Personal data refers to “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” and images (Article 4, paragraph 1, no. 1 of the GDPR).
1. The Data Controller of the Personal Data
The Data Controller of your personal data is Sergio Rossi S.p.A. with registered office in Via Stradone, 600/602 (47030), San Mauro Pascoli (Forlì-Cesena), Italy, telephone: +39 0541 – 813111; fax: +39 0541 – 813345; email: email@example.com (hereinafter also simply “Sergio Rossi” or the “Data Controller”).
2. Categories of personal data processed
2.1. Personal data you voluntarily provided
As part of your commercial relationships with Sergio Rossi, the personal data you provided directly when you registered on the Website will be processed: name, surname, address, telephone numbers, email addresses, national insurance number, VAT no., credit card number, bank details, date of birth and password.
2.2 Personal data collected by Sergio Rossi S.p.A. via company IT systems and applications
As part of your commercial relationship, Sergio Rossi may process the following personal data that has been gathered via company IT tools and applications that are in use at the company:
- log files of the traffic generated on the internet by Sergio Rossi IT systems (for example: registering and managing your personal account, managing your wish list and your purchase history);
- sales data for Sergio Rossi products: purchase method, as well as the type, quantity and price of the Sergio Rossi products purchased.
2.3 Personal data of third parties
You acknowledge that any disclosure of the personal data and contact information of any person other than yourself within the context of the commercial relationship with Sergio Rossi (for example, if you purchase a product to be sent to another person or when the person who pays for the purchase is not the person to whom the product is being sent, or when you want to recommend a service on this Website to a friend) represents the processing of personal data, whereby you are the data controller of the personal data of the aforementioned persons. For this reason, when providing Sergio Rossi with this data, you must guarantee that: i) the personal data that you may disclose to Sergio Rossi has been processed by yourself in accordance with current privacy provisions and ii) the aforementioned third parties have been duly informed by yourself in advance concerning the methods and purposes of the processing and have given their consent.
3. Purposes of Personal Data Processing and Legal Basis
Your personal data will be processed, with your prior and express consent, when necessary, for the purposes and on the legal basis which are explained in more detail below.
3.1. Establishing, Executing and Managing the Commercial Relationship
Your personal data referred to in paragraphs 2.1 and 2.3 above will be processed to:
- fulfil the legal obligations which apply to Sergio Rossi in accordance with civil, fiscal and accounting regulations;
- establish, execute and manage the commercial relationship and/or to provide auxiliary services for the same commercial relationship. Specifically, for: administrative and accounting purposes; issuing invoices and credit notes; customer data management; fulfilling and sending purchase orders; post-sales support: management of returns and any complaints;
- Website registration and managing your personal account.
The legal basis for the processing of your personal data for the purposes referred to above in paragraph 3.1 is the commercial relationship to which you are party.
3.2 Sergio Rossi Marketing Activity
Your personal data referred to in paragraphs 2.1 and 2.2 above will be processed for promotional activities – via automatic (email, fax, SMS and MMS) or traditional tools (telephone calls with an operator, paper-based mail) – by Sergio Rossi, which include:
- sending newsletters, brochures, catalogues and presentations;
- sending commercial and/or promotional communications, information and updates on Sergio Rossi products and services;
- invitations to special events (promotional sales, fashion shows);
- studies, market research and statistical surveys.
The legal basis for the processing of your personal data for the purposes referred to above in paragraph 3.2 is your explicit prior consent.
3.3 Sergio Rossi Profiling Activities
Your personal data referred to in paragraphs 2.1 and 2.2 above will be processed via partly-automated profiling (in this instance, the Data Controller will only analyse the sales data of Sergio Rossi products, i.e. the purchase method, type, quantity and price of the Sergio Rossi products you purchased and/or viewed) to:
- develop and/or create profiles based on your preferences and your purchases;
- personalise your experience with Sergio Rossi in line with your interests and your purchase habits.
However, this partly-automated profiling is not deemed to produce legal ramifications for you or to have a similarly significant effect on you.
The legal basis for the processing of your personal data for the purposes referred to above in paragraph 3.3 is your explicit prior consent.
4. Mandatory or optional provision of your personal data and the consequences should you refuse
4.1 The provision of your personal data for the purposes referred to in paragraph 3.1 is optional; however, failure to provide said data will make it impossible for you to register on the Website and to establish and/or continue a commercial relationship and/or for the services connected to this relationship to be provided.
4.2 The provision of your personal data for the purposes referred to in paragraphs 3.2 and 3.3 is optional and failure to provide said data will have no effect on your ability to purchase products or receive the services requested; however, we will not be able to inform you about promotions and commercial initiatives or send you invitations to events or assess your interests and preferences.
We would also like to specify that if you have given the Data Controller your consent to carry out the purposes referred to in paragraphs 3.2 and 3.3 above, you are nonetheless still able to withdraw your consent at any time and/or oppose the processing of your data for the aforementioned purposes. This can be done on your personal page on the Website or by sending a clear written notification – without any formalities – to this effect to the addresses listed in paragraph 10 “Contacts for exercising the rights of the data subject and other information” which can be found below.
5. Methods used to process personal data
Your personal data will be processed via manual, IT and telematic tools, as well as paper means.
In particular, your personal data will be processed by Sergio Rossi Customer Relationship Management (“Sergio Rossi CRM”) whose servers are located in Italy. The inclusion of your personal data in the Sergio Rossi CRM is optional and occurs only if you provide consent for the purposes referred to in paragraphs 3.2 and 3.3. Once added to the Sergio Rossi CRM, your personal data may be read, changed and updated by employees of the Sergio Rossi S.p.A. offices and the employees of Sergio Rossi Stores in Italy and abroad, who have been specifically appointed as data processors.
