This page contains the personal data protection policy with regard to processing personal data of users who register on the Sergio Rossi website (hereinafter also referred to simply as the “User” or collectively as the “Users”) and/or who intend to establish a business relationship with Sergio Rossi S.p.A. with or without prior registration on the website, accessible electronically from the address sergiorossi.com (hereinafter also referred to simply as the “Website”). This policy is issued pursuant to Article 13 of EU Regulation no. 2016/679, containing measures for the protection of physical persons with regard to the processing of personal data and the free circulation of said data (hereinafter also simply “GDPR”).
Personal data refers to “any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” and images (Article 4, No. 1 of the GDPR).
1. Data Processors and Data Protection Officer for the Processing Of Users’ Personal Data
Sergio Rossi S.p.A. (Tax no. 05820951001 and VAT No. 03132190400) with registered office in San Mauro Pascoli (FC), at Via Stradone, 600/602 (47030), tel.: +39 0541 – 813111; email: firstname.lastname@example.org, as Data Controller for Users’ personal data, shall process said data for the purposes referred to in paragraphs 3.1. “Registering on the Website and creating a personal account”, 3.3. “Sergio Rossi Marketing Activity” and 3.4. “Sergio Rossi profiling activities” that follow (hereinafter also referred to simply as “Sergio Rossi”).
Sergio Rossi has designated a Data Protection Officer (DPO) who may be contacted directly at the following email address: email@example.com.
Sergio Rossi, for some purposes as more fully explained in paragraph 3.2. “Establishment, execution and management of the business relationship”, will be partnered by Diana E-commerce Corporation Srl (Tax code and VAT No. 05097740285) with registered offices in Torreglia (PD), at Via San Daniele, 137/139, 35038, email: firstname.lastname@example.org, which will act as co-owner for processing (hereinafter also individually, “Diana E-commerce” and jointly, Sergio Rossi and Diana E-commerce, the “Co-owners”).
Diana E-commerce has appointed a Data Protection Officer (DPO) whom the Data Subject may contact by writing to the following address: email@example.com.
The Co-owners, which process Users’ personal data for the purposes referred to in paragraph 3.2. “Establishment, execution and management of the business relationship” acting as Co-owners pursuant to article 26 of the GDPR, state that they have entered into a co-ownership agreement, whose essential content is available to Users at the premises of the Co-owners, to whom Users may write in the manner indicated in paragraph 11 “Contacts for exercising the rights of the data subject and other information” below.
2. Categories Of personal data processed
2.1. Personal data voluntarily provided by the User
Sergio Rossi will process the following personal information provided by the User directly for the purposes of:
- ensuring the registration on the Website and creating a personal account: first name and surname, telephone numbers, email addresses and passwords.
- finalising an order for the purchase of a product sold on the Sergio Rossi Website: first name and surname, telephone number, address, tax ID code, VAT number, credit card, bank account details and date of birth.
The personal data of Users referred to in paragraph 2.1.2 will also be processed by Diana E-commerce, as co-owner.
2.2. Personal data collected by Sergio Rossi S.p.A. via company IT systems and applications
Both for registration on the Website and for finalising a purchase through the Sergio Rossi product Website, Sergio Rossi will process the following personal data, collected through information technology tools and company application services used by the company:
- browsing data and log files and log data for the network traffic generated by Sergio Rossi IT systems (for example: registering and managing your personal account, managing your wish list, and your purchase and access history);
- sales data for Sergio Rossi products: purchase method, as well as the type, quantity and price of the Sergio Rossi products purchased.
The personal data of Users referred to in paragraph 2.2.1 (limited to the navigation data) and paragraph 2.2.2 will also be processed by Diana E-commerce, as co-owner.
2.3 Personal data of third parties
The User acknowledges that the indication of any personal and contact data of any party other than the User within the framework of the commercial relationship for the purchase of Sergio Rossi products (for example, if the User has purchased a product that is to be delivered to another person, or when the person that pays for the purchase of a product is not the person for whom the product is destined, or when the User intends to inform a friend of a service provided on the Website) represents an instance of personal data processing for which the User acts as the data controller of the personal data of the aforementioned subjects. Therefore, when providing said data to Sergio Rossi, the User must ensure that: i) any personal data submitted by the User to Sergio Rossi have been processed by the User in compliance with the measures in force regarding data protection and ii) that the aforementioned third parties have been duly informed by the User in advance regarding how said data are processed and for what purposes, and that they have provided the User with due authorisation.
The personal data of Users referred to in paragraph 2.3 will also be processed by Diana E-commerce, as co-owner.
