Welcome to our website www.woolrich.com (“Website”), under article 12 and subsequent articles of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, “Regulation” or “GDPR”), and, in general, in compliance with the principle of transparency provided for by the Regulation, the following information is provided about the processing of Personal Data (i.e. any information concerning an identified or identifiable natural person: “Data Subject”) carried out in connection with browsing on the Website and relating to user interaction.
This information is, therefore, relevant both if you access the Website and simply decide to browse it through its services without purchasing any products, and also if you decide to purchase one or more products.
You should then keep in mind that the information we are providing you with concerns the processing of Personal Data carried out by us (possibly also via parties who work on our behalf as Data Processors), while your interaction with third parties (e.g. social media which you can access via a link on the Website) will result in the latter acting as Data Controllers of the data concerning you, who will provide you with their information.
The Website and all the trademarks, products and any data or information therein are the exclusive property of Woolrich Europe SPA - a single-member company subject to management and coordination by Woolrich International Ltd, with registered office on via dell'Arcoveggio, 59/5 - 40129 Bologna, Italy - (“Woolrich”).
DATA CONTROLLER AND DATA PROTECTION MANAGER
The data controller (i.e. the person who determines the purposes and means of processing your personal data) is Woolrich Europe S.p.A., with sole shareholder, with registered office on Via dell'Arcoveggio n. 59/5, I-40129 Bologna - Italy, registered in the Bologna Register of Companies and tax code number 03506281207, subject to management and coordination by “Woolrich International Limited”, certified email address: email@example.com, tel. +39 051 41 61 411 For contacts specifically concerning the protection of personal data, including the exercise of the rights referred to in point 8 below, please fill out the form in the «Contact us» section of the Website.
We inform you that the Data Controller, under art. 37 of the Regulation, has designated the Data Protection Officer (abbreviated to “DPO”), who can be contacted as follows: telephone +39 051 41 61 411; email firstname.lastname@example.org.
1. PURPOSES OF THE PROCESSING
The personal data may be processed for the following purposes:
1.1 the correct operation and security of the Website (Website operation purposes);
1.2 the promotion and sale of products through letters, telephone, automated communication systems, emails, etc., market and customer satisfaction surveys (direct marketing purposes);
1.3 to carry out automated activities aimed at analysing your interests, preferences and consumption choices in order to offer you products in line with your tastes (marketing profiling purposes);
1.4 management of customer services offered through the Website, such as booking an appointment at a store, notification of the arrival of a temporarily unavailable product, etc. (service management purposes);
1.5 management of the pre-contractual and contractual relationship, including, therefore, registration on the Website, formulation of the offer and stipulation of sales, with the relevant fulfilment of the obligations by the parties and regulatory obligations, including administrative, accounting and tax formalities and requirements (contractual purposes).
2. TYPE OF DATA PROCESSED AND COLLECTION METHOD
We will then process the following data provided by you or, in any case, resulting from your interaction with the Website, including via the chat, such as:
- name, surname and date and place of birth, home address/domicile, tax code and/or VAT number and other tax and related data such as the SdI “recipient code” for electronic invoicing; telephone number/email address/certified email address, shipping address of the products, information relating to the identification of your size, in addition, of course, to the data relating to the access credentials, purchases made and services requested, as well as the products viewed and/or placed in the cart.
3. COMPULSORY AND NON-COMPULSORY PROVISION AND LEGAL BASIS OF THE PROCESSING
As previously mentioned, the transmission of the Browsing Data is inherent in the use of the Website and the legal basis for the processing of Personal Data for the purpose of operating the Website is the legitimate interest of the Data Controller in the carrying out of its business activities.
With regard to the contractual purpose, there is no obligation to provide data in the pre-contractual phase, but failure to provide the data requested could make it impossible to complete the contract (the data required to conclude the contract are clearly indicated in the request form). The processing of Personal Data for the contractual purpose is based on the following legal bases: the need to execute the contract of which the Data Subject is a party or the pre-contractual measures adopted at the request of the latter; for the fulfilment of a legal obligation to which the Data Controller is subject; legitimate interest of the Data Controller to protect its rights; legitimate interest of the Data Controller in its business activity (for those activities which, although not imposing an obligation, are closely linked to the performance of the contractual relationship, e.g. entry in the management system or address book, revenue analysis, internal service quality checks, etc.).
With regard to direct marketing purposes, providing personal data is optional and not providing the data will not affect the contractual relationship or the possibility of using the Website services. This processing is only carried out with the consent of the recipient (in this case, consent is also necessary for legal persons), which can be revoked at any time (see point 8 below “Data subject’s rights”), which constitutes the legal basis. It should, however, be noted that prior collection of consent is not necessary in specific cases of transmission, via the email coordinates provided when a previous purchase was made, communications relating to the direct sale of products or services similar to those already purchased on that occasion, which is permitted (under paragraph 4 of art. 130 of Italian Legislative Decree 196/2003 – Privacy Code) provided that the Data Subject, who has been suitably informed, does not refuse such use, initially or during subsequent communications; in the latter case, the legal basis of the processing is the legitimate interest of the Data Controller in marketing activities. Please note that the revocation of consent or objection to the processing carried out by automatic contact methods (automated call or call communication systems and with electronic communications via email, fax, MMS or SMS messages or other means) is extended to traditional methods (paper-based mail, call with operator), but the possibility of exercising this right is retained only in part, for example, by objecting to the sending only of promotional communications via automated systems.
Processing aimed at marketing profiling will only be carried out with your prior consent and can be revoked at any time, without the lack of consent affecting the contractual relationship or the possibility of using the Website services.