The personal data you have provided will not be subject to fully-automated decision making.
6. Recipients of personal data
Your personal data may be communicated and/or transferred to:
(i) persons appointed by Sergio Rossi to process data, who have been given specific written instructions:
- employees in the marketing and event organisation department;
- employees in the public relations department;
- employees in the retail and wholesale department;
- employees in the IT department;
- employees in the purchasing department;
- employees in the administration and finance department;
- employees in the quality control department;
- employees in the shipping department;
(ii) entities that provide services to Sergio Rossi S.p.A. which the latter has appointed as data processors:
- event service companies and public relations agencies;
- banks we use or those you have indicated to carry out and verify payments;
- IT service providers connected to running the website and its e-commerce service and to respond to requests regarding the rights of the data subject: Diana E-commerce Corporation S.r.l.;
- entities that provide delivery and labelling services, also for invitations;
- entities responsible for customer support;
- ContactLab S.p.a.;
- Sergio Rossi subsidiaries and associated companies: Sergio Rossi USA Inc., Sergio Rossi Hong Kong Ltd, Sergio Rossi Shanghai Ltd, Sergio Rossi Japan Ltd and Sergio Rossi Retail S.r.l.;
(iii) entities that provide services for Sergio Rossi S.p.A. as independent data controllers:
- legal, fiscal and accounting consultants;
- external auditing firm: PricewaterhouseCoopers;
- public authorities in the event of fiscal and financial audits.
For a complete and updated list of the entities to whom your data is communicated, you can write to Sergio Rossi S.p.A. at the addresses given in Article 10 below “Contacts for exercising the rights of the data subject and other information”.
7. Duration of personal data storage
7.1 For the purposes referred to in paragraph 3.1, your personal data will be kept for the entire duration of the commercial relationship and for a period of 10 years after the commercial relationship has come to an end.
7.2 For the purposes referred to in paragraph 3.2, your personal data will be kept for 2 years from the relative registration in our systems.
7.3 For the purposes referred to in paragraph 3.3, your personal data will be kept for 1 year from the relative registration in our systems.
Your personal data will be kept on the servers of Diana E-Commerce Corporation S.r.l. located within the European Union.
8. Transfer of personal data outside of the EU
Your personal data will only be transferred outside of the European Union with your prior express consent.
9. Exercising the rights of the data subject
Pursuant to Articles 13, paragraph 2, letters b), c) and d), 15, 16, 17, 18, 19, 20 and 21 of the GDPR, we would like to inform you that:
- you are entitled to request access to your personal data combined with information on the purposes for which it is being processed, the category of personal data processed, the entities or categories of entities to which it has been or will be communicated (with an indication of whether these entities are located in third countries or are organised internationally) and – when possible – indications on the storage period of personal data or the criteria used to determine this period, the existence of your rights to rectify and/or delete the personal data, to limit its processing and to object to its processing and your right to lodge a complaint with a supervisory body, as well as indications on the origin of the data and the existence and reasoning applied in the instance of automated decision making. If you exercise this right, and unless otherwise indicated, you will receive an electronic copy of your data that is subject to processing.
- You are also entitled to obtain:
  - the rectification of your personal data if it is inaccurate or incomplete;
  - the deletion of your personal data if one of the conditions pursuant to Article 17 of the GDPR exists (for example: if your personal data is no longer required for the purposes for which it was collected, you decide to withdraw your consent to processing – where this is the legal basis – and there is no other legal foundation for the processing, you oppose the processing and there is no other legitimate interest of the Data Controller or your data has been processed illegally);
  - the restriction of the processing of your personal data 1) for the time required by Sergio Rossi to ascertain the accuracy of your personal data (in the instance that you have disputed it), or 2) where the processing of your personal data is illegal or you request the restriction of its processing instead of its deletion, or 3) when Sergio Rossi no longer requires your personal data but it is needed for you to ascertain, exercise or defend a right in court, or, lastly, 4) for the time needed to assess the possible prevalence of the legitimate reasons of the Data Controller with respect to your own, if you have opposed the processing of your personal data pursuant to point c below;
  - your personal data in a structured, commonly used and machine-readable format, also in order to transfer it to another data controller, if the processing is based on consent or on a contract and is carried out with automated methods (the right to data portability). If you would so like, you may ask Sergio Rossi to send your personal data directly to another data controller if this is technically feasible.
- You are also entitled to oppose the processing of your personal data if it is processed pursuant to Article 6.1, lett. e) (i.e. to carry out a public service with which the Data Controller is vested) or lett. f) (i.e. to pursue a legitimate interest of the Data Controller) of the GDPR, unless compelling legitimate reasons of the Data Controller exist to proceed with the processing, pursuant to Article 21 of the GDPR.
- You are also entitled to withdraw your consent at any time without impairment to the lawfulness of the processing of your personal data based on consent that was carried out before your withdrawal.
- If you are not satisfied by the way your personal data is processed by Sergio Rossi, you can lodge a complaint with the Italian Data Protection Authority, following the procedures and instructions published on the Authority’s official website (www.garanteprivacy.it).
Exercising the above rights is without any form of restriction and free of charge. We will only ask that you verify your identity before carrying out further actions subsequent to your request.
10. Contacts for exercising the rights of the data subject and other information
10.1 To exercise your rights and/or receive any kind of information concerning how the commercial relationship established via the Website is managed, you can write to: Diana E-commerce Corporation S.r.l., Via San Daniele 137/139, Torreglia (Padua), Italy or send a fax to +39 049.810970 or an email to: firstname.lastname@example.org.