LDA FASHION S.R.L. Via delle Genziane, 13/E 00012 Guidonia Montecelio (RM) PEC ldafashionsrl@pec.gocciagroup.it VAT No. 14345861000 Information pursuant to Articles 13 and 14 of the European Regulation 679/2016 on the protection of personal data [GDPR]). In compliance with the requirements set out in the General Data Protection Regulation, the Data Controller provides the Data Subject with the following information regarding the processing of personal data carried out.
| DATA CONTROLLER |
| Controller |
Mr. Ravicini Andrea |
| Address |
Via delle Genziane 13/E – 00012 Guidonia Montecelio (Rome) |
| VAT / Tax Code |
RVCNDR82P05L182C |
| Contacts |
PEC: ldafashionsrl@pec.gocciagroup.it |
| Legal representative |
Ravicini Andrea |
| Privacy contact person |
Ravicini Andrea (ldafashionsrl@pec.gocciagroup.it) |
| Data protection officer |
Not appointed |
| Joint controllers |
· No joint controllers present |
| If you wish to request further information regarding the processing of your personal data or to exercise your rights, you may contact in writing the Privacy Contact Person indicated above. |
| CATEGORIES OF DATA SUBJECTS |
| List of categories of data subjects |
Customers or Users, Potential Customers, Members, Associates and Subscribers, Minors |
| PROCESSING PERFORMED |
| Online commercial activities with or without customer loyalty programs |
| Description |
Activities related to the processing of personal data for the production, distribution, and sale of goods or services online. It may include customer loyalty programs through enrollment in a loyalty scheme. |
| ORIGIN, PURPOSE, LEGAL BASIS AND NATURE OF THE DATA PROCESSED |
| Origin |
Data are partly collected from the data subject and partly from third parties. Source description: data may be collected through our own or third-party websites managed by us and our management systems. Data also come from publicly accessible sources. |
| Purpose |
1. Mail order or telephone sales - Consent received from the data subject at the time of data collection by means of acceptance included in the information notice. In case of non-consent, mail or telephone sales will not be carried out. 2. Electronic or radio/TV sales - Consent received from the data subject at the time of data collection by means of acceptance included in the information notice. In case of non-consent, electronic or radio/TV sales will not be carried out. 3. Customer management - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. 4. Fulfillment of tax and accounting obligations - Data acquisition for issuing and sending invoices, both in paper and digital form. 5. Dispute management - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. 6. Monitoring of contractual obligations - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. 7. Activity planning - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. 8. Marketing (market analysis and surveys) - Consent not required as communications for direct sales of own products/services or for customer satisfaction analysis or market research use the email addresses collected from the data subject in the context of the sale of a product or service similar to that subject to sale, and without the express refusal by the data subject of such use, initially or in subsequent communications. Each communication provides information on the possibility of objecting at any time to processing (so-called opt-out). 9. Advertising - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. 10. Promotional activities - Consent received from the data subject at the time of data collection by means of acceptance included in the information notice. In case of non-consent, promotional profiling of the data subject will not be carried out. 11. Customer satisfaction surveys - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. 12. Radio and television information - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. 13. Customer information on new services/products - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. 14. Sending informational and/or advertising material also by phone or internet and instant messaging applications such as WhatsApp, Messenger, Telegram and similar - Consent received from the data subject at the time of data collection by means of acceptance included in the information notice. In case of non-consent, the sending of informational and/or advertising material will not be carried out. 15. Information by electronic means - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. 16. Consulting activities - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. 17. Service provision - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. |
| Legal basis |
For purposes 1, 2, 3, 5, 6, 7, 9, 10, 11, 12, 13, 14, 15, 16, 17: Consent of the Data Subject. For purpose 4: Processing is necessary to comply with a legal obligation to which the data controller is subject. For purpose 8: Processing is necessary for the pursuit of the legitimate interests of the data controller or third parties. |
| Personal data processed |
Topics of interest, Tax Code and other personal identification numbers, Telephone contact, Bank details, Contact and communication data, Behavioral data, user, consumer or taxpayer profiles, Residential address, Email address, Name, address or other personal identification elements, Declared profession, Video surveillance recordings, Gender M/F |
| “Special” data (sensitive data) are those defined under Articles 9 and 10 of Regulation 2016/679/EU (“GDPR”). Such data are processed in compliance with the GDPR and with the General Authorizations issued by the Data Protection Authority. |
| Special data processed |
- |
| Legal basis Art. 9 |
|
| RECIPIENTS OR CATEGORIES OF RECIPIENTS OF PERSONAL DATA |
| Categories of recipients |
The communication of your personal data, carried out on the legal bases provided for in Article 6 of Regulation 2016/679/EU, is envisaged towards the following third parties: |
| Judicial authorities, consultants and professionals also in associated form, companies and enterprises, armed forces, police authorities, employers, business associations and companies, parent companies, subsidiaries and affiliated companies, associations and foundations, members and subscribers, judicial authorities, revenue agency, internal processors, external processors, authorized subjects, private individuals (natural or legal persons), maintenance or goods and service supply companies. |
| These entities, organizations, companies and professionals act as Data Processors appointed by Mr. Ravicini Andrea or are themselves Data Controllers of the personal data transmitted to them. |