3. Purposes Of Personal Data Processing And Legal Basis
The User's personal data will be processed, with the User’s prior and express consent where necessary, for the purposes and on the legal basis which are explained in more detail below.
3.1. Registering On The Website And Creating A Personal Account
The personal data referred to in paragraph 2.1.1 will be processed by Sergio Rossi for registration on the Website and the creation and management of the User's personal account.
The legal basis for the processing of personal data for the purposes referred to above in paragraph 3.1 is the commercial relationship to which the User is party.
3.2. Establishment, Execution And Management Of The Commercial Relationship
The personal data referred to in paragraphs 2.1.2, 2.2 and 2.3 above will be processed by the Co-owners to:
- fulfil the legal obligations that apply to the co-owners in accordance with civil, fiscal and accounting regulations;
- for the establishment, execution and management of the commercial relationship and/or to provide the services connected with said commercial relationship. And specifically, for: administrative and accounting purposes; issuing invoices and credit notes; customer data management; fulfilling and sending purchase orders; post-sales support: management of returns and any complaints, also via the “Contact us” form on the Website.
The legal basis for the processing of personal data for the purposes referred to above in paragraph 3.2 is the commercial relationship to which the User is party.
3.3. Sergio Rossi Marketing Activities
The personal data of the User as set forth in paragraphs 2.1 and 2.2 above will be processed by Sergio Rossi - using automated tools (email, fax, sms, instant messaging and mms) or traditional means (telephone calls with an operator employed by Sergio Rossi, traditional mail) – for promotional activities, such as:
- sending newsletters, brochures, catalogues and presentations;
- sending commercial and/or promotional communications, information and updates on Sergio Rossi products and services;
- invitations to special events (promotional sales, fashion shows);
- market research.
The legal basis for the processing of personal data for the purposes referred to above in paragraph 3.3 is the User's explicit prior consent.
3.4. Sergio Rossi Profiling Activities
The personal data of Users indicated in paragraphs 2.1 and 2.2 above will be processed by automated profiling. In this instance, Sergio Rossi will only analyse the sales data of Sergio Rossi products, i.e. the purchase method, type, quantity and price of the Sergio Rossi products the User purchased and/or viewed to:
- develop and/or create profiles based on the User’s preferences and purchases;
- personalise the User’s experience with Sergio Rossi in line with their interests and purchase habits.
However, it is not deemed that partly-automated profiling will produce legal ramifications for the User or have a significant effect on the User in a similar manner.
The legal basis for the processing of personal data for the purposes referred to above in paragraph 3.4 is the explicit prior consent of the User.
4. Mandatory or optional provision of the user’s personal data - consequences of refusal
4.1. The provision of the User's personal data for the purposes referred to in paragraph 3.1 and 3.2 is optional. However, failure to provide said data will make it impossible for them to register on the Website, to create a personal account, or to establish and/or continue a commercial relationship and/or for the services connected to this relationship to be provided.
4.2. The provision of the User’s personal data for the purposes referred to in paragraphs 3.3 and 3.4 is optional and failure to provide said data will have no effect on their ability to register on the Website and/or create a personal account and/or purchase products and/or receive the services requested. However, we will not be able to inform Users about promotions and commercial initiatives or send invitations to events or assess their interests and preferences.
We would also like to specify that if Users have given their consent to authorize Sergio Rossi to carry out activities for the marketing and profiling purposes referred to in paragraphs 3.3 and 3.4 above, they are nonetheless still able to withdraw consent at any time and/or oppose the processing of their data for the aforementioned purposes, also with regard to Users’ contact details (for example, if Users wish to have their data processed via traditional contact details, they can oppose processing of their contact details through automated means). This can be done on your personal page on the Website or by sending a clear written notification – without any formalities – to this effect to the addresses listed in paragraph 11 “Contacts for exercising the rights of the data subject and other information” which can be found below.
5. Methods used to process personal data
Your personal data will be processed via manual, IT and electronic tools, as well as paper means.
In particular, the User’s personal data will be processed by Sergio Rossi Customer Relationship Management (“Sergio Rossi CRM”). The inclusion of the User's personal data in Sergio Rossi’s CRM for the purposes set out in paragraphs 3.3. and 3.4. (marketing and profiling) is optional and occurs only in the event of release of the User's consent, while for the purposes referred to in points 3.1. and 3.2. (registration and account creation and purchase of a Sergio Rossi product) above, the inclusion of personal data in Sergio Rossi’s CRM is necessary in order to allow Sergio Rossi to properly manage and execute the Website registration and sales relationship to which the User is party. Once added to Sergio Rossi’s CRM, your personal data may be read, amended and updated by employees of the Sergio Rossi S.p.A. offices and the employees of Sergio Rossi Stores in Italy and abroad, who have been specifically appointed as data processors.
