PRIVACY NOTICE PURSUANT WITH ARTICLES 12, 13 AND 14 OF THE REGULATION (EU) 2016/679 (“GDPR”)
1. ANGELINI BEAUTY S.P.A. hereby provides the Notice required pursuant with Articles 12, 13 and, if applicable, 14 of the GDPR in relation to the processing of the personal data of the data subject through the compilation and signing of the Contract for the purchase of the products/services offered up for sale by ANGELINI BEAUTY S.P.A., spontaneously uploading personal data to this website (in particular through filling in forms) or simply browsing it.
2. Data controller and contact data
The Data Controller is ANGELINI BEAUTY S.P.A., with registered office in Milan, at Via Melchiorre Gioia, 8 – 20124 Milan, Italy, VAT no. MI 03262350 964, tel. +39 0371 408 1, e-mail firstname.lastname@example.org, website http://www.angelinibeauty.com/ (hereinafter referred to as the “Website”).
3. Principles applicable to processing
In compliance with the provisions of the GDPR, ANGELINI BEAUTY S.P.A. strives constantly to ensure that personal data is:
(a) processed lawfully, correctly and transparently;
(b) collected for specific, explicit and lawful purposes and thereafter processed in such a way as not to be incompatible with such purposes;
(c) adequate, pertinent and limited to that necessary for the purposes for which it is processed;
(d) exact and, if necessary, updated;
(e) stored for a period of time that does not exceed the purpose for which it was processed;
(f) processed, by means of suitable technical and organizational measures, in a manner able to guarantee the relevant security;
(g) processed, if by virtue of consent given, by decision made freely by the data subject, on the basis of a request made in a manner that can be clearly distinguished from the rest, in an understandable, easily accessed manner, using simple, clear language.
ANGELINI BEAUTY S.P.A. implements technical and organizational measures that are adequate to assure the protection of personal data right from the design stages, and to guarantee that, by predefined settings, only the data necessary for each specific purpose of processing is effectively processed.
ANGELINI BEAUTY S.P.A. collects and gives due consideration to any indications, observations and opinions expressed by the data subject and sent to the above contact details, so as to implement a dynamic privacy management system that can assure the effective protection of persons in respect of the processing of their data.
This Notice may be amended as the reference legislation and the technical and organizational measures adopted by ANGELINI BEAUTY S.P.A., evolve; the data subject is therefore asked to kindly visit this section of the Website from time to time to view any updates and the Disclosure in the text in force over time.
4. Methods of personal data processing
Personal data is processed both manually and using electronic instruments, with logics that are strictly related to the purposes of the processing and, in any case, such as to guarantee the security and confidentiality of said data.
5. Purposes and legal basis of personal data processing
- (5a) Purposes for which data processing is necessary
The personal data supplied by the data subject is mainly processed for the execution of the Contract and the management, more generally, of the relationship arising from the Contract and, if applicable, to allow the data subject to take part in prize-giving events organized by Angelini Beauty S.p.A. or to use the services offered through the Website or respond to specific requests made by the data subject, including through the “CONTACTS” section. The conferral of data for the processing in question is mandatory; therefore, failure, partial or inexact conferral of such data will make it impossible to stipulate and/or execute the Contract and for the data subject to use the products/services offered by ANGELINI BEAUTY S.P.A. or take part in the prizegiving events indicated above or receive a reply to the requests sent. The legal basis for the processing carried out in connection with the above-specified purposes is to execute precontractual or contractual undertakings. The personal data supplied by the data subject may also be processed if this should be necessary to fulfill a legal obligation to which ANGELINI BEAUTY S.P.A. is subject, to safeguard the vital interests of the data subject or another natural person or to pursue the legitimate interest of ANGELINI BEAUTY S.P.A. itself or third parties, as long as the interests or rights and fundamental freedoms of the data subject do not prevail; in these cases too, the conferral of data is mandatory. The legal basis for the processing carried out in connection with the above purposes is to execute legal obligations or the legitimate interest of ANGELINI BEAUTY S.P.A. or a third party.
- (5b) Additional purposes of processing following specific, express consent by the data subject
In addition to for the above purposes of processing, the personal data conferred/acquired may also be processed, after obtaining consent by the data subject, to be expressed by checking the box «I agree» on the Contract or Website (or using the other social or web applications of ANGELINI BEAUTY), also to carry out market research or make commercial and promotional communications over the telephone (including using the mobile telephone number supplied) and automated contact systems (e-mail, SMS, MMS, fax, etc.) about ANGELINI BEAUTY products/services or those of other companies of the Group of which ANGELINI BEAUTY is a member. Additionally, upon obtaining consent by the data subject, the data will be processed by ANGELINI BEAUTY for profiling for marketing purposes, and, therefore, for example to send advertising messages and other targeted commercial information, in line with the data subject’s preferences, their tastes and consumer habits. The data collected may be enriched and cross-matched with data obtained from other sources (e.g. browsing data on other ANGELINI BEAUTY websites) in order to create a single profile of the data subject on the basis of which to send customized advertising using automated contact means and on all devices. Consent for the purposes of processing indicated under this point (5b) is optional; therefore, following a potential refusal, data will only be processed for the purposes indicated under point (5a) above, save as specified below in reference to the legitimate interests of the data controller or third parties. The legal basis for the data processing for marketing and marketing profiling purposes is the consent given by the data subject.
