EXTENDED STATEMENT PURSUANT TO ARTS. 12, 13 AND, WHERE APPLICABLE, 14 OF THE GDPR – EU REGULATION 2016/679 ON THE PROTECTION OF NATURAL PERSONS WITH REGARD TO THE PROCESSING OF PERSONAL DATA (‘GDPR’)
ANGELINI BEAUTY S.p.A. provides this policy in accordance with arts. 12, 13 and, where applicable, art. 14 of the GDPR in relation to the protection of personal data provided by the Client/data subject when such data is provided in order to form and enter into a contract to purchase products/services offered by ANGELINI BEAUTY S.p.A., when personal data is voluntarily uploaded to this website (for example, by filling out an online form), or when a Client/data subject is simply browsing the Website.
1. Data controller and contact details
The data controller is ANGELINI BEAUTY S.p.A., whose registered office is at via Melchiorre Gioia, 8, 20124, Milan, VAT number MI 03262350 964, tel. +39 0371 408 1, email firstname.lastname@example.org, website www.laurabiagiottiparfums.com (the ‘Website’).
2. Principles relating to processing of personal data
In accordance with the GDPR, ANGELINI BEAUTY S.p.A. is committed to ensuring that personal data is:
(a) processed lawfully, fairly and in a transparent manner;
(b) collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes;
(c) adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed;
(d) accurate and, where necessary, kept up to date;
(e) kept for a period of time that is no longer than is necessary for the purposes for which it is processed;
(f) processed using appropriate technical and organisational measures required in order to safeguard the personal data;
(g) where data is processed on the basis of consent, such consent must be freely given by the Client/data subject, the request for consent shall be presented in a manner that is clearly distinguishable, written in an intelligible and easily accessible form, using clear and plain language.
ANGELINI BEAUTY S.p.A. uses appropriate technical and organisational measures to ensure the safeguarding of personal data by design and for ensuring that, by default, only personal data which is necessary for each specific purpose of the processing, is processed.
ANGELINI BEAUTY S.p.A. will accept and take into utmost consideration any feedback, observation or opinion submitted by the Client/data subject. Comments may be submitted via the contact details set out above. This is to enable ANGELINI BEAUTY S.p.A. to set up a dynamic data privacy management system that ensures the effective protection of individuals in relation to the processing of their personal data.
This policy may be subject to change according to the evolution of the relevant legislation and the varying technical and organisational measures implemented by ANGELINI BEAUTY S.p.A., from time to time. The Client/data subject is therefore invited to regularly visit this section of the Website, to check for any updates or changes to the policy that will be applicable from time to time.
3. How is data processing carried out
The processing of personal data is carried out by automated means both wholly and in part, but always strictly in accordance with the purposes set out below and, in any event, in such a way that ensures the security and confidentiality of such data.
5. The purposes of processing of personal data
(5a) The purposes for which the personal data processing is necessary
The personal data provided by the Client/data subject is processed mainly for the performance of the Contract, for credit management and, more generally, to manage the engagement arising from such Contract.
It is necessary to provide data in order to enter into the Contract or, at a later stage, during the performance of the Contract for the purposes of the relevant processing. Therefore, where data is not provided, or where it is provided only partially or is inaccurate, it will be impossible to enter into and/or perform the Contract and, as a result, the Client/data subject will not be able to receive the products/services of ANGELINI BEAUTY S.p.A. Further, a Client/data subject who does not provide such data may even become liable for breach of contract.
It may be necessary to process certain personal data provided by the Client/data subject in order for ANGELINI BEAUTY S.p.A. to: comply with a legal obligation to which it is subject; protect the vital interests of the Client/data subject or of another natural person; perform a task carried out in the public interest or in the exercise of official authority vested in ANGELINI BEAUTY S.p.A.; or, to pursue the legitimate interests of ANGELINI BEAUTY S.p.A. or those of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Client/data subject (even in such cases, where the provision of the data is mandatory, by not providing the data, or by providing only part of it or providing inaccurate data, the Client/data subject may become liable or subject to fines set out by the Law).
