1. WHAT DATA DO WE PROCESS
As concerns the purposes of the processing indicated in point 2 below, we process various types of personal data concerning you, including:
- your identification information (such as first and last name), your contact details (such as email address and telephone number), shipping address and billing address, payment information (such as the method of payment used, cardholder, card number used). This data is processed by ItalianGres in reference to the online sale of ItalianGres products and the corresponding activities related thereto (such as the signing and performance of the contract; payment; invoice issuance, product shipping; any management of the right of withdrawal, return, and the legal guaranties; customer care; the control and prevention of fraud and abusive behaviours, including by third parties, which conflict with the current standards, the applicable contractual provisions, the rules of correctness and good faith). For customer care activities, the information you choose to provide in your communications is also processed;
- if you register on the Site (“My Account”), this includes your identification information, your email address, and your password, as well as the data needed to provide you with services that are reserved for registered users (for example: Wish List, My Orders, Quick Buy, etc.). Your identification and contact information are also used by ItalianGres to manage any requests you may have for information relating to the ItalianGres products.
2. WHY DO WE PROCESS YOUR DATA AND ON WHAT LEGAL BASIS
2.1 Purposes related to the online sale of products
ItalianGres processes your personal data for the online sale of ItalianGres products and the relative activities connected thereto. In particular, to:
- enter into and perform a contract for the purchase on the Site of one or more products, for payment, product shipping, any management of the right of withdrawal, return, and the legal warranty. This processing is necessary to perform a contract to which you are party (purchase and sale agreement). You must provide your personal data; otherwise you will not be able to make a purchase on the Site or manage any requests you may have regarding the right of withdrawal, return, and legal warranty, or to receive the dedicated customer service;
- customer care. Processing is necessary to perform a contract to which you are party (provision of customer care). You must provide your personal data; otherwise you will be unable to receive the customer care you requested;
- the fulfilment of the legal obligations relating to the sales activity (such as, for example, issuing and storing the invoice). This processing is necessary to fulfil a legal obligation to which ItalianGres is subject. It is thus mandatory that you provide your personal data; otherwise you will be unable to make a purchase on the Site;
- register on the Site (“My Account”), or use the services that are reserved for registered users (for example: Wish List, My Orders, Quick Buy, etc.). This process is necessary to perform a contract to which you are party (registration on the Site and the relative provision of services). It is mandatory that you provide your personal data; otherwise you will be unable to register on the Site and use the registered user services;
- prevention and suppression of fraud and abusive behaviours (including by third parties) that conflict with the current standards, the applicable contractual provisions, and the rules of correctness and good faith. The lawfulness of this processing is based on the legitimate interest of ItalianGres to perform security activities and controls for the purpose of preventing and protecting against fraudulent activities and abusive behaviours.
2.2 Marketing purposes
With your consent, which is optional, ItalianGres uses your personal data for marketing purposes. Indeed ItalianGres may send you promotions, commercial or advertising communications about its products, services, and events. The marketing activities may also include market research and surveys to determine your level of satisfaction and to conduct statistical analyses, including using aggregated anonymous data. The processing of your data is based on your voluntary consent, and providing your data is optional. However, without it, you will be unable to purchase our products online.
With your optional consent, ItalianGres uses the data collected in its stores and online, through this or other sites, or through ItalianGres accounts on social media, to collect information relating to your preferences, habits, lifestyle, as well as details about what you have purchased. The data is used to create group and/or individual profiles (“profiling”) which allow us to send you personalised communications that are in line with your interests, or to conduct market research and statistical analyses, including with aggregated anonymous data. The processing of your data is based on your voluntary consent, and providing your data is optional. However, without it, you will be unable to purchase our products online.
To send you marketing communications or personalised offers, methods such as email, newsletters, operator-assisted telephone calls, SMS, instant messaging and social networks. You may unsubscribe from newsletters in the corresponding section of your personal account or by clicking the respective link, which appears at the bottom of every commercial communication.
