EXTENDED DISCLOSURE UNDER ARTICLES 12, 13, AND, WHERE APPROPRIATE, 14 OF GDPR—REGULATION (EU) 2016/679 RELATING TO THE PROTECTION OF NATURAL PERSONS, WITH REGARD TO THE TREATMENT OF PERSONAL DATA (FOLLOWS GDPR)
The following disclosure is intended for all subjects visiting and interacting with the present e-commerce website of the company Lesy di Cosi Lisetta Srl (“Lesy”), where it is possible to buy products online. The website is managed by Prismi Spa, on behalf of Lesi di Cosi Lisetta Srl.
Lesy and Prismi, acting as proprietor(Lesy) and manager (Prismi) shall treat the personal data You will provide at the time of registration and for the possible conclusion of the online sales contract of a product, in accordance with the provisions of the EU Regulation 679/2016 (the “Regulation”).
The Controller presents below the disclosure under atricles 12, 13, and, where appropriate, 14 of GDPR relating to the treatment of the personal data provided by the Client/subject through the compilation and subscription of the Contract to buy the products/services offered for sale by the Controller itself, voluntarily loading personal data on this website (in particular filling out forms), or simply navigating there.
Data Controller and Contact Data
Principles Applicable to The Treatment of Data
In conformity with the prescriptions of the GDPR, the Controller constantly ensures that the personal data will be:
a) processed lawfully, fairly and in a transparent manner;
b) collected for specified, explicit and legitimate purposes, and not further processed in a way incompatible with those purposes.
c) appropriate, pertinent and limited to what is necessary with regard to the purposes for which they are processed;
d) accurate and, if necessary, kept up to date.
e) kept no longer than is necessary for the purposes for which they are processed.
f) processed using appropriate technical and oganisational measures to ensure the security of its services.
g) processed, where pursuant to consent,, depending on a decision freely made by the Client/subject, on the basis of a request made in a manner clearly distinguishable from the rest, in a comprehensible and easily accessible form, using a simple and clear language.
The Controller shall adopt all the technical and organisational measures in order to guarantee the protection of the personal data by design, and to guarantee that, by default, only the personal data which are necessary for each specific purpose of the processing will be processed,
These privacy statements may be subject to amendments, in accordance with the development of the relevant legislation and of the technical and organisational measures adopted in time by the Controller; the Client/subject is therefore kindly requested to periodically visit this section of the website, to view the latest updates and the current text of the disclosure.
- Modalities of Personal Data Processing
The processing of personal data is carried out both manually and by electronic means, using criteria that are strictly conneccted with the porposes indicated below, and in any case, so as to guarantee the safety and confidentiality of data.
4.The Purposes of Personal Data Processing
(4a) The Purposes That Make Data Processing Necessary
All personal data supplied by the Client/subject are mainly processed for the execution of the Contract and the management of the credit, and, more in general, of the relation arising from the Contract itself.
In particular, within the context of such purposes, Lesy will keep Your personal data, inter alia, in order to
–allow You to access the e-commerce website even as a non regular user, and to navigate the website;
–allow You to register, creating an account, and to take advantage of the services accessible only to registered users, among which, in particular, is the possibility to buy through the website;
–allow You to access the Boutique and navigate there as a logged in user;
–keep and manage Your account:
–memorise in Your account data and information such as, by way of example, Your biographical data, Your order history and possible return history, Your favourite delivery and/or billing address;
–allow You to put the products in Your cart and to conclude the purchase contract through the Boutique.
—allow You to subscribe to Lesy’s NEWSLETTER: should the user decide to subscribe to the “Newsletter di lesi.it”, only after his/her possible, clear and specific consent, will the personal data be processed by the Controller in order to send commercial or promotional information, updates on the latest trends, new arrivals, exclusive offers, special events and promotions. To annull the subscription it is enough to click on the unsubscribe link that can be found at the bottom of the received e-mails, or to write to the address email@example.com
Providing data for this latter purpose is optional: there is therefore no legal or contractual obligation to do so; however, as their processing is necessary to grant access to the Boutique and/or the services for the managing and keeping of the account, as well as the conclusion of any purchase contract through the website, failing to provide such data will imply the user’s impossibility to access and/or navigate the website and/or register to the Boutique, as well as to take advantage of the services accessible only to registered users, and/or to conclude a purchase contract through the Boutique.
(4b) Further Purposes of Data Processing following the Client/subjet’s clear and specific consent
Beside the above mentioned purposes, the personal data that have been provided/acquired can be processed, prior consent of the Client/subject to be given by ticking the box “give consent” on the Contract or on the website (or using other social or web applications of the Controller), also for the implementation of market surveys and commercial and promotional communications, via telephone (also using the mobile number provided) and automated contact systems (e-mail, text message, MMS message, fax, etc.), on products/services of the Controller or of other companies of the Group to which the Controller may belong.
