Privacy notice pursuant to article 13 of EU regulation 2016/679
Your privacy and the security of your personal data are particularly important to Woolrich Europe S.p.A. , which is why we collect and process them with the utmost care and attention, while at the same time adopting specific and appropriate technical and organisational measures to guarantee the complete security of their processing.
We therefore inform you, pursuant to Article 13 of European Regulation 2016/679 ("GDPR" or "Regulations") and the Privacy Code ("Privacy Code"), as amended by Italian Legislative Decree 101/2018 (jointly also, the "Regulations"), that the processing of your personal data is carried out in a manner appropriate to guarantee security and confidentiality and is performed, using paper, computer and digital media, as detailed in this notice.
The information highlighted below is therefore relevant both if you access the Site and decide to simply browse through it using its services, without purchasing any products, and if you decide to purchase one or more products. Likewise, the information below is relevant if you make a purchase or visit one of our shops.
2. Data Controller
The processing of your personal data is carried out by Woolrich Europe S.p.A., with sole shareholder (hereinafter also referred to as "Woolrich" or "Data Controller"), with registered office in Via della Cooperazione 21, I-40129 Bologna, Italy, as Data Controller pursuant to the Regulation.
For any query or request related to the processing of your personal data, you may contact the Company at any time by sending a request to the following references:
The Company has appointed a Data Protection Officer ("DPO") in accordance with Articles 37 et seq. of European Regulation 2016/679, who is identified as Paola Casaccino, lawyer, who can be contacted at the email address below.
Company name: Woolrich Europe S.p.A.
Registered office address: Via della Cooperazione 21, I-40129 Bologna
Telephone contact details: +39 051 41 61 411
Email contact details: firstname.lastname@example.org.
3. Types of Data Processed, Purposes and Legal Basis of Processing
The personal data that the Company processes are those that you provide to us while browsing or using the services offered by the Company via the www.woolrich.com website or those that you provide in one of our shops to register your account, to participate in an event, to make a purchase, or to request a VAT refund.
The Data Controller may, therefore, collect data on you such as your name, surname, residence/address for service, tax code, your photograph taken during an event, telephone number/email address, IP address, where the products are to be sold, information relating to the identification of your size, as well as, naturally, data relating to your access credentials, the purchases you have made and the services you have requested, as well as the products you have viewed and/or placed in your shopping cart and your browsing data.
No special data are processed pursuant to Article 9 GDPR or data relating to criminal convictions and offences pursuant to Article 10 GDPR.
Your personal data, once collected, are processed for the following purposes:
A: Direct marketing, such as the promotion of product sales by telephone, automated communication systems, WhatsApp and/or other types of instant messaging, email, etc., for invitations to special events, market and customer satisfaction surveys.
Processing for these purposes is carried out with the specific and free consent of the person concerned. This is without prejudice to the provisions below on so-called 'soft spam'.
B: Management of the pre-contractual and contractual relationship, including registration on the Site, the wording of the offer and the stipulation of sales online or in our shops.
The processing operations carried out for these purposes are based on the pre-contractual and contractual relationship established with the customer and do not require the specific consent of the data subject.
C: Fulfilment of regulatory obligations, with particular reference to administrative, accounting and tax formalities and fulfilments.
Fulfilment of legal obligations.
D: Managing your participation in physical and/or online events (i.e., event registration, event-related communications, collection and/or sharing of audio/video material produced during the event).
The processing operations carried out for these purposes are based on the pre-contractual and contractual relationship established with the customer following the request to participate in a single event and do not require the specific consent of the data subject.
E: Ensuring the proper functioning of our web pages and their content.
The processing operations carried out for these purposes are based on a legitimate interest of the Controller, and do not require specific consent from the data subject.
F: Profiling by means of cookies
Without prejudice to the freedom of the data subject to provide personal data, please note that the provision of data for the purposes referred to in points B), C), D), E) and G) of this paragraph 3 is necessary. Failure to provide data will make it impossible to use the services offered by the Company with reference to the individual purposes pursued.
Finally, please note that, following the purchase of a product of the Controller, or in the context of the potential sale online through the functionality related to the so-called "recovery cart", messages containing our marketing proposals on products and services similar to those purchased may be sent to the email address that the user has provided during the purchase, and/or potential purchase. The legal basis of the processing is the legitimate interest of the Data Controller, whereby pursuant to Article 130(4) Privacy Code, the processing carried out for this purpose does not require specific consent from the data subject. However, you may object at any time to the processing in question (at the time of providing your data or when receiving subsequent messages) in order to stop receiving such messages.
4. Data Processors and Recipients
Your personal data are processed exclusively by the Company's staff specifically authorised and designated in accordance with Article 4, paragraph 10 of the Regulations and Article 2-quaterdecies Privacy Code, who have been adequately trained in relation to the fulfilment of privacy regulations and who process data following precise instructions from the Data Controller.
Your personal data will also be passed on to third parties we use. These persons have been properly selected by us and offer adequate guarantees of compliance with the rules on data processing. Such persons, in the event that they process data in the name and on behalf of Woolrich, have been appointed as Data Processors pursuant to Article 28 of the Regulation, and are required to carry out their activities according to the specific instructions given by the Company and under its control.
Such third parties may belong to the following categories:
- collaborators, suppliers for the Data Controller, within the scope of their relative duties and/or contractual obligations relating to the execution of the contractual relationship with the data subjects; suppliers for the Data Controller include, by way of example, banking and credit institutions, insurance companies, legal consultants; shipping managers; photographers, public relations agencies, software suppliers and relative assistance; in particular, our software structure for the activity of the Site and relative customer relations is also managed through SalesForce, Fluentcommerce and Hubspot.
