This document describes the methods of managing the Website with reference to the processing of the personal data of users who consult it and describes the policy on the processing of personal data that Palazzo di Varignana adopts within its organization.
CONTROLLER AND CONTACT DETAILS
Following access to and consultation of this Website, data relating to identified or identifiable persons may be processed.
Pursuant to the GDPR, the Controller is the company Palazzo di Varignana S.r.l. (hereafter “Controller”), which has its registered office at Via della Zecca, 2, 40141 Bologna (BO), Italy - VAT no. & Tax Code 0265821204, Tel +39 0510827029, Fax +39 0510822435, E-mail: firstname.lastname@example.org (hereafter also “Company”), through its legal representative.
RECIPIENTS AND/OR CATEGORIES OF PERSONAL DATA RECIPIENTS
- Hosting and back-end infrastructure;
- Platform support and management for the services and products offered by the Controller;
- Shipping and logistics;
- Website administration;
- Cookie management;
- Marketing campaign and newsletter management.
The user can ask the Controller for an up-to-date list of Processors at any time through the contact details provided above.
Finally, the personal data of the user may be communicated to public and private entities and/or subjects in order to fulfill specific obligations provided for by laws, regulations, EU legislation and/or for obligations relating to payments for services. Such subjects shall act as independent Controllers.
LOCATION OF DATA PROCESSING
The processing related to the web services of this site and described through it takes place mainly at the headquarters of Palazzo di Varignana S.r.l., by personnel officially appointed and trained in the area of personal data protection. No data deriving from the web services is communicated by the Company to third parties if the purpose of the processing is not strictly relevant or imposed by laws or regulations. The processing related to the web services of this site that takes place at the premises of the Controller is handled by in-house personnel, officially trained and appointed for such processing, or by third parties that are appointed as the Processor.
PURPOSE AND LEGAL BASIS FOR THE PROCESSING
Your personal data may be processed for the following purposes:
1) Processing of data in order to purchase products and services of the Controller.
Through its Website, the Controller offers users the possibility to purchase products or services.
The processing is carried out in order to implement the contract entered into by the user according to Art. 6(1)(b) of the GDPR.
Personal data provided voluntarily and optionally by users is used only for the purpose of performing the requested service and is not communicated to third parties unless the communication is imposed by legal obligations or is strictly relevant and necessary for the fulfillment of the requests.
In particular, any personal data provided voluntarily by the data subjects will be collected electronically and processed, also with the use of electronic means directly and/or through third parties (e.g., companies for the e-mail service, companies for website hosting) for the following purposes:
- to allow registration, to follow the status of orders, to consult the order history, to access support services, to take advantage of services that may be activated from time to time;
- to check the availability of products;
- to allow the sale and shipment of the purchased items;
- execution of the order;
- payment and invoicing;
- transport and delivery, shipping and logistics.
The data will be processed in electronic and paper format to guarantee the execution of the sale under the agreed conditions.
2) Information and/or support at the request of the data subject
The processing of the personal data of users is necessary when, at the request of the user, the Controller provides support and/or information on the products and/or services or in order to acknowledge a contact request from the user through the contact and customer care section.
2.1 WhatsApp channel for support service requests
The Controller provides a support service for users through the WhatsApp channel. The Controller will only process the user’s personal data (phone number, first name, last name) through the instant messaging platform for the sole purpose of dealing with the request.
The processing is carried out in order to handle the user’s support request according to Art. 6(1)(b) of the GDPR. The Controller invites the user not to communicate or share any additional personal information that is not strictly necessary for the support service.
3) Performance of operations that allow browsing of the Website pages
4) Statistical processing of aggregated data in relation to the Website services
In order to stay up to date on any new initiatives of the Controller, users can choose to opt in voluntarily and optionally to the newsletter service. The processing can only take place with prior optional consent under Art. 1(1)(a) of the GDPR.
The data subject may, at any time, exercise the right to unsubscribe from the newsletter and/or withdraw his or her consent under the rights recognized by the GDPR.