2.3 Other purposes
Your personal data is processed by each controller, within their own area of authority, and also for:
managing requests to exercise personal data protection rights (further information in point 6). This processing is necessary to fulfil a legal obligation to which the data controller is subject;
3. WHO WILL PROCESS YOUR DATA
Duly informed personnel (employees and associates) of ItalianGres, as well as third parties (providers and/or business partners) who were appropriately selected by the controllers and offer a suitable guarantee of compliance with personal data processing rules, may have access to your personal data. These third parties, based on an appropriate designation by the controllers (each of them with respect to their own area of authority) may conduct their activities as “data processors” (thus under the direct responsibility of the data controller who designated them: for example, Internet providers, companies specialised in IT and electronic services, customer care service companies, companies that perform marketing activities, companies specialised in market research and data processing or as “independent data controllers (for example, couriers and shippers, bank operators, independent professionals, or consulting, legal or tax assistance firms).
Your personal data may also be disclosed to third parties, including in the following cases:
(i) when disclosure is required by the applicable laws and regulations for legitimate third party recipients of communications, such as public entities and authorities that process your data as independent controllers for the respective institutional purposes;
(ii) in case of extraordinary operations (for example mergers, acquisitions, disposal of business, etc.);
(iii) when you provide your consent to the companies ItalianGres s.r.l. for independent marketing purposes.
You may request an updated list of the parties to whom we disclose your data by contacting us using the contact details indicatedbelow.
Some of the parties indicated above may also be established outside the European Union (EU) or the European Economic Area (EEA), in countries that do not guaranty an adequate level of protection of personal data according to the standards established by the GDPR. ItalianGres and ItalianGres have adopted the necessary precautions to ensure a lawful transfer of data (in particular, through the use of the Standard Contractual Clauses approved by the European Commission). You may request information about the transfer of your personal data abroad at any time by contacting us using the contact details indicatedbelow.
4. HOW LONG DO WE RETAIN YOUR DATA
We retain your personal data for a limited period of time, which is strictly related to the purpose for which it was collected, and in conformity with the applicable legal or regulatory obligations. At the end of the established retention period, your personal data will be deleted, or in any case irreversibly anonymised, unless ItalianGres or ItalianGres is required to retain the data for an additional period of time to comply with legal or regulatory obligations, or to exercise or defend a right in a judicial proceeding.
The retention period differs according to the purpose of the processing, in particular:
- for the online sale of products and the relative activities connected thereto (point 3.1), your personal data will be retained by ItalianGres for the entire duration of the contractual relationship and for 10 (ten) years after the termination thereof, except for registration on the Site (“My Account”) and the use of confidential services for registered users (for example: Wish List, My Orders, Quick Buy, etc.), in relation to which your personal data will be retained until you request the deletion of your account;
- when ItalianGres processes your data for personalised marketing or profiling purposes, your data is retained for a period of 7 (seven) years from the time you provide your consent for the aforementioned purposes, following an evaluation of the impact on data protection conducted by ItalianGres, with the participation of its Data Protection Officer;
- for general marketing activities, your data is retained by ItalianGres until deletion is requested, consent revoked, or processing opposed; ItalianGres furthermore wishes to protect your data and ensure that you wish to continue to receive its communications. Therefore, it deletes your data when 4 (four) years have elapsed since your last interaction with the ItalianGres sphere, for example through purchases made at ItalianGres stores or the Site, participation in ItalianGres events or newsletters;
- to comply with legal obligations relating to personal data processing matters (point 3.4), your personal data will be processed by each controller, as concerns their specific area of authority, for the period needed to manage your request to exercise the rights recognised under the GDPR or to meet the legal obligation to which the data controller is subject. The data necessary to demonstrate compliance with the legal obligations to which the controller is subject shall be retained for 10 (ten) years;
- in case of a legal or administrative dispute, your data shall be retained for the time needed for ItalianGres or ItalianGres or a third party to seek legal protection of a right, or within the limits imposed by the legal or administrative authority.
For more information about the retention of your personal data, contact us using the contact details indicated below.