| Your personal data, or personal data of third parties in your ownership, may also be communicated to external companies, identified from time to time, to whom Mr. Ravicini Andrea entrusts the performance of obligations arising from the assignment received, to which only the data necessary for the requested activities will be transmitted. All employees, consultants, temporary workers and/or any other “natural person” who, authorized to process data, performs their activity on the basis of the instructions received from Mr. Ravicini Andrea, pursuant to Article 29 of the GDPR, are designated as “Authorized Processors” (hereinafter also referred to as “Authorized Persons”). To the Authorized Persons or Data Processors, if appointed, Mr. Ravicini Andrea provides adequate operational instructions, particularly concerning the adoption and compliance with security measures, in order to guarantee the confidentiality and security of the data. Specifically regarding the protection of personal data, you are invited, pursuant to Article 33 of the GDPR, to report to Mr. Ravicini Andrea any circumstances or events that could lead to a potential “personal data breach,” to allow immediate evaluation and adoption of any actions to counter such an event, by sending a communication to Mr. Ravicini Andrea at the contact details indicated above. Mr. Ravicini Andrea remains obliged to communicate data to Public Authorities upon specific request. |
| TRANSFER ABROAD |
| Transfers to foreign countries (non-EU) or to international organizations |
·Arizona ·Transfer subject to adequate safeguards (Art. 46) ·Code of conduct approved pursuant to Article 40, together with a binding and enforceable commitment by the data controller or processor in the third country to apply adequate safeguards, including with regard to the rights of data subjects ·Personal data are transmitted to a country of the United States of America through the use of a CRM software owned by a third party established in the U.S.A. |
| The transfer abroad of your personal data may occur if necessary for the management of the assignment received. For the processing of the information and data that may be communicated to these entities, equivalent levels of protection as those adopted for the processing of personal data of their own employees will be required. In any case, only the data necessary to pursue the intended purposes will be communicated, and the regulatory instruments provided for in Chapter V of the GDPR will be applied. |
| METHODS, LOGIC OF PROCESSING AND RETENTION PERIODS |
| Duration of processing |
The data for loyalty purposes, meaning those necessary to enable participation in the loyalty program and management of the loyalty card, will be processed and retained for the administrative duration of the relevant program, or in any case until cancellation and/or termination by the participant. In the event of withdrawal, deactivation for non-use within a given time period, expiry, or return of the card (as provided in the separate Loyalty Program Regulation), the retention period of personal data for exclusive administrative purposes (and not for profiling or marketing) will not exceed one quarter (subject to any specific legal obligations regarding accounting document retention). In such cases, the Data Controller has implemented suitable automatic data deletion mechanisms, including by third parties to whom the data may have been communicated. For other purposes, processing will last no longer than necessary for the purposes for which the data were collected. Video recordings are stored for a maximum of 24 hours, followed by automatic deletion. |
| Your data are collected and recorded lawfully and fairly for the purposes indicated above, in compliance with the principles and provisions of Article 5(1) of the GDPR. The processing of personal data takes place using manual, IT and telematic tools, with logics strictly related to the stated purposes and, in any case, in such a way as to ensure their security and confidentiality. |
| NATURE OF THE PROVISION |
| The processing of personal data will be carried out for the following purposes: |
| Purposes that do not require consent |
- Fulfillment of tax and accounting obligations - Acquisition of data for printing and sending invoices in paper or digital form. - Marketing (analysis and market research) - Consent not required since communications for direct sales of own products/services or for satisfaction analysis or market research use the email addresses collected from the data subject in the context of the sale of a product or service similar to that being sold and without the express refusal of such use by the data subject, either initially or on subsequent communications. Each communication provides information on the possibility to object at any time to the processing (so-called opt-out). |
| Purposes that require consent |
- Mail order or telephone sales - Consent received from the data subject at the time of data collection by means of acceptance included in the information notice. In case of non-consent, mail or telephone sales will not be carried out. - Electronic or radio/TV sales - Consent received from the data subject at the time of data collection by means of acceptance included in the information notice. In case of non-consent, electronic or radio/TV sales will not be carried out. - Customer management - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. - Dispute management - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. - Monitoring of contractual obligations - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. - Activity planning - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. - Advertising - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. - Promotional activities - Consent received from the data subject at the time of data collection by means of acceptance included in the information notice. In case of non-consent, promotional profiling of the data subject will not be carried out. - Customer satisfaction surveys - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. - Radio and television information - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. - Customer information on new services/products - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. - Sending of informational and/or advertising material also by telephone or internet - Consent received from the data subject at the time of data collection by means of acceptance included in the information notice. In case of non-consent, the sending of informational and/or advertising material will not be carried out. - Information by electronic means - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. - Consulting activities - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. - Service provision - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out.
