Notice pursuant to art. 13 and 14 of EU Regulation 2016/679 on the protection of personal data (GDPR)
User Generated Contents
Pursuant to art. 13 and 14 of EU Regulation 2016/679 (hereinafter “GDPR”), Woolrich Europe S.p.A. (hereinafter “Woolrich” or “Data Controller”) with registered office in Via della Cooperazione 21, 40129 Bologna, Italy, in its capacity of personal data controller, in the person of its legal representative pro tempore, informs you that the personal data of some of the physical persons of your employees and/or legal representatives and/or associates will be subject to processing on the part of Woolrich itself through manual processing or processing with electronic or automatic instruments, computers, or telematic instruments, strictly for the purposes listed below, and in any case in such a way as to guarantee the safety and confidentiality of the data.
Identity and contact details of the Data Controller and of the Data Protection Officer
The Data Controller is Woolrich Europe spa, in the person of its legal representative pro tempore, with registered office in Via della Cooperazione 21, 40129 Bologna.
The Data Controller has appointed a Data Protection Officer who you may contact in order to exercise your rights or obtain information regarding the same and/or this Notice by writing to Woolrich, Via della Cooperazione 21, 40129 Bologna or sending an email to dpo@woolrich.com.
Categories of data obtained from subjects other than the Data Subject
For the purposes described in par. “Purposes and lawfulness of data processing”, Woolrich processes the categories of personal data, defined in par. “Retention period of personal data”, obtained directly from the Data Subject (art. 13) or from User who authorizes the Contents (art. 14).
Origin of personal data
Personal data is provided directly by the Data Subject (art. 13) or from User who authorizes the Contents (art. 14).
Purposes and lawfulness of data processing
Personal data is processed by the Data Controller pursuant to art. 6 of the GDPR.
The specific purposes of data processing and their legal basis are listed below:
Purpose of data processing
User Generated Contents
Legal basis of data processing
Performance of a contract or performance of pre-contractual measures (art. 6 par. 1, b) of GDPR)
Nature of data provision and consequences of refusal
Data provision is obligatory for the fulfillment of contractual obligations. Therefore, any refusal to provide the obligatory data will entail the objective inability to pursue the purposes of data processing outlined in this Notice (par. “Purposes and lawfulness of data processing”) and to conclude the contract.
Categories of recipients of the personal data
The personal data may be processed by Bazaarvoice inc. as Data Processor specifically appointed by the Data Controller, pursuant to art. 28 of the GDPR.
The data will furthermore be processed by subjects specifically authorized by the Data Controller pursuant to the GDPR, such as employees of Woolrich following specific instructions given by the Data Controller.
The personal data processed by Woolrich may be subject to disclosure through publication on company social network pages (e.g. Instagram, Facebook, Twitter, Youtube) and websites.
Transfers to countries outside the EU
For the purposes data processing described above, personal data may be transferred to the subjects in the above categories in Italy or abroad, including outside the European Union (EU).
The company that provides the User Generated Contents service is based in the United States and stores the data in the Amazon Web Services. The Data Controller provides adequate guarantees (pursuant to art. 46 of the GDPR) through the adoption of the standard clauses relating to data protection adopted by the European Commission (Standard Contractual Clauses) with the Recipients of the personal data aforementioned, who process data both as Data Controllers and as Data Processors. These guarantees ensure compliance with data protection requirements and data subject rights adequate for processing within the Union, including the availability of the rights of data subjects, including administrative or judicial remedies and claims for compensation, in the Union or in a third country. To obtain a copy of your data, to get information about the adequate guarantees and to know the place where the data you provided have been made available, you can contact the Data Controller, at the following e-mail address: dpo@woolrich.com
Retention period of personal data
Personal data processed by Woolrich will be retained for the time necessary for the performance of the contractual relationship. At the end of such limitations the personal data will be anonymized or deleted except in the case where conservation is necessary for other purposes expressly required by law or to protect our rights.
The details concerning the duration of the data retention period for the purposes outline above, i.e. the criteria used for determining such periods, are listed below:
Purpose
User Generated Contents
Category of personal data
Identifiers: email address, IP Address, BV unique identifier, device fingerprint.
Additionally, in relation to Sampling only: name, postal address, telephone number.
Content data: Ratings given, review content (text/photo/video), questions, answers, nickname.
Demographic information: location, age range, gender, other client-specified demographics.
Behavioural data: including product interests, website browsing information, transaction data e.g. online purchases, website registrations.
Required limitation period before deletion
For the entire duration of the contract.
Automated decision-making
In the pursuit the purposes listed above, no decision will be made based only on automated processing that may cause any legal consequences for the Data Subject or that may similarly have a significant impact on their person.
Rights of the Data Subject
Pursuant to and in accordance with the GDPR, the Data Subject has the following rights that may be exercised towards Woolrich:
a) the right to obtain from the Data Controller confirmation of whether or not personal data concerning the Data Subject is being processed and, in such a case, to obtain access to their personal data and any information provided for in art. 15 and specifically those concerning the purposes of data processing, the categories of the personal data in question, or the categories of the recipients to whom the personal data has been or will be communicated, the retention period, etc.;
b) the right to obtain the rectification of any errors in the personal data concerning the Data Subject, as well as the integration of the any data that is considered incomplete for the purposes of data processing (art. 16);
c) the right to obtain the deletion (“right to be forgotten”) where one of the grounds provided for in art. 17 applies;
d) the right to restrict data processing where one of the