6. Categories of personal data processed
The processing carried out by ANGELINI BEAUTY, both to execute the Contract and by virtue of express consent given by the data subject, does not generally regard special categories of personal data (which disclose racial or ethnic origin, political opinions, religious beliefs, health or sexual orientation, etc.), nor genetic and biometric data or legal data (relative to criminal convictions and offenses). However, it cannot be excluded that in order to fulfill obligations stemming from the Contract, ANGELINI BEAUTY may be required to store and/or process special data, such as that relating to health (e.g. if a person has allergies) of the data subject or third parties. The legal basis for the processing of special data consists of the explicit consent given by the data subject or third party or the ascertainment, exercise or defense of a right in a court of law. ANGELINI BEAUTY also processes browsing data. The computer systems and software procedures used to operate the websites, during normal operation, acquire certain personal data, the transmission of which is implicit in the use of Internet communication protocols. This is information that is not collected to be associated with subjects who are identified, but which, by nature, may enable the identification of the data subject. This category of information includes geolocation data, IP addresses, browser type, operating system, domain name and addresses of websites from which access is obtained or exit, information about the pages visited by the users within the website, time of access, time spent on the individual page, analysis of internal paths and other parameters relative to the user’s IT environment and operating system. This is, therefore, information that, by nature, through processing and association with data held by third parties, may make it possible to identify the users.
7. Source of personal data
The personal data processed by ANGELINI BEAUTY is collected directly by ANGELINI BEAUTY from the data subject when and while browsing the Website (or using other social or web applications pertaining to ANGELINI BEAUTY) or filling in the registration form or, also through commercial representatives, during or after stipulating the Contract at the time of its execution, or from public sources. As specified above, in order to fulfill the obligations arising from the Contract, ANGELINI BEAUTY S.P.A. may store and/or process data, in particular relating to browsing and potentially also special data, of the data subject or third parties, available to or acquired by the data subject, upon obtaining the consent of said third parties.
8. Legitimate interest
The legitimate interest of the data controller or third parties may constitute a valid legal basis of the processing, as long as the interests or rights and fundamental freedoms of the data subject do not prevail. As a general rule, such legitimate interest may exist where there is a pertinent, appropriate relationship between the data controller and the data subject, for example when the data subject is a customer of the data controller. More specifically, ANGELINI BEAUTY has a legitimate interest to process the personal data of the data subject: to prevent fraud, for direct marketing purposes (if Angelini Beauty S.p.A. uses, for the direct sale of its products or services, the e-mail addresses provided by the data subject during similar services to those concerned by the sale and the data subject does not object to the processing), to ensure the free movement of such data within the entrepreneurial Group to which ANGELINI BEAUTY belongs for administrative and accounting purposes, or relative to traffic, in order to guarantee the security of the networks and information, i.e. the capacity of a network or system to withstand unforeseen events or unlawful acts that may compromise the availability, authenticity, integrity and confidentiality of the data.
9. Transfer of personal data
- (9a) Communication of personal data – categories of recipients
In addition to being carried out by employees and sundry collaborators of ANGELINI BEAUTY (who have been authorized to perform the processing by virtue of suitable written operating instructions, in order to guarantee data confidentiality and security), certain processing operations may also be carried out by third parties to which ANGELINI BEAUTY entrusts such activities, or part thereof, functional to the purposes described under point (5a) and, therefore, both in the fulfillment of contractual and legal obligations, including, worthy of mention but naturally merely by way of example: commercial and/or technical partners; companies providing banking and financial services; companies providing document archiving services; debt collection companies, auditing companies and those certifying financial statements ratings companies; subjects providing ANGELINI BEAUTY with professional assistance and consultancy; companies offering customer care activities; factoring companies, loan securitization companies or other forms of transfers of receivables; companies of the Group to which ANGELINI BEAUTY belongs; subjects providing commercial information; IT service companies. The subjects belonging to said categories process the personal data as autonomous data controllers or data processors, with reference to specific processing operations that come under the scope of the contractual provisions that the subjects themselves provide in the favor/interests of ANGELINI BEAUTY; ANGELINI BEAUTY gives data processors specific written operating instructions, with specific reference to the adoption of suitable security measures, so as to be able to guarantee data confidentiality and security. Some processing operations may be carried out by third parties to whom ANGELINI BEAUTY S.P.A. entrusts certain activities or part thereof, also functionally to the purposes pursuant to point (5b), including, worthy of mention but naturally merely by way of example: commercial and/or technical partners; companies institutionally providing marketing services; advertising agencies; subjects providing assistance and consultancy with reference to competitions and prize-giving events. The subjects belonging to said categories process the personal data as autonomous data controllers or data processors, with reference to specific processing operations that come under the scope of the contractual provisions that the subjects themselves provide in the favor/interests of ANGELINI BEAUTY S.P.A.; ANGELINI BEAUTY S.P.A. gives data processors specific written operating instructions, with specific reference to the adoption of suitable security measures, so as to be able to guarantee data confidentiality and security. By submitting a written request to the office of ANGELINI BEAUTY S.P.A., a list is available, updated periodically, of the autonomous data controllers and data processors with which ANGELINI BEAUTY S.P.A. entertains relations. Personal data may also be disclosed, if so requested, to the competent authorities, in fulfillment of obligations deriving from essential provisions of the law.