|
| Only upon your explicit consent expressed at the end of this information notice, the data whose purposes require consent will be processed. Providing the data is, in any case, optional and will not cause prejudice to the existing contractual relationship with the Data Controller. |
| For data collected and used for purposes related to the execution of activities inherent to the contractual relationship and compliance with the legal obligations indicated, your consent is not required. Failure to provide the personal data referred to above will result in the impossibility of continuing with the relationship in question. For data collected and used for the legitimate interest of the Data Controller, your consent is not required (Art. 6, letter f of the GDPR). The provision of the personal data referred to above is optional but necessary for the execution of the services offered by the Controller. Refusal to provide such data will result in the impossibility to fully or partially provide the requested services. |
|
RIGHTS OF THE DATA SUBJECTS (Articles 15 to 22 of the GDPR) |
| Right of access |
The data subject has the right, as provided by Articles 15 to 22 of the GDPR, to request from the Controller access to his or her personal data. |
| Right to rectification |
The data subject has the right, as provided by Articles 15 to 22 of the GDPR, to request from the Controller the rectification of his or her personal data. |
| Right to erasure |
The data subject has the right, as provided by Articles 15 to 22 of the GDPR, to request from the Controller the erasure of his or her personal data. |
| Right to restriction of processing |
The data subject has the right, as provided by Articles 15 to 22 of the GDPR, to request from the Controller the restriction of processing of data concerning him or her. |
| Right to object |
The data subject has the right, as provided by Articles 15 to 22 of the GDPR, to object to the processing of his or her personal data. |
| Right to data portability |
The data subject has the right, as provided by Articles 15 to 22 of the GDPR, to exercise his or her right to data portability. |
| Right to withdraw consent |
The data subject has the right, as provided by Articles 15 to 22 of the GDPR, to withdraw his or her consent to processing. |
| Right to lodge a complaint |
The data subject has the right, pursuant to Article 77 of the GDPR, to lodge a complaint with the competent supervisory authority. |
| AUTOMATED PROCESSING |
| Is there an automated process? |
YES |
| Automated processes or profiling methods |
Without prejudice to the fact that even in the event of consent by the data subject, we will not proceed with the processing (in any case prohibited for profiling purposes) of data suitable for revealing health status or sexual life, we inform you that the processing methods will in any case be relevant and not excessive with respect to the type of goods marketed or services provided. The profiling activity may concern “individual” personal data or “aggregated” personal data derived from detailed individual personal data. Such processing may be carried out using personal data that are also aggregated according to predefined parameters depending on company needs. These data may include various types of personal information, including contractual data and data relating to purchases made, consumption habits and spending levels, procurement of goods and/or services, etc., from which further information relating to each data subject can be inferred (for example, consumption bracket, expenditure level at regular intervals, etc.). We draw your particular attention to the fact that providing personal data and consent to communicate such data to third parties for the purposes described above is entirely voluntary and optional (and in any case revocable at any time without formalities even after being granted), and failure to provide them will only result in the impossibility for the Data Controller to carry out the aforementioned profiling. Even if you have given consent authorizing the Data Controller to pursue profiling purposes, you will remain free at any time to withdraw it by sending a clear communication to that effect without any formalities. Upon receipt of such an opt-out request, the Data Controller will promptly proceed with the removal and deletion of your data from the databases (which in any case are not interconnected or cross-referenced with those used for loyalty purposes) and will inform any third parties to whom the data have been communicated for the same purpose of deletion. The mere receipt of your deletion request will automatically serve as confirmation of the deletion having been carried out. |
| Legal basis |
Explicit consent of the data subject |
The Controller reserves the right to make any changes deemed appropriate or required by applicable laws to this privacy notice, at its sole discretion and at any time. In such cases, users will be duly informed of the changes made.
Information on the processing of personal data
GOCCIA S.R.L. Via Tiburtina km 20.500 - U74 00012 Guidonia Montecelio (RM) PEC gocciasrl@legalmail.it VAT No. 04273501009 Information pursuant to Article 13 of the European Regulation 679/2016 on the protection of personal data [GDPR]. In compliance with the requirements set out in the General Data Protection Regulation, the Data Controller provides the Data Subject with the following information regarding the processing of personal data carried out.
