personal data for longer periods of time, for example if necessary to comply with legal, tax or financial obligations, or in order to have accurate records of our transactions in the event of complaints or appeals.
10. Data Subject’s rights
The data subjects may exercise the following rights with respect to their personal data:
– Right to withdraw consent: where applicable, the data subjects have the right to withdraw their consent to data processing at any time. For example, if you wish to stop receiving electronic marketing communications, you can e- mail email@example.com , and no further communications will be sent to you.
– Right to access, rectification and erasure: data subjects have the right to request access to, and receive copies of, all of their personal data held by the Data Controller, request correction of any inaccuracy in their personal data and request its erasure under certain circumstances. You can view and update most of your data online or by contacting the Data Controller at firstname.lastname@example.org.
– Right to data portability: the data subjects have the right to receive all of their personal data in a structured commonly used and machine-readable format, as well as to transmit such data to another controller without hindrance from the Data Controller, when the processing is carried out by automated means and is based on consent or a contract.
– Right to restriction of processing: the data subjects have the right to restrict the processing of their personal data in the instances set forth in Article 18, section 1 of the GDPR. Where processing has been restricted, the Data Controller will process (with the exception of storage) the data, only with the data subject’s consent or to establish, exercise or defend legal claims or to protect of the rights of another natural or legal person or for reasons of public interest.
– Right to object to processing justified on the basis of legitimate interests: where the processing of personal data is based on the Data Controller’s legitimate interests, the data subjects have the right to object to such processing, for reasons related to their specific situation. In these cases, the Data Controller will no longer process the personal data, unless it can demonstrate the existence of compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or where it needs to process the data to establish, exercise or defend a legal claim.
– Right to object to processing for direct marketing purposes: where the Data Controller processes personal data for direct marketing purposes, the data subject shall have the right to object to such processing at any time and the Data Controller must discontinue such processing of the data.
– Right to lodge a complaint with a supervisory authority: if the data subjects believe that the Data Controller’s processing of their personal data is contrary to the GDPR, they may lodge a complaint with the Supervisory Authority for the protection of personal data or with any other competent supervisory authority. For more information about their rights, exercising such rights, or for complaints or questions in relation to personal data processing, data subjects may contact the Data Controller at email@example.com.
Evidence of the identity of the data subject may be requested, and we reserve the right to request the payment of expenses, where permitted by law, for example if the request is manifestly unfounded or excessive.
We are committed to responding to the requests of data subjects as soon as possible and, in any case, within the period of time set forth by law.