(5b) Further processing based on Client/data subjects’ specific and express consent
In addition to the purposes of processing discussed above, personal data that is provided by the Client/data subject or that is otherwise obtained, may also be processed based on the prior consent of the Client/data subject. Such consent may be obtained either by ticking the ‘I accept’ box in the Contract or on the Website (or via an ANGELINI BEAUTY S.p.A. app or social media page). Based on such consent, personal data may also be processed for market research or for direct marketing and sales purposes, which may be carried out either by phone (including any mobile phone number which is provided) or by automated means of communication (such as email, SMS, fax, etc.). Such marketing material would relate to ANGELINI BEAUTY S.p.A.’s products/services or those of such other companies of the Group to which ANGELINI BEAUTY S.p.A. may belong.
Where consent is required to carry out data processing for the purposes set out in (5b), the consent must be optional so that where consent is not given, the data will only be processed for a purpose set out in paragraph (5a), unless the processing is necessary for the legitimate interests of the controller or those of a third party.
6. Categories of personal data that are processed
The processing that ANGELINI BEAUTY S.p.A. carries out, whether for the performance of the Contract or to the extent the Client/data subject has given their own consent, does not generally involve sensitive personal data known as special category data (that is, data revealing racial or ethnic origin, political opinions, religious beliefs, data concerning health or data concerning sexual orientation, etc.), nor does it process genetic or biometric data, or data relating to criminal convictions or offences.
However, it is not possible to exclude the possibility that ANGELINI BEAUTY S.p.A., in order to perform its obligations that arise under the Contract, might store and/or may need to process special category data, genetic data, biometric data or data concerning criminal convictions or offences, pertaining to the Client/data subject or to third parties, which the Client/data subject may receive as data processor. In this case, such processing will only be carried out by ANGELINI BEAUTY S.p.A. pursuant to, and in compliance with the periods and limits fixed for, the appointment of ANGELINI BEAUTY S.p.A. as data processor.
ANGELINI BEAUTY S.p.A. also processes so-called browsing data. It does so in its role as data controller with respect to the Website and, potentially, as data processor where specifically appointed as such (in accordance with the scenario pointed out above). The computer systems and software used to operate internet sites obtain, as standard, certain personal data the transmission of which is inherent to the use of communication protocols of the Internet. Although the data processed is not collected to be associated with identified individuals, by its very nature, it may lead to the data subject becoming identifiable. This category of data includes geolocation data, IP address, the type of browser used, the operating system used, domain name details, and web site addresses from which the user logged in or out of the Website, as well as information about the web pages visited by users within the Website, the time they visited the Website, the time spent on a specific web page, and analysis of the internal path and other parameters relating to the user’s operating system and the user’s device. In other words, through processing and cross-referral with data held by third parties, this data could potentially reveal a user’s identity.
Cookies may also be used on the Website, such as, session cookies (those that are not saved on the data subject’s computer, and which disappear when the browser is closed), as well as long-term cookies, used for the transmission of information of a personal nature, or in any case, for the transmission of systems that enable data subjects to be tracked.
7. Sources of personal data
ANGELINI BEAUTY S.p.A. collects personal data directly from Clients/data subjects when they access and browse the Website (or when they use ANGELINI BEAUTY S.p.A.’s app or social media pages), as well as through its sales representatives, when or after the Contract is executed or performed. ANGELINI BEAUTY S.p.A. may also obtain personal data from publicly accessible sources.
As mentioned above, where specifically appointed as a data processor, in its duty to perform the obligations under the Contract, ANGELINI BEAUTY S.p.A. may store and/or process data of third parties, including browsing data or potentially sensitive, genetic, biometric or judicial data, that the Client/data subject provided to the relevant data controller. This data is obtained, subject to the prior consent of such third parties, when they visit or browse the website (or use other social media pages or apps which link to ANGELINI BEAUTY S.p.A.’s Website).
8. Legitimate interests
The legitimate interests of the data controller or those of a third party may provide a lawful basis for processing, provided that the interests and the fundamental rights and freedoms of the data subject are not overridden. Broadly speaking, such legitimate interests could exist, for example, where there is a relevant and appropriate relationship between the controller and the data subject, in situations such as where the data subject is a Client of the data controller. The processing of personal data relating to a Client/data subject may be necessary for preventing fraud, for direct marketing purposes, for ensuring the free flow of such data within the Group to which ANGELINI BEAUTY S.p.A. belongs, or for the purposes of ensuring network and information security, that is to say the ability of a network or an information system to resist accidental events or unlawful actions that compromise the availability, authenticity, integrity and confidentiality of data.