| DATA CONTROLLER |
| Controller |
Mr. Ravicini Gabriele |
| Address |
Via Tiburtina km 20,500 - U74, 00012 Guidonia Montecelio (Rome) |
| VAT No. |
RVCGRL50S06I284Z |
| Contacts |
PEC: gocciasrl@legalmail.it |
| Legal representative |
Ravicini Gabriele |
| Privacy contact person |
Ravicini Gabriele (gocciasrl@legalmail.it) |
| Data protection officer |
Not appointed |
| Joint controllers |
· None |
| If you wish to request further information on the processing of your personal data or to exercise your rights, you may contact the above-mentioned Privacy Contact Person in writing. |
| CATEGORIES OF DATA SUBJECTS |
| List of data subject categories |
Customers or Users, Potential customers, Members, associates and subscribers, Minors |
| PROCESSING PERFORMED |
| Online commercial activities with or without customer loyalty program |
| Description |
Activity concerning the processing of personal data for the production, distribution and online sale of goods or services. It may include customer loyalty management through registration in a loyalty program. |
| ORIGIN, PURPOSE, LEGAL BASIS AND NATURE OF THE DATA PROCESSED |
| Origin |
The data are partly collected from the data subject and partly from third parties. Source description: data may be collected through our own or third-party websites and managed by us through our management systems. The data come from a publicly accessible source. |
| Purpose |
1. Mail order or telephone sales – Consent obtained from the data subject at the time of personal data collection by means of acceptance included in this notice. In the absence of consent, mail order or telephone sales will not be carried out. 2. Electronic or radio/TV sales – Consent obtained from the data subject at the time of personal data collection by means of acceptance included in this notice. In the absence of consent, electronic or radio/TV sales will not be carried out. 3. Customer management – Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. 4. Fulfillment of tax and accounting obligations – Acquisition of data for printing and sending invoices in paper or digital form. 5. Dispute management – Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. 6. Monitoring of contractual obligations – Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. 7. Activity planning – Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. 8. Marketing (market analysis and research) – Consent not required since communications for direct sales of our products/services or for satisfaction or market research use email addresses collected from the data subject in the context of the sale of a product or service similar to the one being sold, and without the data subject’s express refusal of such use, initially or during subsequent communications. Each communication provides the possibility to object at any time to processing (so-called opt-out). 9. Advertising – Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. 10. Promotional activities – Consent obtained from the data subject at the time of personal data collection by means of acceptance included in this notice. In the absence of consent, no promotional profiling of the data subject will be carried out. 11. Customer satisfaction survey – Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. 12. Radio and television information – Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. 13. Customer information about new services/products – Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. 14. Sending of informational and/or advertising material also via telephone or internet and instant messaging applications such as WhatsApp, Messenger, Telegram and similar – Consent obtained from the data subject at the time of personal data collection by means of acceptance included in this notice. In the absence of consent, the sending of such material will not be carried out. 15. Electronic information – Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. 16. Consulting activities – Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. 17. Service provision – Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. |
| Legal basis |
For purposes 1, 2, 3, 5, 6, 7, 9, 10, 11, 12, 13, 14, 15, 16, 17: Consent of the data subject. For purpose 4: Processing is necessary for compliance with a legal obligation to which the controller is subject. For purpose 8: Processing is necessary for the legitimate interest pursued by the controller or by third parties. |
| Personal data processed |
Topics of interest, Tax code and other personal identification numbers, Telephone contact, Bank details, Contact and communication data, Behavioral data, user, consumer, or taxpayer profiles, Residential address, Email address, Name, address or other identifying elements, Declared profession, Video surveillance recordings, Gender (M/F). |
| “Special categories” of data (sensitive data) are defined in Articles 9 and 10 of Regulation (EU) 2016/679 (“GDPR”). Such data are processed in compliance with the GDPR and with the General Authorizations issued by the Italian Data Protection Authority. |
| Special data processed |
- |
| Legal basis art. 9 |
|
| RECIPIENTS OR CATEGORIES OF RECIPIENTS OF PERSONAL DATA |
| Categories of recipients |
The communication of your personal data, carried out on the legal bases provided by Article 6 of Regulation (EU) 2016/679, is envisaged to the following third parties: |
| Judicial offices, Consultants and freelancers (including in associated form), Companies and enterprises, Armed Forces, Police forces, Employers, Trade associations and enterprises, Parent companies, Subsidiaries and affiliates, Associations and foundations, Associated members and subscribers, Judicial authority, Revenue Agency, Internal processors, External processors, Authorized persons, Private individuals or legal entities, Maintenance or goods and service suppliers. |
| These entities, organizations, companies and professionals act as Data Processors appointed by Mr. Gabriele Ravicini, or are themselves Controllers of the personal data transmitted to them. |
| Your personal data, or the personal data of third parties under your ownership, may also be disclosed to external companies, identified from time to time, to whom Mr. Gabriele Ravicini entrusts the performance of obligations arising from the assignment received, to which only the data necessary for the required activities will be transmitted. All employees, consultants, temporary workers, and/or any other “natural person” authorized to process data and carrying out their activities based on the instructions received from Mr. Gabriele Ravicini, pursuant to Article 29 of the GDPR, are designated as “Persons in charge of processing” (hereinafter also “Authorized Persons”). To the Authorized Persons or any appointed Processors, Mr. Gabriele Ravicini issues appropriate operational instructions, particularly regarding the adoption and compliance with security measures to ensure data confidentiality and security. In relation to data protection aspects, you are invited, pursuant to Article 33 of the GDPR, to report to Mr. Gabriele Ravicini any circumstances or events that could result in a potential “personal data breach” in order to allow for immediate assessment and the adoption of any actions to counter such an event, by sending a communication to the contacts indicated above. The obligation of Mr. Gabriele Ravicini to communicate data to Public Authorities upon specific request remains unaffected. |