The consent for the processing purposes referred to in this point (4b) is optional; therefore, following a possible denial, the data will be processed for the sole purposes mentioned in the previous point (4a), except for what is specified below, with reference to the Controller’s or third parties’ legitimate interests.
- Types of personal data processed
The Controller will process mainly contact/identifying data (first name, last name, addresses, type and number of identification form, telephone numbers, e-mail, billing addresses, or others) and, should commercial transactions be allowed, financial data (of a banking nature, in particular bank account identifiers, credit card numbers, or any other data connected with the above mentioned commercial transactions).
The Controller’s data processing , both for the execution of the Contract and on the basis of the express consent of the Client/subject, doesn’t generally cover specific kinds of personal data, known as sensitive data (which may reveal race, ethnicity, political opinions, religion, state of health or sexual orientation, etc.), nor genetic or biometric data, nor judicial data (concerning criminal records and crimes).
However, it cannot be excluded that the Controller, in order to perform the obligations in the contract, may have to keep and/or may need to process any sensible, genetic, biometric or judicial data of the Client/subject or of third parties, that the Client/subject may hold as Controller; in this case, the Controller’s data processing will take place on the basis of, under the conditions and within the limits of the appointment by the Client/subject of the Controller itself as Controller.
The Controller, acting as Controller with reference to the Website and, potentially, as Controller appointed (within the above mentiomed limits) by the Client/subject, will process also the so called navigation data. The informatic systems and software procedures operating the websites, during their regular activity acquire personal data, the transmission of which is implicit in the use of internet communication protocols. Such information is not collected in order to be connected with identified subjects, but, given its own nature, may allow the subject’s identification. Among this information are geolocation data, IP addresses, kinds of browser, operating system, domain name and addresses of websites through which the login/logout was made, information on the pages visited by the users within the website, login time, time spent on a specific webpage, analysis of the inside path and other parameters concerning the operating system and the user’s informatic environment. Such information, therefore, by its own nature allows the users’ identification through the elaboration and association with data kept by third parties.
- Source of Personal Data
The personal data processed by the Controller shall be collected from the Client/subject by the Controller itself at the moment of, and during his/her navigation on the website, that is, also through its commercial staff, during or after the signature of the contract, or during the execution phase of the contract, that is, from public sources.
- Legitimate interests
The legitimate interests of the Controller or of third parties may provide a sound legal framework for data processing, provided that the subject’s interest, rights or fundamental freedoms do not prevail. In general, such legitimate interests may exist when a proper and approriate relationship is established between the Controller and the subject, for instance when the subject is a client of the Controller. In particular, it constitutes a legitimate interest of the Controller to process the personal data of the Client/subject: in order to prevent frauds, for direct marketing purposes, that is, related to the traffic, in order to guarantee the safety of the Internet and of the information, which is to say, the ability of a net or a system to resist unforseen events or illicit acts that may jeopardize the availability, the authenticity, the integrity and the confidentiality of the data.
- Circulation of the personal data
(8a) Communication of the personal data – kinds of recipients
Besides the Controller’s employees and the people who collaborate in various ways with the Controller (and who are authorized by the Controller itself to process the data on the basis of adequate written operational instructions, in order to be able to guarantee the confidentiality and safety of the data), some data processing may be taken care of also by third parties, to whom the Controller entrusts some activities, or parts thereof, that are functional to the purposes referred to in point (4a), that is, in execution of both contractual and legal obligations, among which should be mentioned, but, inevitably, are not limited to, the followig: commercial and/or technical partners; companies providing banking and financial services; companies performing services of document archiving; collection agencies; accounting firms; firms that certify the budget data; credit rating agencies; subjects providing the Controller with assistance and professional advice; customer care centres; factoring firms; companies dealing with debt securitisation or that are otherwise transferees of the credit claim; subjects providing commercial information; companies providing IT services. The subjects belonging to the aforementioned categories shall process the personal data themselves as independent controllers, that is, as controllers, with reference to specific processing operations that fall within contract performances that the subjects themselves perform in favour of/in the interest of the Controller; the Controller gives these Data Controllers clear written operational instructions, with special reference to the adoption of basic safety measures, in order to be able to guarantee the privacy and safety of the data. Some processing operations can be conducted by third parties, to which the Controller entrusts some activities, or parts thereof, also functionally to the purposes referred to in point (4b); among these should be mentioned, but are inevitably not limited to, the following: commercial an/or technical partners; companies that offer marketing services; advertising agencies; subjects providing assistance and consulting services with reference to premiums and prize contests. All subjects belonging to the aforementioned categories shall process personal data as independent data controllers, that is, as controllers themselves, with reference to specific processing procedures that fall under the contract, and that are performed in favour of/in the interest of the Controller. The Data Controller shall give these controllers clear written operational instructions, with specific reference to the adoption of basic safety measures, in order to be able to guarantee the confidentiality and the safety of data.