9. Disclosure of personal data
(9a) Disclosure of personal data – categories of recipients
Some processing activities may be carried out by employees of ANGELINI BEAUTY S.p.A. and other associates connected to it (to the extent that such individuals have been duly authorised by ANGELINI BEAUTY S.p.A. to process data in accordance with written operational instructions, in order to be able to guarantee data confidentiality and security), and also by third parties who are entrusted by ANGELINI BEAUTY S.p.A. to carry out certain activities, or part of such activities, because they are functional to the purposes set out in paragraph (5a). These third parties, engaged in the performance of both contractual and legal obligations, include, but are not limited to: commercial and/or technical partners; companies that perform banking and finance services; companies providing document storage services; debt collection companies; accountancy and audit companies; credit rating companies; companies which carry out tasks on behalf of ANGELINI BEAUTY S.p.A., such as professional service companies; companies which provide customer care services; companies for the securitisation of receivables or companies which are assignees of the receivables on any other basis; companies of the Group to which ANGELINI BEAUTY S.p.A. may belong; entities that provide sales information; IT service companies. The entities belonging to the above mentioned categories process personal data in their own capacity as autonomous data controllers, or as data processors with reference to specific tasks that fall under the contractual obligations carried out by such entities on behalf of ANGELINI BEAUTY S.p.A. Data processors are provided by ANGELINI BEAUTY S.p.A. with appropriate written operational instructions, with particular reference to the implementation of the minimum-security measures, to ensure the confidentiality and the security of the data.
Certain processing activities may be carried out by third parties to which ANGELINI BEAUTY S.p.A. entrusts such activities, or part of them, including activities that are functional to the purposes set out in paragraph (5b). These third parties include, but are not limited to: business and/or technical partners; companies which provide marketing services; advertising agencies; entities which provide assistance and advice with reference to competitions and prize-giving operations. The entities belonging to the above mentioned categories process personal data in their own capacity as autonomous data controllers, or as data processors where that specific type of processing falls under the contractual obligations such entities owe to ANGELINI BEAUTY S.p.A. ANGELINI BEAUTY S.p.A. provides data processors with appropriate written operational instructions, giving particular reference to minimum-security measures required to ensure the confidentiality and security of the data.
Upon written request sent to the address of ANGELINI BEAUTY S.p.A., a list – which is subject to regular updates – of the data processors with which ANGELINI BEAUTY S.p.A. engages, is available.
Further, personal data may also be disclosed, upon prior request, to competent authorities, where such disclosure is required to comply with obligations stemming from necessary legal provisions.
(9b) Transfer of personal data to third countries
Personal data of the Client/data subject may also be transferred to other countries abroad, within the European Union, as well as to countries outside of the European Union. In the case of the latter, such transfers may occur based on an adequacy decision, or within the scope of, and subject to, the adequate guarantees required by the GDPR (that is, in particular, if the model clauses on data protection approved by the European Commission apply), or, regardless of the above circumstances, the transfer may be authorised on the basis of one or more of the derogations set out in the GDPR (namely, on the basis of the express consent of the Client/data subject, where the transfer is necessary for the performance of the Contract entered into by the Client/data subject, or where the transfer is necessary for the performance of a contract entered into between ANGELINI BEAUTY S.p.A. and another natural or legal person in favour of the Client/data subject). Where data is transferred to countries located outside of the European Union, the Client/data subject is allowed, upon a prior written request sent to the address of ANGELINI BEAUTY S.p.A., to be informed of the adequate guarantees, that is to say the derogations on which the cross-border transfer was authorised. It is understood that, where data is transferred to countries located outside of the European Union, the Client/data subject will always be able to have valid recourse to ANGELINI BEAUTY S.p.A. for every request relating to such data, including requests aimed at exercising the Client/data subject’s rights under the GDPR.
10. Criteria for determining the storage period of personal data
For the purposes of paragraph (5a) above, the storage period of personal data provided by the Client/data subject, and of the processing that results from such provision, coincides with the limitation period of the (legal, tax, etc.) rights/duties arising from the Contract: generally, the storage period is 10 years, except where an interruption event occurs during the limitation period which may extend such limitation period.