| TRANSFER ABROAD |
| Transfers to non-EU countries or international organizations |
· Arizona · Transfer subject to adequate safeguards (Art. 46) · Approved code of conduct pursuant to Article 40, together with a binding and enforceable commitment by the data controller or processor in the third country to apply the appropriate safeguards, including with regard to data subjects’ rights. · Personal data are transmitted to a country of the United States of America through the use of CRM software owned by a third party established in the U.S.A. |
| The transfer abroad of your personal data may take place when necessary for the management of the assignment received. For the processing of information and data that may be communicated to these entities, the same level of protection adopted for the processing of our employees’ personal data will be required. In any case, only the data necessary to achieve the stated purposes will be communicated, and the legal instruments provided under Chapter V of the GDPR will be applied. |
| METHODS, LOGIC OF PROCESSING AND RETENTION PERIODS |
| Duration of processing |
Data processed for loyalty purposes, i.e., necessary to enable participation in the loyalty program and management of the loyalty card, will be processed and retained for the administrative duration of the relevant program, or in any case until cancellation and/or termination by the member. In case of withdrawal, deactivation due to non-use within a given period, expiration, or return of the card (as provided in the separate Loyalty Program Regulation), the retention period of personal data for administrative purposes only (and not for profiling or marketing) will not exceed three months (without prejudice to any specific legal obligations regarding accounting documentation). In such cases, the Data Controller has implemented appropriate automatic data deletion mechanisms, including by third parties to whom data may have been communicated. For other purposes, processing will not exceed the period necessary for the purposes for which the data were collected. Video recordings are stored for a maximum period of 24 hours, after which they are automatically deleted. |
| Your data are collected and recorded lawfully and fairly for the purposes indicated above, in compliance with the principles and provisions set forth in Article 5(1) of the GDPR. The processing of personal data is carried out using manual, IT, and telematic tools with logics strictly related to the purposes themselves, and in any case, in a manner that ensures their security and confidentiality. |
| NATURE OF DATA PROVISION |
| The processing of personal data will be carried out for the following purposes: |
| Purposes that do not require consent |
- Fulfillment of tax and accounting obligations – Acquisition of data for printing and sending invoices in paper or digital form. - Marketing (market analysis and research) – Consent not required since communications for direct sales of our own products/services or for satisfaction or market research use email addresses collected from the data subject in the context of the sale of a product or service similar to the one being sold, and without the data subject’s express refusal of such use, initially or during subsequent communications. Each communication provides information on the possibility to object to processing at any time (so-called opt-out). |
| Purposes that require consent |
- Mail order or telephone sales – Consent obtained from the data subject at the time of personal data collection by means of acceptance included in this notice. In the absence of consent, mail order or telephone sales will not be carried out. - Electronic or radio/TV sales – Consent obtained from the data subject at the time of personal data collection by means of acceptance included in this notice. In the absence of consent, electronic or radio/TV sales will not be carried out. - Customer management – Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. - Dispute management – Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. - Monitoring of contractual obligations – Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. - Activity planning – Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. - Advertising – Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. - Promotional activities – Consent obtained from the data subject at the time of personal data collection by means of acceptance included in this notice. In the absence of consent, no promotional profiling of the data subject will be carried out. - Customer satisfaction survey – Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. - Radio and television information – Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. - Customer information about new services/products – Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. - Sending of informational and/or advertising material also via telephone or internet – Consent obtained from the data subject at the time of personal data collection by means of acceptance included in this notice. In the absence of consent, the sending of such material will not be carried out. - Electronic information – Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. - Consulting activities – Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. - Service provision – Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not be carried out. |
| Only with your explicit consent, expressed at the end of this privacy notice, will the data for which consent is required be processed. The provision of such data is, in any case, optional and will not affect the contractual relationship with the Data Controller. |
| For data collected and used for purposes related to the performance of contractual activities and compliance with the legal obligations indicated, your consent is not required. Failure to provide such personal data will make it impossible to proceed with the relationship in question. For data collected and used for the legitimate interests of the Data Controller, your consent is not required (Art. 6(1)(f) GDPR). Providing such data is optional but necessary for the performance of the services offered by the Controller. Refusal to provide them will result in the impossibility of delivering the requested services in whole or in part. |
|
RIGHTS OF THE DATA SUBJECT (Articles 15 to 22 of the GDPR) |
| Right of access |
The data subject has the right, pursuant to Articles 15 to 22 of the GDPR, to request from the Data Controller access to their personal data. |
| Right to rectification |
The data subject has the right, pursuant to Articles 15 to 22 of the GDPR, to request from the Data Controller the rectification of their personal data. |