6. Recipients Of Personal Data
6.1. Your personal data may be disclosed by Sergio Rossi to:
(i) persons appointed by Sergio Rossi to process data, who have been given specific written instructions:
- employees in the marketing and event organisation office;
- employees in the omni-channel office;
- employees in the public relations department;
- employees in the retail and wholesale department;
- employees in the IT office;
- employees in the purchasing department;
- employees in the administration and finance department;
- employees in the quality control office;
- employees in the shipping office;
(ii) parties that provide services for Sergio Rossi S.p.A. appointed in writing as data processors by the latter:
- event service companies and public relations agencies;
- banks used by Sergio Rossi to carry out and verify payments;
- IT service providers, related to the management of the website including the cloud service and e-commerce service;
- entities that provide delivery and labelling services, also for invitations;
- entities responsible for customer support;
- Sergio Rossi subsidiaries and associated companies: Sergio Rossi USA Inc., Sergio Rossi Hong Kong Ltd, Sergio Rossi Shanghai Ltd, Sergio Rossi Japan Ltd, Sergio Rossi Retail S.r.l., Sergio Rossi UK Ltd; Sergio Rossi Deutschland GmbH;
(iii) parties that provide services for Sergio Rossi S.p.A. as independent data controllers:
- legal, fiscal and accounting consultants;
- external auditing firm: PricewaterhouseCoopers;
- judicial and/or public authorities in cases of express request or in the event of fiscal and financial audits.
For a complete and updated list of the entities to whom your data is disclosed, you can write to Sergio Rossi S.p.A. at the addresses given in article 11 below “Contacts for exercising the rights of the data subject and other information”.
6.2. To achieve the purposes for which personal data are collected, Diana E-commerce may use the following categories of party to whom the data may be disclosed or who can learn about them as data processors:
- providers of IT services, such as direct marketing, internet services and cloud computing;
- persons performing logistics, warehouse, promotion, supply, sale and delivery of Diana E-commerce products and services;
- entities responsible for customer support;
- studios and other entities that provide assistance, consultancy and entertainment services, such as legal, tax, accounting, financial and economic, technical and organizational, data processing, communication;
- entities that provide banking, financial, insurance and credit recovery services;
- persons providing fraud control activities on payments;
- subsidiary companies, parent companies and associated companies;
- supervisory and monitoring organisations;
- other companies as part of a merger, acquisition or sale of the company or a branch thereof.
The updated list of the personal data processing personnel is available from Diana E-commerce, to which the User may send a specific request via the procedures indicated in article 11 below "Contacts for exercising the rights of the data subject and other information".
7. Duration Of Personal Data Storage
7.1. For the purposes set out in paragraph 3.1. (registration on the Website), the User's personal data will be stored by Sergio Rossi until the account has been closed by the User. In any case, it is understood that if your account is not operational for 10 years after the last use (e.g. last accessed) of the account by the User, Sergio Rossi will delete personal data relating to the registration and management of the account.
7.2. For the purposes set out in paragraph 3.2. (establishment, execution and management of the business relationship), the User's personal data will be processed by the Co-owners for the duration of the business relationship and for a period of 10 years following the termination of the business relationship, except in cases in which additional storage is justified by additional requirements of law, litigation and/or requests made by the competent authorities.
7.3. For the purposes set out in paragraph 3.3. (marketing), personal data will be stored by Sergio Rossi for 5 years after obtaining consent and the corresponding recording in the CRM of Sergio Rossi, or until the revocation of consent.
7.4. For the purposes set out in paragraph 3.4. (profiling), personal data will be stored by Sergio Rossi for 5 years after obtaining consent and the corresponding message to the CRM Sergio Rossi, or at least until the withdrawal of consent.
The Site and its services are not intended for minors and therefore Sergio Rossi and Diana E-commerce do not knowingly process personal data of persons under 18 years of age.
9. Transfer of personal data outside of the EU
The personal data of Users may be transferred, for the purposes for which they are collected, to the UK and USA, which are outside the European Union.