- tax authorities and other entities for which mandatory notifications are required.
A specific and up-to-date list of such persons is available at the Data Controller's registered office, and can be consulted at the data subject's request.
For administrative purposes, we inform you that your data may be disclosed by the Data Controller to other companies in the Group.
It is understood that your personal data will not be disclosed to third parties so that they can use it for their own promotional purposes and will not be disseminated in any way, except to all persons whose right of access to such data is recognised by law;
5. Non-EU data transfer
Personal Data will be processed within the European Union, and it is not the intention to transfer it outside this area.
The transfer of your personal data to third parties residing or located in countries that do not belong to the European Union and that do not ensure adequate levels of protection will only be carried out with your consent or following the conclusion of specific agreements between the Company and to such parties, containing appropriate safeguards and guarantees for data protection known as "standard contractual clauses", also approved by the European Commission, or if the transfer is necessary for the conclusion and execution of a contract between you and the Company or for the management of your requests.
6. Data Retention
Please note that your data will be stored for a limited period of time, which varies according to the type of processing activity and the specific purposes thereof, as set out below:
- Browsing data are deleted - except in the case of detection of unlawful activity - no later than 48 hours after their collection;
- The data collected for marketing purposes will be processed for a period not exceeding 48 months from the granting of consent or its renewal , or from the last express expression of interest in the products and/or initiatives of WOOLRICH, with the specification that data on purchases (therefore also as a function of marketing on the basis of the legitimate interest ex Article 130(4) Privacy Code, so-called "Soft Spam") will not be processed for marketing purposes beyond 24 months after the relevant purchase;
- The data relating to the services of the Site will be kept for the time necessary to provide the service and to verify the execution of the same; therefore, as a rule, the data will not be kept for more than 6 months following the use of the service;
- Photographic images taken individually during an in-store event will be processed and stored for the time strictly necessary to send them by e-mail, in accordance with the service offered;
- The data connected with the contractual relationship will be stored for the entire duration of the contractual relationship and afterwards - limited to the data required at that point - for the fulfilment of all possible legal obligations and for the protection requirements, including contractual ones, connected with or arising from it; as a rule, therefore, the data will not be stored for more than 10 years after the termination of the contractual relationship.
At the end of these periods, your data will be permanently deleted or, in any case, irreversibly anonymised by the Company.
7. Your rights
We inform you that you are entitled to exercise the following rights in relation to the personal data covered by this notice, as provided for and guaranteed by the Regulation:
- Right of access and rectification (Articles 15 and 16 of the Regulation): you have the right to access your personal data and to request that they be corrected, amended or supplemented. If you wish, we will provide you with a copy of the data we hold on you.
- Right to the deletion of data (Article 17 of the Regulation): in the cases provided for by current legislation, you can request the deletion of your personal data. Once we have received and analysed your request, we will stop processing and delete your personal data, if found to be legitimate.
- Right to restriction of processing (Article 18 of the Regulation): you have the right to request the restriction of the processing of your personal data in the event of unlawful processing or contestation of the accuracy of your personal data by the data subject.
- Right to data portability (Article 20 of the Regulation): you have the right to request to obtain, from the Data Controller, your personal data in order to transmit them to another Data Controller, in the cases provided for in the aforementioned Article.
- Right to object (Article 21 of the Regulation): you have the right to object at any time to the processing of your personal data carried out on the basis of our legitimate interest, by explaining to us the reasons justifying your request; before granting it, the Company will have to assess the reasons for your request.
- Right to lodge a complaint (Article 77 of the Regulation): you have the right to lodge a complaint with the competent Data Protection Authority if you consider that your rights have been or are being infringed with regard to the processing of your personal data.
With reference to any processing carried out on the basis of your consent, you may withdraw your consent at any time, without prejudice to the lawfulness of the processing carried out before the withdrawal (as indicated in point 4 above, with reference to the processing of data for marketing purposes, you may withdraw your consent to the processing also for only one of the methods, traditional or automatic, of communication). Similarly, at any time (and therefore both at the time of providing your data and at a later date) you may express your wish not to receive marketing messages sent to you pursuant to Article 130 Privacy Code ("Soft Spam").
You may exercise your rights at any time with regard to the specific processing of your personal data by the Company.
Without prejudice to what has been expressed so far, we remind you that the above rights may also be exercised by anyone who has an interest of their own, or acts on your behalf, as your agent, or for family reasons deserving of protection, pursuant to Article 2-terdecies Italian Legislative Decree 101/2018.
These rights may be exercised by email at email@example.com or by post at the following address: Woolrich Europe S.p.A., Via della Cooperazione 21, I-40129 Bologna.
Further information on the rights of the data subject may be obtained by asking the Data Controller for the full extract from the above-mentioned Articles.
8. Security measures
The Company adopts suitable and preventive security measures to safeguard the confidentiality, integrity, completeness and availability of the personal data of the data subject. Technical, logistical and organisational measures are put in place to prevent damage, loss (including accidental loss), alteration, improper and unauthorised use of processed data.
Furthermore, the Data Controllers shall not be held liable for any untruthful information sent directly by the user (e.g.: correctness of email address or postal address), as well as information concerning the user that has been provided by a third party, even fraudulently.
9. Amendments to this privacy notice
The constant evolution of our services may lead to changes in the characteristics of the processing of your personal data described so far. This privacy notice may be amended and supplemented over time, as necessary due to new legislation on the protection of personal data, or the evolution/modification of our services.
We therefore invite you to periodically check the content of our policy. Wherever possible, we will endeavour to inform you of any changes and their consequences.
The updated version of the privacy notice will be published on the Company's page, indicating its date of last update.
10. Date of last update