| Right to erasure |
The data subject has the right, pursuant to Articles 15 to 22 of the GDPR, to request from the Data Controller the erasure of their personal data. |
| Right to restriction of processing |
The data subject has the right, pursuant to Articles 15 to 22 of the GDPR, to request from the Data Controller the restriction of processing concerning them. |
| Right to object |
The data subject has the right, pursuant to Articles 15 to 22 of the GDPR, to object to the processing of their data. |
| Right to data portability |
The data subject has the right, pursuant to Articles 15 to 22 of the GDPR, to exercise their right to data portability. |
| Right to withdraw consent |
The data subject has the right, pursuant to Articles 15 to 22 of the GDPR, to withdraw consent at any time. |
| Right to lodge a complaint |
The data subject has the right, pursuant to Article 77 of the GDPR, to lodge a complaint with the competent supervisory authority. |
| AUTOMATED PROCESSING |
| Is there an automated process? |
YES |
| Automated processes or profiling methods |
Without prejudice to the fact that, even in the case of consent from the data subject, we will not process (as it is in any case prohibited for profiling purposes) data capable of revealing health status or sexual life, we inform you that the processing methods will in any case be relevant and not excessive with respect to the type of goods marketed or services provided. Profiling activities may concern "individual" personal data or "aggregated" personal data derived from detailed individual personal data. Such processing may be carried out using personal data also aggregated according to predefined parameters depending on business needs. These data may include various types of personal information, including contractual data and data relating to purchases made, consumption habits, spending levels, and procurement of goods and/or services, from which additional information relating to each data subject may be inferred (e.g., consumption category, regular spending levels, etc.). We particularly emphasize that providing personal data and consenting to their communication to third parties for the purposes mentioned above is entirely optional (and may be revoked at any time without formalities, even after consent has been given). Failure to provide consent will only result in the Data Controller being unable to carry out the aforementioned profiling. Even if you have given consent authorizing the Data Controller to pursue profiling purposes, you remain free to withdraw it at any time by sending a clear communication to that effect, without any formalities. Upon receiving such an opt-out request, the Data Controller will promptly proceed to remove and delete your data from its databases (which are not interconnected or cross-referenced with those used for loyalty purposes) and inform any third parties to whom the data were communicated for the same purpose. The mere receipt of your deletion request will automatically serve as confirmation that deletion has taken place. |
| Legal basis |
Explicit consent of the data subject |
The Data Controller reserves the right to make any changes deemed appropriate or required by current legislation to this Privacy Policy, at its sole discretion and at any time. In such cases, users will be duly informed of the changes made.
Information on the processing of personal data
GOCCIA 1982 S.R.L. Via delle Genziane, 13/E 00012 Guidonia Montecelio (RM) PEC goccia1982@legalmail.it VAT no. 14801651002 Information pursuant to Article 13 of the European Regulation 679/2016 on the protection of personal data [GDPR] In compliance with the requirements of the General Data Protection Regulation, the Data Controller provides the Data Subject with the following information regarding the processing of personal data carried out.
| DATA CONTROLLER |
| Controller |
Ms. Denise Ravicini |
| Address |
Via delle Genziane 13/E - 00012 Guidonia Montecelio (Rome) |
| VAT / Tax Code |
RVCDNS78A51H501W |
| Contacts |
PEC: goccia1982@legalmail.it |
| Legal representative |
Ravicini Denise |
| Privacy contact person |
Ravicini Denise (goccia1982@legalmail.it) |
| Data Protection Officer |
Not present |
| Joint controllers |
· No joint controllers present |
| If you wish to request further information regarding the processing of your personal data or to exercise your rights, you may write directly to the Privacy Contact person indicated above. |
| CATEGORIES OF DATA SUBJECTS |
| List of categories of data subjects |
Customers or Users, Potential customers, Members, associates and subscribers, Minors |
| PROCESSING ACTIVITIES |
| Online commercial activities with or without customer loyalty programs |
| Description |
Activity related to the processing of personal data for the production, distribution and sale of goods or services online. It may include customer loyalty programs through registration in a loyalty scheme. |
| ORIGIN, PURPOSE, LEGAL BASIS AND NATURE OF THE DATA PROCESSED |
| Origin |
The data are partly collected from the data subject and partly from third parties. Source description: data may be collected through our own or third-party websites managed by us and through our management systems. The data come from a publicly accessible source. |
| Purpose |
1. Mail order or telephone sales - Consent obtained from the data subject at the time of data collection through acceptance included in this notice. Without consent, mail order or telephone sales will not proceed. 2. Online or broadcast sales - Consent obtained from the data subject at the time of data collection through acceptance included in this notice. Without consent, online or broadcast sales will not proceed. 3. Customer management - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not proceed. 4. Fulfilment of tax and accounting obligations - Data acquisition for the issuance and sending of invoices, both in paper and digital form. 5. Dispute management - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not proceed. 6. Monitoring of contractual obligations - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not proceed. 7. Business planning - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not proceed. 8. Marketing (analysis and market research) - Consent not required, as communications for direct sale of the Controller’s own products/services or for satisfaction or market analysis purposes use the email details collected from the data subject during the sale of a product or service similar to that being sold and without the data subject’s express refusal for such use, initially or upon subsequent communications. Each communication includes information on the right to object at any time (so-called opt-out). 9. Advertising - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not proceed. 10. Promotional activities - Consent obtained from the data subject at the time of collection through acceptance included in this notice. Without consent, promotional profiling will not proceed. 11. Customer satisfaction surveys - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not proceed. 12. Broadcast information - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not proceed. 13. Customer information about new services/products - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not proceed. 14. Sending informational and/or advertising material, including by telephone or internet and instant messaging applications such as WhatsApp, Messenger, Telegram, and similar - Consent obtained from the data subject at the time of collection through acceptance included in this notice. Without consent, no informational or advertising material will be sent. 15. Electronic information - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not proceed. 16. Consulting activities - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not proceed. 17. Service provision - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not proceed. |