- (9b) Transfer of personal data to third countries
The personal data of the data subject may also be transferred abroad, both to European Union Member States and outside the European Union and, in this latter case, either on the basis of a decision of adequacy or under the scope of and with the suitable guarantees envisaged by the GDPR (therefore, in particular, in the presence of data protection type contractual clauses approved by the European Commission) or, outside the above hypotheses, where one or more of the derogations envisaged by the GDPR applies (in particular by virtue of explicit consent by the data subject or for the execution of the Contract stipulated by the data subject or for the execution of a contract stipulated between ANGELINI BEAUTY and another natural person or legal entity in the favor of the data subject). In the event of data transfer to countries outside the European Union, the data subject is allowed, by sending a written request to this effect to the office of ANGELINI BEAUTY, to find out which countries and the suitable guarantees given, or the derogations, that make the cross-border processing legitimate. It is agreed that in the event of the transfer of data outside the European Union, the data subject can in any case make any requests relating to the data, including to exercise the rights granted him by the GDPR, by contacting ANGELINI BEAUTY.
10. Personal data retention period
For the purposes pursuant to point (5a) above, the retention period for the personal data given by the data subject and the consequent potential processing thereof coincides with the period for statute-barring of the rights/duties (legal, tax, etc.) arising from the Contract: this tends to be 10 years, save for any onset of events that would interrupt statute-barring and effectively consequently extend said period. For the purposes pursuant to point (5b) above, the storage period of data given by the data subject and the consequent potential processing thereof ends when the consent given previously by the data subject is revoked or, for lack of such, in any case once 24 months have passed in respect of the purpose of carrying out direct marketing and 12 months for profiling for direct marketing.
11. Rights of the data subject and how to exercise them
ANGELINI BEAUTY acknowledges and facilitates the exercise by the data subject of all rights envisaged by the GDPR, in particular the right of access to personal data and to obtain a copy thereof (Art. 15 GDPR), to rectification (Art. 16 GDPR) and to erasure (Art. 17 GDPR), to the restriction of processing (Art. 18 GDPR), data portability (Art. 20 GDPR, where conditions are met) and to object to processing (Articles 21 and 22 GDPR for the hypotheses detailed therein and, in particular, to processing for direct marketing purposes and/or profiling for direct marketing purposes and/or processing based on the legitimate interest of the Data Controller or a third party, or which results in an automated decision-making process, including profiling, which has legal effects that regard him, where conditions are met). ANGELINI BEAUTY also acknowledges that where processing is based on consent, the data subject has the right to revoke said consent at any time, without prejudice to the lawful nature of processing based on consent given prior to revocation. To do so, the data subject can unsubscribe at any time, using the specific link at the foot of each commercial communication received, or by contacting ANGELINI BEAUTY using the details given above. These same details can be used to exercise the other rights of the data subject specified above. ANGELINI BEAUTY also informs the data subject that he has the right to make a complaint to the Italian Data Protection Authority, which is the control authority operating in Italy and to bring a legal petition both against a decision made by the Data Protection Authority and in regard to ANGELINI BEAUTY and/or a data processor.
12. Security of systems and personal data
Taking into account the state-of-the-art and the costs of implementation, as well as the nature, subject, context and purposes of processing, as well as the risk, in terms of probability and severity, for the rights and freedoms of natural persons, ANGELINI BEAUTY takes technical and organizational measures that are deemed appropriate to guarantee an adequate level of security in respect of the risk, in particular permanently assuring the confidentiality, integrity, availability and resilience of the systems and services used for processing (including through the encryption of personal data where necessary) and the capacity to promptly restore data availability in the event of a physical or technical incident and adopting internal procedures aimed at testing, verifying and regularly assessing the effectiveness of the technical and organizational measures employed. In assessing the appropriate level of security, due consideration is given to the risks involved with the processing that arise in particular from the destruction, loss, modification, unauthorized disclosure of or access to, accidentally or illegally, personal data that is transmitted, stored or otherwise processed. ANGELINI BEAUTY will take action to ensure that anyone acting by its authority and with access to personal data does not process such data unless instructed to do so by ANGELINI BEAUTY.
13. Automated decision-making processes, including profiling
ANGELINI BEAUTY may carry out automated processing, including processing, in connection with the purposes pursuant to point (5b) above, in order to optimize Website browsing (or the usability of other social or web applications of ANGELINI BEAUTY) and to improve the purchasing experience, save that specified above with regard to the right of the data subject to object and revoke consent.