Providing the data requested for Website services is optional and the only consequence for failing to provide the data will be that it may be impossible to use these services. The legal basis for the processing of these data is the need to follow up on your requests (deemed pre-contractual, as these services are required to allow you to decide whether to proceed with a purchase).
4. PROCESSING METHODS AND TERMS OF DATA STORAGE
The processing will be carried out:
- through the use of manual and automated systems;
- by subjects or categories of subjects authorised and trained to perform the relevant tasks;
- using adequate measures to ensure data confidentiality and avoid access to the data by unauthorised third parties.
It should be noted in particular that Personal Data related to marketing purposes, will also be processed through:
-the use of automated call or call communication systems;
-electronic communications via email, SMS (Short Message Service) messages, WhatsApp and instant messaging in general, push notification or similar;
-the use of the telephone with operator and paper-based mail.
Browsing data are deleted no later than 48 hours following their collection, except when illegal activity is detected.
The data will be processed for marketing purposes for a period not exceeding 48 months from consent being given or renewed, provided that the data on purchases (therefore, in relation to marketing on the basis of legitimate interest under art. 130, paragraph 4 of the Privacy Code as well) will not be processed for marketing purposes after 24 months from the relevant purchase.
Profiling data will not be stored for more than 12 months from their collection.
Data relating to the Website services will be stored for the time required to fulfil the service and verify that it has been fulfilled; therefore, the data will not normally be stored for more than 6 months following the use of the service.
The data connected to the contractual relationship will be stored for the entire duration of the contract and at the end of the contract, limited to the data required at that point to fulfil all legal obligations and for protection requirements, including contractual ones, connected or deriving from it; consequently, the data will not normally be stored for more than 10 years from the termination of the contract.
5. DATA COMMUNICATION
The data collected and processed may be communicated, exclusively for the purposes specified above, to:
- all subjects whose right of access to such data is recognised through regulatory provisions;
- employees, partners and suppliers of the Data Controller, as part of their duties and/or contractual obligations relating to the fulfilment of the contractual relationship with the Data Subjects; the suppliers of the Data Controller include, by way of example, banking and credit institutions, insurance companies, legal consultants; shipment administrators; software suppliers and relevant support centres; specifically, our software structure for Website activity and relevant customer relations is also managed through Salesforce, Fluentcommerce and Hubspot, who act as our Data Processors. You can, in any case, request a complete and updated list of the persons appointed as Data Processors by contacting one of the contacts indicated below.
- financial administration and other Bodies for which mandatory communications are required.
Your data are not subject to disclosure.
6. LOCATION OF DATA PROCESSING
The Personal Data will be processed within the European Union and will not be transferred outside said territory.
7. DATA SUBJECT’S RIGHTS
The GDPR provides the following rights to the Data Subject concerning his/her personal data (the short description is given by way of example, for the complete explanation of these rights, including their limitations, please refer to the Regulation, and in particular to articles 15-22):
-access to personal data (the Data Subject has the right to obtain free-of-charge the information regarding personal data held by the Data Controller and related processing, as well as to obtain a copy in an accessible format);
-rectification of personal data (upon notification by the Data Subject, the correction or integration of personal data - not the expression of evaluation elements - which are incorrect or inaccurate, even if they have become obsolete because they have not been updated);
- erasure of personal data (right to be forgotten) (e.g. the data are no longer necessary for the purposes for which they were collected or processed; they have been unlawfully processed; they must be erased to fulfil a legal obligation; the Data Subject has revoked consent and there is no other legal basis for the processing; the Data Subject objects to the processing, if conditions exist);
- limitation of the processing (in certain cases - contesting the accuracy of the data, in the time required for the verification; contesting the lawfulness of the processing with objection to erasure; the need to use the data for the rights to the Data Subject’s defence, while they are no longer useful for processing purposes; if there is an objection to the processing while the necessary checks are carried out - the data will be stored so that it can be restored, but, in the meantime, they cannot be consulted by the Data Controller except in relation to the verification of the validity of the limitation request by the Data Subject, or with the consent of the Data Subject or for the assessment, exercise or defence of a right in legal proceedings or to protect the rights of another natural or legal person or for reasons of significant public interest of the European Union or Member State);
- objection, in whole or in part, for reasons related to the specific situation of the Data Subject, to the processing carried out on the basis of legitimate interest; you will not be required to justify your decision to object to processing for marketing or profiling purposes;
- data portability (if the processing is based on consent or on a contract and is carried out by automated means, the Data Subject party, at his/her request, will receive, in a structured and commonly used format that can be read by automatic device, the personal data that concern him/her and may transmit them to another Data Controller, without hindrance by the Data Controller to whom he/she provided them and, if technically feasible, said data may be transmitted directly by the latter).
Furthermore, if the processing is carried out based on the consent expressed by you (see point 4 above), you may revoke your consent at any time, without affecting the lawfulness of the processing carried out before the revocation (as indicated in point 4 above, you can revoke your consent to processing, in relation to data processing for marketing purposes, even for only one of the methods, i.e. traditional, automatic or communication methods). The easiest way to revoke your consent will be the link at the bottom of our communications or the personal section in the reserved area of the Website.
The Data Subject also has the right to lodge a complaint with the Authority for the protection of personal data if he/she deems that the processing concerning him/her violates the legal provisions on the protection of personal data; the Authority for the protection of personal data can be contacted through the contact details indicated on the Authority’s website “www.garanteprivacy.it”. We would, however, like to have the opportunity to address any concerns of the Data Subjects beforehand. We can be contacted via the email address: email@example.com or the other contact details for the Data Controller and DPO indicated above regarding any clarification concerning the processing of the Data Subjects’ personal data and to exercise the relevant rights, including the revocation of consent.