| Legal basis |
For purposes 1, 2, 3, 5, 6, 7, 9, 10, 11, 12, 13, 14, 15, 16, 17: Consent of the Data Subject. For purpose 4: Processing is necessary to comply with a legal obligation to which the Controller is subject. For purpose 8: Processing is necessary for the pursuit of the legitimate interests of the Controller or third parties. |
| Personal data processed |
Topics of interest, Tax code and other identification numbers, Telephone contact, Bank details, Contact and communication data, Behavioral data, user, consumer, taxpayer profiles, Residential address, Email address, Name, address or other personal identification data, Declared profession, Video surveillance recordings, Gender (M/F). |
| “Special” data (sensitive data) are those defined by Articles 9 and 10 of Regulation (EU) 2016/679 (“GDPR”). Such data are processed in compliance with the GDPR and in accordance with the General Authorizations issued by the Data Protection Authority. |
| Special data processed |
- |
| Legal basis art. 9 |
|
| RECIPIENTS OR CATEGORIES OF RECIPIENTS OF PERSONAL DATA |
| Categories of recipients |
Communication of your personal data is envisaged, carried out on the legal bases provided for by Art. 6 of Regulation (EU) 2016/679, to the following third parties: |
| Judicial authorities, Consultants and professionals (including associated firms), Companies and enterprises, Armed forces, Police forces, Employers, Business associations and trade organizations, Parent companies, Subsidiaries and affiliates, Associations and foundations, Members and subscribers, Revenue Agency, Internal processors, External processors, Authorized persons, Private entities (natural or legal persons), maintenance or service supply companies. |
| These entities, organizations, companies, and professionals act as Data Processors appointed by Ms. Denise Ravicini, or they themselves are Controllers of the personal data transmitted to them. |
| Your personal data, or the personal data of third parties in your ownership, may also be communicated to external companies, identified from time to time, to which Ms. Denise Ravicini entrusts the performance of tasks deriving from the assignment received, and to which only the data necessary for the required activities will be transmitted. All employees, consultants, temporary staff, and/or any other “natural person” authorized to process data and operating based on the instructions received from Ms. Denise Ravicini, pursuant to Art. 29 of the GDPR, are designated as “Authorized Data Processors” (hereinafter also referred to as “Authorized Persons”). To the Authorized Persons or Processors, where designated, Ms. Denise Ravicini issues appropriate operational instructions, particularly regarding the adoption and observance of security measures to ensure the confidentiality and security of data. Specifically, with reference to data protection aspects, you are invited, pursuant to Art. 33 of the GDPR, to promptly report to Ms. Denise Ravicini any circumstances or events that may lead to a potential “personal data breach” so that an immediate assessment and any necessary countermeasures can be undertaken, by sending a communication to the contacts indicated above. Ms. Denise Ravicini remains obliged to communicate data to Public Authorities upon specific request. |
| TRANSFER ABROAD |
| Transfers to foreign countries (non-EU) or international organizations |
· Arizona · Transfer subject to adequate safeguards (Art. 46) · Approved code of conduct under Article 40, together with the binding and enforceable commitment by the data controller or processor in the third country to apply appropriate safeguards, including for the rights of data subjects · Personal data are transmitted to a country in the United States of America through the use of a CRM software owned by a third party established in the USA. |
| The transfer abroad of your personal data may occur when necessary for the management of the assignment received. For the processing of information and data that may be communicated to these entities, levels of protection equivalent to those adopted for the processing of the Controller’s own employees’ personal data will be required. In any case, only the data necessary for the achievement of the intended purposes will be communicated, and the regulatory instruments provided for by Chapter V of the GDPR will be applied. |
| METHODS, LOGIC OF PROCESSING, AND RETENTION PERIOD |
| Duration of processing |
The data collected for loyalty purposes, i.e., those necessary to allow participation in the loyalty program and the management of the fidelity card, will be processed and retained for the administrative duration of the program or until cancellation and/or termination by the participant. In the event of withdrawal, deactivation due to non-use within a certain period, expiration, or return of the card (as provided by the separate Loyalty Program Regulation), the retention period of personal data for administrative purposes only (and not for profiling or marketing) shall not exceed three months (subject to specific legal obligations regarding the retention of accounting documentation). The Data Controller, in such cases, has implemented appropriate mechanisms for the automatic deletion of data, including by third parties to whom they may have been communicated. For other purposes, processing will last no longer than necessary for the purposes for which the data were collected. Video surveillance footage is retained for a maximum of 24 hours, after which it is automatically deleted. |
| Your data are collected and recorded lawfully and fairly for the above purposes, in compliance with the principles and provisions of Art. 5(1) of the GDPR. Personal data are processed using manual, computer, and telematic tools, according to logic strictly related to the stated purposes, and in any case in a manner that ensures their security and confidentiality. |
| NATURE OF DATA PROVISION |
| The processing of personal data will be carried out for the following purposes: |
| Purposes that do not require consent |