Prior written request to be sent to the headquarters of the Controller, is available the list, subject to regular updating, of the controllers with which the Data Controller itself maintains relations.
Personal data may, moreover, be communicated on request to the competent authorities, in accordance with obligations under mandatory legal regulations.
(8b) Transfer of Personal Data to Third Countries
The management and storage of personal data will take place on the server of the Controller and/or of third companies duly appointed External Controllers, located within the European Community.
Personal data may be transferred abroad, in accordance with the legislation in force, even to Countries that do not belong to the European Community. The transfer to non-EU countries, besides those cases where this is guaranteed by the Commission’s adequacy decision, is performed so as to provide appropriate and proper guarantees, pursuant to articles 46 or 47 or 49 of the Regulation.
- Criteria to Establish The Storage Period of Personal Data
Concerning the purposes referred to above in point (4a), the storage period of personal data supplied by the Client/subject, and their following potential processing, coincides with the prescription period of legal, fiscal (etc.) rights/duties deriving from the Contract: approximately 10 years, therefore, except if events should occur that, interrupting the prescription period, might prolong that period.
For the purposes referred to above in point (4b), the storage period of the data provided by the Client/subject, and their consequent potential treatment, ends with the withdrawal of the consent previously given by the Client/subject him/herself, or, in the absence of such withdrawal, one year after the termination of any relationships between the Controller and the Client/subject.
In any case, care shall however be taken by the Company to avoid any use of data without a time limit, suitably verifying on a regular basis the actual, persisting interest of the subject to which the data refer.
- The Chlient/subject’s rights
The Controller aknowledges—and facilitates the Client’s/subject’s exercise of—all the rights provided by GDPR, in particular the right to request access to his/her personal data and to copy them (art. 15 GDPR), modify them (art. 16 GDPR) and cancel them (art. 17 GDPR); the right to the restriction of the processing of data that concern him/her (art. 18 GDPR), to the protability of personal data (art. 20 GDPR, if the conditions of that provision are met), and to object to the processing of the data relating to him/her (art.21 and 22 GDPR), for the cases mentioned there, and, in perticular, for the processing of data for marketing purposes, or that may result in automated decision-making, including profiling, that may produce legal effects concerning him/her, if the conditions of that provision are met).
Should the processing of data be consent based, the Controller also aknowledges the Client’s/subject’s right to withdraw his/her consent at all times, without affecting the lawfulness of processing, based on consent before withdrawal. To do so, the Client/subject can unsubscribe at all times on the website (or on other social or web applications of the Controller), or by clicking on the unsubscribe link at the bottom of each commercial communication received, or contacting the Controller at the above mentioned addresses.
The Controller further informs the Client/subject of the right to bring complaints to DPAs, as supervisory authority operating in Italy, and to seek a judicial remedy, both disputing a decision of the Authority, and against the Controller itself and/or whoever is responsible for data processing.
- Safety of The Systems and of The Personal Data
Taking into account the state of the art and the implementation costs, as well as the nature, object and purposes of data processing, and even the risk, in terms of probability and severity, for the rights and freedoms of natural persons, the Controller adopts technical and organisational measure held appropriate to guarantee a safety level appropriate for the risk, in particular ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services (also by encrypting personal data, if necessary) and the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, and adopting internal procedures aiming to test, verify and evaluate on a regular basis the effectiveness of the technical and organisational measures adopted.
The evaluation of the adequate level of security takes into account the risks implicit in the processing of data, deriving in particular from the destruction, loss, alteration, unauthorised disclosure of, or accidental or unlawful access to personal data transmitted, stored or otherwise processed.
The Controller shall make all reasonable eforts to make sure that whoever may act under its authority, having access to personal data, shall not process such data unless instructed to do so by the Controller itself.
Having stated all of this, the Client/subject aknowldedges and accepts that no security system guarantees, in terms of certainty, the absolute protection of data; therefore, the Controller is not responsible for acts or facts by third parties that, despite all the cautions exercised, may illegaly access the systems without the due authorizations.
- Automated decision-making, included profiling
The Controller may carry out automated processing, including profiling, in relation to the purposes above mentioned in point (4b) in order to optimize the navigability of the website (or the use of other social or web applications of the Controller) and to improve the buying experience, except for what above specified with reference to theClient’s/subject’s right to object and withdraw consent.
By “profiling” is meant any form of automated processing of personal data aiming to evaluate certain aspects relating to a natural person, in particular to analyze or predict such aspects as, for instance, the latter’s personal preferences, interests, or location, also in order to create profiles, that is, groups of subjects homogeneous in terms of characteristics, interests or behaviours.
The controller shall not make use of any automated processing that may produce legal effects concerning the Client/subject or that may similarly significantly affect him/her, except if this is necessary for the conclusion or execution of the Contract, if this is authorized by law or is based on the explicit consent of the Client/subject, in any case always aknowledging the latter’s right to require human intervention, to express his/her opinion and to contest the decision.