For the purposes of paragraph (5b) above, the storage period of personal data provided by the Client/data subject, and of the processing that results from such provision, ends when the Client/data subject withdraws the consent to such processing that he/she previously granted or, should the Client/data subject not withdraw his/her consent, the storage period would in any case end one year after the termination of any relationship between ANGELINI BEAUTY S.p.A. and the Client/data subject.
11. Rights of the Client/data subject
ANGELINI BEAUTY S.p.A. recognises and facilitates the exercise by the Client/data subject of all their rights under the GDPR, namely, the right to request access to his/her personal data and to obtain a copy of such (art. 15 GDPR); the right to rectification (art. 16 GDPR); the right to erasure (art. 17 GDPR); the right to restriction of the processing concerning him/her (art. 18 GDPR); the right to data portability (art. 20 GDPR, where applicable); and the right to object to the processing concerning him/her (arts. 21 and 22 GDPR, for the cases set out therein and, in particular, for the processing for marketing purposes or for the processing that results in automated decision-making, including profiling, which produces legal effects concerning him/her or similarly significantly affects him/her, where applicable).
Where processing is based on consent, ANGELINI BEAUTY S.p.A. grants the Client/data subject the right to withdraw such consent at any time, without affecting the lawfulness of the processing based on consent before its withdrawal. In order to exercise this right, the Client/data subject can unsubscribe at any time via the Website (or via the ANGELINI BEAUTY S.p.A. app or social media pages) or by clicking the specific unsubscribe link provided at the footer of any received marketing correspondence. The Client/data subject may also choose to contact ANGELINI BEAUTY S.p.A. via the contact details set out above.
Further, ANGELINI BEAUTY S.p.A. hereby informs the Client/data subject of the right to make a complaint to the Supervisory Authority for the Protection of Personal Data, (i.e. the competent body in Italy), and to bring a judicial claim both against a decision of the Supervisory Authority and against ANGELINI BEAUTY S.p.A. and/or a data processor.
12. Systems and personal data security
Taking into account the state of the art, the costs of implementation and the nature, the scope, the context and the purposes of processing, as well as the risk to the rights and freedoms of natural persons, in terms of likelihood and seriousness, ANGELINI BEAUTY S.p.A. adopts appropriate technical and organisational measures to ensure a level of security which is appropriate to the risk, in particular ensuring, on a permanent basis, the confidentiality, the integrity, the availability and the resilience of processing systems and services (including the encryption of personal data, where necessary), and the ability to restore the availability of and the access to personal data in a timely manner in the event of a physical or technical accident. It also adopts internal procedures for regularly testing, assessing and evaluating the effectiveness of the adopted technical and organisational measures.
In assessing the appropriate level of security, account shall be taken of the risks that are presented by processing, in particular, risks of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
ANGELINI BEAUTY S.p.A. will ensure that any person acting under its authority who has access to personal data will not process such data if they have not been instructed to do so by ANGELINI BEAUTY S.p.A.
That said, the Client/data subject acknowledges and accepts that no security system can guarantee, in terms of certainty, absolute protection. Therefore, ANGELINI BEAUTY S.p.A. will not be liable for any acts or events caused by third parties that might unlawfully access the systems without the authorisation needed, where all adequate precautions have been taken.
13. Automated individual decision-making, including profiling
ANGELINI BEAUTY S.p.A. may carry out automated processing, including profiling, in relation to the purposes set out in paragraph (5b) above, in order to improve the navigability of the Website (or the use of other social media or web apps of ANGELINI BEAUTY S.p.A.) and to improve the shopping experience, without prejudice to what is specified above concerning the Client/data subject’s right to object and to withdraw consent.
Profiling means any form of automated processing of personal data evaluating certain personal aspects relating to a natural person, in particular, to analyse or predict aspects concerning that natural person’s personal preferences, interests, or location also in order to create profiles, or categorise groups of subjects according to characteristics, interests or behaviour.
ANGELINI BEAUTY S.p.A. does not carry out any automated processing which produces legal effects concerning the Client/data subject or that similarly significantly affects him/her, except where: this is necessary for entering into or performing the Contract with the Client/data subject, it is authorised by law, or is based on the Client/data subject’s express consent. In any case, ANGELINI BEAUTY S.p.A. recognises the Client/data subject’s right to obtain human intervention, to express his or her point of view and to challenge the decision.