- Fulfilment of tax and accounting obligations - Data acquisition for the issuance and sending of invoices, both in paper and digital form. - Marketing (analysis and market research) - Consent not required, as communications for the direct sale of own products/services or for satisfaction or market analysis purposes use the email addresses collected from the data subject during the sale of a product or service similar to that being sold and without the subject’s express refusal for such use, initially or upon subsequent communications. Each communication includes information on the right to object at any time (so-called opt-out). |
| Purposes that require consent |
- Mail order or telephone sales - Consent obtained from the data subject at the time of data collection through acceptance included in this notice. Without consent, mail order or telephone sales will not proceed. - Online or broadcast sales - Consent obtained from the data subject at the time of data collection through acceptance included in this notice. Without consent, online or broadcast sales will not proceed. - Customer management - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not proceed. - Dispute management - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not proceed. - Monitoring of contractual obligations - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not proceed. - Business planning - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not proceed. - Advertising - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not proceed. - Promotional activities - Consent obtained from the data subject at the time of data collection through acceptance included in this notice. Without consent, promotional profiling will not proceed. - Customer satisfaction surveys - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not proceed. - Broadcast information - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not proceed. - Customer information about new services/products - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not proceed. - Sending informational and/or advertising material, including by telephone or internet - Consent obtained from the data subject at the time of data collection through acceptance included in this notice. Without consent, such material will not be sent. - Electronic information - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not proceed. - Consulting activities - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not proceed. - Service provision - Explicit consent obtained from the data subject, stored in our management systems and specific assets, without which the described activities will not proceed. |
| Only with your explicit consent, to be expressed at the bottom of this notice, will data whose purposes require consent be processed. The provision of data is optional and will not affect the existing contractual relationship with the Data Controller. |
| For data collected and used to perform activities related to the contractual relationship and to comply with the legal obligations indicated, your consent is not required. Failure to provide the above personal data will make it impossible to continue the relationship in question. For data collected and used for the legitimate interests of the Data Controller, your consent is not required (Art. 6, letter f, GDPR). The communication of the above personal data is optional but necessary to provide the services offered by the Controller. Any refusal to provide such data will result in the impossibility of providing, in whole or in part, the requested services. |
|
RIGHTS OF THE DATA SUBJECT (Articles 15 to 22 of the GDPR) |
| Right of access |
The data subject has the right, pursuant to Articles 15 to 22 of the GDPR, to request from the Controller access to their personal data. |
| Right to rectification |
The data subject has the right, pursuant to Articles 15 to 22 of the GDPR, to request from the Controller the rectification of their personal data. |
| Right to erasure |
The data subject has the right, pursuant to Articles 15 to 22 of the GDPR, to request from the Controller the erasure of their personal data. |
| Right to restriction |
The data subject has the right, pursuant to Articles 15 to 22 of the GDPR, to request from the Controller the restriction of processing concerning them. |
| Right to object |
The data subject has the right, pursuant to Articles 15 to 22 of the GDPR, to object to the processing of their personal data. |
| Right to data portability |
The data subject has the right, pursuant to Articles 15 to 22 of the GDPR, to exercise their right to data portability. |
| Right to withdraw consent |
The data subject has the right, pursuant to Articles 15 to 22 of the GDPR, to withdraw consent at any time. |
| Right to lodge a complaint |
The data subject has the right, pursuant to Article 77 of the GDPR, to lodge a complaint with the competent supervisory authority. |
| AUTOMATED PROCESSING |
| Is there an automated process? |
YES |
| Automated processes or profiling methods |
Without prejudice to the fact that even in the case of the data subject’s consent we will not process (as it is in any case prohibited for profiling purposes) data capable of revealing health status or sexual life, please note that the processing methods will in any case be relevant and not excessive with respect to the type of goods marketed or services provided. Profiling activities may concern “individual” personal data or “aggregated” personal data derived from detailed individual personal data. Such processing may involve personal data also aggregated according to predefined parameters depending on business needs. These data may include various personal information, including contractual data and data relating to consumption, purchases made, spending habits and levels, procurement of goods and/or services, etc., from which additional information may be inferred for each data subject (e.g., consumption range, regular spending level, etc.). Please note that providing personal data and consenting to their communication to third parties for the purposes described above are entirely optional (and revocable at any time without formalities, even after having been given), and the lack of provision will only result in the Controller being unable to perform the mentioned profiling. Even if you have consented to allow the Controller to pursue profiling purposes, you remain free to withdraw consent at any time by sending a clear communication to that effect, without formalities. Upon receipt of such an opt-out request, the Controller will promptly proceed to remove and delete your data from its databases (which are not interconnected or cross-referenced with those used for loyalty purposes) and inform any third parties to whom the data have been communicated for the same purpose. The mere receipt of your deletion request will automatically serve as confirmation that deletion has occurred. |
| Legal basis |
Explicit consent of the data subject |
The Data Controller reserves the right to make any changes deemed appropriate or required by current legislation to this Privacy Policy, at its sole discretion and at any time. In such cases, users will be duly informed of the changes made.