5. WHAT ARE YOUR RIGHTS
You may contact each data controller or the respective Data Protection Officers at any time, using the contact details specified below, to exercise your rights pursuant to the GDPR, and particular:
- to obtain confirmation of whether or not your personal data is being processed and, if it is, to obtain access to or a copy of such personal data (”right of access”);
- correction of your personal data, i.e. to obtain the correction, modification, or updating of any data that is inaccurate or no longer correct, as well as to supplement incomplete personal data, including by providing a supplementary declaration (“right of rectification”);
- to revoke your consent (“right to revoke consent”): you may revoke the consent you have given to process your personal data at any time, including in relation to any activity whatsoever with a marketing purpose, including profiling. To that end, we remind you that marketing activities are considered to be the sending of commercial and advertising communications, the completion of market research and surveys to determine level of satisfaction, and the personalisation of commercial offers based on your interests. Once your request has been received, the controller will be responsible for stopping the processing of your personal data that was based on such consent, while different instances of processing, or processing based on other requirements, will continue to be performed in full compliance with the current provisions;
- to request the deletion of your personal data when such data, in particular, (i) is no longer necessary for the purposes for which it was collected or processed, or (ii) was unlawfully processed, or (iii) must be deleted to perform a legal obligation, or, lastly, (iv) you have opposed such processing (see below “right to object”) and there is no prevailing legitimate reason that would allow the controller to nevertheless proceed with the processing (“right to erasure” or “right to be forgotten”);
- to obtain a limitation on the processing of your personal data, i.e. that the controller retains such data, but without being able to use it, save for any requests or exceptions prescribed by law. This right may only be exercised when, in particular (i) you object to the accuracy of the personal data, for the period needed for the controller to verify the accuracy of such personal data, or (ii) the processing of data is unlawful and you ask to limit its use, instead of deleting it, or (iii) even though the controller no longer needs it for processing purposes, you require the personal data to assess, exercise, or defend a right in a legal proceeding, or (iv) you have opposed its processing (see below “right to object”), while awaiting a verification as to any legitimate grounds of the controller that prevail over those of the data subject (right to restriction);
- to request your data or transfer it to a party other than the controller (“right to data portability”). You may ask to receive the data we process based on your consent or based on a contract entered with you, in a form that is structured, commonly used, and readable on an automatic device. If you so desire, where technically possible, we may, upon your request, transfer your data directly to a third party you indicate;
- submit a claim to one of the competent supervisory authorities on compliance with the personal data protection standards, if you believe that your data was unlawfully processed (“right to submit a claim”). In Italy, a claim may be filed with the Personal Data Protection Authority [Garante per la Protezione dei Dati Personali] (http://www.garanteprivacy.it/).
Furthermore, as a data subject, you also have the “right to object”, i.e.:
- object at any time, for reasons related to your specific situation, to the processing of your personal data for the purpose of a legitimate interest of the controller or for marketing purposes, including profiling. The controller shall refrain from further processing your personal data, unless it demonstrates that there are compelling, legitimate reasons to proceed with the processing that prevail over the interests, rights, and freedoms of the data subject, or to assess, exercise, or defend a right in judicial proceedings.
To ensure full respect of the rights described above, and that our users’ data is not unlawfully accessed or violated by third parties, prior to accepting a request from you to exercise one of the rights indicated, we may ask you for certain information to confirm your identity or clarify the request made.
7. DATA SECURITY
We adopt specific technical and organisational security measures to safeguard the confidentiality of Site users’ personal data, which are aimed at preventing the unlawful or fraudulent use of their personal data.
We remind you to take suitable precautions when using the Site, such as, for example, keeping your access credentials strictly private, and changing them periodically.
8. CONTACT DETAILS OF DATA CONTROLLERS AND THE CORRESPONDING DATA PROTECTION OFFICERS
The data controller, for the purposes indicated in points 2.1, 2.2 and 2.3 is ItalianGres s.r.l with registered office at via Ferrari 27, int 110, Formigine (Modena) 41043, Italy.
The Data Protection Officer for ItalianGres, domiciled at the registered office thereof, may be contacted at the following email address: firstname.lastname@example.org
The Data Protection Officer for ItalianGres s.r.l., domiciled at the registered office thereof, may be contacted at the following email address: email@example.com
For any clarification, question, or requirement related to your privacy, or to exercise your rights recognised under the GDPR (see point 5) you may contact us by sending a request to our Customer Care, selecting “Privacy”, or by calling us at +39 351 57 90007. If you so wish, you may also contact us and our Data Protection Officers (DPOs) directly; to do so, you may use the contact details noted above.
Last updated August 2021.