In the event that for the purposes described above, personal data of Users should be transferred to countries outside the EU, Sergio Rossi and Diana E-commerce, each for its own purposes, inform that the transfer of data outside the EU will always be in accordance with the provisions of applicable privacy legislation, which is based on an adequacy decision of the European Commission in relation to the non-EU country to which the personal data of Users will be transferred or, failing that, by obtaining consent, when necessary, or by the adoption of any other measures necessary to ensure the security of personal data that is transferred (these measures include, for example, contractual agreements based on standard contractual clauses as identified by the European Commission) or otherwise to subscribers to the Privacy Shield list, a self-certification mechanism for companies established in the US who wish to receive personal data from the European Union in accordance with EU Implementing Decision 2016/1250 adopted by the European Commission on July 12, 2016.
10. Exercising the rights of the data subject
In accordance with Articles 13, paragraph 2, letters b), c) and d), 15-22 of GDPR, Sergio Rossi and Diana E-commerce – the latter limited to the purposes set forth in paragraph 3.2 “Establishment, execution and management of the business relationship” – inform that Users:
- have the right to request access to their personal data, together with information on the purposes for which they are being processed, the category of personal data processed, the subjects or categories of subjects to which they have been or will be communicated (with an indication of whether these are subjects located in third-party countries or are international organisations) and – when possible – indications on the storage period of personal data or the criteria used to determine this period, the existence of their rights to rectify and/or delete the personal data, to limit the processing thereof and to object to the processing thereof, and their right to lodge a complaint with a supervisory body, as well as indications on the origin of the data and the existence and reasoning applied in the instance of automated decision-making processes. If they exercise this right, and unless otherwise indicated by the User, they will receive an electronic copy of their personal data that is subject to processing.
- Users are also entitled to obtain:
- the rectification of their personal data if inaccurate or incomplete;
- the deletion of their personal data, if one of the conditions pursuant to article 17 of the GDPR exists (for example: if personal data are no longer required for the purposes for which they were collected, if they decide to withdraw their consent for processing – where this is the legal basis therefor – and where there are no other legal grounds for the processing, the User objects to the processing and there is no other legitimate prevailing interest of the Data Controller, or the User’s data has been processed illegally);
- the restriction of the processing of the User’s personal data: 1) for the time required by Sergio Rossi to ascertain the accuracy of their personal data (in the instance that a User has disputed it), or 2) where the processing of their personal data is illegal or the User requests the restriction of processing instead of deletion, or 3) when Sergio Rossi no longer requires the User’s personal data, but said data are needed for the User to ascertain, exercise or defend a right in court, or, lastly, 4) for the time needed to assess the possible prevalence of the legitimate reasons of Sergio Rossi over those of the User, if the User has opposed the processing of his/her personal data pursuant to point C below;
- their personal data in a structured, commonly used and machine-readable format, also in order to transfer it to another data controller, if the processing is based on consent or on a contract and is carried out with automated methods (the right to data portability). If in their interests, Users may ask Sergio Rossi and/or Diana E-commerce to send their personal data directly to another data controller, if this is technically feasible.
- Users are also entitled to oppose the processing of their personal data if it is processed pursuant to article 6.1, letter e) (i.e. to carry out a public service the Data Controller is authorised to perform) or letter f) (i.e. to pursue a legitimate interest of the Data Controller) of the GDPR, unless compelling legitimate reasons of the Data Controller exist to proceed with the processing, pursuant to article 21 of the GDPR.
- Users are also entitled to withdraw their consent at any time without prejudice to the lawfulness of the processing of their personal data based on consent and carried out before said withdrawal.
- If they are not satisfied with the way their personal data is processed by Sergio Rossi, Users can lodge a complaint with the Italian Data Protection Authority, following the procedures and instructions published on the Authority’s official website (www.garanteprivacy.it).
- Any rectification or deletion of personal data or processing restrictions implemented at the request of the User – except where impossible or requiring disproportionate effort – will be communicated by Sergio Rossi to each of the recipients to whom Users’ personal data may have been disclosed in accordance with this information.
Exercising the above rights is without any form of restriction and free of charge. Sergio Rossi may ask that Users verify their identity before carrying out further actions subsequent to their request.
11. Contacts for exercising the rights of the data subject and other information
- a written communication to Sergio Rossi S.p.A. (Tax no. 05820951001 and VAT no. 03132190400), based in Via Stradone, no. 600/602, San Mauro Pascoli (Forli-Cesena), Italy, or send an email to: firstname.lastname@example.org or
- a written communication to Diana E-commerce Corporation Srl, Via San Daniele 137/139 Torreglia (PD), 35038, or email to: email@example.com, limited to the purposes set out in paragraph 3.2. “Establishment, execution and management of the commercial relationship”.