By selecting the relevant check box, the user declares/consents to receive marketing communications, to find out about new initiatives and the sponsorship of products or services provided by the Controller. Such communications may be made through automated means, in compliance with the applicable privacy regulations. Users can decide not to receive any marketing communications at any time by using the opt-out link at the bottom of each message and in any case exercising the relative right to withdraw consent. The processing takes place on the basis of prior optional and voluntary consent under Art. 1(1)(a) of the GDPR.
TYPE OF PERSONAL DATA PROCESSED
The personal data processed by the Controller, relevant and necessary with respect to the aims pursued, falls within the definition of personal data pursuant to Art. 4 of the GDPR and could concern the following categories: first name, surname, e-mail, phone number, date of birth (optional), country of origin (optional), destination address, payment method, billing address, shipping address, order date, customer IP address, device used, total purchased, type of product purchased, experience purchased, date and time of experience/purchase, purchase channel, language used, and type of discount used.
With reference to browsing data, the computer systems and software procedures used to operate this Website acquire, during their normal operation, some personal data whose transmission is implicit to the use of Internet communication protocols. This information is not collected in association with identified data subjects, but by its very nature could, through processing and association with data held by third parties, allow users to be identified. This data category includes the IP addresses or domain names of computers used by users who connect to the Website, Uniform Resource Identifier (URI) addresses of the requested resources, the time of the request, the method used to submit the request to the server, and other parameters related to the user’s operating system and computing environment. The optional and voluntary sending of e-mails to the addresses indicated on the Website or by filling out the appropriate contact form involves the acquisition of the user’s personal data, as indicated therein, which is necessary to respond to user requests.
TRANSFER OF PERSONAL DATA TO NON-EU COUNTRIES
Personal data may be transferred to a non-EU country, subject to the conditions set out in the GDPR. Specifically, the above transfer may be put in place, without specific authorizations, if the third country to which the data is transferred falls under those which guarantee an adequate level of protection according to the European Commission. In the absence of such an adequacy decision adopted by the European Commission, this transfer to third countries can be carried out by adopting the adequate guarantees referred to in Art. 46 of the Regulation, based on which the above-mentioned personal data transfer occurs. In the absence of an adequacy decision or additional guarantees, the transfer of personal data to third countries can be carried out if the terms are met and the additional conditions set out by the GDPR exist, including the possibility to make use of the derogations for specific situations in Art. 49 of the GDPR.
DATA RETENTION TIMES
We hereby inform you that the data supplied and processed by Palazzo di Varignana S.r.l. for the purpose of purchasing products or services of the Controller will be kept for 5 years from the termination of the processing. If the user has submitted a request for support through the WhatsApp channel or through the contact and customer care form, the data will be processed only for the time necessary to fulfill the request.
If the user has given consent, the personal data will be kept for 12 months from the time of subscription to the newsletter and for 24 months in relation to the processing for marketing purposes. This is without prejudice to other retention times required by law and the possibility of revoking consent or exercising all the rights granted to the data subject by the GDPR and indicated below in this policy.
As for browsing data, the Controller will delete this information 12 months after the last online interaction that occurred in relation to the Controller’s communications or the content published on the Website for which the Controller has direct evidence of this interaction (e.g., clicks, opening, response).
NATURE OF THE PROVISION OF DATA
The processing of personal data for the purposes of the performance of services and data subject requests is necessary. However, if the user does not provide the necessary personal data, the Controller will not be able to supply the service and/or respond to the request.
As far as marketing purposes and the newsletter are concerned, the provision of data is optional and there are no consequences for the requested service and for the execution of the service.
DATA SUBJECT RIGHTS
Data subjects may, where the conditions exist, exercise all the rights recognized under the GDPR, such as: the right to obtain confirmation that there is or is not ongoing processing of personal data concerning the data subject; the right of access to his or her personal data; the right to obtain rectification of inaccurate data or have incomplete data completed; the right to obtain deletion of personal data regarding him or her; the right to obtain the restriction of processing of his or her personal data; the right to receive the personal data concerning him or her in a structured and machine-readable format; the right to oppose the processing; and the right to withdraw consent at any time whenever the processing is based on consent.
The data subject may exercise these rights by writing to the Controller using the contact details provided above.
The data subject has the right to submit a complaint to the Italian Data Protection Authority.